Code:
http://wiki.nil.com/SOHO_router_configuration
This document contains a sample SOHO router configuration. While it's probably secure enough for an average SOHO office, you use it at your own risk.
Contents

  • 1 Annotated configuration snippets
    • 1.1 Logging and timezones
    • 1.2 Global IP routing, DHCP and other services
    • 1.3 Content-based Access Control
    • 1.4 Global PPPoE commands
    • 1.5 Interfaces
    • 1.6 DNS server
    • 1.7 Network Address Translation
    • 1.8 Access lists and route maps
    • 1.9 NTP configuration
    • 1.10 Line configuration
  • 2 Complete configuration

Annotated configuration snippets

Logging and timezones

Whenever you want to know when something happens in your network and don't have a centralized network management system, use NTP to synchronize the clock on your router with an external time source and enable date-time timestamps on all logging and debugging messages.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
You should disable console logging, enable the logging buffer (so you can inspect past events) and store logging messages in a file to ensure message persistence across router reloads.
hostname SOHO-firewall
!
logging buffered 128000
logging persistent url flash:/
no logging console
Use enable secret, not enable password. It's more secure and cannot be easily cracked.
enable secret *****
Configure your timezone (I'm in Europe, which is 1 hour ahead of GMT) and daylight saving time if you want to be able to talk to the ISP support team and compare the times.
clock timezone CET 1
clock summer-time CDT recurring last Sun Mar 2:00 last Sun Oct 3:00
Global IP routing, DHCP and other services

IP source routing should be disabled and you should use CEF (unless you hit a CEF-related bug that forces you to disable CEF).
no ip source-route
!
ip cef
In a SOHO environment, it's better to configure DHCP on your router than on one of the workstations acting as a server. The default gateway and the DNS server are set to the router's IP address.
ip dhcp pool DHCP
network 192.168.200.192 255.255.255.240
default-router 192.168.200.193
dns-server 192.168.200.193
You should also set the DNS parameters: the default timeout and the default domain.
ip domain timeout 2
ip domain name mydomain.com
If you want to upload files from the router using FTP, the FTP source interface has to be an inside interface, otherwise FTP to outside destinations fails.
ip ftp source-interface Vlan1
Content-based Access Control

To simplify your access lists and allow weird protocols like FTP to pass through them, you should configure stateful inspection (CBAC). All special protocols have to be listed first, followed by the protocol groups you want to support (usually you need all three). You should always inspect the router-generated traffic to ensure that the services started from the router itself (for example, NTP queries) work as expected.
ip inspect name FW ftp
ip inspect name FW fragment maximum 256 timeout 1
ip inspect name FW icmp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW tcp router-traffic
Global PPPoE commands

These are the "mandatory" commands to make ADSL work. If you really want to know what they do, search Cisco IOS documentation.
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
l2tp tunnel receive-window 256
!
bba-group pppoe global
Interfaces

Outside interface configuration. ADSL is used, so we're just configuring the PPPoE dial pool.
interface FastEthernet0
description outside LAN
no ip address
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 3
An 1800-series router with an integrated switch was used to generate this configuration. Each inside port appears as a separate FastEthernet interface, and you have to use the VLAN interface to tie them together into a single IP subnet.
interface Vlan1
ip address 192.168.200.193 255.255.255.240
ip nat inside
ip virtual-reassembly
load-interval 30
The ADSL uplink is configured as a dialer interface. You have to configure the dialer interface as an outside NAT interface with CBAC inspection to enable the stateful firewall. The IP address is usually negotiated via IPCP, and you should lower the MTU and MSS parameters since ADSL cannot transport 1500-byte packets. The dialer interface is tied to the Fast Ethernet physical interface with the dialer pool command; the dialer-group command is just another thing we have to configure, since the IOS code supporting dialer interfaces evolved from real dialup links like ISDN.
To avoid the pitfalls of router-wide PPP authentication, it's best to configure all PPP CHAP parameters directly on the interface.
interface Dialer3
description ADSL Uplink
ip address negotiated
ip access-group FW in
ip mtu 1492
ip nat outside
ip inspect FW out
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1400
dialer pool 3
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname *****
ppp chap password *****
ppp ipcp dns request accept
The default route points to the dialer interface.
ip route 0.0.0.0 0.0.0.0 Dialer3
DNS server

DNS server parameters are configured with the ip dns view default command (assuming you have late 12.4T or 12.5+). Yet again, the source interface for the DNS resolver and the DNS forwarder has to be set to one of the inside interfaces. The DNS forwarders can be set to the DNS servers of your ISP or to a public service like OpenDNS.
ip dns view default
domain timeout 2
domain resolver source-interface Vlan1
dns forwarder 208.67.220.220
dns forwarder 208.67.222.222
dns forwarding source-interface Vlan1
ip dns server
Network Address Translation

NAT overload is configured on the Dialer interface. The route-map is not absolutely necessary but comes extremely handy if you want to configure multiple uplinks or Internet access in combination with company VPN (split VPN).
ip nat inside source route-map Dialer3 interface Dialer3 overload
Access lists and route maps

The access-list that serves as the basis for CBAC should be as restrictive as possible. ICMPs usually don't do much harm (at least not to the router) and it's safe to allow NTP from a well-known NTP server. You might not want to log all failures (as I do), as this generates lots of logging traffic (more so if you use peer-to-peer networking).
ip access-list extended FW
permit icmp any any
permit udp host 129.132.97.15 eq ntp any
deny ip any any log
The access-list 90 is used to limit access to the router. Unless you have special needs, allowing only the inside IP subnet to access the router is a good idea.
access-list 90 permit 192.168.200.192 0.0.0.15
The dialer-list and dialer-related access-list are just pro-forma commands that have to be entered.
access-list 199 permit ip any any
dialer-list 1 protocol ip list 199
The NAT route-map is extremely simple: translate everything that goes out of Dialer3 interface.
route-map Dialer3 permit 10
match interface Dialer3
NTP configuration

Usually you should enable NTP logging, unless it generates too much noise. If at all possible, configure an NTP server to ensure you have the correct time.
ntp logging
ntp server 129.132.97.15 prefer
Line configuration

And finally the line configuration. Password-based authentication should be enough for a SOHO office.
line con 0
login
password *****
line vty 0 4
password *****
login
access-class 90 in
transport input telnet ssh
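A small consistency checker, added here and not part of the wiki page or of Cisco's tooling, that parses an IOS configuration excerpt and reports access lists that are applied (on an interface, the VTY lines or a dialer-list) but never defined, the kind of slip where access-class references a list number that no access-list command creates; it also inverts the standard ACL's wildcard mask to confirm the router-access list covers exactly the inside Vlan1 subnet. The excerpt is constructed from the configuration on this page, and the function names are the example's own.

```python
import re
import ipaddress

# Constructed excerpt of the configuration above; the mismatch between the
# defined access-list 50 and the access-class 90 on the VTY lines is kept.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.200.193 255.255.255.240
interface Dialer3
 ip access-group FW in
ip access-list extended FW
 deny ip any any log
access-list 50 permit 192.168.200.192 0.0.0.15
access-list 199 permit ip any any
dialer-list 1 protocol ip list 199
line vty 0 4
 access-class 90 in
"""

ACL_DEF = re.compile(r"^(?:access-list (\S+) |ip access-list (?:standard|extended) (\S+))")
ACL_REF = re.compile(r"^\s*(?:ip access-group|access-class) (\S+) (?:in|out)\b|^dialer-list \d+ protocol \S+ list (\S+)")

def acl_usage(config):
    """Return (defined, referenced): lists the config creates vs. lists it applies."""
    defined, referenced = set(), set()
    for line in config.splitlines():
        if m := ACL_DEF.match(line):
            defined.add(m.group(1) or m.group(2))
        elif m := ACL_REF.match(line):
            referenced.add(m.group(1) or m.group(2))
    return defined, referenced

def dangling_acl_references(config):
    """Lists applied somewhere (interface, VTY, dialer-list) but never defined."""
    defined, referenced = acl_usage(config)
    return sorted(referenced - defined)

def standard_acl_networks(config, number):
    """Prefixes a numbered standard ACL permits, with the IOS wildcard inverted to a netmask."""
    nets = []
    for host, wildcard in re.findall(rf"^access-list {number} permit (\S+) (\S+)$", config, re.M):
        netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
        nets.append(ipaddress.ip_network((host, str(netmask)), strict=False))
    return nets

def inside_subnet(config, ifname="Vlan1"):
    """Subnet configured on the inside VLAN interface (the one the VTY ACL should permit)."""
    block = config.split(f"interface {ifname}\n", 1)[1]
    addr, mask = re.search(r"ip address (\S+) (\S+)", block).groups()
    return ipaddress.ip_network((addr, mask), strict=False)
```

Running dangling_acl_references on the excerpt reports "90"; renumbering the access-list to 90 makes the report empty, and standard_acl_networks("90") then equals the Vlan1 subnet 192.168.200.192/28.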
Complete configuration

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SOHO-firewall
!
logging buffered 128000
logging persistent url flash:/
no logging console
enable secret *****
!
clock timezone CET 1
clock summer-time CDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
no ip source-route
!
ip cef
!
ip dhcp pool DHCP
network 192.168.200.192 255.255.255.240
default-router 192.168.200.193
dns-server 192.168.200.193
!
ip domain timeout 2
ip domain name mydomain.com
!
ip inspect name FW ftp
ip inspect name FW fragment maximum 256 timeout 1
ip inspect name FW icmp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW tcp router-traffic
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
l2tp tunnel receive-window 256
!
ip ftp source-interface Vlan1
!
bba-group pppoe global
!
interface FastEthernet0
description outside LAN
no ip address
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 3
!
interface Vlan1
ip address 192.168.200.193 255.255.255.240
ip nat inside
ip virtual-reassembly
load-interval 30
!
interface Dialer3
description ADSL Uplink
ip address negotiated
ip access-group FW in
ip mtu 1492
ip nat outside
ip inspect FW out
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1400
dialer pool 3
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname *****
ppp chap password *****
ppp ipcp dns request accept
!
ip route 0.0.0.0 0.0.0.0 Dialer3
!
ip dns view default
domain timeout 2
domain resolver source-interface Vlan1
dns forwarder 208.67.220.220
dns forwarder 208.67.222.222
dns forwarding source-interface Vlan1
ip dns server
!
ip nat inside source route-map Dialer3 interface Dialer3 overload
!
ip access-list extended FW
permit icmp any any
permit udp host 129.132.97.15 eq ntp any
deny ip any any log
!
access-list 90 permit 192.168.200.192 0.0.0.15
access-list 199 permit ip any any
dialer-list 1 protocol ip list 199
!
route-map Dialer3 permit 10
match interface Dialer3
!
ntp logging
ntp server 129.132.97.15 prefer
!
line con 0
login
password *****
line vty 0 4
password *****
login
access-class 90 in
transport input telnet ssh
!
end