1801 configuration for VPN and VoIP
Posted: Tue 16 Oct 2012, 3:04 pm
Hi everyone,
I am the IT manager of a medium-sized company that nonetheless has many small branch offices around Italy, and I am having great difficulty connecting all these offices to the main office via VoIP.
At the moment the network structure is as follows:
- a main office structured like this:
* HDSL 2 Mb line with 16 static IPs
* CISCO 2800 router (Telecom's) for the internet connection and for provisioning the telephone lines
* CISCO 1801 (ours) used as a firewall and placed between the 2800 and my LAN
* VoIP PBX (Promeli or LG, whichever you want to call it)
- a larger branch connected to the above via VPN over a Telecom 20 Mb ADSL with 8 static IPs (CISCO 877 used as router and firewall)
- 20 small branches with an ADSL connection and one remote phone each
At the moment I have created the VPN connection between the main office and the larger branch so as to carry both telephone lines and data. The VPN is built between the CISCO 1801 and the CISCO 877 and works satisfactorily.
In addition, again on the CISCO 1801, I have also set up a series of static NATs on some of the public IPs available, to make a couple of our web servers visible from outside, for some remote-assistance applications via UltraVNC, and on one IP in particular also to expose the PBX's web configuration portal.
Up to here, apart from a few initial difficulties, everything is fine and now works perfectly.
The problem arises when I try to connect the VoIP phones of the remote offices... the PBX technicians told me I need to open a series of inbound and outbound ports on my firewall directed at the PBX's IP address.
The problem is that I have no idea how to do it. I did try to set up a NAT from the firewall's public address to the PBX's address so as to make it visible from outside. The problem is that by doing so, besides the phones in all 20 branches not working, the phones at the VPN-connected office no longer work either...
Below I post the configuration of my 1801. Can anyone tell me where I am going wrong in opening (maybe I have not even done it) the inbound and outbound ports for the VoIP part?
Code:
Building configuration...
Current configuration : 19289 bytes
!
! Last configuration change at 10:53:28 PCTime Tue Oct 16 2012 by Admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco1801
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 15000
logging console critical
enable secret 5 $1$12FF$cTYEtiTsIOgcSARoZMpQn1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authentication login ciscocp_vpn_xauth_ml_3 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PCTime 1
!
crypto pki trustpoint TP-self-signed-421050077
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-421050077
revocation-check none
rsakeypair TP-self-signed-421050077
!
!
crypto pki certificate chain TP-self-signed-421050077
certificate self-signed 01
3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34323130 35303037 37301E17 0D313231 30313231 31303733
375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3432 31303530
30373730 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
C1982B2D AB93FEC8 A6F858A3 5D9D1A97 018552C7 93CBB660 79CD384D E54B38D0
5A8598E0 5C8EEC7F DE9E9A6C 485E31C6 7A2F2A5C 5349D922 BE5CD114 B8E918B2
6BE7F86C 9BFFC941 E9A3B152 F1EB471A A9A1BD00 65744926 E110104F B7586616
834DDDAA 44752ECC 8E3ECA0B 0BFE8412 FC2C065D D70BEF5D 31AF983E 169EF6D7
02030100 01A36930 67300F06 03551D13 0101FF04 05300301 01FF3014 0603551D
11040D30 0B820943 6973636F 31383031 301F0603 551D2304 18301680 1412EA0B
1EF21943 8DCB5E27 F74ACB34 2E91B6BC 19301D06 03551D0E 04160414 12EA0B1E
F219438D CB5E27F7 4ACB342E 91B6BC19 300D0609 2A864886 F70D0101 04050003
81810032 BAFC8CD6 43919392 0512BC58 4372D9FD BD272DD4 13412800 19373ABC
61AE202A C6B11576 498EA965 5FE4FD34 A8CEC7C5 05EE62DD 4BB8D39F 5F8F0C9F
4FC5A863 15718767 255EE42B E5EAE887 FA121D59 2CEF451D 644B5461 4E1BEE63
1BCC9769 E133E033 3C82F014 4624E622 9787922D 5CD4E6DF A2DAFEDF 966E5B41 B69F72
quit
dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.199
ip dhcp excluded-address 192.168.0.211 192.168.3.254
!
ip dhcp pool DHCPMO
import all
network 192.168.0.0 255.255.252.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.0.1
!
!
ip cef
no ip bootp server
ip name-server 151.99.125.2
ip name-server 62.211.69.150
ip port-map http port tcp 85 list 3 description Portali
ip inspect log drop-pkt
ip inspect name CCP_MEDIUM appfw CCP_MEDIUM
ip inspect name CCP_MEDIUM cuseeme
ip inspect name CCP_MEDIUM dns
ip inspect name CCP_MEDIUM ftp
ip inspect name CCP_MEDIUM h323
ip inspect name CCP_MEDIUM sip
ip inspect name CCP_MEDIUM https
ip inspect name CCP_MEDIUM icmp
ip inspect name CCP_MEDIUM imap reset
ip inspect name CCP_MEDIUM pop3 reset
ip inspect name CCP_MEDIUM netshow
ip inspect name CCP_MEDIUM rcmd
ip inspect name CCP_MEDIUM realaudio
ip inspect name CCP_MEDIUM rtsp
ip inspect name CCP_MEDIUM esmtp
ip inspect name CCP_MEDIUM sqlnet
ip inspect name CCP_MEDIUM streamworks
ip inspect name CCP_MEDIUM tftp
ip inspect name CCP_MEDIUM tcp
ip inspect name CCP_MEDIUM udp
ip inspect name CCP_MEDIUM vdolive
ip inspect name CCP_MEDIUM http
ip inspect name CCP_MEDIUM sip-tls
ip urlfilter exclusive-domain deny facebook
no ipv6 cef
!
appfw policy-name CCP_MEDIUM
application im aol
service default action reset alarm
service text-chat action reset alarm
server deny name login.oscar.aol.com
server deny name toc.oscar.aol.com
server deny name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action reset alarm
service text-chat action reset alarm
server deny name messenger.hotmail.com
server deny name gateway.messenger.hotmail.com
server deny name webmessenger.msn.com
audit-trail on
application http
strict-http action allow alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action allow alarm
application im yahoo
service default action reset alarm
service text-chat action reset alarm
server deny name scs.msg.yahoo.com
server deny name scsa.msg.yahoo.com
server deny name scsb.msg.yahoo.com
server deny name scsc.msg.yahoo.com
server deny name scsd.msg.yahoo.com
server deny name messenger.yahoo.com
server deny name cs16.msg.dcn.yahoo.com
server deny name cs19.msg.dcn.yahoo.com
server deny name cs42.msg.dcn.yahoo.com
server deny name cs53.msg.dcn.yahoo.com
server deny name cs54.msg.dcn.yahoo.com
server deny name ads1.vip.scd.yahoo.com
server deny name radio1.launch.vip.dal.yahoo.com
server deny name in1.msg.vip.re2.yahoo.com
server deny name data1.my.vip.sc5.yahoo.com
server deny name address1.pim.vip.mud.yahoo.com
server deny name edit.messenger.yahoo.com
server deny name http.pager.yahoo.com
server deny name privacy.yahoo.com
server deny name csa.yahoo.com
server deny name csb.yahoo.com
server deny name csc.yahoo.com
audit-trail on
!
multilink bundle-name authenticated
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
!
policy-map sdmappfwp2p_CCP_MEDIUM
class sdm_p2p_edonkey
drop
class sdm_p2p_gnutella
drop
class sdm_p2p_kazaa
drop
class sdm_p2p_bittorrent
drop
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXXXXXXXXXXXX address 85.42.XXX.YY8
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to85.42.XXX.YY8
set peer 85.42.XXX.YY8
set transform-set ESP-3DES-SHA
match address 102
!
!
!
!
!
interface ATM0
mtu 1500
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
no atm ilmi-keepalive
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
encapsulation hdlc
shutdown
!
!
interface FastEthernet0
description WAN-Interface$FW_INSIDE$$ETH-WAN$
ip address 5.96.X.Y2 255.255.255.240
ip access-group 104 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
!
!
interface Virtual-Template2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
!
!
interface Vlan1
description LAN-interface
ip address 192.168.0.1 255.255.252.0
ip access-group sdm_vlan1_in in
ip nat inside
ip virtual-reassembly
!
!
ip local pool SDM_POOL_1 192.168.9.100 192.168.9.105
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat pool IPpubTI 5.96.X.Y2 5.96.X.Y2 netmask 255.255.255.240
ip nat inside source route-map SDM_RMAP_2 pool IPpubTI overload
ip nat inside source static tcp 192.168.3.1 8080 5.96.X.Y5 443 extendable
ip nat inside source static udp 192.168.3.1 5588 5.96.X.Y5 5588 extendable
ip nat inside source static udp 192.168.3.1 6254 5.96.X.Y5 6254 extendable
ip nat inside source static udp 192.168.3.1 8002 5.96.X.Y5 8002 extendable
ip nat inside source static udp 192.168.3.1 8003 5.96.X.Y55 8003 extendable
ip nat inside source static udp 192.168.3.1 8004 5.96.X.Y5 8004 extendable
ip nat inside source static udp 192.168.3.1 8005 5.96.X.Y5 8005 extendable
ip nat inside source static tcp 192.168.2.19 5501 5.96.X.Y8 5501 extendable
ip nat inside source static tcp 192.168.2.18 5502 5.96.X.Y8 5502 extendable
ip nat inside source static tcp 192.168.1.5 5905 5.96.X.Y8 5905 extendable
ip nat inside source static tcp 192.168.2.117 5917 5.96.X.Y8 5917 extendable
ip nat inside source static tcp 192.168.2.18 5918 5.96.X.Y8 5918 extendable
ip nat inside source static tcp 192.168.2.19 5919 5.96.X.Y8 5919 extendable
ip nat inside source static tcp 192.168.1.6 85 5.96.X.Y0 80 extendable
ip nat inside source static tcp 192.168.1.200 81 5.96.X.Y2 81 extendable
ip nat inside source static tcp 192.168.1.200 3388 5.96.X.Y2 3388 extendable
ip nat inside source static tcp 192.168.1.200 4550 5.96.X.Y2 4550 extendable
ip nat inside source static tcp 192.168.1.200 5550 5.96.X.Y2 5550 extendable
ip nat inside source static tcp 192.168.1.200 5552 5.96.X.Y2 5552 extendable
ip nat inside source static tcp 192.168.1.200 5611 5.96.X.Y2 5611 extendable
ip nat inside source static tcp 192.168.1.200 8554 5.96.X.Y2 8554 extendable
ip nat inside source static tcp 192.168.1.200 8866 5.96.X.Y2 8866 extendable
ip nat inside source static tcp 192.168.1.200 17300 5.96.X.Y2 17300 extendable
ip route 0.0.0.0 0.0.0.0 5.96.4.81
!
ip access-list extended sdm_vlan1_in
remark CCP_ACL Category=1
permit udp any any
permit ip any any
!
logging trap debugging
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 192.168.3.1
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.0.150
access-list 3 remark CCP_ACL Category=1
access-list 3 permit 192.168.1.6
access-list 4 remark CCP_ACL Category=1
access-list 4 permit 192.168.3.1
access-list 5 remark CCP_ACL Category=1
access-list 5 permit 192.168.3.1
access-list 100 remark CCP_ACL Category=2
access-list 100 deny tcp host 192.168.3.1 eq 8080 any
access-list 100 remark IPSec Rule
access-list 100 deny ip 192.168.0.0 0.0.3.255 192.168.4.0 0.0.3.255
access-list 100 deny ip any host 192.168.9.100
access-list 100 deny ip any host 192.168.9.101
access-list 100 deny ip any host 192.168.9.102
access-list 100 deny ip any host 192.168.9.103
access-list 100 deny ip any host 192.168.9.104
access-list 100 deny ip any host 192.168.9.105
access-list 100 permit ip 192.168.0.0 0.0.3.255 any
access-list 101 remark auto generated by CCP firewall configuration
access-list 101 remark CCP_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 101 permit udp host 85.42.XXX.YY8 host 85.42.XX.YY0 eq non500-isakmp
access-list 101 permit udp host 85.42.XXX.YY8 host 85.42.XX.YY0 eq isakmp
access-list 101 permit esp host 85.42.XXX.YY8 host 85.42.XX.YY0
access-list 101 permit ahp host 85.42.XXX.YY8 host 85.42.XX.YY0
access-list 101 permit udp host 62.211.XX.BB0 eq domain host 85.42.XX.YY0
access-list 101 permit udp host 151.99.VVV.2 eq domain host 85.42.XX.YY0
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit icmp any host 85.42.XX.YY0 echo-reply
access-list 101 permit icmp any host 85.42.XX.YY0 time-exceeded
access-list 101 permit icmp any host 85.42.XX.YY0 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.0.0 0.0.3.255 192.168.4.0 0.0.3.255
access-list 103 remark CCP_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.0.0 0.0.3.255 192.168.4.0 0.0.3.255
access-list 103 permit ip 192.168.0.0 0.0.3.255 any
access-list 104 remark auto generated by CCP firewall configuration
access-list 104 remark CCP_ACL Category=1
access-list 104 permit udp any host 5.96.X.Y5 eq 7311
access-list 104 permit tcp any host 5.96.X.Y5 eq 1720
access-list 104 permit udp any host 5.96.X.Y5 eq 7310
access-list 104 permit udp any host 5.96.X.Y5 eq 7309
access-list 104 permit udp any host 5.96.X.Y5 eq 7308
access-list 104 permit udp any host 5.96.X.Y5 eq 7307
access-list 104 permit udp any host 5.96.X.Y5 eq 7306
access-list 104 permit udp any host 5.96.X.Y5 eq 7305
access-list 104 permit udp any host 5.96.X.Y5 eq 7304
access-list 104 permit udp any host 5.96.X.Y5 eq 7303
access-list 104 permit udp any host 5.96.X.Y5 eq 7302
access-list 104 permit udp any host 5.96.X.Y5 eq 7301
access-list 104 permit udp any host 5.96.X.Y5 eq 7300
access-list 104 permit udp any host 5.96.X.Y5 eq 7111
access-list 104 permit udp any host 5.96.X.Y5 eq 7110
access-list 104 permit udp any host 5.96.X.Y5 eq 7109
access-list 104 permit udp any host 5.96.X.Y5 eq 7108
access-list 104 permit udp any host 5.96.X.Y5 eq 7107
access-list 104 permit udp any host 5.96.X.Y5 eq 7106
access-list 104 permit udp any host 5.96.X.Y5 eq 7105
access-list 104 permit udp any host 5.96.X.Y5 eq 7104
access-list 104 permit udp any host 5.96.X.Y5 eq 7103
access-list 104 permit udp any host 5.96.X.Y5 eq 7102
access-list 104 permit udp any host 5.96.X.Y5 eq 7101
access-list 104 permit udp any host 5.96.X.Y5 eq 7100
access-list 104 permit udp any host 5.96.X.Y5 eq 7015
access-list 104 permit udp any host 5.96.X.Y5 eq 7014
access-list 104 permit udp any host 5.96.X.Y5 eq 7013
access-list 104 permit udp any host 5.96.X.Y5 eq 7012
access-list 104 permit udp any host 5.96.X.Y5 eq 7011
access-list 104 permit udp any host 5.96.X.Y5 eq 7010
access-list 104 permit udp any host 5.96.X.Y5 eq 7009
access-list 104 permit udp any host 5.96.X.Y5 eq 7008
access-list 104 permit udp any host 5.96.X.Y5 eq 7007
access-list 104 permit udp any host 5.96.X.Y5 eq 7006
access-list 104 permit udp any host 5.96.X.Y5 eq 7005
access-list 104 permit udp any host 5.96.X.Y5 eq 7004
access-list 104 permit udp any host 5.96.X.Y5 eq 7003
access-list 104 permit udp any host 5.96.X.Y5 eq 7002
access-list 104 permit udp any host 5.96.X.Y5 eq 7001
access-list 104 permit udp any host 5.96.X.Y5 eq 7000
access-list 104 permit tcp any host 5.96.X.Y2 eq 81
access-list 104 permit tcp any host 5.96.X.Y2 eq 5550
access-list 104 permit tcp any host 5.96.X.Y2 eq 4550
access-list 104 permit tcp any host 5.96.X.Y2 eq 17300
access-list 104 permit tcp any host 5.96.X.Y2 eq 8554
access-list 104 permit tcp any host 5.96.X.Y2 eq 5552
access-list 104 permit tcp any host 5.96.X.Y2 eq 5611
access-list 104 permit tcp any host 5.96.X.Y2 eq 3388
access-list 104 permit tcp any host 5.96.X.Y2 eq 8866
access-list 104 permit tcp any host 5.96.X.Y8 eq 5918
access-list 104 permit tcp any host 5.96.X.Y8 eq 5917
access-list 104 permit tcp any host 5.96.X.Y8 eq 5905
access-list 104 permit tcp any host 5.96.X.Y8 eq 5919
access-list 104 permit tcp any host 5.96.X.Y8 eq 5502
access-list 104 permit tcp any host 5.96.X.Y8 eq 5501
access-list 104 permit udp any host 5.96.X.Y5 eq 8005
access-list 104 permit udp any host 5.96.X.Y5 eq 8004
access-list 104 permit udp any host 5.96.X.Y5 eq 8003
access-list 104 permit udp any host 5.96.X.Y5 eq 8002
access-list 104 permit udp any host 5.96.X.Y5 eq 6254
access-list 104 permit udp any host 5.96.X.Y5 eq 5588
access-list 104 permit tcp any host 5.96.X.Y0 eq www
access-list 104 permit tcp any host 5.96.X.Y5 eq 443
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.4.0 0.0.3.255 192.168.0.0 0.0.3.255
access-list 104 permit udp host 85.42.177.198 host 5.96.X.Y2 eq non500-isakmp
access-list 104 permit udp host 85.42.177.198 host 5.96.X.Y2 eq isakmp
access-list 104 permit esp host 85.42.177.198 host 5.96.X.Y2
access-list 104 permit ahp host 85.42.177.198 host 5.96.X.Y2
access-list 104 deny ip 85.42.XX.YY8 0.0.0.3 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip any any
access-list 105 remark auto generated by CCP firewall configuration
access-list 105 remark CCP_ACL Category=1
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.4.0 0.0.3.255 192.168.0.0 0.0.3.255
access-list 105 deny ip 192.168.0.0 0.0.3.255 any
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip host 0.0.0.0 any
access-list 105 deny ip any any log
access-list 106 remark CCP_ACL Category=2
access-list 106 deny tcp host 192.168.3.1 eq 8080 any
access-list 106 remark IPSec Rule
access-list 106 deny ip 192.168.0.0 0.0.3.255 192.168.4.0 0.0.3.255
access-list 106 permit ip 192.168.0.0 0.0.3.255 any
no cdp run
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 103
!
route-map SDM_RMAP_2 permit 1
match ip address 100
!
route-map SDM_RMAP_3 permit 1
match ip address 106
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^CBenvenuto!! Morosini Giochi - Cisco1801 Firewall
Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end
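The question above comes down to whether the inbound rules on the WAN interface and the static NATs actually line up, and the posted config is long enough that checking by eye is error-prone. The script below is an added example (mine, not the poster's and not Cisco's) that parses an IOS running-config, correlates the `ip nat inside source static` entries with the explicit permits of the inbound ACL, and reports what a defender wants to know before touching the VoIP rules: permits with no NAT behind them, NATs with no explicit permit, permits aimed at the router's own address, whether the ACL ends in a catch-all, and whether the `ip inspect` rule sets are actually applied to an interface. Run over the posted lines it surfaces the points worth verifying: ACL 104 permits the UDP ports between 7000 and 7311 and TCP 1720 to 5.96.X.Y5 while no static NAT in the post forwards those ports to the PBX at 192.168.3.1; the UDP 8003 NAT names 5.96.X.Y55 where the corresponding ACL line names 5.96.X.Y5; ACL 104 ends with `permit ip any any`, so the specific permits above it are not what filters inbound traffic; and the CCP_MEDIUM inspect rule (which includes sip and h323) is defined but not applied to any interface in the posted config. The embedded CONFIG is a constructed excerpt of the posted lines with the anonymised addresses kept as posted; the ACL number passed by the caller, the `host X eq PORT` destination form and the PORT_NAMES keyword table are assumptions of the example.

```python
"""Audit of static NAT entries against the inbound WAN ACL of a Cisco IOS
running-config. Added example; not the forum author's or Cisco's code.
Assumptions (not on the page): the caller names the ACL number, only
`host X eq PORT` destinations are modelled, and PORT_NAMES lists every
symbolic port keyword that occurs."""
import re

# IOS prints some well-known ports by keyword; these are the ones seen in the post.
PORT_NAMES = {"www": 80, "domain": 53, "isakmp": 500, "non500-isakmp": 4500}

NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+) (.+)$")
DST_RE = re.compile(r"host (\S+) eq (\S+)")

# Constructed excerpt of the posted config (anonymised addresses kept as posted).
CONFIG = """\
ip inspect name CCP_MEDIUM sip
ip inspect name CCP_MEDIUM h323
interface FastEthernet0
 ip address 5.96.X.Y2 255.255.255.240
 ip access-group 104 in
 ip nat outside
ip nat inside source static tcp 192.168.3.1 8080 5.96.X.Y5 443 extendable
ip nat inside source static udp 192.168.3.1 5588 5.96.X.Y5 5588 extendable
ip nat inside source static udp 192.168.3.1 8003 5.96.X.Y55 8003 extendable
ip nat inside source static tcp 192.168.1.6 85 5.96.X.Y0 80 extendable
ip nat inside source static tcp 192.168.1.200 81 5.96.X.Y2 81 extendable
access-list 104 permit udp any host 5.96.X.Y5 eq 7311
access-list 104 permit tcp any host 5.96.X.Y5 eq 1720
access-list 104 permit udp any host 5.96.X.Y5 eq 8003
access-list 104 permit udp any host 5.96.X.Y5 eq 5588
access-list 104 permit tcp any host 5.96.X.Y0 eq www
access-list 104 permit tcp any host 5.96.X.Y2 eq 81
access-list 104 permit tcp any host 5.96.X.Y5 eq 443
access-list 104 permit udp host 85.42.177.198 host 5.96.X.Y2 eq isakmp
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip any any
"""


def port_num(token):
    """Turn an IOS port token (number or keyword) into an integer."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_static_nats(cfg):
    """Return one dict per `ip nat inside source static tcp|udp` line."""
    nats = []
    for line in cfg.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            proto, in_ip, in_port, out_ip, out_port = m.groups()
            nats.append({"proto": proto,
                         "inside": (in_ip, int(in_port)),
                         "outside": (out_ip, int(out_port))})
    return nats


def parse_acl(cfg, acl_id):
    """Explicit tcp/udp permits of ACL `acl_id` as {(proto, dst_ip, dst_port)},
    plus a flag telling whether the ACL contains a `permit ip any any`."""
    permits, catch_all = set(), False
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(1) != acl_id or m.group(2) != "permit":
            continue
        proto, rest = m.group(3), m.group(4).strip()
        if proto == "ip" and rest == "any any":
            catch_all = True
            continue
        dst = DST_RE.search(rest)
        if proto in ("tcp", "udp") and dst:
            permits.add((proto, dst.group(1), port_num(dst.group(2))))
    return permits, catch_all


def router_addresses(cfg):
    """Addresses configured on the router's own interfaces."""
    return set(re.findall(r"^\s*ip address (\S+) \S+", cfg, re.M))


def unapplied_inspect_rules(cfg):
    """CBAC rule sets defined with `ip inspect name` but never applied to an
    interface with `ip inspect NAME in|out`."""
    defined = set(re.findall(r"^ip inspect name (\S+)", cfg, re.M))
    applied = set(re.findall(r"^\s*ip inspect (\S+) (?:in|out)\b", cfg, re.M))
    return sorted(defined - applied)


def audit(cfg, acl_id):
    """Correlate the inbound ACL with the static NATs and classify mismatches."""
    permits, catch_all = parse_acl(cfg, acl_id)
    own = router_addresses(cfg)
    nat_keys = {(n["proto"], *n["outside"]) for n in parse_static_nats(cfg)}
    no_nat = permits - nat_keys
    return {
        "catch_all": catch_all,
        # permitted inbound to a public address, but no static NAT forwards it inside
        "permit_without_nat": sorted(p for p in no_nat if p[1] not in own),
        # permitted to the router's own address: services the router itself runs
        "permit_to_router": sorted(p for p in no_nat if p[1] in own),
        # forwarded inside, but reachable only through a catch-all permit (if any)
        "nat_without_permit": sorted(nat_keys - permits),
    }


if __name__ == "__main__":
    for key, value in audit(CONFIG, "104").items():
        print(f"{key}: {value}")
    print("inspect rules defined but not applied:", unapplied_inspect_rules(CONFIG))
```

Paste the full `show running-config` output into CONFIG (or read it from a file) and call `audit(text, "104")`; the ACL number is whatever `ip access-group ... in` names on the `ip nat outside` interface. A non-empty `permit_without_nat` list, a `catch_all` of True, or a non-empty `unapplied_inspect_rules` result are each worth resolving before adding further VoIP entries, because each one means the explicit permits are not describing what the router really lets through.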