Configuring a Cisco 1700 series access router for an ADSL connection with tunneled IPv6

I decided to re-configure my home router from scratch so that I could tidy up the config and ACLs which had been messily generated over time.

The main reason was that my old IPv6 ACLs were pretty much non-existent, and before properly configuring my LAN for auto-assigning v6 addresses I wanted to limit the incoming traffic.

I've included an example config below with comments. The comments are the `!! ...` text after a command; IOS only treats `!` at the start of a line as a comment, so strip them before pasting the config into a router.

!! Basic stuff
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
boot-start-marker
boot-end-marker
hostname router1-man !! You probably want to change this to a relevant hostname
!
!! Security stuff
no cdp run
no ip http server
no ip http secure-server
no mmi auto-configure
no mmi pvc
banner exec ^C
Welcome to $(hostname) (:
^C
!
banner login ^C
##############################################
# THIS SYSTEM IS FOR AUTHORIZED USERS ONLY. #
# !! IF YOU DO NOT HAVE ACCESS DISCONNECT NOW !! #
##############################################
^C
!
!! Access stuff
snmp-server community thisisnotmysnmppassword RO admin !! You probably want to change this to a sensible password
ip domain-name router1-man.nodehost.co.uk !! You probably want to change this to a relevant hostname. Needed before the RSA key can be generated; it is the same setting as the 'ip domain name' line further down, and the later line wins.
crypto key generate rsa !! Generates the SSH host key. Typed once in config mode; it does not appear in the saved config.
ip ssh time-out 60
ip ssh authentication-retries 2
!
!! Logging stuff
logging on
logging 10.44.200.5 !! You probably want to change this to a server that is listening for syslog traffic
logging trap informational
logging console debug
logging monitor debug
no logging monitor
!
!! NTP stuff
ntp clock-period 17179944 !! Calibrated and written by IOS itself, don't type this by hand
ntp server 83.98.201.133 !! These are the fedora NTP servers, feel free to change them
ntp server 87.98.238.185
ntp server 147.231.100.5
ntp server 193.55.167.1
!
!! Login stuff
no aaa new-model !! I don't use a TACACS+ server for my house but you can!
enable password enable !! This clearly isn't my enable password but I don't feel like putting the hash of it in public.
username myuser privilege 15 password mypass !! This will log in directly to enable access, feel free to change the privilege level. 'secret' in place of 'password' stores an MD5 hash rather than a reversible type 7 string.
!
!! IP settings
ipv6 cef
ipv6 unicast-routing
ip cef
ip forward-protocol nd
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!! DNS stuff
ip domain name nodehost.co.uk !! You probably want to change this to a domain name that is relevant to you
ip name-server 8.8.8.8 !! These are the google and HE nameservers, feel free to change them
ip name-server 8.8.4.4
ip name-server 2001:470:20::2
!
!! IPv6 Tunnel
interface Tunnel0
 description IPv6 HE Tunnel
 ipv6 traffic-filter IPV6_IN in !! IPv6 ACLs are applied with 'ipv6 traffic-filter', not 'ip access-group'
 ipv6 traffic-filter IPV6_OUT out
 no ip address
 ipv6 address 2001:470:xx:xx::2/64 !! Change this to your client IPv6 address
 ipv6 enable
 ipv6 virtual-reassembly
 tunnel source Dialer1 !! You can use an IP address here if you have a static IP, I do not.
 tunnel destination xx.xx.xx.xx !! Change this to your server IPv4 address
 tunnel mode ipv6ip
!
!! ADSL interface
interface ATM0
 description ADSL interface
 no shut
 mtu 1432
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 logging event atm pvc state
 logging event atm pvc autoppp
 dsl operating-mode auto
 pvc 0/38 !! Change this to the VPI/VCI of your ISP
  encapsulation aal5mux ppp dialer !! Change this if your ISP uses different encapsulation
  dialer pool-member 1
 !
!
!! Dialer interface
interface Dialer1
 description Dialer interface
 ip access-group IPV4_IN in
 ip access-group IPV4_OUT out
 no shut
 mtu 1432
 ip address negotiated !! Change this if you have a static IP
 ip nat outside
 ip virtual-reassembly max-reassemblies 1024
 encapsulation ppp
 dialer pool 1
 ppp chap hostname 00000000000@myisp.com
 ppp chap password myubersecurepasswordhere
 ppp pap sent-username 00000000000@myisp.com password myubersecurepasswordhere
!
!! ISDN interface
interface BRI0
 description ISDN interface
 shut
 no ip address
!
!! Internal FE interface
interface FastEthernet0
 description Internal interface
 ipv6 traffic-filter IPV6_OUT in !! "in" on the LAN interface is traffic arriving from LAN hosts, so the outgoing list goes here
 ipv6 traffic-filter IPV6_IN out !! traffic leaving towards the LAN is the Internet-originated traffic the incoming list is meant for
 no shut
 ip address 10.44.200.254 255.255.255.0 !! Change this to a relevant IP address
 ip nat inside
 ip virtual-reassembly
 speed 100
 ipv6 enable
 ipv6 nd ra-interval 60 !! You might want to change this, works for me though
 ipv6 nd ra-lifetime 180 !! You might want to change this, works for me though
 ipv6 nd other-config-flag !! You might want to change this, works for me though
 ipv6 address 2001:470:xx:xx::/64 eui-64
!
!! Routes
ipv6 route ::/0 Tunnel0
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!! NAT rules
ip nat inside source list 1 interface Dialer1 overload !! You might want to change this if you have a pool of IPs
ip nat inside source static tcp xx.xx.xx.xx 8080 interface Dialer1 8080 !! Probably want to delete this - it's a webserver for my house
ip nat inside source static tcp xx.xx.xx.xx 3406 interface Dialer1 3406 !! Probably want to delete this - it's a VPN endpoint for my house
ip nat inside source static tcp xx.xx.xx.xx 22 interface Dialer1 2020 !! Probably want to delete this - it's an SSH gateway for my house
!
!! ACLs
access-list 1 remark Default traffic
access-list 1 permit any !! You might want to change this to deny all depending on how you care to do your ACLs
dialer-list 1 protocol ip permit
!
ip access-list standard admin
 remark Admin traffic
 permit 10.44.200.0 0.0.0.255 !! Change this to a relevant IP address
 deny any log
!
ipv6 access-list IPV6_IN
 remark Incoming IPv6 Traffic
 permit icmp any any !! Allow ICMP (ping)
 permit tcp any any established !! Allow established TCP connections
 permit tcp any any eq domain !! Allow incoming DNS queries to port 53 - only needed if you run a DNS server, otherwise delete this
 permit udp any any eq domain !! Same for UDP - only needed if you run a DNS server, otherwise delete this
 deny ipv6 any any log !! Drop everything else
!
ipv6 access-list IPV6_OUT
 remark Outgoing IPv6 Traffic
 permit ipv6 any any !! Permit any outgoing traffic - yeah I'm lazy
!
ip access-list extended IPV4_IN
 remark Incoming IPv4 Traffic
 permit gre host xx.xx.xx.xx any !! Allow GRE from the IPv6 tunnel server. 'host' (wildcard 0.0.0.0) matches that one address; a wildcard of 255.255.255.255 would match any source
 permit esp host xx.xx.xx.xx any !! Allow ESP from the IPv6 tunnel server
 permit 41 host xx.xx.xx.xx any !! Allow protocol 41 (6in4) from the IPv6 tunnel server - this is what the tunnel actually carries
 permit icmp any any !! Allow ICMP (ping)
 permit tcp any any established !! Allow established TCP connections
 permit tcp any eq domain any !! Allow replies from DNS servers (source port 53) - any TCP with source port 53 matches, so consider restricting the source to your name servers
 permit udp any eq domain any !! Allow UDP replies from DNS servers (source port 53) - same caveat, restrict the source if you can
 permit tcp any any eq 3406 !! Probably want to delete this - it's a VPN endpoint for my house
 permit tcp any any eq 8080 !! Probably want to delete this - it's a webserver for my house
 permit tcp any any eq 2020 !! Probably want to delete this - it's an SSH gateway for my house
 deny ip any any log !! Drop everything else
!
ip access-list extended IPV4_OUT
 remark Outgoing IPv4 Traffic
 permit ip any any !! Permit any outgoing traffic - yeah I'm lazy
!
!! VTY lines
line vty 0 15
 access-class admin in
 privilege level 15
 password mysemiuberawesomepassword !! Not used while 'login local' is set; the username/password above is what SSH logins check
 login local
 transport input ssh
!
end

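The two ACL mistakes that are easiest to make in the IPV4_IN list above are writing a subnet mask where IOS expects a wildcard mask (255.255.255.255 means "don't care about any bit", i.e. any source) and permitting by source port (anything sent from port 53 gets through). The following is an added example, not part of the original post or a Cisco tool: a small evaluator for the subset of IOS extended ACL syntax used on this page, applying first-match semantics with the implicit deny, run against the list as it was posted and against the corrected form. The tunnel-server address 192.0.2.10 and the test packets are constructed sample values.

```python
"""Evaluator for the subset of Cisco IOS extended IPv4 ACL syntax used on this page.

Added example, not from the original post. Handles: protocol names or numbers,
'any', 'host A.B.C.D', 'A.B.C.D WILDCARD', optional 'eq PORT' on source and
destination, the TCP 'established' flag, 'remark' lines, and IOS first-match
semantics with the implicit 'deny ip any any' at the end of the list.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}
PORT_NAMES = {"domain": 53, "ssh": 22, "www": 80}


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False   # TCP segment with ACK or RST set


@dataclass
class Entry:
    action: str
    proto: Optional[int]        # None means 'ip', i.e. any protocol
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int
    sport: Optional[int]
    dport: Optional[int]
    established: bool


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(t, i):
    """Parse one address spec at t[i]; return (network, wildcard, next index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2      # explicit wildcard mask


def _parse_port(t, i):
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_entry(line: str) -> Entry:
    t = line.split()
    proto = int(t[1]) if t[1].isdigit() else PROTO_NUMBERS[t[1].lower()]
    src_net, src_wild, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)
    dst_net, dst_wild, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return Entry(t[0], proto, src_net, src_wild, dst_net, dst_wild,
                 sport, dport, "established" in t[i:])


def _addr_match(addr: int, net: int, wild: int) -> bool:
    # A 1 bit in the wildcard means "ignore this bit", so 255.255.255.255 matches everything.
    return (addr & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)


def matches(e: Entry, p: Packet) -> bool:
    if e.proto is not None and e.proto != p.proto:
        return False
    if not _addr_match(_ip(p.src), e.src_net, e.src_wild):
        return False
    if not _addr_match(_ip(p.dst), e.dst_net, e.dst_wild):
        return False
    if e.sport is not None and e.sport != p.sport:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return not e.established or p.established


def evaluate(acl, pkt: Packet):
    """Return (action, matching line) using first-match plus the implicit deny."""
    for line in acl:
        line = line.strip()
        if not line or line.startswith(("remark", "!")):
            continue
        if matches(parse_entry(line), pkt):
            return line.split()[0], line
    return "deny", "implicit deny ip any any"


TUNNEL_SERVER = "192.0.2.10"   # constructed stand-in for the xx.xx.xx.xx tunnel endpoint

ACL_AS_POSTED = [              # the page's IPV4_IN list with a subnet mask typed as a wildcard
    "remark Incoming IPv4 Traffic",
    f"permit gre {TUNNEL_SERVER} 255.255.255.255 any",
    f"permit 41 {TUNNEL_SERVER} 255.255.255.255 any",
    "permit icmp any any",
    "permit tcp any any established",
    "permit tcp any eq domain any",
    "permit udp any eq domain any",
    "permit tcp any any eq 2020",
    "deny ip any any log",
]

ACL_FIXED = [                  # 'host' for the tunnel server, no source-port-53 rules
    f"permit gre host {TUNNEL_SERVER} any",
    f"permit 41 host {TUNNEL_SERVER} any",
    "permit icmp any any",
    "permit tcp any any established",
    "permit tcp any any eq 2020",
    "deny ip any any log",
]


def demo():
    """Constructed packets: 6in4 from a non-tunnel host, and TCP from port 53 to port 22."""
    stray_6in4 = Packet(proto=41, src="198.51.100.7", dst="203.0.113.1")
    from_port_53 = Packet(proto=6, src="198.51.100.7", dst="203.0.113.1", sport=53, dport=22)
    return {
        "posted_6in4": evaluate(ACL_AS_POSTED, stray_6in4)[0],      # permit
        "fixed_6in4": evaluate(ACL_FIXED, stray_6in4)[0],           # deny
        "posted_from_53": evaluate(ACL_AS_POSTED, from_port_53)[0],  # permit
        "fixed_from_53": evaluate(ACL_FIXED, from_port_53)[0],       # deny
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running it shows the posted list permitting protocol 41 from any source and TCP to port 22 from anyone who sets source port 53, while the corrected list denies both and still permits 6in4 from the real tunnel server.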
I might update it to support VPN connections rather than tunnelling them through to an OpenVPN box, but OpenVPN + SSL certs just work for when I want LAN access (not that often..). For the rest of the time just plain old SSH with a little tunnelling where needed does the job. One thing that does need doing is sending the system logs over to the syslog box; currently things like NAT table overflow warnings just spam the console. Once I get a bit of time to re-configure RANCID I'll start playing with the configs, for now they work just fine.
