! Cisco 3640 Router
! Sample Routing with Firewall Configuration with Named Access Lists
!
! Updated 24-Mar-2008 by MJG, with explanations
!
version 12.3
!
!=========================================================================================
!
! Miscellaneous Configuration Items
!
hostname XXXXXX
!
! Service Configurations
!
no service pad
no service config
no service tcp-small-servers
no service udp-small-servers
no service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
!
! Memory Configurations
!
memory-size iomem 15
memory sanity all
!
! IP Domain Configuration
!
ip domain list XXXXXXXXXXXXXXXXXXXXX
ip domain list XXXXXXXXXXXXXXXXXXXXX
ip domain name XXXXXXXXXXXXXXXXXXXXX
ip name-server XXX.XXX.XXX.XXX
ip name-server XXX.XXX.XXX.XXX
!
! Miscellaneous
!
ip subnet-zero
no ip source-route
no ip finger
no ip bootp server
no boot network
ip cef
no aaa new-model
!
boot-start-marker
boot-end-marker
!
!=========================================================================================
!
! Users
!
enable secret 5 XXXXXXXXXXXXXXXXXXXXX
username admin privilege 15 password 7 XXXXXXXXXXXXXXXXXXXXX
!
!=========================================================================================
!
! Privilege Changes
!
privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 rlogin
privilege exec level 15 show ip access-lists
privilege exec level 15 show access-lists
privilege exec level 15 show logging
privilege exec level 1 show ip
!
!=========================================================================================
!
! SSH Configurations
!
! Note: "crypto key generate rsa" is entered in privileged EXEC mode, not in
! configuration mode; it does not appear in a running-config.
!
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
!
!=========================================================================================
!
! Packet Inspection Configs
!
ip inspect udp idle-time 15
ip inspect name scan udp alert on
!
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
ip inspect name scan tcp alert on
!
ip inspect name scan fragment maximum 256 timeout 1
ip inspect name scan icmp alert on timeout 30
ip inspect name scan smtp
ip inspect name scan ftp
!
ip audit po max-events 100
!
!=========================================================================================
!
! Virtual Private Dialup Network Configuration
!
! Enables PPPoE for the DSL/ATM interface
!
vpdn enable
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
!=========================================================================================
!
! Interface Configurations
!
!= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
!
! Null Interface Configuration
!
interface Null0
 no ip unreachables
!
!= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
!
! ATM ADSL Interface Configuration
!
! Cisco ADSL WIC is really an ATM interface...
!
interface ATM0/0
 description External DSL Interface
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
! Attaches ATM PtP Virtual Circuit to a dial pool (dial pool 1)
!
interface ATM0/0.1 point-to-point
 description External DSL Channel Interface
 pvc 0/35
  pppoe-client dial-pool-number 1
!
!
!= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
!
! Fast Ethernet (Copper) Interface Configuration
!
interface FastEthernet0/0
 description Internal 100Base-T Copper Interface
 no ip address
 ip nat inside
 ip route-cache flow
 ip tcp adjust-mss 1452
 ip verify unicast reverse-path
 shutdown
 duplex auto
 speed auto
!
!= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
!
! Fast Ethernet (Fiber) Interface Configuration
!
interface FastEthernet1/0
 description Internal 100Base-FX Fiber Interface
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip route-cache flow
 ip tcp adjust-mss 1452
 ip verify unicast reverse-path
 full-duplex
!
!= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
!
! Dialer Interface Configuration
!
! Dialer interface to connect DSL circuit over Cisco ADSL WIC
! Interfaces to specific PtP dial pool (dialer pool 1)
!
interface Dialer1
 description External DSL Dialer Interface
 ip address negotiated
 bandwidth 608
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 no ip mask-reply
 ip mtu 1492
 ip nat outside
 ip access-group inbound-filter in
 ip access-group outbound-filter out
 ip inspect scan in
 ip verify unicast reverse-path
 encapsulation ppp
 dialer pool 1
 dialer persistent
 ntp disable
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username XXXXXXXXXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXXXXXXXX
!
!=========================================================================================
!
! Specific NAT Translations
!
! Force specific internal IP to exist as specific external IP
!
!                           Internal IP     External IP
ip nat inside source static XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
ip nat inside source static XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
ip nat inside source static XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
ip nat inside source static XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
ip nat inside source static XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
ip nat inside source static udp XXX.XXX.XXX.XXX 123 XXX.XXX.XXX.XXX 123 extendable
ip nat inside source static udp XXX.XXX.XXX.XXX 4569 XXX.XXX.XXX.XXX 4569 extendable
ip nat inside source static udp XXX.XXX.XXX.XXX 5060 XXX.XXX.XXX.XXX 5060 extendable
!
!= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
!
! Network NAT Translations
!
! Sets up a single, fixed, external IP for internal outbound requests
! Uses access-list 1 from below
!
ip nat pool external XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX netmask 255.255.255.248
ip nat inside source list 1 pool external overload
!
!=========================================================================================
!
! IP Routing
!
! All traffic to next hop router
!
ip routing
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
!
!=========================================================================================
!
! Network Access List Configuration
!
! Set internal IP network addresses as NAT'able
! Don't forget - inverted masks! Opposite of PIX firewall configuration!
!
no access-list 1
access-list 1 remark NAT Translator Access List
access-list 1 permit XXX.XXX.XXX.XXX 0.0.0.255
access-list 1 deny any log
!
!= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
!
no ip access-list extended inbound-filter
ip access-list extended inbound-filter
 remark Inbound Filtration
!
! IP addresses, below, are EXTERNAL FIXED IPs ... NOT INTERNAL!
! All netmasks in rules should be INVERTED!
!
! Deny traffic from spoofed IPs - outside
 deny ip host 0.0.0.0 any
 deny ip host 255.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 224.0.0.0 31.255.255.255 any
 deny ip 240.0.0.0 7.255.255.255 any
 deny ip XXX.XXX.XXX.XXX 0.0.0.7 any
!
! Established TCP
 permit tcp any XXX.XXX.XXX.XXX 0.0.0.7 established
!
! DNS to/from primary DNS server
!permit tcp any gt 1023 host XXX.XXX.XXX.XXX eq 22
 permit udp any eq 53 host XXX.XXX.XXX.XXX gt 1023
 permit udp any eq 53 host XXX.XXX.XXX.XXX eq 53
 permit udp any gt 1023 host XXX.XXX.XXX.XXX eq 53
!
! DNS to/from secondary DNS server
!permit tcp any gt 1023 host XXX.XXX.XXX.XXX eq 22
 permit udp any eq 53 host XXX.XXX.XXX.XXX gt 1023
 permit udp any eq 53 host XXX.XXX.XXX.XXX eq 53
 permit udp any gt 1023 host XXX.XXX.XXX.XXX eq 53
!
! Services to web server
 permit tcp any gt 1023 host XXX.XXX.XXX.XXX eq 20
 permit tcp any gt 1023 host XXX.XXX.XXX.XXX eq 21
!permit tcp any gt 1023 host XXX.XXX.XXX.XXX eq 22
 permit tcp any gt 1023 host XXX.XXX.XXX.XXX gt 1023
 permit tcp any host XXX.XXX.XXX.XXX eq 80
!
! Services to mail server
!permit tcp any gt 1023 host XXX.XXX.XXX.XXX eq 22
 permit tcp any gt 1023 host XXX.XXX.XXX.XXX eq 25
 permit tcp any gt 1023 host XXX.XXX.XXX.XXX eq 80
 permit tcp any gt 1023 host XXX.XXX.XXX.XXX eq 110
 permit tcp any gt 1023 host XXX.XXX.XXX.XXX eq 143
 permit tcp any gt 1023 host XXX.XXX.XXX.XXX eq 443
!
! Services to VoIP Server (NTP & asterisk IAX/SIP)
!permit tcp any gt 1023 host XXX.XXX.XXX.XXX eq 22
 permit udp any eq 123 host XXX.XXX.XXX.XXX eq 123
 permit udp any host XXX.XXX.XXX.XXX eq 4569
 permit udp any host XXX.XXX.XXX.XXX eq 5060
!
! ICMP replies
 permit icmp any any packet-too-big
 permit icmp any any source-quench
 permit icmp any any ttl-exceeded
 permit icmp any any echo-reply
 permit icmp any any echo
 deny icmp any any
!
! Evaluate reflections
 evaluate tcp-connections
 evaluate udp-sessions
!
! Deny everything else inbound
 deny ip any any
!
!= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
!
no ip access-list extended outbound-filter
ip access-list extended outbound-filter
 remark Outbound Filtration
!
! IP addresses, below, are EXTERNAL FIXED IPs ... NOT INTERNAL!
! All netmasks in rules should be INVERTED!
!
! Permit established connections
 permit tcp XXX.XXX.XXX.XXX 0.0.0.7 any established
!
! DNS outbound from primary DNS server
 permit tcp host XXX.XXX.XXX.XXX any eq 53
 permit udp host XXX.XXX.XXX.XXX eq 1023 any eq 53
 permit udp host XXX.XXX.XXX.XXX eq 53 any eq 53
 permit udp host XXX.XXX.XXX.XXX eq 53 any eq 1023
!
! DNS outbound from secondary DNS server
 permit tcp host XXX.XXX.XXX.XXX any eq 53
 permit udp host XXX.XXX.XXX.XXX eq 1023 any eq 53
 permit udp host XXX.XXX.XXX.XXX eq 53 any eq 53
 permit udp host XXX.XXX.XXX.XXX eq 53 any eq 1023
!
! DNS outbound from mail server (Mail RBL Checking)
 permit tcp host XXX.XXX.XXX.XXX any eq 53
 permit udp host XXX.XXX.XXX.XXX eq 1023 any eq 53
 permit udp host XXX.XXX.XXX.XXX eq 53 any eq 53
 permit udp host XXX.XXX.XXX.XXX eq 53 any eq 1023
!
! Denied outbound traffic
 deny tcp any any eq 69
 deny udp any any eq 69
 deny tcp any any eq 111
 deny udp any any eq 111
 deny tcp any any range 135 139
 deny udp any any range 135 139
 deny tcp any any eq 445
 deny udp any any eq 445
 deny tcp any any range 512 514
 deny udp any any range 512 514
!
! Deny traffic from spoofed IPs - inside
 deny ip host 0.0.0.0 any
 deny ip host 255.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 224.0.0.0 31.255.255.255 any
 deny ip 240.0.0.0 7.255.255.255 any
!
! Deny traffic to spoofed IPs - inside
 deny ip any host 0.0.0.0
 deny ip any host 255.255.255.255
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 127.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 169.254.0.0 0.0.255.255
 deny ip any 192.168.0.0 0.0.255.255
 deny ip any 224.0.0.0 31.255.255.255
 deny ip any 240.0.0.0 7.255.255.255
!
! ICMP replies
 permit icmp any any packet-too-big
 permit icmp any any source-quench
 permit icmp any any ttl-exceeded
 permit icmp any any echo-reply
 permit icmp any any echo
 deny icmp any any
!
! Allow reflections
 permit tcp any any reflect tcp-connections
 permit udp any any reflect udp-sessions
!
! Allow everything else outbound
 permit ip any any
!
!=========================================================================================
!
banner login %Cisco 3640 Router%
!
!=========================================================================================
!
! SNMP Configuration
!
snmp-server community public ro 1
snmp-server location XXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXX
!
!=========================================================================================
!
! HTTP Server Configuration
!
ip http server
no ip http secure-server
ip http authentication local
ip http access-class 1
!
!=========================================================================================
!
! Line Access Configurations
!
line con 0
 password 7 XXXXXXXXXXXXXXXXXXXXX
 login
 transport preferred none
line aux 0
line vty 0 4
 access-class 1 in
 password 7 XXXXXXXXXXXXXXXXXXXXX
 login local
 transport preferred none
 transport input ssh
!
!=========================================================================================
!
! Time Configuration
!
clock timezone GMT 0
ntp server XXX.XXX.XXX.XXX
!
!=========================================================================================
!
end
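The named access lists above rely on three IOS behaviours that are easy to get wrong: wildcard masks are the inverse of netmasks (the "inverted masks!" warnings), entries are evaluated top to bottom with the first match winning (which is why the anti-spoof denies sit ahead of the service permits), and a list ends with an implicit deny. The following Python is an added example, not part of this configuration or of any Cisco tool: a small first-match evaluator that parses extended-ACL entries in the page's syntax and reports which entry decides a given packet. The names Packet, Entry, parse_acl and evaluate are chosen here; SAMPLE_INBOUND_FILTER is a constructed subset of inbound-filter with 203.0.113.0/29 (RFC 5737 documentation space) standing in for the masked external block.

```python
"""Added example, not the page's configuration: first-match evaluation of IOS extended
ACL entries (names Packet/Entry/parse_acl/evaluate and the sample ACL are chosen here)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable

# Constructed from the page's inbound-filter; 203.0.113.0/29 (RFC 5737) is the external block.
SAMPLE_INBOUND_FILTER = """
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 203.0.113.0 0.0.0.7 any
permit tcp any 203.0.113.0 0.0.0.7 established
permit udp any eq 53 host 203.0.113.2 gt 1023
permit udp any gt 1023 host 203.0.113.2 eq 53
permit tcp any host 203.0.113.3 eq 80
permit icmp any any echo-reply
deny icmp any any
evaluate tcp-connections
deny ip any any
"""

def ip_int(s: str) -> int:
    return int(ipaddress.ip_address(s))

def wildcard_match(addr: str, wildcard: str, ip: str) -> bool:
    """IOS wildcard: a 1 bit means 'do not care' (inverse of a netmask), so 0.0.0.7 is a /29."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return ip_int(ip) & care == ip_int(addr) & care

@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False   # TCP segment with ACK or RST set
    icmp_type: str = ""         # e.g. "echo", "echo-reply"

@dataclass
class Entry:
    action: str
    proto: str
    src: tuple                  # (address, wildcard)
    sport: Callable[[int], bool]
    dst: tuple
    dport: Callable[[int], bool]
    opts: set = field(default_factory=set)   # "established" and/or ICMP type names

def _addr(tok, i):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((addr, wildcard), next index)."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def _port(tok, i):
    """Consume an optional port operator (numeric ports only); return (predicate, next index)."""
    if i < len(tok) and tok[i] in ("eq", "gt"):
        op, n = tok[i], int(tok[i + 1])
        return {"eq": lambda p: p == n, "gt": lambda p: p > n}[op], i + 2
    if i < len(tok) and tok[i] == "range":
        lo, hi = int(tok[i + 1]), int(tok[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    return (lambda p: True), i

def parse_acl(text: str) -> list:
    """Parse permit/deny lines; remarks and reflexive 'evaluate' lines (which need session state) are skipped."""
    entries = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        entries.append(Entry(tok[0], tok[1], src, sport, dst, dport, set(tok[i:]) - {"log"}))
    return entries

def matches(e: Entry, p: Packet) -> bool:
    if e.proto not in ("ip", p.proto):
        return False
    if not (wildcard_match(*e.src, p.src) and wildcard_match(*e.dst, p.dst)):
        return False
    if e.proto in ("tcp", "udp") and not (e.sport(p.sport) and e.dport(p.dport)):
        return False
    if "established" in e.opts and not p.established:
        return False
    return not (e.proto == "icmp" and e.opts and p.icmp_type not in e.opts)

def evaluate(entries: list, p: Packet) -> tuple:
    """First matching entry wins; the implicit deny at the end is reported as entry 0."""
    for n, e in enumerate(entries, 1):
        if matches(e, p):
            return e.action, n
    return "deny", 0

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_INBOUND_FILTER)
    print(evaluate(acl, Packet("tcp", "10.1.2.3", "203.0.113.3", 40000, 80)))  # ('deny', 1)
```

Running it against the sample shows the ordering at work: a packet from a 10/8 source aimed at the web server's port 80 is stopped by the first anti-spoof entry before the port-80 permit is ever reached, a normal HTTP request lands on that permit, and a reply segment with ACK set matches the `established` entry while a bare SYN to an unlisted port falls through to the final `deny ip any any`. The outbound-filter entries can be fed to parse_acl the same way. The evaluator deliberately does not model the `evaluate` entries, because reflexive ACLs permit only flows that the `reflect` rules on the outbound list have already recorded; it also accepts numeric ports only, not IOS keywords such as `www`.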