Configuring WAN SSH access to a Cisco 857
Posted: Sat 29 May 2010, 6:57 pm
Hi all,
I'd like some help, if possible, with modifying a configuration that I built about 80% with SDM for an Alice res line.
I have a minimal knowledge of IOS commands, but honestly I had not considered the problem of configuring firewall rules to allow SSH/telnet access from the Internet to the router itself, and I haven't understood what to change.
Another thing I'd like to do is make Dialer0 pingable for diagnostic purposes, from the router itself and/or from the Internet.
The IOS version is 12.4(15)T11.
This is the current config, stripped only of the passwords and the certificate, which took far too much space:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname Cisco857
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console informational
!
no aaa new-model
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-1084598882
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1084598882
revocation-check none
rsakeypair TP-self-signed-1084598882
!
!
crypto pki certificate chain TP-self-signed-1084598882
certificate self-signed 01
---- omitted ----
quit
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.63
!
ip dhcp pool sdm-pool
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
domain-name miodominio
dns-server 151.99.125.1 212.216.112.112
lease 0 2
!
!
ip cef
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp router-traffic
ip inspect name SDM_HIGH udp
no ip bootp server
ip domain name miodominio.dnsalias.com
ip name-server 151.99.125.1
ip name-server 212.216.112.112
ip ddns update method sdm_ddns1
HTTP
add http://login:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://login:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
!
!
appfw policy-name SDM_HIGH
application http
strict-http action reset
!
!
!
username root privilege 15 password 7 XXXXX
username admin privilege 15 secret 5 XXXXX
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
!
!
!
interface ATM0
mtu 1500
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
dsl bitswap both
!
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
ip ddns update hostname miodominio.dnsalias.com
ip ddns update sdm_ddns1
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip inspect SDM_HIGH out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname cisco
ppp chap password 7 121A0C041104
ppp pap sent-username cisco password 7 094F471A1A0A
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.2 4662 interface Dialer0 4662
ip nat inside source static udp 10.10.10.2 4672 interface Dialer0 4672
ip nat inside source static tcp 10.10.10.2 5881 interface Dialer0 5881
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark Auto generated by SDM for NTP (123) 193.204.114.232
access-list 100 permit udp host 193.204.114.232 eq ntp host 10.10.10.1 eq ntp
access-list 100 remark Auto generated by SDM for NTP (123) 193.204.114.233
access-list 100 permit udp host 193.204.114.233 eq ntp host 10.10.10.1 eq ntp
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark uTorrent
access-list 101 permit tcp any any eq 5881
access-list 101 remark eMule UDP
access-list 101 permit udp any any eq 4672
access-list 101 remark eMule TCP
access-list 101 permit tcp any any eq 4662
access-list 101 permit udp host 212.216.112.112 eq domain any
access-list 101 permit udp host 151.99.125.1 eq domain any
access-list 101 remark Auto generated by SDM for NTP (123) 193.204.114.232
access-list 101 permit udp host 193.204.114.232 eq ntp any eq ntp
access-list 101 remark Auto generated by SDM for NTP (123) 193.204.114.233
access-list 101 permit udp host 193.204.114.233 eq ntp any eq ntp
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner exec ^CCC
% Password expiration warning.
---- omitted ----
^C
banner login ^CCC
---- omitted ----
^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
timeout login response 60
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
sntp server 193.204.114.232
sntp server 193.204.114.233
end
Other suggestions to improve performance and/or security are also welcome.

Thanks to everyone
Mav
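An added worked example (the editor's, not from the original post or from Cisco) of the changes that would answer the two questions against the configuration posted above. It assumes the administrator connects from one fixed public address, written here as the documentation address 203.0.113.10; if the source is not fixed, the `host 203.0.113.10` entries become `any` and the login throttling at the end matters more. The new user password is left as a placeholder to be substituted.

```cisco
! 1. Why it fails today: access-list 101 is applied inbound on Dialer0 and
!    ends with "deny ip any any log". It has no permit for tcp/22 (or 23)
!    to the router and no permit for icmp echo, only for echo-reply,
!    time-exceeded and unreachable. CBAC ("ip inspect SDM_HIGH out") only
!    opens return paths for sessions the LAN or the router itself started,
!    so it does nothing for unsolicited inbound SSH. On top of that,
!    "access-class 23 in" on the vty lines accepts only 10.10.10.0/24 as
!    a source, whichever interface the connection arrives on.
!
! 2. Make SSH usable before exposing it. The self-signed trustpoint key
!    pair serves the HTTPS server; SSH needs a general-purpose RSA key.
!    "ip domain name" is already set, which is the other prerequisite.
configure terminal
 crypto key generate rsa general-keys modulus 2048
 ip ssh version 2
 ip ssh time-out 60
 ip ssh authentication-retries 3
!
! 3. Put the permits ABOVE the final deny. A plain "access-list 101 permit
!    ..." appends to the end of a numbered ACL, i.e. after
!    "deny ip any any log", and would never match. Editing the numbered ACL
!    in named mode with sequence numbers places the entries before the
!    first existing line (sequence 10). The destination is "any" because
!    the Dialer0 address is negotiated and changes.
 ip access-list extended 101
  remark admin SSH from the Internet (203.0.113.10 is an assumed admin address)
  1 permit tcp host 203.0.113.10 any eq 22
  remark diagnostic ping of the Dialer0 address from the same host
  2 permit icmp host 203.0.113.10 any echo
 exit
!
! 4. The vty access-class is a second gate with its own source filter.
 access-list 23 permit host 203.0.113.10
!
! 5. Drop telnet on the vty lines (cleartext credentials on the WAN side
!    would undo the point of SSH) and throttle password guessing. The
!    quiet-mode access-class keeps the LAN range in ACL 23 able to log in
!    while the router is blocking after failed attempts.
 line vty 0 4
  transport input ssh
  exec-timeout 10 0
 exit
 login block-for 120 attempts 3 within 60
 login on-failure log
 login quiet-mode access-class 23
!
! 6. Related hardening visible in the posted config (the "other
!    suggestions" asked for): the "root" user carries a type-7 password,
!    which is reversible, so recreate it with a type-5 secret like the
!    "admin" user (do this from the admin session); the plaintext HTTP
!    server is redundant with the HTTPS one already enabled.
 no username root
 username root privilege 15 secret <new-password>
 no ip http server
end
!
! 7. Verification, on the router and then from the admin host.
show ip ssh                                  ! expect "SSH Enabled - version 2.0"
show access-lists 101                        ! sequence 1 and 2 listed before the deny
show ip interface Dialer0 | include access list
! from 203.0.113.10:  ssh -l admin <dialer0-address>   and   ping <dialer0-address>
! anything still dropped shows up via "deny ip any any log":  show logging
```

Opening `echo` to `any` instead of one host makes the router answer every Internet scanner, so keep the source narrowed if at all possible; the same goes for port 22, where `login block-for` limits guessing but does not stop it. Pinging the Dialer0 address from the router itself is not governed by the inbound ACL on Dialer0, since that traffic never enters the interface, so the ICMP entry above is only about tests from outside.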