Ik ben voor een klant een sdsl router van cisco aan het opzetten. Het is een cisco 878.
De sdsl is van xs4all over kpn. Er is een publieke range van 16 ip adressen toegekend aan het abo.
Omdat ze intern meerdere servers hebben met publieke ipadressen dacht ik aan de onderstaande config waarbij er geen gebruik van NAT wordt gemaakt. De config is overigens nog niet geheel af, maar alleen een www forward voor 123.123.123.248.
Mijn hoofdvraag is of het security level nu lager is geworden dan mét NAT.
Verder vertelden ze mij op de xs4all helpdesk dat de router op dhcp moest staan en de rest van de range zelf via dhcp van de router of statisch toewijzen. Een fixed ip instellen is mij dan ook niet gelukt, maar ik vraag mij af of dit toch WEL kan (in tegenstelling wat men beweerd). En dan heb ik het niet over de 123.123.123.241, maar over bijvoorbeeld de 123.123.123.248 als ip van de wan interface (het 123.123.123.xxx is overigens fake ivm de privacy).
Nog iets: Is het eventueel ook mogelijk om meerdere ip's op de outside interface te zetten en dan de eerste op dhcp en anderen manual?
CONFIG:
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret xxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 123.123.123.241
!
ip dhcp pool sdm-pool1
import all
network 123.123.123.240 255.255.255.240
dns-server 194.109.6.66 194.109.9.99
default-router 123.123.123.241
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name localdomain.local
ip name-server 194.109.6.66
ip name-server 194.109.9.99
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
!
username xxx privilege 15 secret x xxxxxx
!
!
controller DSL 0
mode atm
line-term cpe
line-mode 2-wire line-zero
dsl-mode shdsl symmetric annex B
line-rate auto
!
!
!
!
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
ip route-cache flow
shutdown
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 2/32
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 123.123.123.241 255.255.255.240
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
ip unnumbered Vlan1
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxxxxxxx@xs4all.nl password xxxxxxxxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
logging trap debugging
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto-generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Inbound www 248
access-list 101 permit tcp any eq www host 123.123.123.248 eq www
access-list 101 permit udp host 194.109.9.99 eq domain any
access-list 101 permit udp host 194.109.6.66 eq domain any
access-list 101 deny ip 123.123.123.240 0.0.0.15 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 123.123.123.240 0.0.0.15 any
access-list 102 deny ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 102 in
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Alvast bedankt!
De sdsl is van xs4all over kpn. Er is een publieke range van 16 ip adressen toegekend aan het abo.
Omdat ze intern meerdere servers hebben met publieke ipadressen dacht ik aan de onderstaande config waarbij er geen gebruik van NAT wordt gemaakt. De config is overigens nog niet geheel af, maar alleen een www forward voor 123.123.123.248.
Mijn hoofdvraag is of het security level nu lager is geworden dan mét NAT.
Verder vertelden ze mij op de xs4all helpdesk dat de router op dhcp moest staan en de rest van de range zelf via dhcp van de router of statisch toewijzen. Een fixed ip instellen is mij dan ook niet gelukt, maar ik vraag mij af of dit toch WEL kan (in tegenstelling wat men beweerd). En dan heb ik het niet over de 123.123.123.241, maar over bijvoorbeeld de 123.123.123.248 als ip van de wan interface (het 123.123.123.xxx is overigens fake ivm de privacy).
Nog iets: Is het eventueel ook mogelijk om meerdere ip's op de outside interface te zetten en dan de eerste op dhcp en anderen manual?
CONFIG:
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret xxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 123.123.123.241
!
ip dhcp pool sdm-pool1
import all
network 123.123.123.240 255.255.255.240
dns-server 194.109.6.66 194.109.9.99
default-router 123.123.123.241
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name localdomain.local
ip name-server 194.109.6.66
ip name-server 194.109.9.99
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
!
username xxx privilege 15 secret x xxxxxx
!
!
controller DSL 0
mode atm
line-term cpe
line-mode 2-wire line-zero
dsl-mode shdsl symmetric annex B
line-rate auto
!
!
!
!
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
ip route-cache flow
shutdown
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 2/32
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 123.123.123.241 255.255.255.240
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
ip unnumbered Vlan1
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxxxxxxx@xs4all.nl password xxxxxxxxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
logging trap debugging
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto-generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Inbound www 248
access-list 101 permit tcp any eq www host 123.123.123.248 eq www
access-list 101 permit udp host 194.109.9.99 eq domain any
access-list 101 permit udp host 194.109.6.66 eq domain any
access-list 101 deny ip 123.123.123.240 0.0.0.15 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 123.123.123.240 0.0.0.15 any
access-list 102 deny ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 102 in
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Alvast bedankt!
[ Voor 5% gewijzigd door Verwijderd op 20-05-2006 20:46 ]
Ik heb het in de startpost verduidelijkt.