Recently I have often had to configure Cisco routers (mostly the 800–1800 series) for my company's branch offices from scratch, so to avoid typing the same set of commands a dozen times I put together a small template covering the various settings. I'll say right away that I have no Cisco certifications and haven't read any books on these routers; all my experience comes from trial and error, poring over the manuals on cisco.com, and some thoughtful borrowing of pieces from other people's configs...
So, unpack the router, load the latest firmware (SSH needs at least the Advanced Security feature set), run
#erase startup-config
to get rid of the pre-configured junk, and reload.
Configure authorization and access via SSH
! enable password encryption
service password-encryption
! use the new AAA model and local user base
aaa new-model
aaa authentication login default local
! create a user with full (level 15) privileges
username admin privilege 15 secret PASSWORD
! set the router's hostname and domain (both are needed before generating the key)
hostname <...>
ip domain-name router.domain
! generate the RSA key for SSH (1024 is the minimum; use 2048 where the IOS image supports it)
crypto key generate rsa modulus 1024
! SSH settings: idle timeout, retry limit, protocol version 2 only
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
! and enable it on the remote console lines
line vty 0 4
! telnet is left here only for the initial check; drop it once SSH is confirmed to work
transport input telnet ssh
privilege level 15
Setting up routing
! enable accelerated packet switching
ip cef
Time setting
! UTC+2 time zone (the zone name is a free-form label)
clock timezone Ukraine 2
clock summer-time Ukraine recurring last Sun Mar 2:00 last Sun Oct 2:00
! keep the hardware calendar in sync with the NTP-disciplined system clock
ntp update-calendar
! it is better to specify NTP servers by IP: if DNS is unavailable while the router reboots, name-based settings are lost...
ntp server NTP.SERVER.1.IP
ntp server NTP.SERVER.2.IP
Archiving Configs
! log every configuration change to the archive, with passwords masked in the log
archive
log config
logging enable
hidekeys
! the change history can then be viewed with
show archive log config all
DNS setup
! enable name resolution
ip domain-lookup
! enable the router's own DNS server (it will forward LAN queries to the servers below)
ip dns server
! the ISP's DNS server
ip name-server XXX.XXX.XXX.XXX
! and, just in case, a few public DNS servers
ip name-server 4.2.2.2
ip name-server 208.67.222.222
ip name-server 208.67.220.220
LAN setting
! usually the internal switch ports on the router are combined in Vlan1
interface Vlan1
description === LAN ===
ip address 192.168.???.1 255.255.255.0
! count packets sent out of this interface per source/destination pair; handy for seeing who eats the traffic
ip accounting output-packets
! view the statistics with
show ip accounting
! and reset them with
clear ip accounting
Setting up a DHCP server
! exclude a range of addresses from the pool
ip dhcp excluded-address 192.168.???.1 192.168.???.99
! and configure the address pool
ip dhcp pool LAN
network 192.168.???.0 255.255.255.0
default-router 192.168.???.1
dns-server 192.168.???.1
Internet and Firewall Setup
! filter for inbound traffic on the Internet side (the implicit deny at the end drops everything else)
ip access-list extended FIREWALL
permit tcp any any eq 22
! stateful inspection (CBAC) of outbound sessions, so that only their replies are let back in through the filter
ip inspect name INSPECT_OUT dns
ip inspect name INSPECT_OUT icmp
ip inspect name INSPECT_OUT ntp
ip inspect name INSPECT_OUT tcp router-traffic
ip inspect name INSPECT_OUT udp router-traffic
ip inspect name INSPECT_OUT icmp router-traffic
! configure the Internet-facing port and apply the protections to it
interface FastEthernet0/0
description === Internet ===
ip address ???.???.???.??? 255.255.255.???
ip virtual-reassembly
ip verify unicast reverse-path
no ip redirects
no ip directed-broadcast
no ip proxy-arp
no cdp enable
ip inspect INSPECT_OUT out
ip access-group FIREWALL in
! and finally, the default gateway
ip route 0.0.0.0 0.0.0.0 ???.???.???.???
NAT Setup
! on the internet interface
interface FastEthernet0/0
ip nat outside
! on the local interface
interface Vlan1
ip nat inside
! ACL of internal hosts allowed to use NAT (one entry per host)
ip access-list extended NAT
permit ip host 192.168.???.??? any
! PAT the listed hosts behind the address of the external interface
ip nat inside source list NAT interface FastEthernet0/0 overload
! add inspection of popular protocols
ip inspect name INSPECT_OUT http
ip inspect name INSPECT_OUT https
ip inspect name INSPECT_OUT ftp
Disable unnecessary services
no service tcp-small-servers
no service udp-small-servers
no service finger
no service config
no service pad
no ip finger
no ip source-route
no ip http server
no ip http secure-server
no ip bootp server
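To check that a finished router actually matches this template (SSH-only vty lines, the hardened Internet-facing interface, the disabled services), here is an added Python audit script; it is not part of the original post, and the running-config it parses is a constructed sample using a documentation-range address.

```python
# Constructed sample running-config (not from a real device): telnet is still
# allowed on the vty lines and several of the "no ..." hardening lines are absent.
SAMPLE_CONFIG = """\
service password-encryption
aaa new-model
ip ssh version 2
no service tcp-small-servers
line vty 0 4
 transport input telnet ssh
interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.252
 ip verify unicast reverse-path
 ip inspect INSPECT_OUT out
 ip access-group FIREWALL in
 ip nat outside
"""
# Global commands the template expects verbatim (IOS prints the "no ..." form in running-config).
REQUIRED_GLOBAL = ("service password-encryption", "aaa new-model", "ip ssh version 2",
                   "no ip http server", "no ip http secure-server", "no ip source-route",
                   "no service tcp-small-servers", "no service udp-small-servers")
# Sub-commands every "ip nat outside" interface must carry (prefix match).
OUTSIDE_NEEDS = ("ip access-group ", "ip inspect ", "ip verify unicast reverse-path")

def parse_ios(text):
    """Map each top-level command to the list of indented sub-commands under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                                   # blank line or IOS comment
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())      # belongs to the open block
        else:
            current = raw.strip()
            sections[current] = []
    return sections

def audit(text):
    """Return findings as strings; an empty list means the config matches the template."""
    sections = parse_ios(text)
    findings = [f"missing global: {cmd}" for cmd in REQUIRED_GLOBAL if cmd not in sections]
    for hdr, body in sections.items():
        if hdr.startswith("line vty"):
            inputs = [sub for sub in body if sub.startswith("transport input")]
            if inputs != ["transport input ssh"]:      # default or telnet = cleartext login
                findings.append(f"{hdr}: transport input must be 'ssh' only")
        if hdr.startswith("interface") and "ip nat outside" in body:
            for need in OUTSIDE_NEEDS:
                if not any(sub.startswith(need) for sub in body):
                    findings.append(f"{hdr}: outside interface lacks '{need.strip()}'")
    return findings
```

Feed it the output of `show running-config` and an empty result means the box matches the template; anything else is a line to go back and add.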
UPD. Removed the excess on the advice of a Habr user.
UPD2. Added the section on disabling unnecessary services.
UPD3. Changed the firewall setup (thanks to Fedia).