Zone based firewall and very poor VoIP quality

Secure your network!

Moderator: Federico.Lagni

berlioz
n00b
Posts: 3
Joined: Fri 03 Aug, 2007 2:04 pm

Hello everyone.
I have a CISCO 1844 configured with 384MB of RAM, HWIC-1ADSL, HWIC-AP-G-E and IOS version c1841-advipservicesk9-mz.12.4-15.T3. I recently configured the new zone-based firewall, assigning in particular a subinterface of the Dot11Radio interface to the VOIP zone and the Dialer interface to the INTERNET zone. To avoid introducing latency while the firewall inspects packets between the two zones, I configured them with a "pass all" policy for the default class in both directions. The problem is that, despite this precaution, since the new firewall has been running, call quality has deteriorated considerably. I also noticed that quality improves "slightly" if I also assign the Dot11Radio subinterface to the INTERNET zone, but that introduces security problems I would like to avoid. Has anyone by any chance noticed the same kind of problem with the new IOS Firewall as far as voice traffic is concerned? Is there any trick to improve performance?
If needed I can post the show conf, but I don't think the problem lies in the configuration.

Thanks
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb, 2006 10:04 am
Location: Emilia Romagna

It's obvious that the problem is in the configuration...
But have you tried configuring QoS for VoIP?
The future is made of people who have intuitions and visions..... they are the people who make the difference...... those with a THIRD EYE....
berlioz
n00b
Posts: 3
Joined: Fri 03 Aug, 2007 2:04 pm

Hi,

here is the configuration.

thanks



CISCO1841#show conf
Using 14751 out of 196600 bytes
!
! Last configuration change at 11:01:58 GMT Fri Aug 8 2008 by XXXXXXXXX
! NVRAM config last updated at 11:01:59 GMT Fri Aug 8 2008 by XXXXXXXXX
!
version 12.4
service timestamps debug datetime msec localtime year
service timestamps log datetime msec localtime year
service password-encryption
!
hostname CISCO1841
!
boot-start-marker
boot system flash c1841-advipservicesk9-mz.124-15.T3.bin
boot-end-marker
!
logging buffered 12288
no logging console
no logging monitor
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa group server radius GRUPPO-RADIUS
server 192.168.2.3 auth-port 1812 acct-port 1813
!
aaa authentication login WIRELESS group GRUPPO-RADIUS local
aaa authentication login TELNET group GRUPPO-RADIUS local
aaa authentication login SDM group GRUPPO-RADIUS local
aaa authentication ppp VPN local
aaa authorization exec SDM group GRUPPO-RADIUS local
aaa authorization network default local
!
!
aaa session-id common
clock timezone GMT 1
clock summer-time GMT recurring
!
dot11 ssid rete-protetta
vlan 2
authentication open eap WIRELESS
authentication network-eap WIRELESS
authentication key-management wpa
guest-mode
!
dot11 ssid telefono
vlan 3
max-associations 1
authentication open
!
dot11 phone
ip cef
!
!
ip nbar custom customrtp udp 8000 8001 8002 8004
ip nbar custom customstun udp 3478
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.129
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.2
ip dhcp excluded-address 192.168.2.3
!
ip dhcp pool WIRELESS
network 192.168.2.128 255.255.255.128
default-router 192.168.2.129
dns-server 192.168.2.3
!
ip dhcp pool RETE-PROTETTA
network 192.168.2.0 255.255.255.128
default-router 192.168.2.1
dns-server 192.168.2.3
!
!
ip name-server 193.70.152.15
ip name-server 193.70.152.25
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips config location flash:/IPS/ retries 1
ip ips notify SDEE
ip ips name FIREWALL-INTERNO list CONSENTI-RETI-INTERNE
!
ip ips signature-category
category all
retired true
enabled false
event-action reset-tcp-connection deny-packet-inline produce-alert
category adware/spyware
retired false
enabled true
event-action reset-tcp-connection deny-packet-inline produce-alert
category viruses/worms/trojans
retired false
enabled true
event-action reset-tcp-connection deny-packet-inline produce-alert
category ddos
retired false
enabled true
event-action reset-tcp-connection deny-packet-inline produce-alert
category attack command_execution
retired false
enabled true
event-action reset-tcp-connection deny-packet-inline produce-alert
category attack file_access
retired false
enabled true
event-action reset-tcp-connection deny-packet-inline produce-alert
category attack ids_evasion
retired false
enabled true
event-action reset-tcp-connection deny-packet-inline produce-alert
!
ip sdee subscriptions 2
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
password encryption aes
!
crypto pki trustpoint TP-self-signed-1725869512
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1725869512
revocation-check none
rsakeypair TP-self-signed-1725869512
!
!
crypto pki certificate chain TP-self-signed-1725869512
certificate self-signed 01 nvram:IOS-Self-Sig#6.cer
!
!
username XXXXXXXXX privilege 15 password 7 XXXXXXXXX
username XXXXXXXXX password 7 XXXXXXXXX
archive
log config
hidekeys
!
crypto keyring CRYPTO-KEYRING
pre-shared-key address 0.0.0.0 0.0.0.0 key 6 XXXXXXXXX
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp profile L2TP-PROFILE
keyring CRYPTO-KEYRING
match identity address 0.0.0.0
!
!
crypto ipsec transform-set L2TPTRANS esp-3des esp-md5-hmac
mode transport
!
crypto dynamic-map L2TP 1
set security-association lifetime seconds 28800
set transform-set L2TPTRANS
set isakmp-profile L2TP-PROFILE
!
!
crypto map L2TPMAP 1 ipsec-isakmp dynamic L2TP
!
!
!
!
class-map type inspect match-any POP3-L3
match protocol pop3
class-map match-any P2P
match protocol bittorrent
match protocol edonkey file-transfer "*"
match protocol fasttrack file-transfer "*"
match protocol gnutella file-transfer "*"
match protocol kazaa2 file-transfer "*"
match protocol directconnect
match protocol winmx
match access-group name P2P
class-map type inspect match-any DA-P2P-A-INTERNET
match protocol http
match protocol https
match protocol icmp
match protocol dns
match protocol ftp
match protocol ssh
match protocol telnet
match protocol tftp
match protocol tcp
match protocol udp
class-map type inspect match-any DA-INTERNET-A-P2P
match protocol tcp
match protocol udp
class-map type inspect match-any DA-SICURA-A-P2P
match protocol netbios-ssn
match protocol microsoft-ds
match protocol icmp
class-map type inspect match-any DA-SICURA-A-INTERNET
match protocol http
match protocol https
match protocol icmp
match protocol dns
match protocol ftp
match protocol ssh
match protocol telnet
match protocol telnets
match protocol smtp
match protocol imap
match protocol imap3
match protocol sms
match protocol msnmsgr
match protocol realmedia
match protocol shell
match protocol ymsgr
match protocol tftp
match protocol netbios-ns
match protocol netbios-ssn
match protocol netbios-dgm
class-map type inspect match-all DA-SICURA-A-INTERNET-MAIN
match access-group name DA-SICURA-A-INTERNET
match class-map DA-SICURA-A-INTERNET
class-map match-any VOICE
match protocol customstun
match protocol customrtp
match protocol rtcp
match protocol sip
class-map type inspect match-any DA-P2P-A-VOIP
match protocol http
match protocol icmp
class-map type inspect match-all DA-SICURA-A-P2P-MAIN
match access-group name DA-SICURA-A-P2P
match class-map DA-SICURA-A-P2P
class-map type inspect match-all DA-INTERNET-A-P2P-MAIN
match access-group name DA-INTERNET-A-P2P
match class-map DA-INTERNET-A-P2P
class-map type inspect match-all DA-P2P-A-INTERNET-MAIN
match access-group name DA-P2P-A-INTERNET
match class-map DA-P2P-A-INTERNET
class-map match-any VOICE-IN
match access-group name VOIP-IN
class-map type inspect pop3 match-any POP3
match invalid-command
class-map type inspect match-all DA-P2P-A-VOIP-MAIN
match access-group name DA-P2P-A-VOIP
match class-map DA-P2P-A-VOIP
!
!
policy-map P2P
class P2P
police cir 8000
conform-action transmit
exceed-action drop
violate-action drop
policy-map VOICE-OUT
class VOICE
priority 80
set ip dscp ef
policy-map type inspect DA-P2P-A-INTERNET
class type inspect DA-P2P-A-INTERNET-MAIN
inspect
class class-default
policy-map type inspect DA-INTERNET-A-P2P
class type inspect DA-INTERNET-A-P2P-MAIN
inspect
class class-default
policy-map type inspect DA-SICURA-A-P2P
class type inspect DA-SICURA-A-P2P-MAIN
inspect
class class-default
policy-map type inspect DA-P2P-A-VOIP
class type inspect DA-P2P-A-VOIP-MAIN
inspect
class class-default
policy-map type inspect pop3 POP3
class type inspect pop3 POP3
reset
log
class class-default
policy-map type inspect DA-SICURA-A-INTERNET
class type inspect POP3-L3
inspect
service-policy pop3 POP3
class type inspect DA-SICURA-A-INTERNET-MAIN
inspect
class class-default
policy-map type inspect DA-VOIP-A-INTERNET
class class-default
pass
policy-map type inspect DA-INTERNET-A-VOIP
class class-default
pass
policy-map VOICE-IN
class VOICE-IN
set ip dscp ef
!
zone security SICURA
zone security INTERNET
zone security P2P
zone security VOIP
zone-pair security DA-SICURA-A-P2P source SICURA destination P2P
service-policy type inspect DA-SICURA-A-P2P
zone-pair security DA-SICURA-A-INTERNET source SICURA destination INTERNET
service-policy type inspect DA-SICURA-A-INTERNET
zone-pair security DA-P2P-A-INTERNET source P2P destination INTERNET
service-policy type inspect DA-P2P-A-INTERNET
zone-pair security DA-P2P-A-VOIP source P2P destination VOIP
service-policy type inspect DA-P2P-A-VOIP
zone-pair security DA-INTERNET-A-P2P source INTERNET destination P2P
service-policy type inspect DA-INTERNET-A-P2P
zone-pair security DA-VOIP-A-INTERNET source VOIP destination INTERNET
service-policy type inspect DA-VOIP-A-INTERNET
zone-pair security DA-INTERNET-A-VOIP source INTERNET destination VOIP
service-policy type inspect DA-INTERNET-A-VOIP
!
!
!
interface FastEthernet0/0
description RETE P2P
ip address 192.168.1.1 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
zone-member security P2P
speed 100
full-duplex
service-policy input P2P
!
interface FastEthernet0/1
description RETE PROTETTA
ip address 192.168.2.1 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip ips FIREWALL-INTERNO out
ip virtual-reassembly
zone-member security SICURA
speed 100
full-duplex
!
interface ATM0/0/0
bandwidth 8000
no ip address
no atm ilmi-keepalive
dsl operating-mode adsl2+
pvc 8/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
!
interface Dot11Radio0/1/0
description RETE WIRELESS
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
!
encryption vlan 2 mode ciphers aes-ccm tkip
!
broadcast-key vlan 2 change 300
!
!
ssid rete-protetta
!
ssid telefono
!
speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
channel 2457
station-role root
service-policy output VOICE-OUT
!
interface Dot11Radio0/1/0.1
description RETE WIRELESS PROTETTA
encapsulation dot1Q 2
ip address 192.168.2.129 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip ips FIREWALL-INTERNO out
ip virtual-reassembly
zone-member security SICURA
!
interface Dot11Radio0/1/0.2
description RETE WIRELESS VOIP
encapsulation dot1Q 3
ip address 192.168.3.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security VOIP
!
interface Virtual-Template1
ip unnumbered FastEthernet0/1
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
zone-member security SICURA
peer default ip address dhcp-pool RETE-PROTETTA
ppp authentication ms-chap-v2 VPN
!
interface Dialer1
mtu 1492
bandwidth 8000
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
zone-member security INTERNET
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication chap callin
ppp chap hostname XXXXXXXXX
ppp chap password 7 XXXXXXXXX
ppp multilink interleave
crypto map L2TPMAP
service-policy input VOICE-IN
service-policy output VOICE-OUT
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
ip http authentication aaa login-authentication SDM
ip http authentication aaa exec-authorization SDM
ip http secure-server
ip nat inside source static udp 192.168.3.2 3478 interface Dialer1 3478
ip nat inside source static udp 192.168.3.2 5060 interface Dialer1 5060
ip nat inside source static udp 192.168.3.2 8000 interface Dialer1 8000
ip nat inside source static udp 192.168.3.2 8001 interface Dialer1 8001
ip nat inside source static udp 192.168.3.2 8002 interface Dialer1 8002
ip nat inside source static tcp 192.168.1.4 10989 interface Dialer1 10989
ip nat inside source static udp 192.168.1.4 11633 interface Dialer1 11633
ip nat inside source static tcp 192.168.1.4 6463 interface Dialer1 6463
ip nat inside source static tcp 192.168.1.4 2234 interface Dialer1 2234
ip nat inside source list NATCLIENT interface Dialer1 overload
!
ip access-list standard NATCLIENT
permit 192.168.3.2
permit 192.168.2.0 0.0.0.255
permit 192.168.1.0 0.0.0.7
!
ip access-list extended CONSENTI-RETI-INTERNE
deny tcp host 192.168.1.4 eq 139 192.168.2.0 0.0.0.255
deny udp host 192.168.1.4 eq 445 192.168.2.0 0.0.0.255
deny ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip any any
ip access-list extended DA-INTERNET-A-P2P
permit tcp any any eq 6463
permit udp any any eq 11633
permit tcp any any eq 2234
permit tcp any any eq 10989
ip access-list extended DA-P2P-A-INTERNET
permit ip host 192.168.1.4 any
ip access-list extended DA-P2P-A-VOIP
permit ip host 192.168.1.4 host 192.168.3.2
ip access-list extended DA-SICURA-A-INTERNET
permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended DA-SICURA-A-P2P
permit ip 192.168.2.0 0.0.0.255 host 192.168.1.4
ip access-list extended P2P
permit tcp host 192.168.1.4 any eq 8270
permit tcp host 192.168.1.4 any eq 4242
permit tcp host 192.168.1.4 eq 6463 any
permit udp host 192.168.1.4 eq 11633 any
permit tcp host 192.168.1.4 any eq 4646
permit tcp host 192.168.1.4 eq 10989 any
permit tcp host 192.168.1.4 eq 2234 any
permit tcp host 192.168.1.4 any eq 10989
permit tcp host 192.168.1.4 any eq 2234
ip access-list extended TELNET
deny tcp 192.168.1.0 0.0.0.7 any eq telnet
permit tcp any any eq telnet
deny ip any any log
ip access-list extended VOIP
permit udp any eq 8000 any
permit udp any eq 8001 any
permit udp any eq 8002 any
permit udp any eq 8004 any
ip access-list extended VOIP-IN
permit udp any any eq 8000
permit udp any any eq 8001
permit udp any any eq 8002
permit udp any any eq 8004
permit udp any any eq 5060
permit udp any any eq 3478
!
no cdp run
!
!
!
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 32 include-in-access-req
radius-server host 192.168.2.3 auth-port 1812 acct-port 1813 key 7 XXXXXXXXX
radius-server vsa send authentication
!
control-plane
!
!
banner motd ^C
|===========================================================================|
| |
| UNAUTHORIZED ACCESS PROHIBITED !! |
| Disconnect IMMEDIATELY if you are not an authorized user ! |
| |
|===========================================================================|
^C
!
line con 0
line aux 0
line vty 0 4
session-timeout 5
access-class TELNET in
login authentication TELNET
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp authentication-key 1 md5 XXXXXXXXX
ntp trusted-key 1
ntp source FastEthernet0/1
ntp master 1
end
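To see exactly what the "pass all" policy on the VOIP/INTERNET zone pairs leaves without inspection, here is an added audit script (my own code, not from the thread or from Cisco) that parses the policy-map, zone-pair and interface sections of an IOS config and lists the zone pairs whose policy never uses inspect, plus which interface sits in each zone. The embedded config excerpt is a constructed copy of the relevant lines from the show conf posted above; the same functions work on the full paste.

```python
import re
# Constructed excerpt of the zone-based firewall section of the config posted in this thread.
SAMPLE_CONFIG = """\
policy-map type inspect DA-SICURA-A-INTERNET
 class type inspect DA-SICURA-A-INTERNET-MAIN
  inspect
 class class-default
policy-map type inspect DA-VOIP-A-INTERNET
 class class-default
  pass
policy-map type inspect DA-INTERNET-A-VOIP
 class class-default
  pass
zone-pair security DA-SICURA-A-INTERNET source SICURA destination INTERNET
 service-policy type inspect DA-SICURA-A-INTERNET
zone-pair security DA-VOIP-A-INTERNET source VOIP destination INTERNET
 service-policy type inspect DA-VOIP-A-INTERNET
zone-pair security DA-INTERNET-A-VOIP source INTERNET destination VOIP
 service-policy type inspect DA-INTERNET-A-VOIP
interface Dot11Radio0/1/0.2
 zone-member security VOIP
"""
PAIR_RE = re.compile(r"zone-pair security (\S+) source (\S+) destination (\S+)")
def parse_zbf(text):
    """Returns (policies, pairs, zone_members); blocks are found by keyword, not indentation."""
    policies, pairs, members = {}, {}, {}
    kind = name = cls = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("policy-map type inspect "):
            kind, name = "policy", line.split()[-1]; policies[name] = {}
        elif line.startswith("zone-pair security "):
            kind, (name, src, dst) = "pair", PAIR_RE.match(line).groups()
            pairs[name] = {"src": src, "dst": dst, "policy": None}
        elif line.startswith("interface "):
            kind, name = "iface", line.split()[1]
        elif kind == "policy" and line.startswith("class "):
            cls = line.split()[-1]; policies[name][cls] = "drop"  # ZBF: a class with no action drops
        elif kind == "policy" and line in ("inspect", "pass", "drop"):
            policies[name][cls] = line
        elif kind == "pair" and line.startswith("service-policy type inspect "):
            pairs[name]["policy"] = line.split()[-1]
        elif kind == "iface" and line.startswith("zone-member security "):
            members.setdefault(line.split()[-1], []).append(name)
    return policies, pairs, members

def uninspected_pairs(text):
    """Zone pairs whose policy never inspects: only pass/drop, so no session state is kept."""
    policies, pairs, _ = parse_zbf(text)
    return sorted(n for n, p in pairs.items() if "inspect" not in policies.get(p["policy"], {}).values())
```

Because pass creates no session, return traffic for these pairs depends entirely on the opposite-direction pair also passing, which is why both VOIP/INTERNET pairs above show up in the list.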