Old 19-02-2004, 09:45   #4
MircoT
Senior Member
Joined: May 2001
City: Venessia...
Posts: 2376
The one I put at the bottom of the post should work better.
I need the inbound static entry on the www port so that a web server, which I switch on as needed, can be reached from the outside. When it is not on, ZoneAlarm takes care of blocking access. Although I imagine I could replace "access-list 111 permit tcp any any eq www" with "access-list 111 permit tcp any host 192.168.200.50 eq www"...

I would like to leave the access lists related to the VPNs alone for the moment...

As for spoofing: besides the 10.0.0.0 class I imagine I should also add the 192.168.0.0 and 172.16.0.0 classes... or not?

As for the telnet problem... Could this line "ip inspect name myfw smtp timeout 3600" be causing trouble? Is it needed by the firewall to protect me from attacks from the outside?

But above all: where can I read up to understand a bit more about the configuration? Other than the Cisco site which, it seems to me, is quite a mess...

Thanks again for the help.


Ciauzzz!



!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname MircoT
!
logging queue-limit 100
logging buffered 4096 informational
enable secret 5 <removed>
!
username MircoT password 7 <removed>
username CRWS_Bijoy privilege 15 password 7 <removed>
ip subnet-zero
ip name-server 151.99.125.1
ip name-server 151.99.0.100
ip dhcp excluded-address 192.168.200.1
ip dhcp excluded-address 192.168.200.1 192.168.200.49
ip dhcp excluded-address 192.168.200.201 192.168.200.254
ip dhcp excluded-address 192.168.200.50
!
ip dhcp pool CLIENT
import all
network 192.168.200.0 255.255.255.0
default-router 192.168.200.1
lease 0 2
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
description CRWS Generated text. Please do not delete this:192.168.200.1-255.255.255.0
ip address 192.168.200.1 255.255.255.0 secondary
ip address 10.10.10.1 255.255.255.0
ip nat inside
no ip mroute-cache
hold-queue 100 out
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip nat outside
ip inspect myfw out
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname <removed>
ppp chap password 7 <removed>
ppp pap sent-username <removed> password 7 <removed>
ppp ipcp dns request
ppp ipcp wins request
hold-queue 224 in
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.200.50 80 interface Dialer1 80
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 23 permit 192.168.200.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 102 permit ip 192.168.200.0 0.0.0.255 any
access-list 111 permit tcp any host 192.168.200.50 eq www
access-list 111 deny ip host 0.0.0.0 any
access-list 111 deny ip host 255.255.255.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit gre any any
access-list 111 deny ip any any log
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
!
end

Last edited by MircoT : 19-02-2004 at 17:03.
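Added example (not part of the post above and not Cisco code): a small Python simulator of IOS extended-ACL semantics (first match wins, implicit deny at the end, wildcard masks, `host`/`any`, `eq` ports) run over the `access-list 111` lines exactly as posted. It answers two of the questions in the post from the configuration itself: the three RFC 1918 ranges are already all denied as sources (the wildcard `0.15.255.255` covers 172.16.0.0 through 172.31.255.255), and, because IOS evaluates an inbound ACL on the outside interface before the outside-to-inside NAT translation, the packet that reaches ACL 111 is still addressed to the Dialer1 address rather than to 192.168.200.50, so the `permit tcp any host 192.168.200.50 eq www` entry never matches a real inbound web request. The sample packets, the placeholder address 198.51.100.7 (standing in for whatever Dialer1 negotiates) and 203.0.113.9 (an arbitrary outside host) are constructed for this example.

```python
"""
Simulate first-match evaluation of the posted Cisco IOS extended ACL 111.
Parser, sample packets and placeholder addresses are constructed for this
example; nothing here is IOS code.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The ACL exactly as it appears in the posted configuration.
ACL_111 = """
access-list 111 permit tcp any host 192.168.200.50 eq www
access-list 111 deny ip host 0.0.0.0 any
access-list 111 deny ip host 255.255.255.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit gre any any
access-list 111 deny ip any any log
"""

# IOS port keywords used in this ACL (subset of the real keyword table).
PORT_NAMES = {"www": 80, "domain": 53, "isakmp": 500}


@dataclass
class AddrSpec:
    """Address + wildcard mask (1 bits are 'don't care') and optional 'eq' port."""
    address: int
    wildcard: int
    port: Optional[int] = None

    def matches(self, addr: str, port: Optional[int]) -> bool:
        fixed = 0xFFFFFFFF ^ self.wildcard          # bits that must be equal
        a = int(ipaddress.IPv4Address(addr))
        if (a & fixed) != (self.address & fixed):
            return False
        return self.port is None or port == self.port


@dataclass
class Ace:
    action: str     # 'permit' or 'deny'
    proto: str      # 'ip', 'tcp', 'udp', 'esp', 'gre', ...
    src: AddrSpec
    dst: AddrSpec
    log: bool
    text: str       # original line, for explaining a decision


def _parse_addr(t: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    if t[i] == "any":
        spec, i = AddrSpec(0, 0xFFFFFFFF), i + 1
    elif t[i] == "host":
        spec, i = AddrSpec(int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    else:
        spec = AddrSpec(int(ipaddress.IPv4Address(t[i])),
                        int(ipaddress.IPv4Address(t[i + 1])))
        i += 2
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        spec.port = int(p) if p.isdigit() else PORT_NAMES[p]
        i += 2
    return spec, i


def parse_acl(config: str, number: str) -> List[Ace]:
    """Collect the entries of one numbered extended ACL in configured order."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", number]:
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        log = i < len(t) and t[i] == "log"
        aces.append(Ace(t[2], t[3], src, dst, log, line.strip()))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, matching entry). First match wins; no match is the implicit deny."""
    for ace in aces:
        if ace.proto not in ("ip", proto):           # 'ip' matches every protocol
            continue
        if ace.src.matches(src, sport) and ace.dst.matches(dst, dport):
            return ace.action, ace.text
    return "deny", "implicit deny"


ACL = parse_acl(ACL_111, "111")

# Constructed sample packets arriving inbound on Dialer1.
SAMPLES = [
    ("spoofed RFC1918 source",    "tcp", "10.1.2.3",     "198.51.100.7",   40000, 1723),
    ("DNS reply from resolver",   "udp", "151.99.125.1", "198.51.100.7",   53,    40000),
    ("IPsec ESP",                 "esp", "203.0.113.9",  "198.51.100.7",   None,  None),
    ("web hit, pre-NAT address",  "tcp", "203.0.113.9",  "198.51.100.7",   40000, 80),
    ("web hit, inside address",   "tcp", "203.0.113.9",  "192.168.200.50", 40000, 80),
]

if __name__ == "__main__":
    for label, *pkt in SAMPLES:
        action, why = evaluate(ACL, *pkt)
        print(f"{label:27s} -> {action:6s} ({why})")
```

The "web hit, pre-NAT address" sample is the one that matters for the reachability question: it falls through to `deny ip any any log`, which is also the entry whose log messages (`logging buffered` is on) are the first place to look when a legitimate inbound flow is being dropped.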