Suggested prerequisite reading: »Cisco Forum FAQ »Things to expect when setup network for home or small business
For some broadband Internet connections such as cable and DSL, and for business-grade connections using T1/E1 or faster, the ISP tells the customer (subscriber) to configure a specific IP address on the router. In other words, the subscriber's router uses a static IP address to connect to the Internet.
When this is your case, the following sample configuration is a good starting point for configuring the router. It is a fairly secure configuration that is running on a 1605r model, but it can be applied to any router that has at least two Ethernet ports.
This sample configuration works best with a static IP. The xxx's stand for your assigned IP address and the yyy's for your assigned subnet mask. If you have any questions about this, please feel free to contact me at bradley.walter@verizon.net.
A typical network environment that would use the following sample router configuration looks like this:
* There is a modem in front of the router, and the modem connects to the ISP
* The ISP statically assigns a public IP address to the router
* NAT/PAT on the router translates internal IP addresses to the ISP-provided public IP address
This sample router configuration assumes the following:
* Internal private IP subnet (for hosts behind the router): 192.168.1.0/24
* All hosts use the router's inside interface IP address, 192.168.1.1, as their default gateway
* The address range 192.168.1.2-192.168.1.254 is available for hosts on your LAN
* When hosts behind the router go out to the Internet, they appear as the router's outside interface IP address (the ISP-assigned public IP address)
SAMPLE CONFIGURATION
foo-gw#show running-config
Building configuration...

Current configuration:
!
version 12.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
!
hostname Router
!
logging buffered 16000 debugging
logging console critical
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
username admin password 7 xxxxxxxxxxxxxxxxxx
!sets user login to "admin".
ip subnet-zero
no ip source-route
ip icmp rate-limit unreachable 2000
ip icmp rate-limit unreachable DF 2000
no ip finger
no ip bootp server
no ip domain-lookup
ip domain-name foo.com
!change these four lines to fit your needs
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
clock timezone GMT 0
!
!
!
interface Ethernet0
 description Connection to internet.
 ip address xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
 !IP and Subnet
 ip access-group 115 in
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 ip nat outside
 no ip route-cache
 no cdp enable
!
interface Ethernet1
 description Connection to Lan.
 ip address 192.168.1.1 255.255.255.0
 ip access-group 116 in
 no ip directed-broadcast
 no ip proxy-arp
 ip nat inside
 no ip route-cache
 no cdp enable
!
!all LAN hosts matched by access-list 1 share the Ethernet0 address (PAT)
ip nat inside source list 1 interface Ethernet0 overload
!
!the next three lines are a few port maps to show you how to map external ports to internal servers;
!here, mail is mapped to the mail server and web is mapped to the web server.
!24.229.10.4 is the public (xxx.xxx.xxx.xxx) address in this sample; use your own
!
ip nat inside source static tcp 192.168.1.160 110 24.229.10.4 110 extendable
ip nat inside source static tcp 192.168.1.160 25 24.229.10.4 25 extendable
ip nat inside source static tcp 192.168.1.150 80 24.229.10.4 80 extendable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!access-list 115 is applied inbound on Ethernet0: it drops packets with spoofed or
!reserved source addresses, traffic to the network and broadcast addresses of the
!public /26, common Windows file-sharing/RPC/SQL and worm ports and inbound pings,
!then permits whatever else is addressed to the public block; the rest hits the
!implicit deny at the end of the list
access-list 115 deny ip xxx.xxx.xxx.0 0.0.0.63 any
access-list 115 deny ip host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
access-list 115 deny ip 127.0.0.0 0.255.255.255 any
access-list 115 deny ip 10.0.0.0 0.255.255.255 any
access-list 115 deny ip 0.0.0.0 0.255.255.255 any
access-list 115 deny ip 172.16.0.0 0.15.255.255 any
access-list 115 deny ip 192.168.0.0 0.0.255.255 any
access-list 115 deny ip 192.0.2.0 0.0.0.255 any
access-list 115 deny ip 169.254.0.0 0.0.255.255 any
access-list 115 deny ip 255.0.0.0 0.255.255.255 any
access-list 115 deny ip 224.0.0.0 15.255.255.255 any
!broadcast and network addresses of the public /26 block
access-list 115 deny ip any host 24.229.10.63
access-list 115 deny ip any host 24.229.10.0
access-list 115 deny tcp any any eq 135
access-list 115 deny tcp any any eq 137
access-list 115 deny tcp any any eq 139
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 1023
access-list 115 deny tcp any any range 1025 1029
access-list 115 deny tcp any any range 1433 1434
access-list 115 deny tcp any any eq 2745
access-list 115 deny tcp any any eq 3127
access-list 115 deny tcp any any eq 5554
access-list 115 deny tcp any any eq 6129
access-list 115 deny tcp any any eq 9898
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny udp any any eq netbios-ss
access-list 115 deny udp any any eq 445
access-list 115 deny icmp any any echo
access-list 115 deny icmp any any redirect
access-list 115 deny icmp any any mask-request
access-list 115 permit ip any xxx.xxx.xxx.0 0.0.0.63
access-list 115 permit icmp any xxx.xxx.xxx.0 0.0.0.63
!
!access-list 116 is applied inbound on Ethernet1: it blocks traffic from or to the
!other private and reserved ranges, allows only a few ICMP types out of the LAN,
!then permits the 192.168.1.0/24 subnet; any other source address is implicitly denied
access-list 116 deny ip host 192.168.1.1 host 192.168.1.1
access-list 116 deny ip 10.0.0.0 0.255.255.255 any
access-list 116 deny ip 172.16.0.0 0.15.255.255 any
access-list 116 deny ip 192.0.2.0 0.0.0.255 any
access-list 116 deny ip 169.254.0.0 0.0.255.255 any
access-list 116 deny ip any 10.0.0.0 0.255.255.255
access-list 116 deny ip any 172.16.0.0 0.15.255.255
access-list 116 deny ip any 192.0.2.0 0.0.0.255
access-list 116 deny ip any 169.254.0.0 0.0.255.255
access-list 116 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 116 permit icmp 192.168.1.0 0.0.0.255 any parameter-problem
access-list 116 permit icmp 192.168.1.0 0.0.0.255 any packet-too-big
access-list 116 permit icmp 192.168.1.0 0.0.0.255 any source-quench
access-list 116 deny icmp 192.168.1.0 0.0.0.255 any
access-list 116 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
banner motd ^C
|-----------------------------------------------------------------|
| This system is for the use of authorized users only.            |
| Individuals using this computer system without authority, or in |
| excess of their authority, are subject to having all of their   |
| activities on this system monitored and recorded by system      |
| personnel.                                                      |
|                                                                 |
| In the course of monitoring individuals improperly using this   |
| system, or in the course of system maintenance, the activities  |
| of authorized users may also be monitored.                      |
|                                                                 |
| Anyone using this system expressly consents to such monitoring  |
| and is advised that if such monitoring reveals possible         |
| evidence of criminal activity, system personnel may provide the |
| evidence of such monitoring to law enforcement officials.       |
|-----------------------------------------------------------------|
^C
!
line con 0
 transport input none
line vty 0 4
 exec-timeout 30 0
 password 7 xxxxxxxxxxxxxxxxxx
 !telnet carries the login password in clear text; the LAN is the only place it can
 !be reached from through ACL 115, but use SSH instead where the IOS image supports it
 transport input telnet
!
end
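The inbound filter on Ethernet0 is the part of this configuration most worth checking before you apply it. The following Python script is an added illustration, not part of the original FAQ: it models how IOS evaluates an extended access list (wildcard masks, top-to-bottom first match, implicit deny at the end) over a representative subset of access-list 115, with 203.0.113.0/26 used as a constructed stand-in for the xxx.xxx.xxx.0/26 public block and 203.0.113.4 standing in for the port-mapped server address.

```python
import ipaddress

# Constructed stand-in for the page's xxx.xxx.xxx.0/26 public block (TEST-NET-3, not a real range).
PUBLIC = "203.0.113.0 0.0.0.63"
NAMED_PORTS = {"netbios-ns": 137, "netbios-ss": 139}
# A representative subset of access-list 115 from the sample config, in the original order.
ACL115 = f"""
access-list 115 deny ip {PUBLIC} any
access-list 115 deny ip 10.0.0.0 0.255.255.255 any
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any range 1433 1434
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny icmp any any echo
access-list 115 permit ip any {PUBLIC}
access-list 115 permit icmp any {PUBLIC}
"""

def _addr(tok):
    # Consume 'any' | 'host A' | 'A WILDCARD'; a 1-bit in the wildcard is a don't-care bit.
    w = tok.pop(0)
    if w == "any":
        return lambda ip: True
    if w == "host":
        h = ipaddress.IPv4Address(tok.pop(0)); return lambda ip: ip == h
    base, wild = int(ipaddress.IPv4Address(w)), int(ipaddress.IPv4Address(tok.pop(0)))
    return lambda ip: (int(ip) & ~wild) == (base & ~wild)

def _port(tok):
    # Optional 'eq P' or 'range LO HI' destination-port qualifier (this page uses no source ports).
    if tok and tok[0] == "eq":
        w = tok[1]; del tok[:2]; n = int(NAMED_PORTS.get(w, w)); return lambda p: p == n
    if tok and tok[0] == "range":
        lo, hi = int(tok[1]), int(tok[2]); del tok[:3]; return lambda p: lo <= p <= hi
    return lambda p: True

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()[2:]                       # drop 'access-list <number>'
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _addr(tok), _addr(tok); dport = _port(tok)
        rules.append((action, proto, src, dst, dport, tok[0] if tok else None))  # last: ICMP type
    return rules

def evaluate(rules, proto, src, dst, dport=0, icmp_type=None):
    # IOS semantics: top to bottom, first match wins, unmatched packets hit the implicit deny.
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, p, fs, fd, fp, t in rules:
        if p in ("ip", proto) and (t is None or t == icmp_type) and fs(s) and fd(d) and fp(dport):
            return action
    return "deny"
```

Because an inbound ACL on the outside interface is checked before the static NAT entries translate the destination, the port-map checks are made against the public address, not 192.168.1.150.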
by sortofageek, edited by aryoba; last modified: 2008-04-13 06:49:08