877 configuration

Everything to do with configuring Cisco equipment (that does not fit the other categories)

Moderator: Federico.Lagni

ltatas
n00b
Posts: 1
Joined: Sun 27 Nov 2016, 2:13 pm

Hello everyone.
I'd like some help configuring the router in the subject so that I can have the following setup:
One IP as a DMZ (and here I don't know how to do it) and a second IP where I'll put a PC running Asterisk so that I can connect to my office.
My internal network is 192.68.0.1 and the IP 192.168.0.3 should be the DMZ (and here I don't know how to do it); a second address should have port 4569 UDP/TCP and port 1010 for SSH (so I can connect to the Asterisk machine in the office), and the third should have 5060 open for SIP and 1212 for SSH.
I found this config, which I edited, but I don't know whether it is correct.
The whole ACL is unchanged, but I don't actually know whether it is right.
Thanks to anyone who gives me a hand.

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname Cisco877
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
!
no aaa new-model
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
dot11 association mac-list 700
dot11 syslog
!
!Enable DHCP from .10 to .15
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.10 192.168.0.15
!
!Set the DNS servers
ip dhcp pool sdm-pool1
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 8.8.8.8 208.67.222.222
lease infinite
!
ip dhcp pool STATIC-1
host 192.168.0.3 255.255.255.0
client-identifier 0100:08:9b:f8:11:6a
client-name DMZ
!
ip name-server 8.8.8.8
ip name-server 208.67.222.222
ip inspect log drop-pkt
ip inspect name Firewall cuseeme
ip inspect name Firewall dns
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall https
ip inspect name Firewall icmp
ip inspect name Firewall imap
ip inspect name Firewall pop3
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall esmtp
ip inspect name Firewall sqlnet
ip inspect name Firewall streamworks
ip inspect name Firewall tftp
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall vdolive
!
!
multilink bundle-name authenticated
!
!
username admin privilege 15 password 0 admin
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode adsl2+
!
interface ATM0.1 point-to-point
description $ES_WAN$
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
world-mode dot11d country IT both
!
interface Vlan1
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface Dialer0
ip address negotiated
ip access-group 101 in
ip mtu 1492
ip nat outside
ip inspect Firewall out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname aliceadsl
ppp chap password 0 aliceadsl
!
interface BVI1
ip address 192.168.0.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
!VoIP phone
ip nat inside source static udp 192.168.0.250 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.0.250 5060 interface Dialer0 5060
!Phone SSH
ip nat inside source static tcp 192.168.0.250 1010 interface Dialer0 22
ip nat inside source static udp 192.168.0.250 1010 interface Dialer0 22
!ASTERISK IAX
ip nat inside source static udp 192.168.0.250 4569 interface Dialer0 4569
ip nat inside source static tcp 192.168.0.250 4569 interface Dialer0 4569
!ASTERISK SSH and HTTP
ip nat inside source static tcp 192.168.0.250 1212 interface Dialer0 22
ip nat inside source static udp 192.168.0.250 1212 interface Dialer0 22
ip nat inside source static tcp 192.168.0.250 9090 interface Dialer0 80
ip nat inside source static udp 192.168.0.250 9090 interface Dialer0 80
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit tcp host 204.13.248.112 eq www any log
access-list 101 permit udp host 8.8.8.8 eq domain any
access-list 101 permit udp host 208.67.222.222 eq domain any
access-list 101 permit udp host 207.46.232.42 eq ntp any
access-list 101 permit udp host 192.43.244.18 eq ntp any
access-list 101 permit gre any any
access-list 101 remark *************************************************************
access-list 101 remark *** ACL port forwarding ***
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq 4711
access-list 101 permit tcp any any eq 7395
access-list 101 permit tcp any any eq 35238
access-list 101 permit tcp any any eq 81
access-list 101 permit udp any any eq 80
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 8080
access-list 101 permit udp any any eq 5938
access-list 101 permit tcp any any eq 5900
access-list 101 permit tcp any any eq 6346
access-list 101 permit tcp any any eq 5800
access-list 101 permit tcp any any eq 36433
access-list 101 permit tcp any any eq 6348
access-list 101 permit tcp any any eq 15698
access-list 101 permit tcp any any eq 6347
access-list 101 permit tcp any any eq 5060
access-list 101 permit udp any any eq 5060
access-list 101 permit tcp any any eq 4712
access-list 101 permit tcp any any eq 5662
access-list 101 permit udp any any eq 5672
access-list 101 permit udp any any eq 4665
access-list 101 permit udp any any eq discard
access-list 101 permit udp any any eq 8457
access-list 101 permit udp any any eq 35238
access-list 101 permit udp any any eq 6346
access-list 101 permit udp any any eq 6348
access-list 101 permit udp any any eq 15698
access-list 101 permit udp any any eq 6347
access-list 101 remark *************************************************************
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
access-list 102 remark *************************************************************
access-list 102 remark Traffic allowed to enter from the Ethernet side
access-list 102 permit ip any host 192.168.0.1
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 102 remark *************************************************************
access-list 102 deny ip any host 192.168.0.255
access-list 102 deny udp any any eq tftp log
access-list 102 deny ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny udp any any eq 135 log
access-list 102 deny tcp any any eq 135 log
access-list 102 deny udp any any eq netbios-ns log
access-list 102 deny udp any any eq netbios-dgm log
access-list 102 deny tcp any any eq 445 log
access-list 102 deny ip any any log
access-list 700 permit 0017.31c2.ee97 0000.0000.0000
access-list 700 permit 0810.730d.cdb0 0000.0000.0000
access-list 700 permit 0021.0065.937f 0000.0000.0000
access-list 700 permit 0016.fe7b.4370 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
sntp server 207.46.197.32
sntp server 192.43.244.18
end
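The posted config mixes static NAT port forwards with a WAN-facing ACL (101), and the two have to agree for a forward to work: the ACL on Dialer0 is evaluated before NAT delivers the packet inside, so a forward whose global port is never permitted is dead, while a permit with no forward behind it only widens exposure. The script below is an added example (not from the original post) that cross-checks the two command shapes used in the config: `ip nat inside source static {tcp|udp} LOCAL-IP LOCAL-PORT interface IF GLOBAL-PORT` (IOS syntax, where LOCAL-PORT is the port the inside host listens on and GLOBAL-PORT is the one exposed on the WAN) and `access-list N permit {tcp|udp} any any eq PORT`. The finding labels (`NOT_PERMITTED`, `CONFLICT`, `MAYBE_REVERSED`, `UNUSED_PERMIT`) and the "reversed ports" heuristic are my own, and the sample input is a constructed excerpt in the shape of the posted NAT lines and ACL 101. It works on any set of static forwards, not only the ones in this thread.

```python
"""Cross-check IOS static NAT port forwards against the WAN-facing ACL.

Added example, not from the original post. Only the two command shapes
below are parsed; every other line of a running-config is ignored:
  ip nat inside source static {tcp|udp} LOCAL-IP LOCAL-PORT interface IF GLOBAL-PORT
  access-list N permit {tcp|udp} any any eq PORT
"""
import re
from dataclasses import dataclass

# IOS keyword names for ports that appear in the posted ACL; numeric ports pass through.
PORT_NAMES = {"www": 80, "ssh": 22, "domain": 53, "discard": 9, "ntp": 123, "tftp": 69}

# Ports a host usually listens on; used only by the "reversed ports" heuristic (assumption).
WELL_KNOWN_SERVICE_PORTS = {22, 80, 443}

NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)\s*$")
ACL_RE = re.compile(r"^access-list (\d+) permit (tcp|udp) any any eq (\S+)\s*$")


@dataclass(frozen=True)
class StaticNat:
    proto: str
    local_ip: str
    local_port: int   # port the inside host actually listens on
    outside_if: str
    global_port: int  # port exposed on the WAN interface


def port_number(token: str) -> int:
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_static_nat(config: str) -> list[StaticNat]:
    entries = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            proto, lip, lport, iface, gport = m.groups()
            entries.append(StaticNat(proto, lip, int(lport), iface, int(gport)))
    return entries


def parse_acl_permits(config: str, acl_id: str) -> set[tuple[str, int]]:
    permits = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_id:
            permits.add((m.group(2), port_number(m.group(3))))
    return permits


def audit_forwards(config: str, wan_acl: str = "101") -> list[str]:
    nats = parse_static_nat(config)
    permits = parse_acl_permits(config, wan_acl)
    findings = []

    # 1. A forward whose global port the WAN ACL never permits is dead: the ACL drops it first.
    for n in nats:
        if (n.proto, n.global_port) not in permits:
            findings.append(f"NOT_PERMITTED {n.proto}/{n.global_port} -> {n.local_ip}:{n.local_port} "
                            f"(no permit in access-list {wan_acl})")

    # 2. Only one inside target can own a given WAN port: two entries on the same
    #    (proto, interface, global port) with different targets collide.
    seen = {}
    for n in nats:
        key = (n.proto, n.outside_if, n.global_port)
        if key in seen and seen[key] != (n.local_ip, n.local_port):
            findings.append(f"CONFLICT {n.proto}/{n.global_port} on {n.outside_if} maps to both "
                            f"{seen[key][0]}:{seen[key][1]} and {n.local_ip}:{n.local_port}")
        seen.setdefault(key, (n.local_ip, n.local_port))

    # 3. Heuristic: a well-known service port on the WAN side with an odd port on the host side
    #    usually means the two numbers were swapped (the local port is what the host listens on).
    for n in nats:
        if n.global_port in WELL_KNOWN_SERVICE_PORTS and n.local_port not in WELL_KNOWN_SERVICE_PORTS:
            findings.append(f"MAYBE_REVERSED {n.proto} local {n.local_port} / global {n.global_port} "
                            f"for {n.local_ip}: expected the local port to be the service port")

    # 4. A permit with no forward behind it widens WAN exposure for nothing.
    forwarded = {(n.proto, n.global_port) for n in nats}
    for proto, port in sorted(permits - forwarded):
        findings.append(f"UNUSED_PERMIT {proto}/{port} permitted in access-list {wan_acl} but not forwarded")
    return findings


# Constructed excerpt in the shape of the posted config (NAT lines and a slice of ACL 101).
SAMPLE_CONFIG = """\
ip nat inside source static udp 192.168.0.250 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.0.250 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.0.250 1010 interface Dialer0 22
ip nat inside source static tcp 192.168.0.250 1212 interface Dialer0 22
ip nat inside source static udp 192.168.0.250 4569 interface Dialer0 4569
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 5060
access-list 101 permit udp any any eq 5060
access-list 101 permit tcp any any eq 5900
access-list 101 deny ip any any log
"""

if __name__ == "__main__":
    for finding in audit_forwards(SAMPLE_CONFIG):
        print(finding)
```

Run it against a full `show running-config` dump and read the findings in pairs: a `NOT_PERMITTED` entry needs a matching `access-list 101 permit` for the global port (not the local one), while an `UNUSED_PERMIT` is a candidate to delete before the `deny ip any any log` line. `MAYBE_REVERSED` is only a hint, but on the sample it fires exactly where the IOS argument order (local port first, global port last) would put an SSH forward the wrong way round.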