ACL problem

Secure your network!

Moderator: Federico.Lagni

acarlo
n00b
Posts: 12
Joined: Tue 01 Nov 2005, 7:50 pm

Hello, I created this ACL which unfortunately doesn't work... it blocks all traffic, even towards the gateway itself.


access-list 125 remark Dario Notebook
access-list 125 permit ip host 192.168.100.28 192.168.100.128 0.0.0.31
access-list 125 remark Uni 3
access-list 125 permit ip host 192.168.100.41 192.168.100.128 0.0.0.31
access-list 125 remark Uni 2
access-list 125 permit ip host 192.168.100.40 192.168.100.128 0.0.0.31
access-list 125 remark Uni 1
access-list 125 permit ip host 192.168.100.39 192.168.100.128 0.0.0.31
access-list 125 remark Carlo
access-list 125 permit ip host 192.168.100.11 any
access-list 125 remark Giovanni
access-list 125 permit ip host 192.168.100.20 any
access-list 125 remark Sala Riunioni
access-list 125 permit ip host 192.168.100.70 192.168.100.128 0.0.0.31
access-list 125 remark Dario
access-list 125 permit ip host 192.168.100.38 192.168.100.128 0.0.0.31
access-list 125 remark Printer
access-list 125 permit ip host 192.168.100.124 any
access-list 125 deny ip 192.168.100.0 0.0.0.127 192.168.100.128 0.0.0.31
access-list 125 deny ip 192.168.100.0 0.0.0.127 192.168.100.192 0.0.0.15
access-list 125 deny ip 192.168.100.0 0.0.0.127 192.168.100.160 0.0.0.31
access-list 125 deny ip 192.168.100.0 0.0.0.127 192.168.100.224 0.0.0.15
access-list 125 deny ip 192.168.100.0 0.0.0.127 192.168.100.208 0.0.0.15
access-list 125 remark HTTP
access-list 125 permit tcp 192.168.100.0 0.0.0.128 any eq www
access-list 125 remark HTTPS
access-list 125 permit tcp 192.168.100.0 0.0.0.128 any eq 443
access-list 125 remark DNS
access-list 125 permit tcp 192.168.100.0 0.0.0.128 any eq domain
access-list 125 remark DNS
access-list 125 permit udp 192.168.100.0 0.0.0.128 any eq domain
access-list 125 remark POP
access-list 125 permit tcp 192.168.100.0 0.0.0.128 any eq pop3
access-list 125 remark SMTP
access-list 125 permit tcp 192.168.100.0 0.0.0.128 any eq smtp
access-list 125 remark FTP
access-list 125 permit tcp 192.168.100.0 0.0.0.128 any eq ftp
access-list 125 remark SSH
access-list 125 permit tcp 192.168.100.0 0.0.0.128 any eq 22
access-list 125 remark MSN messaggi
access-list 125 permit tcp 192.168.100.0 0.0.0.128 any eq 1863
access-list 125 remark MSN Files
access-list 125 permit tcp 192.168.100.0 0.0.0.128 any eq 6891
access-list 125 deny ip host 255.255.255.255 any
access-list 125 deny ip 127.0.0.0 0.255.255.255 any
access-list 125 deny ip any any


Could anyone help me?
Thanks

P.S.: if I put a permit ip any any in the last line the network works... but obviously I don't get the result I was hoping for with the ACL rules.

Thanks.
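The wildcard behaviour behind this symptom can be checked offline. The evaluator below is an added example, not code from the thread or from Cisco: it reproduces a few lines of ACL 125 exactly as posted, replays sample packets through them with IOS first-match and wildcard-mask semantics, and reports the line that decides each packet. The destination 198.51.100.10 is a constructed placeholder, the port-keyword table is partial, and only a destination-side `eq` is parsed. It shows that a source clause of 192.168.100.0 0.0.0.128 covers only the addresses .0 and .128, so none of the per-service permits can match an ordinary host of the /25 and that host's traffic falls through to the closing deny ip any any; with the wildcard corrected to 0.0.0.127 the service permits match, while a ping from such a host to the subinterface address 192.168.100.1 still has no permit line and is dropped, which matches the "even the gateway" part of the report.

```python
"""
Offline evaluator for Cisco IOS numbered extended ACLs (added example, not
router code). It replays packets through an excerpt of ACL 125 from the post
to show why the per-service permits never match a real host in 192.168.100.0/25.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Partial table of IOS port keywords: only those used in the thread's ACL.
PORT_NAMES = {"www": 80, "domain": 53, "pop3": 110, "smtp": 25, "ftp": 21}

# Excerpt of ACL 125 exactly as posted (remarks and most per-host lines dropped).
ACL_125_EXCERPT = """
access-list 125 permit ip host 192.168.100.28 192.168.100.128 0.0.0.31
access-list 125 permit ip host 192.168.100.11 any
access-list 125 deny ip 192.168.100.0 0.0.0.127 192.168.100.128 0.0.0.31
access-list 125 permit tcp 192.168.100.0 0.0.0.128 any eq www
access-list 125 permit tcp 192.168.100.0 0.0.0.128 any eq 443
access-list 125 permit udp 192.168.100.0 0.0.0.128 any eq domain
access-list 125 deny ip any any
"""


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", "icmp"
    src: int               # addresses held as 32-bit integers
    src_wild: int
    dst: int
    dst_wild: int
    dport: Optional[int]   # destination port from "eq", if present
    text: str              # original line, reported as the deciding rule


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Consume 'any', 'host A' or 'A WILDCARD'; return (addr, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'; remarks are skipped."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, src_wild, i = _parse_addr(t, 4)
        dst, dst_wild, i = _parse_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":   # destination-side eq only (assumption)
            dport = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
        entries.append(Entry(t[2], t[3], src, src_wild, dst, dst_wild, dport, line))
    return entries


def wildcard_match(addr: int, base: int, wild: int) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ wild
    return (addr & care) == (base & care)


def evaluate(entries: List[Entry], src: str, dst: str,
             proto: str = "ip", dport: Optional[int] = None) -> Tuple[str, str]:
    """First match wins; a list that reaches its end denies implicitly."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wildcard_match(s, e.src, e.src_wild) and wildcard_match(d, e.dst, e.dst_wild)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e.text
    return "deny", "implicit deny"


def last_octets_matched(base: str, wild: str) -> List[int]:
    """Which hosts of 192.168.100.0/24 a source clause really covers."""
    b, w = _ip(base), _ip(wild)
    return [x for x in range(256) if wildcard_match(_ip("192.168.100.0") + x, b, w)]


def with_corrected_wildcard(text: str) -> str:
    """A /25 is wildcard 0.0.0.127; 0.0.0.128 covers only .0 and .128."""
    return text.replace("0.0.0.128 any", "0.0.0.127 any")


if __name__ == "__main__":
    acl = parse_acl(ACL_125_EXCERPT)
    print(last_octets_matched("192.168.100.0", "0.0.0.128"))             # [0, 128]
    print(evaluate(acl, "192.168.100.50", "198.51.100.10", "tcp", 80))   # deny ip any any
    print(evaluate(acl, "192.168.100.50", "192.168.100.1", "icmp"))      # ping to gateway: denied
    fixed = parse_acl(with_corrected_wildcard(ACL_125_EXCERPT))
    print(evaluate(fixed, "192.168.100.50", "198.51.100.10", "tcp", 80))  # now permitted
```

Run it as a script, or feed `parse_acl` the full list and call `evaluate` with the hosts you care about; the returned line tells you which rule decided, which is the quickest way to audit an ACL before applying it to an interface.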
MaiO
Messianic Network master
Posts: 1083
Joined: Sat 15 Oct 2005, 10:55 am
Location: Milano

Where did you apply it?

On which interface and in which direction?

The ACL by itself means nothing, it makes no sense.

Ciao
-=] MaiO [=-
acarlo
n00b
Posts: 12
Joined: Tue 01 Nov 2005, 7:50 pm

It was applied to an internal interface, for outbound traffic
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

Post the whole config
The future is made of people who have intuitions and visions..... they are the people who make the difference...... those gifted with a THIRD EYE....
acarlo
n00b
Posts: 12
Joined: Tue 01 Nov 2005, 7:50 pm

here it is:

I would like to enable only certain services outbound... since inbound the firewall is enabled, something done through SDM, which in my opinion has also cluttered the config.
Could someone help me clean it up a bit and maybe solve this problem of mine?
Thanks.


Building configuration...

Current configuration : 38077 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.124-4.T2.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
clock timezone Berlin 1
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.161
!
ip dhcp pool guest-vlan
network 192.168.100.160 255.255.255.224
default-router 192.168.100.161
dns-server 151.99.125.1 151.99.125.3
!
!
no ip bootp server
ip name-server 192.168.100.4
ip name-server 213.92.5.54
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect udp idle-time 60
ip inspect dns-timeout 60
ip inspect tcp finwait-time 10
ip inspect tcp synwait-time 60
ip inspect name SDM_LOW appfw SDM_LOW
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW ftp
ip ips sdf location flash://256MB.sdf
ip ips notify SDEE
ip ips name sdm_ips_rule
ip urlfilter exclusive-domain deny www.ogame.it
!
appfw policy-name SDM_LOW
application http
port-misuse p2p action reset alarm
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-4101280706
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4101280706
revocation-check none
rsakeypair TP-self-signed-4101280706
!
!
crypto pki certificate chain TP-self-signed-4101280706
certificate self-signed 01
3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313031 32383037 3036301E 170D3036 30343231 31313230
31325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31303132
38303730 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
81009BD3 FE5C84D7 B910F9AA 458AB56F 34491033 403D59B1 E64C2924 1FC1B541
F4B0142D 19BDDF52 0DFCF400 9C8A4D69 BBB2A71F 00C4B51E 1A4E024E AE2D2000
DFD47032 A7855F9F 69C948D5 0092345B 1AAE6B90 E91B2EB3 1A02A960 C3E0091B
D15E9EE8 7CD987E9 705D776C B0A0ADF9 75E0B597 EBDC725D 710CD4B4 25465812
332D0203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
551D1104 0B300982 07526F75 7465722E 301F0603 551D2304 18301680 149EE8B7
65708D64 D5321D75 E8449F39 4ED56087 79301D06 03551D0E 04160414 9EE8B765
708D64D5 321D75E8 449F394E D5608779 300D0609 2A864886 F70D0101 04050003
81810012 303C1CED 4C73D281 93D0B20E 9E52E153 FB51985B FC82C8FD 31EF9921
F723E0C5 669AB447 CF1B46E9 CA4258B9 83BF8597 3AAB20A1 C8E3332E 323A899D
01910CCD 15FD3787 50F81A98 6588CE67 901B4FB3 22C479F8 D0EAEBC1 281BE8C5
F0AEC336 1A8F6816 92D133E8 6D6C263B 0F834EAA 064C8CE4 D73CFF5A 73A1CC29 321330
quit
username
!
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
!
policy-map sdmappfwp2p_SDM_LOW
class sdm_p2p_gnutella
drop
class sdm_p2p_bittorrent
drop
class sdm_p2p_edonkey
class sdm_p2p_kazaa
drop
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface GigabitEthernet0/0
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/0.1
description $FW_INSIDE$
encapsulation dot1Q 1 native
ip address 192.168.100.193 255.255.255.240
ip access-group 124 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip ips sdm_ips_rule out
ip virtual-reassembly
no snmp trap link-status
!
interface GigabitEthernet0/0.2
description $FW_INSIDE$
encapsulation dot1Q 2
ip address 192.168.100.1 255.255.255.128
ip access-group 125 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip ips sdm_ips_rule out
ip virtual-reassembly
no snmp trap link-status
!
interface GigabitEthernet0/0.3
description $FW_INSIDE$
encapsulation dot1Q 3
ip address 192.168.100.129 255.255.255.224
ip access-group 126 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip ips sdm_ips_rule out
ip virtual-reassembly
no snmp trap link-status
!
interface GigabitEthernet0/0.4
description $FW_INSIDE$
encapsulation dot1Q 4
ip address 192.168.100.161 255.255.255.224
ip access-group 131 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip ips sdm_ips_rule out
ip virtual-reassembly
no snmp trap link-status
!
interface GigabitEthernet0/0.5
description $FW_INSIDE$
encapsulation dot1Q 5
ip address 192.168.100.209 255.255.255.240
ip access-group 132 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip ips sdm_ips_rule out
ip virtual-reassembly
no snmp trap link-status
!
interface GigabitEthernet0/0.6
description $FW_INSIDE$
encapsulation dot1Q 6
ip address 192.168.100.225 255.255.255.240
ip access-group 134 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip ips sdm_ips_rule out
ip virtual-reassembly
no snmp trap link-status
!
interface GigabitEthernet0/1
description $FW_OUTSIDE$$ETH-WAN$
ip address 88.45.132.114 255.255.255.248
ip access-group 137 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
ip ips sdm_ips_rule in
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
service-policy input sdmappfwp2p_SDM_LOW
service-policy output sdmappfwp2p_SDM_LOW
!
interface Serial0/3/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
clock rate 2000000
!
ip default-gateway 192.168.1.1
ip classless
ip route 0.0.0.0 0.0.0.0 88.45.132.113 permanent
!
!
no ip http server
ip http access-class 1
ip http secure-server
ip nat inside source list 2 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.100.4 22 interface GigabitEthernet0/1 22
ip nat inside source static tcp 192.168.100.5 1000 interface GigabitEthernet0/1 1000
ip nat inside source static tcp 192.168.100.4 1723 interface GigabitEthernet0/1 1723
ip nat inside source static tcp 192.168.100.5 21 interface GigabitEthernet0/1 21
ip nat inside source static tcp 192.168.100.5 1001 interface GigabitEthernet0/1 1001
ip nat inside source static tcp 192.168.100.5 80 88.45.132.114 80 extendable
ip nat inside source static tcp 192.168.100.20 4662 88.45.132.114 4662 extendable
ip nat inside source static udp 192.168.100.20 4672 88.45.132.114 4672 extendable
ip nat inside source static tcp 192.168.100.139 22 88.45.132.115 22 extendable
!
logging trap debugging
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.100.0 0.0.0.127
access-list 1 permit 192.168.100.192 0.0.0.15
access-list 1 permit 192.168.100.224 0.0.0.15
access-list 1 permit 192.168.100.208 0.0.0.15
access-list 1 permit 192.168.100.160 0.0.0.31
access-list 1 permit 192.168.100.128 0.0.0.31
access-list 1 deny any
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.100.128 0.0.0.31
access-list 2 permit 192.168.100.160 0.0.0.31
access-list 2 permit 192.168.100.208 0.0.0.15
access-list 2 permit 192.168.100.224 0.0.0.15
access-list 2 permit 192.168.100.192 0.0.0.15
access-list 2 permit 192.168.100.0 0.0.0.127
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 192.168.100.0 0.0.0.127 any
access-list 100 deny ip 192.168.1.0 0.0.0.255 any
access-list 100 deny ip 192.168.100.224 0.0.0.15 any
access-list 100 deny ip 192.168.100.208 0.0.0.15 any
access-list 100 deny ip 192.168.100.160 0.0.0.31 any
access-list 100 deny ip 192.168.100.128 0.0.0.31 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.100.192 0.0.0.15 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 192.168.100.224 0.0.0.15 any
access-list 101 deny ip 192.168.100.208 0.0.0.15 any
access-list 101 deny ip 192.168.100.160 0.0.0.31 any
access-list 101 deny ip 192.168.100.128 0.0.0.31 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 192.168.100.0 0.0.0.127 any
access-list 102 deny ip 192.168.100.192 0.0.0.15 any
access-list 102 deny ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip 192.168.100.224 0.0.0.15 any
access-list 102 deny ip 192.168.100.208 0.0.0.15 any
access-list 102 deny ip 192.168.100.160 0.0.0.31 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny ip 192.168.100.0 0.0.0.127 any
access-list 103 deny ip 192.168.100.192 0.0.0.15 any
access-list 103 deny ip 192.168.1.0 0.0.0.255 any
access-list 103 deny ip 192.168.100.224 0.0.0.15 any
access-list 103 deny ip 192.168.100.208 0.0.0.15 any
access-list 103 deny ip 192.168.100.128 0.0.0.31 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 deny ip 192.168.100.0 0.0.0.127 any
access-list 104 deny ip 192.168.100.192 0.0.0.15 any
access-list 104 deny ip 192.168.1.0 0.0.0.255 any
access-list 104 deny ip 192.168.100.224 0.0.0.15 any
access-list 104 deny ip 192.168.100.160 0.0.0.31 any
access-list 104 deny ip 192.168.100.128 0.0.0.31 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip any any
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 deny ip 192.168.100.0 0.0.0.127 any
access-list 105 deny ip 192.168.100.192 0.0.0.15 any
access-list 105 deny ip 192.168.1.0 0.0.0.255 any
access-list 105 deny ip 192.168.100.208 0.0.0.15 any
access-list 105 deny ip 192.168.100.160 0.0.0.31 any
access-list 105 deny ip 192.168.100.128 0.0.0.31 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 permit ip any any
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 106 deny ip 192.168.100.0 0.0.0.127 any
access-list 106 deny ip 192.168.100.192 0.0.0.15 any
access-list 106 deny ip 192.168.100.224 0.0.0.15 any
access-list 106 deny ip 192.168.100.208 0.0.0.15 any
access-list 106 deny ip 192.168.100.160 0.0.0.31 any
access-list 106 deny ip 192.168.100.128 0.0.0.31 any
access-list 106 permit icmp any host 192.168.1.42 echo-reply
access-list 106 permit icmp any host 192.168.1.42 time-exceeded
access-list 106 permit icmp any host 192.168.1.42 unreachable
access-list 106 deny ip 10.0.0.0 0.255.255.255 any
access-list 106 deny ip 172.16.0.0 0.15.255.255 any
access-list 106 deny ip 192.168.0.0 0.0.255.255 any
access-list 106 deny ip 127.0.0.0 0.255.255.255 any
access-list 106 deny ip host 255.255.255.255 any
access-list 106 deny ip host 0.0.0.0 any
access-list 106 deny ip any any log
access-list 107 remark VTY Access-class list
access-list 107 remark SDM_ACL Category=1
access-list 107 permit ip 192.168.100.0 0.0.0.127 any
access-list 107 permit ip 192.168.100.192 0.0.0.15 any
access-list 107 permit ip 192.168.100.224 0.0.0.15 any
access-list 107 permit ip 192.168.100.208 0.0.0.15 any
access-list 107 permit ip 192.168.100.160 0.0.0.31 any
access-list 107 permit ip 192.168.100.128 0.0.0.31 any
access-list 107 deny ip any any
access-list 108 remark auto generated by SDM firewall configuration
access-list 108 remark SDM_ACL Category=1
access-list 108 deny ip 192.168.1.0 0.0.0.255 any
access-list 108 deny ip host 255.255.255.255 any
access-list 108 deny ip 127.0.0.0 0.255.255.255 any
access-list 108 permit ip any any
access-list 109 remark auto generated by SDM firewall configuration
access-list 109 remark SDM_ACL Category=1
access-list 109 deny ip 192.168.100.0 0.0.0.127 any
access-list 109 permit icmp any host 192.168.1.42 echo-reply
access-list 109 permit icmp any host 192.168.1.42 time-exceeded
access-list 109 permit icmp any host 192.168.1.42 unreachable
access-list 109 deny ip 10.0.0.0 0.255.255.255 any
access-list 109 deny ip 172.16.0.0 0.15.255.255 any
access-list 109 deny ip 192.168.0.0 0.0.255.255 any
access-list 109 deny ip 127.0.0.0 0.255.255.255 any
access-list 109 deny ip host 255.255.255.255 any
access-list 109 deny ip host 0.0.0.0 any
access-list 109 deny ip any any log
access-list 110 remark auto generated by SDM firewall configuration
access-list 110 remark SDM_ACL Category=1
access-list 110 deny ip 192.168.100.192 0.0.0.15 any
access-list 110 deny ip 192.168.1.0 0.0.0.255 any
access-list 110 deny ip 192.168.100.224 0.0.0.15 any
access-list 110 deny ip 192.168.100.208 0.0.0.15 any
access-list 110 deny ip 192.168.100.160 0.0.0.31 any
access-list 110 deny ip 192.168.100.128 0.0.0.31 any
access-list 110 deny ip host 255.255.255.255 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 permit ip any any
access-list 111 remark auto generated by SDM firewall configuration
access-list 111 remark SDM_ACL Category=1
access-list 111 deny ip 192.168.100.0 0.0.0.127 any
access-list 111 deny ip 192.168.100.192 0.0.0.15 any
access-list 111 deny ip 192.168.100.224 0.0.0.15 any
access-list 111 deny ip 192.168.100.208 0.0.0.15 any
access-list 111 deny ip 192.168.100.160 0.0.0.31 any
access-list 111 deny ip 192.168.100.128 0.0.0.31 any
access-list 111 permit icmp any host 192.168.1.42 echo-reply
access-list 111 permit icmp any host 192.168.1.42 time-exceeded
access-list 111 permit icmp any host 192.168.1.42 unreachable
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip host 255.255.255.255 any
access-list 111 deny ip host 0.0.0.0 any
access-list 111 deny ip any any log
access-list 112 remark auto generated by SDM firewall configuration
access-list 112 remark SDM_ACL Category=1
access-list 112 deny ip 192.168.100.0 0.0.0.127 any
access-list 112 deny ip host 255.255.255.255 any
access-list 112 deny ip 127.0.0.0 0.255.255.255 any
access-list 112 permit ip any any
access-list 113 remark auto generated by SDM firewall configuration
access-list 113 remark SDM_ACL Category=1
access-list 113 permit udp host 192.168.100.4 eq domain host 192.168.100.1
access-list 113 deny ip 192.168.100.192 0.0.0.15 any
access-list 113 permit icmp any host 192.168.100.1 echo-reply
access-list 113 permit icmp any host 192.168.100.1 time-exceeded
access-list 113 permit icmp any host 192.168.100.1 unreachable
access-list 113 deny ip 10.0.0.0 0.255.255.255 any
access-list 113 deny ip 172.16.0.0 0.15.255.255 any
access-list 113 deny ip 192.168.0.0 0.0.255.255 any
access-list 113 deny ip 127.0.0.0 0.255.255.255 any
access-list 113 deny ip host 255.255.255.255 any
access-list 113 deny ip host 0.0.0.0 any
access-list 113 deny ip any any log
access-list 114 remark auto generated by SDM firewall configuration
access-list 114 remark SDM_ACL Category=1
access-list 114 deny ip 192.168.1.0 0.0.0.255 any
access-list 114 deny ip 192.168.100.224 0.0.0.15 any
access-list 114 deny ip 192.168.100.208 0.0.0.15 any
access-list 114 deny ip 192.168.100.160 0.0.0.31 any
access-list 114 deny ip 192.168.100.128 0.0.0.31 any
access-list 114 deny ip host 255.255.255.255 any
access-list 114 deny ip 127.0.0.0 0.255.255.255 any
access-list 114 permit ip any any
access-list 115 remark auto generated by SDM firewall configuration
access-list 115 remark SDM_ACL Category=1
access-list 115 deny ip 192.168.100.192 0.0.0.15 any
access-list 115 deny ip 192.168.1.0 0.0.0.255 any
access-list 115 deny ip 192.168.100.224 0.0.0.15 any
access-list 115 deny ip 192.168.100.208 0.0.0.15 any
access-list 115 deny ip 192.168.100.160 0.0.0.31 any
access-list 115 deny ip host 255.255.255.255 any
access-list 115 deny ip 127.0.0.0 0.255.255.255 any
access-list 115 permit ip any any
access-list 116 remark auto generated by SDM firewall configuration
access-list 116 remark SDM_ACL Category=1
access-list 116 deny ip 192.168.100.192 0.0.0.15 any
access-list 116 deny ip 192.168.1.0 0.0.0.255 any
access-list 116 deny ip 192.168.100.224 0.0.0.15 any
access-list 116 deny ip 192.168.100.208 0.0.0.15 any
access-list 116 deny ip 192.168.100.128 0.0.0.31 any
access-list 116 deny ip host 255.255.255.255 any
access-list 116 deny ip 127.0.0.0 0.255.255.255 any
access-list 116 permit ip any any
access-list 117 remark auto generated by SDM firewall configuration
access-list 117 remark SDM_ACL Category=1
access-list 117 deny ip 192.168.100.192 0.0.0.15 any
access-list 117 deny ip 192.168.1.0 0.0.0.255 any
access-list 117 deny ip 192.168.100.224 0.0.0.15 any
access-list 117 deny ip 192.168.100.160 0.0.0.31 any
access-list 117 deny ip 192.168.100.128 0.0.0.31 any
access-list 117 deny ip host 255.255.255.255 any
access-list 117 deny ip 127.0.0.0 0.255.255.255 any
access-list 117 permit ip any any
access-list 118 remark auto generated by SDM firewall configuration
access-list 118 remark SDM_ACL Category=1
access-list 118 deny ip 192.168.100.192 0.0.0.15 any
access-list 118 deny ip 192.168.1.0 0.0.0.255 any
access-list 118 deny ip 192.168.100.208 0.0.0.15 any
access-list 118 deny ip 192.168.100.160 0.0.0.31 any
access-list 118 deny ip 192.168.100.128 0.0.0.31 any
access-list 118 deny ip host 255.255.255.255 any
access-list 118 deny ip 127.0.0.0 0.255.255.255 any
access-list 118 permit ip any any
access-list 119 remark auto generated by SDM firewall configuration
access-list 119 remark SDM_ACL Category=1
access-list 119 deny ip 192.168.100.192 0.0.0.15 any
access-list 119 deny ip 192.168.100.224 0.0.0.15 any
access-list 119 deny ip 192.168.100.208 0.0.0.15 any
access-list 119 deny ip 192.168.100.160 0.0.0.31 any
access-list 119 deny ip 192.168.100.128 0.0.0.31 any
access-list 119 permit icmp any host 192.168.1.42 echo-reply
access-list 119 permit icmp any host 192.168.1.42 time-exceeded
access-list 119 permit icmp any host 192.168.1.42 unreachable
access-list 119 deny ip 10.0.0.0 0.255.255.255 any
access-list 119 deny ip 172.16.0.0 0.15.255.255 any
access-list 119 deny ip 192.168.0.0 0.0.255.255 any
access-list 119 deny ip 127.0.0.0 0.255.255.255 any
access-list 119 deny ip host 255.255.255.255 any
access-list 119 deny ip host 0.0.0.0 any
access-list 119 deny ip any any log
access-list 120 remark auto generated by SDM firewall configuration
access-list 120 remark SDM_ACL Category=1
access-list 120 deny ip 192.168.100.0 0.0.0.127 any
access-list 120 deny ip 192.168.1.0 0.0.0.255 any
access-list 120 deny ip 192.168.100.224 0.0.0.15 any
access-list 120 deny ip 192.168.100.208 0.0.0.15 any
access-list 120 deny ip 192.168.100.160 0.0.0.31 any
access-list 120 deny ip 192.168.100.128 0.0.0.31 any
access-list 120 deny ip host 255.255.255.255 any
access-list 120 deny ip 127.0.0.0 0.255.255.255 any
access-list 120 permit ip any any
access-list 121 remark auto generated by SDM firewall configuration
access-list 121 remark SDM_ACL Category=1
access-list 121 deny ip 192.168.100.192 0.0.0.15 any
access-list 121 deny ip 192.168.1.0 0.0.0.255 any
access-list 121 deny ip 192.168.100.224 0.0.0.15 any
access-list 121 deny ip 192.168.100.208 0.0.0.15 any
access-list 121 deny ip 192.168.100.160 0.0.0.31 any
access-list 121 deny ip 192.168.100.128 0.0.0.31 any
access-list 121 deny ip host 255.255.255.255 any
access-list 121 deny ip 127.0.0.0 0.255.255.255 any
access-list 121 permit ip any any
access-list 122 remark auto generated by SDM firewall configuration
access-list 122 remark SDM_ACL Category=1
access-list 122 remark Printer 4550
access-list 122 permit ip any host 192.168.100.126
access-list 122 remark Printer 1300n
access-list 122 permit ip any host 192.168.100.124
access-list 122 remark Vlan Printer
access-list 122 deny ip any 192.168.100.208 0.0.0.15
access-list 122 remark Vlan Experimental
access-list 122 deny ip any 192.168.100.224 0.0.0.15
access-list 122 remark Vlan Guest
access-list 122 deny ip any 192.168.100.160 0.0.0.31
access-list 122 remark Vlan Management
access-list 122 deny ip any 192.168.100.192 0.0.0.15
access-list 122 remark Vlan Sesm
access-list 122 deny ip any 192.168.100.0 0.0.0.127
access-list 122 deny ip host 255.255.255.255 any
access-list 122 deny ip 127.0.0.0 0.255.255.255 any
access-list 122 permit ip any any
access-list 123 remark auto generated by SDM firewall configuration
access-list 123 remark SDM_ACL Category=1
access-list 123 remark Printer 4550
access-list 123 permit ip any host 192.168.100.126
access-list 123 remark Printer 1300n
access-list 123 permit ip any host 192.168.100.124
access-list 123 remark Vlan Printer
access-list 123 deny ip any 192.168.100.208 0.0.0.15
access-list 123 remark Vlan Experimental
access-list 123 deny ip any 192.168.100.224 0.0.0.15
access-list 123 remark Vlan Management
access-list 123 deny ip any 192.168.100.192 0.0.0.15
access-list 123 remark Vlan Lab
access-list 123 deny ip any 192.168.100.128 0.0.0.31
access-list 123 remark Vlan Sesm
access-list 123 deny ip any 192.168.100.0 0.0.0.127
access-list 123 deny ip host 255.255.255.255 any
access-list 123 deny ip 127.0.0.0 0.255.255.255 any
access-list 123 permit ip any any
access-list 124 remark auto generated by SDM firewall configuration
access-list 124 remark SDM_ACL Category=1
access-list 124 deny ip 192.168.100.0 0.0.0.127 any
access-list 124 deny ip 192.168.1.0 0.0.0.255 any
access-list 124 deny ip 192.168.100.224 0.0.0.15 any
access-list 124 deny ip 192.168.100.208 0.0.0.15 any
access-list 124 deny ip 192.168.100.160 0.0.0.31 any
access-list 124 deny ip 192.168.100.128 0.0.0.31 any
access-list 124 deny ip host 255.255.255.255 any
access-list 124 deny ip 127.0.0.0 0.255.255.255 any
access-list 124 permit ip any any
access-list 125 remark auto generated by SDM firewall configuration
access-list 125 remark SDM_ACL Category=1
access-list 125 remark Dario Notebook
access-list 125 permit ip host 192.168.100.28 192.168.100.128 0.0.0.31
access-list 125 remark Uni 3
access-list 125 permit ip host 192.168.100.41 192.168.100.128 0.0.0.31
access-list 125 remark Uni 2
access-list 125 permit ip host 192.168.100.40 192.168.100.128 0.0.0.31
access-list 125 remark Uni 1
access-list 125 permit ip host 192.168.100.39 192.168.100.128 0.0.0.31
access-list 125 remark Carlo
access-list 125 permit ip host 192.168.100.11 any
access-list 125 remark Giovanni
access-list 125 permit ip host 192.168.100.20 any
access-list 125 remark Sala Riunioni
access-list 125 permit ip host 192.168.100.70 192.168.100.128 0.0.0.31
access-list 125 remark Dario
access-list 125 permit ip host 192.168.100.38 192.168.100.128 0.0.0.31
access-list 125 remark Printer
access-list 125 permit ip host 192.168.100.124 any
access-list 125 deny ip 192.168.100.0 0.0.0.127 192.168.100.128 0.0.0.31
access-list 125 deny ip 192.168.100.0 0.0.0.127 192.168.100.192 0.0.0.15
access-list 125 deny ip 192.168.100.0 0.0.0.127 192.168.100.160 0.0.0.31
access-list 125 deny ip 192.168.100.0 0.0.0.127 192.168.100.224 0.0.0.15
access-list 125 deny ip 192.168.100.0 0.0.0.127 192.168.100.208 0.0.0.15
access-list 125 remark HTTP
access-list 125 permit tcp 192.168.100.0 0.0.0.128 any eq www
access-list 125 remark HTTPS
access-list 125 permit tcp 192.168.100.0 0.0.0.128 any eq 443
access-list 125 remark DNS
access-list 125 permit tcp 192.168.100.0 0.0.0.128 any eq domain
access-list 125 remark DNS
access-list 125 permit udp 192.168.100.0 0.0.0.128 any eq domain
access-list 125 remark POP
access-list 125 permit tcp 192.168.100.0 0.0.0.128 any eq pop3
access-list 125 remark SMTP
access-list 125 permit tcp 192.168.100.0 0.0.0.128 any eq smtp
access-list 125 remark FTP
access-list 125 permit tcp 192.168.100.0 0.0.0.128 any eq ftp
access-list 125 remark SSH
access-list 125 permit tcp 192.168.100.0 0.0.0.128 any eq 22
access-list 125 remark MSN messaggi
access-list 125 permit tcp 192.168.100.0 0.0.0.128 any eq 1863
access-list 125 remark MSN Files
access-list 125 permit tcp 192.168.100.0 0.0.0.128 any eq 6891
access-list 125 remark SIP
access-list 125 permit udp 192.168.100.0 0.0.0.128 any eq 5060
access-list 125 deny ip host 255.255.255.255 any
access-list 125 deny ip 127.0.0.0 0.255.255.255 any
access-list 125 permit ip any any
access-list 126 remark auto generated by SDM firewall configuration
access-list 126 remark SDM_ACL Category=1
access-list 126 remark Dario Notebook
access-list 126 permit ip 192.168.100.128 0.0.0.31 host 192.168.100.28
access-list 126 remark Uni 3
access-list 126 permit ip 192.168.100.128 0.0.0.31 host 192.168.100.41
access-list 126 remark Uni 2
access-list 126 permit ip 192.168.100.128 0.0.0.31 host 192.168.100.40
access-list 126 remark Uni 1
access-list 126 permit ip 192.168.100.128 0.0.0.31 host 192.168.100.39
access-list 126 remark Carlo
access-list 126 permit ip 192.168.100.128 0.0.0.31 host 192.168.100.11
access-list 126 remark Sala Riunioni
access-list 126 permit ip 192.168.100.128 0.0.0.31 host 192.168.100.70
access-list 126 remark Dario
access-list 126 permit ip 192.168.100.128 0.0.0.31 host 192.168.100.38
access-list 126 remark Printer
access-list 126 permit ip 192.168.100.128 0.0.0.31 host 192.168.100.124
access-list 126 deny ip 192.168.100.128 0.0.0.31 192.168.100.192 0.0.0.15
access-list 126 deny ip 192.168.100.128 0.0.0.31 192.168.100.224 0.0.0.15
access-list 126 deny ip 192.168.100.128 0.0.0.31 192.168.100.208 0.0.0.15
access-list 126 deny ip 192.168.100.128 0.0.0.31 192.168.100.160 0.0.0.31
access-list 126 deny ip 192.168.100.128 0.0.0.31 192.168.100.0 0.0.0.127
access-list 126 remark HTTP
access-list 126 permit tcp 192.168.100.128 0.0.0.31 any eq www
access-list 126 remark HTTPS
access-list 126 permit tcp 192.168.100.128 0.0.0.31 any eq 443
access-list 126 remark DNS
access-list 126 permit tcp 192.168.100.128 0.0.0.31 any eq domain
access-list 126 remark DNS
access-list 126 permit udp 192.168.100.128 0.0.0.31 any eq domain
access-list 126 remark POP
access-list 126 permit tcp 192.168.100.128 0.0.0.31 any eq pop3
access-list 126 remark SMTP
access-list 126 permit tcp 192.168.100.128 0.0.0.31 any eq smtp
access-list 126 remark SSH
access-list 126 permit tcp 192.168.100.128 0.0.0.31 any eq 22
access-list 126 deny ip host 255.255.255.255 any
access-list 126 deny ip 127.0.0.0 0.255.255.255 any
access-list 126 permit ip any any
access-list 127 remark auto generated by SDM firewall configuration
access-list 127 remark SDM_ACL Category=1
access-list 127 deny ip 192.168.100.192 0.0.0.15 any
access-list 127 deny ip host 255.255.255.255 any
access-list 127 deny ip 127.0.0.0 0.255.255.255 any
access-list 127 permit ip any any
access-list 128 remark auto generated by SDM firewall configuration
access-list 128 remark SDM_ACL Category=1
access-list 128 deny ip 192.168.100.0 0.0.0.127 any
access-list 128 permit icmp any host 192.168.100.193 echo-reply
access-list 128 permit icmp any host 192.168.100.193 time-exceeded
access-list 128 permit icmp any host 192.168.100.193 unreachable
access-list 128 deny ip 10.0.0.0 0.255.255.255 any
access-list 128 deny ip 172.16.0.0 0.15.255.255 any
access-list 128 deny ip 192.168.0.0 0.0.255.255 any
access-list 128 deny ip 127.0.0.0 0.255.255.255 any
access-list 128 deny ip host 255.255.255.255 any
access-list 128 deny ip host 0.0.0.0 any
access-list 128 deny ip any any log
access-list 129 remark auto generated by SDM firewall configuration
access-list 129 remark SDM_ACL Category=1
access-list 129 remark Pc Carlo
access-list 129 permit ip host 192.168.100.11 any
access-list 129 deny ip any any
access-list 130 remark auto generated by SDM firewall configuration
access-list 130 remark SDM_ACL Category=1
access-list 130 remark Pc Carlo
access-list 130 permit ip host 192.168.100.11 192.168.100.192 0.0.0.15
access-list 130 remark Vlan Printer
access-list 130 deny ip any 192.168.100.208 0.0.0.15
access-list 130 remark Vlan Experimental
access-list 130 deny ip any 192.168.100.224 0.0.0.15
access-list 130 remark Vlan Guest
access-list 130 deny ip any 192.168.100.160 0.0.0.31
access-list 130 remark Vlan Management
access-list 130 deny ip any 192.168.100.192 0.0.0.15
access-list 130 remark Vlan Lab
access-list 130 deny ip any 192.168.100.128 0.0.0.31
access-list 130 deny ip host 255.255.255.255 any
access-list 130 deny ip 127.0.0.0 0.255.255.255 any
access-list 130 permit ip any any
access-list 131 remark auto generated by SDM firewall configuration
access-list 131 remark SDM_ACL Category=1
access-list 131 permit ip 192.168.100.160 0.0.0.31 host 192.168.100.124
access-list 131 deny ip 192.168.100.160 0.0.0.31 192.168.100.128 0.0.0.31
access-list 131 deny ip 192.168.100.160 0.0.0.31 192.168.100.192 0.0.0.15
access-list 131 deny ip 192.168.100.160 0.0.0.31 192.168.100.224 0.0.0.15
access-list 131 deny ip 192.168.100.160 0.0.0.31 192.168.100.208 0.0.0.15
access-list 131 deny ip 192.168.100.160 0.0.0.31 192.168.100.0 0.0.0.127
access-list 131 remark HTTP
access-list 131 permit tcp 192.168.100.160 0.0.0.31 any eq www
access-list 131 remark HTTPS
access-list 131 permit tcp 192.168.100.160 0.0.0.31 any eq 443
access-list 131 remark DNS
access-list 131 permit tcp 192.168.100.160 0.0.0.31 any eq domain
access-list 131 remark DNS
access-list 131 permit udp 192.168.100.160 0.0.0.31 any eq domain
access-list 131 remark POP
access-list 131 permit tcp 192.168.100.160 0.0.0.31 any eq pop3
access-list 131 remark SMTP
access-list 131 permit tcp 192.168.100.160 0.0.0.31 any eq smtp
access-list 131 deny ip host 255.255.255.255 any
access-list 131 deny ip 127.0.0.0 0.255.255.255 any
access-list 131 deny ip any any
access-list 132 remark auto generated by SDM firewall configuration
access-list 132 remark SDM_ACL Category=1
access-list 132 deny ip 192.168.100.0 0.0.0.127 any
access-list 132 deny ip 192.168.100.192 0.0.0.15 any
access-list 132 deny ip 192.168.1.0 0.0.0.255 any
access-list 132 deny ip 192.168.100.224 0.0.0.15 any
access-list 132 deny ip 192.168.100.160 0.0.0.31 any
access-list 132 deny ip 192.168.100.128 0.0.0.31 any
access-list 132 deny ip host 255.255.255.255 any
access-list 132 deny ip 127.0.0.0 0.255.255.255 any
access-list 132 permit ip any any
access-list 133 remark auto generated by SDM firewall configuration
access-list 133 remark SDM_ACL Category=1
access-list 133 permit ip any host 192.168.100.10
access-list 133 permit ip any host 192.168.100.126
access-list 133 permit ip any host 192.168.100.124
access-list 133 deny ip any 192.168.100.224 0.0.0.15
access-list 133 deny ip any 192.168.100.208 0.0.0.15
access-list 133 deny ip any 192.168.100.160 0.0.0.31
access-list 133 deny ip any 192.168.100.192 0.0.0.15
access-list 133 deny ip any 192.168.100.0 0.0.0.127
access-list 133 deny ip host 255.255.255.255 any
access-list 133 deny ip 127.0.0.0 0.255.255.255 any
access-list 133 permit ip any any
access-list 134 remark auto generated by SDM firewall configuration
access-list 134 remark SDM_ACL Category=1
access-list 134 deny ip 192.168.100.0 0.0.0.127 any
access-list 134 deny ip 192.168.100.192 0.0.0.15 any
access-list 134 deny ip 192.168.1.0 0.0.0.255 any
access-list 134 deny ip 192.168.100.208 0.0.0.15 any
access-list 134 deny ip 192.168.100.160 0.0.0.31 any
access-list 134 deny ip 192.168.100.128 0.0.0.31 any
access-list 134 deny ip host 255.255.255.255 any
access-list 134 deny ip 127.0.0.0 0.255.255.255 any
access-list 134 permit ip any any
access-list 135 remark auto generated by SDM firewall configuration
access-list 135 remark SDM_ACL Category=1
access-list 135 permit udp host 213.92.5.54 eq domain host 192.168.1.2
access-list 135 deny ip 192.168.100.0 0.0.0.127 any
access-list 135 deny ip 192.168.100.192 0.0.0.15 any
access-list 135 deny ip 192.168.100.224 0.0.0.15 any
access-list 135 deny ip 192.168.100.208 0.0.0.15 any
access-list 135 deny ip 192.168.100.160 0.0.0.31 any
access-list 135 deny ip 192.168.100.128 0.0.0.31 any
access-list 135 permit icmp any host 192.168.1.2 echo-reply
access-list 135 permit icmp any host 192.168.1.2 time-exceeded
access-list 135 permit icmp any host 192.168.1.2 unreachable
access-list 135 deny ip 10.0.0.0 0.255.255.255 any
access-list 135 deny ip 172.16.0.0 0.15.255.255 any
access-list 135 deny ip 192.168.0.0 0.0.255.255 any
access-list 135 deny ip 127.0.0.0 0.255.255.255 any
access-list 135 deny ip host 255.255.255.255 any
access-list 135 deny ip host 0.0.0.0 any
access-list 135 deny ip any any log
access-list 136 remark auto generated by SDM firewall configuration
access-list 136 remark SDM_ACL Category=1
access-list 136 permit udp host 192.168.1.1 eq domain host 192.168.1.2
access-list 136 deny ip 192.168.100.0 0.0.0.127 any
access-list 136 deny ip 192.168.100.192 0.0.0.15 any
access-list 136 deny ip 192.168.100.224 0.0.0.15 any
access-list 136 deny ip 192.168.100.208 0.0.0.15 any
access-list 136 deny ip 192.168.100.160 0.0.0.31 any
access-list 136 deny ip 192.168.100.128 0.0.0.31 any
access-list 136 permit icmp any host 192.168.1.2 echo-reply
access-list 136 permit icmp any host 192.168.1.2 time-exceeded
access-list 136 permit icmp any host 192.168.1.2 unreachable
access-list 136 deny ip 10.0.0.0 0.255.255.255 any
access-list 136 deny ip 172.16.0.0 0.15.255.255 any
access-list 136 deny ip 192.168.0.0 0.0.255.255 any
access-list 136 deny ip 127.0.0.0 0.255.255.255 any
access-list 136 deny ip host 255.255.255.255 any
access-list 136 deny ip host 0.0.0.0 any
access-list 136 deny ip any any log
access-list 137 remark auto generated by SDM firewall configuration
access-list 137 remark SDM_ACL Category=1
access-list 137 permit udp any host 88.45.132.114 eq 4672
access-list 137 permit tcp any host 88.45.132.114 eq 4662
access-list 137 remark SSH Newnet
access-list 137 permit tcp any host 88.45.132.114 eq 22
access-list 137 remark SSH Cardamom
access-list 137 permit tcp any host 88.45.132.115 eq 22
access-list 137 permit gre any host 88.45.132.114
access-list 137 remark HTTP SERVER
access-list 137 permit tcp any host 88.45.132.114 eq www
access-list 137 permit tcp any host 88.45.132.114 eq 1723
access-list 137 permit tcp any host 88.45.132.114 eq 1000
access-list 137 permit tcp any host 88.45.132.114 eq 1001
access-list 137 permit tcp any host 88.45.132.114 eq ftp
access-list 137 permit udp host 88.45.132.113 eq domain host 88.45.132.114
access-list 137 deny ip 192.168.100.0 0.0.0.127 any
access-list 137 deny ip 192.168.100.192 0.0.0.15 any
access-list 137 deny ip 192.168.100.224 0.0.0.15 any
access-list 137 deny ip 192.168.100.208 0.0.0.15 any
access-list 137 deny ip 192.168.100.160 0.0.0.31 any
access-list 137 deny ip 192.168.100.128 0.0.0.31 any
access-list 137 permit icmp any host 88.45.132.114 echo-reply
access-list 137 permit icmp any host 88.45.132.114 time-exceeded
access-list 137 permit icmp any host 88.45.132.114 unreachable
access-list 137 deny ip 10.0.0.0 0.255.255.255 any
access-list 137 deny ip 172.16.0.0 0.15.255.255 any
access-list 137 deny ip 192.168.0.0 0.0.255.255 any
access-list 137 deny ip 127.0.0.0 0.255.255.255 any
access-list 137 deny ip host 255.255.255.255 any
access-list 137 deny ip host 0.0.0.0 any
access-list 137 deny ip any any log
no cdp run
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^CArea Protetta^C
!
line con 0
login authentication local_authen
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 107 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

So, you say "I would like to enable only certain outbound services..."

access-l 199 permit tcp any any eq 80 (for the web)
access-l 199 permit udp any any eq 53 (dns)
etc. etc.

At the end put a nice
access-l 199 deny ip any any log

then:
int ***
ip access-group 199 in

About the firewall and SDM you're right, but in the meantime fix the ACLs!
The future is made of people who have intuitions and visions ..... they are the people who make the difference...... those endowed with a THIRD EYE....
acarlo
n00b
Posts: 12
Joined: Tue 01 Nov 2005, 7:50 pm

OK, I have partly solved my problems: now from the LAN only the desired services actually work, but I can't get some services that must be visible from outside working, such as the HTTP or SSH server. I'm reposting the new configuration hoping someone can give me some tips.



Building configuration...

Current configuration : 17349 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.124-4.T2.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$q4jQ$S6x4Q1TPHjS3lhlHW.Jk1/
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
clock timezone Berlin 1
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.161
!
ip dhcp pool guest-vlan
network 192.168.100.160 255.255.255.224
default-router 192.168.100.161
dns-server 151.99.125.1 151.99.125.3
!
!
no ip bootp server
ip name-server 192.168.100.4
ip name-server 213.92.5.54
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect udp idle-time 60
ip inspect dns-timeout 60
ip inspect tcp finwait-time 10
ip inspect tcp synwait-time 60
ip inspect name SDM_LOW appfw SDM_LOW
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW ftp
ip ips sdf location flash://256MB.sdf
ip ips notify SDEE
ip ips name sdm_ips_rule
ip rcmd rcp-enable
!
appfw policy-name SDM_LOW
application http
port-misuse p2p action reset alarm
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-4101280706
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4101280706
revocation-check none
rsakeypair TP-self-signed-4101280706
!
!
crypto pki certificate chain TP-self-signed-4101280706
certificate self-signed 01
quit
username carlo privilege 15 secret 5 $1$hnvH$hkuTqKdTh1/XVBfb3V8so.
!
!
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
!
policy-map sdmappfwp2p_SDM_LOW
class sdm_p2p_gnutella
drop
class sdm_p2p_bittorrent
drop
class sdm_p2p_edonkey
class sdm_p2p_kazaa
drop
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface GigabitEthernet0/0
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/0.1
description $FW_INSIDE$
encapsulation dot1Q 1 native
ip address 192.168.100.193 255.255.255.240
ip access-group 124 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip ips sdm_ips_rule out
ip virtual-reassembly
no snmp trap link-status
!
interface GigabitEthernet0/0.2
description $FW_INSIDE$
encapsulation dot1Q 2
ip address 192.168.100.1 255.255.255.128
ip access-group 125 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip ips sdm_ips_rule out
ip virtual-reassembly
no snmp trap link-status
!
interface GigabitEthernet0/0.3
description $FW_INSIDE$
encapsulation dot1Q 3
ip address 192.168.100.129 255.255.255.224
ip access-group 126 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip ips sdm_ips_rule out
ip virtual-reassembly
no snmp trap link-status
!
interface GigabitEthernet0/0.4
description $FW_INSIDE$
encapsulation dot1Q 4
ip address 192.168.100.161 255.255.255.224
ip access-group 131 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip ips sdm_ips_rule out
ip virtual-reassembly
no snmp trap link-status
!
interface GigabitEthernet0/0.5
description $FW_INSIDE$
encapsulation dot1Q 5
ip address 192.168.100.209 255.255.255.240
ip access-group 132 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip ips sdm_ips_rule out
ip virtual-reassembly
no snmp trap link-status
!
interface GigabitEthernet0/0.6
description $FW_INSIDE$
encapsulation dot1Q 6
ip address 192.168.100.225 255.255.255.240
ip access-group 134 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip ips sdm_ips_rule out
ip virtual-reassembly
no snmp trap link-status
!
interface GigabitEthernet0/1
description $FW_OUTSIDE$$ETH-WAN$
ip address 88.45.132.114 255.255.255.248
ip access-group 137 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
ip ips sdm_ips_rule in
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
service-policy input sdmappfwp2p_SDM_LOW
service-policy output sdmappfwp2p_SDM_LOW
!
interface Serial0/3/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
clock rate 2000000
!
ip default-gateway 192.168.1.1
ip classless
ip route 0.0.0.0 0.0.0.0 88.45.132.113 permanent
!
!
no ip http server
ip http access-class 1
ip http secure-server
ip nat inside source list 2 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.100.5 1001 interface GigabitEthernet0/1 1001
ip nat inside source static tcp 192.168.100.5 21 interface GigabitEthernet0/1 21
ip nat inside source static tcp 192.168.100.4 1723 interface GigabitEthernet0/1 1723
ip nat inside source static tcp 192.168.100.5 1000 interface GigabitEthernet0/1 1000
ip nat inside source static tcp 192.168.100.4 22 interface GigabitEthernet0/1 22
ip nat inside source static tcp 192.168.100.5 80 88.45.132.114 80 extendable
ip nat inside source static tcp 192.168.100.20 4662 88.45.132.114 4662 extendable
ip nat inside source static udp 192.168.100.20 4672 88.45.132.114 4672 extendable
ip nat inside source static tcp 192.168.100.139 22 88.45.132.115 22 extendable
!
logging trap debugging
access-list 1 permit 192.168.100.0 0.0.0.127
access-list 1 permit 192.168.100.192 0.0.0.15
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.100.128 0.0.0.31
access-list 2 permit 192.168.100.160 0.0.0.31
access-list 2 permit 192.168.100.208 0.0.0.15
access-list 2 permit 192.168.100.224 0.0.0.15
access-list 2 permit 192.168.100.192 0.0.0.15
access-list 2 permit 192.168.100.0 0.0.0.127
access-list 107 remark VTY Access-class list
access-list 107 remark SDM_ACL Category=1
access-list 107 permit ip 192.168.100.0 0.0.0.127 any
access-list 107 permit ip 192.168.100.192 0.0.0.15 any
access-list 107 permit ip 192.168.100.224 0.0.0.15 any
access-list 107 permit ip 192.168.100.208 0.0.0.15 any
access-list 107 permit ip 192.168.100.160 0.0.0.31 any
access-list 107 permit ip 192.168.100.128 0.0.0.31 any
access-list 107 deny ip any any
access-list 124 remark auto generated by SDM firewall configuration
access-list 124 remark SDM_ACL Category=1
access-list 124 deny ip 192.168.100.0 0.0.0.127 any
access-list 124 deny ip 192.168.100.224 0.0.0.15 any
access-list 124 deny ip 192.168.100.208 0.0.0.15 any
access-list 124 deny ip 192.168.100.160 0.0.0.31 any
access-list 124 deny ip 192.168.100.128 0.0.0.31 any
access-list 124 deny ip host 255.255.255.255 any
access-list 124 deny ip 127.0.0.0 0.255.255.255 any
access-list 124 deny ip any any log
access-list 125 remark auto generated by SDM firewall configuration
access-list 125 remark SDM_ACL Category=1
access-list 125 remark Dario Notebook
access-list 125 permit ip host 192.168.100.28 192.168.100.128 0.0.0.31
access-list 125 remark Uni 3
access-list 125 permit ip host 192.168.100.41 192.168.100.128 0.0.0.31
access-list 125 remark Uni 2
access-list 125 permit ip host 192.168.100.40 192.168.100.128 0.0.0.31
access-list 125 remark Uni 1
access-list 125 permit ip host 192.168.100.39 192.168.100.128 0.0.0.31
access-list 125 remark Giovanni
access-list 125 permit ip host 192.168.100.20 any
access-list 125 remark Alessandro
access-list 125 permit ip host 192.168.100.17 any
access-list 125 remark Emilio
access-list 125 permit ip host 192.168.100.21 any
access-list 125 remark Dario
access-list 125 permit ip host 192.168.100.38 192.168.100.128 0.0.0.31
access-list 125 remark Printer
access-list 125 permit ip host 192.168.100.124 any
access-list 125 deny ip 192.168.100.128 0.0.0.31 any
access-list 125 deny ip 192.168.100.192 0.0.0.15 any
access-list 125 deny ip 192.168.100.160 0.0.0.31 any
access-list 125 deny ip 192.168.100.224 0.0.0.15 any
access-list 125 deny ip 192.168.100.208 0.0.0.15 any
access-list 125 remark PPTP
access-list 125 permit tcp host 192.168.100.4 any eq 1723
access-list 125 remark HTTP
access-list 125 permit tcp any any eq www
access-list 125 remark HTTPS
access-list 125 permit tcp any any eq 443
access-list 125 remark DNS
access-list 125 permit tcp any any eq domain
access-list 125 remark DNS
access-list 125 permit udp any any eq domain
access-list 125 remark POP
access-list 125 permit tcp any any eq pop3
access-list 125 remark SMTP
access-list 125 permit tcp any any eq smtp
access-list 125 remark FTP
access-list 125 permit tcp any any eq ftp
access-list 125 remark SSH
access-list 125 permit tcp any any eq 22
access-list 125 remark MSN messaggi
access-list 125 permit tcp any any eq 1863
access-list 125 remark MSN Files
access-list 125 permit tcp any any eq 6891
access-list 125 remark SIP
access-list 125 permit udp any any eq 5060
access-list 125 deny ip host 255.255.255.255 any
access-list 125 deny ip 127.0.0.0 0.255.255.255 any
access-list 125 deny ip any any log
access-list 126 remark auto generated by SDM firewall configuration
access-list 126 remark SDM_ACL Category=1
access-list 126 remark Dario Notebook
access-list 126 permit ip any host 192.168.100.28
access-list 126 remark Uni 3
access-list 126 permit ip any host 192.168.100.41
access-list 126 remark Uni 2
access-list 126 permit ip any host 192.168.100.40
access-list 126 remark Uni 1
access-list 126 permit ip any host 192.168.100.39
access-list 126 remark Dario
access-list 126 permit ip any host 192.168.100.38
access-list 126 remark Carlo
access-list 126 permit ip any host 192.168.100.11
access-list 126 remark Printer
access-list 126 permit ip any host 192.168.100.124
access-list 126 deny ip 192.168.100.192 0.0.0.15 any
access-list 126 deny ip 192.168.100.224 0.0.0.15 any
access-list 126 deny ip 192.168.100.208 0.0.0.15 any
access-list 126 deny ip 192.168.100.160 0.0.0.31 any
access-list 126 deny ip 192.168.100.0 0.0.0.127 any
access-list 126 remark HTTP
access-list 126 permit tcp any any eq www
access-list 126 remark HTTPS
access-list 126 permit tcp any any eq 443
access-list 126 remark DNS
access-list 126 permit tcp any any eq domain
access-list 126 remark DNS
access-list 126 permit udp any any eq domain
access-list 126 remark POP
access-list 126 permit tcp any any eq pop3
access-list 126 remark SMTP
access-list 126 permit tcp any any eq smtp
access-list 126 remark SSH
access-list 126 permit tcp any any eq 22
access-list 126 deny ip host 255.255.255.255 any
access-list 126 deny ip 127.0.0.0 0.255.255.255 any
access-list 126 deny ip any any log
access-list 131 remark auto generated by SDM firewall configuration
access-list 131 remark SDM_ACL Category=1
access-list 131 permit ip host 192.168.100.124 any
access-list 131 deny ip 192.168.100.128 0.0.0.31 any
access-list 131 deny ip 192.168.100.192 0.0.0.15 any
access-list 131 deny ip 192.168.100.224 0.0.0.15 any
access-list 131 deny ip 192.168.100.208 0.0.0.15 any
access-list 131 deny ip 192.168.100.0 0.0.0.127 any
access-list 131 remark HTTP
access-list 131 permit tcp any any eq www
access-list 131 remark HTTPS
access-list 131 permit tcp any any eq 443
access-list 131 remark DNS
access-list 131 permit tcp any any eq domain
access-list 131 remark DNS
access-list 131 permit udp any any eq domain
access-list 131 remark POP
access-list 131 permit tcp any any eq pop3
access-list 131 remark SMTP
access-list 131 permit tcp any any eq smtp
access-list 131 deny ip host 255.255.255.255 any
access-list 131 deny ip 127.0.0.0 0.255.255.255 any
access-list 131 deny ip any any log
access-list 132 remark auto generated by SDM firewall configuration
access-list 132 remark SDM_ACL Category=1
access-list 132 deny ip 192.168.100.0 0.0.0.127 any
access-list 132 deny ip 192.168.100.192 0.0.0.15 any
access-list 132 deny ip 192.168.100.224 0.0.0.15 any
access-list 132 deny ip 192.168.100.160 0.0.0.31 any
access-list 132 deny ip 192.168.100.128 0.0.0.31 any
access-list 132 deny ip host 255.255.255.255 any
access-list 132 deny ip 127.0.0.0 0.255.255.255 any
access-list 132 deny ip any any log
access-list 134 remark auto generated by SDM firewall configuration
access-list 134 remark SDM_ACL Category=1
access-list 134 deny ip 192.168.100.0 0.0.0.127 any
access-list 134 deny ip 192.168.100.192 0.0.0.15 any
access-list 134 deny ip 192.168.100.208 0.0.0.15 any
access-list 134 deny ip 192.168.100.160 0.0.0.31 any
access-list 134 deny ip 192.168.100.128 0.0.0.31 any
access-list 134 deny ip host 255.255.255.255 any
access-list 134 deny ip 127.0.0.0 0.255.255.255 any
access-list 134 deny ip any any log
access-list 137 remark auto generated by SDM firewall configuration
access-list 137 remark SDM_ACL Category=1
access-list 137 permit udp any host 88.45.132.114 eq 4672
access-list 137 permit tcp any host 88.45.132.114 eq 4662
access-list 137 remark SSH Newnet
access-list 137 permit tcp any host 88.45.132.114 eq 22
access-list 137 remark SSH Cardamom
access-list 137 permit tcp any host 88.45.132.115 eq 22
access-list 137 remark GRE Tunnel PPTP
access-list 137 permit gre any host 88.45.132.114
access-list 137 remark HTTP SERVER
access-list 137 permit tcp any host 88.45.132.114 eq www
access-list 137 permit tcp any host 88.45.132.114 eq 1723
access-list 137 permit tcp any host 88.45.132.114 eq 1000
access-list 137 permit tcp any host 88.45.132.114 eq 1001
access-list 137 permit tcp any host 88.45.132.114 eq ftp
access-list 137 permit udp host 88.45.132.113 eq domain host 88.45.132.114
access-list 137 deny ip 192.168.100.0 0.0.0.127 any
access-list 137 deny ip 192.168.100.192 0.0.0.15 any
access-list 137 deny ip 192.168.100.224 0.0.0.15 any
access-list 137 deny ip 192.168.100.208 0.0.0.15 any
access-list 137 deny ip 192.168.100.160 0.0.0.31 any
access-list 137 deny ip 192.168.100.128 0.0.0.31 any
access-list 137 permit icmp any host 88.45.132.114 echo-reply
access-list 137 permit icmp any host 88.45.132.114 time-exceeded
access-list 137 permit icmp any host 88.45.132.114 unreachable
access-list 137 deny ip 10.0.0.0 0.255.255.255 any
access-list 137 deny ip 172.16.0.0 0.15.255.255 any
access-list 137 deny ip 192.168.0.0 0.0.255.255 any
access-list 137 deny ip 127.0.0.0 0.255.255.255 any
access-list 137 deny ip host 255.255.255.255 any
access-list 137 deny ip host 0.0.0.0 any
access-list 137 deny ip any any log
no cdp run
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^CArea Protetta^C
!
line con 0
login authentication local_authen
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 107 in
authorization exec local_author
login authentication local_authen
transport input ssh
!
scheduler allocate 20000 1000
!
end
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

Out of curiosity, what router is it? A 2800?
For access from outside, the rules to create are the NATs and the ACLs.
Check those two things according to the ports you need to publish!
acarlo
n00b
Posts: 12
Joined: Tue 01 Nov 2005, 7:50 pm

Yes, a 2821.

I think I applied the rules correctly, but I'll check again now :) thanks.
acarlo
n00b
Posts: 12
Joined: Tue 01 Nov 2005, 7:50 pm

Unfortunately I can't figure it out..... the configuration currently on the router is the second one, but I really can't understand why my web server or SSH is not visible from outside..... does anyone have any suggestions?
Thanks.
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

Try this:
Remove the inbound ACL and see whether it works that way.
If it works, check that ACL; if it still doesn't work, the fault lies in the NAT lines or in the machine you're pointing to.
acarlo
n00b
Posts: 12
Joined: Tue 01 Nov 2005, 7:50 pm

A question,

If I have created VLANs and I want them to be blocked by the access lists on the various interfaces, how should I go about it?

example

eth0/0.1 with network 192.168.100.0 0.0.0.127
eth0/0.2 with network 192.168.100.128 0.0.0.31
eth0/0.3 with network 192.168.100.160 0.0.0.31

access-list 125 deny ip 192.168.100.128 0.0.0.31 any
access-list 125 deny ip 192.168.100.160 0.0.0.31 any

and then I apply it on eth0/0.1
ip access-group 125 in


What happens this way? Are packets directed to those networks blocked, or will packets coming from those networks be blocked?

Thanks for the help.
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

eth0/0.1 with network 192.168.100.0 0.0.0.127

access-list 125 deny ip 192.168.100.128 0.0.0.31 any
access-list 125 deny ip 192.168.100.160 0.0.0.31 any

and then I apply it on eth0/0.1
ip access-group 125 in


You want the IPs 192.168.100.128 and 160 not to go anywhere (i.e. not to leave the interface) while all the others do, right?!
If so, build the ACL like this:

access-list 125 deny ip 192.168.100.128 0.0.0.31 any
access-list 125 deny ip 192.168.100.160 0.0.0.31 any
access-l 125 permit ip any any

and then apply it on eth0/0.1
ip access-group 125 in

This way packets coming from the IPs 192.168.100.128 and 160 will be blocked, while all the others (still from that subnet) will be forwarded.
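The exchange above turns on what an inbound ACL actually matches: the source field of a packet arriving on the interface. The following is an added example, not code from the thread: a small simulator of Cisco-style numbered IP ACLs (wildcard masks, first match wins, implicit deny at the end) that evaluates the ACL as posted against a hypothetical variant that uses the VLAN networks as the destination instead. Names (`parse_acl`, `evaluate`, `inbound_decision`, `ACL_BY_DESTINATION`) and the simplifications are assumptions: only protocol, source and destination are matched; `eq <port>`, `log` and `established` qualifiers are ignored.

```python
# Added example, not code from the thread: a minimal simulator of Cisco-style
# numbered IP ACLs with wildcard masks, first-match order and the implicit
# "deny ip any any" at the end. Assumptions: only the protocol keyword and
# the source/destination fields are matched; 'eq <port>', 'log' and
# 'established' qualifiers are parsed past and ignored.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY = (0, 0xFFFFFFFF)  # 'any' is shorthand for 0.0.0.0 255.255.255.255


@dataclass
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp", "udp", "icmp", ...
    src: tuple[int, int]      # (address, wildcard) as 32-bit ints
    dst: tuple[int, int]


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: list[str]) -> tuple[int, int]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (_ip(tokens.pop(0)), 0)
    return (_ip(tok), _ip(tokens.pop(0)))


def parse_acl(text: str) -> list[Ace]:
    """Parse 'access-list N {permit|deny} <proto> <src> <dst> ...' lines.
    The 'access-l' abbreviation is accepted; 'remark' lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or not tokens[0].startswith("access-l"):
            continue  # remarks, blank lines, anything that is not an ACE
        if tokens[2] == "remark":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)   # whatever follows (eq www, log) is ignored
        aces.append(Ace(action, proto, src, dst))
    return aces


def _matches(addr: int, spec: tuple[int, int]) -> bool:
    """Wildcard-mask test: bits set in the wildcard are 'don't care'."""
    net, wild = spec
    return ((addr ^ net) & (~wild & 0xFFFFFFFF)) == 0


def evaluate(aces: list[Ace], src_ip: str, dst_ip: str, proto: str = "ip") -> str:
    """Return 'permit' or 'deny' for one packet: the first matching ACE wins,
    and a packet that matches nothing hits the implicit deny at the end."""
    src, dst = _ip(src_ip), _ip(dst_ip)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if _matches(src, ace.src) and _matches(dst, ace.dst):
            return ace.action
    return "deny"


# The ACL exactly as discussed in the thread: the VLAN networks sit in the
# SOURCE field, so the deny lines only match packets that come FROM them.
ACL_BY_SOURCE = """
access-list 125 deny ip 192.168.100.128 0.0.0.31 any
access-list 125 deny ip 192.168.100.160 0.0.0.31 any
access-l 125 permit ip any any
"""

# Hypothetical variant with the VLAN networks in the DESTINATION field: this
# is what stops hosts arriving on eth0/0.1 (192.168.100.0/25) from reaching them.
ACL_BY_DESTINATION = """
access-list 125 deny ip any 192.168.100.128 0.0.0.31
access-list 125 deny ip any 192.168.100.160 0.0.0.31
access-l 125 permit ip any any
"""


def inbound_decision(acl_text: str, src_ip: str, dst_ip: str) -> str:
    """Decision for a packet ARRIVING on the interface where the ACL is
    applied with 'ip access-group <n> in'."""
    return evaluate(parse_acl(acl_text), src_ip, dst_ip)


if __name__ == "__main__":
    lan_host, lab_host, outside = "192.168.100.10", "192.168.100.130", "88.45.132.113"
    for name, acl in (("by source", ACL_BY_SOURCE), ("by destination", ACL_BY_DESTINATION)):
        print(f"{name}: {lan_host} -> {lab_host}: {inbound_decision(acl, lan_host, lab_host)}")
        print(f"{name}: {lan_host} -> {outside}: {inbound_decision(acl, lan_host, outside)}")
```

Run stand-alone it shows that the posted ACL permits a VLAN 1 host to reach the lab VLAN, while the destination-based variant blocks it and still lets Internet-bound traffic through.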
acarlo
n00b
Posts: 12
Joined: Tue 01 Nov 2005, 7:50 pm

Hi,
I apologize if I'm still bothering you with my problems... but I really can't figure out where my mistake is.
If someone has a bit of time, could you take a look?
Let me explain what I would like the router to do... but which unfortunately it doesn't do.

Basically I would like to make it possible to access some services from outside, such as the SSH server and the HTTP server.

And allow from inside only the use of certain services (the essential ones: HTTP, mail, etc.).

And, since I have VLANs in my network, not allow traffic between them.

My last posted configuration works partially: I can decide the outbound services and block the VLANs, but the services that should be visible from outside don't work, nor does the DHCP function on one of the VLANs.

Thanks in advance for the help.