Hi everyone,
I should say up front that I'm not a Cisco router expert. I'm installing
some 877s on ADSL lines so that one workstation can reach a specific
public host.
So I'd like a configuration that allows
no access from the WAN (except one or two IPs via SSH)
and no access from LAN hosts to the internet (except one or two IPs plus DNS).
I loaded the configuration below; the first part is OK,
i.e. it blocks access from the WAN, but I haven't really understood how and where to apply the ACL for the LAN.
Currently no kind of access towards the internet is possible from the LAN.
Thanks to anyone willing to give me some pointers.
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
no service dhcp
!
hostname ********
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 ********************
enable password 7 **********************
!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-2313100275
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2313100275
revocation-check none
rsakeypair TP-self-signed-2313100275
!
!
crypto pki certificate chain TP-self-signed-2313100275
certificate self-signed 01 nvram:IOS-Self-Sig#5.cer
dot11 syslog
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name ***************
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 ***********************
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 90
ip ssh authentication-retries 5
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
bundle-enable
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description lan
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
ip access-group 131 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username *********** password 7 *************************
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 9 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.2 3389 xx.xx.xx.xx 3389 extendable
ip nat inside source static tcp 10.10.10.2 5900 xx.xx.xx.xx 5900 extendable
!
logging trap debugging
access-list 9 permit 10.10.10.0 0.0.0.255
access-list 100 permit icmp any any
access-list 101 permit tcp any any
access-list 131 permit ip host xxx.xxx.xxx.xxx any
access-list 131 permit ip host xxx.xxx.xxx.xxx any
access-list 131 permit ip host xxx.xxx.xxx.xxx any
access-list 131 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
banner motd ^
c
^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
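Added example (not part of the original post, and not the poster's config): the two filters the question asks for, written against the posted configuration. The reason the LAN has no internet today is visible in the posted config: access-list 131 is applied inbound on Dialer0 and permits only three source hosts, so the replies to every connection the LAN opens are dropped as well. The fix is to let the router track outbound sessions (CBAC, `ip inspect`) so return traffic is opened dynamically, and to put the LAN restriction inbound on Vlan1, where the hosts' packets enter the router. All addresses below are placeholders from the RFC 5737 documentation ranges and are assumptions: 192.0.2.10/.11 are the management hosts, 203.0.113.10 is the public host the workstation must reach, 198.51.100.53 is the DNS server, and 10.10.10.2/.3 are the LAN hosts allowed out. The names FW-OUT, WAN-IN and LAN-IN are also arbitrary.

```cisco
! --- WAN side (Dialer0, inbound) --------------------------------------------
! Stateful inspection of what leaves via Dialer0: CBAC inserts temporary
! openings in the inbound filter for the matching replies, so the inbound
! list only needs to describe the unsolicited traffic we choose to accept.
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT icmp
!
ip access-list extended WAN-IN
 remark management hosts (placeholders): SSH to the router,
 remark plus the RDP/VNC ports the posted static NAT entries publish
 permit tcp host 192.0.2.10 any eq 22
 permit tcp host 192.0.2.11 any eq 22
 permit tcp host 192.0.2.10 any eq 3389
 permit tcp host 192.0.2.11 any eq 3389
 permit tcp host 192.0.2.10 any eq 5900
 permit tcp host 192.0.2.11 any eq 5900
 remark ICMP the router needs for path-MTU discovery and diagnostics
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark everything else is dropped and logged, as in the posted list 131
 deny   ip any any log
!
interface Dialer0
 no ip access-group 131 in
 ip access-group WAN-IN in
 ip inspect FW-OUT out
!
! --- LAN side (Vlan1, inbound) ----------------------------------------------
! Applied INBOUND on Vlan1. An inbound ACL on the "ip nat inside" interface
! is evaluated before translation, so it matches the private 10.10.10.x
! sources, never the public Dialer0 address.
ip access-list extended LAN-IN
 remark allowed workstations (placeholders): only DNS and the public host
 permit udp host 10.10.10.2 host 198.51.100.53 eq domain
 permit udp host 10.10.10.3 host 198.51.100.53 eq domain
 permit ip  host 10.10.10.2 host 203.0.113.10
 permit ip  host 10.10.10.3 host 203.0.113.10
 remark assumption: the LAN may still SSH to the router itself
 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 22
 remark every other LAN host and every other destination is dropped
 deny   ip any any log
!
interface Vlan1
 ip access-group LAN-IN in
!
! Verification after applying:
!   show ip access-lists           (hit counters on the permit/deny lines)
!   show ip inspect sessions       (the dynamic openings CBAC created)
!   show logging                   (the "deny ... log" hits from both lists)
```

Two checks before relying on this. First, `ip inspect` needs an IOS image with the firewall feature set; if `ip inspect name` is not accepted, the weaker fallback is `permit tcp any any established` plus a `permit udp host 198.51.100.53 eq domain any` line in WAN-IN, which only checks TCP flags and does not track UDP state. Second, the destination in WAN-IN is `any` because Dialer0's address is negotiated; the posted static NAT lines hard-code a public address, so if the line really has a fixed IP those entries can use `host` instead. Two smaller points in the posted config: `ip http access-class 23` references an access-list 23 that is never defined, so the HTTP/HTTPS server is not actually restricted, and the vty lines allow `telnet` as well as `ssh` with no `access-class`, so `transport input ssh` plus an access-class on `line vty 0 4` would complete the "SSH only from a couple of IPs" goal.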