!
! The MIT License (MIT)
!
! Copyright (c) 2016 Jason Adsit
!
! Permission is hereby granted, free of charge, to any person obtaining a copy
! of this software and associated documentation files (the "Software"), to deal
! in the Software without restriction, including without limitation the rights
! to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
! copies of the Software, and to permit persons to whom the Software is
! furnished to do so, subject to the following conditions:
!
! The above copyright notice and this permission notice shall be included in all
! copies or substantial portions of the Software.
!
! THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
! IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
! FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
! AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
! LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
! OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
! SOFTWARE.
!
!
! Email:   jason.l.adsit@gmail.com
! Twitter: @CipherScruples
! WebSite: http://cipher.sexy
! GitHub:  https://github.com/jasonadsit/NetworkDeviceConfigs
!
!
! Project: Basic Cisco Router Configuration
!
! Notes:   Wherever you see variables beginning with "$", replace them with
!          values that are relevant to your environment.
!
!          Comments use the usual Cisco "!" followed by "###" as an eye-catcher.
!
!
version 15.1
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
!
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
!
! ### Don't forget to secure you passwords in the config!
!
service password-encryption
!
hostname $hostname
!
boot-start-marker
boot system flash $imageFileName.bin
boot-end-marker
!
shell processing full
!
logging userinfo
no logging buffered
logging rate-limit console 2
logging console informational
!
aaa new-model
aaa local authentication attempts max-fail 5
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization console
aaa authorization exec default local if-authenticated 
aaa authorization commands 15 default local if-authenticated 
aaa authorization network default local if-authenticated 
!
aaa session-id common
!
clock timezone PST -8 0
clock summer-time PDT recurring
!
no ip source-route
!
ip cef
!
! ### Exclude some address space for static use.
!
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.200 192.168.1.254
ip dhcp excluded-address 10.4.0.1 10.4.0.99
ip dhcp excluded-address 10.4.0.200 10.4.0.255
!
ip dhcp pool LAN4
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1 
 domain-name cipher.sexy
 dns-server 75.75.75.75 8.8.8.8 
!
ip dhcp pool DMZ4
 network 10.4.0.0 255.255.255.0
 default-router 10.4.0.1 
 domain-name cipher.sexy
 dns-server 75.75.75.75 8.8.8.8 
!
no ip bootp server
!
ip domain retry 3
ip domain timeout 2
ip name-server 2001:558:FEED::1
ip name-server 8.8.8.8
ip name-server 75.75.75.75
!
ip multicast-routing 
ip multicast netflow output-counters
ip multicast netflow rpf-failure
!
ipv6 unicast-routing
ipv6 cef
!
! ### The DHCPv6 pool is just for giving hosts ipv6 DNS config.
! ### Addressing for ipv6 is handled by SLAAC
!
ipv6 dhcp pool DHCPv6
 dns-server 2001:4860:4860::8888
 dns-server 2001:558:FEED::2
!
ipv6 multicast-routing
!
password encryption aes
!
! ### For the following archive config to work, you must first create the
! ### directory. (see below)
!
! ### mkdir flash:/backup
!
archive
 log config
  logging enable
  logging size 1000
  hidekeys
 path flash:/backup/
 maximum 14
 rollback filter adaptive
 rollback retry timeout 600
 time-period 10080
!
! ### Object group used to control access to vty lines
! ### Mine is somewhat permissive. I log in from all over.
! ### It's just to keep a few d-bags out :-)
!
object-group network BLACKBALLED 
 host 1.1.1.1
 host 2.2.2.2
!
username $username privilege 15 secret 0 $password
!
! ### Resilient Config rocks
! ### [http://bit.ly/1VKLkAc]
!
secure boot-image
secure boot-config
!
ip ftp source-interface GigabitEthernet0/0.101
ip ftp username $ftpUser
ip ftp password 0 $ftpPassword
!
ip ssh maxstartups 10
ip ssh authentication-retries 5
ip ssh version 2
!
! ### This config was written on IOS 15.1 so we can't turn off keyboard
! ### authentication. If you have newer IOS, disable keyboard auth once
! ### you've set up keys. (see below)
!
! ### ip ssh server authenticate user publickey
! ### no ip ssh server authenticate user keyboard
!
ip ssh pubkey-chain
  username $username
   key-hash ssh-rsa $keyFingerPrint $keyComment
  quit
!
ip scp server enable
! 
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.100
 description NATIVE
 encapsulation dot1Q 100 native
!
interface GigabitEthernet0/0.101
 description LAN
 encapsulation dot1Q 101
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip virtual-reassembly out
 ipv6 address prefix-from-COMCAST ::1/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 dhcp server DHCPv6
!
interface GigabitEthernet0/0.104
 description DMZ
 encapsulation dot1Q 104
 ip address 10.4.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip virtual-reassembly out
 ipv6 address prefix-from-COMCAST ::1:0:0:0:1/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 dhcp server DHCPv6
!
! ### Took me forever to figure out a working ipv6 config.
! ### I finally got a /60 :-)
!
interface GigabitEthernet0/1
 description COMCAST
 ip address dhcp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 ip virtual-reassembly out
 duplex auto
 speed auto
 ipv6 address dhcp
 ipv6 enable
 ipv6 dhcp client pd hint ::/60
 ipv6 dhcp client pd prefix-from-COMCAST
 no cdp enable
!
ip forward-protocol nd
ip forward-protocol udp bootpc
no ip http server
no ip http secure-server
!
! ### I don't generally point my end hosts to the router for dns.
! ### This is just in case I need to test something in DNS.
!
ip dns view default
 logging
 domain name cipher.sexy
 domain list cipher.sexy
 domain multicast cipher.sexy
 domain timeout 2
 domain retry 3
 domain name-server  8.8.4.4
 domain resolver source-interface GigabitEthernet0/1
 domain round-robin
 dns forwarder 75.75.75.75
 dns forwarder 8.8.4.4
 dns forwarder 156.154.71.1
 dns forwarding source-interface GigabitEthernet0/1
ip dns server
ip dns spoofing 75.75.75.75
ip pim bidir-enable
!
! ### I hate NAT, but Comcast will only give me one ipv4 address :-(
! ### Maybe someday ipv6 will save us, but I doubt it. People are flawed.
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
! ### Here's one example NAT rule for letting Minecraft through to an internal server.
!
ip nat inside source static tcp 192.168.1.99 25565 interface GigabitEthernet0/1 25565
!
! ### The following static default route is because I'm exchanging routes with
! ### my service provider. If I was, this config would be a lot longer.
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
! ### This is a static host route to access the web console on my modem. 
!
ip route 192.168.100.1 255.255.255.255 GigabitEthernet0/1
!
!
ip access-list extended VTY_LINES
 deny   ip object-group BLACKBALLED any log
 permit ip any any
!
ip radius source-interface GigabitEthernet0/0.101 
!
logging history size 500
logging origin-id hostname
logging facility syslog
logging source-interface GigabitEthernet0/0.101
!
! ### Define the networks allowed for NAT
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 10.4.0.0 0.0.0.255
!
! ### My ipv6 default route
! ### This was pointing to a he.net tunnel before Comcast finally
! ### gave me native dual-stack.
! ### Shout-out to Chris Tuska [https://www.linkedin.com/in/christuska]
! ### His forum posts did wonders for my success in getting native ipv6 working.
!
ipv6 route ::/0 GigabitEthernet0/1
!
ipv6 access-list VTY_LINES_V6
 permit ipv6 any any log
!
sip-ua 
 no transport udp
 no transport tcp
!
line con 0
 logging synchronous
line vty 0 15
 access-class VTY_LINES in
 ipv6 access-class VTY_LINES_V6 in
 logging synchronous
 transport input ssh
 transport output ssh
!
ntp source GigabitEthernet0/1
ntp master 3
ntp update-calendar
ntp server 216.66.0.142
ntp server ntp1.glb.nist.gov
ntp server 216.218.254.202
end
!
! ### If you have questions or comments, feel free to hit me up online.
! ### It's by no means flawless. It's just a starting point.
!
! ### Cheers,
!
! ### Jason
!