Something like this should do . . . check on www.cisco.com any command whose purpose you don't understand . . .
The config assumes the s0/0 interface is connected to the outside, untrusted (maybe the internet) network, and the fa0/0 is connected to your trusted internal network . . .
Sorry for the Spanish comments! :)
Dario
no service pad
no service tcp-small-servers
no service udp-small-servers
!
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service nagle
service tcp-keepalives-in
!
aaa new-model
aaa authentication login Cisco-Lab local
!
!
username dario password cisco
!
hostname border1
!
logging buffered 16384 debugging
enable secret cisco
enable password sanfran
!
! you can also use "no enable password"
!
ip subnet-zero
no ip source-route
no ip finger
no ip domain-lookup
no ip bootp server
!
spd enable
!
no cdp run
!
! if we plan to use Unicast RPF, we have to enable CEF
!
ip cef
!
!
interface Loopback0
ip address 10.0.10.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.0.2.1 255.255.255.0
no ip proxy-arp
! so we don't act as a smurf relay
no ip directed-broadcast
no ip redirects
! "no ip unreachables" can have adverse consequences . . .
no ip unreachables
no ip mask-reply
no cdp enable
!
interface Serial0/0
ip address 10.0.1.1 255.255.255.0
! anti-spoofing filter (access-list 101 below) applied inbound on the outside interface
ip access-group 101 in
ip verify unicast reverse-path
no ip proxy-arp
no ip directed-broadcast
no ip redirects
! "no ip unreachables" can have adverse consequences . . .
no ip unreachables
no ip mask-reply
no cdp enable
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
no cdp enable
!
interface Serial0/1
no ip address
shutdown
no cdp enable
!
ip classless
no ip http server
!
logging buffered 16384
logging facility local7
logging source-interface Loopback0
logging 10.0.2.200
logging 10.0.2.201
!
no access-list 101
! anti-spoofing: drop packets whose source is a reserved or private range, whatever the destination
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 192.0.2.0 0.0.0.255 any log
access-list 101 deny ip 169.254.0.0 0.0.255.255 any log
access-list 101 deny ip 240.0.0.0 15.255.255.255 any log
access-list 101 permit ip any any
!
no access-list 96
access-list 96 permit 10.0.1.27 0.0.0.0
access-list 96 deny any
!
no access-list 97
access-list 97 permit 10.0.1.0 0.0.0.255
access-list 97 permit 10.0.2.0 0.0.0.255
access-list 97 deny any
!
no access-list 98
access-list 98 permit 10.0.2.200
access-list 98 permit 10.0.2.201
access-list 98 deny any
!
snmp-server engineID local 00000009020000507335F220
snmp-server community HardtoGuessPassword RO 98
snmp-server community HardToGuessPassword view v1default RO
snmp-server trap-source Loopback0
snmp-server packetsize 2048
snmp-server location Border Router 1 at Building 5
snmp-server contact Your Name Here [[EMAIL PROTECTED]]
snmp-server enable traps snmp
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps bgp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps syslog
snmp-server enable traps rtr
snmp-server host 10.0.2.200 HardToGuessPassword
snmp-server host 10.0.2.201 HardToGuessPassword
!
line con 0
login
password ConsoleHardToGuessPassword
exec-timeout 5 0
transport input none
line aux 0
exec-timeout 10 0
line vty 0 3
access-class 97 in
exec-timeout 5 0
transport input telnet
transport output none
transport preferred none
login authentication Cisco-Lab
line vty 4
access-class 96 in
exec-timeout 5 0
transport input telnet
login
password LastChanceVty
!
end
At 07:42 PM 6/27/00 -0700, Erick wrote:
>I wish IOS had an option to display all the default settings at times... like
>'show running all' or something.
>
>--- Chris Brenton <[EMAIL PROTECTED]> wrote:
> > "Brian J. Murrell" wrote:
> > >
> > > However, what I am interested in is disabling *all* of the unnecessary
> > > services on the router. For example
> > >
> > > no cdp run
> > >
> > > Turns off CDP. Great. How about any others?
> >
> > It really depends on the version of IOS you are running. For example
> > small-servers are enabled by default in 11.x but are off by default in
> > 12.x.
> >
> > You really have to watch out for this because it can bite you. For
> > example a "show running" will produce identical config files on both IOS
> > versions even though small-servers is active on 11.x but disabled on
> > 12.x. The reason the files look the same is that the config file only
> > shows _variations_ from the default settings. With this in mind it's
> > always a good idea to double check your config by running a port scan of
> > the router once you have locked it down.
> >
> > With that said, try these:
> >
> > no service tcp-small-servers
> > no service udp-small-servers
> > no service finger
> > no ip bootp server
> > no ip http server
> >
> > Based on the above commentary, don't be concerned if you run these
> > commands but "show running" does not display them. It's that "default
> > setting" thing mentioned above. A port scan is still a good sanity check
> > however.
> >
> > Additionally, you may also want to run these:
> > no ip source-route
> > banner incoming # Unauthorized access of this device is prohibited #
> > no ip directed-broadcast (from interface config mode)
> >
> > HTH,
> > Chris
> > --
> > **************************************
> > [EMAIL PROTECTED]
Dario N. Ciccarone
Internship SE
Cisco Systems
Argentina, Paraguay, Uruguay y Bolivia
Ing. Enrique Butty 240 Piso 17
C1001ABF, Buenos Aires , Argentina
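As an added example (not part of the original post, and not Cisco's code), a small Python evaluator for the numbered extended ACL syntax used in the config above, run against the anti-spoof list that the config applies inbound on Serial0/0; the constructed copy of the list uses `any` as the destination of every deny. It shows how wildcard masks match (a 1 bit means "don't care") and how first-match with an implicit trailing deny decides a packet's fate.

```python
import ipaddress

# Constructed input: the post's anti-spoof list, with 'any' as the destination of
# every deny (a source-address filter should not care where the packet is going).
ACL_101 = """
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 192.0.2.0 0.0.0.255 any log
access-list 101 deny ip 169.254.0.0 0.0.255.255 any log
access-list 101 deny ip 240.0.0.0 15.255.255.255 any log
access-list 101 permit ip any any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr_spec(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return ((net, wild), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST [log]' lines, keeping order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue  # this toy only handles protocol 'ip' entries
        src, rest = _addr_spec(t[4:])
        dst, rest = _addr_spec(rest)
        entries.append((t[2], src, dst, "log" in rest))
    return entries

def _matches(addr, spec):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF  # a 1 bit in the wildcard means "don't care"
    return (_ip(addr) & care) == (net & care)

def evaluate(entries, src, dst):
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for action, s, d, log in entries:
        if _matches(src, s) and _matches(dst, d):
            return action, log
    return "deny", False
```

`evaluate(parse_acl(ACL_101), "10.0.5.9", "10.0.2.10")` returns `("deny", True)` for a spoofed RFC 1918 source, while an ordinary outside source such as 203.0.113.7 falls through to the final permit.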