Hello everyone,
let me start by saying I'm a newcomer who is passionate about Cisco. So I spend my nights banging my head against configs, routers and access points, but since I got the 877 I'm going crazy!
Let me explain:
I would like the router to be reachable from outside via terminal (SSH) and via HTTPS, as well as three IP cameras (via web), but I absolutely cannot manage it. I'm afraid the ACLs are not entirely correct.
I'm asking whether someone could kindly give me a few pointers.
Thanks a lot
Here is my current conf:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname gw
!
boot-start-marker
boot system flash c870-advipservicesk9-mz.124-15.T4.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable password ********
!
no aaa new-model
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-404110987
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-404110987
revocation-check none
rsakeypair TP-self-signed-404110987
!
!
crypto pki certificate chain TP-self-signed-404110987
certificate self-signed 01
quit
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.19
ip dhcp excluded-address 10.10.10.31 10.10.10.254
!
ip dhcp pool CLIENT
import all
network 10.10.10.0 255.255.255.0
dns-server 194.20.8.1 194.20.8.4
default-router 10.10.10.1
!
!
no ip bootp server
ip domain name yourdomain.com
ip name-server 194.20.8.1
ip name-server 194.20.8.4
ip inspect log drop-pkt
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ddns update method myDNS
HTTP
add http://UTENTE:[email protected] ... NOME&myip=
interval maximum 0 6 0 0
!
!
multilink bundle-name authenticated
!
!
username Router privilege 15 secret 5 $1$rjP9$uGep1ceWy5BBHwX75qRaX0
!
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip virtual-reassembly
pvc 9/35
oam-pvc manage
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip inspect FW-OUT in
ip virtual-reassembly
ip route-cache flow
!
interface Dialer0
ip ddns update hostname NOME
ip ddns update myDNS
ip address negotiated
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow egress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp chap hostname LOGIN_NAME@PROVIDER
ppp chap password 0 ******
ppp pap sent-username LOGIN_NAME@PROVIDER password 0 ******
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip flow-top-talkers
top 50
sort-by bytes
!
no ip http server
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 1200
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.15 80 interface Dialer0 8080
ip nat inside source static tcp 10.10.10.1 443 interface Dialer0 443
ip nat inside source static tcp 10.10.10.1 22 interface Dialer0 22
ip nat inside source static tcp 10.10.10.5 80 interface Dialer0 8181
ip nat inside source static tcp 10.10.10.6 80 interface Dialer0 8282
!
logging trap critical
access-list 23 remark *** ACL PER ACCESSO DA TERMINALE ***
access-list 23 permit 10.10.10.0 0.0.0.255 log
access-list 23 permit 151.9.164.0 0.0.0.255 log
access-list 23 deny any log
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 remark *** ACL ANTI-SPOOFING ***
access-list 102 deny ip host 0.0.0.0 any log
access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
access-list 102 deny ip 192.0.2.0 0.0.0.255 any log
access-list 102 deny ip 224.0.0.0 31.255.255.255 any log
access-list 102 deny ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny ip 172.16.0.0 0.15.255.255 any log
access-list 102 deny ip 192.168.0.0 0.0.255.255 any log
access-list 102 remark *** ACL PER CONTROLLARE TRAFFICO DNS ***
access-list 102 permit udp host 194.20.8.1 eq domain any log
access-list 102 permit udp host 194.20.8.4 eq domain any log
access-list 102 remark *** ACL PER CONTROLLARE DYNDNS ***
access-list 102 permit tcp host 63.208.196.96 eq www any log
access-list 102 remark *** ACL PER CONTROLLARE TRAFFICO NTP ***
access-list 102 permit udp host 193.204.114.232 eq ntp any log
access-list 102 remark *** ACL PER CONTROLLARE TRAFFICO NAT ***
access-list 102 permit ip host 10.10.10.1 any log
access-list 102 permit ip host 10.10.10.5 any log
access-list 102 permit ip host 10.10.10.6 any log
access-list 102 permit ip host 10.10.10.15 any log
access-list 102 permit tcp any any eq 22 log
access-list 102 permit tcp any any eq 443 log
access-list 102 permit tcp any any eq 8080 log
access-list 102 permit udp any any eq 8080 log
access-list 102 permit tcp any any eq 8181 log
access-list 102 permit udp any any eq 8181 log
access-list 102 permit tcp any any eq 8282 log
access-list 102 permit udp any any eq 8282 log
access-list 102 remark *** ACL PER CONTROLLARE TRAFFICO ICMP ***
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any administratively-prohibited
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any traceroute
access-list 102 deny icmp any any
access-list 102 remark *** ACL PER BLOCCARE WORM ***
access-list 102 deny tcp any any eq 135
access-list 102 deny udp any any eq 135
access-list 102 deny udp any any eq netbios-ns
access-list 102 deny udp any any eq netbios-dgm
access-list 102 deny tcp any any eq 139
access-list 102 deny udp any any eq netbios-ss
access-list 102 deny tcp any any eq 445
access-list 102 deny tcp any any eq 8888
access-list 102 deny tcp any any eq 8594
access-list 102 deny tcp any any eq 8563
access-list 102 deny tcp any any eq 7778
access-list 102 deny tcp any any eq 593
access-list 102 deny tcp any any eq 2049
access-list 102 deny udp any any eq 2049
access-list 102 deny tcp any any eq 2000
access-list 102 deny tcp any any range 6000 6010
access-list 102 deny udp any any eq 1433
access-list 102 deny udp any any eq 1434
access-list 102 deny udp any any eq 5554
access-list 102 deny udp any any eq 9996
access-list 102 deny udp any any eq 113
access-list 102 deny udp any any eq 3067
access-list 102 remark *** ACL PER BLOCCARE ACCESSI ***
access-list 102 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
control-plane
!
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 23 in
login local
length 0
transport preferred none
transport input telnet ssh
transport output telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175037
ntp server 193.204.114.232 prefer
end
Cisco 877 - ACL problem
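As an added illustration (not part of the poster's configuration and not a Cisco tool), the Python below models IOS first-match ACL evaluation over a subset of access-list 102 in its configured order and flags entries that an earlier entry already covers; `wc_net`, `first_match` and `shadowed` are names chosen here, and 203.0.113.10 / 198.51.100.1 are constructed placeholders for an external client and the Dialer0 address.

```python
# Added example, not from the original post or from Cisco: a first-match
# evaluator for IOS-style extended ACL entries, run over a subset of the
# poster's access-list 102 in the order it appears in the config.
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")

def wc_net(addr, wildcard="0.0.0.0"):
    """Turn an IOS 'address wildcard' pair into a network (a host if no wildcard)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

# (action, protocol, source, destination, destination port or None)
ACL_102 = [
    ("deny",   "ip",  wc_net("0.0.0.0"),                    ANY, None),  # anti-spoofing
    ("deny",   "ip",  wc_net("127.0.0.0", "0.255.255.255"), ANY, None),
    ("deny",   "ip",  wc_net("10.0.0.0", "0.255.255.255"),  ANY, None),
    ("permit", "ip",  wc_net("10.10.10.1"),                 ANY, None),  # "NAT" entries
    ("permit", "ip",  wc_net("10.10.10.15"),                ANY, None),
    ("permit", "tcp", ANY, ANY, 22),                                     # SSH to router
    ("permit", "tcp", ANY, ANY, 443),                                    # HTTPS to router
    ("permit", "tcp", ANY, ANY, 8080),                                   # camera 10.10.10.15
    ("deny",   "ip",  ANY, ANY, None),                                   # final deny
]

def first_match(acl, proto, src, dst, dport=None):
    """Return (index, action) of the first ACE the packet matches, as IOS does."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, (action, aproto, asrc, adst, aport) in enumerate(acl):
        if aproto in ("ip", proto) and src in asrc and dst in adst \
                and aport in (None, dport):
            return i, action
    return len(acl), "deny"  # implicit deny at the end of every IOS ACL

def shadowed(acl):
    """Indices of ACEs that can never match because an earlier ACE fully covers them."""
    hits = []
    for i, (_, proto, src, dst, port) in enumerate(acl):
        for _, eproto, esrc, edst, eport in acl[:i]:
            if eproto in ("ip", proto) and src.subnet_of(esrc) \
                    and dst.subnet_of(edst) and eport in (None, port):
                hits.append(i)
                break
    return hits

if __name__ == "__main__":
    # Constructed addresses: 203.0.113.10 = external client, 198.51.100.1 = Dialer0 address
    print(first_match(ACL_102, "tcp", "203.0.113.10", "198.51.100.1", 22))  # (5, 'permit')
    print(first_match(ACL_102, "tcp", "203.0.113.10", "198.51.100.1", 23))  # (8, 'deny')
    print(shadowed(ACL_102))  # [3, 4]: the 10.10.10.x permits sit behind "deny ip 10.0.0.0/8"
```

The model covers only address, protocol and destination-port matching in configured order; source-port qualifiers and the `log` keyword are ignored.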