
config 877

Posted: Fri 28 May 2010, 6:35 pm
by spidernet
Hi guys,
after several days I managed to put together a working basic (very basic) config for my 877. Can anyone tell me whether there are errors and how I can improve it? I would also like to secure it, access it from outside, and configure the DNS server. I'm attaching a sh ru.

SPIDERNET#sh ru
Building configuration...

Current configuration : 1741 bytes
!
! Last configuration change at 18:36:11 UTC Thu May 27 2010
! NVRAM config last updated at 18:31:04 UTC Thu May 27 2010
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SPIDERNET
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
ip dhcp smart-relay
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.32
!
ip dhcp pool interlan
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 85.37.17.57 85.38.28.20
lease infinite
!
!
!
multilink bundle-name authenticated
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1400
no ip mroute-cache
hold-queue 100 out
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp header-compression
dialer pool 1
ppp pap sent-username aliceadsl password 7 00051F0F075E0A021C2D
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface Dialer0 overload
!
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
line con 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
password line doremifa
login
!
scheduler max-task-time 5000
end

Thanks, guys.
Bye everyone


Posted: Tue 06 Jul 2010, 9:31 pm
by crisalf76
For DDNS you can use the following syntax:

ip ddns update method dyndns
HTTP
add http://nome:[email protected] ... dyndns.org
interval maximum 28 0 0 0


You type the "?" by pressing Ctrl+V first and then the ? character.

Then, on the interface, e.g. Dialer 0:

ip ddns update hostname nome.dyndns.org
ip ddns update dyndns

If under Dialer 0 you have an ACL applied, e.g. ip access-group 101 in,
then in the access list you must add a permit for the IP of the dyndns site:

access-list 101 permit tcp host 63.208.196.96 eq www any log

For the security of your internal network you could add ACLs
like these:

access-list 131 remark *************************************************************
access-list 131 remark *** ACL ANTI-SPOOFING ***
access-list 131 deny ip host 0.0.0.0 any log
access-list 131 deny ip 127.0.0.0 0.255.255.255 any log
access-list 131 deny ip 192.0.2.0 0.0.0.255 any log
access-list 131 deny ip 224.0.0.0 31.255.255.255 any log
access-list 131 deny ip 10.0.0.0 0.255.255.255 any log
access-list 131 deny ip 172.16.0.0 0.15.255.255 any log
access-list 131 deny ip 192.168.0.0 0.0.255.255 any log
access-list 131 remark *************************************************************
access-list 131 remark *** ACL TO CONTROL ICMP TRAFFIC ***
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 deny icmp any any
access-list 131 remark *************************************************************
access-list 131 remark *** dns and ntp traffic ***
access-list 131 permit udp host 208.67.222.222 eq domain any
access-list 131 permit udp host 151.99.125.1 eq domain any
access-list 131 permit udp host 207.46.197.32 eq ntp any
access-list 131 permit udp host 192.43.244.18 eq ntp any
access-list 131 remark *************************************************************
access-list 131 remark *** ACL TO BLOCK ACCESS BY VIRUSES AND ATTACKS ***
access-list 131 deny tcp any any eq 135
access-list 131 deny udp any any eq 135
access-list 131 deny udp any any eq netbios-ns
access-list 131 deny udp any any eq netbios-dgm
access-list 131 deny tcp any any eq 139
access-list 131 deny udp any any eq netbios-ss
access-list 131 deny tcp any any eq 445
access-list 131 deny tcp any any eq 593
access-list 131 deny tcp any any eq 2049
access-list 131 deny udp any any eq 2049
access-list 131 deny tcp any any eq 2000
access-list 131 deny tcp any any range 6000 6010
access-list 131 deny udp any any eq 1433
access-list 131 deny udp any any eq 1434
access-list 131 deny udp any any eq 5554
access-list 131 deny udp any any eq 9996
access-list 131 deny udp any any eq 113
access-list 131 deny udp any any eq 3067
access-list 131 deny tcp any any eq 8888
access-list 131 deny tcp any any eq 8594
access-list 131 deny tcp any any eq 8563
access-list 131 deny tcp any any eq 7778
access-list 131 remark *************************************************************
access-list 131 remark *** ACL TO BLOCK UNAUTHORIZED ACCESS ***
access-list 131 deny ip any any log

and apply them under ATM0.1 with the following command:

ip access-group 131 in
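
Added example (not part of crisalf76's post and not a Cisco tool): a small Python first-match evaluator run over a constructed excerpt of ACL 131, for checking what an inbound ACL does to expected return traffic before it is applied. It assumes no stateful inspection or reflexive ACL is configured, as in the running config posted above, and handles only the `ip`/`tcp`/`udp`, `any`/`host`/wildcard and `eq`/`range` syntax; the function names are hypothetical and 203.0.113.10 and 198.51.100.7 below are documentation placeholder addresses.

```python
import ipaddress

# Constructed excerpt of ACL 131 from the post (ICMP and most port denies left out).
ACL_131 = """\
access-list 131 deny ip 10.0.0.0 0.255.255.255 any log
access-list 131 deny ip 192.168.0.0 0.0.255.255 any log
access-list 131 permit udp host 208.67.222.222 eq domain any
access-list 131 deny tcp any any eq 445
access-list 131 deny ip any any log
"""
PORTS = {"domain": 53, "ntp": 123, "www": 80}  # IOS port keywords used here

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok):  # consume 'any', 'host A' or 'A WILDCARD' -> (base, wildcard)
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tok.pop(0)), 0
    return _ip(first), _ip(tok.pop(0))

def _ports(tok):  # consume an optional 'eq P' or 'range A B' -> (low, high)
    if tok and tok[0] in ("eq", "range"):
        n = 1 if tok.pop(0) == "eq" else 2
        vals = [PORTS.get(p) or int(p) for p in (tok.pop(0) for _ in range(n))]
        return vals[0], vals[-1]
    return 0, 65535

def parse(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()[2:]  # drop "access-list 131"
        action, proto = tok.pop(0), tok.pop(0)
        src, sport, dst, dport = _addr(tok), _ports(tok), _addr(tok), _ports(tok)
        rules.append((line, action, proto, src, sport, dst, dport))
    return rules

def first_match(rules, proto, src, sport, dst, dport):
    """Return (action, line) of the first entry matching the packet, top down."""
    def hit(addr, spec):  # wildcard bits set to 1 are "don't care"
        return ((_ip(addr) ^ spec[0]) & ~spec[1] & 0xFFFFFFFF) == 0
    for line, action, p, s, sp, d, dp in rules:
        if (p in ("ip", proto) and hit(src, s) and hit(dst, d)
                and sp[0] <= sport <= sp[1] and dp[0] <= dport <= dp[1]):
            return action, line
    return "deny", "implicit deny"
```

With this excerpt, `first_match(parse(ACL_131), "udp", "85.37.17.57", 53, "203.0.113.10", 40000)` (a reply from the resolver handed out by the DHCP pool in the first post) and a TCP reply from source port 80 both fall through to the final `deny ip any any log`, while a DNS reply from 208.67.222.222 is permitted.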

Posted: Tue 06 Jul 2010, 10:59 pm
by valerio1976
Hi, sorry for butting in :) In addition to what crisalf pointed out, you could add the following in conf mode:

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug date
service timestamps log dateti
service password-encryption
no cdp run
no service udp-small-servers
no service tcp-small-servers
logging exception 100000
logging count
logging userinfo
logging queue-limit 10000
logging buffered 150000 notifi
logging console critical
logging monitor notifications

and on the interfaces:

no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip tcp adjust-mss 1460

Good night