Enabling the firewall function on the SOHO 97

Secure your network!

Moderator: Federico.Lagni

Ottovp:

Hi everyone,

I've been browsing your forum for a while, with great admiration for theirish, who many times has indirectly helped me through his answers during my adventures in the Cisco world.

I have a Cisco SOHO 97, bought used and (I hope) correctly configured, and
now I would like to enable the firewall function on it.
I have a nice collection of IOS images, but for the moment I'm happy with this one, except that I can't manage to get this blessed firewall loaded.

Ideas? Where can I find the firewall-related part of the configuration for my router?

Thanks for your help and for your time :)

It is currently running with the following configuration:

Code:

Current configuration : 2670 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname **********
!
boot-start-marker
boot-end-marker
!
enable secret 5 ******************************
enable password 7 *************************************
!
ip subnet-zero
ip name-server 88.149.128.12
ip name-server 88.149.128.22
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.254
!
ip dhcp pool CLIENT
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254
   lease 0 2
!
!
no aaa new-model
!
!
!
!
no crypto isakmp enable
!
!
!
interface Ethernet0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 dsl operating-mode auto
 hold-queue 224 in
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dialer1
 ip address **** 255.255.255.0
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp chap hostname xxxxxxxxxxxx
 ppp chap password 7 *****************
 ppp pap sent-username *************** password 7 *****************
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.1 4713 interface Dialer1 4713
ip nat inside source static udp 192.168.1.1 4712 interface Dialer1 4712
ip nat inside source static tcp 192.168.1.1 5900 interface Dialer1 5900
ip nat inside source static tcp 192.168.1.1 6000 interface Dialer1 6000
ip nat inside source static tcp 192.168.1.1 4711 interface Dialer1 4711
ip nat inside source static tcp 192.168.1.1 80 interface Dialer1 80
ip nat inside source static tcp 192.168.1.1 21 interface Dialer1 21
ip nat inside source static tcp 192.168.1.1 6881 interface Dialer1 6881
ip nat inside source static tcp 192.168.1.1 6666 interface Dialer1 6666
ip nat inside source static tcp 192.168.1.1 6667 interface Dialer1 6667
ip nat inside source static tcp 192.168.1.1 6668 interface Dialer1 6668
ip nat inside source static tcp 192.168.1.1 2710 interface Dialer1 2710
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 23 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 transport preferred all
 transport output all
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 password 7 104D061A0616000F0D3B7B72707A
 login
 length 0
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
!
end



At the end of the boot I get these 2 errors (but I think they are negligible anyway, judging by my searches on the web):

bootstrap:

Code:

00:29:01: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload command.
System Bootstrap, Version 12.2(11r)YV3,
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2004 by cisco Systems, Inc.
C800/SOHO series (Board ID: 22-128) platform with 65536 Kbytes of main memory

program load complete, entry point: 0x80013000, size: 0x54dc74
Self decompressing the image : ############################################################################################## [OK]

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706

Cisco IOS Software, SOHO97 Software (SOHO97-K9OY1-M), Version 12.3(7)T11, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Fri 15-Jul-05 09:00 by dchih
Image text-base: 0x800131C0, data-base: 0x809D0CBC

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected].

Cisco SOHO97 (MPC857DSL) processor (revision 0x500) with 58983K/6553K bytes of memory.
Processor board ID FCZ093341SF (1409697396), with hardware revision 0000
CPU rev number 7
1 Ethernet interface
1 ATM interface
128K bytes of NVRAM.
8192K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

no aaa new-model
    ^
% Invalid input detected at '^' marker.

%NAT: Error activating CNBAR on the interface Ethernet0
%NAT: Error activating CNBAR on the interface Dialer1

MaiO:

Read this document; you'll see it clears things up and you'll manage to configure the FW yourself. There is no "standard" config: features are applied according to what is needed.

http://www.ciscoforums.it/viewtopic.php?t=2655

Ciao
-=] MaiO [=-
Ottovp:

I'll give it a try now.

Thanks in the meantime :)
Ottovp:

Hi, I had a look and it's roughly like my 1st/2nd semester CCNA manual :)
OK, I was after a few tips, maybe on the access lists, or on how to set up the various FW rules between the ATM and the NAT.
I know the concepts; I wanted to "transfer" them into the config :)

Bye

P.S. As for the errors, I've noticed they're typical of this IOS version.
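Added example for the two requests above (the first post: where the firewall part of the config goes; this post: how the ACL and the NAT rules fit together on the ATM/Dialer side). This is the editor's code, not taken from any post in the thread or from a Cisco document, and it is written against the config in the first message. The inspect rule name WAN_INSPECT and access-list 101 are my choices; the permitted ports are exactly the ones the existing `ip nat inside source static` lines already expose. The image name SOHO97-K9OY1-M carries the `o` (IOS Firewall) feature letter, so `ip inspect` should be available; `ip inspect ?` in configuration mode is the quick check.

```cisco
! Added example (editor's), not from the thread: CBAC stateful inspection on
! the Dialer1 WAN interface of the SOHO 97 config in the first post.
! Names (WAN_INSPECT, ACL 101) are mine.
!
! --- 1. Inspection rule for sessions leaving towards the Internet. Their
!        return packets are admitted dynamically, so the inbound ACL below can
!        deny everything that was not opened on purpose.
ip inspect name WAN_INSPECT tcp
ip inspect name WAN_INSPECT udp
ip inspect name WAN_INSPECT icmp
ip inspect name WAN_INSPECT ftp
ip inspect audit-trail
ip inspect tcp idle-time 3600
ip inspect udp idle-time 60
!
! --- 2. Inbound ACL on the WAN side. Inbound, the ACL is evaluated before NAT,
!        so the destination is the public Dialer1 address; "any" as destination
!        keeps it working if the PPP address changes. Only the ports already
!        exposed by the "ip nat inside source static" lines are opened.
access-list 101 remark === Internet -> Dialer1 ===
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq 5900
access-list 101 permit tcp any any eq 6000
access-list 101 permit tcp any any eq 4711
access-list 101 permit tcp any any eq 4713
access-list 101 permit udp any any eq 4712
access-list 101 permit tcp any any eq 6881
access-list 101 permit tcp any any range 6666 6668
access-list 101 permit tcp any any eq 2710
! Replies to the router's OWN traffic are not covered by CBAC in this release
! (no "router-traffic" keyword yet): its DNS lookups to the configured
! name-servers and its pings.
access-list 101 permit udp host 88.149.128.12 eq domain any
access-list 101 permit udp host 88.149.128.22 eq domain any
access-list 101 permit icmp any any echo-reply
! Path-MTU discovery needs this one even for inspected sessions.
access-list 101 permit icmp any any packet-too-big
access-list 101 deny   ip any any log
!
! --- 3. Apply both on the same interface: inspect outbound, filter inbound.
interface Dialer1
 ip inspect WAN_INSPECT out
 ip access-group 101 in
!
! --- 4. Checks (from enable mode)
! show ip inspect config     rule and timeouts as entered
! show ip inspect sessions   live sessions; browse from the LAN first
! show access-lists 101      hit counters; the deny line should climb fast
! show ip nat translations   the static entries still map to 192.168.1.1
```

Three things to know before pasting it. First, in 12.3(7)T CBAC does not inspect traffic the router itself originates (the `router-traffic` keyword arrived in a later release), which is why the replies to the router's own DNS lookups and pings are permitted explicitly. Second, passive-mode FTP from the Internet to 192.168.1.1 opens a second, client-initiated connection on a random port that the deny line will catch; either pin the server's passive port range and permit it, or add `ip inspect WAN_INSPECT in` on Dialer1 as well and confirm with `show ip inspect sessions`. Third, whether VNC (5900) and X11 (6000) should be reachable from the whole Internet deserves a thought; if they exist for your own remote access, replace the source `any` with your own addresses. Unrelated to the firewall but visible in the same config: the vty `password 7 ...` string is a type 7 password, which is reversible obfuscation rather than a hash, so treat it as published and change it.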
MaiO:

Ottovp wrote: Hi, I had a look and it's roughly like my 1st/2nd semester CCNA manual :)
OK, I was after a few tips, maybe on the access lists, or on how to set up the various FW rules between the ATM and the NAT.
I know the concepts; I wanted to "transfer" them into the config :)

Bye

P.S. As for the errors, I've noticed they're typical of this IOS version.
:?:

Try here:
http://www.cisco.com/en/US/products/sw/ ... l#wp999526


Ciao
-=] MaiO [=-
Wizard:

Below is the configuration produced by Cisco's AutoSecure feature.
Adapt it to your situation:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
security passwords min-length 6
security authentication failure rate 10 log
enable secret 5 $1$CZ6G$GkGOnHdNJCO3CjNHHyTUA.
aaa new-model
aaa authentication login local_auth local
!
line console 0
 login authentication local_auth
 exec-timeout 5 0
 transport output telnet
line aux 0
 login authentication local_auth
 exec-timeout 10 0
 transport output telnet
line vty 0 4
 login authentication local_auth
 transport input telnet
!
ip domain-name cisco.com
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh telnet
!
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
!
interface FastEthernet0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface FastEthernet1/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface FastEthernet1/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
!
ip cef
interface FastEthernet0/0
 ip verify unicast reverse-path
!
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
access-list 100 deny ip any any
interface FastEthernet0/0
 ip inspect autosec_inspect out
 ip access-group 100 in
!
end
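Added example, the editor's and neither AutoSecure output nor Wizard's: the hardening above mapped onto the SOHO 97 from the first post, which has Ethernet0 and Dialer1 rather than FastEthernet ports. Two deliberate departures from the dump: the boot log in the first post shows this image rejecting `no aaa new-model`, so the `aaa` lines are most likely unavailable too and are replaced by `login local` with a local user; and the blanket `access-list 100 deny ip any any` is left out, because on that router it would also block the dozen port forwards, which need their own permit lines rather than a deny-all. The user name `admin` and the domain `home.lan` are placeholders; ACL 23 is the one already present in the posted config.

```cisco
! Added example (editor's), not AutoSecure output: Wizard's hardening mapped
! onto the SOHO 97 config from the first post. Placeholders: user "admin",
! domain "home.lan". Comment lines start with "!" as in an IOS config.
!
! --- Management plane
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip http secure-server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
security passwords min-length 8
security authentication failure rate 10 log
!
! --- Local login instead of AAA. The type-7 "enable password" goes;
!     "enable secret" (already present in the posted config) is the only
!     enable credential that remains.
no enable password
username admin privilege 15 secret CHANGE-ME-long-passphrase
ip domain-name home.lan
! Run the next line at the CLI, not from a paste: it prompts, and it needs
! hostname and ip domain-name already set.
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
line con 0
 login local
 exec-timeout 5 0
 transport output none
line aux 0
 login local
 exec-timeout 10 0
 transport output none
line vty 0 4
 access-class 23 in
 login local
 exec-timeout 10 0
 transport input ssh
 transport output none
!
! --- Logging
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec
service sequence-numbers
logging buffered 16384 informational
logging console critical
!
! --- Interfaces. uRPF on the WAN side needs CEF. "no ip unreachables" is
!     left off Ethernet0 on purpose: it would also suppress "fragmentation
!     needed", which LAN hosts rely on for path-MTU discovery whenever the PPP
!     link runs below 1500 bytes.
ip cef
interface Ethernet0
 no ip redirects
 no ip proxy-arp
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface Dialer1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 ip verify unicast reverse-path
!
! --- Checks (from enable mode)
! show ip ssh                                     SSH enabled, version 2
! show running-config | include transport input   only "transport input ssh"
! show cdp                                        CDP reported as not enabled
! show ip interface Dialer1                       the IP verify (uRPF) line
```

Run `crypto key generate rsa` interactively rather than pasting it: it prompts, and it refuses to run until hostname and domain name are set. After changing the vty lines, test an SSH login from a second session before closing the one you are working in; with `transport input ssh` a wrong user name or a missing key leaves you without remote access until you reach the console.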
Ottovp:

Legendary!
I'll try it now :)