In dit document beschrijf ik hoe je een Cisco 836 operationeel kan krijgen voor je ADSL verbinding met XS4ALL. De Cisco 836 is een ADSL over ISDN unit en in principe gaat alles in dit document ook op voor de Cisco 837 (ADSL over een analoge lijn). Bij mijn keuze voor deze router heb ik gezocht naar de volgende opties: IPv6, SNMP, SYSLOG, ACL's en een fatsoenlijke interface om de boel te configureren.
- Voorbereiding
- Zorg dat je een terminal (emulatie) hebt die op 9600 8N1 staat ingesteld. Je begint namelijk met een stuk configuratie via de console poort.
- Je begint NIET met de default installatie zoals Cisco je aan de hand meeneemt. Of je gaat die weer aanpassen met de informatie uit dit document.
- Je ADSL link werkt al. Liefst getest met een ander device.
- Zet een aantal basis zaken op
- We geven hem de hostnaam anfalas en koppelen hem in het domain vanderkooij.org.
Login in de unit en ga naar de configuratie mode.
Dit ga ik niet verder uitleggen.
Lees maar in de Cisco documentatie hoe je dat doet.
hostname anfalas ip domain name vanderkooij.org ip name-server 192.168.1.2
- Zet authenticatie op je unit met username en password en een enable secret.
aaa new-model aaa authentication login default local aaa session-id common username mijn-account secret mijn-secret enable secret enable-secret line con 0 no modem enable transport output none line aux 0 line vty 0 4 transport output none
Laat geen sessies met telnet of ssh toe vanaf de Cisco zelf!
- Enable SSH (Alleen versie 2)
crypto key generate rsa ip ssh timeout 60 ip ssh version 2
- Gooi wat services uit
no ip finger no ip http server no ip http secure-server no cdp run no ftp-server write-enable no service tcp-small-servers no service udp-small-servers
- We geven hem de hostnaam anfalas en koppelen hem in het domain vanderkooij.org.
Login in de unit en ga naar de configuratie mode.
Dit ga ik niet verder uitleggen.
Lees maar in de Cisco documentatie hoe je dat doet.
- Configureer je LAN
- Ethernet
interface Ethernet0 no shutdown ip address 192.168.1.1 255.255.255.0 ip nat inside no cdp enable
- DHCP server (ONGETEST!)
ip dhcp pool ipv4-dhcp network 192.168.1.0 255.255.255.0 subnet prefix-length 24 default-router 192.168.1.1 netbios-node-type h-node domain-name vanderkooij.org dns-server 192.168.1.2 ip bootp server interface Ethernet0 ip dhcp server ipv4-dhcp
- Ethernet
- Configureer internet
- Zet ATM op
template adsl interface ATM0 no shutdown no ip address load-interval 30 no atm ilmi-keepalive dsl operating-mode auto pvc 8/48 encapsulation aal5mux ppp dialer dialer pool-member 1
- Zet je circuit op
interface Dialer0 no shutdown ip address negotiated no ip unreachables no cdp enable ip nat outside ip virtual-reassembly encapsulation ppp dialer pool 1 dialer idle-timeout 0 dialer-group 1 ppp pap sent-username XS4ALL-account@xs4all-basic-adsl password XS4ALL-password
- Zet je dialer list aan
dialer-list 1 protocol ip permit
- Zet routering aan
ip subnet-zero ip classless ip cef
- Default gateway
ip route 0.0.0.0 0.0.0.0 Dialer0
- NAT
ip nat inside source list 100 interface Dialer0 overload access-list 100 permit ip 192.168.1.0 0.0.0.255 any
- Zet ATM op
- Services
- Ik draai wat eigen servers en moet dus PAT regelen hiervoor.
- PAT
ip nat inside source static tcp 192.168.1.2 25 interface Dialer0 25 ip nat inside source static udp 192.168.1.2 53 interface Dialer0 53 ip nat inside source static tcp 192.168.1.2 53 interface Dialer0 53 ip nat inside source static tcp 192.168.1.2 80 interface Dialer0 80 ip nat inside source static tcp 192.168.1.2 443 interface Dialer0 44
- Nog meer PAT (Dialer0:2022 -> server:22)
ip nat inside source static tcp 192.168.1.2 22 interface Dialer0 2022
- PAT
- Dicht spijkeren
- Internet is een ongezonde plek zonder afscherming.
Dus daar gaan we maar wat aan doen.
- Access rule set
ip access-list extended ipv4-inet-in permit icmp any any echo-reply permit icmp any any packet-too-big permit icmp any any time-exceeded permit icmp any any unreachable permit tcp any any eq 22 log permit tcp any any eq smtp permit udp any any eq domain permit tcp any any eq domain permit tcp any any eq www permit tcp any any eq 443 permit 41 any any deny ip any any log
Die access-group regel voor IP protocol 41 is voor de IPv6 tunnel die we ook nog gaan bouwen.
- En koppel het aan de internet interface
interface Dialer0 ip access-group ipv4-inet-in in
- IP inspection aan. (Je betaalt niet voor niets voor de firewall feature set.)
ip inspect udp idle-time 3600 ip inspect dns-timeout 60 ip inspect tcp synwait-time 60 ip inspect name ipv4-FireWall tcp ip inspect name ipv4-FireWall udp no ip inspect name ipv4-FireWall http ip inspect name ipv4-FireWall ftp no ip inspect name ipv4-FireWall esmtp ip inspect name ipv4-FireWall h323 ip inspect name ipv4-FireWall skinny ip inspect name ipv4-FireWall icmp ip inspect name ipv4-FireWall fragment maximum 256 timeout 1 ip inspect name ipv4-FireWall realaudio ip ips po max-events 100 interface Ethernet0 ip inspect ipv4-FireWall in ip inspect ipv4-FireWall out interface Dialer0 ip inspect ipv4-FireWall in ip inspect ipv4-FireWall out
Let wel op. De meningen over de qualiteit van de IP inspection engine lopen uiteen. Maar opvallend veel mensen met ervaring hebben geen goed woord over wat Cisco hier voor elkaar prutst. Ik heb dan ook de ergste missers uitgezet want HTTP en SMTP content daar snapt zo'n Cisco router blijkbaar niets van.
- Access rule set
- Logging en tijd
- Meten is weten. En dus willen we de logging vastleggen en natuurlijk met een nauwkeurige tijd.
- Zet je tijdzone
clock timezone CET 1 clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00 clock save interval 8
- Zet NTP aan
ntp logging ntp server 194.109.22.18 ntp server 193.67.79.202 ntp server 194.109.20.18
- Zet logging aan
logging 192.168.1.2 service timestamps debug datetime msec service timestamps log datetime msec localtime show-timezone
- Niet te veel van het goede op de console
logging console warnings logging rate-limit console 5
- Log diverse andere zaken
security authentication failure rate 2 log logging count logging userinfo login on-failure log login on-success log
- SNMP traps
snmp-server host 192.168.1.2 public snmp-server trap link ietf snmp-server contact Hugo van der Kooij <snmptraps@vanderkooij.org> snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps tty snmp-server enable traps cpu threshold
- Waarschuwing aan gebruikers
banner motd # *************************************************************************** NOTICE TO USERS This computer system is the private property of the owner, whether individual, corporate or government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to your employer, to authorized site, government, and law enforcement personnel, as well as authorized officials of government agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of such personnel or officials. Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning. **************************************************************************** # - Blockade om (SSH) login gefreubel te stoppen.
login block-for 300 attempts 1 within 300 login delay 1 login quiet-mode access-class ssh-clients ip access-list extended ssh-clients remark -- Only local net remains after login failure --------- permit tcp 192.168.0.0 0.0.255.255 any eq 22 log remark -- Drop and log all other SSH attempts ---------------- deny tcp any any eq 22 log remark -- DONE -----------------------------------------------
- Zet je tijdzone
- IP versie 6
- Zorg eerst dat je tunnel geconfigureerd is in het service center bij XS4ALL!
Gebruik je een SixXS NET tunnel dan dien je eerst je tunnel aan te vragen.
- Ethernet
interface Ethernet0 ipv6 enable ipv6 address 2001:888:10FA::EFFE/64 ipv6 cef ipv6 nat ipv6 nd ra-interval 30 ipv6 nd prefix 2001:888:10FA::/64 86400 86400 ipv6 nd prefix FE80::/16 no-advertise ipv6 nd other-config-flag ipv6 dhcp server ipv6-dhcp rapid-commit preference 1 ipv6 inspect ipv6-FireWall in ipv6 inspect ipv6-FireWall out
Alleen een subnet mask /64 zal een werkende autonegotiate opleveren voor clients van IPv6. Het staat in de RFC's maar je leest er zo maar overheen.
- Tunnel
interface Tunnel0 no ip address no ip unreachables ipv6 enable ipv6 address 2001:888:10:FA::2/64 ipv6 cef ipv6 nat ipv6 traffic-filter ipv6-inet-in in ipv6 inspect ipv6-FireWall in ipv6 inspect ipv6-FireWall out tunnel source Dialer0 tunnel destination 194.109.5.241 tunnel mode ipv6ip
- Dialer
Interface Dialer0 ipv6 nat
- ACL
ipv6 access-list ipv6-inet-in permit icmp host 2001:888:10:FA::1 host 2001:888:10:FA::2 permit tcp any host 2001:888:10FA::1 eq 22 log permit tcp any host 2001:888:10FA::1 eq smtp log permit udp any host 2001:888:10FA::1 eq domain log permit tcp any host 2001:888:10FA::1 eq domain log permit tcp any host 2001:888:10FA::1 eq www log permit tcp any host 2001:888:10FA::1 eq 443 log permit icmp any 2001:888:10FA::/48 echo-reply log permit icmp any 2001:888:10FA::/48 unreachable log permit icmp any 2001:888:10FA::/48 time-exceeded log deny ipv6 any any log
- INSPECT
ipv6 inspect udp idle-time 3600 ipv6 inspect tcp synwait-time 60 ipv6 inspect name ipv6-FireWall tcp ipv6 inspect name ipv6-FireWall udp ipv6 inspect name ipv6-FireWall icmp ipv6 inspect name ipv6-FireWall ftp timeout 3600
- DHCP
ipv6 dhcp pool ipv6-dhcp prefix-delegation 2001:888:10FA::/64 00030001000D29EED13A dns-server 2001:888:10FA::1 domain-name hugo.vanderkooij.org
IP adressen uitdelen is niet meer aan DHCP. Dus alleen wat losse details hoeven nog maar naar de clients.
- Global
ipv6 unicast-routing ipv6 cef ipv6 route 2000::/3 2001:888:10:FA::1 ipv6 nat prefix 2001:888:10FA:FFFF:FFFF:FFFF::/96 ipv6 nat v6v4 source list ipv6-local interface Dialer0 overload
- IPv6 NAT ACL
ipv6 access-list ipv6-local permit ipv6 2001:888:10FA::/64 any permit ipv6 FE80::/10 any deny any any
- Ethernet
Bronnen:
- Using the Cisco (IOS) router with the MXStream ADSL lines
- Mxstream volgens Cisco (Uit een Cisco partner journal uit 2002)
- Cisco IOS Release 12.3 Master Indexes
- Cisco IOS Software Releases 12.3 T Command References
- Cisco IOS Software Releases 12.2 T Cisco IOS IPv6 Configuration Library
- How do I configure my machine to setup the IPv6 in IPv4 tunnel to the SixXS POP?
- Q & A: Cisco IOS Software Solutions: IPv6
In een notendop:
- Definieer ethernet (je lan)
- Definieer ATM + dialer (je internet)
- Zet ACL's en dergelijk aan
- IPv6 tunnel gaat via je dialer interface. Maar de dialer interface ziet alleen IP v4 data.
Deze configuratie is gebaseerd op mijn Cisco 836 met firewall feature set. Op dit moment draai ik 'Cisco IOS Software, C836 Software (C836-K9O3S8Y6-M), Version 12.3(11)T7, RELEASE SOFTWARE (fc3)' omdat het de laatste versie is die nog in 48MB RAM draait.
DISCLAIMER
- Vragen om de Cisco software zal ik stelselmatig negeren.
Dat zoek je maar uit met je leverancier van je Cisco router! - Ga er niet van uit dat je hier een perfect beveilgde cisco configuratie aantreft. Je zult deze moeten aanpassen aan je eigen situatie maar het kan je wel ideëen voor wat mogelijkheden geven.
This document will describe how to get a Cisco 836 router operational with XS4ALL. The Cisco 836 is a ADSL over ISDN router (Annex-B) and just about anything listed should work on the Cisco 837 or other routers. I have select this router based on the following criteria: IPv6, SNMP, SYSLOG, ACL's and an understandable user interface. (I just happen to hate those braindead menu interfcaes like you're stuck with on Zyxel and other el-cheapo routers.)
- Preparation
- Make sure your terminal emulation is set to 9600,8N1. The first part of your config needs to be done on the console.
- Do not start with the default install. But define your own setup step by step.
- You have a working DSL link.
- Basics
- Give it a hostname anfalas and use it in the domain hugo.vanderkooij.org.
Login to the unit and go to the config mode (conf t).
More details must be retrieved from the Cisco manual(s) if you do not know how to do this.
I will not bother to answer basic questions you can find in the manual.
hostname anfalas ip domain name hugo.vanderkooij.org ip name-server 192.168.1.2
- Setup authentication with username and password and an enable secret.
aaa new-model aaa authentication login default local aaa session-id common username my-account secret my-secret enable secret enable-secret line con 0 no modem enable transport output none line aux 0 line vty 0 4 transport output none
Do not allow telnet or ssh sessions from your router!
- Enable SSH (Just version 2)
crypto key generate rsa ip ssh timeout 60 ip ssh version 2
- Disable unneeded (and insecure) services
no ip finger no ip http server no ip http secure-server no cdp run no ftp-server write-enable no service tcp-small-servers no service udp-small-servers
- Give it a hostname anfalas and use it in the domain hugo.vanderkooij.org.
Login to the unit and go to the config mode (conf t).
More details must be retrieved from the Cisco manual(s) if you do not know how to do this.
I will not bother to answer basic questions you can find in the manual.
- Configure your LAN
- Ethernet
interface Ethernet0 no shutdown ip address 192.168.1.1 255.255.255.0 ip nat inside no cdp enable
- DHCP server (NO TESTED!)
ip dhcp pool ipv4-dhcp network 192.168.1.0 255.255.255.0 subnet prefix-length 24 default-router 192.168.1.1 netbios-node-type h-node domain-name hugo.vanderkooij.org dns-server 192.168.1.2 ip bootp server interface Ethernet0 ip dhcp server ipv4-dhcp
- Ethernet
- Configure internet
- Setup ATM (KPN DSL networks only!)
template adsl interface ATM0 no shutdown no ip address load-interval 30 no atm ilmi-keepalive dsl operating-mode auto pvc 8/48 encapsulation aal5mux ppp dialer dialer pool-member 1
- Setup circuit
interface Dialer0 no shutdown ip address negotiated no ip unreachables no cdp enable ip nat outside ip virtual-reassembly encapsulation ppp dialer pool 1 dialer idle-timeout 0 dialer-group 1 ppp pap sent-username XS4ALL-account@xs4all-basic-adsl password XS4ALL-password
- Enable your dialer interface
dialer-list 1 protocol ip permit
- Enable routing
ip subnet-zero ip classless ip cef
- Default gateway
ip route 0.0.0.0 0.0.0.0 Dialer0
- NAT
ip nat inside source list 100 interface Dialer0 overload access-list 100 permit ip 192.168.1.0 0.0.0.255 any
- Setup ATM (KPN DSL networks only!)
- Services
- As I run some services I must setup PAT to translate traffic for these ports.
- PAT
ip nat inside source static tcp 192.168.1.2 25 interface Dialer0 25 ip nat inside source static udp 192.168.1.2 53 interface Dialer0 53 ip nat inside source static tcp 192.168.1.2 53 interface Dialer0 53 ip nat inside source static tcp 192.168.1.2 80 interface Dialer0 80 ip nat inside source static tcp 192.168.1.2 443 interface Dialer0 44
- More PAT (Dialer0:2022 -> server:22)
ip nat inside source static tcp 192.168.1.2 22 interface Dialer0 2022
- PAT
- Shutting things down
- Internet is a bad place to be so make sure you are protected.
You will last only about 30 minutes without it.
- Access rule set
ip access-list extended ipv4-inet-in permit icmp any any echo-reply permit icmp any any packet-too-big permit icmp any any time-exceeded permit icmp any any unreachable permit tcp any any eq 22 log permit tcp any any eq smtp permit udp any any eq domain permit tcp any any eq domain permit tcp any any eq www permit tcp any any eq 443 permit 41 any any deny ip any any log
The access-group line for protocol 41 is for our IPv6 tunnel which we will build later.
- And use it on the internet interface
interface Dialer0 ip access-group ipv4-inet-in in
- IP inspection on.
(After all you are paying for the firewall feature set.)
ip inspect udp idle-time 3600 ip inspect dns-timeout 60 ip inspect tcp synwait-time 60 ip inspect name ipv4-FireWall tcp ip inspect name ipv4-FireWall udp no ip inspect name ipv4-FireWall http ip inspect name ipv4-FireWall ftp no ip inspect name ipv4-FireWall esmtp ip inspect name ipv4-FireWall h323 ip inspect name ipv4-FireWall skinny ip inspect name ipv4-FireWall icmp ip inspect name ipv4-FireWall fragment maximum 256 timeout 1 ip inspect name ipv4-FireWall realaudio ip ips po max-events 100 interface Ethernet0 ip inspect ipv4-FireWall in ip inspect ipv4-FireWall out interface Dialer0 ip inspect ipv4-FireWall in ip inspect ipv4-FireWall out
Please note that the quality of the IP inspection engine of Cisco is rather questionable. That is why I have disabled the (E)SMTP and HTTP engine parts. They are too much trouble to leave them enabled.
- Access rule set
- Logging and time
- You need an accurate time for you logs and should log everyting to a syslog server.
- Set your timezone
clock timezone CET 1 clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00 clock save interval 8
- Setup NTP
ntp logging ntp server 194.109.22.18 ntp server 193.67.79.202 ntp server 194.109.20.18
- Turn on logging
logging 192.168.1.2 service timestamps debug datetime msec service timestamps log datetime msec localtime show-timezone
- Reduce logging on the console
logging console warnings logging rate-limit console 5
- Log other issues
security authentication failure rate 2 log logging count logging userinfo login on-failure log login on-success log
- SNMP traps
snmp-server host 192.168.1.2 public snmp-server trap link ietf snmp-server contact Hugo van der Kooij <snmptraps@vanderkooij.org> snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps tty snmp-server enable traps cpu threshold
- Warning to users
banner motd # *************************************************************************** NOTICE TO USERS This computer system is the private property of the owner, whether individual, corporate or government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to your employer, to authorized site, government, and law enforcement personnel, as well as authorized officials of government agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of such personnel or officials. Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning. **************************************************************************** # - Blocking of SSH worms
login block-for 300 attempts 1 within 300 login delay 1 login quiet-mode access-class ssh-clients ip access-list extended ssh-clients remark -- Only local net remains after login failure --------- permit tcp 192.168.0.0 0.0.255.255 any eq 22 log remark -- Drop and log all other SSH attempts ---------------- deny tcp any any eq 22 log remark -- DONE -----------------------------------------------
- Set your timezone
- IP version 6
- make sure you did setup your tunnel at XS4ALL first.
If you use SixXS NET then you need to follow their procedures.
- Ethernet
interface Ethernet0 ipv6 enable ipv6 address 2001:888:10FA::EFFE/64 ipv6 cef ipv6 nat ipv6 nd ra-interval 30 ipv6 nd prefix 2001:888:10FA::/64 86400 86400 ipv6 nd prefix FE80::/16 no-advertise ipv6 nd other-config-flag ipv6 dhcp server ipv6-dhcp rapid-commit preference 1 ipv6 inspect ipv6-FireWall in ipv6 inspect ipv6-FireWall out
Only a /64 subnetmask will result in a working IPv6 setup for your clients in accordance to the RFCs. But it is east to miss.
- Tunnel
interface Tunnel0 no ip address no ip unreachables ipv6 enable ipv6 address 2001:888:10:FA::2/64 ipv6 cef ipv6 nat ipv6 traffic-filter ipv6-inet-in in ipv6 inspect ipv6-FireWall in ipv6 inspect ipv6-FireWall out tunnel source Dialer0 tunnel destination 194.109.5.241 tunnel mode ipv6ip
- Dialer
Interface Dialer0 ipv6 nat
- ACL
ipv6 access-list ipv6-inet-in permit icmp host 2001:888:10:FA::1 host 2001:888:10:FA::2 permit tcp any host 2001:888:10FA::1 eq 22 log permit tcp any host 2001:888:10FA::1 eq smtp log permit udp any host 2001:888:10FA::1 eq domain log permit tcp any host 2001:888:10FA::1 eq domain log permit tcp any host 2001:888:10FA::1 eq www log permit tcp any host 2001:888:10FA::1 eq 443 log permit icmp any 2001:888:10FA::/48 echo-reply log permit icmp any 2001:888:10FA::/48 unreachable log permit icmp any 2001:888:10FA::/48 time-exceeded log deny ipv6 any any log
- INSPECT
ipv6 inspect udp idle-time 3600 ipv6 inspect tcp synwait-time 60 ipv6 inspect name ipv6-FireWall tcp ipv6 inspect name ipv6-FireWall udp ipv6 inspect name ipv6-FireWall icmp ipv6 inspect name ipv6-FireWall ftp timeout 3600
- DHCP
ipv6 dhcp pool ipv6-dhcp prefix-delegation 2001:888:10FA::/64 00030001000D29EED13A dns-server 2001:888:10FA::1 domain-name hugo.vanderkooij.org
DHCP is not used to assign addresses anymore. So only the additional information needs to be handed out to the clients.
- Global
ipv6 unicast-routing ipv6 cef ipv6 route 2000::/3 2001:888:10:FA::1 ipv6 nat prefix 2001:888:10FA:FFFF:FFFF:FFFF::/96 ipv6 nat v6v4 source list ipv6-local interface Dialer0 overload
- IPv6 NAT ACL
ipv6 access-list ipv6-local permit ipv6 2001:888:10FA::/64 any permit ipv6 FE80::/10 any deny any any
- Ethernet
In a nutshell:
- Define ethernet (your lan)
- Define ATM + dialer (your internet)
- Setup ACL's
- IPv6 tunnel works through your dialer interface. But the dialer interface itself only sees IPv4 data. (IP protocol 41)
Related documents:
- Using the Cisco (IOS) router with the MXStream ADSL lines
- Mxstream volgens Cisco (Uit een Cisco partner journal uit 2002)
- Cisco IOS Release 12.3 Master Indexes
- Cisco IOS Software Releases 12.3 T Command References
- Cisco IOS Software Releases 12.2 T Cisco IOS IPv6 Configuration Library
- How do I configure my machine to setup the IPv6 in IPv4 tunnel to the SixXS POP?
- Q & A: Cisco IOS Software Solutions: IPv6
This config is based on my Cisco 836 with firewall feature set. At present it runs 'Cisco IOS Software, C836 Software (C836-K9O3S8Y6-M), Version 12.3(11)T7, RELEASE SOFTWARE (fc3)' as it is the most recent version that still runs well in 48MB.
DISCLAIMER
- Request for Cisco software will be completly ignored.
You have to get it from the company that sold you the router! - Do not assume this setup is perfectly secure. You need to adept it to your unique situation. It is only intended to give you a reference.