Tuesday, 29 November 2011

“:::Configure a Cisco Router 857W for an ADSL2 Line with PPPoA, DHCP, CBAC, WiFi + WPA2 and a Dynamic IP Address:::”

This is the first of a series of posts taken directly from another blog that I find very interesting, and which I put here so as not to lose them. The site I took them from is: ideasnet


The following is the configuration of a Router 857W where the Local Area Network in this case is a WLAN and the key type used is WPA2.

ROUTER-A

ip cef
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 300
ip inspect hashtable-size 2048
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 60
!
! CBAC inspection rule, applied outbound on Dialer0: return traffic for
! sessions started from the LAN is let back in through ACL_IDS_IN dynamically
ip inspect name IDS tcp
ip inspect name IDS udp
!
ip domain name test.co.uk
ip name-server 82.x.x.1
ip name-server 82.x.x.2
!
!
ip dhcp excluded-address 192.168.0.250 192.168.0.254
!
ip dhcp pool wifi_pool
   network 192.168.0.0 255.255.255.0
   domain-name test.co.uk
   dns-server 82.x.x.1 82.x.x.2
   default-router 192.168.0.254
!
! dot11 association mac-list takes a numbered MAC access list (700-799);
! it is defined below as access-list 700
dot11 association mac-list 700
dot11 syslog
dot11 vlan-name WiFi vlan 1
!
dot11 ssid YOURSSID
 vlan 1
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 0 YOURKEY
!
bridge irb
!
interface ATM0/0/0
 description *** MAIN ADSL LINE ***
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode adsl2+
 hold-queue 224 in
!
interface ATM0/0/0.1 point-to-point
 description *** EXTERNAL LINK DATA FOR MAIN ADSL ***
 ip nat outside
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
! Radio-level settings go on the physical interface. The cipher is bound
! to VLAN 1, the same VLAN as the SSID, and the ssid name matches the
! dot11 ssid block above; otherwise the WPA2 SSID is never brought up.
interface Dot11Radio0
 no ip address
 ip nat inside
 encryption vlan 1 mode ciphers aes-ccm
 broadcast-key vlan 1 change 45
 ssid YOURSSID
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2412
 station-role root
 no cdp enable
!
interface Dot11Radio0.1
 encapsulation dot1Q 1
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dialer0
 ip address negotiated
 ip access-group ACL_IDS_IN in
 ip inspect IDS out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 no ppp chap wait
 ppp pap sent-username XXXUSER1 password YYYPWD1
 no ppp pap wait
!
interface BVI1
 description *** INTERNAL LINK DATA FOR WLAN ***
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip classless
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip nat inside source route-map NAT interface Dialer0 overload
!
ip access-list extended NAT
 remark *** ACL FOR NAT ON DIALER0 ***
 permit ip 192.168.0.0 0.0.0.255 any
!
! *** LIST OF THE WIFI MAC ADDRESSES THAT CAN USE THE WIRELESS ***
! (a MAC filter is a convenience only; WPA2 with a strong key is the access control)
access-list 700 permit 0015.1181.a949 0000.0000.0000
access-list 700 permit 0215.0181.a925 0000.0000.0000
access-list 700 deny   0000.0000.0000 ffff.ffff.ffff
!
ip access-list extended ACL_IDS_IN
 remark *** IDS FOR INBOUND TRAFFIC ***
 remark ************************************************
 remark *** STARTUP ACL IDS FOR INBOUND TRAFFIC ***
 remark ************************************************
 remark
 remark ************************************************
 remark *** DENY ANTI-SPOOFING INBOUND TRAFFIC ***
 remark *** (KEPT FIRST SO NO PERMIT BELOW CAN MATCH A SPOOFED SOURCE) ***
 deny   ip host 0.0.0.0 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 224.0.0.0 31.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 remark ************************************************
 remark *** PERMIT SSH INBOUND TRAFFIC ***
 permit tcp any any eq 22
 remark ************************************************
 remark *** PERMIT DNS INBOUND TRAFFIC ***
 permit udp host 82.x.x.1 eq domain any
 permit udp host 82.x.x.2 eq domain any
 remark ************************************************
 remark *** PERMIT ICMP INBOUND TRAFFIC ***
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit icmp any any administratively-prohibited
 permit icmp any any packet-too-big
 permit icmp any any traceroute
 deny   icmp any any
 remark ************************************************
 remark *** DENY VIRUS AND WORM INBOUND TRAFFIC ***
 deny   tcp any any eq 135
 deny   udp any any eq 135
 deny   udp any any eq netbios-ns
 deny   udp any any eq netbios-dgm
 deny   tcp any any eq 139
 deny   udp any any eq netbios-ss
 deny   tcp any any eq 445
 deny   tcp any any eq 593
 deny   tcp any any eq 2049
 deny   tcp any any range 6000 6010
 deny   udp any any eq 1433
 deny   udp any any eq 1434
 deny   udp any any eq 5554
 deny   udp any any eq 9996
 deny   udp any any eq 113
 deny   udp any any eq 3067
 remark ************************************************
 remark *** DENY UNAUTHORIZED ACCESS ***
 deny   ip any any log
 remark
 remark ********************************************
 remark *** END ACL IDS FOR INBOUND TRAFFIC ***
 remark ********************************************
!
dialer-list 1 protocol ip permit
!
bridge 1 protocol ieee
bridge 1 route ip
!
route-map NAT permit 10
 description *** MAP THE OUTBOUND TRAFFIC TO DIALER0 ***
 match ip address NAT
 set interface Dialer0
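The inbound ACL above is evaluated first match wins, so an anti-spoofing deny only protects against what no earlier entry has already permitted. The Python script below is an added example, not code from the original post or from the source blog: it implements a small first-match evaluator for IOS extended-ACL entries (any/host/wildcard addresses, eq and range ports, ICMP type names, trailing log keyword) and runs constructed sample packets through an excerpt of ACL_IDS_IN with the service permits ahead of the anti-spoofing denies, then through the same entries with the denies first. The addresses (82.0.0.1 standing in for the post's masked 82.x.x.1 name server, 203.0.113.9 as the negotiated WAN address, 198.51.100.5 as a remote host) and the packets are constructed for this demonstration, and the evaluator models only contiguous wildcard masks and static entries, not CBAC's dynamic openings.

```python
"""First-match evaluation of Cisco IOS extended-ACL entries (added example).

ACL text, addresses and packets below are constructed for the demonstration.
"""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"domain": 53, "ssh": 22, "netbios-ns": 137,
              "netbios-dgm": 138, "netbios-ss": 139}

# sport/dport are (low, high) tuples or None for "any port"
Rule = namedtuple("Rule", "action proto src sport dst dport icmp_type text")
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type",
                    defaults=(0, 0, ""))


def _addr(tok):
    """Consume an IOS address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tok[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1] + "/32"), tok[2:]
    # IOS wildcard bits are the inverse of netmask bits (contiguous masks only)
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[1]))
    net = ipaddress.IPv4Network((tok[0], str(ipaddress.IPv4Address(mask))),
                                strict=False)
    return net, tok[2:]


def _port(tok):
    """Consume an optional port spec: 'eq P' | 'range LO HI'."""
    if tok and tok[0] == "eq":
        p = PORT_NAMES.get(tok[1])
        p = int(tok[1]) if p is None else p
        return (p, p), tok[2:]
    if tok and tok[0] == "range":
        return (int(tok[1]), int(tok[2])), tok[3:]
    return None, tok


def parse_acl(text):
    """Parse 'permit|deny proto src [ports] dst [ports] [icmp-type] [log]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        action, proto, tok = tok[0], tok[1], tok[2:]
        src, tok = _addr(tok)
        sport, tok = _port(tok)
        dst, tok = _addr(tok)
        dport, tok = _port(tok)
        icmp = tok[0] if proto == "icmp" and tok and tok[0] != "log" else None
        rules.append(Rule(action, proto, src, sport, dst, dport, icmp, line.strip()))
    return rules


def _in_range(rng, port):
    return rng is None or rng[0] <= port <= rng[1]


def evaluate(rules, pkt):
    """Return (action, matched entry); IOS ends every ACL with an implicit deny."""
    s, d = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for r in rules:
        if r.proto not in ("ip", pkt.proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if not _in_range(r.sport, pkt.sport) or not _in_range(r.dport, pkt.dport):
            continue
        if r.icmp_type and r.icmp_type != pkt.icmp_type:
            continue
        return r.action, r.text
    return "deny", "implicit deny ip any any"


# Constructed excerpt of ACL_IDS_IN, split into its three parts
PERMITS = """permit tcp any any eq 22
permit udp host 82.0.0.1 eq domain any
permit icmp any any echo-reply
deny icmp any any
"""
ANTISPOOF = """deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
"""
TAIL = """deny tcp any any eq 445
deny ip any any log
"""
ACL_PERMITS_FIRST = PERMITS + ANTISPOOF + TAIL   # service permits ahead of anti-spoofing
ACL_DENIES_FIRST = ANTISPOOF + PERMITS + TAIL    # anti-spoofing entries first

# Constructed packets arriving on the WAN side (203.0.113.9 = negotiated address)
SAMPLES = {
    "ssh from spoofed rfc1918 source": Packet("tcp", "10.1.2.3", "203.0.113.9", 40000, 22),
    "dns reply from name server": Packet("udp", "82.0.0.1", "203.0.113.9", 53, 50123),
    "ping reply": Packet("icmp", "198.51.100.5", "203.0.113.9", icmp_type="echo-reply"),
    "smb probe": Packet("tcp", "198.51.100.5", "203.0.113.9", 5555, 445),
}


def verdicts(acl_text):
    """Map each sample packet to the verdict the given ACL text produces."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("permits first", ACL_PERMITS_FIRST),
                       ("denies first", ACL_DENIES_FIRST)):
        print(label, verdicts(acl))
```

Running it shows the only verdict that changes between the two orderings: a TCP/22 packet claiming a 10.0.0.0/8 source is permitted when `permit tcp any any eq 22` comes first and denied (and logged) when the anti-spoofing entries come first, while the DNS reply, the ping reply and the SMB probe get the same verdict either way.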
