Discussion: Cisco 1721 and P2P
Old 04-02-2004, 20:49   #12
NightStalker
Senior Member
Joined: Oct 2000
City: Hellstorm
Posts: 7808
I would revise this config like this:

------------------------------------------------------
version 12.2
! service config also makes the router try to fetch a configuration over TFTP at boot
! (use "no service config" if that is not wanted)
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname paoletto
!
logging buffered 10000 informational
enable secret XXXXXXXX
username AAAAAAAA password YYYYYYYY
!
ip subnet-zero
no ip source-route
!
ip name-server 212.216.112.112
ip name-server 212.216.172.62
!
!
interface ATM0
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 no ip route-cache
 no ip proxy-arp
 no cdp enable
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 speed auto
 no cdp enable
 hold-queue 100 in
!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ! ISP credentials left blank here: fill in your own values
 ppp chap hostname
 ppp chap password
 ppp pap sent-username
 ip access-group 100 in
 no ip directed-broadcast
 no ip mroute-cache
 no ip route-cache
 no ip proxy-arp
!
ip nat translations max-entries 500
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.2 4662 interface Dialer0 4662 extendable
ip nat inside source static udp 192.168.1.2 4665 interface Dialer0 4665 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no cdp run
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 5 permit 192.168.1.0 0.0.0.255
! ACL 100 is applied inbound on Dialer0: anti-spoofing first, then only return traffic
! and the forwarded eDonkey ports. It is evaluated before outside-to-inside NAT, so the
! destination it sees is the negotiated public address, never 192.168.1.x: use "any" there.
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 permit tcp any any gt 1023 established
access-list 100 permit udp any eq domain any gt 1023
access-list 100 permit tcp any eq 20 any gt 1023
access-list 100 permit tcp any eq 21 any gt 1023
access-list 100 permit tcp any any eq 4662
access-list 100 permit udp any any eq 4665
!
line con 0
 exec-timeout 0 0
 login local
line aux 0
line vty 0 4
 access-class 5 in
 login local
 exec-timeout 15 0
!
scheduler max-task-time 5000
no scheduler allocate
!
end
------------------------------------------------------



As you can see, I removed some commands (including memory-size iomem, which to me is more harmful than anything else), made a few changes here and there, and added an access-list to filter inbound traffic; I also restricted telnet access to the local network only (so you can't log in remotely).


If you have doubts, ask (and read the command reference on the Cisco site)

If you need to limit bandwidth, there is the traffic-shape command (to be put inside the configuration of the interface you are interested in, in this case Dialer0 or ATM0) followed by the bitrate (a numeric value that defines the bandwidth); it can also be used in combination with an access-list to limit specific IPs.
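An added check of my own (not the poster's code) for the pitfall that matters most in a setup like this: the inbound ACL on Dialer0 is evaluated before outside-to-inside NAT, so a permit whose destination is the inside host never matches. The script parses a plain-text IOS config (a constructed sample modelled on the one above) and flags every static port forward that ACL 100 would block.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the posted config (not the post's text verbatim).
SAMPLE_CONFIG = """\
ip nat inside source static tcp 192.168.1.2 4662 interface Dialer0 4662 extendable
ip nat inside source static udp 192.168.1.2 4665 interface Dialer0 4665 extendable
ip nat inside source static tcp 192.168.1.2 4711 interface Dialer0 4711 extendable
access-list 100 permit tcp any host 192.168.1.2 eq 4662
access-list 100 permit udp any any eq 4665
"""

STATIC_NAT = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) \d+ interface \S+ (\d+)")
ACL_PERMIT = re.compile(
    r"^access-list (\d+) permit (tcp|udp) (?:any|host \S+|\S+ \S+)(?: eq \S+)?"
    r" (any|host \S+|\S+ \S+) eq (\d+)$")

def dest_covers(dest, addr):
    """True if an ACL destination spec ('any', 'host X' or 'NET WILDCARD') matches addr."""
    if dest == "any":
        return True
    if dest.startswith("host "):
        return ip_address(dest.split()[1]) == ip_address(addr)
    net, wildcard = dest.split()  # contiguous wildcard assumed, as in the post's ACLs
    host_bits = sum(bin(int(octet)).count("1") for octet in wildcard.split("."))
    return ip_address(addr) in ip_network(f"{net}/{32 - host_bits}", strict=False)

def check_forwards(config, acl="100"):
    """One finding per static port forward that the outside-interface inbound ACL blocks.
    That ACL runs before outside-to-inside NAT, so it sees the public (negotiated)
    destination address: a permit aimed at the inside host never matches."""
    permits = [(m.group(2), m.group(3), int(m.group(4))) for line in config.splitlines()
               if (m := ACL_PERMIT.match(line.strip())) and m.group(1) == acl]
    findings = []
    for line in config.splitlines():
        m = STATIC_NAT.match(line.strip())
        if not m:
            continue
        proto, inside_ip, outside_port = m.groups()
        dests = [d for p, d, port in permits if p == proto and port == int(outside_port)]
        if not dests:
            findings.append(f"{proto}/{outside_port}: no permit in access-list {acl}")
        elif "any" not in dests:  # only "any" is safe while the public address is dynamic
            why = ("targets the inside address, which the pre-NAT inbound ACL never sees"
                   if any(dest_covers(d, inside_ip) for d in dests)
                   else "destination does not cover the public address")
            findings.append(f"{proto}/{outside_port}: permit {why}")
    return findings
```

Run `check_forwards(SAMPLE_CONFIG)` and it reports the tcp/4662 permit as aimed at the inside address and tcp/4711 as having no permit at all, while udp/4665 passes.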