boot-start-marker
boot-end-marker
no service pad
no ip source-route
no scheduler allocate
no ip forward-protocol udp tftp
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
no ip http server
no ip http secure-server
no ip bootp server
no ip finger
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service tcp-keepalives-in
logging buffered 4096 debugging
logging console warnings
ip tcp synwait-time 15
ip cef
ip audit notify log
ip audit po max-events 100
no cdp run
!
hostname 9014MD
!
enable secret 5
!
username JonDoe privilege 15 password 7
clock timezone EST -5
clock summer-time EDT recurring
!
aaa new-model
aaa authentication ppp default local
aaa authorization network default if-authenticated
aaa session-id common
ip subnet-zero
!
!
ip dhcp excluded-address 172.16.0.1 172.16.0.10
!
ip dhcp pool INTERNAL
 network 172.16.0.0 255.255.255.0
 default-router 172.16.0.1
 dns-server 68.87.73.242 68.87.71.226
!
interface Ethernet0
 description WAN Interface to Comcast
 ip address dhcp
 ip access-group 100 in
 ip access-group 101 out
 no shutdown
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 full-duplex
 no cdp enable
!
interface FastEthernet0
 description LAN Interface to Private Network
 ip address 172.16.0.1 255.255.255.0
 no shutdown
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 speed 100
 full-duplex
!
ip nat inside source list 110 interface Ethernet0 overload
ip classless
!
ip route 0.0.0.0 0.0.0.0 Ethernet0
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
! ACL 100 (inbound on the WAN interface): drops packets whose source is an
! RFC 1918, loopback, broadcast, multicast or unspecified address (anti-spoofing).
! Note: ACL 100 and ACL 101 both contain no permit entry and end in an explicit
! deny ip any any, so as written the WAN interface passes no traffic in either
! direction; permits for legitimate flows belong above the final deny.
access-list 100 remark Basic Firewall to protect from Internet intruders
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 100 deny ip 255.0.0.0 0.255.255.255 any log-input
access-list 100 deny ip 224.0.0.0 31.255.255.255 any log-input
access-list 100 deny ip host 0.0.0.0 any log-input
access-list 100 deny ip any any log-input
!
! ACL 101 (outbound on the WAN interface): blocks Windows RPC/NetBIOS/SMB ports
! (135, 137-139, 445, 593, 707, 4444) in both directions and traffic addressed
! to private, loopback or broadcast ranges.
access-list 101 remark Deny Illegitimate Traffic go outbound
access-list 101 deny tcp any any eq 135 log-input
access-list 101 deny tcp any eq 135 any log-input
access-list 101 deny udp any any eq 135 log-input
access-list 101 deny udp any eq 135 any log-input
access-list 101 deny tcp any any range 137 139 log-input
access-list 101 deny tcp any range 137 139 any log-input
access-list 101 deny udp any any range netbios-ns netbios-ss log-input
access-list 101 deny udp any range netbios-ns netbios-ss any log-input
access-list 101 deny tcp any any eq 445 log-input
access-list 101 deny tcp any eq 445 any log-input
access-list 101 deny udp any any eq 445 log-input
access-list 101 deny udp any eq 445 any log-input
access-list 101 deny tcp any any eq 593 log-input
access-list 101 deny tcp any eq 593 any log-input
access-list 101 deny tcp any any eq 707 log-input
access-list 101 deny tcp any eq 707 any log-input
access-list 101 deny tcp any any eq 4444 log-input
access-list 101 deny tcp any eq 4444 any log-input
access-list 101 deny ip host 0.0.0.0 any log-input
access-list 101 deny ip host 255.255.255.255 any log-input
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip any 10.0.0.0 0.255.255.255 log-input
access-list 101 deny ip any 172.16.0.0 0.15.255.255 log-input
access-list 101 deny ip any 192.168.0.0 0.0.255.255 log-input
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny udp any any eq netbios-ss
access-list 101 deny ip any any log-input
!
! ACL 110 (NAT source list): only the 172.16.0.0/24 LAN is translated;
! the entries after the permit are never matched by LAN traffic.
access-list 110 remark Deny NAT/PAT for Illegitimate Traffic
access-list 110 permit ip 172.16.0.0 0.0.0.255 any
access-list 110 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log-input
access-list 110 deny ip 10.0.0.0 0.0.0.255 172.16.0.0 0.15.255.255 log-input
access-list 110 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255 log-input
access-list 110 deny ip 10.0.0.0 0.0.0.255 any
access-list 110 deny ip any any log-input
!
!
control-plane
!
banner motd #
**********THIS SYSTEM IS FOR AUTHORIZED USERS ONLY**********
Individuals using this computer system are subject to monitoring for compliance with applicable policies and laws. Anyone using this system expressly consents to such monitoring, and is advised that if monitoring reveals evidence of what could constitute illegal activity under federal and/or applicable state law, system personnel may refer this evidence to appropriate law enforcement officials.
#
!
line con 0
 password 7
 logging synchronous
 exec-timeout 5 0
line aux 0
 password 7
 no exec
! access-class 25 references access-list 25, which is not defined anywhere in
! this configuration; it should list the permitted management source addresses.
line vty 0 4
 access-class 25 in
 exec-timeout 5 0
 password 7
!
ntp server 207.211.160.111 prefer
!
end