RU.CISCO
--------------------------------------------------------------------------------
From    : Irakli Natsvlishvili 2:5020/400    14 Dec 2002 23:40:34
To      : Oleg Zaytsev
Subject : Re: Problems...12.2.8T(3)-12.2.8T(5)
--------------------------------------------------------------------------------
Hello, Oleg!
You wrote to Irakli Natsvlishvili on Sat, 14 Dec 2002 12:16:54 +0000 (UTC):
OZ> Not much RAM (you didn't show the config).
-----------------------------------------------------------------
Building configuration...
Current configuration : 13470 bytes
!
version 12.2
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname Cisco2621
!
logging count
no logging buffered
logging rate-limit all 500
no logging console
no logging monitor
logging cns-events debugging
aaa new-model
!
!
aaa session-id common
!
memory-size iomem 10
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
no ip source-route
ip cef table event-log size 10000
ip cef table consistency-check type lc-detect
ip cef table consistency-check type scan-lc
ip cef table consistency-check type scan-rp
ip cef table consistency-check type scan-rib
ip cef
ip cef accounting per-prefix non-recursive prefix-length
!
!
ip nbar port-map custom-02 tcp 5634 6346 6347 6348 6349 6355
no ip domain lookup
ip domain name server.com
ip host orb 192.168.20.246
!
no ip bootp server
ip audit notify log
ip audit po max-events 100
ip accounting-threshold 100000
!
class-map match-all VoIP
description This class allocates bandwidth for VoIP traffic
match access-group 140
class-map match-any Deny
description This traffic class denies all Napster/Gnutella like traffic
match protocol napster
match protocol custom-02
match protocol fasttrack
class-map match-any http-hacks
match protocol http url "*default.ida*"
match protocol http url "*cmd.exe*"
match protocol http url "*root.exe*"
match protocol http url "*readme.eml*"
class-map match-all VoIP-Signaling
description This is class for VoIP signaling on TCP port 1720
match access-group 150
!
!
policy-map mark-inbound-http-hacks
description This traffic policy will filter all requests from the Internet to web Servers
class http-hacks
set ip dscp 1
class Deny
set ip dscp 1
policy-map drop-inbound-http-hacks
class http-hacks
police cir 1000000 bc 31250 be 31250
conform-action drop
exceed-action drop
violate-action drop
class Deny
police cir 1000000 bc 31250 be 31250
conform-action drop
exceed-action drop
violate-action drop
!
!
crypto ca trustpoint vpn
enrollment mode ra
enrollment url http://orb:80/certsrv/mscep/mscep.dll
serial-number
ip-address Serial0/0
crl optional
crypto ca certificate query
crypto ca certificate chain vpn
certificate ca 65AA17C1285FFE8148F74893E844EC9A query
fingerprint F93093C35566784E30D9653EA3D5B865
certificate ca 65AA17C1285FFE8148F74893E844EC9A query
fingerprint D41D8CD98F00B204E9800998ECF8427E
certificate 04149B19000000000025 query
!
crypto isakmp policy 200
authentication pre-share
!
crypto isakmp policy 250
group 2
crypto isakmp key ciscokey address yyy.yyy.yyy.106
crypto isakmp identity hostname
crypto isakmp keepalive 300 60
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set newset esp-des esp-sha-hmac
!
crypto map connect local-address Serial0/0
crypto map connect 1 ipsec-isakmp
set peer yyy.yyy.yyy.106
set transform-set newset
match address 130
qos pre-classify
!
voice call carrier capacity active
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
spanning-tree backbonefast
!
interface FastEthernet0/0
description For Dialogic VoIP LAN
ip address xxx.xxx.xxx.201 255.255.255.248
no ip redirects
no ip proxy-arp
ip accounting output-packets
ip accounting mac-address input
ip accounting mac-address output
ip accounting precedence input
ip accounting precedence output
ip accounting access-violations
ip nbar protocol-discovery
ip route-cache same-interface
ip route-cache policy
ip route-cache flow
no ip mroute-cache
duplex auto
speed auto
!
interface Serial0/0
description Serial T1 CSU/DSU to ISP
ip address zzz.zzz.zzz.zzz 255.255.255.252
ip access-group 2500 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip accounting precedence input
ip accounting precedence output
ip accounting access-violations
ip nat outside
ip nbar protocol-discovery
ip route-cache policy
ip route-cache flow
no ip mroute-cache
service-policy input mark-inbound-http-hacks
service-module t1 clock source internal
service-module t1 remote-alarm-enable
no cdp enable
crypto map connect
!
interface FastEthernet0/1
description Local LAN
ip address 192.168.20.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip accounting output-packets
ip accounting mac-address input
ip accounting mac-address output
ip accounting precedence input
ip accounting precedence output
ip accounting access-violations
ip nat inside
ip nbar protocol-discovery
ip route-cache same-interface
ip route-cache policy
ip route-cache flow
no ip mroute-cache
duplex auto
speed auto
service-policy output drop-inbound-http-hacks
!
ip nat translation timeout 300
ip nat translation tcp-timeout 300
ip nat translation pptp-timeout 1800
ip nat translation udp-timeout 60
ip nat translation dns-timeout 15
ip nat translation icmp-timeout 20
ip nat pool NAT xxx.xxx.xxx.214 xxx.xxx.xxx.215 netmask 255.255.255.252
ip nat inside source route-map NoNAT pool NAT overload
ip nat inside source static 192.168.20.239 xxx.xxx.xxx.209 route-map NoNAT
ip nat inside source static 192.168.20.229 xxx.xxx.xxx.199 route-map NoNAT
ip nat inside source static 192.168.20.228 xxx.xxx.xxx.198 route-map NoNAT
ip nat inside source static 192.168.20.227 xxx.xxx.xxx.197 route-map NoNAT
ip nat inside source static 192.168.20.226 xxx.xxx.xxx.196 route-map NoNAT
ip nat inside source static 192.168.20.241 xxx.xxx.xxx.211 route-map NoNAT
ip nat inside source static 192.168.20.240 xxx.xxx.xxx.210 route-map NoNAT
ip nat inside source static 192.168.20.242 xxx.xxx.xxx.212 route-map NoNAT
ip nat inside source static 192.168.20.243 xxx.xxx.xxx.213 route-map NoNAT
ip nat inside source static 192.168.20.247 xxx.xxx.xxx.217 route-map NoNAT
ip nat inside source static 192.168.20.246 xxx.xxx.xxx.216 route-map NoNAT
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 zzz.zzz.zzz.zzz
ip http server
ip http port 18888
ip pim bidir-enable
!
!
logging history debugging
logging trap debugging
logging facility local4
logging source-interface FastEthernet0/1
logging 192.168.20.229
!
access-list 100 deny ip 192.168.20.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 deny ip 192.168.20.0 0.0.0.255 176.20.30.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
!
access-list 130 permit ip 192.168.20.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 permit ip 192.168.20.0 0.0.0.255 176.20.30.0 0.0.0.255
access-list 130 permit ip xxx.xxx.xxx.192 0.0.0.31 10.1.1.0 0.0.0.255
access-list 130 permit ip xxx.xxx.xxx.192 0.0.0.31 176.20.30.0 0.0.0.255
!
access-list 140 remark ACL for VoIP Traffic
access-list 140 permit udp any host xxx.xxx.xxx.205 range 16384 37276
!
access-list 150 remark ACL for VoIP Signaling
access-list 150 permit tcp any host xxx.xxx.xxx.205 range 1719 1720
!
access-list 2500 remark ------ Permit VPN Pix-to-Router to Serial Interface ----------
access-list 2500 permit ip host yyy.yyy.yyy.106 any
access-list 2500 permit ip host 10.1.1.200 192.168.20.0 0.0.0.255
access-list 2500 permit ip host 10.1.1.100 192.168.20.0 0.0.0.255
access-list 2500 permit ip host 176.20.30.200 192.168.20.0 0.0.0.255
access-list 2500 remark ------------------ Deny Back Orifice ------------------------
access-list 2500 deny tcp any any eq 27374 log
access-list 2500 remark --------------------------------------------------------------
access-list 2500 remark ----------- Permit established TCP connections ---------------
access-list 2500 permit tcp any any established
access-list 2500 remark ----------- Permit access to NTP servers ---------------------
access-list 2500 permit udp host 207.200.81.113 eq ntp any eq ntp
access-list 2500 permit udp host 204.123.2.72 eq ntp any eq ntp
access-list 2500 permit udp host 204.34.198.40 eq ntp any eq ntp
access-list 2500 remark ----------- Permit echo-reply and traceroute -----------------
access-list 2500 permit icmp any any echo-reply
access-list 2500 permit icmp any any time-exceeded
access-list 2500 remark ----------- Permit access and reply from DNS servers --------
access-list 2500 permit udp any eq domain any
access-list 2500 permit udp any any eq domain log
access-list 2500 remark --------xxx.xxx.xxx.196 - 192.168.20.226 - Server24 ---------
access-list 2500 permit tcp any host xxx.xxx.xxx.196 eq 443
access-list 2500 remark --------xxx.xxx.xxx.197 - 192.168.20.227 - Server65 ---------
access-list 2500 permit tcp any host xxx.xxx.xxx.197 eq 443
access-list 2500 remark --------xxx.xxx.xxx.198 - 192.168.20.228 - Server00 ---------
access-list 2500 permit tcp any host xxx.xxx.xxx.198 eq 443
access-list 2500 remark ------ Permit Access on Server00 from Cingular's proxy -----
access-list 2500 permit tcp host 199.176.84.11 host xxx.xxx.xxx.198 eq www log
access-list 2500 permit tcp host 66.209.11.71 host xxx.xxx.xxx.198 eq www log
access-list 2500 remark -------Permit Access on 00 from Palm's proxy ----------------
access-list 2500 permit tcp host 206.112.114.81 host xxx.xxx.xxx.198 eq www log
access-list 2500 permit tcp host 206.112.103.2 host xxx.xxx.xxx.198 eq www log
access-list 2500 permit tcp host 63.97.179.2 host xxx.xxx.xxx.198 eq www log
access-list 2500 permit tcp host 63.97.179.30 host xxx.xxx.xxx.198 eq www log
access-list 2500 remark --------xxx.xxx.xxx.199 - 192.168.20.229 - Exchange -----------
access-list 2500 permit tcp any host xxx.xxx.xxx.199 eq 443
access-list 2500 permit tcp any host xxx.xxx.xxx.199 eq smtp
access-list 2500 permit tcp any host xxx.xxx.xxx.199 eq 995
access-list 2500 permit tcp any host xxx.xxx.xxx.199 eq 993
access-list 2500 remark -------- Permit access from Server India to Exchange -------
access-list 2500 permit tcp sss.sss.sss.0 0.0.0.193 host xxx.xxx.xxx.199 range 4000 4001
access-list 2500 permit tcp sss.sss.sss.0 0.0.0.193 host xxx.xxx.xxx.199 range 5000 5001
access-list 2500 permit tcp sss.sss.sss.0 0.0.0.193 host xxx.xxx.xxx.199 eq 135
access-list 2500 remark --------xxx.xxx.xxx.205 - Dialogic VoIP -----------------------
access-list 2500 permit icmp any host xxx.xxx.xxx.205 log
access-list 2500 permit udp any host xxx.xxx.xxx.205 gt 1024 log
access-list 2500 permit tcp any host xxx.xxx.xxx.205 gt 1024 log
access-list 2500 remark --------xxx.xxx.xxx.209 - 192.168.20.239 SQL2000--------------
access-list 2500 permit tcp any host xxx.xxx.xxx.209 eq 443
access-list 2500 permit tcp any host xxx.xxx.xxx.209 eq 1723 log
access-list 2500 permit gre any host xxx.xxx.xxx.209 log
access-list 2500 remark --------xxx.xxx.xxx.210 - 192.168.20.240 - FTP ----------------
access-list 2500 permit tcp any host xxx.xxx.xxx.210 eq ftp log
access-list 2500 permit tcp any host xxx.xxx.xxx.210 eq ftp-data log
access-list 2500 remark --------xxx.xxx.xxx.211 - 192.168.20.241 Onlinedemo ----------
access-list 2500 permit tcp any host xxx.xxx.xxx.211 eq 443
access-list 2500 remark ----- xxx.xxx.xxx.212 - 192.168.20.242 - WebDemo --------------
access-list 2500 permit tcp any host xxx.xxx.xxx.212 eq www log
access-list 2500 permit tcp any host xxx.xxx.xxx.212 eq 443 log
access-list 2500 permit tcp any host xxx.xxx.xxx.212 eq gopher log
access-list 2500 permit udp any host xxx.xxx.xxx.212 eq 70 log
access-list 2500 remark ----xxx.xxx.xxx.213 - 192.168.20.243 E-Commerce --------------
access-list 2500 permit tcp any host xxx.xxx.xxx.213 eq 443
access-list 2500 remark --------xxx.xxx.xxx.216 - 192.168.20.246 - ORB ----------------
access-list 2500 permit tcp any host xxx.xxx.xxx.216 eq 443
access-list 2500 remark --------xxx.xxx.xxx.217 - 192.168.20.247 Server23 ----------
access-list 2500 permit tcp any host xxx.xxx.xxx.217 eq 443
access-list 2500 remark ------------------ ACCESS-L 2500 DENY ALL OTHER --------------
access-list 2500 deny ip host 0.0.0.0 any log
access-list 2500 deny ip 10.0.0.0 0.255.255.255 any log
access-list 2500 deny ip 127.0.0.0 0.255.255.255 any log
access-list 2500 deny ip 172.16.0.0 0.15.255.255 any log
access-list 2500 deny ip 192.168.0.0 0.0.255.255 any log
access-list 2500 deny ip 192.168.20.0 0.0.0.255 any log
access-list 2500 deny ip 10.10.10.0 0.0.0.255 any log
access-list 2500 deny icmp any any log
access-list 2500 deny ip any host 63.121.124.98 log
access-list 2500 deny tcp any range 0 65535 any range 0 65535 log
access-list 2500 deny udp any range 0 65535 any range 0 65535 log
access-list 2500 deny ip any xxx.xxx.xxx.192 0.0.0.31 log
access-list 2500 deny ip any any
!
route-map NoNAT permit 10
match ip address 100
!
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
width 132
!
ntp clock-period 17180333
ntp source Serial0/0
ntp server 207.200.81.113
ntp server 204.123.2.72
ntp server 204.34.198.40
-----------------------------------------------------------------
I.N.
--- ifmail v.2.15dev5
* Origin: Demos online service (2:5020/400)
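Added example, not part of Irakli's post and not Cisco tooling: a small Python checker for the ordering problem a reviewer looks for in an inbound ACL like 2500 above, i.e. entries that a single earlier entry already fully matches, so they are either redundant (same action) or shadowed (opposite action; the later entry never fires). It parses only the syntax the post actually uses (ip/tcp/udp/icmp/gre, any / host / wildcard addresses, eq/gt/range ports, established, log, ICMP type keywords). The sample ACL is a constructed subset of ACL 2500 with the masked xxx/yyy addresses replaced by the RFC 5737 documentation ranges 203.0.113.0/24 and 198.51.100.0/24; the sss.sss.sss.0 0.0.0.193 entries are left out because that wildcard is non-contiguous and the parser rejects it.

```python
"""Shadow / redundancy checker for IOS extended ACLs (added example, not from the post).

Handles only the syntax ACL 2500 uses: ip/tcp/udp/icmp/gre, 'any' / 'host A' /
'A WILDCARD', eq/gt/range ports, 'established', 'log', ICMP type keywords.
"""
import ipaddress

NAMED_PORTS = {"www": 80, "domain": 53, "ntp": 123, "smtp": 25,
               "ftp": 21, "ftp-data": 20, "gopher": 70}   # names seen in the post
ANY_PORTS = (0, 65535)


def _port(tok):
    return int(tok) if tok.isdigit() else NAMED_PORTS[tok]


def _addr(toks):
    """Consume an address spec and return (network, remaining tokens)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    # ipaddress accepts an IOS wildcard as a hostmask; a non-contiguous one
    # such as 0.0.0.193 raises NetmaskValueError (a ValueError subclass).
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]


def _ports(toks):
    """Consume an optional eq/gt/range matcher; default is every port."""
    op = toks[0] if toks else None
    if op == "eq":
        return (_port(toks[1]), _port(toks[1])), toks[2:]
    if op == "gt":
        return (_port(toks[1]) + 1, 65535), toks[2:]
    if op == "range":
        return (_port(toks[1]), _port(toks[2])), toks[3:]
    return ANY_PORTS, toks


class Rule:
    def __init__(self, line):
        toks = line.split()
        if toks[:1] != ["access-list"] or toks[2] not in ("permit", "deny"):
            raise ValueError("not an extended ACE: " + line)
        self.text, self.action, self.proto = line, toks[2], toks[3]
        self.src, rest = _addr(toks[4:])
        self.sport, rest = _ports(rest)
        self.dst, rest = _addr(rest)
        self.dport, rest = _ports(rest)
        self.established = "established" in rest
        # Anything else left over (an ICMP type keyword) narrows the match.
        self.qualifier = tuple(t for t in rest if t not in ("established", "log"))

    def covers(self, other):
        """True if every packet matched by `other` is also matched by self."""
        def inside(a, b):
            return a[0] <= b[0] and b[1] <= a[1]
        return ((self.proto == "ip" or self.proto == other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and inside(self.sport, other.sport)
                and inside(self.dport, other.dport)
                and (not self.established or other.established)
                and (not self.qualifier or self.qualifier == other.qualifier))


def analyze(lines):
    """Return (rule, earlier_rule, 'redundant'|'shadowed') for each rule that a
    single earlier rule fully covers. First-order only: a rule covered just by
    the union of several earlier rules is not reported."""
    rules = [Rule(l) for l in lines if l.split()[2:3] not in ([], ["remark"])]
    findings = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(r):
                kind = "redundant" if earlier.action == r.action else "shadowed"
                findings.append((r.text, earlier.text, kind))
                break
    return findings


# Constructed subset of ACL 2500 from the post; xxx/yyy replaced by RFC 5737 addresses.
ACL_2500 = """\
access-list 2500 permit ip host 198.51.100.106 any
access-list 2500 deny tcp any any eq 27374 log
access-list 2500 permit tcp any any established
access-list 2500 permit udp host 207.200.81.113 eq ntp any eq ntp
access-list 2500 permit icmp any any echo-reply
access-list 2500 permit udp any eq domain any
access-list 2500 permit udp any any eq domain log
access-list 2500 permit tcp any host 203.0.113.196 eq 443
access-list 2500 permit udp any host 203.0.113.205 gt 1024 log
access-list 2500 deny ip 10.0.0.0 0.255.255.255 any log
access-list 2500 deny ip 192.168.0.0 0.0.255.255 any log
access-list 2500 deny ip 192.168.20.0 0.0.0.255 any log
access-list 2500 deny tcp any range 0 65535 any range 0 65535 log
access-list 2500 deny ip any any
""".splitlines()

if __name__ == "__main__":
    for text, earlier, kind in analyze(ACL_2500):
        print(f"{kind}: {text}\n    covered by: {earlier}")
```

On the sample it reports one entry: `deny ip 192.168.20.0 0.0.0.255 any log` is redundant with the `deny ip 192.168.0.0 0.0.255.255 any log` line directly before it. The early `permit tcp any any established` is not reported against any later entry because the checker treats `established` as narrowing that rule, so it does not cover the later `eq 443` permits that match connection-opening SYNs.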