IFM Ltd

Cisco 827/827H/SOHO97/837 Firewall Configuration


This recipe is designed for those Cisco 827s that have the firewall and VPN feature set. Most Cisco 827s in NZ should be using this configuration.

Recommendation: Take special note of the versions and memory requirements of the software we recommend.

To use this configuration, download the template file, 827_fw_nz.tpl, and use Cisco FastStep to install it.

A configuration created with this template will look something like:

! Disable the X.25 PAD service; it is not needed on a DSL router.
no service pad
! Stamp debug and log messages with the router's uptime.
service timestamps debug uptime
service timestamps log uptime
! Obscures passwords in the displayed configuration (IOS type 7 encoding).
! This encoding is reversible; it only stops casual over-the-shoulder viewing and does
! not protect a copy of the configuration.
service password-encryption
!
hostname router
!
! Keep up to 4096 bytes of messages, at severity debugging (i.e. all messages), in memory.
! NOTE(review): no syslog host appears in this listing, so the hits from the
! "deny ip any any log" entries in access-lists 101 and 102 are kept only in this local
! buffer and are lost on reload; send them to a log collector if they are to be reviewed.
logging buffered 4096 debugging
!
!
!
ip subnet-zero
! This prevents the DHCP server from allocating these addresses. If you have any static IP
! devices (printers, servers, etc), make their addresses 192.168.1.1 to 192.168.1.100.
ip dhcp excluded-address 192.168.1.1 192.168.1.100
! The router's own LAN address (see interface Ethernet0) is excluded as well.
ip dhcp excluded-address 192.168.1.254
!
! This enables the DHCP server on interfaces in the
! network 192.168.1.0/24 - the Ethernet interface.
ip dhcp pool dhcppool
  ! "import all" hands clients the options (such as DNS servers) learned from the
  ! ISP via "ppp ipcp dns request" on Dialer0.
  import all
  network 192.168.1.0 255.255.255.0
  default-router 192.168.1.254
  !
!
! For those people who actually set their routers time; this causes it to be
! displayed in local NZ time.
clock timezone NZST 12
! NOTE(review): New Zealand's daylight-saving dates changed in 2007 (now last Sunday of
! September to first Sunday of April); verify these dates before relying on local time
! in log timestamps.
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
!
! This is the firewall inspection rules. It tells the router what traffic to take
! a closer look at.
! The rule set is applied outbound on Dialer0 ("ip inspect Dialer_0 out"). Sessions
! started from the LAN are tracked, and their return traffic is admitted even though
! access-list 101 itself has no permit for it; the named protocol inspectors handle
! protocols that open secondary connections (e.g. ftp, h323, realaudio).
ip inspect name Dialer_0 tcp
ip inspect name Dialer_0 udp
ip inspect name Dialer_0 cuseeme
ip inspect name Dialer_0 ftp
ip inspect name Dialer_0 h323
ip inspect name Dialer_0 rcmd
ip inspect name Dialer_0 realaudio
ip inspect name Dialer_0 streamworks
ip inspect name Dialer_0 vdolive
ip inspect name Dialer_0 sqlnet
ip inspect name Dialer_0 tftp
!
!
! LAN side. Access-list 102 filters what the LAN may send in; NAT treats this
! interface as the inside.
interface Ethernet0
  ip address 192.168.1.254 255.255.255.0
  ip access-group 102 in
  ip nat inside
!
! Physical DSL interface; the ATM0.1 sub-interface carries the actual PVC.
interface ATM0
  no ip address
  no atm ilmi-keepalive
  dsl operating-mode auto
!
! PPP over ATM on PVC 0/100, handed to dialer pool 1 (Dialer0).
interface ATM0.1 point-to-point
  pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
! Internet-facing logical interface. Access-list 101 filters inbound traffic, the
! inspection rules above track outbound sessions, and NAT treats it as the outside.
interface Dialer0
  bandwidth 640
  ! Address is assigned by the ISP during PPP negotiation.
  ip address negotiated
  ip inspect Dialer_0 out
  ip access-group 101 in
  ! Do not send ICMP redirects or unreachables from the Internet-facing interface;
  ! this avoids leaking topology information and limits ICMP generated by scans.
  no ip redirects
  no ip unreachables
  ip nat outside
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ! Replace the placeholders with the ISP login. PAP sends the password in clear text
  ! over the PPP link; "service password-encryption" above only obscures it in the
  ! stored configuration.
  ppp pap sent-username <username>
  password <password>
  ! Ask the ISP for DNS server addresses; they are passed on to LAN clients via
  ! "import all" in the DHCP pool.
  ppp ipcp dns request
  ! No CDP announcements towards the Internet.
  no cdp enable
!
! Overload (PAT) the whole LAN, as defined by access-list 1, behind the Dialer0 address.
ip nat inside source list 1 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
! Web management is disabled; keep it that way unless it is needed.
no ip http server
!
banner motd |Original config (c)IFM Ltd sales@ifm.net.nz, prepared by IFM Ltd/sales@ifm.net.nz|
!
! This is for telnet.  It is disabled by default.  Once enabled, access is
! restricted to traffic coming in via the Ethernet interface.
! Note that telnet is unencrypted, so it should remain LAN-only; with no password set,
! IOS refuses vty logins, which is what keeps it disabled here.
! NOTE(review): no "transport input" line is shown for these lines, so the accepted
! protocols are whatever the platform default allows - confirm on the device.
line vty 0 4
  ! This restricts where the telnet traffic can come from (access-list 1: the local LAN).
  access-class 1 in
  ! Add the below line to enable telnet.
  ! password <password>
  exit
!
! This defines traffic that is considered local to the LAN
! (used both by "access-class 1 in" on the vty lines and by the NAT rule above).
access-list 1 remark The local LAN.
access-list 1 permit 192.168.1.0 0.0.0.255
!
! This controls what is allowed to come in from the Internet.
! All private IP addresses are blocked, tunnel traffic is allowed through, and
! ping/traceroute/MTU discovery traffic is allowed through.
! Everything else, including replies to LAN-initiated sessions, relies on the
! inspection rules on Dialer0 opening a temporary hole; the final "deny ... log"
! records what was dropped.
access-list 101 remark Traffic allowed to enter the router from Internet
! Anti-spoofing: RFC 1918 source addresses have no business arriving from the Internet.
! NOTE(review): other bogon sources (e.g. 127.0.0.0/8) are not listed here.
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any host 255.255.255.255
! VPN: IKE (UDP 500) and GRE are permitted.
! NOTE(review): ESP (IP protocol 50) has no permit in this list, so an IPsec tunnel
! whose data traffic is not carried over GRE would need its own entry - confirm against
! the VPN configuration in use.
access-list 101 permit udp any eq isakmp any eq isakmp
access-list 101 permit gre any any
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any administratively-prohibited
! This line lets any Internet host ping the router and the LAN behind it; remove it if
! the router should not answer ping from outside.
access-list 101 permit icmp any any echo
access-list 101 deny ip any any log
!
! This controls what traffic is allowed to go to the Internet from the local LAN.
! TFTP is blocked (to stop NIMDA and the like).
! Only traffic with a valid local IP is allowed through.
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 deny udp any any eq tftp
! Anti-spoofing: only sources in 192.168.1.0/24 may send through the router.
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
! The two "any" permits below are presumably for DHCP clients that do not yet have an
! address (source 0.0.0.0, destined to the router or to the limited broadcast).
access-list 102 permit ip any host 192.168.1.254
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny ip any any log
!
! Defines "interesting" traffic for dialer-group 1 on Dialer0: any IP traffic brings
! the link up.
dialer-list 1 protocol ip permit
