Posted by: rolande | June 22, 2007

Secure Dynamic ISDN Dialup

The following is a configuration example taken from my own 2610 router, which I used for Internet access at home. When I get a chance I will add detailed comments on the relevant portions. It had been quite some time since I last worked with dialer configurations, so I basically had to reread Cisco’s documentation to get it right. I found that Cisco’s site lacked a catch-all document for a complete dynamic ISDN dialup configuration using NAT, CBAC, PPP, etc., so I hope to cover the majority of the frequently asked questions in this one document. It took plenty of debugging to get everything working 100% the way I wanted, so I figured I’d put this document out here to save anyone else some time.

The information supplied in this configuration is in no way guaranteed to work in every situation, nor is it supported by the author. Every service provider has different default configurations and requirements, so your mileage may vary. This document is meant to provide an example of generally accepted configuration practices for dialup ISDN to untrusted networks such as the Internet. In Cisco’s notation a line beginning with ! is a comment; all other lines are the actual configuration syntax as it would be entered on the router.


DISCLAIMER

No Warranty of any kind is expressed or implied with respect to the information contained in this document!

The information found here is compiled for the convenience of anyone looking for general guidelines and best practices for configuration based on my own professional experience, as well as industry standards.

Use this information at your own risk!

Scott S. 2007


Example Configuration for Dynamic ISDN Dialup

version 12.2
service nagle
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname r583net-1
!
boot system flash c2600-jk9o3s-mz.122-12c.bin
logging buffered 50000 debugging
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
username user1 password 7 xxxxxxxxxxxxxxxxxx
username user2 password 7 xxxxxxxxxxxxxxxxxx
clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
no ip source-route
!
!
ip domain-name thewaystation.com
ip name-server 204.147.128.78
ip name-server 166.60.12.11
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.250 192.168.1.255
ip dhcp ping packets 5
ip dhcp ping timeout 5000
!
ip dhcp pool Home
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 204.147.128.78 166.60.12.11
   netbios-node-type h-node
   domain-name thewaystation.com
   lease 30
!
ip dhcp pool Laptop
   host 192.168.1.10 255.255.255.0
   client-identifier 0100.0347.b757.3b
   client-name WorkLaptop
   default-router 192.168.1.1
   dns-server 204.147.128.78 166.60.12.11
   netbios-node-type h-node
   domain-name thewaystation.com
   lease infinite
!
! CBAC (ip inspect): stateful inspection of the protocols named below; the
! max-incomplete thresholds limit half-open TCP sessions (SYN-flood protection)
ip inspect max-incomplete low 100
ip inspect max-incomplete high 300
ip inspect dns-timeout 8
ip inspect tcp idle-time 7200
ip inspect tcp finwait-time 8
ip inspect tcp max-incomplete host 100 block-time 1
ip inspect name Internet tcp alert on audit-trail on timeout 7200
ip inspect name Internet udp alert on audit-trail on timeout 60
ip inspect name Internet http alert on audit-trail on timeout 120
ip inspect name Internet smtp alert on audit-trail on timeout 30
ip inspect name Internet ftp alert on audit-trail on timeout 120
ip inspect name Internet fragment maximum 250 timeout 15
!
! IOS Firewall IDS (ip audit): attack-class signature matches raise an alarm and drop the packet
ip audit attack action alarm drop
ip audit notify log
ip audit po max-events 50
ip audit protected x.y.z.0 to x.y.z.255
ip audit smtp spam 100
ip audit name Internet attack action alarm drop
!
isdn switch-type basic-ni
call rsvp-sync
!
!
!
!
!
!
!
!
! Inside LAN interface (NAT inside). inside-out is applied to packets arriving
! from the LAN, inside-in to packets the router sends toward the LAN.
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group inside-out in
 ip access-group inside-in out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 full-duplex
 no cdp enable
!
interface Serial0/0
 no ip address
 no ip mroute-cache
 shutdown
 no cdp enable
!
! Physical BRI: carries no address of its own; it is a member of dialer pool 1,
! so the logical Dialer0 interface below drives it
interface BRI0/0
 bandwidth 128
 no ip address
 no ip redirects
 no ip unreachables
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool-member 1
 isdn switch-type basic-ni
 isdn spid1 xxxxxxxxxx0101 xxxxxxx
 isdn spid2 xxxxxxxxxx0101 xxxxxxx
 no cdp enable
!
interface Serial0/1
 no ip address
 shutdown
 no cdp enable
!
! Logical dialer interface: PPP-negotiated address, NAT outside; the internet-in
! ACL, CBAC (ip inspect) and IDS (ip audit) are all applied here
interface Dialer0
 description IPass Internet Dialup
 ip address negotiated
 ip access-group internet-in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect Internet out
 ip audit Internet in
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer remote-name IPass
 dialer idle-timeout 600
 dialer string 1847xxxxxxx
 dialer hold-queue 5
 dialer load-threshold 1 either
 dialer-group 1
 no cdp enable
 ppp max-bad-auth 3
 ppp authentication chap pap callout optional
 ppp chap hostname user1
 ppp chap password 7 xxxxxxxxxxxxxxxxxx
 ppp pap sent-username user1 password 7 xxxxxxxxxxxxxxxxxx
 ppp ipcp accept-address
 ppp ipcp header-compression ack
 ppp ipcp dns accept
 ppp multilink
 ppp timeout authentication 20
 ppp timeout idle 600
!
! PAT: inside hosts matching list 111 share the negotiated Dialer0 address; the
! static ESP entry passes inbound IPsec ESP to the laptop at 192.168.1.10
ip nat inside source list 111 interface Dialer0 overload
ip nat inside source static esp 192.168.1.10 interface Dialer0
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
no ip http server
ip pim bidir-enable
!
!
! Named ACLs: inside-in and inside-out guard the LAN side; internet-in does
! anti-spoofing and protocol filtering on the Dialer0 side
ip access-list extended inside-in
 permit icmp any any net-unreachable
 permit icmp any any host-unreachable
 permit icmp any any port-unreachable
 permit icmp any any parameter-problem
 permit icmp any any packet-too-big
 permit icmp any any administratively-prohibited
 permit icmp any any source-quench
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 deny   icmp any any
 permit ip host 192.168.1.1 any
 deny   tcp any range 0 65535 any range 0 65535 log-input
 deny   udp any range 0 65535 any range 0 65535 log-input
 deny   ip any any log-input
ip access-list extended inside-out
 permit ip any host 192.168.1.1
 deny   ip any 0.0.0.0 0.255.255.255 log-input
 deny   ip any 10.0.0.0 0.255.255.255 log-input
 deny   ip any 127.0.0.0 0.255.255.255 log-input
 deny   ip any 169.254.0.0 0.0.255.255 log-input
 deny   ip any 172.16.0.0 0.15.255.255 log-input
 deny   ip any 192.168.0.0 0.0.255.255 log-input
 deny   ip any 224.0.0.0 15.255.255.255 log-input
 deny   udp any any eq netbios-ns
 deny   udp any any eq netbios-dgm
 deny   udp any any eq netbios-ss
 permit ip 192.168.1.0 0.0.0.255 any
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps log-input
ip access-list extended internet-in
 deny   53 any any log-input
 deny   55 any any log-input
 deny   77 any any log-input
 deny   pim any any log-input
 deny   ip 0.0.0.0 0.255.255.255 any log-input
 deny   ip 10.0.0.0 0.255.255.255 any log-input
 deny   ip 127.0.0.0 0.255.255.255 any log-input
 deny   ip 169.254.0.0 0.0.255.255 any log-input
 deny   ip 172.16.0.0 0.15.255.255 any log-input
 deny   ip 192.168.0.0 0.0.255.255 any log-input
 deny   ip host 255.255.255.255 any log-input
 deny   ip 224.0.0.0 15.255.255.255 any log-input
 deny   ip host 0.0.0.0 any log-input
 permit icmp any any net-unreachable
 permit icmp any any host-unreachable
 permit icmp any any port-unreachable
 permit icmp any any parameter-problem
 permit icmp any any packet-too-big
 permit icmp any any administratively-prohibited
 permit icmp any any source-quench
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 deny   icmp any any
 deny   udp any any eq netbios-ns log
 deny   udp any any eq netbios-dgm log
 deny   udp any any eq netbios-ss log
 permit ip any any
access-list 10 permit 192.168.1.2
access-list 10 permit 192.168.1.254
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 50 permit 192.168.1.0 0.0.0.255 log
access-list 110 deny   ip any host 255.255.255.255
access-list 110 deny   tcp any any eq 137
access-list 110 deny   tcp any any eq 138
access-list 110 deny   tcp any any eq 139
access-list 110 deny   icmp any any
access-list 110 permit tcp any any eq ftp-data
access-list 110 permit tcp any any eq ftp
access-list 110 permit tcp any any eq 22
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq pop3
access-list 110 permit tcp any any eq 443
access-list 110 permit udp any any eq domain
access-list 110 permit udp any any eq ntp
access-list 110 permit udp any any eq isakmp
access-list 110 permit esp any any
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 112 permit ip any any
access-list 199 permit ip any any
!
! Interesting traffic: only packets matching list 110 bring up the ISDN call or
! reset its idle timer; ICMP and NetBIOS are excluded so they cannot trigger a dial
dialer-list 1 protocol ip list 110
no cdp run
!
!
dial-peer cor custom
!
!
!
!
banner motd ^C

                                  Property of
                                   Scott S.
                         Unauthorized Use Is Prohibited

                       You should not be here unless you
                  have been given explicit permission to do so

^C
!
line con 0
 exec-timeout 0 0
 password 7 xxxxxxxxxxxxxx
 login
 transport preferred none
line aux 0
 exec-timeout 5 0
 password 7 xxxxxxxxxxxxxx
 login
 modem InOut
 no exec
 transport input all
 stopbits 1
 speed 19200
 flowcontrol hardware
! Management: VTY lines accept SSH only, from 192.168.1.0/24 (list 50), with local user accounts
line vty 0 4
 access-class 50 in
 exec-timeout 5 0
 password 7 xxxxxxxxxxxxxx
 login local
 transport preferred ssh
 transport input ssh
!
ntp clock-period 17208756
ntp source Ethernet0/0
ntp access-group peer 10
ntp access-group serve-only 11
ntp server 192.168.1.2
ntp peer 192.168.1.254
end
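
To check what the static part of this policy does before NAT and CBAC come into play, here is an added example (not from the original post or from Cisco): a small Python evaluator for IOS extended-ACL syntax, run over a subset of the internet-in list above against constructed packets. It shows the anti-spoofing and NetBIOS denies, the ICMP handling (replies admitted, requests refused), and that the trailing permit ip any any admits an unsolicited TCP SYN, so stopping such traffic is left to other controls (here, the vty access-class 50 on the management lines).

```python
import ipaddress

# Subset of the page's "internet-in" ACL (inbound on Dialer0), copied from the configuration
# above. IOS uses the first matching entry; a packet matching nothing hits the implicit deny.
INTERNET_IN = """
deny   ip 10.0.0.0 0.255.255.255 any log-input
deny   ip 172.16.0.0 0.15.255.255 any log-input
deny   ip 192.168.0.0 0.0.255.255 any log-input
permit icmp any any echo-reply
deny   icmp any any
deny   udp any any eq netbios-ns log
permit ip any any
"""
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

def parse_addr(tok):  # consume 'any' | 'host A' | 'A WILDCARD'; return (network, remaining tokens)
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[1]))  # IOS wildcard is an inverted netmask
    return ipaddress.ip_network(f"{tok[0]}/{ipaddress.IPv4Address(mask)}", strict=False), tok[2:]

def parse_acl(text):  # source-port qualifiers are not used in this ACL and are not handled
    rules = []
    for line in text.strip().splitlines():
        action, proto, *tok = line.split()
        src, tok = parse_addr(tok)
        dst, tok = parse_addr(tok)
        dport = (PORT_NAMES.get(tok[1]) or int(tok[1])) if tok and tok[0] == "eq" else None
        tok = tok[2:] if dport is not None else tok
        icmp = tok[0] if proto == "icmp" and tok and not tok[0].startswith("log") else None  # e.g. echo-reply
        rules.append((line.strip(), action, proto, src, dst, dport, icmp))
    return rules

def evaluate(rules, pkt):  # (action, entry text) of the first matching entry, else the implicit deny
    for text, action, proto, src, dst, dport, icmp in rules:
        if (proto in ("ip", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in src and ipaddress.ip_address(pkt["dst"]) in dst
                and dport in (None, pkt.get("dport")) and icmp in (None, pkt.get("icmp"))):
            return action, text
    return "deny", "implicit deny"

RULES = parse_acl(INTERNET_IN)
# Constructed packets arriving on Dialer0 (documentation address ranges, not captured traffic)
SPOOFED = {"proto": "tcp", "src": "192.168.1.7", "dst": "203.0.113.5", "dport": 80}
NETBIOS = {"proto": "udp", "src": "198.51.100.9", "dst": "203.0.113.5", "dport": 137}
PING_REPLY = {"proto": "icmp", "src": "198.51.100.9", "dst": "203.0.113.5", "icmp": "echo-reply"}
PING_REQUEST = {"proto": "icmp", "src": "198.51.100.9", "dst": "203.0.113.5", "icmp": "echo"}
SSH_SYN = {"proto": "tcp", "src": "198.51.100.9", "dst": "203.0.113.5", "dport": 22}
```

Calling evaluate(RULES, pkt) on each sample returns the action together with the ACL entry that decided it, which is the same information the log-input keyword would record on the router.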
