This will give you a starting point.
The router is DHCP enabled and hands out 192.168.168.1 to 192.168.168.99 as DHCP addresses.
The router IP will be 192.168.168.254.
Ethernet port 4 has been reserved for a future DMZ port.
The firewall (ip inspect, CBAC) is enabled if your IOS image supports it.
Access lists have been added, with a note after each section. It is important to understand and use access lists if you want to really secure your network.
Don't forget, access lists are evaluated in strict order from the top of the list down: the first matching entry wins, and anything that matches no entry is dropped by the implicit deny at the end of every list.
Lines beginning with ! are notes and not part of the config (IOS ignores them, so they can be pasted in with the rest).
The values in < ANGLE BRACKETS > are to be replaced with your own data.
START OF CONFIG
!
! No configuration change since last restart
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname ADSLRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 12288 debugging
logging console critical
! Only enable secret is needed. If both are set, IOS uses the secret and ignores
! enable password, which is only type-7 (reversibly) obfuscated even with
! service password-encryption on.
enable secret < PUT SECRET PASSWORD HERE >
!
no aaa new-model
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
no ip source-route
no ip gratuitous-arps
no ip dhcp use vrf connected
! .100 to .254 are never handed out by DHCP, so the router address and the
! static NAT targets below (.101, .105) cannot collide with a lease
ip dhcp excluded-address 192.168.168.100 192.168.168.254
!
ip dhcp pool LAN
network 192.168.168.0 255.255.255.0
default-router 192.168.168.254
domain-name Local
dns-server < PUT DNS SERVER IP ADDRESSES HERE >
lease 0 12
!
!
ip cef
ip name-server < DNS IP 1 >
ip name-server < DNS IP 2 >
no ip bootp server
! CBAC: applied outbound on Dialer1, this watches sessions leaving the LAN and
! opens the return path for their replies through access list 111
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
!
!
!
! secret stores an MD5 hash; password would only be type-7 obfuscated
username login secret < PUT LOCAL LOGIN PASSWORD HERE >
archive
log config
logging enable
!
!
!
!
!
interface Ethernet0
description INSIDE:192.168.168.254-255.255.255.0
ip address 192.168.168.254 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip mroute-cache
no cdp enable
hold-queue 100 out
!
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
! 0/38 is the usual VPI/VCI for UK ADSL
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
description LAN Port 1
duplex auto
speed auto
no shutdown
!
interface FastEthernet2
description LAN Port 2
duplex auto
speed auto
no shutdown
!
interface FastEthernet3
description LAN Port 3
duplex auto
speed auto
no shutdown
!
interface FastEthernet4
description DMZ Port
duplex auto
speed auto
shutdown
!
interface Dialer1
ip address negotiated
! 111 filters traffic arriving from the WAN, 121 filters traffic leaving to it.
! On a NAT outside interface the inbound list is checked BEFORE NAT (it sees the
! public Dialer1 address as destination) and the outbound list is checked AFTER
! NAT (it sees the public Dialer1 address as source). Write both lists with that
! in mind; entries naming 192.168.168.x addresses never match here.
ip access-group 111 in
ip access-group 121 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1458
ip nat outside
ip inspect myfw out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp chap hostname < PUT ADSL LOGIN NAME HERE >
ppp chap password < PUT ADSL LOGIN PASSWORD HERE >
!
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
! List 102 selects the inside addresses that are translated (overloaded) onto the Dialer1 address
ip nat inside source list 102 interface Dialer1 overload
! Static port forwards: TCP 3074 arriving on Dialer1 is sent to 192.168.168.101 port 3074, and so on
ip nat inside source static tcp 192.168.168.101 3074 interface Dialer1 3074
ip nat inside source static udp 192.168.168.101 88 interface Dialer1 88
ip nat inside source static udp 192.168.168.105 6112 interface Dialer1 6112
ip nat inside source static udp 192.168.168.105 3074 interface Dialer1 3074
ip nat inside source static tcp 192.168.168.105 6112 interface Dialer1 6112
!
access-list 23 remark Telnet to the VTY lines from the LAN only
access-list 23 permit 192.168.168.0 0.0.0.255
access-list 102 remark NAT source: inside addresses eligible for translation
access-list 102 permit ip 192.168.168.0 0.0.0.255 any
access-list 111 remark Dialer1 inbound from WAN
! "established" only tests that ACK or RST is set, which any crafted packet can
! carry; ip inspect already opens the return path for sessions it saw leave, so
! this entry can be dropped once the inspect rules are confirmed working.
access-list 111 permit tcp any any established
access-list 111 remark XBOXLIVE ports
! Allow traffic inbound from any external IP to the Dialer1 address on TCP 3074;
! the static NAT entries above then hand it to 192.168.168.101 (tcp) and .105 (udp)
access-list 111 permit tcp any any eq 3074
access-list 111 permit udp any any eq 3074
access-list 111 permit udp any any eq 88
access-list 111 remark COH ports
! This list is checked BEFORE NAT, so the destination it sees is the Dialer1
! address, never an inside 192.168.168.x address. The original entry
! "permit udp any host 192.168.168.215 eq 6112" could therefore never match
! (and .215 is not the host the static NAT sends 6112 to). Permit the port to
! "any" and let the static NAT entries deliver it to 192.168.168.105.
access-list 111 permit udp any any eq 6112
access-list 111 permit tcp any any eq 6112
access-list 111 deny icmp any any redirect
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 deny icmp any any unreachable
! Replies for the router's own sntp and DNS lookups. ip inspect does not track
! traffic the router itself originates, so these need explicit entries; limit
! them to the configured servers. The original "permit udp any eq domain any"
! admitted any UDP packet with source port 53, from anywhere, to any
! destination port, which is a classic filter bypass. LAN clients' DNS replies
! are already opened by the udp inspect rule and need nothing here.
access-list 111 permit udp host 158.43.128.66 eq ntp any
access-list 111 permit udp host 158.43.128.33 eq ntp any
access-list 111 permit udp host < DNS IP 1 > eq domain any
access-list 111 permit udp host < DNS IP 2 > eq domain any
access-list 111 deny tcp any any eq telnet
! GRE from anywhere is only needed if this router terminates PPTP/GRE tunnels;
! remove it otherwise
access-list 111 permit gre any any
access-list 111 deny ip any any log
access-list 121 remark Dialer1 outbound to WAN
! Permit traffic from any internal IP to any external IP on TCP port 3074, etc.
access-list 121 permit tcp any any eq 3074
access-list 121 permit udp any any eq 3074
access-list 121 permit udp any any eq 88
access-list 121 permit tcp any any eq www
access-list 121 permit tcp any any eq 443
access-list 121 permit tcp any any eq smtp
! Deny traffic from any internal IP to any external IP on TCP 593 (RPC over
! HTTP), 135 (RPC endpoint mapper), 139 and 445 (SMB) and the NetBIOS ports.
! It makes sense to deny all of these: Windows hosts will otherwise leak them
! to the internet, and nothing out there should be receiving them.
access-list 121 deny tcp any any eq 593
access-list 121 deny tcp any any eq 135
access-list 121 deny udp any any eq 135
access-list 121 deny tcp any any eq 139
access-list 121 deny tcp any any eq 445
access-list 121 deny udp any any eq netbios-ns
access-list 121 deny udp any any eq netbios-dgm
access-list 121 deny udp any any eq netbios-ss
access-list 121 deny udp any eq netbios-ns any
! Everything not explicitly denied above may go out. NAT runs BEFORE this
! list, so the source address here is already the Dialer1 address, not a
! 192.168.168.x address: the original "permit ip 192.168.168.0 0.0.0.255 any"
! never matched translated traffic and left DNS, and anything else not listed
! above, to the implicit deny.
access-list 121 permit ip any any
no cdp run
!
control-plane
!
!
line con 0
exec-timeout 120 0
no modem enable
transport output all
stopbits 1
line aux 0
! Nothing is attached to the AUX port, so give it no exec and no inbound transport
no exec
transport input none
transport output all
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
! "all" includes Telnet, which carries the login password in clear text across
! the LAN. If the image supports SSH (crypto/k9 image), generate an RSA key and
! use "transport input ssh" instead.
transport input all
transport output all
!
scheduler max-task-time 5000
sntp server 158.43.128.66
sntp server 158.43.128.33
end
END OF CONFIG
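Two things decide what lists 111 and 121 actually do: entries are matched top-down with the first hit winning, and on Dialer1 the inbound list is checked before NAT while the outbound list is checked after it. The Python below is an added example, not part of the original post: it parses numbered access-list entries of the form used in this config (any / host / wildcard addresses, eq ports, established, icmp type keywords), walks a packet through them in order, and puts the NAT step where IOS places it. WAN_IP, the sample packets and the config excerpt are constructed for the demo and are assumptions; STATIC_NAT mirrors the page's static NAT entries.

```python
# Added example (not from the original post): evaluate IOS numbered ACLs top-down
# with the NAT step placed where IOS applies it on the Dialer1 outside interface.
import collections
import dataclasses
import ipaddress

PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "ntp": 123, "telnet": 23}
WAN_IP = "203.0.113.7"  # assumed address negotiated on Dialer1 (documentation range)
# Static port forwards taken from the page's "ip nat inside source static" lines.
STATIC_NAT = {("tcp", 3074): "192.168.168.101", ("udp", 88): "192.168.168.101",
              ("udp", 6112): "192.168.168.105", ("udp", 3074): "192.168.168.105",
              ("tcp", 6112): "192.168.168.105"}

Rule = collections.namedtuple(
    "Rule", "action proto src sport dst dport established icmp_type text")

@dataclasses.dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp", "gre"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK or RST set: this is all "established" checks
    icmp_type: str = ""   # IOS keyword such as "echo"

def _addr(tok, i):
    """Parse one IOS address spec (any | host A | A WILDCARD); return (net, next i)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network((tok[i], tok[i + 1]), strict=False), i + 2

def _port(tok, i):
    """Parse an optional "eq PORT" at tok[i]; return (port or None, next i)."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

def parse_acl(config, number):
    """Return the entries of access-list <number>, in the order IOS evaluates them."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", str(number)] or tok[2] == "remark":
            continue
        action, proto = tok[2], tok[3]
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        rest = tok[i:]
        icmp_type = rest[0] if proto == "icmp" and rest and rest[0] != "log" else ""
        rules.append(Rule(action, proto, src, sport, dst, dport,
                          "established" in rest, icmp_type, line.strip()))
    return rules

def evaluate(rules, pkt):
    """Walk the list top-down: first match wins, no match is the implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if (r.proto in ("ip", pkt.proto) and s in r.src and d in r.dst
                and r.sport in (None, pkt.sport) and r.dport in (None, pkt.dport)
                and (pkt.ack or not r.established)
                and r.icmp_type in ("", pkt.icmp_type)):
            return r.action, r.text
    return "deny", "implicit deny"

def inbound_from_wan(acl111, pkt):
    """Dialer1 'in': the ACL runs before NAT, so it sees WAN_IP as the destination."""
    action, hit = evaluate(acl111, pkt)
    inside = STATIC_NAT.get((pkt.proto, pkt.dport)) if action == "permit" else None
    return action, hit, inside

def outbound_to_wan(acl121, pkt):
    """Dialer1 'out': NAT overload runs before the ACL, so it sees WAN_IP as the source."""
    return evaluate(acl121, dataclasses.replace(pkt, src=WAN_IP))

# Constructed excerpt of lists 111 and 121 as they appear in the post.
POSTED = """
access-list 111 permit tcp any any established
access-list 111 permit udp any any eq 3074
access-list 111 permit udp any host 192.168.168.215 eq 6112
access-list 111 deny ip any any log
access-list 121 permit tcp any any eq www
access-list 121 permit ip 192.168.168.0 0.0.0.255 any
"""
# The same excerpt with the two entries rewritten for where NAT actually sits.
FIXED = (POSTED.replace("udp any host 192.168.168.215 eq 6112", "udp any any eq 6112")
               .replace("ip 192.168.168.0 0.0.0.255 any", "ip any any"))

def demo():
    coh = Packet("udp", "198.51.100.9", WAN_IP, sport=6112, dport=6112)   # CoH from the WAN
    dns = Packet("udp", "192.168.168.10", "192.0.2.53", sport=40000, dport=53)  # LAN DNS query
    return {
        "coh_posted": inbound_from_wan(parse_acl(POSTED, 111), coh)[0],
        "coh_fixed": inbound_from_wan(parse_acl(FIXED, 111), coh),
        "dns_posted": outbound_to_wan(parse_acl(POSTED, 121), dns)[0],
        "dns_fixed": outbound_to_wan(parse_acl(FIXED, 121), dns)[0],
    }
```

Calling demo() shows the two failure modes side by side: the posted 111 denies an inbound UDP 6112 packet because its destination is the Dialer1 address and the host 192.168.168.215 entry can never match, while the corrected entry permits it and the static NAT lookup delivers it to 192.168.168.105; the posted 121 drops a LAN DNS query because after overload the source is the Dialer1 address and only the implicit deny is left, while "permit ip any any" lets it out. The evaluate function also makes the "established" weakness visible: any TCP packet with ACK set, whatever its port, is permitted by the first entry.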