! SAVE A COPY OF THIS FILE. 
! REMOVE THE DOUBLE  << AND THE NOTES FROM THE LINES BEFORE COPYING TO THE ROUTER
! 
! This config uses NAT
!
! copy config into the router 
! copy run start
!
! setup ssh
! 
!--- Generate an SSH key to be used with SSH.
! 1. You must have a host name and a domain name configured first.
!
! 2. crypto key generate rsa
! 3. ip ssh time-out 60
! 4. ip ssh authentication-retries 2
!
!  <<<<<<<<<<   CONFIGURATION >>>>>>>>>>>>>>>>>>
!
! Millisecond timestamps on debug and log output make this router's logs
! easier to correlate with other devices during an investigation.
service timestamps debug datetime msec
service timestamps log datetime msec
! Type-7 obfuscation of plaintext passwords in the stored config. It is
! reversible and does not cover the 'secret' lines (already hashed) or the
! SNMP community strings further down, which remain in clear text.
service password-encryption
!
hostname DVSWITCH-CONFIG
!
boot-start-marker
boot-end-marker
!
logging userinfo
logging buffered 16384
! Type-5 (MD5) hash of the password given in the note. Both the hash and
! the password are published with this template, so set a new enable
! secret before the router goes online. Releases that support it offer
! 'enable algorithm-type scrypt secret <pw>' in place of type 5.
enable secret 5 $1$u2e6$oRxYebWvCaa.roT32rakU0   << Enable password 'dvswitch'  without qoutes
!
! Without AAA, authentication is configured per line ('login local' on the vty lines).
no aaa new-model
!
clock timezone EST -5
! These DST dates are fixed to 2017 and do not apply in other years;
! 'clock summer-time EDT recurring' follows the rule every year.
clock summer-time EDT date Mar 12 2017 2:00 Nov 5 2017 2:00
!
dot11 syslog
! IP source routing is explicitly enabled here. Hardening guides recommend
! 'no ip source-route' unless source-routed packets are actually required.
ip source-route
!
!
ip cef
! The router's own Fa0/1 address is kept out of the pool below.
ip dhcp excluded-address 172.31.4.137
!
! /30 pool for the Pi: with .137 excluded, .138 is the only assignable
! address (the static NAT entries near the end rely on the Pi being .138).
ip dhcp pool dvswitch
   network 172.31.4.136 255.255.255.252
   dns-server 8.8.8.8 8.8.4.4 
   default-router 172.31.4.137 
   domain-name dvswitch.ham
! DHCP option 4 = time servers handed to the client.
   option 4 ip 64.113.44.54 69.195.159.158 162.210.110.4 198.58.110.84 
! lease <days> <hours>: one hour.
   lease 0 1
!
! The router's own domain (ae4ml.ham) differs from the one handed out by
! DHCP (dvswitch.ham). A domain name must be set before the RSA key for
! SSH can be generated (setup step 1 in the header).
ip domain name ae4ml.ham
ip name-server 8.8.8.8
ip name-server 8.8.4.4
! NOTE(review): 172.17.2.1 is not on any subnet in this config -- confirm it is reachable.
ip name-server 172.17.2.1
!
no ipv6 cef
ntp max-associations 5
!
! Local admin account at privilege 15 (full access). The type-5 (MD5)
! hash and the password in the note are both published with this template,
! so set a new secret before deployment; where the release supports it use
! 'username dvswitch privilege 15 algorithm-type scrypt secret <pw>'.
username dvswitch privilege 15 secret 5 $1$sxcy$da.xOboS8CS6rzM/KIG65/    << password 'dvswitch' without qoutes
!
! Setup step 4 in the header says 2 retries; this line sets 5. Step 3's
! 'ip ssh time-out 60' does not appear in the config (the default applies).
ip ssh authentication-retries 5
! Source address for SSH sessions the router itself initiates.
ip ssh source-interface FastEthernet0/0
! SSHv1 is refused. The RSA key from setup step 2 should be at least
! 2048 bits ('crypto key generate rsa modulus 2048').
ip ssh version 2
!
! STUN peer is this router's Fa0/1 address; group 137 is referenced by Serial0/0/0.
stun peer-name 172.31.4.137
stun protocol-group 137 basic
!
interface FastEthernet0/0
 description DMZ-Network-Interface
!   Choose ONE of the two forms on the next line and delete the other. A
!   static address is recommended: the static NAT entries near the end of
!   this config hard-code the Fa0/0 address (192.168.1.3 in the example)
!   and must be updated if it changes.
 ip address dhcp     or   ip address 192.168.1.3 255.255.255.0  << Example static IP  
! Both ACLs end in 'permit ip any any log', so they log traffic rather
! than filter it; inbound protection on this interface comes from NAT.
 ip access-group dmz-test-in in
 ip access-group dmz-test-out out
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
!
interface FastEthernet0/1
 description Dvswitch-Pi
! NOTE(review): 'encapsulation dot1Q' is normally configured on a
! subinterface (e.g. FastEthernet0/1.20) rather than the physical port --
! confirm this line is accepted and that the Pi tags VLAN 20.
 encapsulation dot1Q 20
 ip address 172.31.4.137 255.255.255.252
! BUG: the ACL defined below is named 'rasp-inbound'; this line references
! 'raspi-inbound', which is not defined. Classic IOS treats an access-group
! that names an undefined ACL as permit-any, so nothing is filtered or
! logged on this interface. Make the two names match.
 ip access-group raspi-inbound in
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed 100
!
interface Serial0/0/0
 description Quantar-Interface
 mtu 2104
 no ip address
! Serial traffic is carried with STUN: group 137 (defined globally) and
! all frames routed over TCP to the Pi at 172.31.4.138.
 encapsulation stun
 clock rate 9600
 stun group 137
 stun route all tcp 172.31.4.138
!
ip forward-protocol nd
! Embedded web management is disabled for both HTTP and HTTPS.
no ip http server
no ip http secure-server
!
! The outside address in the static NAT entries below must match the IP of interface Fa0/0;
! a static address is recommended. 192.168.1.3 is only an example.
! Example outside ports are 65532 and 65535; any unused port above 60000 works.
! A high port is not a security control: once the ISP router forwards these
! ports, the Pi's SSH and web services are reachable from the Internet and
! are protected only by the Pi's own authentication (use key-based login
! and a strong, non-default password on the Pi).
! example ssh to the raspberry pi  ::  ssh -l dvswitch -p 65535 192.168.1.3
! example http to the raspberry pi ::  http://192.168.1.3:65532
!
! PAT: inside addresses matched by INTERNET-ACCESS share the Fa0/0 address.
ip nat inside source list INTERNET-ACCESS interface FastEthernet0/0 overload
ip nat inside source static tcp 172.31.4.138 80 192.168.1.3 65532 extendable  << IP forward to allow web access to the PI
ip nat inside source static tcp 172.31.4.138 22 192.168.1.3 65535 extendable  << IP forward to allow ssh access to the PI
ip route 0.0.0.0 0.0.0.0 192.168.1.1     << default route to your ISP router 
!
! Inside addresses allowed to use the PAT overload (the Pi and the router's Fa0/1).
ip access-list standard INTERNET-ACCESS  
 permit 172.31.4.138       
 permit 172.31.4.137
! Management hosts allowed to reach the vty lines (applied with
! 'access-class MANAGER in'); the implicit deny covers everything else.
ip access-list standard MANAGER
 permit 192.168.1.2     << IP Address of a laptop or computer on your network to manage the Router 
!
! Inbound on Fa0/0. Every entry is a permit and the list ends with
! 'permit ip any any log', so this ACL blocks nothing: the per-protocol
! entries only decide which hits are logged or counted. Inbound protection
! relies on NAT. If real filtering is intended, end the list with a deny
! and keep only the permits that are needed.
ip access-list extended dmz-test-in
 remark bad boy area
 remark normal-operations
 permit icmp any any
 permit udp any any eq domain
 permit udp any eq domain any
 permit udp any any eq bootpc
 permit udp any eq bootpc any
 permit udp any any eq ntp
 permit udp any eq ntp any
 permit udp any any eq netbios-dgm
 permit udp any eq netbios-dgm any
 permit udp any range snmp snmptrap any
 permit udp any any range snmp snmptrap
 permit udp any range 1 1023 any log
 permit udp any any range 1 1023 log
 remark radio stuff
 permit udp any any eq 5353
 permit udp any eq 5353 any
 permit udp any any eq 32010
 permit udp any eq 32010 any
 permit udp any any range 34000 39999
 permit udp any range 34000 39999 any
 permit udp any eq 41000 any eq 41000
 permit udp any range 41000 43000 any
 permit udp any any range 41000 43000
 remark other 
 permit udp any range 1024 65535 any
 permit udp any any range 1024 65535
 permit tcp any any eq 22 log
 permit tcp any eq 22 any log
 permit tcp any any eq www
 permit tcp any eq www any
 permit tcp any any eq 443
 permit tcp any eq 443 any
 permit tcp any any eq 587
 permit tcp any eq 587 any
 permit tcp any any eq 1994
 permit tcp any eq 1994 any
 permit tcp any range 1 1023 any log
 permit tcp any any range 1 1023 log
 permit tcp any any range 1024 40000
 permit tcp any range 1024 40000 any
 permit tcp any range 40001 43000 any
 permit tcp any any range 40001 43000
 permit tcp any range 43001 65535 any
 permit tcp any any range 43001 65535
! Catch-all permit: anything not matched above is still allowed, but logged.
 permit ip any any log
!
! Outbound on Fa0/0. As with dmz-test-in, every entry is a permit and the
! list ends with 'permit ip any any log', so it logs but does not filter.
ip access-list extended dmz-test-out
 permit icmp any any
 permit udp any range 1 1023 any log
 permit udp any any range 1 1023 log
 permit udp any range 1024 40000 any
 permit udp any any range 1024 40000
 permit udp any range 40001 43000 any
 permit udp any any range 40001 43000
 permit udp any range 43001 65535 any
 permit udp any any range 43001 65535
 permit tcp any any eq 587
 permit tcp any eq 587 any
 permit tcp any range 1 1023 any
 permit tcp any any range 1 1023
 permit tcp any any range 1024 40000
 permit tcp any range 40001 43000 any
 permit tcp any any range 40001 43000
 permit tcp any range 43001 65535 any
 permit tcp any any range 43001 65535
! Catch-all permit: anything not matched above is still allowed, but logged.
 permit ip any any log
!
! Inbound from the Pi on Fa0/1. NOTE: interface Fa0/1 applies
! 'raspi-inbound', which does not match this name, so this list is not
! currently in effect. Like the dmz lists it ends with 'permit ip any any
! log' and therefore filters nothing even once the names are aligned.
ip access-list extended rasp-inbound
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc
 permit udp any eq domain any
 permit udp any any eq domain
 permit udp any range 1 1023 any
 permit udp any any range 1 1023
 permit tcp any any eq 587 log
 permit tcp any range 1 1023 any
 permit tcp any any range 1 1023
 permit icmp any any
 permit udp any range 41000 43000 any
 permit udp any any range 41000 43000
 permit udp any gt 1024 any
 permit udp any any gt 1024
 permit tcp any range 41000 43000 any
 permit tcp any any range 41000 43000
 permit tcp any gt 1024 any
 permit tcp any any gt 1024
! Catch-all permit: anything not matched above is still allowed, but logged.
 permit ip any any log
!
logging origin-id ip
! ACL 10: only the SNMP server may poll the RO community.
access-list 10 remark LOCKDOWN TO LOCAL SNMP ONLY
access-list 10 permit 192.168.20.26   << your SNMP server 
access-list 10 deny   any
! ACL 11: deny-any, used to neutralise the RW community below.
access-list 11 remark DENY SNMP WRITES
access-list 11 deny   any
!
! SNMPv2c community strings travel and are stored in clear text
! ('service password-encryption' does not cover them). Change both before
! deployment. The RW community is only blocked by ACL 11; removing the RW
! line altogether is simpler and safer, and SNMPv3 with authentication and
! privacy ('snmp-server group ... v3 priv') avoids a shared secret on the wire.
snmp-server community WaKyID RO 10    << if you want to monitor SNMP  
snmp-server community W00k1e RW 11    << block the ability to right to the router via SNMP    
!
! Legal-notice banner shown to anyone connecting. IOS takes the first
! character after 'banner motd' as the delimiter, so the extra characters
! in '^CCC' would become banner text if this line is pasted literally --
! this is probably how the Ctrl-C delimiter was rendered when the config
! was saved (TODO confirm). After loading, check with 'show banner motd'.
banner motd ^CCC
This system is for the use of authorized users only. 
Individuals using this computer system without
authority, or in excess of their authority, are subject
to having all of their activities on this system
monitored and recorded by system personnel.  In the
course of monitoring individuals improperly using this
system, or in the course of system maintenance, the
activities of authorized users may also be monitored. 
Anyone using this system expressly consents to such
monitoring and is advised that if such monitoring
reveals possible evidence of criminal activity, system
personnel may provide the evidence of such monitoring
to law enforcement officials.
^C
!
! Console has no 'login' or 'exec-timeout' configured: anyone with
! physical console access gets an EXEC prompt without a password. Add
! 'login local' and an 'exec-timeout' unless the router is physically secured.
line con 0
! AUX port is effectively disabled: no EXEC and no outbound transport.
line aux 0
 no exec-banner
 exec-timeout 0 20
 logging synchronous
 no exec
 transport output none
 stopbits 1
line vty 0 4
 session-timeout 60 
 location Barn
 access-class MANAGER in       << Lock down ssh access to a local PC . See the MANAGER Access-list
! 'exec-timeout 0 0' disables the idle timeout on these lines, so a
! management session left open never expires. Prefer a non-zero value,
! e.g. 'exec-timeout 10 0'.
 exec-timeout 0 0
 logout-warning 30
 logging synchronous
! Authenticates against the local 'username' database.
 login local
 refuse-message ^CC ACCESS DECLINED ^C
 notify
! Telnet (clear text) is still accepted on vty 0-4 even though vty 5-15
! is SSH-only and the header describes an SSH setup. Use
! 'transport input ssh' here as well.
 transport input telnet ssh
! SSH-only; no exec-timeout is set here, so the IOS default idle timeout applies.
line vty 5 15
 access-class MANAGER in         << Lock down ssh access to a local PC . See the MANAGER Access-list
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp source FastEthernet0/0
! 'ntp master' lets this router serve time to its networks while it syncs
! to the two servers below. No NTP authentication or 'ntp access-group' is
! configured, so any host that can reach the router may query it.
ntp master
ntp update-calendar
ntp server 128.138.140.44
ntp server 128.138.141.172
end

