Healthy Cisco router config with VLAN, DHCP, NAT, SSH, Port Forwarding

! Fixed UTC+8 offset only; no 'ntp server' appears in this listing, so log
! timestamps rest on the local clock (NTP is what makes them usable in forensics).
clock timezone KXXTime 8 0

! .1-.110 are held back from dynamic allocation.
! NOTE(review): the manual bindings further down (.111 and .112) sit just
! outside this range; confirm the dynamic pool cannot hand them to other clients.
ip dhcp excluded-address 172.168.1.1 172.168.1.110

!
! Dynamic pool for the 172 VLAN.
! NOTE: 172.168.0.0/16 is public address space, not RFC 1918 (the private
! block is 172.16.0.0-172.31.255.255). Using it internally makes the real
! owners of that range unreachable from this LAN; 172.16-31.x.x or 10.x.x.x
! avoids the overlap.
ip dhcp pool vlan172
network 172.168.1.0 255.255.255.0
default-router 172.168.1.252
! Primary resolver on the 192 VLAN, 8.8.8.8 as external fallback.
dns-server 192.168.1.x 8.8.8.8
domain-name xxx.com.sg
! lease <days> <hours> <minutes>: 30-minute leases.
lease 0 0 30
!
! Manual binding keyed on the DHCP client identifier (01 + MAC for Ethernet).
ip dhcp pool vlan172-static-laptop
host 172.168.1.111 255.255.255.0
client-identifier 01xx.02xx.03xx.xx
client-name laptop172
default-router 172.168.1.252
dns-server 192.168.1.x 8.8.8.8
domain-name xxx.com.sg
lease 0 0 10
!
! Second manual binding, same pattern.
ip dhcp pool vlan172-static-host
host 172.168.1.112 255.255.255.0
client-identifier 01xx.15xx.01xx.xx
client-name hostxxx
default-router 172.168.1.252
dns-server 192.168.1.x 8.8.8.8
domain-name xxx.com.sg
lease 0 0 10
!
!
!
! No IPv6 addressing is configured anywhere in this listing.
no ipv6 cef
multilink bundle-name authenticated
!
!
!
! Serial number redacted; keep it out of shared configs.
license udi pid CISCOXXXX/XX sn FGLXXXXXXCQ
!
!
! NOTE: 'secret 4' is the deprecated Type 4 hash (single-iteration
! PBKDF2-SHA256). On IOS 15.3(3)M and later prefer
! 'username <name> privilege 15 algorithm-type scrypt secret <pw>' (Type 9),
! or algorithm-type sha256 (Type 8), which are iterated/salted properly.
username xxx privilege 15 secret 4 cFMxxxxKH9Vxxxxa1BxxxxDkbXb0xxxxZt3HB.5xxxx
!
!
! SSHv2 only. The RSA host key ('crypto key generate rsa') that SSH requires
! is not shown here, presumably generated earlier. 'ip ssh time-out' and
! 'ip ssh authentication-retries' are the usual companions to limit brute force.
ip ssh version 2
!
!
!
!
! Unused service engine kept shut down.
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
! WAN interface, NAT outside. No inbound 'ip access-group' is applied here,
! so traffic reaching the public address is screened only by the NAT
! translation table. The OUTSIDE_IN ACL shown later on this page is meant
! for this interface.
interface GigabitEthernet0/0
ip address 2XX.XX.XX.XX 255.255.255.240
ip nat outside
! Virtual fragment reassembly; IOS typically adds this automatically when
! NAT is enabled on an interface.
ip virtual-reassembly in
duplex auto
speed auto
!
! Trunk toward the switch; the routed VLANs are the dot1Q subinterfaces below.
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.172
! NOTE: the curly quotes are a copy/paste artifact; IOS stores the
! description text verbatim, so plain text is what you want here.
description “vlan for 172 network”
encapsulation dot1Q 172
ip address 172.168.1.252 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.192
description “vlan for 192 network”
encapsulation dot1Q 192
ip address 192.168.1.252 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
! Platform default.
ip forward-protocol nd
!
! HTTP/HTTPS management disabled - good.
no ip http server
no ip http secure-server
!
! PAT for both inside VLANs behind the Gi0/0 address; lists 100/101 only
! select what gets translated, they do not restrict anything.
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source list 101 interface GigabitEthernet0/0 overload
! Primary default via the ISP next hop (AD 3); floating statics via two
! hosts on the 192 VLAN (AD 4, 5) take over only when the primary is
! withdrawn. NOTE(review): a static route is presumably withdrawn only when
! Gi0/0 itself goes down, not when the upstream fails - IP SLA tracking
! would cover that. While a backup is active, traffic exits through a
! 'nat inside' interface and is not translated.
ip route 0.0.0.0 0.0.0.0 2XX.XX.XX.XX 3
ip route 0.0.0.0 0.0.0.0 192.168.1.254 4
ip route 0.0.0.0 0.0.0.0 192.168.1.1 5
! Other internal subnets reached through 192.168.1.254.
ip route 192.168.2.0 255.255.255.0 192.168.1.254
ip route 192.168.5.0 255.255.255.0 192.168.1.254
!
! NAT source selectors: everything sourced from each inside VLAN.
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 172.168.1.0 0.0.0.255 any
!
!
!
! No control-plane policing configured.
control-plane
!
!
!
! NOTE: no 'login'/'login local' and no exec-timeout on the console, so
! physical console access gets an exec with no authentication. The second
! listing on this page adds 'login local'.
line con 0
! NOTE: AUX left at defaults; with no modem attached, 'no exec' and
! 'transport input none' close it as a login path.
line aux 0
! Presumably the service-engine console line; 'transport input all' is
! acceptable only because 'no exec' is set.
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
! SSH-only with local auth - good. NOTE: exec-timeout 720 0 keeps idle
! sessions alive for 12 hours, and no 'access-class' limits source
! addresses; both are tightened in the second listing. vty 5-15 are not
! shown - confirm they are not left at platform defaults.
line vty 0 4
exec-timeout 720 0
logging synchronous
login local
transport input ssh
!
! Platform default.
scheduler allocate 20000 1000
!
end

 

Good console and VTY line settings

!
! Management-plane source filter applied to the VTY lines below. Each
! entry logs matches; the implicit deny at the end does not log, so
! 'deny any log' as the last entry makes rejected attempts visible.
ip access-list standard VTY_ACL
 permit x.x.x.x log
 permit 123.123.123.123 log
 permit 192.168.1.0 0.0.0.255 log
 permit 10.123.0.0 0.0.255.255 log
 permit 11X.X.X.X 0.0.0.31 log
!
! Console now requires local authentication. No exec-timeout is set, so the
! platform default idle timeout applies; 'exec-timeout 5 0' as on the VTYs
! would be consistent.
line con 0
 login local
 stopbits 1
! AUX still at defaults apart from stopbits; with no modem attached,
! 'no exec' and 'transport input none' keep it from being a login path.
line aux 0
 stopbits 1
! Both VTY ranges: source-restricted, 5-minute idle timeout, local auth,
! SSH only. Covering vty 5-15 explicitly matters because an unconfigured
! range keeps the platform defaults.
line vty 0 4
 access-class VTY_ACL in
 exec-timeout 5 0
 login local
 transport input ssh
line vty 5 15
 access-class VTY_ACL in
 exec-timeout 5 0
 login local
 transport input ssh
!

 

Port forwarding

! Static PAT: SSH and RDP on the inside host become reachable at the WAN
! address from any Internet source unless an inbound ACL on gi0/0 restricts
! them (the next listing does that). RDP exposed directly to the Internet is
! a frequent brute-force and exploit target; a VPN in front of it, or at
! least a source-restricted ACL, is the usual mitigation.
ip nat inside source static tcp 192.168.x.x 22 interface gi0/0 22
ip nat inside source static tcp 192.168.x.x 3389 interface gi0/0 3389

Port forwarding restricted by an inbound ACL

# NOTE: 'WAN0/0' is not an IOS interface name; in the first listing the
# outside interface is GigabitEthernet0/0 (gi0/0).
ip nat inside source static tcp 192.168.x.x 3389 interface WAN0/0 3389
# RDP 8+ can also use UDP 3389. In the ACL below this forward is reachable
# only through the 'permit ip' entries, not the tcp-only rule at the end.
ip nat inside source static udp 192.168.x.x 3389 interface WAN0/0 3389
R# conf t
# Inbound filter for the outside interface. First match wins; anything
# unmatched hits the implicit deny, which does not log.
R(config)# ip access-list extended OUTSIDE_IN
# Return traffic for sessions opened from inside (ACK/RST set). 'established'
# checks TCP flags only and is spoofable; the NAT translation lookup still
# has to succeed behind it.
R(config-ext-nacl)# permit tcp any any established
# All ICMP types; echo-reply, unreachable and time-exceeded are usually enough.
R(config-ext-nacl)# permit icmp any any
# Only needed if OSPF runs on the outside interface; no OSPF appears in any
# listing on this page.
R(config-ext-nacl)# permit ospf any any
# Any UDP from the Google resolvers, not just DNS replies; the source address
# is spoofable, so 'permit udp host 8.8.8.8 eq 53 any' is the tighter form.
R(config-ext-nacl)# permit udp host 8.8.8.8 any
R(config-ext-nacl)# permit udp host 8.8.4.4 any

# range /27
# Whole-protocol permits from trusted client ranges.
R(config-ext-nacl)# permit ip 116.xx.xx.xx 0.0.0.31 any

# range /28
R(config-ext-nacl)# permit ip 111.xx.xx.xx 0.0.0.15 any

# single host
# NOTE: 'permit ip host ... any' already matches everything from this client,
# so the 'tcp ... eq 3389' line after it never matches. Keep one: the tcp line
# if the client should get RDP only (then add a matching 'udp ... eq 3389' for
# the UDP forward above), the ip line if it should reach everything.
R(config-ext-nacl)# permit ip host PUBLIC.CLIENT.IP any
R(config-ext-nacl)# permit tcp host PUBLIC.CLIENT.IP any eq 3389
# A final 'deny ip any any log' would make blocked attempts visible.
# The SSH forward (port 22) from the previous listing is not covered by any
# port-specific entry here; only the 'permit ip' sources can reach it.
R(config)# interface WAN0/0
R(config-if)# ip access-group OUTSIDE_IN in
R(config-if)# exit

 

 
