version 12.4
service nagle
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ***
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 5 log
security passwords min-length 6
logging exception 100000
logging count
logging userinfo
logging queue-limit 10000
logging buffered 150000 informational
logging console critical
enable secret ****
!
no aaa new-model
! The crypto map below names an Xauth list "userauthen" and a group
! authorization list "groupauthor". Those are AAA method lists and only
! exist under "aaa new-model", so as posted VPN client login cannot succeed.
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
ip cef
!
!
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 300
ip inspect one-minute high 500
ip inspect hashtable-size 2048
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 60
ip inspect name INSPECTION-OUT tcp
ip inspect name INSPECTION-OUT udp
!
!
ip ips sdf location flash:ips-store retries 5 wait-time 10
ip ips signature 2004 0 disable
ip ips signature 2001 0 disable
ip ips signature 2005 0 disable
ip ips signature 2000 0 disable
ip ips signature 6053 0 disable
ip ips name IPS-IN
no ip bootp server
ip name-server 208.67.222.222
login block-for 1 attempts 3 within 30
login on-failure
login on-success
!
!
!
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
username admin privilege 15 password ***
username user01 password ***
!
!
ip tcp selective-ack
ip tcp window-size 2144
ip tcp synwait-time 10
ip ssh time-out 60
ip scp server enable
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group ***-vpn
key ***
pool ****-pool
max-users 100
max-logins 10
! Split-tunnel list 158 (defined further down) is not attached here with
! "acl 158", so connected clients receive a full tunnel.
!
!
crypto ipsec transform-set VPN-CLI-SET esp-3des esp-md5-hmac
!
crypto dynamic-map ***-dyn 1
set ip access-group 199 in
set transform-set VPN-CLI-SET
!
!
crypto map cellularmap local-address Loopback0
crypto map cellularmap client authentication list userauthen
crypto map cellularmap isakmp authorization list groupauthor
crypto map cellularmap client configuration address respond
crypto map cellularmap 65535 ipsec-isakmp dynamic cellular-dyn
!
!
!
interface Loopback0
description INTERFACE FOR NAT AND VPN
ip address *** 255.255.255.255
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description PHYSICAL INTERFACE FOR LAN MANAGEMENT
ip address 10.10.0.251 255.255.255.0
ip accounting output-packets
ip accounting access-violations
ip inspect INSPECTION-OUT in
ip nat inside
ip virtual-reassembly
ip route-cache flow
no ip mroute-cache
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
description ALICE IMPRESA HDSL 2Mbps - TGU: ***
bandwidth 2048
no ip address
encapsulation frame-relay IETF
load-interval 30
no fair-queue
frame-relay traffic-shaping
frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
description POINT-TO-POINT HDSL
bandwidth 2048
ip address **** 255.255.255.252
ip access-group 131 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip ips IPS-IN in
ip nat outside
ip virtual-reassembly
no ip mroute-cache
no cdp enable
no arp frame-relay
frame-relay class CIR1024
frame-relay interface-dlci 184
crypto map cellularmap
!
ip local pool ***-pool 10.10.1.0 10.10.1.200
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
ip route 10.10.1.0 255.255.255.0 Serial0/0/0.1
!
ip http server
no ip http secure-server
ip nat translation timeout 420
ip nat translation tcp-timeout 120
ip nat translation udp-timeout 120
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat inside source list NAT interface Loopback0 overload
!
ip access-list extended NAT
deny ip 10.10.0.0 0.0.0.255 10.10.1.0 0.0.0.255
permit ip host 10.10.0.60 any
permit ip host 10.10.0.250 any
!
!
map-class frame-relay CIR1024
frame-relay cir 1536000
frame-relay mincir 1024000
logging history notifications
access-list 99 permit 10.10.0.14
access-list 99 permit 10.10.0.16
access-list 99 permit 10.10.0.26
access-list 99 permit 10.10.0.201
access-list 99 permit 10.10.0.230
access-list 131 remark *************************************************************
access-list 131 remark *** ACL FOR NTP TRAFFIC ***
access-list 131 remark *************************************************************
access-list 131 permit udp any any eq ntp
access-list 131 remark *************************************************************
access-list 131 remark *** ACL ANTI-SPOOFING ***
access-list 131 remark *************************************************************
access-list 131 deny ip host 0.0.0.0 any log
access-list 131 deny ip 127.0.0.0 0.255.255.255 any log
access-list 131 deny ip 192.0.2.0 0.0.0.255 any log
access-list 131 deny ip 224.0.0.0 31.255.255.255 any log
access-list 131 deny ip 10.0.0.0 0.255.255.255 any log
access-list 131 deny ip 172.16.0.0 0.15.255.255 any log
access-list 131 deny ip 192.168.0.0 0.0.255.255 any log
access-list 131 remark *************************************************************
access-list 131 remark *** ACL TO CONTROL ICMP TRAFFIC ***
access-list 131 remark *************************************************************
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 deny icmp any any
access-list 131 remark **************************************************************
access-list 131 remark *** ACL TO BLOCK WORMS ***
access-list 131 remark **************************************************************
access-list 131 deny tcp any any eq 135
access-list 131 deny udp any any eq 135
access-list 131 deny udp any any eq netbios-ns
access-list 131 deny udp any any eq netbios-dgm
access-list 131 deny tcp any any eq 139
access-list 131 deny udp any any eq netbios-ss
access-list 131 deny tcp any any eq 445
access-list 131 deny tcp any any eq 8888
access-list 131 deny tcp any any eq 8594
access-list 131 deny tcp any any eq 8563
access-list 131 deny tcp any any eq 7778
access-list 131 deny tcp any any eq 593
access-list 131 deny tcp any any eq 2049
access-list 131 deny udp any any eq 2049
access-list 131 deny tcp any any eq 2000
access-list 131 deny tcp any any range 6000 6010
access-list 131 deny udp any any eq 1433
access-list 131 deny udp any any eq 1434
access-list 131 deny udp any any eq 5554
access-list 131 deny udp any any eq 9996
access-list 131 deny udp any any eq 113
access-list 131 deny udp any any eq 3067
access-list 131 remark *************************************************************
access-list 131 remark *** ACL TO BLOCK UNAUTHORIZED ACCESS ***
access-list 131 remark *************************************************************
! Nothing above permits IKE (udp/500, udp/4500) or ESP to the Loopback0
! address. This list is evaluated on the still-encrypted packet, so the
! final deny stops remote VPN clients from negotiating with the crypto map
! applied on this interface.
access-list 131 deny ip any any log
access-list 158 remark *************************************************************
access-list 158 remark *** ACL FOR SPLIT-TUNNEL FROM VPN-CLIENT ***
access-list 158 remark *************************************************************
access-list 158 permit ip host 10.10.0.60 10.10.1.0 0.0.0.255
access-list 158 permit ip host 10.10.0.250 10.10.1.0 0.0.0.255
access-list 199 remark *************************************************************
access-list 199 remark *** ACL TO MANAGE VPN CLIENT TRAFFIC ***
access-list 199 remark *************************************************************
access-list 199 deny tcp any any eq telnet log
access-list 199 permit tcp any any eq ftp-data
access-list 199 permit tcp any any eq ftp
access-list 199 permit tcp any any eq 6524
access-list 199 permit tcp any any eq 22
access-list 199 permit icmp any any echo
access-list 199 permit icmp any any echo-reply
access-list 199 permit icmp any any time-exceeded
access-list 199 permit icmp any any unreachable
access-list 199 permit icmp any any packet-too-big
access-list 199 permit ip 10.10.1.0 0.0.0.255 any
access-list 199 deny ip any any log
snmp-server community *** RO
snmp-server location CED ***
snmp-server contact ***
no cdp run
!
!
control-plane
!
banner motd ^C
---------------------------------------------------------------
---------------------------------------------------------------
PERIMETER FIREWALL ****
---------------------------------------------------------------
This system is for the use of authorized users only.
Individuals using this computer system without authority, or in
excess of their authority, are subject to having all of their
activities on this system monitored and recorded by system
personnel.
In the course of monitoring individuals improperly using this
system, or in the course of system maintenance, the activities
of authorized users may also be monitored.
Anyone using this system expressly consents to such monitoring
and is advised that if such monitoring reveals possible
evidence of criminal activity, system personnel may provide the
evidence of such monitoring to law enforcement officials.
---------------------------------------------------------------
---------------------------------------------------------------
^C
!
line con 0
exec-timeout 0 0
login local
transport output ssh
stopbits 1
line aux 0
login local
transport output ssh
line vty 0 4
access-class 99 in
exec-timeout 0 0
login local
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178133
ntp server 193.204.114.232
ntp server 193.204.114.233
sntp server 193.204.114.232
sntp server 193.204.114.233
sntp server 193.204.114.105
end
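To make the review of a configuration like this one repeatable, here is an added example (not part of the original forum post, and not Cisco tooling): a small Python audit that scans a `show running-config` dump for the weak points visible above, namely Telnet accepted on the vty lines, `exec-timeout 0 0`, reversible `password` instead of `secret` on usernames, a 3DES/MD5/group-2 IKE policy and matching transform set, `ip http server` without `ip http secure-server`, an SNMP community with no access-list, and a crypto map that names Xauth and group-authorization lists while `no aaa new-model` is set. Both embedded configs are constructed excerpts: `WEAK_CONFIG` mirrors the posted settings with made-up values standing in for the redacted community string and password hash, and `HARDENED_CONFIG` is the corrected counterpart; the AES-256, SHA-256 and group-14 IKE values in it assume an IOS release newer than 12.4 that supports them. The parser relies on the one-space indent IOS gives sub-mode lines, which the forum paste above has lost.

```python
"""Audit a Cisco IOS running-config for the hardening gaps seen in the posted
config. Added example, not from the original post or from Cisco; the sample
configs are constructed excerpts (made-up values stand in for redacted ones)."""
import re

WEAK_CONFIG = """\
no aaa new-model
username admin privilege 15 password 7 0822455D0A16
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set VPN-CLI-SET esp-3des esp-md5-hmac
crypto map cellularmap client authentication list userauthen
crypto map cellularmap isakmp authorization list groupauthor
ip http server
no ip http secure-server
snmp-server community public RO
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username admin privilege 15 secret 5 $1$EXAMPLE$notarealhash
crypto isakmp policy 1
 encr aes 256
 hash sha256
 group 14
crypto ipsec transform-set VPN-CLI-SET esp-aes 256 esp-sha-hmac
crypto map cellularmap client authentication list userauthen
crypto map cellularmap isakmp authorization list groupauthor
ip http secure-server
snmp-server community Xk9-ro-example RO 99
line vty 0 4
 exec-timeout 10 0
 transport input ssh
"""


def parse(config):
    """Split into top-level commands and each block's one-space-indented sub-commands."""
    top, blocks, cur = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):  # blank or '!' comment
            continue
        if raw.startswith(" ") and cur is not None:
            blocks[cur].append(raw.strip())
        else:
            cur = raw.strip()
            top.append(cur)
            blocks[cur] = []
    return top, blocks


def audit(config):
    """Return (severity, check, detail) tuples, most severe first; [] means clean."""
    top, blocks = parse(config)
    out = []
    for hdr, body in blocks.items():
        if hdr.startswith("line "):
            for c in body:
                if c.startswith("transport input") and ("telnet" in c or c.endswith(" all")):
                    out.append(("HIGH", "telnet", f"{hdr}: cleartext Telnet accepted ({c})"))
                if c == "exec-timeout 0 0":
                    out.append(("MEDIUM", "exec-timeout", f"{hdr}: idle sessions never time out"))
        elif hdr.startswith("crypto isakmp policy"):
            # IOS defaults for omitted IKE parameters: encr des, hash sha, group 1
            get = lambda k, d: next((c.split()[1] for c in body if c.startswith(k + " ")), d)
            params = (f"encr {get('encr', 'des')}", f"hash {get('hash', 'sha')}", f"group {get('group', '1')}")
            weak = [p for p in params if p in ("encr des", "encr 3des", "hash md5", "group 1", "group 2", "group 5")]
            if weak:
                out.append(("MEDIUM", "ike-policy", f"{hdr}: {', '.join(weak)}"))
    for line in top:
        m = re.match(r"username (\S+) .*\bpassword\b", line)
        if m:
            out.append(("MEDIUM", "password-type", f"username {m.group(1)}: reversible 'password' instead of 'secret'"))
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            weak = [t for t in m.group(2).split() if t in ("esp-des", "esp-3des", "esp-md5-hmac")]
            if weak:
                out.append(("MEDIUM", "transform-set", f"{m.group(1)}: {' '.join(weak)}"))
        m = re.match(r"snmp-server community (\S+) (?:RO|RW)(?: (\S+))?$", line)
        if m:
            if m.group(1).lower() in ("public", "private"):
                out.append(("HIGH", "snmp", "default community string in use"))
            if m.group(2) is None:  # no trailing standard ACL number/name
                out.append(("MEDIUM", "snmp", f"community {m.group(1)}: not restricted by an access-list"))
    if "ip http server" in top and "ip http secure-server" not in top:
        out.append(("MEDIUM", "http", "ip http server enabled without ip http secure-server"))
    # Xauth / group-authorization lists named by a crypto map are AAA method lists
    refs = (re.match(r"crypto map \S+ (?:client authentication|isakmp authorization) list (\S+)", l) for l in top)
    lists = sorted({m.group(1) for m in refs if m})
    if lists and "aaa new-model" not in top:
        out.append(("HIGH", "aaa", f"crypto map uses AAA lists {lists} but aaa new-model is off"))
    elif lists:
        for name in lists:
            pat = rf"aaa (?:authentication login|authorization network) {re.escape(name)}(?: |$)"
            if not any(re.match(pat, l) for l in top):
                out.append(("HIGH", "aaa", f"AAA list {name} is referenced but never defined"))
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(out, key=lambda f: (rank[f[0]], f[1], f[2]))
```

Run it with `python3 audit.py` after adding `print(audit(WEAK_CONFIG))`, or feed it the text of `show running-config` from the router; `audit(WEAK_CONFIG)` reports nine findings led by the AAA mismatch, while `audit(HARDENED_CONFIG)` returns an empty list. The checks are deliberately exact-string on top-level commands (for instance `"aaa new-model" not in top`), because IOS prints a disabled feature as `no aaa new-model`, so a substring test would give a false pass.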