! Listing 8.15: Single connection to the internet with router protection configured
!
! Copyright (C) 2001 by Vincent C Jones. All Rights Reserved.
version 11.0
!
hostname ExternalRouter
!
no service finger ! "no ip finger" in later IOS releases
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service udp-small-servers ! 12.0 default
no service tcp-small-servers ! 12.0 default
!
enable secret
no ip bootp server
ip subnet-zero
no ip source-route
no ip domain-lookup
!
interface Ethernet0/0
 description No Man's Land LAN
 ip address 100.0.0.33 255.255.255.224
 ip access-group 193 in
 no ip directed-broadcast
!
interface Serial0/0
 description Link to the Internet via ISP
 ip address 110.0.0.1 255.255.255.252
 ip access-group 191 in
 ip access-group 192 out
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 bandwidth 1544
 ntp disable
!
no ip http server ! Add for IOS releases with HTTP access
ip classless
ip route 100.0.0.8 255.255.255.248 100.0.0.46
ip route 100.0.0.16 255.255.255.240 100.0.0.46
ip route 100.0.0.64 255.255.255.192 100.0.0.46
ip route 100.0.0.0 255.255.255.0 Null0
ip route 0.0.0.0 0.0.0.0 110.0.0.2
no logging console
logging trap debugging
logging 100.0.0.9
!
! Filter to block all access
access-list 90 deny any
! Filter defining systems in 100.0.0.8/29 allowed telnet access
access-list 91 permit 100.0.0.10
access-list 91 permit 100.0.0.11
! Filter defining systems in 100.0.0.8/29 allowed SNMP access
access-list 92 permit 100.0.0.10
! Definition of Acceptable traffic from the Internet
access-list 191 deny ip 192.168.0.0 0.0.255.255 any log
access-list 191 deny ip 172.16.0.0 0.15.255.255 any log
access-list 191 deny ip 10.0.0.0 0.255.255.255 any log
access-list 191 deny ip 127.0.0.0 0.255.255.255 any log
access-list 191 deny ip 255.0.0.0 0.255.255.255 any log
access-list 191 deny ip 224.0.0.0 7.255.255.255 any log
access-list 191 deny ip host 0.0.0.0 any log
access-list 191 deny ip 100.0.0.0 0.0.0.255 any log
access-list 191 permit ip host 110.0.0.2 100.0.0.8 0.0.0.7
access-list 191 deny ip 110.0.0.0 0.0.0.3 any log
access-list 191 deny ip any host 100.0.0.33 log
access-list 191 deny ip any 100.0.0.8 0.0.0.7 log
access-list 191 permit ip any 100.0.0.0 0.0.0.255
access-list 191 deny ip any any log
! Definition of acceptable traffic to the Internet
access-list 192 deny ip any 192.168.0.0 0.0.255.255 log
access-list 192 deny ip any 172.16.0.0 0.15.255.255 log
access-list 192 deny ip any 10.0.0.0 0.255.255.255 log
access-list 192 deny ip host 100.0.0.33 any log
access-list 192 permit ip 100.0.0.8 0.0.0.7 host 110.0.0.2
access-list 192 deny ip 100.0.0.8 0.0.0.7 any log
access-list 192 permit ip 100.0.0.0 0.0.0.255 any
access-list 192 deny ip any any log
! Definition of acceptable traffic from the inside
access-list 193 permit ip 100.0.0.8 0.0.0.7 host 100.0.0.33
access-list 193 deny ip any 100.0.0.0 0.0.0.255 log
access-list 193 permit ip 100.0.0.8 0.0.0.7 host 110.0.0.1
access-list 193 permit ip 100.0.0.8 0.0.0.7 host 110.0.0.2
access-list 193 deny ip any 110.0.0.0 0.0.0.3 log
access-list 193 deny ip 100.0.0.8 0.0.0.7 any log
access-list 193 permit ip 100.0.0.0 0.0.0.255 any
access-list 193 deny ip any any log
!
no cdp run
!
snmp-server community AccessCommunity RO 92
snmp-server trap-authentication
snmp-server enable traps
snmp-server host 100.0.0.11 TrapCommunity
!
line aux 0
 access-class 90 in
 transport input all
line vty 0 4
 access-class 91 in
 password PickAGoodOne
 login
!
end