Configuration Example - 2610 with Dialup ISDN
[Last Updated: Tuesday, 13-Jul-2010 16:46:54 EDT]
The following is a configuration example taken from my own
personal 2610 router that was used for Internet access at home. When I get
a chance I will add a list of detailed comments on the relevant portions.
It has been quite some time since I have worked with dialer
configurations, so I had to basically reread Cisco's documentation to get
it right. I found that Cisco's site was lacking a catch-all document for
complete configuration of dynamic ISDN dialup using NAT, CBAC, PPP, etc.,
so hopefully I will cover the majority of frequently asked questions
in one document here. I had to do plenty of debugging to get everything
working 100% the way I wanted it, so I figured I'd put this document out
here to help anyone else save some time.
The information supplied in this configuration is in no
way guaranteed to work in every situation nor supported by the author.
Every service provider has different default configurations and
requirements so your mileage may vary. This document is meant to provide
an example of generally accepted configuration practices for dialup ISDN
to untrusted networks like the Internet. The ! signifies a commented line
in Cisco's notation. Non-commented lines are the actual configuration
syntax as it would be entered on the Cisco router.
DISCLAIMER
No Warranty of any kind is expressed or implied with respect to the information contained in this document!
The information found here is compiled for the convenience of anyone looking for general guidelines and best practices for configuration based on my own professional experience, as well as industry standards.
Use this information at your own risk!
Scott S. 2010
Example Configuration for Dynamic ISDN Dialup
version 12.2
service nagle
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname r583net-1
!
boot system flash c2600-jk9o3s-mz.122-12c.bin
logging buffered 50000 debugging
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
username user1 password 7 xxxxxxxxxxxxxxxxxx
username user2 password 7 xxxxxxxxxxxxxxxxxx
clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
no ip source-route
!
!
ip domain-name thewaystation.com
ip name-server 204.147.128.78
ip name-server 166.60.12.11
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.250 192.168.1.255
ip dhcp ping packets 5
ip dhcp ping timeout 5000
!
ip dhcp pool Home
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 204.147.128.78 166.60.12.11
 netbios-node-type h-node
 domain-name thewaystation.com
 lease 30
!
! Fixed reservation for the work laptop, keyed on its DHCP client identifier
ip dhcp pool Laptop
 host 192.168.1.10 255.255.255.0
 client-identifier 0100.0347.b757.3b
 client-name WorkLaptop
 default-router 192.168.1.1
 dns-server 204.147.128.78 166.60.12.11
 netbios-node-type h-node
 domain-name thewaystation.com
 lease infinite
!
! CBAC (ip inspect) rule set "Internet", applied outbound on Dialer0, and the
! IOS IDS (ip audit) settings
ip inspect max-incomplete low 100
ip inspect max-incomplete high 300
ip inspect dns-timeout 8
ip inspect tcp idle-time 7200
ip inspect tcp finwait-time 8
ip inspect tcp max-incomplete host 100 block-time 1
ip inspect name Internet tcp alert on audit-trail on timeout 7200
ip inspect name Internet udp alert on audit-trail on timeout 60
ip inspect name Internet http alert on audit-trail on timeout 120
ip inspect name Internet smtp alert on audit-trail on timeout 30
ip inspect name Internet ftp alert on audit-trail on timeout 120
ip inspect name Internet fragment maximum 250 timeout 15
ip audit attack action alarm drop
ip audit notify log
ip audit po max-events 50
ip audit protected x.y.z.0 to x.y.z.255
ip audit smtp spam 100
ip audit name Internet attack action alarm drop
!
isdn switch-type basic-ni
call rsvp-sync
!
!
!
!
!
!
!
!
! LAN side: NAT inside. inside-out (applied in) filters traffic leaving the
! LAN; inside-in (applied out) filters traffic entering it.
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group inside-out in
 ip access-group inside-in out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 full-duplex
 no cdp enable
!
interface Serial0/0
 no ip address
 no ip mroute-cache
 shutdown
 no cdp enable
!
! Physical BRI: PPP, no address of its own; the Dialer0 profile uses it via
! dialer pool 1
interface BRI0/0
 bandwidth 128
 no ip address
 no ip redirects
 no ip unreachables
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool-member 1
 isdn switch-type basic-ni
 isdn spid1 xxxxxxxxxx0101 xxxxxxx
 isdn spid2 xxxxxxxxxx0101 xxxxxxx
 no cdp enable
!
interface Serial0/1
 no ip address
 shutdown
 no cdp enable
!
! Internet side: negotiated address, NAT outside, internet-in ACL and IOS IDS
! inbound, CBAC inspection outbound
interface Dialer0
 description IPass Internet Dialup
 ip address negotiated
 ip access-group internet-in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect Internet out
 ip audit Internet in
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer remote-name IPass
 dialer idle-timeout 600
 dialer string 1847xxxxxxx
 dialer hold-queue 5
 dialer load-threshold 1 either
 dialer-group 1
 no cdp enable
 ppp max-bad-auth 3
 ppp authentication chap pap callout optional
 ppp chap hostname user1
 ppp chap password 7 xxxxxxxxxxxxxxxxxx
 ppp pap sent-username user1 password 7 xxxxxxxxxxxxxxxxxx
 ppp ipcp accept-address
 ppp ipcp header-compression ack
 ppp ipcp dns accept
 ppp multilink
 ppp timeout authentication 20
 ppp timeout idle 600
!
! PAT: LAN sources matching list 111 share the negotiated Dialer0 address;
! inbound ESP (IPsec) is statically mapped to the laptop at 192.168.1.10
ip nat inside source list 111 interface Dialer0 overload
ip nat inside source static esp 192.168.1.10 interface Dialer0
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
no ip http server
ip pim bidir-enable
!
!
! inside-in (applied outbound on Ethernet0/0, i.e. traffic entering the LAN):
! selected ICMP types and traffic sourced by the router itself; everything
! else is denied and logged
ip access-list extended inside-in
 permit icmp any any net-unreachable
 permit icmp any any host-unreachable
 permit icmp any any port-unreachable
 permit icmp any any parameter-problem
 permit icmp any any packet-too-big
 permit icmp any any administratively-prohibited
 permit icmp any any source-quench
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 deny icmp any any
 permit ip host 192.168.1.1 any
 deny tcp any range 0 65535 any range 0 65535 log-input
 deny udp any range 0 65535 any range 0 65535 log-input
 deny ip any any log-input
! inside-out (applied inbound on Ethernet0/0, i.e. traffic leaving the LAN):
! blocks reserved, private and multicast destinations and NetBIOS, then
! permits the LAN subnet; the last line allows DHCP requests from hosts that
! have no address yet
ip access-list extended inside-out
 permit ip any host 192.168.1.1
 deny ip any 0.0.0.0 0.255.255.255 log-input
 deny ip any 10.0.0.0 0.255.255.255 log-input
 deny ip any 127.0.0.0 0.255.255.255 log-input
 deny ip any 169.254.0.0 0.0.255.255 log-input
 deny ip any 172.16.0.0 0.15.255.255 log-input
 deny ip any 192.168.0.0 0.0.255.255 log-input
 deny ip any 224.0.0.0 15.255.255.255 log-input
 deny udp any any eq netbios-ns
 deny udp any any eq netbios-dgm
 deny udp any any eq netbios-ss
 permit ip 192.168.1.0 0.0.0.255 any
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps log-input
! internet-in (applied inbound on Dialer0): drops packets with reserved or
! private source addresses (anti-spoofing), ICMP other than the listed
! error/reply types, and NetBIOS, then permits the rest
ip access-list extended internet-in
 deny 53 any any log-input
 deny 55 any any log-input
 deny 77 any any log-input
 deny pim any any log-input
 deny ip 0.0.0.0 0.255.255.255 any log-input
 deny ip 10.0.0.0 0.255.255.255 any log-input
 deny ip 127.0.0.0 0.255.255.255 any log-input
 deny ip 169.254.0.0 0.0.255.255 any log-input
 deny ip 172.16.0.0 0.15.255.255 any log-input
 deny ip 192.168.0.0 0.0.255.255 any log-input
 deny ip host 255.255.255.255 any log-input
 deny ip 224.0.0.0 15.255.255.255 any log-input
 deny ip host 0.0.0.0 any log-input
 permit icmp any any net-unreachable
 permit icmp any any host-unreachable
 permit icmp any any port-unreachable
 permit icmp any any parameter-problem
 permit icmp any any packet-too-big
 permit icmp any any administratively-prohibited
 permit icmp any any source-quench
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 deny icmp any any
 deny udp any any eq netbios-ns log
 deny udp any any eq netbios-dgm log
 deny udp any any eq netbios-ss log
 permit ip any any
! 10/11: NTP peer and serve-only clients; 50: vty access-class; 110:
! interesting traffic that brings up the ISDN call (dialer-list 1); 111: NAT
! inside source list; 112 and 199 are not referenced elsewhere in this config
access-list 10 permit 192.168.1.2
access-list 10 permit 192.168.1.254
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 50 permit 192.168.1.0 0.0.0.255 log
access-list 110 deny ip any host 255.255.255.255
access-list 110 deny tcp any any eq 137
access-list 110 deny tcp any any eq 138
access-list 110 deny tcp any any eq 139
access-list 110 deny icmp any any
access-list 110 permit tcp any any eq ftp-data
access-list 110 permit tcp any any eq ftp
access-list 110 permit tcp any any eq 22
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq pop3
access-list 110 permit tcp any any eq 443
access-list 110 permit udp any any eq domain
access-list 110 permit udp any any eq ntp
access-list 110 permit udp any any eq isakmp
access-list 110 permit esp any any
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 112 permit ip any any
access-list 199 permit ip any any
dialer-list 1 protocol ip list 110
no cdp run
!
!
dial-peer cor custom
!
!
!
!
banner motd ^C
Property of
Scott S.
Unauthorized Use Is Prohibited
You should not be here unless you
have been given explicit permission to do so
^C
!
line con 0
 exec-timeout 0 0
 password 7 xxxxxxxxxxxxxx
 login
 transport preferred none
line aux 0
 exec-timeout 5 0
 password 7 xxxxxxxxxxxxxx
 login
 modem InOut
 no exec
 transport input all
 stopbits 1
 speed 19200
 flowcontrol hardware
! vty: SSH only, with access-list 50 restricting sources to the LAN subnet
line vty 0 4
 access-class 50 in
 exec-timeout 5 0
 password 7 xxxxxxxxxxxxxx
 login local
 transport preferred ssh
 transport input ssh
!
ntp clock-period 17208756
ntp source Ethernet0/0
ntp access-group peer 10
ntp access-group serve-only 11
ntp server 192.168.1.2
ntp peer 192.168.1.254
end
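The named lists in this configuration are evaluated the way IOS evaluates every ACL: top-down, the first matching entry decides, and a packet that matches nothing hits the implicit deny at the end. The following Python script is an added example and not code from the original page; it implements that first-match evaluation for the syntax subset this configuration uses and runs it against an excerpt of the internet-in list, so the effect of the entry order can be checked offline (a packet with a spoofed 192.168.x.x source is dropped by the anti-spoofing entry well before the final permit, an inbound echo request is denied while an echo reply passes, a ttl-exceeded message with a non-zero code falls through to the ICMP deny). The Packet and Ace structures and the helper names are the example's own, and the sample addresses 198.51.100.1 and 203.0.113.10 are constructed documentation addresses.

```python
# Added example, not part of the original page: first-match evaluation of a
# Cisco IOS extended ACL for the syntax subset this configuration uses (named
# protocols or protocol numbers, any/host/wildcard addresses, eq/range ports,
# ICMP type keywords); 'log' and 'log-input' never affect the match decision.
import ipaddress
from collections import namedtuple

PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "pim": 103}
PORTS = {"ftp-data": 20, "ftp": 21, "smtp": 25, "domain": 53, "bootps": 67,
         "bootpc": 68, "www": 80, "pop3": 110, "ntp": 123, "netbios-ns": 137,
         "netbios-dgm": 138, "netbios-ss": 139, "isakmp": 500}
# ICMP keyword -> (type, code); code None matches any code of that type
ICMP = {"echo-reply": (0, None), "net-unreachable": (3, 0), "host-unreachable": (3, 1),
        "port-unreachable": (3, 3), "packet-too-big": (3, 4), "echo": (8, None),
        "administratively-prohibited": (3, 13), "source-quench": (4, None),
        "ttl-exceeded": (11, 0), "parameter-problem": (12, None)}
# Packet: protocol number, dotted-quad src/dst, optional ports and ICMP type/code
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type icmp_code",
                    defaults=(None, None, None, None))
# Ace: src/dst are (network, wildcard) ints; sport/dport are inclusive ranges or None
Ace = namedtuple("Ace", "action proto src sport dst dport icmp text")

def _ip(s): return int(ipaddress.IPv4Address(s))
def _port(tok): return PORTS[tok] if tok in PORTS else int(tok)

def _parse_addr(t, i):  # 'any' | 'host A' | 'A WILDCARD' at t[i] -> (spec, next i)
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def _parse_ports(t, i):  # optional 'eq P' | 'range A B' at t[i] -> (range|None, next i)
    if i < len(t) and t[i] == "eq":
        return (_port(t[i + 1]), _port(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return None, i

def parse_ace(line):
    t = line.split()
    proto = PROTO[t[1]] if t[1] in PROTO else int(t[1])  # e.g. 'deny 53 any any'
    src, i = _parse_addr(t, 2)
    sport, i = _parse_ports(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_ports(t, i)
    icmp = ICMP.get(t[i]) if i < len(t) else None  # anything left is log/log-input
    return Ace(t[0], proto, src, sport, dst, dport, icmp, line.strip())

def parse_acl(text):  # entries of one named ACL; header and '!' lines are skipped
    lines = [l.strip() for l in text.splitlines()]
    return [parse_ace(l) for l in lines if l and not l.startswith(("!", "ip access-list"))]

def _addr_ok(spec, ip):  # wildcard 1-bits are "don't care" bits
    mask = 0xFFFFFFFF ^ spec[1]
    return (_ip(ip) & mask) == (spec[0] & mask)

def _port_ok(rng, port):
    return rng is None or (port is not None and rng[0] <= port <= rng[1])

def ace_matches(ace, pkt):
    if ace.proto is not None and ace.proto != pkt.proto:
        return False
    if not (_addr_ok(ace.src, pkt.src) and _addr_ok(ace.dst, pkt.dst)):
        return False
    if not (_port_ok(ace.sport, pkt.sport) and _port_ok(ace.dport, pkt.dport)):
        return False
    if ace.icmp is None:
        return True
    typ, code = ace.icmp
    return pkt.icmp_type == typ and (code is None or pkt.icmp_code == code)

def evaluate(aces, pkt):  # IOS semantics: top-down, first match decides, implicit deny
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny at end of list"

# Excerpt of the internet-in list from the configuration above (protocol-number
# denies, anti-spoofing denies, part of the ICMP handling, NetBIOS, final permit)
INTERNET_IN = """ip access-list extended internet-in
deny 53 any any log-input
deny pim any any log-input
deny ip 0.0.0.0 0.255.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 127.0.0.0 0.255.255.255 any log-input
deny ip 169.254.0.0 0.0.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip host 255.255.255.255 any log-input
deny ip 224.0.0.0 15.255.255.255 any log-input
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
deny icmp any any
deny udp any any eq netbios-ns log
permit ip any any"""
```

evaluate returns the action together with the text of the entry that decided it, so for a denied packet you can see which anti-spoofing or protocol entry it would be counted against; parse_acl accepts any of the three named lists above pasted in verbatim.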