A really easy authentication proxy with the Cisco 1720

Everything to do with configuring Cisco devices (that does not fit the other categories)

Moderator: Federico.Lagni

orion
Cisco power user
Posts: 109
Joined: Wed 17 Oct 2007, 5:40 pm
Location: Cosenza

Hello, I am posting the configuration of an experiment I have just completed.
The setup uses a Cisco 1720 48D/8F router with a second network card. For convenience, here is the output of sh conf

Code:

Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-K9O3SY7-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Wed 24-Jan-07 15:39 by ccai
Image text-base: 0x8000816C, data-base: 0x811068E0

ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)
ROM: C1700 Software (C1700-Y-M), Version 12.3(23), RELEASE SOFTWARE (fc5)

giano uptime is 3 hours, 36 minutes
System returned to ROM by reload at 20:34:17 GTM Thu Nov 29 2007
System restarted at 20:37:48 GTM Thu Nov 29 2007
System image file is "ftp://192.168.1.252/c1700-k9o3sy7-mz.123-22.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected].

cisco 1720 (MPC860T) processor (revision 0x601) with 40675K/8477K bytes of memory.
Processor board ID JAD054102VV (2189712219), with hardware revision 0000
MPC860T processor: part number 0, mask 32
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
1 FastEthernet/IEEE 802.3 interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

Specifically, this configuration is meant to let users who connect through the Ethernet WIC (Ethernet 0) browse the Internet only after (local) authentication, with a limited set of services and limited bandwidth.
That is, users are allowed to access the following services:
80 (web), 443 (https), 110 (pop), 25 (smtp), 995 (pop3 as used by gmail), 465 (smtp as used by gmail), 53 (dns), 21 (ftp) and 1863 (messenger),
all at a speed of 30KB/s download and 8KB/s upload.
Here is the configuration

Code:

version 12.3
no parser cache
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname giano
!
boot-start-marker
boot system ftp c1700-k9o3sy7-mz.123-22.bin 192.168.1.252
boot-end-marker
!
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXX
!
memory-size iomem 25
clock timezone GTM 1
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization auth-proxy default local group CLIENTI
aaa accounting auth-proxy default start-stop group CLIENTI
aaa session-id common
ip subnet-zero
!
!
ip domain name mshome.net
ip name-server 212.216.172.62
!
ip cef
ip auth-proxy name CLIENTI http auth-cache-time 5
ip audit po max-events 100
!
!
username root privilege 15 password 7 XXXXXXXXXXXXXXXXXXXXXXX
!
!
ip ftp username anonymous
ip ssh authentication-retries 2
!
!
!
!
interface Ethernet0
 description RETE CLIENTI
 ip address 192.168.2.254 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip auth-proxy CLIENTI
 rate-limit input 64000 64000 64000 conform-action transmit exceed-action drop
 rate-limit output 256000 256000 256000 conform-action transmit exceed-action drop
 full-duplex
!
interface FastEthernet0
 description RETE INTERNA
 ip address 192.168.1.99 255.255.255.0
 ip nat outside
 speed auto
!
ip nat inside source list 101 interface FastEthernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip http server
ip http authentication aaa
no ip http secure-server
!
!
access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq www
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq 443
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq pop3
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq smtp
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq 995
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq 465
access-list 101 permit udp 192.168.2.0 0.0.0.255 any eq domain
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq ftp
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq 1863
access-list 101 deny   ip 192.168.2.0 0.0.0.255 any
access-list 102 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
line con 0
line aux 0
line vty 0 4
 password 7 XXXXXXXXXXXXXXXXXXXXXXX
 transport input ssh
line vty 5 15
!
ntp clock-period 17208494
ntp source FastEthernet0
ntp server 193.204.114.232
end

As you can see, the network behind auth-proxy is 192.168.2.0/24, which among other things is denied access to the 192.168.1.0/24 network (we keep home and work separate).
The choice of local authentication is meant for those who do not have a RADIUS or TACACS+ server.
The downsides of this configuration are the need to enter users directly on the router and the fact that it is easy to spoof other users' passwords.
I look forward to advice and suggestions.
Regards
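A way to check what the inbound access-list 101 on Ethernet0 actually lets through, as an added example that is not part of the original post and is not IOS code: a small Python evaluator that parses the ACL lines exactly as posted above and matches constructed flows against them top-down, the way IOS does. The client address 192.168.2.10, the Internet host 8.8.8.8 and the work-LAN host 192.168.1.5 are made up for the test. The evaluator models only the static ACL; the entries that auth-proxy inserts dynamically after a user logs in are not represented. It makes two points visible: the ACL must permit HTTP to the router's own address (192.168.2.254) so the auth-proxy login page is reachable at all, and only UDP port 53 is permitted, so DNS over TCP is dropped by the final deny. The last helper converts the rate-limit values, which IOS takes in bits per second, to the bytes-per-second figures quoted in the post (64000 bit/s is 8000 bytes/s, 256000 bit/s is 32000 bytes/s).

```python
# Added example (not part of the original post): a small evaluator for the
# IOS extended access-list 101 that the post applies inbound on Ethernet0.
# It models only the static ACL; the entries that auth-proxy inserts
# dynamically after a user logs in are not represented here.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords IOS accepts in "eq" clauses (only those used in ACL 101)
PORT_NAMES = {"www": 80, "pop3": 110, "smtp": 25, "domain": 53, "ftp": 21}

# Copy of access-list 101 from the post; ACEs are matched top-down
ACL_101 = """
access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq www
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq 443
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq pop3
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq smtp
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq 995
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq 465
access-list 101 permit udp 192.168.2.0 0.0.0.255 any eq domain
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq ftp
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq 1863
access-list 101 deny   ip 192.168.2.0 0.0.0.255 any
"""


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None when the ACE has no "eq" clause


def _network(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard mask is the bitwise inverse of a netmask
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def parse_acl(text):
    """Turn 'access-list N action proto src dst [eq port]' lines into Ace objects."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, i = _network(t, 4)
        dst, i = _network(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces, proto, src_ip, dst_ip, dport):
    """Return the action of the first matching ACE, or the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # every IOS ACL ends with an implicit deny


def check_client_flows(client="192.168.2.10", internet="8.8.8.8", work="192.168.1.5"):
    """Evaluate a few constructed flows from a client on RETE CLIENTI (addresses are made up)."""
    aces = parse_acl(ACL_101)
    return {
        "https_to_internet": evaluate(aces, "tcp", client, internet, 443),
        "web_to_work_lan": evaluate(aces, "tcp", client, work, 80),
        "login_page_on_router": evaluate(aces, "tcp", client, "192.168.2.254", 80),
        "dns_udp": evaluate(aces, "udp", client, internet, 53),
        "dns_tcp": evaluate(aces, "tcp", client, internet, 53),
        "imap": evaluate(aces, "tcp", client, internet, 143),
    }


def rate_limit_bytes_per_second(bps):
    """IOS rate-limit takes bits per second; the post quotes the limits in bytes."""
    return bps // 8


if __name__ == "__main__":
    for flow, action in check_client_flows().items():
        print(f"{flow:22} {action}")
    print("input  limit:", rate_limit_bytes_per_second(64000), "bytes/s")
    print("output limit:", rate_limit_bytes_per_second(256000), "bytes/s")
```

Run it as a script to see each flow's verdict; swapping in your own ACL text and flows is enough to sanity-check an edited list before applying it to the interface.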