Sample Cisco 837 Router Config

This will give you a start.

The router will be DHCP enabled and will hand out 192.168.168.1 to 192.168.168.99 as DHCP addresses.
The router IP will be 192.168.168.254.
Ethernet port 4 has been reserved for a future DMZ port.
The firewall (ip inspect) is enabled, provided your IOS image supports it.
Access lists have been added, with a note after each section. It is important to understand and use access lists if you want to really secure your network.

Don’t forget, access lists are processed in strict order from the top of the list down, and the first line that matches decides what happens to the packet.

The notes placed alongside config lines are explanations and not part of the config (IOS treats lines beginning with `!` as comments, so they are harmless if pasted).
Text in angle brackets, e.g. `< PUT SECRET PASSWORD HERE >`, is to be replaced with your own data.

START OF CONFIG

    !
    ! No configuration change since last restart
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime localtime
    service timestamps log datetime localtime
    service password-encryption
    !
    hostname ADSLRouter
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 12288 debugging
    logging console critical
    enable secret < PUT SECRET PASSWORD HERE >
    enable password < PUT ENABLE PASSWORD HERE >
    ! NOTE: enable secret takes precedence when both are set; enable password is only reversibly obscured by service password-encryption
    !
    no aaa new-model
    clock timezone GMT 0
    clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
    no ip source-route
    no ip gratuitous-arps
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.168.254
    ip dhcp excluded-address 192.168.168.100 192.168.168.254
    !
    ip dhcp pool LAN
     network 192.168.168.0 255.255.255.0
     default-router 192.168.168.254
     domain-name Local
     dns-server < PUT DNS SERVER IP ADDRESSES HERE >
     lease 0 12
    !
    ip cef
    ip name-server < DNS IP 1 >
    ip name-server < DNS IP 2 >
    no ip bootp server
    ip inspect name myfw cuseeme timeout 3600
    ip inspect name myfw ftp timeout 3600
    ip inspect name myfw rcmd timeout 3600
    ip inspect name myfw realaudio timeout 3600
    ip inspect name myfw smtp timeout 3600
    ip inspect name myfw tftp timeout 30
    ip inspect name myfw udp timeout 15
    ip inspect name myfw tcp timeout 3600
    ip inspect name myfw h323 timeout 3600
    !
    username login password < PUT LOCAL LOGIN PASSWORD HERE >
    archive
     log config
      logging enable
    !
    interface Ethernet0
     description INSIDE:192.168.168.254-255.255.255.0
     ip address 192.168.168.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     no ip mroute-cache
     no cdp enable
     hold-queue 100 out
    !
    interface ATM0
     no ip address
     no ip mroute-cache
     atm vc-per-vp 64
     no atm ilmi-keepalive
     dsl operating-mode auto
     pvc 0/38
     ! NOTE: 0/38 is the UK setting for ADSL
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    !
    interface FastEthernet1
     description LAN Port 1
     duplex auto
     speed auto
     no shutdown
    !
    interface FastEthernet2
     description LAN Port 2
     duplex auto
     speed auto
     no shutdown
    !
    interface FastEthernet3
     description LAN Port 3
     duplex auto
     speed auto
     no shutdown
    !
    interface FastEthernet4
     description DMZ Port
     duplex auto
     speed auto
     shutdown
    !
    interface Dialer1
     ip address negotiated
     ip access-group 111 in
     ! NOTE: access list 111 filters traffic inbound from the WAN
     ip access-group 121 out
     ! NOTE: access list 121 filters traffic outbound to the WAN
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip mtu 1458
     ip nat outside
     ip inspect myfw out
     ip virtual-reassembly
     encapsulation ppp
     dialer pool 1
     no cdp enable
     ppp authentication chap callin
     ppp chap hostname < PUT ADSL LOGIN NAME HERE >
     ppp chap password < PUT ADSL LOGIN PASSWORD HERE >
    !
    ip route 0.0.0.0 0.0.0.0 Dialer1
    no ip http server
    no ip http secure-server
    !
    ip nat inside source list 102 interface Dialer1 overload
    ! NOTE: access list 102 selects the LAN addresses that are NATed behind the dialer; the static entries below are the port forwards
    ip nat inside source static tcp 192.168.168.101 3074 interface Dialer1 3074
    ! NOTE: port forward TCP 3074 on the dialer to 192.168.168.101 port TCP 3074
    ip nat inside source static udp 192.168.168.101 88 interface Dialer1 88
    ip nat inside source static udp 192.168.168.105 6112 interface Dialer1 6112
    ip nat inside source static udp 192.168.168.105 3074 interface Dialer1 3074
    ip nat inside source static tcp 192.168.168.105 6112 interface Dialer1 6112
    !
    access-list 23 remark Allow Telnet to VTY 4 from LAN
    access-list 23 permit 192.168.168.0 0.0.0.255
    ! NOTE: allow telnet to the router from the LAN only (applied with access-class 23 on the vty lines)
    access-list 102 remark NAT Dialer source
    access-list 102 permit ip 192.168.168.0 0.0.0.255 any
    ! NOTE: access list 102 allows NAT for the LAN IPs
    access-list 111 remark Dialer Inbound from WAN
    ! NOTE: permit inbound rules
    access-list 111 permit tcp any any established
    access-list 111 remark XBOXLIVEports
    access-list 111 permit tcp any any eq 3074
    ! NOTE: allow traffic inbound from any external IP to any internal IP on TCP port 3074
    access-list 111 permit udp any any eq 3074
    access-list 111 permit udp any any eq 88
    access-list 111 remark COH ports
    access-list 111 permit udp any host 192.168.168.215 eq 6112
    ! NOTE: allow traffic inbound from any external IP to 192.168.168.215 on UDP port 6112
    ! NOTE: on an ip nat outside interface the inbound list is checked before NAT rewrites the destination, so this line sees the dialer's own address rather than 192.168.168.215; the static NAT entries above also forward 6112 to 192.168.168.105, not .215
    access-list 111 deny icmp any any redirect
    access-list 111 permit icmp any any administratively-prohibited
    access-list 111 permit icmp any any echo
    access-list 111 permit icmp any any echo-reply
    access-list 111 permit icmp any any packet-too-big
    access-list 111 permit icmp any any time-exceeded
    access-list 111 permit icmp any any traceroute
    access-list 111 deny icmp any any unreachable
    access-list 111 permit udp any any eq ntp
    access-list 111 permit udp any eq domain any
    access-list 111 deny tcp any any eq telnet
    access-list 111 permit gre any any
    access-list 111 deny ip any any log
    access-list 121 remark Dialer Outbound to WAN
    ! NOTE: permit outbound rules
    access-list 121 permit tcp any any eq 3074
    ! NOTE: permit traffic from any internal IP to any external IP on TCP port 3074
    access-list 121 permit udp any any eq 3074
    access-list 121 permit udp any any eq 88
    access-list 121 permit tcp any any eq www
    access-list 121 permit tcp any any eq 443
    access-list 121 permit tcp any any eq smtp
    access-list 121 deny tcp any any eq 593
    ! NOTE: deny traffic from any internal IP to any external IP on TCP port 593
    access-list 121 deny tcp any any eq 135
    ! NOTE: deny traffic from any internal IP to any external IP on TCP port 135
    access-list 121 deny udp any any eq 135
    ! NOTE: it makes sense to deny all these ports sending traffic out to the internet
    access-list 121 deny tcp any any eq 139
    ! NOTE: all these ports should be blocked: 135, 139 and the NetBIOS ones below
    access-list 121 deny udp any any eq netbios-ns
    access-list 121 deny udp any any eq netbios-dgm
    access-list 121 deny udp any any eq netbios-ss
    access-list 121 deny udp any eq netbios-ns any
    access-list 121 permit ip 192.168.168.0 0.0.0.255 any
    ! NOTE: this allows traffic not explicitly denied above to go out
    no cdp run
    !
    control-plane
    !
    line con 0
     exec-timeout 120 0
     no modem enable
     transport output all
     stopbits 1
    line aux 0
     transport output all
    line vty 0 4
     access-class 23 in
     exec-timeout 120 0
     login local
     length 0
     transport input all
     transport output all
    !
    scheduler max-task-time 5000
    sntp server 158.43.128.66
    sntp server 158.43.128.33
    end

END OF CONFIG
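As an added illustration of the strict top-down rule (example code, not part of the original post or of the router config): a small Python model that parses a constructed subset of access-list 121 from the config above, in its original order, and evaluates packets against it the way IOS does, first match wins, with the implicit deny at the end. The functions `parse_acl` and `evaluate`, the `PORTS` table and the sample addresses are the example's own.

```python
import ipaddress
# Constructed subset of access-list 121 from the config above, kept in its original order.
ACL_121 = """
access-list 121 permit tcp any any eq www
access-list 121 permit tcp any any eq 443
access-list 121 deny tcp any any eq 135
access-list 121 deny udp any any eq 135
access-list 121 deny udp any any eq netbios-ns
access-list 121 deny udp any eq netbios-ns any
access-list 121 permit ip 192.168.168.0 0.0.0.255 any
"""
PORTS = {"www": 80, "smtp": 25, "domain": 53, "ntp": 123, "telnet": 23,
         "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

def _addr(tok):
    """Consume one address spec (any | host A | A WILDCARD) plus an optional 'eq PORT'."""
    t = tok.pop(0)
    if t == "host":
        net = ipaddress.ip_network(t_host := tok.pop(0) + "/32") if False else ipaddress.ip_network(tok.pop(0) + "/32")
    elif t == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    else:  # IOS wildcard mask: 1 bits are "don't care", so invert it to get a netmask
        mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(tok.pop(0)))
        net = ipaddress.ip_network((t, str(ipaddress.ip_address(mask))), strict=False)
    port = None
    if tok and tok[0] == "eq":
        port = PORTS.get(tok[1]) or int(tok[1])
        del tok[:2]
    return net, port

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines; remarks are skipped."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[2] == "remark":
            continue
        rest = tok[4:]
        src, sport = _addr(rest)
        dst, dport = _addr(rest)
        rules.append((tok[2], tok[3], src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):
    """Return (action, index) of the first matching line; IOS denies if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, p, rs, rsp, rd, rdp) in enumerate(rules):
        if (p in ("ip", proto) and s in rs and d in rd
                and rsp in (None, sport) and rdp in (None, dport)):
            return action, i
    return "deny", None  # the implicit deny at the end of every IOS access list
```

Moving the final `permit ip 192.168.168.0 0.0.0.255 any` line to the top of the list makes every earlier deny unreachable, which is exactly why order matters.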
