"Ready" config for 20 Mbps ADSL on a c857 - without NAT
Posted: Wed 19 Nov 2008, 7:15 pm
Hello, I would like you to check the configuration I have drafted; I have added notes right after the commands that are less clear to me:
To be specific, the configuration I want to end up with is:
WAN ROUTER: POINT-TO-POINT IP
LAN ROUTER: FIRST USABLE PUBLIC IP
WAN FIREWALL: SECOND USABLE PUBLIC IP
LAN FIREWALL: PRIVATE LAN IP
---------------------------------------------------
service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname ***
boot-start-marker
boot-end-marker
logging exception 100000
logging count
logging userinfo
logging queue-limit 10000
logging buffered 150000 notifications
logging console critical
enable secret ***
no aaa new-model
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
ip cef
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 300
ip inspect hashtable-size 2048
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 60
! CBAC inspection rule set; applied outbound on ATM0.1 so that return traffic is admitted through ACL 131
ip inspect name IDS tcp
ip inspect name IDS udp
ip inspect name IDS ftp
no ip bootp server
ip domain name cisco.com
ip name-server 151.99.125.1
ip name-server 208.67.222.222
login block-for 1 attempts 3 within 30
login on-failure
login on-success
username admin password ***
archive
log config
hidekeys
ip tcp selective-ack
ip tcp window-size 2144
ip tcp synwait-time 10
interface Loopback0
description VPN END-POINT VIRTUAL INTERFACE
ip address *** 255.255.255.255 <---- WHICH IP DO I PUT HERE? (the point-to-point one, or a public IP?)
interface Null0
no ip unreachables
interface ATM0
description ALICE BUSINESS 20 Mbps - TGU: ***
mtu 1500
no ip address
no atm ilmi-keepalive
dsl operating-mode adsl2+
interface ATM0.1 point-to-point
description INTERNET ACCESS INTERFACE
mtu 1500
ip address *** 255.255.255.252 <--- HERE I PUT THE POINT-TO-POINT IP. RIGHT?
ip access-group 131 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip inspect IDS out
ip virtual-reassembly
no ip mroute-cache
no snmp trap link-status
pvc 8/35
encapsulation aal5snap
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
description LAN CONNECTION ***
ip address 192.168.0.254 255.255.255.0 <---- HERE I PUT THE FIRST USABLE PUBLIC IP. RIGHT?
ip accounting output-packets
ip virtual-reassembly
ip route-cache flow
no ip mroute-cache
hold-queue 100 out
ip route 0.0.0.0 0.0.0.0 ATM0.1
no ip http server
no ip http secure-server
ip nat pool INTERNET *.*.*.* *.*.*.* netmask 255.255.255.248 <---- DO I HAVE TO KEEP THIS RULE? WHICH IPs DO I SPECIFY???
ip nat inside source list 100 pool INTERNET overload <---- DO I HAVE TO KEEP THIS RULE?
access-list 131 remark *************************************************************
access-list 131 remark *** ACL TO CONTROL ICMP TRAFFIC ***
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 deny icmp any any
access-list 131 remark *************************************************************
access-list 131 remark *** ACL TO BLOCK VIRUSES AND ATTACKS ***
access-list 131 deny tcp any any eq 135
access-list 131 deny udp any any eq 135
access-list 131 deny udp any any eq netbios-ns
access-list 131 deny udp any any eq netbios-dgm
access-list 131 deny tcp any any eq 139
access-list 131 deny udp any any eq netbios-ss
access-list 131 deny tcp any any eq 445
access-list 131 deny tcp any any eq 593
access-list 131 deny tcp any any eq 2049
access-list 131 deny udp any any eq 2049
access-list 131 deny tcp any any eq 2000
access-list 131 deny tcp any any range 6000 6010
access-list 131 deny udp any any eq 1433
access-list 131 deny udp any any eq 1434
access-list 131 deny udp any any eq 5554
access-list 131 deny udp any any eq 9996
access-list 131 deny udp any any eq 113
access-list 131 deny udp any any eq 3067
access-list 131 remark *************************************************************
access-list 131 remark *** ACL TO BLOCK UNAUTHORIZED ACCESS ***
access-list 131 deny ip any any log
control-plane
banner motd ^C
****************************************************************
----------------------------------------------------------------
* *** PERIMETER ROUTER ---- *** *
----------------------------------------------------------------
* WARNING: System is RESTRICTED to authorized personnel ONLY! *
* Unauthorized use of this system will be logged and *
* prosecuted to the fullest extent of the law. *
* *
* If you are NOT authorized to use this system, LOG OFF NOW! *
* *
****************************************************************
^C
line con 0
exec-timeout 120 0
login local
no modem enable
transport output ssh
stopbits 1
line aux 0
login local
transport output ssh
stopbits 1
line vty 0 4
exec-timeout 0 0
login local
transport input telnet ssh
transport output telnet ssh
scheduler max-task-time 5000
scheduler interval 500
sntp server 193.204.114.232
sntp server 193.204.114.233
sntp server 193.204.114.105
end
Thanks
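A small audit script, added here as an example and not part of the forum post, that checks a pasted IOS configuration for the points a reviewer of this kind of perimeter-router config looks at first: ACLs or inspect rules that are referenced but never defined (the NAT statement above points at access-list 100, which does not exist), NAT statements left in a design meant to route public space without NAT, RFC 1918 addresses on interfaces that are supposed to carry public space, and vty lines that accept telnet or never time out. The embedded excerpt is constructed from the posted config; the masked addresses are replaced with placeholders from the 203.0.113.0/24 documentation range, and the interface names, ACL number and inspect-rule name are the post's own.

```python
"""Audit an IOS config excerpt for dangling ACL/inspect references, stray NAT,
RFC 1918 addresses on public-facing interfaces and weak vty settings.
Added example; not code from the forum post."""
import ipaddress
import re

# Constructed excerpt of the posted configuration. The real addresses were
# masked as *** in the post; 203.0.113.0/24 is a documentation range used
# here only as a stand-in.
SAMPLE_CONFIG = """
hostname c857
ip inspect name IDS tcp
ip inspect name IDS udp
ip inspect name IDS ftp
interface ATM0.1 point-to-point
ip address 203.0.113.2 255.255.255.252
ip access-group 131 in
ip inspect IDS out
interface Vlan1
ip address 192.168.0.254 255.255.255.0
ip nat pool INTERNET 203.0.113.9 203.0.113.14 netmask 255.255.255.248
ip nat inside source list 100 pool INTERNET overload
access-list 131 permit icmp any any echo
access-list 131 deny ip any any log
line vty 0 4
exec-timeout 0 0
login local
transport input telnet ssh
"""

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Keywords that always start a new global statement. Anything else that follows
# an 'interface' or 'line' header is treated as part of that block, because
# configs pasted into forums usually lose their indentation.
GLOBAL_PREFIXES = ("hostname ", "interface ", "line ", "access-list ",
                   "ip nat ", "ip inspect name ", "ip route ")


def parse_config(text):
    """Return (global_lines, blocks); blocks maps a header such as
    'interface Vlan1' or 'line vty 0 4' to the lines beneath it."""
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(("interface ", "line ")):
            current = line
            blocks[current] = []
        elif line.startswith(GLOBAL_PREFIXES) or current is None:
            current = None
            global_lines.append(line)
        else:
            blocks[current].append(line)
    return global_lines, blocks


def audit(text, public_interfaces=(), nat_expected=True):
    """Return a list of (severity, where, message) findings."""
    global_lines, blocks = parse_config(text)
    findings = []

    # Pass 1: collect what is defined.
    acls, inspect_rules = set(), set()
    for line in global_lines:
        if m := re.match(r"access-list (\S+)", line):
            acls.add(m.group(1))
        if m := re.match(r"ip inspect name (\S+)", line):
            inspect_rules.add(m.group(1))

    # Pass 2: global references and NAT presence.
    for line in global_lines:
        if m := re.match(r"ip nat inside source list (\S+)", line):
            if m.group(1) not in acls:
                findings.append(("high", line,
                                 f"NAT references access-list {m.group(1)}, which is not defined"))
        if line.startswith("ip nat ") and not nat_expected:
            findings.append(("medium", line,
                             "NAT statement present in a design declared NAT-free"))

    # Pass 3: per-interface and per-line checks.
    for header, lines in blocks.items():
        for line in lines:
            if m := re.match(r"ip access-group (\S+) (in|out)", line):
                if m.group(1) not in acls:
                    findings.append(("high", header,
                                     f"applies access-list {m.group(1)}, which is not defined"))
            if m := re.match(r"ip inspect (\S+) (in|out)", line):
                if m.group(1) not in inspect_rules:
                    findings.append(("high", header,
                                     f"applies inspect rule {m.group(1)}, which is not defined"))
            if header in public_interfaces and (m := re.match(r"ip address (\S+) \S+", line)):
                try:
                    addr = ipaddress.ip_address(m.group(1))
                except ValueError:  # 'ip address dhcp' or a masked address
                    continue
                # Compared against RFC 1918 explicitly: ipaddress.is_private
                # would also flag documentation ranges such as 203.0.113.0/24.
                if any(addr in net for net in RFC1918):
                    findings.append(("high", header,
                                     f"has RFC 1918 address {addr} but should carry public space"))
        if header.startswith("line vty"):
            if any(l.startswith("transport input") and "telnet" in l.split() for l in lines):
                findings.append(("high", header, "accepts telnet; restrict transport input to ssh"))
            if "exec-timeout 0 0" in lines:
                findings.append(("medium", header, "exec-timeout 0 0 means idle sessions never expire"))
    return findings


def audit_sample():
    """Audit the excerpt with the poster's stated intent: ATM0.1 and Vlan1
    carry public space, and there is no NAT."""
    return audit(SAMPLE_CONFIG,
                 public_interfaces=("interface ATM0.1 point-to-point", "interface Vlan1"),
                 nat_expected=False)


if __name__ == "__main__":
    for severity, where, message in audit_sample():
        print(f"[{severity}] {where}: {message}")
```

Run as-is it reports the dangling access-list 100 behind the NAT statement, both `ip nat` lines as out of place in a NAT-free design, the 192.168.0.254 address on Vlan1, and the telnet and missing idle timeout on the vty lines; ATM0.1 produces nothing because its ACL and inspect rule both exist. With `nat_expected=True` and no `public_interfaces` only the three findings that are wrong in any design remain.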