Here is an example configuration from a Cisco 831 router using NAT, CBAC and SSH, with DHCP on the WAN interface:

dslrouter#sh run
Building configuration...

Current configuration : 5415 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname dslrouter
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$zEom$D4SosdpMuSkDt4G1HJ65DS5LsVt.
!
username cisco privilege 15 secret 5 $1$LDSkDt4G1HJ65DS5LsVt.
clock timezone MST -7
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip name-server 205.171.3.65
ip name-server 205.171.2.65
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool lan
 import all
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 205.171.3.65 205.171.2.65
!
!
no ip bootp server
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
 description Lan Interface
 ip address 192.168.0.1 255.255.255.0
 ip access-group LAN-INBOUND in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dialer0
 description Virtual Dial Interface
 ip address negotiated
 ip access-group WAN-INBOUND in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username username@qwest.net password
!
ip nat inside source list NAT-LIST interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip access-list extended LAN-INBOUND
 deny ip host 255.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit ip any any
ip access-list extended NAT-LIST
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended WAN-INBOUND
 deny ip 192.168.0.0 0.0.0.255 any
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip host 255.255.255.255 any
 deny ip host 0.0.0.0 any
 deny ip any any
logging trap debugging
dialer-list 1 protocol ip permit
banner login ^C
***************************************************************************
* L E G A L N O T I C E -- Y O U M U S T R E A D *
***************************************************************************
* *
* You must have explicit permission to access or configure this *
* device. All activities performed on this device are logged and *
* violations of this policy may result in criminal prosecution. *
* *
***************************************************************************
* *
* This system is for the use of authorized users only. Individuals using *
* this computer system without authority, or in excess of their authority,*
* are subject to having all of their activities on this system monitored *
* and recorded by system personnel. *
* *
* *
* Anyone using this system expressly consents to such monitoring and is *
* advised that if such monitoring reveals possible evidence of criminal *
* activity, system personnel may provide the evidence of such monitoring *
* to law enforcement officials. *
* *
***************************************************************************
* UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED *
***************************************************************************
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input ssh
!
scheduler max-task-time 5000
scheduler interval 500
!
end


by Suffering
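How the WAN-INBOUND list in the configuration above is evaluated, as an added example that is not part of the original FAQ: a small first-match evaluator for the wildcard-mask entries, useful for checking which entry a given inbound packet hits. It assumes only the entry forms used in this ACL (no ports) and treats the ICMP type as the IOS keyword; the function names are hypothetical.

```python
import ipaddress

# WAN-INBOUND entries copied from the configuration above.
WAN_INBOUND = """\
deny ip 192.168.0.0 0.0.0.255 any
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any
"""

def _take_addr(tok):
    """Consume one address spec from the token list; return (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _take_addr(tok), _take_addr(tok)
        rules.append((action, proto, src, dst, tok[0] if tok else None, line))
    return rules

def _hit(addr, spec):
    base, wild = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must equal the base.
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def evaluate(rules, proto, src, dst, icmp_type=None):
    """First matching entry wins; an ACL with no match ends in an implicit deny."""
    for action, r_proto, r_src, r_dst, r_type, line in rules:
        if r_proto not in ("ip", proto) or (r_type is not None and r_type != icmp_type):
            continue
        if _hit(src, r_src) and _hit(dst, r_dst):
            return action, line
    return "deny", "(implicit deny)"
```

Because the first match wins, an `echo-reply` with a 10.0.0.0/8 source hits the ICMP permit before the later RFC 1918 deny entries are reached; only the 192.168.0.0/24 deny sits ahead of the permits.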



Wednesday, 08-Oct 04:55:36
over 9 years online! © 1999-2008 dslreports.com.