This is the router configuration that I made with a colleague. It is a configuration with an ADSL connection and an SHDSL connection.
The configuration has a local LAN IP and a DMZ IP. You can use this configuration as it is, or take it as the basis for a new config for your own solution. If you have any questions about it, do not hesitate to contact me.
You will find some Dutch words (like naar, which means TO).
Building configuration...
Current configuration : 21094 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname < Hostname >
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 notifications
enable password < password >
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login CVPN group radius
aaa authentication ppp default local
aaa authorization network default local
!
!
aaa session-id common
clock timezone GMT+1 1
clock summer-time GMT+1 recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-1719397329
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1719397329
revocation-check none
rsakeypair TP-self-signed-1719397329
!
!
crypto pki certificate chain TP-self-signed-1719397329
certificate self-signed 01
< Will be created on its own >
quit
crypto pki certificate storage flash:/certificat/
!
!
ip cef
!
!
ip domain name < domain name >
ip name-server < dns server 1 >
ip name-server < dns server 2 >
ip inspect name FW_Dialer10_IN tcp
ip inspect name FW_Dialer10_IN udp
ip inspect name FW_Dialer10_IN icmp
ip inspect name FW_Dialer10_IN ftp
ip inspect name FW_Dialer10_IN ssh
ip inspect name FW_Dialer10_IN ntp
ip inspect name FW_Dialer10_IN isakmp
ip inspect name FW_Dialer10_IN fragment maximum 256 timeout 1
ip inspect name FW_Dialer10_OUT icmp
ip inspect name FW_Dialer10_OUT ftp
ip inspect name FW_Dialer10_OUT rtsp
ip inspect name FW_Dialer10_OUT fragment maximum 256 timeout 1
ip inspect name FW_Dialer10_OUT tcp router-traffic
ip inspect name FW_Dialer10_OUT udp router-traffic
ip inspect name FW_Dialer11_IN tcp
ip inspect name FW_Dialer11_IN udp
ip inspect name FW_Dialer11_IN icmp
ip inspect name FW_Dialer11_IN ftp
ip inspect name FW_Dialer11_IN ssh
ip inspect name FW_Dialer11_IN ntp
ip inspect name FW_Dialer11_IN isakmp
ip inspect name FW_Dialer11_IN fragment maximum 256 timeout 1
ip inspect name FW_Dialer11_OUT icmp
ip inspect name FW_Dialer11_OUT rtsp
ip inspect name FW_Dialer11_OUT fragment maximum 256 timeout 1
ip inspect name FW_Dialer11_OUT tcp router-traffic
ip inspect name FW_Dialer11_OUT udp router-traffic
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips notify SDEE
ip ips name IPS_Dialer10_OUT
ip ips name IPS_Dialer10_IN
ip ips name IPS_Dialer11_OUT
ip ips name IPS_Dialer11_IN
!
multilink bundle-name authenticated
!
async-bootp dns-server < internal dns server >
async-bootp nbns-server < internal nbns server >
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username < name > password < password >
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp nat keepalive 15
!
crypto isakmp client configuration group < Group Name >
key < key name >
dns < internal dns server >
wins < internal wins server >
domain < domain name >
pool VPNCLIENT
acl ACL_VPN
save-password
split-dns < domain name >
backup-gateway < backup gateway >
netmask 255.255.255.0
crypto isakmp profile CIP_CVPN_CLIENT
match identity group < Group Name >
client authentication list CVPN
isakmp authorization list CVPN
client configuration address respond
!
!
crypto ipsec transform-set CIT_CVPN_CLIENT esp-aes 256 esp-sha-hmac
!
crypto dynamic-map CDM_CVPN_CLIENT 10
set transform-set CIT_CVPN_CLIENT
set isakmp-profile CIP_CVPN_CLIENT
!
!
crypto map CMP_CVPN_CLIENT 10 ipsec-isakmp dynamic CDM_CVPN_CLIENT
!
archive
log config
hidekeys
!
!
controller DSL 0/1/0
mode atm
line-term cpe
line-mode auto enhanced
dsl-mode shdsl symmetric annex B
description < Description line >
!
ip ssh rsa keypair-name RSA_SSH
!
track 10 rtr 10 reachability
!
track 12 rtr 12 reachability
!
!
!
!
interface Loopback10
description Bypass NAT for IPsec traffic
ip address 1.1.192.1 255.255.255.0
!
interface Loopback252
description Cisco SSL VPN Client for WebVPN
ip address < loopback address >
ip route-cache same-interface
ip route-cache policy
ip route-cache flow
!
interface Null0
no ip unreachables
!
interface GigabitEthernet0/0
description < LAN Description >
ip address < Lan IP Address >
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache same-interface
ip route-cache policy
ip route-cache flow
ip policy route-map RMP_GigabitEthernet0/0_NO_NAT
duplex auto
speed auto
hold-queue 100 in
hold-queue 100 out
!
interface GigabitEthernet0/1
description DMZ to Webserver
ip address < DMZ IP address >
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache same-interface
ip route-cache policy
ip route-cache flow
ip policy route-map RMP_GigabitEthernet0/1_NO_NAT
duplex auto
speed auto
hold-queue 100 in
hold-queue 100 out
!
interface ATM0/0/0
description < Adsl description >
no ip address
no ip route-cache cef
no ip route-cache
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/48 < VPI/VCI may vary per ISP >
encapsulation aal5mux ppp dialer
dialer pool-member 10
!
!
interface ATM0/1/0
description < shdsl description >
no ip address
no ip route-cache cef
no ip route-cache
no atm auto-configuration
no atm ilmi-keepalive
no atm address-registration
no atm ilmi-enable
pvc 0 0/35 < VPI/VCI may vary per ISP >
encapsulation aal5mux ppp dialer
dialer pool-member 11
!
!
interface Dialer10
description connected to ATM0/0/0 - ADSL over POTS
ip address negotiated
ip access-group ACL_Dialer10_IN in
ip access-group ACL_Dialer10_OUT out
no ip redirects
no ip proxy-arp
ip nat outside
ip inspect FW_Dialer10_IN in
ip inspect FW_Dialer10_OUT out
ip ips IPS_Dialer10_IN in
ip ips IPS_Dialer10_OUT out
ip virtual-reassembly
encapsulation ppp
dialer pool 10
dialer idle-timeout 0
dialer persistent
dialer-group 10
no cdp enable
ppp authentication pap callin
ppp pap sent-username < username@ISP.xxx > password < password >
crypto map CMP_CVPN_CLIENT
!
interface Dialer11
description connected to ATM0/1/0 - SHDSL
ip address negotiated
ip access-group ACL_Dialer11_IN in
ip access-group ACL_Dialer11_OUT out
no ip redirects
no ip proxy-arp
ip nat outside
ip inspect FW_Dialer11_IN in
ip inspect FW_Dialer11_OUT out
ip ips IPS_Dialer11_IN in
ip ips IPS_Dialer11_OUT out
ip virtual-reassembly
encapsulation ppp
dialer pool 11
dialer idle-timeout 0
dialer persistent
dialer-group 11
no cdp enable
ppp authentication pap callin
ppp pap sent-username < username@ISP.xxx > password < password >
crypto map CMP_CVPN_CLIENT
!
ip local policy route-map RMP_LOCAL_POLICY
ip local pool VPNCLIENT < VPN IP Range DHCP Pool >
ip local pool ILP_WVPN_CLIENT < WebVPN IP Range DHCP Pool >
no ip forward-protocol nd
ip route < VPN IP Range with subnetmask > Dialer11 track 10
ip route 0.0.0.0 0.0.0.0 Dialer10 track 12
ip route 0.0.0.0 0.0.0.0 Dialer11 200
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route < VPN IP Range with subnetmask > Dialer10 200
ip route 192.168.0.0 255.255.0.0 Null0
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat translation timeout 300
ip nat inside source route-map RMP_Dialer10_OVERLOAD interface Dialer10 overload
ip nat inside source route-map RMP_Dialer11_OVERLOAD interface Dialer11 overload
ip nat inside source static tcp < local IP > 3389 < external IP > 3389 extendable
!
ip access-list standard ACL_VTY04_IN
permit < ip range who has access for telnet >
!
ip access-list extended ACL_Dialer10_IN
remark VPN
permit udp any any eq isakmp
permit esp any any
permit gre any any
permit tcp any any eq 1723
permit udp any any eq non500-isakmp
permit udp any eq non500-isakmp any
permit ip < VPN IP Range to Local LAN ip with both wild cards >
permit ip < VPN IP Range to Local DMZ ip with both wild cards >
remark router ports
permit tcp any any eq 22
permit udp any any eq ntp
permit udp any any eq snmp
remark < servername >
permit tcp any any eq 3389
remark < servername >
permit tcp any any eq www
permit tcp any any eq 443
remark < servername >
permit tcp any any eq smtp
remark ABN-AMRO OfficeNet Extra
permit tcp host 193.172.44.45 any
permit tcp host 193.172.44.78 any
permit tcp host 194.151.107.44 any
permit tcp host 194.151.107.76 any
remark Anti-spoofing
deny ip host 0.0.0.0 any
deny ip host 255.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
remark ICMP
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any unreachable
deny icmp any any
deny tcp any range 0 65535 any range 0 65535
deny udp any range 0 65535 any range 0 65535
deny ip any any
ip access-list extended ACL_Dialer10_OUT
remark VPN
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any eq non500-isakmp any
permit esp any any
permit gre any any
permit tcp any any eq 1723
remark Standard WWW services
permit tcp any any eq www
permit udp any any eq domain
permit tcp any any eq domain
permit tcp any any eq smtp
permit tcp any any eq 443
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit tcp any any eq pop3
permit tcp any any eq nntp
permit tcp any any eq 22
permit tcp any any eq telnet
permit udp any any eq ntp
remark Belastingdienst
permit tcp any any eq 143
permit tcp any any eq 587
remark LDAP
permit tcp any any eq 389
remark HDN Lite
permit tcp any any eq 1150
remark Rabobank Telebankieren Extra
permit tcp any any eq 2901
remark Citrix ICA
permit tcp any any eq 1494
permit tcp any any eq 2598
remark Windows Media
permit tcp any any eq 1755
remark Windows Messenger
permit tcp any any eq 1863
permit udp any any range 1024 65535
permit tcp any any range 6891 6900
remark Microsoft RDP
permit tcp any any eq 3389
permit icmp any any
remark Mcafee
permit tcp any any eq 8801
deny tcp any range 0 65535 any range 0 65535
deny udp any range 0 65535 any range 0 65535
deny ip any any
ip access-list extended ACL_Dialer10_OVERLOAD
deny ip < local LAN IP Range to VPN IP Range with wildcards >
deny ip < local DMZ IP Range to VPN IP Range with wildcards >
permit ip < Local LAN IP Range with wildcard > any
permit ip < Local DMZ IP Range with wildcard > any
ip access-list extended ACL_Dialer11_IN
remark VPN
permit udp any any eq isakmp
permit esp any any
permit gre any any
permit tcp any any eq 1723
permit udp any any eq non500-isakmp
permit udp any eq non500-isakmp any
permit ip < VPN IP Range to Local LAN ip with both wild cards >
permit ip < VPN IP Range to Local DMZ ip with both wild cards >
remark router ports
permit tcp any any eq 22
permit udp any any eq snmp
remark SSL VPN
permit tcp any host < SSL VPN IP ADDRESS > eq www
permit tcp any host < SSL VPN IP ADDRESS > eq 443
remark < servername >
permit tcp any host < 2nd External IP > eq 3389
remark XCH01
permit tcp any host < 1st External IP > eq 3389
remark < servername >
permit tcp any host < 3rd External IP > eq www
permit tcp any host < 3rd External IP > eq 443
permit tcp any host < 3rd External IP > eq 3389
remark < servername >
permit tcp any host < 4th External IP > eq 3389
remark Anti-spoofing
deny ip host 0.0.0.0 any
deny ip host 255.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
remark ICMP
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any unreachable
deny icmp any any
deny tcp any range 0 65535 any range 0 65535
deny udp any range 0 65535 any range 0 65535
deny ip any any
ip access-list extended ACL_Dialer11_OUT
remark VPN
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any eq non500-isakmp any
permit esp any any
permit gre any any
permit tcp any any eq 1723
remark Standard WWW services
permit tcp any any eq www
permit udp any any eq domain
permit tcp any any eq domain
permit tcp any any eq smtp
permit tcp any any eq 443
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit tcp any any eq pop3
permit tcp any any eq nntp
permit tcp any any eq 22
permit tcp any any eq telnet
permit udp any any eq ntp
remark Belastingdienst
permit tcp any any eq 143
permit tcp any any eq 587
remark LDAP
permit tcp any any eq 389
remark HDN Lite
permit tcp any any eq 1150
remark Rabobank Telebankieren Extra
permit tcp any any eq 2901
remark Citrix ICA
permit tcp any any eq 1494
permit tcp any any eq 2598
remark Windows Media
permit tcp any any eq 1755
remark Windows Messenger
permit tcp any any eq 1863
permit udp any any range 1024 65535
permit tcp any any range 6891 6900
remark Microsoft RDP
permit tcp any any eq 3389
permit icmp any any
remark Mcafee
permit tcp any any eq 8801
deny tcp any range 0 65535 any range 0 65535
deny udp any range 0 65535 any range 0 65535
deny ip any any
ip access-list extended ACL_Dialer11_OVERLOAD
deny ip < local LAN IP Range to VPN IP Range with wildcards >
deny ip < local DMZ IP Range to VPN IP Range with wildcards >
permit ip < Local LAN IP Range with wildcard > any
permit ip < Local DMZ IP Range with wildcard > any
ip access-list extended ACL_GigabitEthernet0/0_NO_NAT
permit ip < local LAN IP Range to VPN IP Range with wildcards >
ip access-list extended ACL_GigabitEthernet0/1_NO_NAT
permit ip < local DMZ IP Range to VPN IP Range with wildcards >
ip access-list extended ACL_NAAR_ISP
remark Ping dns
permit icmp any host < ISP dns > echo
ip access-list extended ACL_SDSL_REDIRECT
remark VPN
deny ip any < VPN IP Range with wild card >
remark < servername > (< domain name application >)
permit tcp host < DMZ IP address > eq www any
permit tcp host < DMZ IP address > eq 443 any
permit tcp host < DMZ IP address > eq 3389 any
remark < servername > (servername.domain name)
permit tcp host < LAN IP Exchange server > eq 3389 any
remark < servername > (servername.domain name)
permit tcp host < LAN IP server > eq 3389 any
remark < servername > (remote.domain name)
permit tcp host < LAN IP Terminal server > eq 3389 any
ip access-list extended ACL_VPN
permit ip < local LAN IP Range to VPN IP Range with wildcards >
permit ip < local DMZ IP Range to VPN IP Range with wildcards >
!
ip sla 10
icmp-echo < first hop > source-interface Dialer11
ip sla schedule 10 life forever start-time now
ip sla 12
icmp-echo < first hop > source-interface Dialer10
ip sla schedule 12 life forever start-time now
ip sla 80
http get http://www.google.nl/ name-server < dns server 1 > cache disable
threshold 500
tag Google
frequency 300
ip sla schedule 80 life forever start-time now
no logging trap
access-list 21 remark ----------------------------------------------------------
access-list 21 remark SNMP
access-list 21 remark ----------------------------------------------------------
access-list 21 permit < IP address >
access-list 21 permit < IP Range external >
access-list 21 permit < IP Range Local LAN >
access-list 21 permit < IP Range Local DMZ >
access-list 110 remark ----------------------------------------------------------
access-list 110 remark Dialer-list 10, Dialer10
access-list 110 remark ----------------------------------------------------------
access-list 110 permit ip any any
access-list 120 remark ----------------------------------------------------------
access-list 120 remark Dialer-list 11
access-list 120 remark ----------------------------------------------------------
access-list 120 permit ip any any
dialer-list 10 protocol ip list 110
dialer-list 11 protocol ip list 120
snmp-server community mrtg RO 21
snmp-server location < Location Name >
snmp-server contact < Contact information >
snmp-server enable traps tty
snmp-server enable traps frame-relay multilink bundle-mismatch
!
!
!
route-map RMP_LOCAL_POLICY permit 10
match ip address ACL_NAAR_ISP
set ip next-hop < First hop see tracert / Traceroute >
set interface Null0
!
route-map RMP_GigabitEthernet0/1_NO_NAT permit 10
match ip address ACL_GigabitEthernet0/1_NO_NAT
set ip next-hop 1.1.192.2
!
route-map RMP_GigabitEthernet0/1_NO_NAT permit 12
match ip address ACL_SDSL_REDIRECT
set interface Dialer11
!
route-map RMP_GigabitEthernet0/0_NO_NAT permit 10
match ip address ACL_GigabitEthernet0/0_NO_NAT
set ip next-hop 1.1.192.2
!
route-map RMP_GigabitEthernet0/0_NO_NAT permit 12
match ip address ACL_SDSL_REDIRECT
set interface Dialer11
!
route-map RMP_Dialer11_OVERLOAD permit 10
match ip address ACL_Dialer11_OVERLOAD
match interface Dialer11
!
route-map RMP_Dialer10_OVERLOAD permit 10
match ip address ACL_Dialer10_OVERLOAD
match interface Dialer10
!
!
!
radius-server host < Radius server IP Address > auth-port 1645 acct-port 1646 key < Password >
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd #
*************************************************************
This system is restricted to authorized users for legitimate
purposes and is subject to audit. The unauthorized access,
use or modification of computer systems or the data contained
therein or in transit to/from, may be illegal.
*************************************************************
#
!
line con 0
line aux 0
line vty 0 4
exec-timeout 1800 0
timeout login response 200
privilege level 15
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp clock-period 17179872
ntp update-calendar
sntp server 145.24.129.6
sntp server 213.239.154.12
sntp server 193.79.237.14
sntp broadcast client
!
end
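One thing worth checking in ACL_Dialer10_IN and ACL_Dialer11_IN above is entry order. IOS evaluates an access list top-down and stops at the first match, and the "Anti-spoofing" denies sit below "permit tcp any any eq 22" and "permit tcp any any eq 3389", so a packet with a spoofed RFC 1918 source aimed at SSH or RDP is permitted before the deny is ever reached. The evaluator below is an added example, not code from the original page or from the router: it models the first-match rule on a constructed excerpt of ACL_Dialer10_IN and on a reordered copy, using assumed values (VPN pool 192.168.250.0/24, LAN 192.168.1.0/24, Dialer10 address 203.0.113.10) in place of the page's placeholders. In the reordered copy the VPN-to-LAN entry stays first, because the page's own ACL permits the decrypted VPN traffic there and its private source address must not be caught by the 192.168.0.0/16 deny.

```python
# Added example, not code from the page: a first-match evaluator for the style
# of extended ACL applied on Dialer10/Dialer11. The VPN pool (192.168.250.0/24)
# and LAN (192.168.1.0/24) are assumed values for the page's placeholders.
import ipaddress
from collections import namedtuple

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "www": 80, "smtp": 25}
Packet = namedtuple("Packet", "proto src dst sport dport")

# Constructed excerpt of ACL_Dialer10_IN, entries in the order the page lists them.
ACL_AS_ON_PAGE = """
permit udp any any eq isakmp
permit esp any any
permit ip 192.168.250.0 0.0.0.255 192.168.1.0 0.0.0.255
permit tcp any any eq 22
permit tcp any any eq 3389
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit icmp any any echo
deny ip any any
"""

# Same entries with the anti-spoofing denies moved above every any-source permit.
# The VPN entry stays first: the page's ACL permits decrypted VPN-to-LAN traffic,
# and that traffic's private source address must not hit the 192.168.0.0/16 deny.
ACL_CORRECTED = """
permit ip 192.168.250.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit udp any any eq isakmp
permit esp any any
permit tcp any any eq 22
permit tcp any any eq 3389
permit icmp any any echo
deny ip any any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tok, i):
    """Consume one address spec (any | host A | A WILDCARD) starting at tok[i]."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        want = _ip(tok[i + 1])
        return (lambda ip: _ip(ip) == want), i + 2
    net, mask = _ip(tok[i]), ~_ip(tok[i + 1]) & 0xFFFFFFFF  # set wildcard bit = don't care
    return (lambda ip: _ip(ip) & mask == net & mask), i + 2

def _parse_port(tok, i):
    """Consume an optional 'eq <port>' at tok[i]; ICMP type keywords are ignored."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        src, i = _parse_addr(tok, 2)      # action proto SRC [eq p] DST [eq p]
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        rules.append((tok[0], tok[1], src, sport, dst, dport, line.strip()))
    return rules

def evaluate(rules, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, proto, src, sport, dst, dport, text in rules:
        if proto not in ("ip", pkt.proto) or not (src(pkt.src) and dst(pkt.dst)):
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action, text
    return "deny", "implicit deny"

# Constructed packets; 203.0.113.10 is the assumed public address of Dialer10.
SAMPLES = {
    "spoofed_ssh": Packet("tcp", "10.9.9.9", "203.0.113.10", 40000, 22),
    "internet_rdp": Packet("tcp", "198.51.100.7", "203.0.113.10", 51000, 3389),
    "vpn_to_lan": Packet("tcp", "192.168.250.5", "192.168.1.20", 51000, 445),
    "internet_smtp": Packet("tcp", "198.51.100.7", "203.0.113.10", 51000, 25),
}

def verdicts(acl_text):
    """Map each sample packet to 'permit' or 'deny' under the given ACL text."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, p)[0] for name, p in SAMPLES.items()}
```

Calling verdicts(ACL_AS_ON_PAGE) shows the spoofed SSH packet permitted by "permit tcp any any eq 22"; verdicts(ACL_CORRECTED) shows it stopped by "deny ip 10.0.0.0 0.255.255.255 any" while the VPN-to-LAN and legitimate RDP packets keep the same verdict. The same reordering applies to ACL_Dialer11_IN, which has the identical structure.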
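A second check is the one a linter would make over the listing as a whole. Dialer10 applies "ip access-group ACL_Dialer10_IN in", but the list was originally posted under the misspelled name ACL_Dailer10_IN; an access-group that names an ACL which does not exist applies no filter at all, IOS permits every packet on that interface. The other items a practitioner would flag are telnet left in "transport input" on the VTY lines while ACL_VTY04_IN is defined but never applied with "access-class", "enable password" (reversible type 7 storage even with service password-encryption), the plaintext "ip http server", and 3DES with DH group 2 in the ISAKMP policy. The script below is an added example, not code from the page or the router; it is fed a constructed excerpt that mirrors the listing and a hardened copy of it. The hardened copy assumes the release supports "enable secret", "access-class", "transport input ssh", "encr aes 256" and "group 14".

```python
# Added example, not code from the page: a small lint pass over an IOS running
# config, fed a constructed excerpt that mirrors the page's listing. It catches an
# 'ip access-group' that names an undefined ACL (IOS then filters nothing on that
# interface), telnet on the VTY lines, a VTY line without 'access-class',
# 'enable password', the plaintext HTTP server and weak ISAKMP settings.
import re

CONFIG_AS_ON_PAGE = """
enable password < password >
!
ip http server
ip http secure-server
!
crypto isakmp policy 10
 encr 3des
 group 2
!
interface Dialer10
 ip access-group ACL_Dialer10_IN in
 ip access-group ACL_Dialer10_OUT out
!
ip access-list standard ACL_VTY04_IN
 permit 192.168.1.0 0.0.0.255
ip access-list extended ACL_Dailer10_IN
 permit tcp any any eq 22
ip access-list extended ACL_Dialer10_OUT
 permit ip any any
!
line vty 0 4
 transport input telnet ssh
"""

# The same excerpt with each finding addressed (assumed to be supported commands).
CONFIG_HARDENED = """
enable secret < secret >
!
ip http secure-server
!
crypto isakmp policy 10
 encr aes 256
 group 14
!
interface Dialer10
 ip access-group ACL_Dialer10_IN in
 ip access-group ACL_Dialer10_OUT out
!
ip access-list standard ACL_VTY04_IN
 permit 192.168.1.0 0.0.0.255
ip access-list extended ACL_Dialer10_IN
 permit tcp any any eq 22
ip access-list extended ACL_Dialer10_OUT
 permit ip any any
!
line vty 0 4
 access-class ACL_VTY04_IN in
 transport input ssh
"""

def lint_ios(config_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, defined, applied, vty = [], set(), {}, {}
    section = ""
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw.startswith(" "):             # top-level command opens a new section
            section = raw.strip()
            m = re.match(r"(?:ip access-list (?:standard|extended)|access-list) (\S+)", section)
            if m:
                defined.add(m.group(1))
            if section.startswith("enable password"):
                findings.append("enable password is reversible (type 7); use 'enable secret'")
            if section == "ip http server":
                findings.append("plaintext 'ip http server' enabled; keep only 'ip http secure-server'")
            if section.startswith("line vty"):
                vty[section] = {"transport": [], "access_class": None}
            continue
        cmd = raw.strip()                        # indented line: sub-command of `section`
        if section.startswith("interface"):
            m = re.match(r"ip access-group (\S+) (in|out)", cmd)
            if m:
                applied[(section, m.group(2))] = m.group(1)
        elif section.startswith("line vty"):
            if cmd.startswith("transport input"):
                vty[section]["transport"] = cmd.split()[2:]
            elif cmd.startswith("access-class"):
                vty[section]["access_class"] = cmd.split()[1]
        elif section.startswith("crypto isakmp policy") and cmd in ("encr 3des", "group 2"):
            findings.append(f"{section}: '{cmd}' is weak; use 'encr aes 256' and 'group 14' or higher")
    for (iface, direction), acl in applied.items():
        if acl not in defined:
            findings.append(f"{iface}: access-group {acl} {direction} names an undefined ACL, "
                            "so IOS filters nothing on that interface")
    for name, s in vty.items():
        if "telnet" in s["transport"]:
            findings.append(f"{name}: telnet in 'transport input'; use 'transport input ssh'")
        if s["access_class"] is None:
            findings.append(f"{name}: no 'access-class'; apply 'access-class ACL_VTY04_IN in'")
    return findings
```

lint_ios(CONFIG_AS_ON_PAGE) returns seven findings, including the undefined ACL_Dialer10_IN reference (ACL_Dialer10_OUT resolves and is not reported); lint_ios(CONFIG_HARDENED) returns an empty list. The parser relies on the one-space indentation that "show running-config" uses for sub-commands, so run it over a saved running-config rather than hand-typed snippets.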