Wednesday 7 October 2009

Sample Cisco 877 Config

Sample Cisco 800-series (877 or 877W) ADSL Broadband Router Config

I've spent several weeks configuring my new Cisco 877 ADSL router. The config was designed based on Cisco documents, forum postings, FAQs, etc. I was helped by other forum users, so if my completed config helps another person then this blog has been worthwhile.

OK, my config does the following:
- VPN dialin support (PPTP)
- SSH access (controlled by an ACL)
- NAT
- DHCP
- Webserver and mailserver hosting inside the LAN (controlled by an ACL)
- NTP server

So, the config:

!
! Last configuration change at 12:37:56 GMT Mon Oct 5 2009 by User1
! NVRAM config last updated at 09:53:10 GMT Wed Oct 7 2009 by User1
!
version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service internal
!
hostname Cisco877
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 16386
logging rate-limit 100 except warnings
no logging console
no logging monitor
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time GMT recurring
!
!
dot11 syslog
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.200
ip dhcp excluded-address 192.168.1.241 192.168.1.254
!
ip dhcp pool CLIENTS
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1 192.168.1.254
lease 0 12
!
no ip cef
ip domain name mydomain.local
ip host www.myoverriddenDNS.co.uk 192.168.1.50
ip inspect name fw tcp timeout 3600
ip inspect name fw udp timeout 3600
login block-for 180 attempts 3 within 180
login on-failure log
login on-success log
no ipv6 cef
ntp master
ntp server time.windows.com source Dialer0
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
username User1 privilege 15 password 7 XXX
username User2 password 7 XXX
!
!
!
archive
log config
hidekeys
!
!
ip ssh version 2
!
!
!
interface ATM0
description ADSL Connection
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl enable-training-log
dsl bitswap both
hold-queue 200 in
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
ip unnumbered Vlan1
ip nat inside
ip virtual-reassembly
peer default ip address pool VPNPOOL
no keepalive
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2 chap
!
interface Vlan1
description MyLAN
ip address 192.168.0.254 255.255.255.0 secondary
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
ip tcp adjust-mss 1452
hold-queue 100 in
hold-queue 100 out
!
interface Dialer0
bandwidth inherit
ip address negotiated
ip access-group 120 in
ip access-group 121 out
ip nat outside
ip inspect fw out
ip virtual-reassembly
encapsulation ppp
ip tcp header-compression iphc-format
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname MyUsername@MyISP.co.uk
ppp chap password 0 MyPassword
ppp ipcp dns request
ppp ipcp wins request
ip rtp header-compression iphc-format
!
ip local pool VPNPOOL 192.168.1.251 192.168.1.253
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
!
ip dns server
no ip nat service sip udp port 5060
ip nat inside source static tcp 192.168.1.50 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.50 80 interface Dialer0 80
ip nat inside source list 102 interface Dialer0 overload
!
ip access-list standard SNMP-ALLOWED
permit 192.168.1.50
deny any
ip access-list standard SSH-ALLOWED
permit 192.168.0.0 0.0.0.255
permit 192.168.1.0 0.0.0.255
deny any
!
!
ip access-list logging interval 10
logging 192.168.1.50
access-list 102 remark Define NAT internal ranges
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 120 remark Inbound external interface
access-list 120 remark The below set the rfc1918 private exclusions
access-list 120 deny ip 192.168.0.0 0.0.255.255 any
access-list 120 deny ip 172.16.0.0 0.15.255.255 any
access-list 120 deny ip 10.0.0.0 0.255.255.255 any
access-list 120 remark Allow established sessions back in
access-list 120 permit tcp any any established
access-list 120 remark Any new ports opened in the IP NAT INSIDE SOURCE STATIC lines should also be added here
access-list 120 permit tcp any any eq smtp
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any any eq 22 log
access-list 120 permit tcp any any eq 1723
access-list 120 permit tcp any any eq ftp
access-list 120 permit tcp any any eq ftp-data
access-list 120 remark Passive FTP ports matching vsftpd config
access-list 120 permit tcp any any range 50000 50050
access-list 120 permit gre any any
access-list 120 permit udp any eq domain any
access-list 120 remark Standard acceptable icmp rules
access-list 120 permit icmp any any echo
access-list 120 permit icmp any any echo-reply
access-list 120 permit icmp any any source-quench
access-list 120 permit icmp any any packet-too-big
access-list 120 permit icmp any any time-exceeded
access-list 120 deny ip any any
access-list 121 remark Allow all outbound IP
access-list 121 permit ip any any
dialer-list 1 protocol ip permit
!
!
!
!
snmp-server community AnTeallach RW SNMP-ALLOWED
!
control-plane
!
!
line con 0
exec-timeout 0 0
password 7 XXXX
no modem enable
transport output all
line aux 0
transport output all
line vty 0 4
access-class SSH-ALLOWED in
exec-timeout 0 0
privilege level 15
password 7 XXXX
length 40
width 160
transport input ssh
transport output all
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
time-range WEEKDAY
periodic weekdays 8:00 to 18:00
!
end
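The remark on access-list 120 above says that every port opened with an "ip nat inside source static" line must also be permitted by the inbound ACL on Dialer0 (the ACL is evaluated before NAT translates the destination). The following script is an added example, not part of the original post: it parses a constructed excerpt of the NAT and ACL 120 lines from this config and reports ports that are forwarded but not permitted, and ports that are permitted inbound without a matching forward (in this config those are the router's own SSH and PPTP services plus the FTP ports, which have no static NAT entry behind them). The port-keyword table and regexes are the script's own assumptions about IOS syntax.

```python
import re
# Constructed excerpt of the NAT and ACL 120 lines from the config above (sample input, not a live device).
CONFIG = """\
ip nat inside source static tcp 192.168.1.50 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.50 80 interface Dialer0 80
ip nat inside source list 102 interface Dialer0 overload
access-list 120 permit tcp any any established
access-list 120 permit tcp any any eq smtp
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any any eq 22 log
access-list 120 permit tcp any any eq 1723
access-list 120 permit tcp any any eq ftp
access-list 120 permit tcp any any eq ftp-data
access-list 120 permit tcp any any range 50000 50050
access-list 120 deny ip any any
"""
# IOS keyword names for the well-known TCP ports used in this ACL (assumed mapping).
PORT_NAMES = {"smtp": 25, "www": 80, "ftp": 21, "ftp-data": 20, "ssh": 22, "domain": 53}
NAT_RE = re.compile(r"^ip nat inside source static tcp (\S+) (\d+) interface \S+ (\d+)", re.M)
ACL_RE = re.compile(r"^access-list (\d+) permit tcp any any (?:eq (\S+)|range (\d+) (\d+))", re.M)

def port_number(token):
    """Translate an IOS port keyword (smtp, www, ...) or numeric string to an int."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def static_nat_ports(config):
    """Map each externally forwarded TCP port to the (inside_ip, inside_port) it lands on."""
    return {int(ext): (ip, int(inside)) for ip, inside, ext in NAT_RE.findall(config)}

def acl_tcp_ports(config, acl="120"):
    """Set of destination TCP ports the numbered ACL permits from any source (eq and range forms)."""
    ports = set()
    for number, eq, lo, hi in ACL_RE.findall(config):
        if number != acl:
            continue
        if eq:
            ports.add(port_number(eq))
        else:
            ports.update(range(int(lo), int(hi) + 1))
    return ports

def audit(config):
    """Cross-check the inbound ACL against the static NAT entries, as the remark in the config asks."""
    nat, acl = static_nat_ports(config), acl_tcp_ports(config)
    return {
        # forwarded to a LAN host but dropped by ACL 120 before NAT ever sees the packet
        "forwarded_but_blocked": sorted(p for p in nat if p not in acl),
        # permitted inbound with no static NAT entry: only services on the router itself can answer
        "open_without_forward": sorted(p for p in acl if p not in nat),
    }
```

Run `audit(CONFIG)` after each change to the NAT lines; a non-empty `forwarded_but_blocked` list means the ACL remark was not followed, and `open_without_forward` is the list of inbound holes to justify against what the router actually terminates.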