Cisco 877 configuration on Alice 7 Mega ADSL: IPv4, IPv6, PPPoE

Configurations for ADSL and ISDN connectivity and switches for home users and small networks

Moderator: Federico.Lagni

fulviobz
Cisco fan
Posts: 30
Joined: Sat 25 Feb, 2012 4:14 pm

Hi everyone!
I'm posting here the configuration of my Cisco 877 router running c870-advipservicesk9-mz.124-24.T8.bin,
in case anyone needs it or in case someone spots horrors or possible optimizations.
I should say up front that I used solutions taken from this forum and from other sites.

Code:

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$XXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local 
!
!
aaa session-id common
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-2606526901
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2606526901
 revocation-check none
 rsakeypair TP-self-signed-2606526901
!
!
crypto pki certificate chain TP-self-signed-2606526901
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
dot11 syslog
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.100.1.1 10.100.1.199
ip dhcp excluded-address 10.100.1.230 10.100.1.254
!
ip dhcp pool free
   import all
   network 10.100.1.0 255.255.255.0
   default-router 10.100.1.15 
   dns-server 10.100.1.15 
   lease 0 0 5
!
!
ip cef
no ip bootp server
ip domain name lan
ip inspect log drop-pkt
ip inspect name IP_INSPECT cuseeme
ip inspect name IP_INSPECT dns
ip inspect name IP_INSPECT ftp
ip inspect name IP_INSPECT h323
ip inspect name IP_INSPECT sip
ip inspect name IP_INSPECT https
ip inspect name IP_INSPECT icmp
ip inspect name IP_INSPECT imap reset
ip inspect name IP_INSPECT pop3 reset
ip inspect name IP_INSPECT rcmd
ip inspect name IP_INSPECT realaudio
ip inspect name IP_INSPECT rtsp
ip inspect name IP_INSPECT esmtp
ip inspect name IP_INSPECT sqlnet
ip inspect name IP_INSPECT streamworks
ip inspect name IP_INSPECT tftp
ip inspect name IP_INSPECT tcp
ip inspect name IP_INSPECT udp
ip inspect name IP_INSPECT vdolive
ip ddns update method ddns1
 HTTP
  add http://[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
  remove http://[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 28 0 0 0
!
ipv6 unicast-routing
ipv6 cef
!
appfw policy-name IP_INSPECT
!
multilink bundle-name authenticated
!
!
!
username admin privilege 15 secret 5 $1$XXXXXXXXXXXXXXXXXXX
! 
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
 pvc 8/35 
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $FW_INSIDE$
 ip address 10.100.1.15 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ipv6 address NODE-PD ::1/64
 ipv6 enable
 ipv6 traffic-filter IPv6-DENY out
!
interface Dialer0
 description $FW_OUTSIDE$
 ip ddns update hostname XXXXXXXXX.dyndns.org
 ip ddns update ddns1
 ip address negotiated
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip flow ingress
 ip nat outside
 ip inspect IP_INSPECT out
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1400
 dialer pool 1
 dialer-group 1
 ipv6 address FE80::1 link-local
 ipv6 address autoconfig
 ipv6 enable
 ipv6 traffic-filter IPv6-IN in
 ipv6 mtu 1280
 ipv6 verify unicast reverse-path
 ipv6 dhcp client pd NODE-PD rapid-commit
 ipv6 virtual-reassembly
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname [email protected]
 ppp chap password 7 143E223D5A242B272D2B3663
 ppp ipcp dns request
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
!
logging trap debugging
access-list 1 permit 10.100.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.100.1.0 0.0.0.255
access-list 2 deny   any
access-list 102 permit ip any any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit tcp host 204.13.248.111 eq www any
access-list 103 permit udp any eq domain any
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
dialer-list 1 protocol ip permit
no cdp run

ipv6 route 2000::/3 Dialer0
ipv6 route ::/0 Dialer0
!
!
!
!
snmp-server community public RO
!
ipv6 access-list IPv6-DENY
 permit icmp any any
 permit tcp any any established
 deny ipv6 any any
!
ipv6 access-list IPv6-IN
 permit icmp any any
 permit tcp any any established
 permit udp any any eq 546
 deny ipv6 any any
!
control-plane
!
banner login ---CISCO---
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 authorization exec local_author
 login authentication local_authen
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
sntp server 10.100.1.22
end
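An added example, not part of the original post: a small Python check run over lines taken from the configuration above. It reports numbered ACL entries that can never match because a match-all entry precedes them (IOS evaluates ACL entries top-down and stops at the first match), a default SNMP community string, and passwords stored with reversible type 7 encoding. The function name `audit`, the sample text and the `<REDACTED>` placeholder are assumptions of this example.

```python
import re

# Sample lines copied from the configuration posted above (ACLs 2, 102, 103,
# SNMP and PPP lines); the credential value is replaced with a placeholder.
SAMPLE_CONFIG = """\
access-list 2 remark HTTP Access-class list
access-list 2 permit 10.100.1.0 0.0.0.255
access-list 2 deny   any
access-list 102 permit ip any any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
snmp-server community public RO
 ppp chap password 7 <REDACTED>
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.*)$")
# Match-everything forms: "any" (standard ACL) or "ip any any" (extended ACL).
CATCH_ALL_RE = re.compile(r"^(ip\s+any\s+any|any)(\s+log(-input)?)?$")

def audit(config: str) -> list[str]:
    """Return findings for shadowed ACL entries and weak credential settings."""
    findings = []
    catch_all = {}  # ACL number -> text of the first match-all entry seen
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            num, action = m.group(1), m.group(2)
            rest = " ".join(m.group(3).split())  # normalise spacing
            if num in catch_all:
                findings.append(
                    f"ACL {num}: '{action} {rest}' is unreachable after '{catch_all[num]}'")
            elif CATCH_ALL_RE.match(rest):
                catch_all[num] = f"{action} {rest}"
        elif re.match(r"^snmp-server community (public|private)\b", line):
            findings.append(f"SNMP: default community string in '{line}'")
        elif re.search(r"\bpassword 7 ", line):
            prefix = line.split(" 7 ")[0]
            findings.append(f"Type 7: reversible password encoding in '{prefix} 7 ...'")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample it flags the two `deny` entries of ACL 102, which sit after `permit ip any any`, plus the SNMP and type 7 lines; ACL 103 passes because its match-all `deny` is the last entry.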