Hi, I'm new here and not very experienced.
At the office we changed the type of connection, still with Telecom; they changed both the public static address and the 8 fixed addresses.
How should I proceed? I have a Cisco PIX 515 firewall and a 1700 router upstream, with its ATM1/0 interface connected to the line.
Thanks.
The network is a bit complex: there are several switches and several VLANs.
This is the firewall:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 Management security99
enable password oP6iAHhlkBE1yoTU encrypted
passwd g6G2J/Bk/tpsBNB6 encrypted
hostname FW-AC-CW-1
domain-name UFFICIOapix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol http 80-8080
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.1.3.0 VL-CW-FWFL-1
name 10.5.101.0 VL-CW-FL-1.Ammnistr.
name 10.5.102.0 VL-CW-FL-2.Mansarda
name 10.5.103.0 VL-CW-FL-3.Primopiano
name 10.5.104.0 VL-CW-FL-4.Pianoterra
name 10.5.106.0 VL-CW-FL-6.Scantinato
name 10.5.107.0 VL-CW-FL-7.Server_1
name 10.5.108.0 VL-CW-FL-8.Server_2
name 10.5.105.0 VL-CW-FL-5.Altro
name 85.38.226.162 PA-Pubblico
name 10.2.4.0 VL-Mgt-RTSW-1
name 10.2.5.0 VL-CW-FWMgt-1
name 10.2.7.29 Mgt-Server-1
name 10.2.7.30 Mgt-Server-2
name 10.2.6.0 VL-Mgt-RTFW-1
name 10.2.7.0 VL-CW-Mgt-1
name 10.5.106.11 Stampante-TAC
name 10.5.106.10 TAC
name 10.5.104.7 Locale-PC2
name 10.5.104.6 Locale-PC1
name 10.5.108.5 Data-Server-net2
name 10.5.108.4 Appl-Server-Net2
name 10.5.103.9 Guardia-PC2
name 10.5.103.8 -Guardia-PC1
name 10.5.107.3 Data-Server-Net1
name 10.5.107.2 Appl-Server-Net1
name 10.2.4.8 SW-Floor-1
name 10.2.4.7 SW-Floor-2
name 10.2.4.6 SW-Floor-3
name 10.2.4.5 RT-FL-CW-1_Int.1
name 10.2.4.4 RT-AC-CW-1_Int.1
name 10.2.4.3 SW-CSL-CW-1
name 10.2.4.2 SW-Mgt-Cw-1
name 10.2.4.1 RT-Mgt-CW-1_Int.3
name 10.2.6.2 FW-Mgt-CW-1_Outside
name 10.2.6.1 RT-Mgt-Cw-1_Int.1
name 10.2.5.2 RT-Mgt-CW-1_Int.2
name 10.2.7.1 FW-Mgt-CW-1_Inside
name 10.1.3.2 RT-FL-CW-1_Int.3
name 10.5.104.13 Locale-PC3
name XXX.121.XXX.121 RT-AC-CW-1_Int.2
name 10.5.107.5 Server-Antivirus-Int2
name 10.5.107.4 Server-Antivirus-Int1
name 10.5.106.62 PC-Rad
name 10.5.102.25 PC-Sala
name 10.5.102.19 PC-utenti-2
name 10.5.102.18 PC-utenti-1
name 10.5.106.12 SyngoXS1
name 10.5.104.34 Locale-EEG-NEW
name 10.5.103.29 PC1-1Piano-New
name 10.5.104.35 PC1-PTerra-New
name 10.5.106.60 NB-RisMag-New
name 10.5.101.37 PC-Scant_new
name 172.16.1.22 Apparati_22
name 172.16.1.0 Apparati_Scantinato
name 10.5.106.108 Scantinato_108
name 10.5.106.107 Scantinato_107
object-group service Ext-Mgt-Dev-TCPGroup tcp
description TCP ports open for remote management of network devices
port-object eq telnet
port-object eq www
port-object eq ssh
port-object eq https
port-object eq ftp
object-group service Server-TCPGroup tcp
description TCP ports open for remote management of servers
port-object eq telnet
port-object eq www
port-object eq 5800
port-object eq ssh
port-object eq ftp
port-object eq 5900
port-object eq 10000
object-group service Ext-Mgt-Dev-UDPGroup udp
description UDP ports open for remote management of network devices
port-object eq tftp
port-object eq www
object-group service Pc-Control-TCPGroup tcp
description TCP ports open for remote management of computers
port-object eq 5900
port-object eq 5800
object-group service Server-UDPGroup udp
description UDP ports open for remote management of servers
port-object eq tftp
port-object eq www
port-object eq 10000
object-group service Traffic-TCP-Permit tcp
description TCP traffic permitted inbound from the internet
port-object eq www
port-object eq ftp-data
port-object eq pop3
port-object eq https
port-object eq ftp
port-object eq smtp
port-object eq telnet
object-group service RX-Remote-TCP tcp
description Allows viewing of images from the SyngoXS1 server
port-object eq www
port-object eq ssh
port-object eq ftp-data
port-object eq https
port-object eq ftp
object-group service RX-Remote-UDP udp
description Allows viewing of images from the SyngoXS1 server
port-object eq secureid-udp
port-object eq tftp
access-list compiled
access-list inside_outbound_nat0_acl permit ip any 10.2.10.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 10.5.100.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 10.5.109.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 10.5.110.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip host SyngoXS1 host 10.5.111.1
access-list inside_outbound_nat0_acl permit ip host SyngoXS1 10.5.112.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 10.2.10.0 255.255.255.224
access-list outside_cryptomap_dyn_40 permit ip any 10.5.100.0 255.255.255.224
access-list outside_cryptomap_dyn_60 permit ip any 10.5.109.0 255.255.255.224
access-list outside_cryptomap_dyn_80 permit ip any 10.5.110.0 255.255.255.224
access-list Management_nat0_outbound permit ip any 10.2.10.0 255.255.255.224
access-list outside_access_in permit tcp 85.137.246.160 255.255.255.248 any eq https
access-list outside_access_in permit tcp 85.137.246.160 255.255.255.248 any eq telnet
access-list outside_access_in permit icmp host RT-AC-CW-1_Int.2 host RT-FL-CW-1_Int.3
access-list outside_access_in permit tcp 10.5.100.0 255.255.255.224 VL-CW-FL-1.Ammnistr. 255.255.255.0 object-group Pc-Control-TCPGroup
access-list outside_access_in permit tcp 10.5.100.0 255.255.255.224 VL-CW-FL-2.Mansarda 255.255.255.0 object-group Pc-Control-TCPGroup
access-list outside_access_in permit tcp 10.5.100.0 255.255.255.224 VL-CW-FL-3.Primopiano 255.255.255.0 object-group Pc-Control-TCPGroup
access-list outside_access_in permit tcp 10.5.100.0 255.255.255.224 VL-CW-FL-4.Pianoterra 255.255.255.0 object-group Pc-Control-TCPGroup
access-list outside_access_in permit tcp 10.5.100.0 255.255.255.224 VL-CW-FL-5.Degenza 255.255.255.0 object-group Pc-Control-TCPGroup
access-list outside_access_in deny ip 10.5.100.0 255.255.255.224 host TAC
access-list outside_access_in deny ip 10.5.100.0 255.255.255.224 host Stampante-TAC
access-list outside_access_in deny ip 10.5.100.0 255.255.255.224 host SyngoXS1
access-list outside_access_in permit tcp 10.5.100.0 255.255.255.224 VL-CW-FL-6.Scantinato 255.255.255.0 object-group Pc-Control-TCPGroup
access-list outside_access_in permit tcp 10.5.100.0 255.255.255.224 VL-CW-FL-7.Server_1 255.255.255.0 object-group Server-TCPGroup
access-list outside_access_in permit tcp 10.5.100.0 255.255.255.224 VL-CW-FL-8.Server_2 255.255.255.0 object-group Server-TCPGroup
access-list outside_access_in permit udp 10.5.100.0 255.255.255.224 VL-CW-FL-7.Server_1 255.255.255.0 object-group Server-UDPGroup
access-list outside_access_in permit udp 10.5.100.0 255.255.255.224 VL-CW-FL-8.Server_2 255.255.255.0 object-group Server-UDPGroup
access-list outside_access_in permit tcp 10.5.109.0 255.255.255.224 VL-CW-FL-1.Ammnistr. 255.255.255.0 object-group Pc-Control-TCPGroup
access-list outside_access_in permit tcp 10.5.109.0 255.255.255.224 VL-CW-FL-2.Mansarda 255.255.255.0 object-group Pc-Control-TCPGroup
access-list outside_access_in permit tcp 10.5.109.0 255.255.255.224 VL-CW-FL-3.Primopiano 255.255.255.0 object-group Pc-Control-TCPGroup
access-list outside_access_in permit tcp 10.5.109.0 255.255.255.224 VL-CW-FL-4.Pianoterra 255.255.255.0 object-group Pc-Control-TCPGroup
access-list outside_access_in deny ip 10.5.109.0 255.255.255.224 host TAC
access-list outside_access_in deny ip 10.5.109.0 255.255.255.224 host Stampante-TAC
access-list outside_access_in deny ip 10.5.109.0 255.255.255.224 host SyngoXS1
access-list outside_access_in permit tcp 10.5.109.0 255.255.255.224 VL-CW-FL-6.Scantinato 255.255.255.0 object-group Pc-Control-TCPGroup
access-list outside_access_in permit tcp 10.5.109.0 255.255.255.224 host Server-Antivirus-Int1 object-group Pc-Control-TCPGroup
access-list outside_access_in permit tcp 10.5.109.0 255.255.255.224 host Server-Antivirus-Int2 object-group Pc-Control-TCPGroup
access-list outside_access_in deny ip 10.5.109.0 255.255.255.224 host Appl-Server-Net1
access-list outside_access_in deny ip 10.5.109.0 255.255.255.224 host Data-Server-Net1
access-list outside_access_in deny ip 10.5.109.0 255.255.255.224 VL-CW-FL-8.Server_2 255.255.255.0
access-list outside_access_in permit ip 10.5.110.0 255.255.255.224 host TAC
access-list outside_access_in permit ip 10.5.110.0 255.255.255.224 host Stampante-TAC
access-list outside_access_in permit ip 10.5.110.0 255.255.255.224 host SyngoXS1
access-list outside_access_in deny ip 10.5.110.0 255.255.255.224 any
access-list outside_access_in permit ip 10.2.10.0 255.255.255.224 VL-Mgt-RTSW-1 255.255.255.240
access-list outside_access_in permit ip 10.2.10.0 255.255.255.224 VL-CW-FWMgt-1 255.255.255.240
access-list outside_access_in permit ip 10.2.10.0 255.255.255.224 VL-Mgt-RTFW-1 255.255.255.240
access-list outside_access_in permit ip 10.2.10.0 255.255.255.224 VL-CW-Mgt-1 255.255.255.224
access-list outside_access_in deny ip 10.2.10.0 255.255.255.224 any
access-list outside_access_in permit tcp host 10.5.111.1 host SyngoXS1 object-group RX-Remote-TCP
access-list outside_access_in permit udp host 10.5.111.1 host SyngoXS1 object-group RX-Remote-UDP
access-list outside_access_in deny ip host 10.5.111.1 any
access-list outside_access_in permit tcp 10.5.112.0 255.255.255.224 host SyngoXS1 object-group RX-Remote-TCP
access-list outside_access_in permit udp 10.5.112.0 255.255.255.224 host SyngoXS1 object-group RX-Remote-UDP
access-list outside_access_in deny ip 10.5.112.0 255.255.255.224 any
access-list outside_access_in permit tcp any any object-group Traffic-TCP-Permit
access-list outside_cryptomap_dyn_100 permit ip any host 10.5.111.1
access-list outside_cryptomap_dyn_120 permit ip any 10.5.112.0 255.255.255.224
pager lines 24
logging history notifications
icmp permit 10.1.10.0 255.255.255.248 outside
icmp permit host RT-AC-CW-1_Int.2 outside
icmp permit VL-CW-FWFL-1 255.255.255.240 inside
icmp permit VL-CW-FWMgt-1 255.255.255.240 Management
icmp permit VL-CW-Mgt-1 255.255.255.224 Management
icmp permit VL-Mgt-RTSW-1 255.255.255.240 Management
mtu outside 1500
mtu inside 1500
mtu Management 1500
ip address outside 81.121.224.122 255.255.255.248
ip address inside 10.1.3.1 255.255.255.240
ip address Management 10.2.5.1 255.255.255.240
ip audit name Inbound-Rules-Attack attack action alarm drop reset
ip audit name Inbound-Rules-Info info action alarm drop reset
ip audit name Outbound-Rules-Attack attack action alarm drop reset
ip audit name Outbound-Rules-Info info action alarm drop reset
ip audit interface outside Inbound-Rules-Info
ip audit interface outside Inbound-Rules-Attack
ip audit info action alarm
ip audit attack action alarm
ip local pool Mgt 10.2.10.1-10.2.10.30 mask 255.255.255.224
ip local pool Siemens 10.5.110.1-10.5.110.30 mask 255.255.255.224
ip local pool Ht 10.5.100.1-10.5.100.30 mask 255.255.255.224
ip local pool 10.5.109.1-10.5.109.30 mask 255.255.255.224
ip local pool RX-Remote-1 10.5.111.1
ip local pool RX-Remote-2 10.5.112.1-10.5.112.30
pdm location VL-CW-FL-1.Ammnistr. 255.255.255.0 inside
pdm location VL-CW-FL-2.Mansarda 255.255.255.0 inside
pdm location VL-CW-FL-3.Primopiano 255.255.255.0 inside
pdm location VL-CW-FL-4.Pianoterra 255.255.255.0 inside
pdm location VL-CW-FL-5.Degenza 255.255.255.0 inside
pdm location VL-CW-FL-6.Scantinato 255.255.255.0 inside
pdm location VL-CW-FL-7.Server_1 255.255.255.0 inside
pdm location VL-CW-FL-8.Server_2 255.255.255.0 inside
pdm location VL-Mgt-RTSW-1 255.255.255.240 Management
pdm location VL-Mgt-RTFW-1 255.255.255.240 Management
pdm location VL-CW-Mgt-1 255.255.255.224 Management
pdm location PA-Pubblico 255.255.255.255 outside
pdm location Mgt-Server-1 255.255.255.255 Management
pdm location Mgt-Server-2 255.255.255.255 Management
pdm location 255.255.255.255 inside
pdm location Stampante-TAC 255.255.255.255 inside
pdm location SyngoXS1 255.255.255.255 inside
pdm location Guardia-PC1 255.255.255.255 inside
pdm location Guardia-PC2 255.255.255.255 inside
pdm location Locale-EMG-PC1 255.255.255.255 inside
pdm location Locale-EMG-PC2 255.255.255.255 inside
pdm location Appl-Server-Net1 255.255.255.255 inside
pdm location Data-Server-Net1 255.255.255.255 inside
pdm location Appl-Server-Net2 255.255.255.255 inside
pdm location Data-Server-net2 255.255.255.255 inside
pdm location 10.2.10.0 255.255.255.224 outside
pdm location 10.5.100.0 255.255.255.224 outside
pdm location 10.5.109.0 255.255.255.224 outside
pdm location 10.5.110.0 255.255.255.224 outside
pdm location RT-Mgt-CW-1_Int.3 255.255.255.255 Management
pdm location SW-Mgt-Cw-1 255.255.255.255 Management
pdm location SW-CSL-CW-1 255.255.255.255 Management
pdm location RT-AC-CW-1_Int.1 255.255.255.255 Management
pdm location RT-FL-CW-1_Int.1 255.255.255.255 Management
pdm location SW-Floor-3 255.255.255.255 Management
pdm location SW-Floor-2 255.255.255.255 Management
pdm location SW-Floor-1 255.255.255.255 Management
pdm location RT-Mgt-CW-1_Int.2 255.255.255.255 Management
pdm location RT-Mgt-Cw-1_Int.1 255.255.255.255 Management
pdm location FW-Mgt-CW-1_Outside 255.255.255.255 Management
pdm location FW-Mgt-CW-1_Inside 255.255.255.255 Management
pdm location RT-FL-CW-1_Int.3 255.255.255.255 inside
pdm location Locale-EMG-PC3 255.255.255.255 inside
pdm location 85.137.246.160 255.255.255.248 outside
pdm location 0.0.0.0 255.255.255.248 outside
pdm location RT-AC-CW-1_Int.2 255.255.255.255 outside
pdm location Server-Antivirus-Int1 255.255.255.255 inside
pdm location Server-Antivirus-Int2 255.255.255.255 inside
pdm location PC-Medico-Rad 255.255.255.255 inside
pdm location PC-SALA- 255.255.255.255 inside
pdm location PC-1 255.255.255.255 inside
pdm location PC-2 255.255.255.255 inside
pdm location 217.133.172.0 255.255.255.240 outside
pdm location 10.5.111.1 255.255.255.255 outside
pdm location 10.5.112.0 255.255.255.224 outside
pdm location 217.133.12.76 255.255.255.255 inside
pdm location 217.133.172.0 255.255.255.255 inside
pdm location 217.133.12.76 255.255.255.255 outside
pdm location Locale-EEG-NEW 255.255.255.255 inside
pdm location PC1-1Piano-New 255.255.255.255 inside
pdm location 10.5.103.30 255.255.255.255 inside
pdm location 10.5.103.31 255.255.255.255 inside
pdm location 10.5.103.32 255.255.255.255 inside
pdm location PC1-PTerra-New 255.255.255.255 inside
pdm location NB-RisMag-New 255.255.255.255 inside
pdm location PC-Scant_new 255.255.255.255 inside
pdm location Apparati_22 255.255.255.255 inside
pdm location Apparati_Scantinato 255.255.255.0 inside
pdm location Scantinato_108 255.255.255.255 inside
pdm location Scantinato_107 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 100 interface
global (outside) 110 XXX.121.XXX.123
global (outside) 120 XXX.121.XXX.124
global (outside) 130 XXX.121.XXX.125
global (outside) 140 XXX.121.XXX.126
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 120 PC-1 255.255.255.255 0 0
nat (inside) 120 PC-2 255.255.255.255 0 0
nat (inside) 120 PC-Sala 255.255.255.255 0 0
nat (inside) 120 Guardia-PC1 255.255.255.255 0 0
nat (inside) 120 Guardia-PC2 255.255.255.255 0 0
nat (inside) 120 PC1-1Piano-New 255.255.255.255 0 0
nat (inside) 120 10.5.103.30 255.255.255.255 0 0
nat (inside) 120 10.5.103.31 255.255.255.255 0 0
nat (inside) 120 10.5.103.32 255.255.255.255 0 0
nat (inside) 130 Locale-EMG-PC1 255.255.255.255 0 0
nat (inside) 130 Locale-EMG-PC2 255.255.255.255 0 0
nat (inside) 130 Locale-EMG-PC3 255.255.255.255 0 0
nat (inside) 130 Locale-EEG-NEW 255.255.255.255 0 0
nat (inside) 130 PC1-PTerra-New 255.255.255.255 0 0
nat (inside) 120 NB-RisMag-New 255.255.255.255 0 0
nat (inside) 120 PC-Rad 255.255.255.255 0 0
nat (inside) 120 Scantinato_107 255.255.255.255 0 0
nat (inside) 120 Scantinato_108 255.255.255.255 0 0
nat (inside) 120 Apparati_22 255.255.255.255 0 0
nat (inside) 110 VL-CW-FL-1.Ammnistr. 255.255.255.0 0 0
nat (inside) 140 VL-CW-FL-7.Server_1 255.255.255.0 0 0
nat (inside) 140 VL-CW-FL-8.Server_2 255.255.255.0 0 0
nat (Management) 0 access-list Management_nat0_outbound
nat (Management) 100 VL-CW-Mgt-1 255.255.255.224 0 0
static (inside,outside) RT-FL-CW-1_Int.3 RT-FL-CW-1_Int.3 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 RT-AC-CW-1_Int.2 1
route Management VL-Mgt-RTSW-1 255.255.255.240 RT-Mgt-CW-1_Int.2 1
route Management VL-Mgt-RTFW-1 255.255.255.240 RT-Mgt-CW-1_Int.2 1
route Management VL-CW-Mgt-1 255.255.255.224 RT-Mgt-CW-1_Int.2 1
route inside VL-CW-FL-1.Ammnistr. 255.255.255.0 RT-FL-CW-1_Int.3 1
route inside VL-CW-FL-2.Mansarda 255.255.255.0 RT-FL-CW-1_Int.3 1
route inside VL-CW-FL-3.Primopiano 255.255.255.0 RT-FL-CW-1_Int.3 1
route inside VL-CW-FL-4.Pianoterra 255.255.255.0 RT-FL-CW-1_Int.3 1
route inside VL-CW-FL-5.Degenza 255.255.255.0 RT-FL-CW-1_Int.3 1
route inside VL-CW-FL-6.Scantinato 255.255.255.0 RT-FL-CW-1_Int.3 1
route inside VL-CW-FL-7.Server_1 255.255.255.0 RT-FL-CW-1_Int.3 1
route inside VL-CW-FL-8.Server_2 255.255.255.0 RT-FL-CW-1_Int.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
filter activex except 0.0.0.0 0.0.0.0 82.112.195.133 255.255.255.255
filter activex except 0.0.0.0 0.0.0.0 10.5.100.0 255.255.255.224
filter activex except 0.0.0.0 0.0.0.0 10.5.109.0 255.255.255.224
filter activex except 0.0.0.0 0.0.0.0 10.5.110.0 255.255.255.224
filter activex except VL-CW-Mgt-1 255.255.255.224 10.2.10.0 255.255.255.224
filter java except 0.0.0.0 0.0.0.0 10.5.100.0 255.255.255.224
filter java except 0.0.0.0 0.0.0.0 10.5.109.0 255.255.255.224
filter java except 0.0.0.0 0.0.0.0 10.5.110.0 255.255.255.224
filter java except VL-CW-Mgt-1 255.255.255.224 10.2.10.0 255.255.255.224
filter activex except 0.0.0.0 0.0.0.0 10.5.111.1 255.255.255.255
filter activex except 0.0.0.0 0.0.0.0 10.5.112.0 255.255.255.224
filter java except 0.0.0.0 0.0.0.0 10.5.111.1 255.255.255.255
filter java except SyngoXS1 255.255.255.255 10.5.112.0 255.255.255.224
filter activex 80-8080 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter java 80-8080 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http 217.133.172.0 255.255.255.240 outside
http 217.133.12.76 255.255.255.255 outside
http VL-CW-FWFL-1 255.255.255.240 inside
http VL-CW-Mgt-1 255.255.255.224 Management
snmp-server host Management Mgt-Server-1
snmp-server host Management Mgt-Server-2
no snmp-server location
snmp-server contact helper-local
snmp-server community helperadmin
snmp-server enable traps
tftp-server Management Mgt-Server-1 C:\TFTP-Root
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 120 match address outside_cryptomap_dyn_120
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Mgt address-pool Mgt
vpngroup Mgt idle-time 1800
vpngroup Mgt password ********
vpngroup Ht-address-pool Ht-
vpngroup Ht-idle-time 1800
vpngroup Ht-password ********
vpngroup Address-pool
vpngroup idle-time 1800
vpngroup password ********
vpngroup Siemens address-pool Siemens
vpngroup Siemens idle-time 1800
vpngroup Siemens password ********
vpngroup lano address-pool RX-Remote-1
vpngroup lano idle-time 1800
vpngroup lano password ********
vpngroup XRayService address-pool RX-Remote-2
vpngroup XRayService idle-time 1800
vpngroup XRayService password ********
vpngroup Test idle-time 1800
vpngroup Philips address-pool
vpngroup Philips idle-time 1800
vpngroup Philips password ********
telnet RT-AC-CW-1_Int.2 255.255.255.255 outside
telnet VL-CW-FWFL-1 255.255.255.240 inside
telnet VL-CW-Mgt-1 255.255.255.224 Management
telnet RT-Mgt-CW-1_Int.2 255.255.255.255 Management
telnet timeout 5
ssh timeout 5
console timeout 0
username philips password CIfv62oKv.QVGUH3 encrypted privilege 2
username xrayservice password VquLl5Ocj2dEIdF0 encrypted privilege 3
username siemens password DoZagHLKCs1anH3p encrypted privilege 3
username password 9HXx4s.xHmtMaecj encrypted privilege 3
usernamelano password kI1gi3.Ry7QxKsNq encrypted privilege 3
username password 7de8ABZopgiUr8pN encrypted privilege 3
username mgt password ILXJN06GV2Hne2aH encrypted privilege 15
auto-update device-id ipaddress Management
auto-update server https://********@Mgt-Server-1/autoupdat ... ateServlet
terminal width 80
banner login Access for authorized users only. Please enter your username and password.
This is the router:
!
class-map match-any ARP
match protocol arp
class-map match-any Slammer-Worm
match access-group name ACL-Slammer-Worm
match packet length min 404 max 404
class-map match-any Http-Hacks-Worm
match protocol http url "*.ida*"
match protocol http url "*cmd.exe*"
match protocol http url "*root.exe*"
match protocol http url "*readme.eml*"
match protocol http url "*.rtf.exe*"
match protocol http url "*.doc.exe*"
match protocol http url "*.jpg.exe*"
match protocol http url "*.mp3.exe*"
match protocol http url "*.mp3.pif*"
match protocol http url "*.txt.exe*"
match protocol http url "*.mpg.exe*"
match protocol http url "*3D Studio Max 6 3dsmax.exe*"
match protocol http url "*ACDSee 10.exe*"
match protocol http url "*Adobe Photoshop 10 crack.exe*"
match protocol http url "*Adobe Photoshop 10 full.exe*"
match protocol http url "*Adobe Premiere 10.exe*"
match protocol http url "*Ahead Nero 8.exe*"
match protocol http url "*Best Matrix Screensaver new.scr*"
match protocol http url "*Clone DVD 6.exe*"
match protocol http url "*Cloning.doc.exe*"
match protocol http url "*Cracks & Warez Archiv.exe*"
match protocol http url "*Dark Angels new.pif*"
match protocol http url "*DivX 8.0 final.exe*"
match protocol http url "*Doom 3 release 2.exe*"
class-map match-any Dos-Attack
match access-group name ACL-RateLimitSyn
!
!
policy-map Drop-HacksWormDoS-Attack
class Http-Hacks-Worm
set ip dscp 1
class Slammer-Worm
police 1000000 31250 31250 conform-action transmit exceed-action drop violate-action drop
class Dos-Attack
police 4000000 16000 16000 conform-action transmit exceed-action drop
policy-map RateLimitARP
class ARP
police 8000 1500 1500 conform-action transmit exceed-action drop violate-action drop
!
!
!
interface FastEthernet0/0
no ip address
shutdown
speed 100
!
interface FastEthernet0/1
description towards SW-Mgt-CW-1; carries VL-Mgt-RTSW-1 (VID=004)
switchport access vlan 4
no ip address
duplex full
speed 100
!
interface FastEthernet0/2
description towards FW-AC-CW-1; carries VL-CW-FWAC-1 (VID=002)
switchport access vlan 2
no ip address
!
interface FastEthernet0/3
description 802.1q trunk; native VLAN VL-CW-FWAC-1 (VID=002)
switchport trunk native vlan 2
switchport mode trunk
no ip address
shutdown
duplex full
speed 100
!
interface FastEthernet0/4
no ip address
shutdown
!
interface ATM1/0
ip address XX.123.XXX.162 255.255.255.252
ip access-group ACL-XXXXX_In in
ip access-group ACL-XXXXX-Out out
ip verify unicast reverse-path
rate-limit input access-group 101 512000 96000 192000 conform-action set-prec-transmit 5 exceed-action set-prec-transmit 0
rate-limit input access-group 102 128000 24000 48000 conform-action set-prec-transmit 5 exceed-action set-prec-transmit 0
rate-limit input access-group 103 128000 24000 48000 conform-action set-prec-transmit 5 exceed-action set-prec-transmit 0
rate-limit input access-group 104 320000 60000 120000 conform-action set-prec-transmit 5 exceed-action set-prec-transmit 0
rate-limit input access-group 105 128000 24000 48000 conform-action set-prec-transmit 5 exceed-action set-prec-transmit 0
rate-limit input access-group 106 256000 48000 96000 conform-action set-prec-transmit 5 exceed-action set-prec-transmit 0
rate-limit input access-group 107 512000 96000 192000 conform-action set-prec-transmit 5 exceed-action set-prec-transmit 0
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
service-policy output RateLimitARP
pvc 8/35
encapsulation aal5snap
!
!
interface Vlan1
no ip address
!
interface Vlan2
description VL-CW-FWAC-1 - transit between RT-AC and FW-AC
ip address XXX.121.XXX.121 255.255.255.248
ip access-group ACL-Land-Attack in
ip access-group ACL-HacksWorm out
service-policy output Drop-HacksWormDoS-Attack
!
interface Vlan4
description VL-Mgt-RTSW-1 - router and switch management
ip address 10.2.4.4 255.255.255.240
ip access-group ACL-MGT-In in
ip access-group ACL-MGT-Out out
!
ip classless
ip route 0.0.0.0 0.0.0.0 XX.123.XXX.161
ip route 10.1.3.0 255.255.255.240 81.121.224.122 permanent
ip route 10.2.5.0 255.255.255.240 10.2.4.1 permanent
ip route 10.2.6.0 255.255.255.240 10.2.4.1 permanent
ip route 10.2.7.0 255.255.255.224 10.2.4.1 permanent
ip route 10.2.10.0 255.255.255.224 10.2.4.1 permanent
ip route 10.5.101.0 255.255.255.0 XXX.121.XXX.122 permanent
ip route 10.5.102.0 255.255.255.0 XXX.121.XXX.122 permanent
ip route 10.5.103.0 255.255.255.0 XXX.121.XXX.122 permanent
ip route 10.5.104.0 255.255.255.0 XXX.121.XXX.122 permanent
ip route 10.5.105.0 255.255.255.0 XXX.121.XXX.122 permanent
ip route 10.5.106.0 255.255.255.0 XXX.121.XXX.122 permanent
ip route 10.5.107.0 255.255.255.0 XXX.121.XXX.122 permanent
ip route 10.5.108.0 255.255.255.0 XXX.121.XXX.122 permanent
!
ip http server
ip http access-class 20
ip http timeout-policy idle 5 life 86400 requests 10000
!
ip access-list extended ACL-HacksWorm
remark
remark +----------------------------------------------------------+
remark | ACL IP policy for the Code-Red, Nimda and W32/Netsk worms |
remark +----------------------------------------------------------+
remark
deny ip any any dscp 1
permit ip any any
ip access-list extended ACL-Land-Attack
remark
remark +----------------------------------------------------------+
remark | ACL for "Land"-type attacks |
remark +----------------------------------------------------------+
remark
deny ip host XXX.121.XXX.121 host XXX.121.XXX.121 log
permit ip any any
ip access-list extended ACL-MGT-In
remark
remark +----------------------------------------------------------+
remark | ACL on traffic inbound from the management network |
remark +----------------------------------------------------------+
remark
remark +----------------------------------------------------------+
remark | Checks traffic to prevent "land"-type attacks |
remark +----------------------------------------------------------+
remark
deny ip host 10.2.4.4 host 10.2.4.4 log
remark
remark +----------------------------------------------------------+
remark | Checks traffic from the Mgt network --> router |
remark +----------------------------------------------------------+
remark
permit icmp host 10.2.4.1 host 10.2.4.4
permit icmp 10.2.7.0 0.0.0.31 host 10.2.4.4
permit icmp 10.2.6.0 0.0.0.15 host 10.2.4.4
permit icmp 10.2.5.0 0.0.0.15 host 10.2.4.4
permit ip 10.2.7.0 0.0.0.31 host 10.2.4.4
permit ip host 10.2.4.1 host 10.2.4.4
remark
remark +----------------------------------------------------------+
remark | Checks traffic from Palermo --> router |
remark +----------------------------------------------------------+
remark
permit icmp 10.2.10.0 0.0.0.31 host 10.2.4.4
permit tcp 10.2.10.0 0.0.0.31 host 10.2.4.4
permit udp 10.2.10.0 0.0.0.31 host 10.2.4.4
remark
deny ip any any log
ip access-list extended ACL-MGT-Out
remark
remark +----------------------------------------------------------+
remark | ACL on traffic outbound towards the management network |
remark +----------------------------------------------------------+
remark
permit ip host 10.2.4.4 any
deny ip any any
ip access-list extended ACL--In
remark
remark +----------------------------------------------------------------+
remark | ACL for inbound filtering |
remark +----------------------------------------------------------------+
remark
remark +----------------------------------------------------------------+
remark | Anti-spoofing filter |
remark | blocks inbound traffic carrying private source addresses |
remark +----------------------------------------------------------------+
remark
deny ip 127.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
remark 172.16.0.0/12 needs the contiguous wildcard 0.15.255.255; 0.240.255.255 only matches second octets that are multiples of 16
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip host 0.0.0.0 any
deny icmp any any redirect
remark
remark +----------------------------------------------------------------+
remark | Inbound traffic filter for the network |
remark +----------------------------------------------------------------+
remark
remark -------------------->>>> full filter <<<<--------------------
remark
deny tcp any any eq echo
deny tcp any any eq 11
deny tcp any any eq daytime
deny tcp any any eq 17
deny tcp any any eq chargen
deny tcp any any eq 37
deny tcp any any eq tacacs
deny tcp any any eq sunrpc
deny udp any any eq echo
deny udp any any eq 11
deny udp any any eq 13
deny udp any any eq 17
deny udp any any eq 19
deny udp any any eq time
deny udp any any eq tacacs
deny udp any any eq sunrpc
remark
remark --------------->>>> full W32 Sasser filter <<<<---------------
remark
deny tcp any any eq 1068
deny tcp any any eq 5564
deny tcp any any range 9992 9997
deny udp any any eq 1068
deny udp any any eq 5564
deny udp any any range 9992 9997
remark
remark ---------------->>>> NetBIOS ports filter <<<<----------------
remark
deny tcp any any eq 139
deny tcp any any eq 445
deny tcp any any range exec cmd
deny tcp any any eq 635
deny tcp any any eq 2049
deny udp any any range netbios-ns netbios-dgm
deny udp any any eq 445
deny udp any any eq 635
deny udp any any eq 2049
remark
remark ----------------->>>> Zotob worm filter <<<<-----------------
remark
deny tcp any any eq 7778
deny tcp any any eq 8563
deny tcp any any eq 8594
deny tcp any any eq 8888
remark
remark -------------------->>>> TCP-only filter <<<<--------------------
remark
deny tcp any any eq 15
deny tcp any any eq smtp
deny tcp any any eq domain
deny tcp any any eq gopher
deny tcp any any eq finger
deny tcp any any eq 87
deny tcp any any eq 95
deny tcp any any eq nntp
deny tcp any any eq 144
deny tcp any any eq lpd
deny tcp any any range uucp 541
deny tcp any any eq 2000
remark
remark ------------------>>>> X connections filter <<<<-----------------
remark
deny tcp any any range 6000 6063
remark
remark -------------------->>>> UDP-only filter <<<<--------------------
remark
deny udp any any range bootps bootpc
deny udp any any eq tftp
deny udp any any range snmp snmptrap
deny udp any any eq xdmcp
deny udp any any eq rip
remark
remark ----------------->>>> Let everything else through <<<<-----------------
remark
permit ip any any
ip access-list extended ACL-Out
permit tcp XXX.121.XXX.120 0.0.0.7 any eq 33333 established
deny tcp any any eq 33333
deny tcp any any eq 6667
deny tcp any any eq 8080
permit tcp XXX.121.XXX.120 0.0.0.7 any eq 11173 established
deny tcp any any eq 11173
deny udp any any eq tftp
deny tcp any any eq 445
deny tcp any any eq 7778
deny tcp any any eq 8563
deny tcp any any eq 8594
deny tcp any any eq 8888
permit ip XXX.121.XXX.120 0.0.0.7 any
deny ip any any
ip access-list extended ACL-RateLimitSyn
remark
remark +----------------------------------------------------------+
remark | ACL IP policy for DDoS attacks |
remark +----------------------------------------------------------+
remark
permit tcp any any syn
ip access-list extended ACL-Slammer-Worm
remark
remark +----------------------------------------------------------+
remark | ACL IP policy for the SQL Slammer worm |
remark +----------------------------------------------------------+
remark
deny udp any any eq 1434
permit ip any any
!
access-list 10 remark controls access for the SNMP server
access-list 10 permit 10.2.7.0 0.0.0.31
access-list 10 deny any
access-list 20 remark controls access to the web server and the TFTP servers
access-list 20 permit 10.2.7.0 0.0.0.31
access-list 20 permit 10.2.10.0 0.0.0.31
access-list 20 deny any
access-list 101 permit tcp any any eq ftp
access-list 102 permit tcp any any eq www
access-list 103 permit tcp any any eq 22
access-list 104 permit tcp any any eq pop3
access-list 105 permit tcp any any eq 443
access-list 106 permit tcp any any eq telnet
access-list 107 deny tcp any any eq ftp
access-list 107 deny tcp any any eq www
access-list 107 deny tcp any any eq 22
access-list 107 deny tcp any any eq pop3
access-list 107 deny tcp any any eq 443
access-list 107 deny tcp any any eq telnet
access-list 107 permit ip any any
snmp-server community helperadmin RO 10
snmp-server trap-source Vlan4
snmp-server system-shutdown
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps flash insertion removal
snmp-server enable traps atm pvc
snmp-server enable traps atm subif
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps ipmulticast
snmp-server enable traps cpu threshold
snmp-server enable traps syslog
snmp-server host 10.2.7.29 1
snmp-server host 10.2.7.30 1
snmp-server tftp-server-list 20
no cdp run
!
control-plane
!
banner login ^C
THANKS EVERYONE
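The two configs above share one public /29 between the router's Vlan2 address (ending .121), the PIX outside interface (.122) and the NAT globals (.123 to .126), plus a /30 on ATM1/0 towards the ISP: that /29 is the "8 fixed addresses" of the question and the /30 carries the static address. Moving to a new block means touching `ip address outside`, the `global (outside)` pool, the `name` entry that aliases the router address, the router's `interface Vlan2` and `interface ATM1/0` addresses, its default route, every `ip route ... permanent` whose next hop is the PIX, `ACL-Land-Attack` and the source ranges in `ACL-Out`. The script below is an added example, not part of the original post and not a Cisco tool: it maps every address of the old block to the same offset in the new block, rewrites the lines that carry one, sets aside the anonymised `XXX` lines for manual review, and prints a paste-ready `no`/re-enter plan. The address blocks are assumed placeholders from the RFC 5737 documentation ranges, and the config excerpts are constructed to mirror the posted statements.

```python
"""Address-change planner for the PIX 6.3 and IOS configs posted above.

Added example; not part of the original post or of any Cisco tool. The
address blocks are placeholders from the RFC 5737 documentation ranges:
OLD_LAN/NEW_LAN stand for the /29 shared by the router's Vlan2 (.121), the
PIX outside (.122) and the NAT globals (.123-.126); OLD_WAN/NEW_WAN for the
/30 on ATM1/0 towards the ISP. Substitute the blocks Telecom assigned.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

OLD_LAN, NEW_LAN = "192.0.2.120/29", "203.0.113.40/29"      # assumed
OLD_WAN, NEW_WAN = "198.51.100.160/30", "203.0.113.0/30"    # assumed

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
REDACTED = re.compile(r"X{2,}")   # the "XXX.121.XXX.123" style anonymisation

# Constructed excerpts mirroring the statements in the posted configs that
# carry public addresses (names, interface, globals, routes, ACL entries).
SAMPLE_PIX = """\
name 192.0.2.121 RT-AC-CW-1_Int.2
ip address outside 192.0.2.122 255.255.255.248
global (outside) 100 interface
global (outside) 110 192.0.2.123
global (outside) 140 192.0.2.126
route outside 0.0.0.0 0.0.0.0 RT-AC-CW-1_Int.2 1
telnet RT-AC-CW-1_Int.2 255.255.255.255 outside
""".splitlines()

SAMPLE_ROUTER = """\
interface ATM1/0
 ip address 198.51.100.162 255.255.255.252
interface Vlan2
 ip address 192.0.2.121 255.255.255.248
ip route 0.0.0.0 0.0.0.0 198.51.100.161
ip route 10.1.3.0 255.255.255.240 192.0.2.122 permanent
ip route 10.5.101.0 255.255.255.0 XXX.121.XXX.122 permanent
 deny ip host 192.0.2.121 host 192.0.2.121 log
 permit tcp 192.0.2.120 0.0.0.7 any eq 33333 established
""".splitlines()


def build_map(old_net: str, new_net: str) -> Dict[str, str]:
    """Map each address of old_net to the same host offset in new_net.

    Network and broadcast addresses are included so that wildcard ACL
    entries written on the network address (192.0.2.120 0.0.0.7) move too.
    """
    old = ipaddress.ip_network(old_net, strict=True)
    new = ipaddress.ip_network(new_net, strict=True)
    if old.prefixlen != new.prefixlen:
        raise ValueError(f"prefix length differs: {old} vs {new}")
    return {str(o): str(n) for o, n in zip(old, new)}


def renumber(lines: List[str], addr_map: Dict[str, str]
             ) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Rewrite every mapped address; return (changed pairs, manual lines).

    Lines holding an anonymised token cannot be mapped and are returned
    separately for manual review. Masks and wildcards are never in the map,
    so they pass through untouched; lines that reach a public address only
    through a PIX `name` alias come back unchanged as well.
    """
    changes, manual = [], []
    for line in lines:
        if REDACTED.search(line):
            manual.append(line)
            continue
        new_line = IPV4.sub(lambda m: addr_map.get(m.group(0), m.group(0)), line)
        if new_line != line:
            changes.append((line, new_line))
    return changes, manual


def change_plan(changes: List[Tuple[str, str]]) -> List[str]:
    """Render the changes as CLI lines to paste, old form negated first.

    Simplified rule: `ip address` overwrites in place; everything else
    (name, global, route, ACL entry) would otherwise stack, so the old form
    is removed with `no` before the new one is entered. Review before use.
    """
    plan = []
    for old, new in changes:
        body = old.strip()
        indent = old[: len(old) - len(body)]
        if not body.startswith("ip address"):
            plan.append(f"{indent}no {body}")
        plan.append(new)
    return plan


if __name__ == "__main__":
    lan, wan = build_map(OLD_LAN, NEW_LAN), build_map(OLD_WAN, NEW_WAN)
    for label, cfg, m in (("PIX", SAMPLE_PIX, lan),
                          ("Router", SAMPLE_ROUTER, {**lan, **wan})):
        changes, manual = renumber(cfg, m)
        print(f"--- {label}: {len(changes)} lines to change")
        print("\n".join(change_plan(changes)))
        for line in manual:
            print(f"! manual review (anonymised address): {line}")
```

Lines that reach the public address only through a PIX `name` alias (`route outside`, `telnet`, `icmp permit`, the ICMP entry in `outside_access_in`) come back unchanged, because renumbering the `name` line is what moves them, and `global (outside) 100 interface` follows the interface address on its own. Two things the script cannot see: check whether PIX 6.3 lets you `no` a `name` that other commands still reference (if not, the dependents come out first), and `isakmp identity address` means every vpngroup client has to be pointed at the new outside address. Change the router's Vlan2 address and the PIX outside address in the same window, since the `ip route ... permanent` entries that point at the PIX stop working the moment the two sides disagree.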
Thread: Internet connection change, reconfiguring a Cisco router
Moderator: Federico.Lagni
Hi,
I'd say the first thing is to post the 2 configurations. I can't help you with the PIX, but with the router I can.
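One thing to verify on the router while it is being reconfigured is the anti-spoofing section of its inbound ACL. IOS wildcards are bit masks, not prefix lengths: a 1 bit means "don't care" and a 0 bit means "must equal the base", and the mask does not have to be contiguous. `0.240.255.255` pins the low nibble of the second octet, so an entry written as `172.0.0.0 0.240.255.255` matches 172.16.x.x but lets 172.17.x.x through 172.31.x.x pass, while also denying unrelated 172.32.x.x, 172.48.x.x and so on; the contiguous spelling of 172.16.0.0/12 is `172.16.0.0 0.15.255.255`. The checker below is an added example, not part of the original post or of IOS: it applies the IOS bit semantics to `deny ip <src> any` entries and reports, for a list of address blocks, whether an entry covers the block fully, only partly, or not at all, and it runs both spellings of the 172 entry side by side. The ACL excerpt is constructed from the posted anti-spoofing section (the ACL name is redacted in the post, so `ACL-In` is a placeholder), and the list of blocks such a filter is expected to drop is an assumption of this example.

```python
"""Wildcard-mask checker for the anti-spoofing entries of the router's inbound ACL.

Added example; not part of the original post or of IOS. Evaluates IOS
access-list entries with the bit semantics IOS applies (wildcard bit 1 =
"don't care", 0 = "must equal the base"; wildcards need not be contiguous)
and reports whether a deny entry covers a block fully, partly, or not at all.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

ACE_RE = re.compile(r"^\s*deny\s+ip\s+(?:host\s+(\S+)|(\S+)\s+(\S+))\s+any\b")

# Constructed excerpt of the posted anti-spoofing section; ACL name assumed.
SAMPLE_ACL = """\
ip access-list extended ACL-In
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.0.0.0 0.240.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 224.0.0.0 31.255.255.255 any
 deny ip host 0.0.0.0 any
 permit ip any any
""".splitlines()

# Same ACL with the 172 entry written as a contiguous /12 wildcard.
FIXED_ACL = [l.replace("172.0.0.0 0.240.255.255", "172.16.0.0 0.15.255.255")
             for l in SAMPLE_ACL]

# Blocks an inbound anti-spoofing filter is normally expected to drop
# (assumed list: RFC 1918, loopback, multicast, link-local, CGNAT).
BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
          "224.0.0.0/4", "169.254.0.0/16", "100.64.0.0/10"]


def _i(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def parse_deny_aces(lines: List[str]) -> List[Tuple[str, str]]:
    """Collect (base, wildcard) from `deny ip <src> any` entries;
    `host X` is the same as `X 0.0.0.0`."""
    aces = []
    for line in lines:
        m = ACE_RE.match(line)
        if m and m.group(1):
            aces.append((m.group(1), "0.0.0.0"))
        elif m:
            aces.append((m.group(2), m.group(3)))
    return aces


def ace_matches(addr: str, base: str, wildcard: str) -> bool:
    """IOS match test: every bit the wildcard pins must equal the base."""
    fixed = ~_i(wildcard) & 0xFFFFFFFF
    return (_i(addr) ^ _i(base)) & fixed == 0


def ace_coverage(network: str, base: str, wildcard: str) -> str:
    """'covered' if every address of the block matches the entry, 'partial'
    if only some do, 'none' if they never overlap. Pure bit logic: a bit
    pinned by the entry but free in the block can only ever match half of
    the block's addresses, and a disagreement on a bit both sides pin means
    the two sets are disjoint."""
    net = ipaddress.ip_network(network, strict=True)
    fixed = ~_i(wildcard) & 0xFFFFFFFF
    hostmask = int(net.hostmask)
    diff = (int(net.network_address) ^ _i(base)) & fixed
    if diff & ~hostmask:      # disagree on a bit both sides pin -> disjoint
        return "none"
    if fixed & hostmask:      # entry pins a bit the block leaves free
        return "partial"
    return "covered"


def coverage_report(lines: List[str], networks: List[str]) -> Dict[str, str]:
    """Best verdict over all deny entries per block. A block that is only
    blocked by the union of several entries shows as 'partial' here."""
    rank = {"none": 0, "partial": 1, "covered": 2}
    aces = parse_deny_aces(lines)
    report = {}
    for n in networks:
        verdicts = [ace_coverage(n, base, wc) for base, wc in aces] or ["none"]
        report[n] = max(verdicts, key=lambda v: rank[v])
    return report


if __name__ == "__main__":
    for label, acl in (("discontiguous wildcard", SAMPLE_ACL),
                       ("contiguous /12", FIXED_ACL)):
        print(f"--- {label}")
        for net, verdict in coverage_report(acl, BOGONS).items():
            print(f"{net:18} {verdict}")
    for probe in ("172.16.0.1", "172.17.0.1", "172.32.0.1"):
        print(probe, ace_matches(probe, "172.0.0.0", "0.240.255.255"))
```

The report also shows which of the assumed blocks no entry touches at all (link-local and CGNAT in the sample); whether those belong in this particular filter is a policy decision, the script only makes the gap visible.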