Cisco 827/827H/SOHO97/837 Firewall Configuration
This recipe is designed for those Cisco 827s that have the firewall and VPN feature set. Most Cisco 827s in NZ should be using this configuration.
Recommendation: Take special note of the versions and memory requirements of the software we recommend.
To use this configuration, download the template file, 827_fw_nz.tpl, and use Cisco FastStep to install it.
A configuration created with this template will look something like:
no service pad
service timestamps debug uptime
service timestamps log uptime
! Type 7 password encryption only obscures passwords shown in the running
! config; it is reversible, so treat saved copies of this config as sensitive.
service password-encryption
!
hostname router
!
! 4 KB in-memory log buffer at debugging level. The "deny ip any any log"
! entries of access-lists 101 and 102 below are written here; the buffer is
! lost on reload, so send logs to a syslog host if they need to be kept.
logging buffered 4096 debugging
!
! NOTE(review): no "enable secret" appears in this template; confirm that one
! is set before the router is put into service.
!
ip subnet-zero
! This prevents the DHCP server from allocating these addresses. If you have any static IP
! devices (printers, servers, etc), make their addresses 192.168.1.1 to 192.168.1.100.
! 192.168.1.254 is excluded because it is the router's own Ethernet0 address.
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.1.254
!
! This enables the DHCP server on interfaces in the
! network 192.168.1.0/24 – the Ethernet interface.
! "import all" hands out options the router itself learns, presumably the DNS
! servers obtained through "ppp ipcp dns request" on Dialer0 — verify with the ISP.
ip dhcp pool dhcppool
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
!
!
! For those people who actually set their routers time; this causes it to be
! displayed in local NZ time.
! NOTE(review): the recurring summer-time dates are the rules in force when this
! template was written; check them against the current NZ daylight-saving dates.
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
!
! These are the firewall inspection rules. They tell the router which outbound
! sessions to track. The rule set is applied outbound on Dialer0 below, so the
! replies to those sessions are let back in even though access-list 101 does not
! list them; anything neither inspected nor permitted by 101 is dropped.
ip inspect name Dialer_0 tcp
ip inspect name Dialer_0 udp
ip inspect name Dialer_0 cuseeme
ip inspect name Dialer_0 ftp
ip inspect name Dialer_0 h323
ip inspect name Dialer_0 rcmd
ip inspect name Dialer_0 realaudio
ip inspect name Dialer_0 streamworks
ip inspect name Dialer_0 vdolive
ip inspect name Dialer_0 sqlnet
ip inspect name Dialer_0 tftp
!
!
! LAN side. Traffic arriving from the LAN is filtered by access-list 102 and
! is the "inside" of the NAT translation configured below.
interface Ethernet0
ip address 192.168.1.254 255.255.255.0
ip access-group 102 in
ip nat inside
!
! Physical DSL interface; no IP address of its own, the PPP session lives on Dialer0.
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
! PVC 0/100 carrying PPP over AAL5; it belongs to dialer pool 1 used by Dialer0.
! Confirm the VPI/VCI values with the ISP.
interface ATM0.1 point-to-point
pvc 0/100
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
! Internet side. The public address is assigned by the ISP during PPP
! negotiation. Inbound traffic is filtered by access-list 101; outbound
! sessions are inspected so that their replies are allowed back in.
interface Dialer0
bandwidth 640
ip address negotiated
ip inspect Dialer_0 out
ip access-group 101 in
! Do not send ICMP redirects or unreachables from the public interface.
no ip redirects
no ip unreachables
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
! The next two lines are one command, "ppp pap sent-username <username>
! password <password>", wrapped for display. PAP sends the credentials in
! clear text over the PPP link; prefer CHAP if the ISP supports it.
ppp pap sent-username <username>
password <password>
! Ask the ISP for DNS server addresses during IPCP.
ppp ipcp dns request
! Do not advertise the router via CDP on the public interface. Ethernet0 has
! no equivalent line, so CDP presumably still runs on the LAN side.
no cdp enable
!
! Translate every source matching access-list 1 (the LAN) to the address of
! Dialer0, using port overloading (PAT).
ip nat inside source list 1 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
! Disables the web management server.
no ip http server
!
banner motd |Original config (c)IFM NZ Ltd sales@ifm.net.nz, prepared by IFM NZ Ltd/sales@ifm.net.nz|
!
! This is for telnet. It is disabled by default. Once enabled, access is
! restricted to traffic coming in via the Ethernet interface.
! Telnet itself is unencrypted; if the installed image supports SSH, use
! "transport input ssh" in preference to telnet.
line vty 0 4
! This restricts where the telnet traffic can come from (access-list 1, the LAN).
access-class 1 in
! Add the below line to enable telnet.
! password <password>
exit
!
! This defines traffic that is considered local to the LAN.
! It is used both by "access-class 1 in" on the vty lines and by the NAT rule.
access-list 1 remark The local LAN.
access-list 1 permit 192.168.1.0 0.0.0.255
!
! This controls what is allowed to come in from the Internet.
! All private IP addresses are blocked, tunnel traffic is allowed through, and
! ping/traceroute/MTU discovery traffic is allowed through.
! The private-address denies carry no "log", so spoofed RFC 1918 sources are
! dropped silently; everything else that falls to the final deny is logged.
! NOTE(review): only RFC 1918 sources are denied. Sources such as 127.0.0.0/8
! or 0.0.0.0/8 would still match the ICMP permits below; consider adding
! "access-list 101 deny ip 127.0.0.0 0.255.255.255 any" (and similar) ahead of them.
access-list 101 remark Traffic allowed to enter the router from Internet
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any host 255.255.255.255
! IPsec key exchange and GRE for the VPN tunnels.
access-list 101 permit udp any eq isakmp any eq isakmp
access-list 101 permit gre any any
! ICMP needed for path MTU discovery, traceroute and ping replies.
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any administratively-prohibited
! Lets the router be pinged from the Internet; remove this line if that is unwanted.
access-list 101 permit icmp any any echo
access-list 101 deny ip any any log
!
! This controls what traffic is allow to go to the Internet from the local LAN.
! TFTP is blocked (to stop NIMDA and the like).
! Only traffic with a valid local IP is allowed through.
access-list 102 remark Traffic allowed to enter the router from the Ethernet
! TFTP is denied before the permits, so the order of these lines matters.
access-list 102 deny udp any any eq tftp
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
! Any source may reach the router's own LAN address; presumably for hosts that
! do not hold a lease yet — confirm this is wanted.
access-list 102 permit ip any host 192.168.1.254
! Limited broadcasts (e.g. DHCP discovery from 0.0.0.0) are allowed in.
access-list 102 permit ip any host 255.255.255.255
! Anything else, including traffic with a non-LAN source address, is dropped and logged.
access-list 102 deny ip any any log
!
! Defines "interesting" traffic for dialer-group 1 on Dialer0: all IP traffic.
dialer-list 1 protocol ip permit
|
