Consigli su rete locale e cisco

[dvbman]

Ciao,

ho bisogno di pareri e consigli su come configurare una rete locale così composta :

Router in comodato (non configurabile, redirige tutto su 192.168.1.2)
192.168.1.1
255.255.255.0

Firewall cisco 851-k9
WAN
192.168.1.2
255.255.255.0
ETH0
10.10.10.1
255.255.255.248

Questi sono i miei dubbi :

- ai fini della sicurezza, che ip/subnet mi consigliate di impostare nella sottorete del cisco a cui sono collegati tutti i pc?

- perchè dalla sottorete in questione riesco a vedere il router principale? Come posso fare per evitare che venga risponda ai ping?

[dvbman]

Allego la configurazione del cisco, che vorrei ripulire da ciò che ha inserito SDM, software pratico ma che non rientra nei miei canoni : mi piacerebbe configurarlo da zero con solo il necessario per il mio caso, ovvero bloccare tutto ciò che entra, permettere l'uscita a tutto ciò che parte dalla lan. In pratica ora funziona perfettamente ma ci sono regole di inspect che non mi spiego, e comandi che credo siano inutili (sto imparando piano piano con guide come ciscopedia ; )

Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(4)T7, RELEASE SOFTWARE (fc1)
IOS : c850-advsecurityk9-mz.124-4.T7.bin

Codice:

Current configuration : 6893 bytes
!
! Last configuration change at 18:41:43 PCTime Mon Apr 7 2008 by admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$dQ/b$InXcd26L2rKF.DWf/FJzd.
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
no ip source-route
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name router.eu
ip name-server 192.168.1.1
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-1347078970
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1347078970
 revocation-check none
 rsakeypair TP-self-signed-1347078970
!
!
crypto pki certificate chain TP-self-signed-1347078970
 certificate self-signed 01
  30820248 308201B1 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31333437 30373839 3730301E 170D3038 30343036 31383435
  34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33343730
  37383937 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D457 3CBBAFB2 AC8A4A8A 2FA6B30F DB117811 B4FAEC15 D32EB28F 215CCC90
  D44D5723 F544DCED 65FCBD37 FFD476F7 D144F1BC 6070CF9D 25F149E5 9C6CAFC3
  82B2AB5A F9C5DCB9 9557001D D9022E94 3AB45629 5CB27321 0D078242 76540E55
  3C1B4E98 82AA8BFA 9C3138FF 654F13A0 C401EAC2 5F6ACE47 64CE415B 626A6ADD
  9C2F0203 010001A3 70306E30 0F060355 1D130101 FF040530 030101FF 301B0603
  551D1104 14301282 10726F75 7465722E 726F7574 65722E65 75301F06 03551D23
  04183016 80146208 39C4B294 51B67D2B F547A136 2EF692CC B6EC301D 0603551D
  0E041604 14620839 C4B29451 B67D2BF5 47A1362E F692CCB6 EC300D06 092A8648
  86F70D01 01040500 03818100 06296D95 CFEF5F79 8A4F3D22 8ABEE574 86FE4F29
  45AE2263 DD865633 83E673FF 60EE728E D54B38BC B14BECEF 43776C68 A308716D
  99097653 F28A99B0 682028AC C345165E 0A2F90F7 9DA45BB2 EE896924 FE9D6694
  C071C2E8 D3357E25 3B477304 FB18D5B2 846D7265 98A65CE2 70DF6DEC 8FB208B8
  0549469F 8E03F420 78D9A9C5
  quit
username admin privilege 15 secret 5 $1$DDHi$LAz093paJQjZN2fUhj2041
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 192.168.1.2 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.2.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.2.101 65432 interface FastEthernet4 65432
ip nat inside source static udp 192.168.2.101 12345 interface FastEthernet4 12345
ip dns server
ip dns spoofing
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark auto generated by Cisco SDM Express firewall configuratio
n
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 192.168.1.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any host 192.168.1.2 eq 12345
access-list 101 permit tcp any host 192.168.1.2 eq 65432
access-list 101 permit udp host 192.168.1.1 eq domain any
access-list 101 remark Auto generated by SDM for NTP (123) 193.204.114.233
access-list 101 permit udp host 193.204.114.233 eq ntp host 192.168.1.2 eq ntp
access-list 101 remark Auto generated by SDM for NTP (123) 193.204.114.232
access-list 101 permit udp host 193.204.114.232 eq ntp host 192.168.1.2 eq ntp
access-list 101 deny   ip 192.168.2.0 0.0.0.255 any
access-list 101 permit icmp any host 192.168.1.2 echo-reply
access-list 101 permit icmp any host 192.168.1.2 time-exceeded
access-list 101 permit icmp any host 192.168.1.2 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 deny   ip any any
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175048
ntp server 193.204.114.232 prefer
ntp server 193.204.114.233

grazie a chiunque mi aiuti

[dvbman]

[dvbman]

sob

[dvbman]

[dvbman]

[dvbman]