From: Tommy C (tkc9789@xxxxxxxxxxx)
Date: Mon Jul 08 2002 - 10:11:06 GMT-3
You should use Steve's example as a model, then go to CCO and do a little
research on your own. You'll retain the stuff longer if you spend time
looking for the answer yourself and understand the issues at hand.
>Original Message:
>-----------------
>From: Tom Young gitsyoung@yahoo.co.jp
>Date: Mon, 8 Jul 2002 20:47:02 +0900 (JST)
>To: saridder@attbi.com, ccielab@groupstudy.com
>Subject: RE: Firewall feature
>
>
>Hi, Steven:
>
> Thank you for your sample, it is very helpful. There are still some
>things I couldn't understand; would you please answer them for me?
> First, on your F0 interface you wrote too much in STOP and too little
>in GO. Don't you want some common protocols out? For example, ftp,
>h323...
> Second, on the WAN side you just put an access-list. Why? Why didn't
>you make an INSPECT IN? If you want to tell me you had already written
>the IN on the LAN side, then why did you write the access-list? Is it
>meaningless?
> Third, what is the difference between the access-list and inspect? I
>don't know. May I use the access-list to do a firewall?
>
>Thanks again
>
>Tom
> --- Message from "Steven A. Ridder" <saridder@attbi.com>:
> > Here's one I did a few months ago on a 1750:
> >
> > Current configuration : 5110 bytes
> > !
> > version 12.2
> > no parser cache
> > no service single-slot-reload-enable
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname (DELETED)
> > !
> > logging buffered 4096 debugging
> > logging rate-limit console 10 except errors
> > no logging console
> > enable secret 5 $1$EZSH$UJkNhmVVFU34XgZwDISek.
> > !
> > memory-size iomem 15
> > mmi polling-interval 60
> > no mmi auto-configure
> > no mmi pvc
> > mmi snmp-timeout 180
> > ip subnet-zero
> > no ip source-route
> > !
> > !
> > no ip domain-lookup
> > !
> > no ip bootp server
> > ip inspect name STOP smtp
> > ip inspect name STOP tcp
> > ip inspect name STOP udp
> > ip inspect name STOP cuseeme
> > ip inspect name STOP ftp
> > ip inspect name STOP h323
> > ip inspect name STOP rcmd
> > ip inspect name STOP realaudio
> > ip inspect name STOP streamworks
> > ip inspect name STOP vdolive
> > ip inspect name STOP sqlnet
> > ip inspect name STOP tftp
> > ip inspect name GO smtp
> > ip inspect name GO tcp
> > ip inspect name GO udp
> > ip audit notify log
> > ip audit po max-events 100
> > ip ssh time-out 120
> > ip ssh authentication-retries 3
> > no ip dhcp-client network-discovery
> > !
> > crypto isakmp policy 1
> > hash md5
> > authentication pre-share
> > crypto isakmp key (DELETED) address 0.0.0.0 0.0.0.0
> > crypto isakmp client configuration address-pool local VPNpool
> > !
> > !
> > crypto ipsec transform-set Strong esp-des esp-md5-hmac
> > crypto mib ipsec flowmib history tunnel size 200
> > crypto mib ipsec flowmib history failure size 200
> > !
> > crypto dynamic-map dynVPNmap 10
> > set transform-set Strong
> > !
> > !
> > crypto map modecfg client configuration address initiate
> > crypto map modecfg client configuration address respond
> > crypto map modecfg 10 ipsec-isakmp dynamic dynVPNmap
> > !
> > !
> > !
> > !
> > interface Ethernet0
> > ip address 255.21.220.202 255.255.255.252
> > ip access-group 101 in
> > no ip redirects
> > no ip unreachables
> > no ip proxy-arp
> > ip nat outside
> > no ip route-cache
> > ip policy route-map nonat
> > no ip mroute-cache
> > half-duplex
> > no cdp enable
> > crypto map modecfg
> > !
> > interface FastEthernet0
> > ip address 192.168.1.1 255.255.255.0
> > ip nat inside
> > ip inspect STOP in
> > ip inspect GO out
> > speed auto
> > no cdp enable
> > !
> > ip local pool VPNpool 192.168.100.50 192.168.100.55
> > ip default-gateway 255.21.220.201
> > ip nat pool IntNATpool 255.21.220.202 255.21.220.202 netmask 255.255.255.252
> > ip nat inside source route-map rmap pool IntNATpool overload
> > ip nat inside source static tcp 192.168.1.100 25 255.21.220.202 25 extendable
> > ip nat inside source static tcp 192.168.1.100 110 255.21.220.202 110 extendable
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 255.21.220.201
> > no ip http server
> > !
> > access-list 101 permit tcp any any established
> > access-list 101 permit tcp any host 255.21.220.202 eq telnet
> > access-list 101 permit icmp any any echo
> > access-list 101 permit icmp any any echo-reply
> > access-list 101 permit icmp any any packet-too-big
> > access-list 101 permit icmp any any time-exceeded
> > access-list 101 permit icmp any any traceroute
> > access-list 101 permit ahp any any
> > access-list 101 permit esp any any
> > access-list 101 permit udp any any eq isakmp
> > access-list 101 permit tcp any host 255.21.220.202 eq pop3
> > access-list 101 permit tcp any host 255.21.220.202 eq smtp
> > access-list 101 permit ip host 192.168.100.50 any
> > access-list 101 permit ip host 192.168.100.51 any
> > access-list 101 permit ip host 192.168.100.52 any
> > access-list 101 permit ip host 192.168.100.53 any
> > access-list 101 permit ip host 192.168.100.54 any
> > access-list 101 permit ip host 192.168.100.55 any
> > access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
> > access-list 110 permit ip 192.168.1.0 0.0.0.255 any
> > access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
> > no cdp run
> > !
> > !
> > route-map rmap permit 10
> > match ip address 110
> > !
> > route-map nonat permit 10
> > match ip address 120
> > !
> > route-map nonat permit 20
> > !
> > banner motd ^C
> > ***************************************************************************
> > NOTICE TO USERS
> >
> > This is a private computer system and is the property of (DELETED)
> > Associates. It is for authorized use only. Users (authorized or
> > unauthorized) have no explicit or implicit expectation of privacy.
> >
> > Any or all uses of this system and all files on this system may be
> > intercepted, monitored, recorded, copied, audited, inspected, and disclosed
> > to authorized site, and law enforcement personnel, as well as authorized
> > officials of other agencies, both domestic and foreign.
> > By using this system, the user consents to such interception, monitoring,
> > recording, copying, auditing, inspection, and disclosure at the discretion
> > of authorized site or Department of Energy personnel.
> >
> > Unauthorized or improper use of this system may result in administrative
> > disciplinary action and civil and criminal penalties. By continuing to use
> > this system you indicate your awareness of and consent to these terms and
> > conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions
> > stated in this warning.
> >
> > *****************************************************************************^C
> > !
> > line con 0
> > exec-timeout 5 0
> >
>=== message truncated ===
>
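The thread above asks what separates an access-list from `ip inspect`. The model below is an added example, not part of the original messages or of Steven's router config: it contrasts a static ACL built around the IOS `established` keyword (which only tests the ACK or RST bit on a packet) with a stateful inspector that records sessions opened from the inside and admits only their return traffic, which is the job CBAC does when it punches temporary entries through the inbound ACL on the outside interface. The addresses, ports and the two rule lists are constructed for illustration; NAT is left out so inside hosts appear under their private addresses on both sides.

```python
"""Static 'established' ACL versus stateful (CBAC-style) inspection.

Added example with constructed packets and rule lists; it is a model of
the mechanism, not a reproduction of the quoted router configuration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: frozenset = frozenset()  # e.g. {"SYN"}, {"ACK"}, {"SYN", "ACK"}


@dataclass
class Rule:
    """One line of an extended IOS-style ACL (subset: proto, dst host, dport)."""
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip"
    dst: str = "any"              # "any" or a single host address
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        # IOS 'established' matches when ACK or RST is set; it never checks
        # whether a session was actually initiated from the inside.
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


def static_acl(rules, p: Packet) -> bool:
    """First-match evaluation with the implicit deny every IOS ACL ends with."""
    for r in rules:
        if r.matches(p):
            return r.action == "permit"
    return False


class Inspector:
    """Session table keyed on the 5-tuple of connections opened from inside."""

    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix
        self.sessions = set()

    def outbound(self, p: Packet) -> None:
        if p.src.startswith(self.inside_prefix):
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def inbound_allowed(self, p: Packet) -> bool:
        # Return traffic is the mirror image of a recorded session.
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions


def inbound_decision(p: Packet, rules, inspector: Optional[Inspector] = None) -> bool:
    """Inspector entries are consulted first, then the static ACL, as CBAC does."""
    if inspector is not None and inspector.inbound_allowed(p):
        return True
    return static_acl(rules, p)


# Constructed rule sets. ACL_STATIC keeps the classic 'established' line;
# ACL_STATEFUL drops it and leaves return traffic to the inspector.
MAIL = "192.168.1.100"
ACL_STATIC = [
    Rule("permit", "tcp", established=True),
    Rule("permit", "tcp", dst=MAIL, dport=25),
    Rule("permit", "tcp", dst=MAIL, dport=110),
]
ACL_STATEFUL = ACL_STATIC[1:]


def run_scenarios() -> dict:
    insp = Inspector("192.168.1.")
    # A LAN client opens a web session; the inspector records it.
    insp.outbound(Packet("192.168.1.50", 40000, "203.0.113.7", 80, flags=frozenset({"SYN"})))
    reply = Packet("203.0.113.7", 80, "192.168.1.50", 40000, flags=frozenset({"SYN", "ACK"}))
    # Unsolicited probe with the ACK bit set, aimed at a port nobody opened.
    probe = Packet("198.51.100.9", 1234, "192.168.1.50", 445, flags=frozenset({"ACK"}))
    # Legitimate inbound SMTP connection to the published mail server.
    smtp = Packet("198.51.100.9", 5555, MAIL, 25, flags=frozenset({"SYN"}))
    return {
        "reply_static": inbound_decision(reply, ACL_STATIC),
        "reply_stateful": inbound_decision(reply, ACL_STATEFUL, insp),
        "probe_static": inbound_decision(probe, ACL_STATIC),
        "probe_stateful": inbound_decision(probe, ACL_STATEFUL, insp),
        "smtp_static": inbound_decision(smtp, ACL_STATIC),
        "smtp_stateful": inbound_decision(smtp, ACL_STATEFUL, insp),
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:16} {'permit' if allowed else 'deny'}")
```

The probe is the interesting row: the static ACL lets it through because `established` is satisfied by the ACK bit alone, while the stateful list denies it because no inside host opened that session. Everything else (the real reply, the published SMTP port) is permitted by both, which is why an inspect rule on the inside interface lets the outside ACL shrink to the services that are meant to be reachable from the Internet.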
This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:36:21 GMT-3