Extracted from the following thread:
»[HELP] IOS IPS -- Is the performance hit worth it?

Note:
To run this configuration, your router needs an IOS image that includes the IOS IPS (formerly IDS) and IPSec features, and the IPS signature file (the .sdf named by the "ip ips sdf location" lines) must be present on its flash memory. Once the router is up, "show ip ips configuration" confirms which signature file was loaded and which interfaces the rule is applied to. Check out the following FAQ for more info.

»Cisco Forum FAQ »Protect my network! How do I do that using Cisco IOS?
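The note above covers the IPS prerequisites; the configuration listed below also carries management-plane settings (telnet on the vty lines, cleartext HTTP, a writable SNMP community with no access-list, a wildcard pre-shared key, TKIP-only WPA) that a reviewer would want to check before reusing it. The script below is an added example, not code from the FAQ or from the thread: it parses an excerpt of the posted configuration into IOS sub-modes, reports those findings together with the two IPS prerequisites, and shows a corrected excerpt that passes. The check names, both excerpts and the hardened lines (ip ssh version 2, aes-ccm, access-list 102 on the SNMP community) are this example's choices, not something the page prescribes.

```python
"""Added example: static checks over a Cisco IOS running-config. Splits the
config into IOS sub-mode sections and flags the settings the posted config
leaves weak, beside a corrected excerpt. Check names are this example's own."""
import re
from typing import Callable, Dict, List, Tuple

Section = Tuple[str, str]  # (enclosing sub-mode header, stripped line)

# Excerpt of the posted config, trimmed to the lines the checks read (constructed).
POSTED = """\
ip ips sdf location flash://sdmips.sdf
ip ips name sdm_ips_rule
crypto isakmp key <removed> address 0.0.0.0 0.0.0.0 no-xauth
interface ATM0.1 point-to-point
 ip ips sdm_ips_rule in
 ip ips sdm_ips_rule out
interface Dot11Radio0
 encryption mode ciphers tkip
ip http server
snmp-server community <removed> RW
line vty 0 4
 transport input telnet ssh
"""
# Same excerpt with each finding corrected (constructed). The wildcard PSK is
# dropped rather than pinned: the posted config already enrolls a CA trustpoint
# and its isakmp policy 1 uses the default rsa-sig authentication. ACL 102 is
# the page's own management access-list.
HARDENED = """\
ip ssh version 2
ip ips sdf location flash://sdmips.sdf
ip ips name sdm_ips_rule
interface ATM0.1 point-to-point
 ip ips sdm_ips_rule in
interface Dot11Radio0
 encryption mode ciphers aes-ccm tkip
no ip http server
ip http secure-server
snmp-server community <removed> RO 102
line vty 0 4
 transport input ssh
"""

def parse_sections(text: str) -> List[Section]:
    """IOS indents the lines of a sub-mode (interface, line, vpdn-group); an
    unindented line is a global command and becomes its own section."""
    pairs: List[Section] = []
    section = ""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            section = raw.strip()
        pairs.append((section, raw.strip()))
    return pairs

def _has(pairs: List[Section], section_re: str, line_re: str) -> bool:
    """True if some line matching line_re sits inside a section matching section_re."""
    return any(re.match(section_re, s) and re.match(line_re, l) for s, l in pairs)

def _ips_rule_unapplied(pairs: List[Section]) -> bool:
    """An 'ip ips name' rule inspects nothing until an interface applies it."""
    names = {l.split()[3] for s, l in pairs if s == l and l.startswith("ip ips name ")}
    applied = {l.split()[2] for s, l in pairs
               if s.startswith("interface") and re.match(r"ip ips \S+ (in|out)$", l)}
    return bool(names - applied)

# finding id -> (predicate over the parsed sections, message)
CHECKS: Dict[str, Tuple[Callable[[List[Section]], bool], str]] = {
    "ips-sdf-missing": (lambda p: _has(p, ".*", "ip ips name ") and not _has(p, ".*", "ip ips sdf location "),
                        "IPS rule defined but no signature file (sdf) location"),
    "ips-rule-not-applied": (_ips_rule_unapplied, "IPS rule not applied to any interface"),
    "vty-telnet": (lambda p: _has(p, "line vty", r"transport input .*\btelnet\b"),
                   "vty accepts telnet; use 'transport input ssh'"),
    "ssh-version-unpinned": (lambda p: not _has(p, ".*", r"ip ssh version 2$"),
                             "SSHv1 fallback allowed; add 'ip ssh version 2'"),
    "http-cleartext": (lambda p: _has(p, ".*", r"ip http server$"),
                       "cleartext HTTP management; keep only 'ip http secure-server'"),
    "snmp-rw-no-acl": (lambda p: _has(p, ".*", r"snmp-server community \S+ RW$"),
                       "writable SNMP community with no access-list"),
    "wildcard-psk": (lambda p: _has(p, ".*", r"crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0"),
                     "one pre-shared key accepted from any peer; prefer rsa-sig with the CA trustpoint"),
    "wifi-tkip-only": (lambda p: _has(p, "interface Dot11Radio", r"encryption mode ciphers(?!.*aes-ccm)"),
                       "WPA with TKIP only; add aes-ccm"),
}

def audit_config(text: str) -> List[Tuple[str, str]]:
    """Return (finding id, message) for every check that fires on the config."""
    pairs = parse_sections(text)
    return [(name, msg) for name, (pred, msg) in CHECKS.items() if pred(pairs)]

if __name__ == "__main__":
    for label, cfg in (("posted excerpt", POSTED), ("hardened excerpt", HARDENED)):
        findings = audit_config(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for name, msg in findings:
            print(f"  {name}: {msg}")
```

Two caveats on the findings. The wildcard "address 0.0.0.0 0.0.0.0" key is what a pre-shared-key L2TP/IPsec road-warrior setup needs, since client addresses are unknown in advance; the way to remove it is the certificate path the posted config is already half-way into (the "titan" trustpoint enrolled against an MSCEP server, and isakmp policy 1 with no "authentication pre-share" line, so rsa-sig by default). And the config applies sdm_ips_rule both "in" and "out" on ATM0.1, so the signature engine sees outbound traffic as well as inbound; when weighing the performance question the thread title asks, try the rule inbound only before attributing the whole cost to IPS.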

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization exec default local 
aaa authorization network default group radius 
aaa authorization network sdm_vpn_group_ml_1 group radius 
aaa accounting exec default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting resource default start-stop-failure group radius
!
aaa session-id common
!
resource policy
!
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
ip icmp rate-limit unreachable 100
ip icmp rate-limit unreachable DF 1
ip cef
!
!
!
!
ip tcp ecn
ip tcp selective-ack
ip tcp window-size 65537
ip tcp synwait-time 10
no ip bootp server
ip domain name Company.local
ip name-server 192.168.<x>.<server>
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect tcp reassembly queue length 64
ip inspect name DEFAULT100 appfw DEFAULT100
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 ntp
ip inspect name DEFAULT100 http
ip inspect name DEFAULT100 https
ip inspect name DEFAULT100 fragment maximum 250 timeout 1
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 isakmp
ip inspect name DEFAULT100 ipsec-msft
ip inspect name DEFAULT100 l2tp
ip inspect name DEFAULT100 pptp
ip ips sdf location flash://sdmips.sdf
ip ips sdf location flash://128MB.sdf autosave
ip ips notify SDEE
ip ips name sdm_ips_rule
ip dhcp-server 192.168.x.server
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
 l2tp tunnel receive-window 256
!
!
appfw policy-name DEFAULT100
  application http
    strict-http action allow alarm
    port-misuse tunneling action allow alarm
!
password encryption aes
!
crypto pki trustpoint TP-self-signed-3534083426
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3534083426
 revocation-check none
 rsakeypair TP-self-signed-3534083426
!
crypto pki trustpoint titan
 enrollment mode ra
 enrollment url http://192.168.x.server:80/certsrv/mscep/mscep.dll
 usage ike
 password <removed>
 subject-name CN=Me,O=Company
 revocation-check crl none
!
!
crypto pki certificate chain TP-self-signed-3534083426
 certificate self-signed 01
  <removed>
  quit
crypto pki certificate chain titan
 certificate <removed>
  quit
 certificate ca <removed>
  quit
no crypto engine onboard 0
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 
   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16 
   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128 
   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E 
   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35 
   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85 
   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36 
   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE 
   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3 
   F3020301 0001
  quit
username xxx privilege 15 secret 5 <removed>
!
! 
!
crypto isakmp policy 1
 encr 3des
 group 2
 lifetime 900
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 900
crypto isakmp key <removed> address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec security-association idle-time 900
!
crypto ipsec transform-set ESP-3DES-SHA-transport esp-3des esp-sha-hmac 
 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto dynamic-map SDM_DYNMAP_1 1
 description L2TP/IPSec
 set transform-set ESP-3DES-SHA-transport 
 reverse-route
!
!
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
!
bridge irb
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description Internet$ES_WAN$$FW_OUTSIDE$
 bandwidth 18147
 ip address <my ip address> 255.255.248.0
 ip access-group 101 in
 ip verify unicast reverse-path 103
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 ip mtu 1500
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect DEFAULT100 out
 ip ips sdm_ips_rule in
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 no snmp trap link-status
 atm route-bridged ip
 atm route-bridged ipv6
 pvc BeUnlimited 0/101 
  oam-pvc manage
  encapsulation aal5snap
 !
 ipv6 enable
 ipv6 nd ra suppress
 crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 
 description L2TP
 ip unnumbered BVI1
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1360
 peer default ip address dhcp
 ppp mtu adaptive
 ppp authentication eap ms-chap-v2
 ppp ipcp header-compression ack
 ppp ipcp username unique
 ppp timeout idle 600 either
!
interface Dot11Radio0
 description Wireless interface
 no ip address
 no ip redirects
 no ip unreachables
 ip accounting access-violations
 countermeasure tkip hold-time 5
 !
 encryption mode ciphers tkip 
 !
 ssid Wireless
    authentication open 
    authentication key-management wpa
    guest-mode
    wpa-psk ascii <removed>
 !
 world-mode dot11d country GB indoor
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 no ip redirects
 no ip unreachables
 ip accounting access-violations
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description LAN$ES_LAN$$FW_INSIDE$
 ip address 192.168.<x>.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
ip route 0.0.0.0 0.0.0.0 <gateway>
!
ip flow-top-talkers
 top 25
 sort-by bytes
 cache-timeout 36000
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface ATM0.1 overload
ip nat inside source static udp 192.168.<x>.<server> 5005 interface ATM0.1 5005
ip nat inside source static udp 192.168.<x>.<server> 1755 interface ATM0.1 1755
ip nat inside source static tcp 192.168.<x>.<server> 1755 interface ATM0.1 1755
ip nat inside source static tcp 192.168.<x>.<server> 554 interface ATM0.1 554
ip nat inside source static tcp 192.168.<x>.<server> 3389 interface ATM0.1 3389
ip nat inside source static tcp 192.168.<x>.<server> 1723 interface ATM0.1 1723
ip nat inside source static tcp 192.168.<x>.<server> 4125 interface ATM0.1 4125
ip nat inside source static tcp 192.168.<x>.<server> 444 interface ATM0.1 444
ip nat inside source static tcp 192.168.<x>.<server> 443 interface ATM0.1 443
ip nat inside source static tcp 192.168.<x>.<server> 25 interface ATM0.1 25
ip nat inside source static tcp 192.168.<x>.<server> 80 interface ATM0.1 80
!
logging trap debugging
logging 192.168.<x>.<server>
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.<x>.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 192.168.<x>.<server> eq 1645 host 192.168.<x>.1
access-list 100 permit udp host 192.168.<x>.<server> eq 1646 host 192.168.<x>.1
access-list 100 deny   ip 87.194.32.0 0.0.7.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit gre any any log
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip host 0.0.0.0 any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip host 255.255.255.255 any log
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any log
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any log
access-list 101 permit tcp any host <my ip address> eq www
access-list 101 permit esp any host <my ip address>
access-list 101 permit udp any host <my ip address> eq isakmp
access-list 101 permit udp any host <my ip address> eq non500-isakmp
access-list 101 permit udp any host <my ip address> eq 5005
access-list 101 permit udp any host <my ip address> eq 1755
access-list 101 permit tcp any host <my ip address> eq 1755
access-list 101 permit tcp any host <my ip address> eq 554
access-list 101 permit tcp any host <my ip address> eq 3389
access-list 101 permit tcp any host <my ip address> eq 1723
access-list 101 permit gre any host <my ip address> log
access-list 101 permit tcp any host <my ip address> eq 4125
access-list 101 permit tcp any host <my ip address> range 443 444
access-list 101 permit tcp any host <my ip address> eq smtp
access-list 101 permit icmp any host <my ip address> echo-reply
access-list 101 permit icmp any host <my ip address> time-exceeded
access-list 101 permit icmp any host <my ip address> unreachable
access-list 101 remark Auto generated by SDM for NTP (123) 0.uk.pool.ntp.org
access-list 101 permit udp host 213.2.4.80 eq ntp host <my ip address> eq ntp
access-list 101 remark Auto generated by SDM for NTP (123) 193.190.230.66
access-list 101 permit udp host 193.190.230.66 eq ntp host <my ip address> eq ntp
access-list 101 deny   icmp any any redirect log
access-list 101 deny   ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.<x>.0 0.0.0.255 any
access-list 102 deny   ip any any
access-list 103 remark Log any unicast reverse path packets
access-list 103 remark SDM_ACL Category=1
access-list 103 remark Deny any packets that fail unicast reverse path
access-list 103 deny   ip any any log
snmp-server community <removed> RW
snmp-server community <removed> RO
no cdp run
!
!
!
radius-server host 192.168.<x>.<server> auth-port 1645 acct-port 1646 key 7 <removed>
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and 
it provides the default username "cisco" for  one-time use. If you have already 
used the username "cisco" to login to the router and your IOS image supports the 
"one-time" user option, then this username has already expired. You will not be 
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level 
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to 
use.
 
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
 speed 115200
line aux 0
 transport output telnet
line vty 0 4
 access-class 102 in
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp logging
ntp clock-period 17175097
ntp source BVI1
ntp server 193.190.230.66 source ATM0.1
ntp server 213.2.4.80 source ATM0.1
!
webvpn install svc flash:/webvpn/svc.pkg
end
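Reading access-list 101 top to bottom is exactly how IOS evaluates it: the first matching entry decides and the list ends in an implicit deny, so the anti-spoofing denies at the top only protect the permits because of their position. The evaluator below is an added example, not from the page or the thread: it parses a trimmed copy of ACL 101 (203.0.113.5 substituted for the redacted <my ip address>) and classifies a few constructed packets. It handles only the syntax forms this ACL uses, namely any/host/contiguous-wildcard addresses, the eq and range port operators, and the named ports and ICMP types that appear here.

```python
"""Added example: first-match evaluation of the posted inbound ACL 101. Parses
the numbered extended-ACL syntax the page uses (any / host / wildcard, eq /
range, named ports, ICMP type names) and classifies constructed packets."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple
WAN_IP = "203.0.113.5"  # documentation address standing in for <my ip address>
PORT_NAMES = {"www": 80, "smtp": 25, "isakmp": 500, "non500-isakmp": 4500, "ntp": 123}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "redirect": 5, "echo": 8, "time-exceeded": 11}

# Trimmed copy of access-list 101 from the page, entries kept in their original order.
ACL_101 = f"""
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 permit tcp any host {WAN_IP} eq www
access-list 101 permit esp any host {WAN_IP}
access-list 101 permit tcp any host {WAN_IP} eq 3389
access-list 101 permit tcp any host {WAN_IP} range 443 444
access-list 101 permit icmp any host {WAN_IP} echo-reply
access-list 101 permit udp host 213.2.4.80 eq ntp host {WAN_IP} eq ntp
access-list 101 deny   icmp any any redirect log
access-list 101 deny   ip any any log
"""

@dataclass
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[Tuple[int, int]]
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple[int, int]]
    icmp_type: Optional[int]
    text: str

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1

def _addr(tok: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        return ipaddress.IPv4Network(t and tok.pop(0) + "/32")
    w = int(ipaddress.IPv4Address(tok.pop(0)))  # IOS wildcard: 1 bits are don't-care
    if (w + 1) & w:
        raise ValueError("non-contiguous wildcard masks are not supported here")
    return ipaddress.IPv4Network((t, 32 - w.bit_length()), strict=False)

def _ports(tok: List[str]) -> Optional[Tuple[int, int]]:
    """Consume an optional 'eq X' or 'range A B' operator; ports may be IOS names."""
    if not tok or tok[0] not in ("eq", "range"):
        return None
    n = 2 if tok.pop(0) == "range" else 1
    vals = [PORT_NAMES.get(t) or int(t) for t in (tok.pop(0) for _ in range(n))]
    return (vals[0], vals[-1])

def parse_acl(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, sport = _addr(rest), _ports(rest)   # left to right: source, then its port op
        dst, dport = _addr(rest), _ports(rest)
        icmp = ICMP_TYPES[rest[0]] if proto == "icmp" and rest and rest[0] in ICMP_TYPES else None
        entries.append(Entry(action, proto, src, sport, dst, dport, icmp, line.strip()))
    return entries

def matches(e: Entry, p: Packet) -> bool:
    return ((e.proto == "ip" or e.proto == p.proto)
            and ipaddress.IPv4Address(p.src) in e.src
            and ipaddress.IPv4Address(p.dst) in e.dst
            and (e.sport is None or e.sport[0] <= p.sport <= e.sport[1])
            and (e.dport is None or e.dport[0] <= p.dport <= e.dport[1])
            and (e.icmp_type is None or e.icmp_type == p.icmp_type))

def evaluate(entries: List[Entry], p: Packet) -> Tuple[str, str]:
    """First matching entry wins; an IOS ACL ends in an implicit deny."""
    for e in entries:
        if matches(e, p):
            return e.action, e.text
    return "deny", "(implicit deny)"

if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    for pkt in (Packet("tcp", "198.51.100.7", WAN_IP, 51000, 3389),    # RDP port-forward
                Packet("tcp", "192.168.1.9", WAN_IP, 51000, 80),      # spoofed RFC1918 source
                Packet("icmp", "198.51.100.7", WAN_IP, icmp_type=8)):  # inbound ping
        print(pkt, "->", evaluate(acl, pkt))
```

Two things the run makes visible: an inbound ping is dropped because only echo-reply is permitted, and NTP is accepted only from the servers SDM wrote explicit entries for, so changing the "ntp server" lines without updating ACL 101 silently breaks time sync. Every rejected packet also hits "deny ip any any log", and with "logging trap debugging" pointed at the internal syslog server, that final entry is where most of the router's log volume will come from.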
 


by aryoba See Profile
last modified: 2007-07-11 11:09:37