Hi,
I have a somewhat complicated config:
4 VLANs and a few services that must be reachable from the outside.
I tried configuring ip inspect to get a firewall.
The problem is that I don't understand how to configure ip inspect to open the ports for the servers: 1 ftps, 1 ftp, 1 http, 2 https, 1 ssh.
These services are all on VLAN1 (BVI1).
With the usual ACLs everything works except the FTP-over-SSL server, which I can't reach from the outside (I had already opened a thread on the forum about it).
I don't even know whether what I want is possible, which would be a set of ip inspect rules applied to Dialer0 in the IN direction that let through the traffic I need!
What do you think? Or can I only use ACLs?
Also, Live Messenger (the M$ client) doesn't work for me; the other M$ IM clients work.
I'm pasting the configuration so you can see whether you can help me.
!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
!
hostname lucart01
!
boot-start-marker
boot-end-marker
!
logging exception 100000
logging count
logging userinfo
logging queue-limit 10000
logging buffered 150000 notifications
logging console critical
enable secret 5 $1$SESr$wJDBF1TQ5tPOdJUoqCIB61
!
no aaa new-model
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-3663086192
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3663086192
revocation-check none
rsakeypair TP-self-signed-3663086192
!
!
crypto pki certificate chain TP-self-signed-3663086192
certificate self-signed 01 nvram:IOS-Self-Sig#12.cer
!
!
!
dot11 ssid guest
vlan 2
max-associations 10
authentication open
authentication key-management wpa optional
wpa-psk ascii 7 06310A2D4F41041C571B07080D06262A2A2B0C3237161402
!
dot11 ssid home
vlan 1
max-associations 16
authentication open
authentication key-management wpa
wpa-psk ascii 7 153E1E0F0528272526300A151B0E020612060E
!
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
ip cef
!
!
ip dhcp use vrf connected
!
[...DHCP config...]
!
no ip bootp server
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 300
ip inspect hashtable-size 2048
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 60
!
ip inspect name VLAN1-IN appfw FW01
ip inspect name VLAN1-IN ftp timeout 120
ip inspect name VLAN1-IN ftps timeout 120
ip inspect name VLAN1-IN dns timeout 20
ip inspect name VLAN1-IN ntp timeout 30
ip inspect name VLAN1-IN http timeout 30
ip inspect name VLAN1-IN https timeout 30
ip inspect name VLAN1-IN pop3 timeout 60
ip inspect name VLAN1-IN pop3s timeout 60
ip inspect name VLAN1-IN imap timeout 90
ip inspect name VLAN1-IN imaps timeout 90
ip inspect name VLAN1-IN smtp timeout 90
ip inspect name VLAN1-IN gnutella timeout 180
ip inspect name VLAN1-IN edonkey timeout 180
ip inspect name VLAN1-IN bittorrent timeout 180
ip inspect name VLAN1-IN ssh timeout 30
ip inspect name VLAN1-IN icmp timeout 30
!
ip inspect name VLAN2-IN appfw FW01
ip inspect name VLAN2-IN dns timeout 20
ip inspect name VLAN2-IN ntp timeout 30
ip inspect name VLAN2-IN ftp timeout 120
ip inspect name VLAN2-IN ftps timeout 120
ip inspect name VLAN2-IN http timeout 30
ip inspect name VLAN2-IN https timeout 30
ip inspect name VLAN2-IN pop3 timeout 60
ip inspect name VLAN2-IN pop3s timeout 60
ip inspect name VLAN2-IN imap timeout 90
ip inspect name VLAN2-IN imaps timeout 90
ip inspect name VLAN2-IN smtp timeout 90
ip inspect name VLAN2-IN ssh timeout 30
ip inspect name VLAN2-IN icmp timeout 30
!
ip inspect name VLAN3-IN sip timeout 30
ip inspect name VLAN3-IN sip-tls timeout 30
ip inspect name VLAN3-IN dns timeout 20
ip inspect name VLAN3-IN ntp timeout 30
ip inspect name VLAN3-IN http timeout 30
ip inspect name VLAN3-IN https timeout 30
ip inspect name VLAN3-IN ftp timeout 120
ip inspect name VLAN3-IN ftps timeout 120
ip inspect name VLAN3-IN tftp timeout 30
ip inspect name VLAN3-IN icmp timeout 30
!
ip inspect name VLAN4-IN appfw FW01
ip inspect name VLAN4-IN ftp timeout 120
ip inspect name VLAN4-IN ftps timeout 120
ip inspect name VLAN4-IN dns timeout 20
ip inspect name VLAN4-IN ntp timeout 30
ip inspect name VLAN4-IN http timeout 30
ip inspect name VLAN4-IN https timeout 30
ip inspect name VLAN4-IN pop3 timeout 60
ip inspect name VLAN4-IN pop3s timeout 60
ip inspect name VLAN4-IN imap timeout 90
ip inspect name VLAN4-IN imaps timeout 90
ip inspect name VLAN4-IN smtp timeout 90
ip inspect name VLAN4-IN gnutella timeout 180
ip inspect name VLAN4-IN edonkey timeout 180
ip inspect name VLAN4-IN bittorrent timeout 180
ip inspect name VLAN4-IN ssh timeout 30
ip inspect name VLAN4-IN icmp timeout 30
!
ip ddns update method DYNDNS
HTTP
add http://XXXXXX:[email protected] ... ckmx=NOCHG
interval maximum 28 0 0 0
interval minimum 0 1 0 0
!
login block-for 1 attempts 3 within 30
login on-failure
login on-success
vlan ifdescr detail
!
multilink bundle-name authenticated
!
!
username user1 privilege 15 password 7 14001A021801397B73
username root privilege 15 password 7 0250570F525E56
archive
log config
hidekeys
!
!
ip tcp selective-ack
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh version 2
ip ssh authentication-retries 2
!
appfw policy-name FW01
application im aol
service default action allow
service text-chat action allow
server permit name login.oscar.aol.com
server permit name toc.oscar.aol.com
server permit name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action allow
service text-chat action allow
server permit name messenger.hotmail.com
server permit name gateway.messenger.hotmail.com
server permit name webmessenger.msn.com
audit-trail on
application http
strict-http action allow
port-misuse im action allow
port-misuse p2p action allow
port-misuse tunneling action allow
application im yahoo
service default action allow
service text-chat action allow
server permit name scs.msg.yahoo.com
server permit name scsa.msg.yahoo.com
server permit name scsb.msg.yahoo.com
server permit name scsc.msg.yahoo.com
server permit name scsd.msg.yahoo.com
server permit name cs16.msg.dcn.yahoo.com
server permit name cs19.msg.dcn.yahoo.com
server permit name cs42.msg.dcn.yahoo.com
server permit name cs53.msg.dcn.yahoo.com
server permit name cs54.msg.dcn.yahoo.
server permit name ads1.vip.scd.yahoo.com
server permit name radio1.launch.vip.dal.yahoo.com
server permit name in1.msg.vip.re2.yahoo.com
server permit name data1.my.vip.sc5.yahoo.com
server permit name address1.pim.vip.mud.yahoo.com
server permit name edit.messenger.yahoo.com
server permit name messenger.yahoo.com
server permit name http.pager.yahoo.com
server permit name privacy.yahoo.com
server permit name csa.yahoo.com
server permit name csb.yahoo.com
server permit name csc.yahoo.com
audit-trail on
!
bridge irb
!
!
interface ATM0
description ALICE ADSL 2 Mbit/s
no ip address
no ip mroute-cache
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
hold-queue 224 in
!
interface FastEthernet0
no cdp enable
spanning-tree portfast
!
interface FastEthernet1
no cdp enable
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 3
no cdp enable
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 4
no cdp enable
spanning-tree portfast
!
interface Dot11Radio0
no ip address
load-interval 30
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
encryption vlan 2 key 2 size 128bit 7 43EF61215AF784FBF6C0CB05E09C
encryption vlan 2 key 3 size 128bit 7 0CAFC833402921044CE8146982EB transmit-key
encryption vlan 2 mode ciphers tkip wep128
!
broadcast-key vlan 1 change 600
!
!
ssid guest
!
ssid home
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
power local cck 7
power local ofdm 7
power client maximum
channel least-congested 2447 2452 2457 2462
station-role root
no cdp enable
!
interface Dot11Radio0.1
description WLAN - WPA
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
description WLAN - WEP
encapsulation dot1Q 2
no cdp enable
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface Vlan1
description Home
no ip address
no ip mroute-cache
bridge-group 1
!
interface Vlan2
description Guests
no ip address
no ip mroute-cache
bridge-group 2
!
interface Vlan3
description VoIP
ip address 10.7.3.1 255.255.255.248
ip access-group 103 out
ip nat inside
ip inspect VLAN3-IN in
ip virtual-reassembly
!
interface Vlan4
description Bridge wireless
ip address 10.7.4.1 255.255.255.248
ip access-group 104 out
ip nat inside
ip inspect VLAN4-IN in
ip virtual-reassembly
!
interface Dialer0
ip ddns update hostname aaaaaaaaaaa.homeip.net
ip ddns update DYNDNS host aaaaaaaaaaa.homeip.net
ip address negotiated
ip access-group 2000 in
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
dialer pool 1
dialer idle-timeout 30
dialer-group 1
no keepalive
no cdp enable
ppp chap hostname [email protected]
ppp chap password 7 091A1D5D405D4E
ppp pap sent-username [email protected] password 7 08771F1A50415C
!
interface BVI1
description Home LAN
ip address 10.7.1.1 255.255.255.0
ip access-group 101 out
ip nat inside
ip inspect VLAN1-IN in
ip virtual-reassembly
!
interface BVI2
description Guests WLAN
ip address 10.7.2.1 255.255.255.240
ip access-group 102 out
ip nat inside
ip inspect VLAN2-IN in
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.12.0 255.255.255.0 10.7.4.6
!
!
no ip http server
ip http secure-server
ip nat translation timeout 3600
ip nat translation tcp-timeout 900
ip nat translation udp-timeout 600
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat translation max-entries 20000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.12.65 13000 interface Dialer0 13000
ip nat inside source static udp 10.7.4.6 4674 interface Dialer0 4674
ip nat inside source static tcp 10.7.4.6 4664 interface Dialer0 4664
ip nat inside source static tcp 10.7.1.11 31015 interface Dialer0 31015
ip nat inside source static tcp 10.7.1.11 31014 interface Dialer0 31014
ip nat inside source static tcp 10.7.1.11 31013 interface Dialer0 31013
ip nat inside source static tcp 10.7.1.11 31012 interface Dialer0 31012
ip nat inside source static tcp 10.7.1.11 31011 interface Dialer0 31011
ip nat inside source static tcp 10.7.1.11 31010 interface Dialer0 31010
ip nat inside source static tcp 10.7.1.11 31009 interface Dialer0 31009
ip nat inside source static tcp 10.7.1.11 31008 interface Dialer0 31008
ip nat inside source static tcp 10.7.1.11 31007 interface Dialer0 31007
ip nat inside source static tcp 10.7.1.11 31006 interface Dialer0 31006
ip nat inside source static tcp 10.7.1.11 31005 interface Dialer0 31005
ip nat inside source static tcp 10.7.1.11 31004 interface Dialer0 31004
ip nat inside source static tcp 10.7.1.11 31003 interface Dialer0 31003
ip nat inside source static tcp 10.7.1.11 31002 interface Dialer0 31002
ip nat inside source static tcp 10.7.1.11 31001 interface Dialer0 31001
ip nat inside source static tcp 10.7.1.11 31000 interface Dialer0 31000
ip nat inside source static tcp 10.7.1.11 80 interface Dialer0 11080
ip nat inside source static tcp 10.7.1.11 21 interface Dialer0 11021
ip nat inside source static tcp 10.7.1.11 22 interface Dialer0 11022
ip nat inside source static udp 10.7.3.2 8001 interface Dialer0 8001
ip nat inside source static udp 10.7.3.2 8000 interface Dialer0 8000
ip nat inside source static udp 10.7.3.2 5061 interface Dialer0 5061
ip nat inside source static udp 10.7.3.2 5060 interface Dialer0 5060
ip nat inside source static tcp 10.7.1.21 30031 interface Dialer0 30031
ip nat inside source static tcp 10.7.1.21 30030 interface Dialer0 30030
ip nat inside source static tcp 10.7.1.21 30029 interface Dialer0 30029
ip nat inside source static tcp 10.7.1.21 30028 interface Dialer0 30028
ip nat inside source static tcp 10.7.1.21 30027 interface Dialer0 30027
ip nat inside source static tcp 10.7.1.21 30026 interface Dialer0 30026
ip nat inside source static tcp 10.7.1.21 30025 interface Dialer0 30025
ip nat inside source static tcp 10.7.1.21 30024 interface Dialer0 30024
ip nat inside source static tcp 10.7.1.21 30023 interface Dialer0 30023
ip nat inside source static tcp 10.7.1.21 30022 interface Dialer0 30022
ip nat inside source static tcp 10.7.1.21 30021 interface Dialer0 30021
ip nat inside source static tcp 10.7.1.21 30020 interface Dialer0 30020
ip nat inside source static tcp 10.7.1.21 30019 interface Dialer0 30019
ip nat inside source static tcp 10.7.1.21 30018 interface Dialer0 30018
ip nat inside source static tcp 10.7.1.21 30017 interface Dialer0 30017
ip nat inside source static tcp 10.7.1.21 30016 interface Dialer0 30016
ip nat inside source static tcp 10.7.1.21 30015 interface Dialer0 30015
ip nat inside source static tcp 10.7.1.21 30014 interface Dialer0 30014
ip nat inside source static tcp 10.7.1.21 30013 interface Dialer0 30013
ip nat inside source static tcp 10.7.1.21 30012 interface Dialer0 30012
ip nat inside source static tcp 10.7.1.21 30011 interface Dialer0 30011
ip nat inside source static tcp 10.7.1.21 30010 interface Dialer0 30010
ip nat inside source static tcp 10.7.1.21 30009 interface Dialer0 30009
ip nat inside source static tcp 10.7.1.21 30008 interface Dialer0 30008
ip nat inside source static tcp 10.7.1.21 30007 interface Dialer0 30007
ip nat inside source static tcp 10.7.1.21 30006 interface Dialer0 30006
ip nat inside source static tcp 10.7.1.21 30005 interface Dialer0 30005
ip nat inside source static tcp 10.7.1.21 30004 interface Dialer0 30004
ip nat inside source static tcp 10.7.1.21 30003 interface Dialer0 30003
ip nat inside source static tcp 10.7.1.21 30002 interface Dialer0 30002
ip nat inside source static tcp 10.7.1.21 30001 interface Dialer0 30001
ip nat inside source static tcp 10.7.1.21 30000 interface Dialer0 30000
ip nat inside source static udp 10.7.1.21 6881 interface Dialer0 6881
ip nat inside source static tcp 10.7.1.21 6881 interface Dialer0 6881
ip nat inside source static udp 10.7.4.6 6882 interface Dialer0 6882
ip nat inside source static tcp 10.7.4.6 6882 interface Dialer0 6882
ip nat inside source static tcp 10.7.1.21 4662 interface Dialer0 4662
ip nat inside source static udp 10.7.1.21 4672 interface Dialer0 4672
ip nat inside source static tcp 10.7.1.21 21 interface Dialer0 21
ip nat inside source static tcp 10.7.1.21 22 interface Dialer0 2222
ip nat inside source static tcp 10.7.1.21 80 interface Dialer0 80
ip nat inside source static tcp 10.7.1.21 443 interface Dialer0 443
!
access-list 1 remark ******************************
access-list 1 remark *** ACL for PAT and NAT0 ***
access-list 1 permit 10.7.1.0 0.0.0.255
access-list 1 permit 10.7.2.0 0.0.0.15
access-list 1 permit 10.7.3.0 0.0.0.7
access-list 1 permit 10.7.4.0 0.0.0.7
access-list 1 permit 192.168.12.0 0.0.0.255
access-list 101 remark *************************************************************
access-list 101 remark *** ACL OUT towards VLAN1
access-list 101 permit tcp any host 10.7.1.21 eq ftp
access-list 101 permit tcp any host 10.7.1.21 eq 22
access-list 101 permit tcp any host 10.7.1.21 eq www
access-list 101 permit tcp any host 10.7.1.21 eq 443
!!access-list 101 permit tcp any host 10.7.1.21 eq 990
!access-list 101 permit tcp any host 10.7.1.21 range 30000 30031
access-list 101 permit tcp any host 10.7.1.21 eq 4662
access-list 101 permit udp any host 10.7.1.21 eq 4672
access-list 101 permit tcp any host 10.7.1.21 eq 6881
access-list 101 permit udp any host 10.7.1.21 eq 6881
access-list 101 permit tcp any host 10.7.1.11 eq ftp
access-list 101 permit tcp any host 10.7.1.11 eq 22
access-list 101 permit tcp any host 10.7.1.11 eq www
!access-list 101 permit tcp any host 10.7.1.11 range 31000 31015
access-list 102 remark *************************************************************
access-list 102 remark *** ACL OUT towards VLAN2
access-list 102 permit icmp 10.7.1.0 0.0.0.255 10.7.2.0 0.0.0.15
access-list 103 remark *************************************************************
access-list 103 remark *** ACL OUT towards VLAN3
access-list 103 permit tcp any 10.7.3.0 0.0.0.7 established
access-list 103 permit udp any host 10.7.3.2 eq 8000
access-list 103 permit udp any host 10.7.3.2 eq 8001
access-list 103 permit tcp 10.7.1.0 0.0.0.255 host 10.7.3.2 eq www
access-list 103 permit icmp 10.7.1.0 0.0.0.255 10.7.3.0 0.0.0.7
access-list 104 remark *************************************************************
access-list 104 remark *** ACL OUT towards VLAN4
access-list 104 permit tcp any host 192.168.12.65 eq 13000
access-list 104 permit tcp any host 10.7.4.6 eq 4664
access-list 104 permit udp any host 10.7.4.6 eq 4674
access-list 104 permit tcp any host 10.7.4.6 eq 6882
access-list 104 permit udp any host 10.7.4.6 eq 6882
access-list 104 permit tcp 10.7.1.0 0.0.0.255 host 10.7.4.2 eq www
access-list 104 permit tcp 10.7.1.0 0.0.0.255 host 10.7.4.6 eq 44333
access-list 104 permit tcp 10.7.1.0 0.0.0.255 host 10.7.4.6 eq 5978
access-list 104 permit tcp 10.7.1.0 0.0.0.255 host 10.7.4.6 eq ftp
!access-list 104 permit tcp 10.7.1.0 0.0.0.255 host 10.7.4.6 range 40000 40031
access-list 104 permit icmp 10.7.1.0 0.0.0.255 10.7.4.0 0.0.0.7
access-list 104 permit tcp 10.7.1.0 0.0.0.255 host 192.168.12.65 eq 22
access-list 104 permit icmp 10.7.1.0 0.0.0.255 host 192.168.12.65
access-list 2000 remark *************************************************************
access-list 2000 remark ***** ACL Dialer0 IN *****
access-list 2000 remark *** ACL ANTI-SPOOFING ***
access-list 2000 deny ip host 0.0.0.0 any log
access-list 2000 deny ip 127.0.0.0 0.255.255.255 any log
access-list 2000 deny ip 192.0.2.0 0.0.0.255 any log
access-list 2000 deny ip 224.0.0.0 31.255.255.255 any log
access-list 2000 deny ip 10.0.0.0 0.255.255.255 any log
access-list 2000 deny ip 172.16.0.0 0.15.255.255 any log
access-list 2000 deny ip 192.168.0.0 0.0.255.255 any log
access-list 2000 remark *************************************************************
access-list 2000 remark *** ACL PER CONTROLLARE TRAFFICO ICMP ***
access-list 2000 permit icmp any any echo
access-list 2000 permit icmp any any echo-reply
access-list 2000 permit icmp any any time-exceeded
access-list 2000 permit icmp any any unreachable
access-list 2000 permit icmp any any administratively-prohibited
access-list 2000 permit icmp any any packet-too-big
access-list 2000 permit icmp any any traceroute
access-list 2000 deny icmp any any
access-list 2000 remark *************************************************************
access-list 2000 remark *** ACL PER BLOCCARE L'ACCESSO A VIRUS E ATTACCHI ***
access-list 2000 deny tcp any any eq 135
access-list 2000 deny udp any any eq 135
access-list 2000 deny udp any any eq netbios-ns
access-list 2000 deny udp any any eq netbios-dgm
access-list 2000 deny tcp any any eq 139
access-list 2000 deny udp any any eq netbios-ss
access-list 2000 deny tcp any any eq 445
access-list 2000 deny tcp any any eq 593
access-list 2000 deny tcp any any eq 2049
access-list 2000 deny udp any any eq 2049
access-list 2000 deny tcp any any eq 2000
access-list 2000 deny tcp any any range 6000 6010
access-list 2000 deny udp any any eq 1433
access-list 2000 deny udp any any eq 1434
access-list 2000 deny udp any any eq 5554
access-list 2000 deny udp any any eq 9996
access-list 2000 deny udp any any eq 113
access-list 2000 deny udp any any eq 3067
access-list 2000 remark *************************************************************
access-list 2000 remark *** ACL PER PERMETTERE o BLOCCARE l'ACCESSO AI SERVERS
access-list 2000 deny tcp any any eq telnet
access-list 2000 permit udp host 193.204.114.232 eq ntp any
access-list 2000 permit udp host 193.204.114.233 eq ntp any
access-list 2000 permit udp host 130.149.17.8 eq ntp any
access-list 2000 permit udp host 18.103.0.198 eq ntp any
access-list 2000 permit udp host 208.67.222.222 eq domain any
access-list 2000 permit udp host 208.67.220.220 eq domain any
access-list 2000 permit tcp any any eq 22
access-list 2000 permit tcp any any eq ftp
access-list 2000 permit tcp any any eq www
access-list 2000 permit tcp any any eq 443
access-list 2000 permit tcp any any eq 2222
access-list 2000 permit tcp any any eq 11021
access-list 2000 permit tcp any any eq 11022
access-list 2000 permit tcp any any eq 11080
!access-list 2000 permit tcp any any range 30000 30031
!access-list 2000 permit tcp any any range 31000 31015
access-list 2000 permit tcp any any eq 4662
access-list 2000 permit udp any any eq 4672
access-list 2000 permit tcp any any eq 4664
access-list 2000 permit udp any any eq 4674
access-list 2000 permit tcp any any eq 6881
access-list 2000 permit udp any any eq 6881
access-list 2000 permit tcp any any eq 6882
access-list 2000 permit udp any any eq 6882
access-list 2000 permit udp any any eq 8000
access-list 2000 permit udp any any eq 8001
access-list 2000 permit tcp any any eq 13000
access-list 2000 deny ip any any
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
!
line con 0
login local
no modem enable
transport output all
line aux 0
transport output all
line vty 0 4
privilege level 15
login local
transport input ssh
transport output ssh
!
scheduler max-task-time 5000
scheduler interval 500
ntp clock-period 17178947
ntp max-associations 16
ntp server 193.204.114.232 prefer
ntp server 193.204.114.233
ntp server 130.149.17.8
ntp server 18.103.0.198
!
webvpn cef
end
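One way to answer the question above (which of the forwarded ports the static ACLs actually let through) is to cross-check each "ip nat inside source static" entry against ACL 2000 on Dialer0 and the "out" ACL of the inside VLAN. This is an added example, not the poster's code: it assumes the subnet-to-ACL mapping read off the posted interfaces, a placeholder public address in place of the negotiated Dialer0 one, and it models only static permits (openings that "ip inspect" creates dynamically are ignored).

```python
"""Audit Cisco IOS static port-forwards against the ACLs that guard them (added example).
Traffic from the outside meets Dialer0's inbound ACL before NAT (public address, outside port)
and the inside interface's outbound ACL after NAT (inside host, inside port). Only static
permits are modelled; openings created dynamically by 'ip inspect' are not."""
import ipaddress

PORT_NAMES = {"ftp": 21, "domain": 53, "www": 80, "ntp": 123}
INBOUND_ACL = "2000"       # applied 'in' on Dialer0 in the post
PUBLIC_IP = "203.0.113.1"  # placeholder for the negotiated Dialer0 address (assumption)
# Inside subnet -> ACL applied 'out' on its interface in the post (192.168.12.0/24 is routed via 10.7.4.6).
VLAN_OUT_ACL = {"10.7.1.0/24": "101", "10.7.2.0/28": "102", "10.7.3.0/29": "103",
                "10.7.4.0/29": "104", "192.168.12.0/24": "104"}
# Constructed sample: lines copied from the posted config (the ftps/990 permit is commented out there).
CONFIG = """\
ip nat inside source static tcp 10.7.1.21 22 interface Dialer0 2222
ip nat inside source static udp 10.7.3.2 5060 interface Dialer0 5060
access-list 101 permit tcp any host 10.7.1.21 eq ftp
access-list 101 permit tcp any host 10.7.1.21 eq 22
!!access-list 101 permit tcp any host 10.7.1.21 eq 990
access-list 103 permit udp any host 10.7.3.2 eq 8000
access-list 2000 permit udp host 208.67.222.222 eq domain any
access-list 2000 permit tcp any any eq 2222
access-list 2000 deny ip any any
"""

def parse_addr(t, i):
    """Consume one ACL address spec at t[i]: 'any', 'host X' or 'net wildcard'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2  # ipaddress accepts a wildcard mask

def parse_acl_permit(line):
    """Return (acl, proto, dst_net, dst_port) for a tcp/udp permit with 'eq' on the destination."""
    t = line.split()
    if len(t) < 8 or t[0] != "access-list" or t[2] != "permit" or t[3] not in ("tcp", "udp"):
        return None  # remarks, denies, commented-out ('!') lines and non-tcp/udp entries are ignored
    try:
        _, i = parse_addr(t, 4)        # source spec; a source-port match such as 'eq ntp' is skipped
        i += 2 if t[i] == "eq" else 0
        dst, i = parse_addr(t, i)
        if i + 1 >= len(t) or t[i] != "eq":
            return None                # 'range', 'established', no port at all, ...
        return t[1], t[3], dst, PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    except (IndexError, ValueError):
        return None

def audit(config_text):
    """Map each static forward to (inbound_permitted, outbound_permitted, outbound_acl)."""
    forwards = [(t[5], t[6], int(t[7]), int(t[10]))  # proto, inside ip, inside port, outside port
                for t in map(str.split, config_text.splitlines())
                if t[:5] == "ip nat inside source static".split() and len(t) == 11]
    permits = [p for p in map(parse_acl_permit, config_text.splitlines()) if p]
    def permitted(acl, proto, dst_ip, port):
        return any(a == acl and p == proto and ipaddress.ip_address(dst_ip) in net and pt == port
                   for a, p, net, pt in permits)
    report = {}
    for proto, ip, in_port, out_port in forwards:
        out_acl = next((acl for net, acl in VLAN_OUT_ACL.items()
                        if ipaddress.ip_address(ip) in ipaddress.ip_network(net)), None)
        inb = permitted(INBOUND_ACL, proto, PUBLIC_IP, out_port)               # checked before translation
        outb = out_acl is not None and permitted(out_acl, proto, ip, in_port)  # checked after translation
        report[(proto, ip, in_port, out_port)] = (inb, outb, out_acl)
    return report
```

Running `audit()` over the full posted config lists every forward that NAT creates but one of the two ACLs drops, which is the first thing to check before adding any inspect rule.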