Manta
Premium
join:2003-11-04
UK

[Config] Example config showing wireless, PEAP, GRE, IPSEC etc

I've got a significant amount of help from people here on various topics - including the wireless involved here - and wanted to post back my config with what I've learned so far. Hopefully it will be useful to some and possibly I might get suggested improvements back.

I have trimmed the irrelevant things out - like multiple port-map entries - and hopefully all the sensitive stuff like passwords and external IPs, but I've tried to keep it as complete as possible to be as useful as possible. If I've missed censoring something I should have, please let me know though!

I'm quite happy to answer questions on how or why I've done things if people have them.

If there's interest in a particular chunk of code, I might try (with somebody's help) to turn it into a FAQ post.

Many thanks for everyone's continued support,

Gareth

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
!
hostname <hostname>
!
boot-start-marker
boot-end-marker
!
logging buffered 40960 warnings
enable secret <secret>
!
aaa new-model
!
!
aaa group server radius wireless-radius
 server 10.1.0.2 auth-port 1645 acct-port 1646
 ip radius source-interface Vlan1
!
aaa authentication login local-auth local-case
aaa authentication login wireless-eap group wireless-radius
aaa authentication ppp default local-case
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
dot11 association mac-list 700
dot11 syslog
!
dot11 ssid w-secure
   vlan 2
   authentication open eap wireless-eap
   authentication key-management wpa
!
dot11 ssid w-ps3
   vlan 3
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii <WPA key>
!
no ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name bullet-systems.com
ip multicast-routing
ip inspect udp idle-time 15
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
ip inspect name INTERNET-OUT tcp alert on
ip inspect name INTERNET-OUT udp alert on
ip inspect name INTERNET-OUT http java-list 2 alert on
ip inspect name INTERNET-OUT ftp alert on timeout 300
ip inspect name INTERNET-OUT tftp alert on
ip inspect name INTERNET-OUT sip alert on
ip inspect name INTERNET-OUT rtsp alert on
ip ips name INTERNET-OUT
!
multilink bundle-name authenticated
!
!
username <username> secret <secret>
!
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key <preshared key> address <vpn endpoint1>
crypto isakmp key <preshared key> address <vpn endpoint2>
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set ipsec-tunnel esp-3des esp-sha-hmac
!
crypto map vpn-tunnel 100 ipsec-isakmp
 description A to B IPSec tunnel to carry GRE
 set peer <endpoint IP>
 set transform-set ipsec-tunnel
 set pfs group5
 match address adsl-gre
!
crypto map vpn-tunnel 110 ipsec-isakmp
 description A to B via SDSL
 set peer <endpoint IP>
 set transform-set ipsec-tunnel
 set pfs group5
 match address sdsl-gre
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any voip
 match ip rtp 9000 20
 match access-group name voip
!
!
policy-map voip
 class voip
  priority 516
 class class-default
  fair-queue
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.255
!
interface Loopback5
 ip address 192.168.1.5 255.255.255.255
!
interface Tunnel0
 description Tunnel over ADSL
 bandwidth 800
 ip unnumbered Loopback0
 ip load-sharing per-packet
 ip multicast boundary multicast-boundary
 ip virtual-reassembly
 ip tcp adjust-mss 1200
 qos pre-classify
 keepalive 3 3
 tunnel source Loopback0
 tunnel destination 192.168.1.2
 tunnel key 0
 tunnel bandwidth transmit 800
!
interface Tunnel5
 description Tunnel SDSL
 bandwidth 800
 bandwidth receive 1024
 ip unnumbered Loopback5
 ip load-sharing per-packet
 ip multicast boundary multicast-boundary
 ip virtual-reassembly
 ip tcp adjust-mss 1200
 qos pre-classify
 keepalive 3 3
 tunnel source Loopback5
 tunnel destination 192.168.1.6
 tunnel key 5
 tunnel bandwidth transmit 800
!
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  ubr 832
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
  service-policy output voip
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 3 mode ciphers aes-ccm
 !
 ssid w-secure
 !
 ssid w-ps3
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.2
 description Wireless VLAN for laptop and trusted machines
 encapsulation dot1Q 2
 ip address 10.2.2.1 255.255.255.0
 ip helper-address 10.1.0.2
 ip nat inside
 ip virtual-reassembly
!
interface Dot11Radio0.3
 description Wireless VLAN for PS3
 encapsulation dot1Q 3
 ip address 10.2.3.1 255.255.255.0
 ip access-group wireless-lockdown in
 ip helper-address 10.1.0.2
 ip pim sparse-dense-mode
 ip nat inside
 ip virtual-reassembly
!
interface Vlan1
 description Local Area Network
 bandwidth 100000
 ip address 10.1.0.1 255.255.255.0
 ip access-group ethernet-in in
 ip nbar protocol-discovery
 ip pim sparse-dense-mode
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface Dialer0
 description ADSL line 8192kbps/832kbps
 bandwidth 8192
 ip address negotiated
 ip access-group internet-in in
 no ip proxy-arp
 ip multicast boundary multicast-boundary
 ip nat outside
 ip inspect INTERNET-OUT out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp chap hostname <username>
 ppp chap password <password>
 crypto map vpn-tunnel
!
no ip forward-protocol nd
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip route 10.1.1.0 255.255.255.0 Tunnel5
!
!
no ip http server
no ip http secure-server
ip nat translation timeout 1800
ip nat translation tcp-timeout 300
ip nat translation finrst-timeout 15
ip nat translation syn-timeout 45
ip nat translation max-entries host 10.1.0.52 1500
ip nat pool used-ip-block <start> <end> prefix-length 29
ip nat pool unused-ip-block <start> <end> prefix-length 29
ip nat inside source list nat-list pool used-ip-block overload
ip nat inside source static tcp <inside host> <tcp port> <outside IP> <tcp port> extendable
ip nat inside source static udp <inside host> <udp port> <outside IP> <udp port> extendable
!
ip access-list standard multicast-boundary
 deny   239.255.0.0 0.0.255.255
 permit any
!
ip access-list extended sdsl-gre
 permit ip host 192.168.1.5 host 192.168.1.6
!
ip access-list extended ethernet-in
 permit ip any host 192.168.2.2
 remark Invalid internet addresses
 deny   ip any 0.0.0.0 0.255.255.255 log
 deny   ip any 127.0.0.0 0.255.255.255 log
 deny   ip any 169.254.0.0 0.0.255.255 log
 deny   ip any 192.0.2.0 0.0.0.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 remark Other
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit tcp any any
 permit udp any any
 permit igmp 10.1.0.0 0.0.0.255 any
 deny   ip any any log
!
ip access-list extended internet-in
 permit esp host <vpn endpoint> any
 permit udp host <vpn endpoint> eq isakmp any eq isakmp
 remark Invalid internet addresses
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 permit tcp any any eq domain
 permit udp any any eq domain
 remark Other
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 permit udp host 158.43.128.33 any eq ntp
 permit udp host 158.43.128.66 any eq ntp
 deny   ip any any log
!
ip access-list extended adsl-gre
 permit ip host 192.168.1.1 host 192.168.1.2
!
ip access-list extended nat-list
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 10.2.2.0 0.0.0.255 any
 permit ip 10.2.3.0 0.0.0.255 any
!
ip access-list extended voip
 permit ip any 217.10.79.0 0.0.0.255
 permit udp host 10.1.0.2 range 9000 9020 any
!
ip access-list extended wireless-lockdown
 permit tcp 10.2.3.0 0.0.0.255 host 10.1.0.2 eq domain
 permit udp 10.2.3.0 0.0.0.255 host 10.1.0.2 eq domain
 permit tcp 10.2.3.0 0.0.0.255 host 10.1.1.2 eq domain
 permit udp 10.2.3.0 0.0.0.255 host 10.1.1.2 eq domain
 permit ip 10.2.3.0 0.0.0.255 host 10.1.0.3
 permit udp any eq bootpc any eq bootps
 deny   ip 10.2.3.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny   ip 10.2.3.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 permit igmp 10.2.3.0 0.0.0.255 any
 permit ip 10.2.3.0 0.0.0.255 any
!
ip radius source-interface Vlan1
logging history size 100
access-list 1 remark SNMP access
access-list 1 permit 10.1.0.2
access-list 1 deny   any log
!
access-list 2 remark JAVA applet firewall exception list
access-list 2 permit 72.5.124.95
access-list 2 permit 85.210.20.0 0.0.0.255
!
!
access-list 700 permit 0123.4567.8901   0000.0000.0000
!
snmp-server community <read-only community name> RO 1
snmp-server contact Me
snmp-server chassis-id <id>
snmp-server enable traps tty
!
!
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.1.0.2 auth-port 1645 acct-port 1646 key <key>
radius-server vsa send accounting
!
control-plane
!
banner login ^CC
Access to this device is only permitted by authorised users
All access to this device is logged
^C
!
line con 0
 logging synchronous
 login authentication local-auth
 no modem enable
 stopbits 1
line aux 0
 login authentication local-auth
 stopbits 1
line vty 0 4
 exec-timeout 20 0
 logging synchronous
 login authentication local-auth
 transport input ssh
!
scheduler max-task-time 5000
sntp server 158.43.128.33
sntp server 158.43.128.66
!
!
end
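The access-lists above are evaluated top-down, first match wins, with an implicit deny at the end, and the wildcard masks (`0.15.255.255` for 172.16.0.0/12, for instance) decide which bits of an address must match. The following is an added example, not code from the original post: a small Python evaluator for the subset of IOS extended-ACL syntax used in this config (`any`/`host`/wildcard addresses, `eq`/`range` ports, ICMP type keywords, `remark` and `log`), run over a copy of the poster's `internet-in` list. The VPN peer, censored as `<vpn endpoint>` in the post, is replaced here by the documentation address 198.51.100.1, and 203.0.113.7 stands in for the router's negotiated public address; both are assumptions made for the example. Keywords the config does not use (`established`, `gt`/`lt`/`neq`, object groups) are not handled.

```python
# Added example, not from the original post: first-match evaluator for the IOS extended-ACL subset used on this page.
import ipaddress
from collections import namedtuple

PORT_NAMES = {"domain": 53, "isakmp": 500, "ntp": 123, "bootpc": 68, "bootps": 67}  # IOS keywords seen on this page

# Constructed copy of the page's 'internet-in' ACL. The poster censored the VPN peer as
# <vpn endpoint>; 198.51.100.1 (RFC 5737 documentation space) is a stand-in for this example.
INTERNET_IN = """\
permit esp host 198.51.100.1 any
permit udp host 198.51.100.1 eq isakmp any eq isakmp
remark Invalid internet addresses
deny   ip 0.0.0.0 0.255.255.255 any log
deny   ip 10.0.0.0 0.255.255.255 any log
deny   ip 127.0.0.0 0.255.255.255 any log
deny   ip 169.254.0.0 0.0.255.255 any log
deny   ip 172.16.0.0 0.15.255.255 any log
deny   ip 192.0.2.0 0.0.0.255 any log
deny   ip 192.168.0.0 0.0.255.255 any log
permit tcp any any eq domain
permit udp any any eq domain
remark Other
permit icmp any any unreachable
permit icmp any any time-exceeded
permit icmp any any echo-reply
permit udp host 158.43.128.33 any eq ntp
permit udp host 158.43.128.66 any eq ntp
deny   ip any any log
"""

Entry = namedtuple("Entry", "action proto src sport dst dport icmp_type text")
# icmp_type is the IOS keyword ("echo-reply", ...) or "" for any type; sport/dport default to 0.
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type", defaults=(0, 0, ""))

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _parse_addr(tokens, i):
    """'any' | 'host A' | 'A WILDCARD' -> ((base, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2

def _parse_ports(tokens, i):
    """Optional 'eq P' or 'range LO HI' after an address; absent means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        p = _port(tokens[i + 1])
        return (p, p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (_port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    return (0, 65535), i

def parse_acl(text):
    """Parse ACL lines (as shown by 'show run') into Entry tuples; remarks are skipped."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_ports(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_ports(tokens, i)
        rest = tokens[i:]  # optional ICMP type keyword and/or 'log'
        icmp_type = rest[0] if proto == "icmp" and rest and rest[0] != "log" else ""
        entries.append(Entry(action, proto, src, sport, dst, dport, icmp_type, " ".join(tokens)))
    return entries

def _addr_ok(spec, addr):
    # A set wildcard bit means "don't care": only bits outside the wildcard must equal base.
    base, wildcard = spec
    return ((_ip(addr) ^ base) & (~wildcard & 0xFFFFFFFF)) == 0

def evaluate(entries, pkt):
    """Return (action, matching line). IOS evaluates top-down and stops at the first
    match; a packet that matches no line hits the implicit deny at the end."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_addr_ok(e.src, pkt.src) and _addr_ok(e.dst, pkt.dst)):
            continue
        if e.proto in ("tcp", "udp") and not (
                e.sport[0] <= pkt.sport <= e.sport[1] and e.dport[0] <= pkt.dport <= e.dport[1]):
            continue
        if e.icmp_type and e.icmp_type != pkt.icmp_type:
            continue
        return e.action, e.text
    return "deny", "implicit deny"

if __name__ == "__main__":
    acl = parse_acl(INTERNET_IN)  # 203.0.113.7 below stands in for the router's public address
    print(evaluate(acl, Packet("udp", "10.9.9.9", "203.0.113.7", 500, 500)))        # spoofed RFC 1918 source
    print(evaluate(acl, Packet("icmp", "8.8.8.8", "203.0.113.7", icmp_type="echo")))  # inbound ping
```

Running it shows the bogon lines catching a spoofed 10.x source before the ISAKMP permit is ever considered, an inbound echo falling through to the final `deny ip any any log` because only `echo-reply` is permitted, and a DNS reply to a high port being denied by the list on its own. That last result is the caveat to keep in mind when reading `internet-in`: on the router, `ip inspect INTERNET-OUT out` on Dialer0 adds temporary entries for return traffic of sessions it saw leave, so the static ACL understates what is actually admitted and has to be read together with the inspect rules. The simulation also makes it easy to see that the two `permit ... any any eq domain` lines admit unsolicited traffic to port 53 from any source, which is worth confirming is intended.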
 

aryoba
Premium,MVM
join:2002-08-22
kudos:4

Re: [Config] Example config showing wireless, PEAP, GRE, IPSEC etc

Of course we can always have more sample configurations for the FAQ.

However, if you don't mind, can you post detailed descriptions of the objective of such a configuration? I'm sure a lot of people wonder why you configure the router in such a way.

Manta
Premium
join:2003-11-04
UK
reply to Manta
Sure, I'll try to annotate it when I get a second.