#erase startup-config
service password-encryption
aaa new-model
aaa authentication login default local
username admin privilege 15 secret PASSWORD
hostname <...>
ip domain-name router.domain
crypto key generate rsa modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
line vty 0 4
transport input telnet ssh
privilege level 15
ip cef
clock timezone Ukraine 2
clock summer-time Ukraine recurring last Sun Mar 2:00 last Sun Oct 2:00
ntp update-calendar
ntp server NTP.SERVER.1.IP
ntp server NTP.SERVER.2.IP
archive
log config
logging enable
hidekeys
show archive log config all
ip domain-lookup
ip dns server
ip name-server XXX.XXX.XXX.XXX
ip name-server 4.2.2.2
ip name-server 208.67.222.222
ip name-server 208.67.220.220
interface Vlan1
description === LAN ===
ip address 192.168.???.1
ip accounting output-packets
show ip accounting
clear ip accounting
ip dhcp excluded-address 192.168.???.1 192.168.???.99
ip dhcp pool LAN
network 192.168.???.0 255.255.255.0
default-router 192.168.???.1
dns-server 192.168.???.1
ip access-list extended FIREWALL
permit tcp any any eq 22
ip inspect name INSPECT_OUT dns
ip inspect name INSPECT_OUT icmp
ip inspect name INSPECT_OUT ntp
ip inspect name INSPECT_OUT tcp router-traffic
ip inspect name INSPECT_OUT udp router-traffic
ip inspect name INSPECT_OUT icmp router-traffic
interface FastEthernet0/0
description === Internet ===
ip address ???.???.???.??? 255.255.255.???
ip virtual-reassembly
ip verify unicast reverse-path
no ip redirects
no ip directed-broadcast
no ip proxy-arp
no cdp enable
ip inspect INSPECT_OUT out
ip access-group FIREWALL in
ip route 0.0.0.0 0.0.0.0 ???.???.???.???
interface FastEthernet0/0
ip nat outside
interface Vlan1
ip nat inside
ip access-list extended NAT
permit ip host 192.168.???.??? any
ip nat inside source list NAT interface FastEthernet0/0 overload
ip inspect name INSPECT_OUT http
ip inspect name INSPECT_OUT https
ip inspect name INSPECT_OUT ftp
no service tcp-small-servers
no service udp-small-servers
no service finger
no service config
no service pad
no ip finger
no ip source-route
no ip http server
no ip http secure-server
no ip bootp server
Source: https://habr.com/ru/post/87680/