I've got it sort of working, but it's not secure and not very polished — a mongrel of bits copied from around the net.
Here's what I have so far.
! --- Global services ---
! NOTE(review): "version 15.2no service pad" looks like two lines fused by the paste
! ("version 15.2" followed by "no service pad"); IOS would not accept it as one line.
version 15.2no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! Type-0 passwords (e.g. the PAP password under Dialer0) stay readable in "show run".
! "service password-encryption" only obfuscates them (type 7 is reversible), but it
! keeps them out of casual config dumps and pastes like this one.
no service password-encryption
!
hostname cisco860router
!
boot-start-marker
boot-end-marker
!
!
! Only warning severity and above is kept, and only in the local buffer: anything
! below that is discarded and the buffer is lost on reload. Nothing is sent off-box;
! a "logging host" (syslog collector) is the usual fix.
logging buffered 51200 warnings
!
! Local user database only (see the "username" line and "login local" on the lines).
no aaa new-model
wan mode dsl
! Fixed UTC+12 offset. No "clock summer-time" line appears in this config, so unless
! it is set elsewhere, timestamps will be an hour off during NZ daylight time.
clock timezone NZST 12 0
!
!
!
! --- DHCP / DNS ---
! .240-.254 are kept out of the dynamic pool for the router (.254) and the
! reservations below.
ip dhcp excluded-address 192.168.1.240 192.168.1.254
!
ip dhcp pool dynamic
import all
! Author's note: "import all" doesn't seem to pick up the ISP DNS servers from
! Dialer0 — perhaps PPPoE/IPCP doesn't count as DHCP for this purpose.
! Check with: show ip dhcp import
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
! ISP resolvers entered manually because of the import problem noted above.
dns-server 122.56.237.1 210.55.111.1
! Two-hour lease (days hours).
lease 0 2
!
! Reservation keyed on the DHCP client-identifier (the phone). The same address
! is the target of the "phone" NAT pool further down.
ip dhcp pool staticphone
import all
host 192.168.1.246 255.255.255.0
client-identifier 0156.789c.c32a.29
default-router 192.168.1.254
dns-server 122.56.237.1 210.55.111.1
!
! Reservation for the firewall host; it is also the target of the static SMTP/SSH
! port forwards and the "firewall" NAT pool further down.
ip dhcp pool staticfirewall
import all
host 192.168.1.252 255.255.255.0
client-identifier 01d2.21cb.4567.89
default-router 192.168.1.254
dns-server 122.56.237.1 210.55.111.1
!
!
!
! Also forms the domain part of the SSH host-key name (hostname.domain) — standard
! IOS behaviour, not shown in this paste.
ip domain name dmz.somecompany.co.nz
ip name-server 122.56.237.1
ip name-server 210.55.111.1
ip cef
no ipv6 cef
!
!
!
!
! --- Self-signed certificate for the HTTPS management server ---
! NOTE(review): the trustpoint, subject, keypair and chain names all carry different
! numbers (3389330311, 2379459999, 233333333, 23432352345). IOS generates these as a
! matching set, so they look hand-redacted for the paste; confirm on the real box
! that the "certificate chain" name matches the trustpoint.
crypto pki trustpoint TP-self-signed-3389330311
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2379459999
! No CRL/OCSP lookup — normal for a self-signed certificate that nothing validates.
revocation-check none
rsakeypair TP-self-signed-233333333
!
!
crypto pki certificate chain TP-self-signed-23432352345
certificate self-signed 01
! Certificate body elided in the paste.
12456789 etc
quit
!
!
! Sole admin account, level 15. "secret 4" is unsalted single-round SHA-256, which
! Cisco has deprecated as weaker than the older type 5; prefer type 8/9 ("secret 8" /
! "secret 9") where the image supports them. The hash shown is presumably redacted.
username supertrickyadminirator privilege 15 secret 4 2983479213874290837402837408237
!
! --- Physical interfaces ---
controller VDSL 0
!
!
! ATM side of the DSL controller is unused and kept shut; the VDSL session rides
! on Ethernet0 below.
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
! WAN physical port: carries no IP itself; the PPPoE session lives on the tagged
! sub-interface below.
interface Ethernet0
description telecom
no ip address
!
! PPPoE on VLAN 10 (presumably the ISP's requirement). Dial pool 1 is terminated
! by Dialer0, where the PPP/NAT settings live.
interface Ethernet0.10
encapsulation dot1Q 10
pppoe-client dial-pool-number 1
no cdp enable
!
! FastEthernet0-3 and GigabitEthernet0 have no L3 address; presumably switch ports
! in Vlan1 — confirm with "show vlan-switch" / "show interfaces switchport".
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface GigabitEthernet0
description ToFirewall
no ip address
!
! Administratively down; the MSS clamp here has no effect while the port is shut.
interface GigabitEthernet1
no ip address
ip tcp adjust-mss 1412
shutdown
duplex auto
speed auto
!
! LAN SVI and NAT inside side. No inbound ACL, so every LAN host can reach the
! router's management services (HTTP/HTTPS/telnet/SSH) — see the access-class
! notes on the http and vty lines.
interface Vlan1
description Local LAN
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
! Clamp TCP MSS so segments fit the 1492-byte PPPoE MTU set on Dialer0.
ip tcp adjust-mss 1412
!
! --- WAN: PPPoE over VDSL ---
! This is the Internet-facing interface and it has no "ip access-group" applied:
! the extended ACL "outside" defined further down is never attached, and it ends in
! "permit ip any any" in any case. The only inbound filtering is therefore NAT's
! implicit drop of untranslated traffic. The forwarded services (SMTP/SSH to .252,
! the UDP ranges to .246/.252) and the router's own listeners (HTTP/HTTPS/telnet/SSH,
! subject to the access-class 23 note on the http/vty lines) are reachable from
! the Internet.
interface Dialer0
description Telecom VDSL
ip address negotiated
! Sensible hardening for an outside interface.
no ip redirects
no ip unreachables
no ip proxy-arp
! PPPoE overhead: 1500 - 8.
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
! PAP credentials. "password 0" stores the password in clear text in the config;
! PAP itself also sends it unencrypted on the link, which is inherent to the
! protocol and usually dictated by the ISP. The value here is presumably a placeholder.
ppp pap sent-username user@xtrabb.co.nz password 0 password
! Request DNS servers from the ISP during IPCP (cf. the "import all" note under DHCP).
ppp ipcp dns request
no cdp enable
!
! --- Management servers, NAT, routing, ACLs ---
ip forward-protocol nd
! Plain-text HTTP management is enabled alongside HTTPS, so the level-15 credentials
! can travel in clear. "no ip http server" (keeping "ip http secure-server") removes it.
ip http server
! Standard ACL 23 is referenced here and on "line vty 0 4" but is never defined in
! this config. IOS treats an access-class that names a non-existent ACL as
! permit-all (confirm on this image), so management is reachable from any source,
! including via the Dialer0 (Internet) address. Define it, e.g.
! "access-list 23 permit 192.168.1.0 0.0.0.255".
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
! Single-address "rotary" pools, used with "ip nat inside destination" below to
! steer the UDP port ranges in ACLs 130/131 to the phone (.246) and the firewall (.252).
ip nat pool firewall 192.168.1.252 192.168.1.252 netmask 255.255.255.0 type rotary
ip nat pool phone 192.168.1.246 192.168.1.246 netmask 255.255.255.0 type rotary
! Static port forwards: SMTP and SSH from the Internet straight to the firewall
! host. With no inbound ACL on Dialer0 these are open to the whole Internet, so
! access control and brute-force protection have to happen on .252 itself.
ip nat inside source static tcp 192.168.1.252 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.252 22 interface Dialer0 22
! PAT for outbound traffic. ACL 199 is "permit ip any any"; restricting it to the
! LAN subnet (192.168.1.0 0.0.0.255) is the usual practice so that only inside
! sources are ever translated.
ip nat inside source list 199 interface Dialer0 overload
ip nat inside destination list 130 pool phone
ip nat inside destination list 131 pool firewall
! Default route out the PPPoE session.
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! Defined but never applied to an interface, and "permit ip any any" would make it
! a no-op if it were. A real outside ACL should permit only the NAT'd services and
! deny the rest; return traffic for outbound sessions then needs a stateful feature
! (CBAC "ip inspect" or the zone-based firewall), neither of which appears here.
ip access-list extended outside
permit icmp any any echo-reply
permit ip any any
!
! ACL 101 is not referenced anywhere in this config.
access-list 101 permit tcp any any eq smtp
access-list 101 permit ip any any
! Destination-port selectors for the NAT destination pools above
! (UDP 7000-7400 to the phone, UDP 1194-1196 to the firewall).
access-list 130 permit udp any any range 7000 7400
access-list 131 permit udp any any range 1194 1196
! NAT source selector — see the overload line above.
access-list 199 permit ip any any
! Interesting traffic for Dialer0: any IP brings the session up.
dialer-list 1 protocol ip permit
! 15-second MAC aging, well below the IOS default; reason not recorded.
mac-address-table aging-time 15
! CDP off globally — the router does not advertise itself to neighbours.
no cdp run
!
!
! --- Terminal lines / misc ---
line con 0
login local
no modem enable
! No login or transport restriction is shown for the aux port. If nothing is
! attached, "transport input none" (and "no exec") closes it off; otherwise use
! "login local" as on the console.
line aux 0
line vty 0 4
! ACL 23 is not defined in this config (see the "ip http access-class" note), so as
! written remote login is not restricted by source address.
access-class 23 in
! Every authenticated user lands at level 15 (there is only one account anyway).
privilege level 15
login local
! Telnet carries the level-15 credentials in clear; "transport input ssh" drops it.
! No "ip ssh version 2" appears in the config, so SSHv1 may still be negotiable
! depending on the image default. No "exec-timeout" is set, so the 10-minute
! default applies.
transport input telnet ssh
!
scheduler allocate 60000 1000
! Copy NTP time to the hardware calendar.
ntp update-calendar
! Unauthenticated NTP from a public pool — acceptable for log timestamps. Because
! it is a hostname, the resolvers above must be reachable before time syncs.
ntp server nz.pool.ntp.org
!
end