! Sample Cisco router configuration file for a simple Internet
! connection, with one Serial port to an ISP and one Ethernet.
! This example shows a Frame Relay serial connection. You may
! have a standard leased line which will differ slightly.
!
! This example includes extensive sample use of access lists
! to control network, host, TCP, and UDP access.
!
! Cisco's web site contains full details on configurations,
! including samples and command summaries, at:
!
! http://www.cisco.com
!
! Prevent router from answering service requests.
!
no service udp-small-servers
no service tcp-small-servers
!
! Allocate a larger configuration buffer; this file needs it because
! of the size of its access lists.
!
boot buffersize 50000
!
! This specifies the name of the router, a hostname.
!
hostname router-gw
!
! enable password is the equivalent of the "root" password on a Unix system.
! The virtual terminal password (at the end of the config) is the
! unprivileged one.
! Replace the sample password with a well-chosen password
!
enable password PickAGoodPassword
!
ip subnet-zero
!
! Turn off source routing. This stops outside hosts from using
! source-routed packets to masquerade as addresses other than
! their real ones when reaching your network.
!
no ip source-route
!
interface Ethernet0
description To your network -- example network 192.168.1.0 shown
! Router IP address shown as 192.168.1.1 as an EXAMPLE -- use your real address
ip address 192.168.1.1 255.255.255.0
ip access-group 101 out
!
interface Serial0.1 point-to-point
ip unnumbered Ethernet0
bandwidth 56
frame-relay interface-dlci 145 IETF
!
interface Serial1
no ip address
shutdown
!
! insert your real domain name in place of example.com
!
ip domain-name example.com
!
! We run our own primary nameserver on host 192.168.1.10;
! use your real IP address.
!
ip name-server 192.168.1.10
!
! specify a secondary nameserver as supplied by your ISP
!
! ip name-server XXX.XXX.XXX.XXX
!
! We use classless routing
!
ip classless
!
! Only a default route upstream to our ISP
!
ip route 0.0.0.0 0.0.0.0 Serial0.1
!
! ------------------------ Access Lists ---------------------
! Access list to control virtual terminal access to our router.
! We don't allow access from anywhere except inside our own network.
!
! Note that ALL access lists are CLEARED first, then reapplied.
! In the configuration file, "no access-list" clears the old list
! from router memory, so that the subsequent "access-list"
! statements are stored in router memory in the order they are read.
! Order matters: the first line that matches a packet decides its fate.
!
no access-list 10
access-list 10 permit 192.168.1.0 0.0.0.255
!
! Access list to control traffic FROM the Internet TO our network.
! It is applied as an OUTBOUND access list on the ETHERNET.
! This may seem counter-intuitive, but the access list is applied
! in the direction of data flow. Traffic in this example is
! INBOUND on the Serial port, and OUTBOUND on the Ethernet port.
!
! Clear the old list from router memory first.
!
no access-list 101
!
! The established keyword matches TCP packets with the ACK or RST
! bit set, i.e. replies to connections that originated inside your
! network, so they are allowed back in. This lets you use services
! such as WWW, telnet, etc., without allowing others to reach
! those ports inside your network.
!
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established
! ----------------------- Begin blocked sites ------------------
! Sites/Nets we outright block.
! --------------------------------------------------------------
! marathon4com.net, auntmimi.net
access-list 101 deny tcp 209.16.106.0 0.0.0.255 192.168.1.0 0.0.0.255
! joinusnow.com
access-list 101 deny tcp 209.1.197.0 0.0.0.255 192.168.1.0 0.0.0.255
! --------------------------------------------------------------
! PSI's unsecured mail relays
! relay1.smtp.psi.net
access-list 101 deny tcp 38.8.14.2 0.0.0.0 192.168.1.0 0.0.0.255
! relay2.smtp.psi.net
access-list 101 deny tcp 38.8.188.2 0.0.0.0 192.168.1.0 0.0.0.255
! relay3.smtp.psi.net
access-list 101 deny tcp 38.8.210.2 0.0.0.0 192.168.1.0 0.0.0.255
! relay4.smtp.psi.net
access-list 101 deny tcp 38.9.52.2 0.0.0.0 192.168.1.0 0.0.0.255
! ----------------------- End blocked sites ------------------
! Begin port filtering. TCP first, then UDP.
!
! TCP ports to allow. To be secure, you should allow services
! on as FEW hosts as possible, and those hosts should have
! a VERY thorough security policy.
!
! Everything not explicitly permitted below 1024 is denied.
! 20 - ftp-data
access-list 101 permit tcp any host 192.168.1.10 eq ftp-data
! 21 - ftp
access-list 101 permit tcp any host 192.168.1.10 eq ftp
! 23 - telnet
! We don't allow telnet into our network.
! 25 - smtp
access-list 101 permit tcp any host 192.168.1.10 eq smtp
! 53 - DNS (TCP and UDP)
access-list 101 permit tcp any host 192.168.1.10 eq domain
! 79 - finger
access-list 101 permit tcp any host 192.168.1.10 eq finger
! 80 - www
access-list 101 permit tcp any host 192.168.1.10 eq www
! 110 - pop3
access-list 101 permit tcp any host 192.168.1.10 eq pop3
! 123 - ntp (TCP and UDP)
access-list 101 permit tcp any host 192.168.1.10 eq 123
! 517 - talk
access-list 101 permit tcp any host 192.168.1.10 eq talk
! ----------------------------------------------------------------
!
! TCP ports above 1023 are considered OPEN, so we need to
! explicitly CLOSE those which we do not want the Internet
! to access.
!
! This is needed because FTP uses separate control and data
! channels, which makes the configuration complex. If you will NOT
! need to FTP from the Internet, you can greatly simplify
! this by just blocking everything above 1023.
!
! Block ports above 1023 which we don't want people to get to
! 1524 - ingreslock
access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq 1524
! 2000-2010 - X server (OpenWindows)
access-list 101 deny tcp any 192.168.1.0 0.0.0.255 range 2000 2010
! 2049 - nfsd (TCP and UDP)
access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq 2049
! 2766 - listen
access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq 2766
! 4045 - lockd (TCP and UDP)
access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq 4045
! 6000-6010 - X server
access-list 101 deny tcp any 192.168.1.0 0.0.0.255 range 6000 6010
! 6112 - dtspc CDE subprocess
access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq 6112
! 7100 - fs - font server
access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq 7100
! Permit any TCP ports above 1023 (required for FTP to build connections)
access-list 101 permit tcp any host 192.168.1.10 gt 1023
! ----------------------------------------------------------------
! UDP
! Exceptions
! allow our router to tftp from its boot host (udp 69)
access-list 101 permit udp host 192.168.1.1 host 192.168.1.10 eq 69
! allow our router to get to loghost (udp 514)
access-list 101 permit udp host 192.168.1.1 host 192.168.1.10 eq 514
! Denied UDP ports
! 7 echo - TCP and UDP
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 7
! 9 discard - TCP and UDP
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 9
! 13 daytime - TCP and UDP
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 13
! 19 chargen - TCP and UDP
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 19
! 37 time
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 37
! 42 name
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 42
! 69 tftp
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 69
! 111 sunrpc - TCP and UDP
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 111
! 512 biff
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 512
! 513 who
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 513
! 514 syslog
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 514
! 520 route
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 520
! 550 new-rwho
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 550
! 560 rmonitor
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 560
! 561 monitor
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 561
! 750 kerberos
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 750
! 1008 ufsd
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 1008
! 2049 - nfsd (TCP and UDP)
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 2049
! 4045 - lockd (TCP and UDP)
access-list 101 deny udp any 192.168.1.0 0.0.0.255 eq 4045
! We allow the following well known UDP ports:
! 53 domain (DNS)
! 123 ntp
! 517 talk
!
! Allow any other UDP connections to the WHOLE NETWORK.
! This is to make life simple for RealAudio, etc.
! You may want a STRICTER POLICY than this.
!
access-list 101 permit udp any any
! ----------------------------------------------------------------
! All ICMP allowed. Many sites DENY all ICMP instead;
! that makes services such as "traceroute" unusable, however.
!
access-list 101 permit icmp any any
! ------------------------ End Access Lists ---------------------
!
! If your ISP uses SNMP, you should receive instructions
! from them on how to fill in these parameters. You will also
! need to uncomment these lines (remove the leading !s).
!
! snmp-server community Community-String RO
! snmp-server trap-authentication
! snmp-server host ISPs-Host-Addr-for-SNMP
! snmp-server contact Your contact info, such as phone number
!
! Logging to your loghost. An open port in the filters above allows
! this traffic to reach your loghost ONLY from your router.
!
logging 192.168.1.10
!
! Do not log to the cisco console (unless you really have a hardwired
! terminal physically connected to the console port).
!
no logging console
!
! Specify a Message Of The Day banner which will be displayed when
! someone connects either via telnet or the console port.
!
! Clear the old banner.
!
no banner exec
no banner motd
!
! Specify a new one, customize to your site policy.
! AVOID using "Welcome to ...". The courts have decided
! that using the phrase "Welcome" implies access is allowed
! even to unauthorized parties. Use a more generic phrase, as shown.
!
banner motd /
Unauthorized use of this facility is prohibited.
/
!
! Console port definitions
!
line con 0
exec-timeout 0 0
! Replace the sample password with a well-chosen password
password PickAGoodPassword
login
transport preferred none
!
! Auxiliary port (used for modem) definitions.
!
line aux 0
exec-timeout 0 0
! Replace the sample password with a well-chosen password
password PickAGoodPassword
login
transport preferred none
!
! Virtual terminal ports (used to telnet to the router).
! Note the use of access-class to restrict who can access
! the router. IN GENERAL, only hosts INSIDE your
! network should be allowed access. Your ISP may have
! differing policies and require access to your router;
! verify this with them.
!
line vty 0 4
access-class 10 in
exec-timeout 0 0
! Replace the sample password with a well-chosen password
password PickAGoodPassword
login
transport preferred none
!
end
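The access lists above are evaluated by the router in the order written, and the comments rely on that: the `established` line comes first, the blocked sites precede the service permits, the server's ports above 1023 are left open for FTP, `permit udp any any` closes the UDP section, and standard list 10 guards the vty lines through `access-class`. The following Python is an added example, not Cisco code and not part of this configuration. It parses the numbered access-list syntax used in this file and applies first-match, implicit-deny evaluation to constructed packets, beside a constructed stricter UDP tail that permits only the three UDP services the comments say are allowed (domain, ntp, talk) and only to the server. The excerpted ACL lines, the packets and the address 203.0.113.5 (a documentation address standing in for an Internet host) are all constructed; the parser covers only the keywords this file uses (`any`, `host`, wildcard masks, `eq`, `gt`, `range`, `established`).

```python
"""Cisco IOS numbered access lists evaluated as the router does it: first matching line
wins, unmatched packets hit the implicit deny. Added example; not Cisco code or config."""
import ipaddress
from collections import namedtuple
from typing import Dict, List, Optional

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "domain": 53,   # service names used
              "finger": 79, "www": 80, "pop3": 110, "talk": 517}      # in the config
# ack = TCP ACK/RST bit set, which is all that the "established" keyword tests.
Packet = namedtuple("Packet", "proto src dst dport ack", defaults=(0, False))
# src/dst None = "any"; ports = inclusive (low, high) or None; proto "ip" = standard list.
Rule = namedtuple("Rule", "text permit proto src dst ports established")

def _addr(tokens: List[str]) -> Optional[ipaddress.IPv4Network]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return None
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0))
    # A Cisco wildcard mask is the inverse of a subnet mask (contiguous masks only).
    netmask = ".".join(str(255 - int(o)) for o in tokens.pop(0).split("."))
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)

def parse_rule(line: str) -> Rule:
    tokens = line.split()
    if int(tokens[1]) < 100:               # standard list (1-99): source address only
        action, *rest = tokens[2:]
        return Rule(line, action == "permit", "ip", _addr(rest), None, None, False)
    _, _, action, proto, *rest = tokens    # extended list (100-199)
    src, dst = _addr(rest), _addr(rest)
    ports, established = None, False
    def port() -> int:                     # next token: service name or port number
        tok = rest.pop(0)
        return int(PORT_NAMES.get(tok, tok))
    while rest:                            # port operator and/or "established"
        op = rest.pop(0)
        if op == "eq":
            ports = (port(),) * 2
        elif op == "gt":
            ports = (port() + 1, 65535)
        elif op == "range":
            ports = (port(), port())
        elif op == "established":
            established = True
        else:
            raise ValueError(f"unsupported keyword {op!r} in: {line}")
    return Rule(line, action == "permit", proto, src, dst, ports, established)

def parse_acls(text: str) -> Dict[int, List[Rule]]:
    """'no access-list N' clears list N; later 'access-list N' lines are kept in order."""
    lists: Dict[int, List[Rule]] = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens[:2] == ["no", "access-list"]:
            lists[int(tokens[2])] = []
        elif tokens[:1] == ["access-list"]:
            lists.setdefault(int(tokens[1]), []).append(parse_rule(raw))
    return lists

def evaluate(rules: List[Rule], pkt: Packet):
    """Return ('permit' or 'deny', matching line). List 101 is applied out of Ethernet0,
    so pkt here is Internet traffic heading toward 192.168.1.0/24."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if (r.proto in ("ip", pkt.proto) and (r.src is None or src in r.src)
                and (r.dst is None or dst in r.dst)
                and (r.ports is None or r.ports[0] <= pkt.dport <= r.ports[1])
                and (not r.established or pkt.ack)):
            return ("permit" if r.permit else "deny"), r.text
    return "deny", "implicit deny at end of list"

# Constructed excerpt of the config's lists 10 and 101 (same syntax, fewer lines).
ACL_TEXT = """
no access-list 10
access-list 10 permit 192.168.1.0 0.0.0.255
no access-list 101
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established
access-list 101 deny tcp 38.8.14.2 0.0.0.0 192.168.1.0 0.0.0.255
access-list 101 permit tcp any host 192.168.1.10 eq smtp
access-list 101 permit tcp any host 192.168.1.10 gt 1023
access-list 101 permit udp any any
"""
# Constructed stricter tail: only the UDP services the comments say are allowed
# (domain, ntp, talk), and only to the server, in place of "permit udp any any".
STRICT_TEXT = ACL_TEXT.replace(
    "access-list 101 permit udp any any",
    "access-list 101 permit udp any host 192.168.1.10 eq domain\n"
    "access-list 101 permit udp any host 192.168.1.10 eq 123\n"
    "access-list 101 permit udp any host 192.168.1.10 eq talk")

if __name__ == "__main__":
    outside = "203.0.113.5"    # documentation address standing in for an Internet host
    loose, strict = parse_acls(ACL_TEXT)[101], parse_acls(STRICT_TEXT)[101]
    for pkt in (Packet("tcp", outside, "192.168.1.10", 23),
                Packet("tcp", outside, "192.168.1.20", 23, ack=True),
                Packet("tcp", outside, "192.168.1.10", 8080),
                Packet("udp", outside, "192.168.1.20", 2048)):
        print(f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}",
              evaluate(loose, pkt), "| strict:", evaluate(strict, pkt)[0])
```

Running the block prints each packet's verdict under the original list and under the stricter tail. The last column shows the point of the "STRICTER POLICY" caveat: an arbitrary UDP datagram to a non-server host passes `permit udp any any` but falls through to the implicit deny once only named services are permitted. The evaluator also makes the limit of `established` visible: it inspects one flag bit per packet and keeps no connection state, so the list is a port filter, not a stateful firewall.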
Be sure to read it carefully and patiently.