Friday, July 07, 2006

Cisco 877 - Good for Australian DSL

Here's a good config for a Cisco 877 (no wireless) that is set up for the following:

- Connection to Australian ADSL (PPP over ATM on PVC 8/35, as in the config below)
- Full NAT outbound access for the first 64 addresses (192.168.0.0/26, i.e. 192.168.0.1-192.168.0.63, with .1 being the router itself)
- Partial outbound access for the remaining addresses (192.168.0.64-192.168.0.254): web, FTP, mail, DNS, ping and IPsec client traffic only
- Support for the Cisco VPN Client for remote access to the internal network, using a pre-shared group key with 3DES
- Static NAT for port forwarding of SMTP port to internal server
- Access-lists preventing unwanted access from external networks/internet

Most of the values that need to be changed for your environment appear in capitals, e.g. MYPASSWORD, MYIPPOOL, MY.OUT.SIDE.IP. Change these to suit your environment.

A few things to check before pasting it in:

- The transform-set name must be identical in the crypto ipsec transform-set line and in the dynamic map that references it, otherwise phase 2 has no transform set to negotiate.
- 3DES with MD5 and Diffie-Hellman group 2 was typical in 2006 but is legacy now; prefer AES and SHA with the strongest group your VPN Client build supports, in both the ISAKMP policy and the transform set.
- The wildcard pre-shared key (crypto isakmp key ... address 0.0.0.0 0.0.0.0) lets any peer that knows the key start phase 1. The VPN Client authenticates with the group key under crypto isakmp client configuration group, so the wildcard key is only needed if you also terminate site-to-site tunnels from peers with dynamic addresses.
- The outside-in access-list has to admit IKE (UDP 500), NAT-T (UDP 4500) and ESP itself (IP protocol 50); a client that is not behind NAT sends plain ESP rather than UDP 4500.
- Generate an RSA key (crypto key generate rsa) so SSH works, then remove telnet from transport input on the vty lines.

Enjoy!

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MYRTR
!
boot-start-marker
boot-end-marker
!
logging buffered 10000 debugging
enable secret MYPASSWORD
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpnauthen local
aaa authorization network vpngroup local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name MYINSPECT icmp
ip inspect name MYINSPECT ftp
ip inspect name MYINSPECT dns
ip inspect name MYINSPECT echo
ip inspect name MYINSPECT udp
ip inspect name MYINSPECT tcp
ip inspect name MYINSPECT http
ip inspect name MYINSPECT https
no ip domain lookup
ip domain name MYDOMAIN.COM
! placeholders: replace with your ISP's resolvers
ip name-server 10.10.10.10
ip name-server 20.20.20.20
!
!
! declares an IOS certificate server that nothing below uses; it can be dropped
crypto pki server MYPKISERVER
!
!
username admin privilege 15 secret MYPASSWORD
!
!
!
! Phase 1 policy for the VPN Client. 3DES/MD5/DH group 2 were the norm in 2006
! but are legacy now; use AES and SHA with the strongest group the client supports.
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
! Wildcard pre-shared key: any peer that knows MYCRYPTOKEY can start phase 1.
! The VPN Client uses the group key below instead, so keep this line only if you
! also terminate site-to-site tunnels from peers with dynamic addresses.
crypto isakmp key MYCRYPTOKEY address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local MYIPPOOL
!
crypto isakmp client configuration group MYVPNGROUP
key MYCRYPTOKEY
dns 192.168.0.2
wins 192.168.0.2
domain MYDOMAIN.COM
pool MYIPPOOL
acl 130
!
!
! name must match the set-transform-set line in the dynamic map below
crypto ipsec transform-set MYTRANSFORMSET esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set MYTRANSFORMSET
!
!
crypto map MYCRYPTOMAP client authentication list vpnauthen
crypto map MYCRYPTOMAP isakmp authorization list vpngroup
crypto map MYCRYPTOMAP client configuration address respond
crypto map MYCRYPTOMAP 10 ipsec-isakmp dynamic dynmap
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no snmp trap link-status
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip access-group inside-in in
ip inspect MYINSPECT in
ip nat inside
ip virtual-reassembly
hold-queue 100 out
!
interface Dialer0
ip address negotiated
ip access-group outside-in in
ip verify unicast reverse-path
no ip unreachables
ip inspect MYINSPECT in
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 2147483
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname MYDSLUSERNAME
ppp chap password MYDSLPASSWORD
ppp pap sent-username MYDSLUSERNAME password MYDSLPASSWORD
crypto map MYCRYPTOMAP
!
! addresses handed to VPN clients; kept on a separate subnet from the LAN so the
! NAT-exemption and split-tunnel lists below can match it
ip local pool MYIPPOOL 192.168.2.10 192.168.2.50
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.2 25 interface Dialer0 25
!
ip access-list extended inside-in
! 192.168.0.0/26 (.1-.63): unrestricted outbound
permit ip 192.168.0.0 0.0.0.63 any
! 192.168.0.64/26 and 192.168.0.128/25 (.64-.254): web, FTP, mail, DNS,
! IPsec client (IKE and NAT-T) and ping only
permit tcp 192.168.0.64 0.0.0.63 any eq www
permit tcp 192.168.0.64 0.0.0.63 any eq 443
permit tcp 192.168.0.64 0.0.0.63 any eq ftp
permit tcp 192.168.0.64 0.0.0.63 any eq smtp
permit tcp 192.168.0.64 0.0.0.63 any eq pop3
permit tcp 192.168.0.64 0.0.0.63 any eq domain
permit udp 192.168.0.64 0.0.0.63 any eq domain
permit udp 192.168.0.64 0.0.0.63 any eq non500-isakmp
permit udp 192.168.0.64 0.0.0.63 any eq isakmp
permit icmp 192.168.0.64 0.0.0.63 any
permit tcp 192.168.0.128 0.0.0.127 any eq www
permit tcp 192.168.0.128 0.0.0.127 any eq 443
permit tcp 192.168.0.128 0.0.0.127 any eq ftp
permit tcp 192.168.0.128 0.0.0.127 any eq smtp
permit tcp 192.168.0.128 0.0.0.127 any eq pop3
permit tcp 192.168.0.128 0.0.0.127 any eq domain
permit udp 192.168.0.128 0.0.0.127 any eq domain
permit udp 192.168.0.128 0.0.0.127 any eq non500-isakmp
permit udp 192.168.0.128 0.0.0.127 any eq isakmp
permit icmp 192.168.0.128 0.0.0.127 any
! whole LAN to the VPN client pool, and anything addressed to the router itself
permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip any host 192.168.0.1
deny ip any any
ip access-list extended outside-in
! unsolicited traffic from the internet: only the forwarded SMTP port and the
! VPN Client's IKE, NAT-T and ESP; return traffic for LAN sessions is opened by CBAC
permit tcp any host MY.OUT.SIDE.IP eq smtp
permit udp any host MY.OUT.SIDE.IP eq isakmp
permit udp any host MY.OUT.SIDE.IP eq non500-isakmp
! added: clients that are not behind NAT send plain ESP rather than UDP 4500
permit esp any host MY.OUT.SIDE.IP
! decrypted VPN-client traffic to the LAN
permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
deny ip any any
!
logging trap debugging
! NAT list: LAN to VPN client pool is exempt so it stays routable inside the
! tunnel; everything else from the LAN is overloaded on Dialer0
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 deny ip host MY.OUT.SIDE.IP any
! split-tunnel list pushed to the VPN Client: only 192.168.0.0/24 goes through the tunnel
access-list 130 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
exec-timeout 120 0
! with aaa new-model the local username/secret above is what vty logins check;
! this line password is not used
password MYPASSWORD
! telnet is still allowed here: once SSH works (run crypto key generate rsa first)
! change this to "transport input ssh"
transport input telnet ssh
!
scheduler max-task-time 5000
end
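As an added example (not part of the original post and not Cisco's own tooling), here is a small Python evaluator for the two extended access-lists above. It implements IOS first-match semantics with wildcard masks for just the syntax this config uses and confirms the policy claims offline: which LAN hosts get unrestricted outbound access, what the restricted hosts can still reach, and what the internet can reach on the outside interface. MY.OUT.SIDE.IP is assumed to be 203.0.113.1 and the probe addresses are TEST-NET values; both are assumptions, not values from the post.

```python
"""First-match evaluator for the inside-in and outside-in access-lists above.
Added example, not code from the original post or from Cisco; it covers only
the IOS extended-ACL syntax this config actually uses."""
import ipaddress
from collections import namedtuple

# Port keywords used in the ACLs, with the numbers IOS assigns them.
PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25, "pop3": 110, "domain": 53,
              "isakmp": 500, "non500-isakmp": 4500}

# Copies of the two access-lists from the config above (constructed input so
# the script runs stand-alone); MY.OUT.SIDE.IP is assumed to be 203.0.113.1.
INSIDE_IN = """
permit ip 192.168.0.0 0.0.0.63 any
permit tcp 192.168.0.64 0.0.0.63 any eq www
permit tcp 192.168.0.64 0.0.0.63 any eq 443
permit tcp 192.168.0.64 0.0.0.63 any eq ftp
permit tcp 192.168.0.64 0.0.0.63 any eq smtp
permit tcp 192.168.0.64 0.0.0.63 any eq pop3
permit tcp 192.168.0.64 0.0.0.63 any eq domain
permit udp 192.168.0.64 0.0.0.63 any eq domain
permit udp 192.168.0.64 0.0.0.63 any eq non500-isakmp
permit udp 192.168.0.64 0.0.0.63 any eq isakmp
permit icmp 192.168.0.64 0.0.0.63 any
permit tcp 192.168.0.128 0.0.0.127 any eq www
permit tcp 192.168.0.128 0.0.0.127 any eq 443
permit tcp 192.168.0.128 0.0.0.127 any eq ftp
permit tcp 192.168.0.128 0.0.0.127 any eq smtp
permit tcp 192.168.0.128 0.0.0.127 any eq pop3
permit tcp 192.168.0.128 0.0.0.127 any eq domain
permit udp 192.168.0.128 0.0.0.127 any eq domain
permit udp 192.168.0.128 0.0.0.127 any eq non500-isakmp
permit udp 192.168.0.128 0.0.0.127 any eq isakmp
permit icmp 192.168.0.128 0.0.0.127 any
permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip any host 192.168.0.1
deny ip any any
"""
OUTSIDE_IN = """
permit tcp any host 203.0.113.1 eq smtp
permit udp any host 203.0.113.1 eq isakmp
permit udp any host 203.0.113.1 eq non500-isakmp
permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
deny ip any any
"""

# src/dst are (base, wildcard) integers; dport is None without an 'eq' clause.
Ace = namedtuple("Ace", "action proto src dst dport")

def _addr_spec(tokens):
    """Consume one address spec. Wildcard bits set to 1 are 'don't care', so
    0.0.0.63 covers a /26 and 0.0.0.127 a /25."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return (int(ipaddress.IPv4Address(tok)),
            int(ipaddress.IPv4Address(tokens.pop(0))))

def parse_acl(text):
    """Parse 'permit|deny proto src dst [eq port]' lines into Ace entries."""
    aces = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        src, dst = _addr_spec(rest), _addr_spec(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces

def _matches(spec, addr):
    base, wild = spec
    return ((int(ipaddress.IPv4Address(addr)) ^ base) & ~wild) & 0xFFFFFFFF == 0

def evaluate(aces, src, dst, proto, dport=None):
    """'permit' or 'deny' for one flow: the first matching entry wins, and
    every IOS access-list ends with an implicit deny."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if not (_matches(ace.src, src) and _matches(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"

def full_access_hosts(aces, probe=("203.0.113.5", "tcp", 22)):
    """LAN hosts allowed an arbitrary outbound port (SSH to a TEST-NET address
    here), i.e. the post's 'full NAT' group."""
    dst, proto, port = probe
    return [str(h) for h in ipaddress.IPv4Network("192.168.0.0/24").hosts()
            if evaluate(aces, str(h), dst, proto, port) == "permit"]

if __name__ == "__main__":
    full = full_access_hosts(parse_acl(INSIDE_IN))
    print(f"full outbound access: {full[0]} .. {full[-1]} ({len(full)} hosts)")
```

Running it shows the unrestricted group is 192.168.0.1 through .63 (63 hosts): a wildcard of 0.0.0.63 on a .0 base is a /26, so .64 is the first restricted host. Evaluating single flows with evaluate() is the quickest way to sanity-check an edit to either list before it goes on the router: a restricted host to tcp/80 is permitted, the same host to tcp/22 is denied, and unsolicited tcp/23 from the internet to the outside address is dropped by outside-in.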
