!
! NOTE(review): the trailing "]" after "version 12.4" is not IOS syntax; it looks like a paste artifact.
version 12.4]
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! Type-7 obfuscation only: it does not protect the "password 7" values in this config (they remain recoverable).
service password-encryption
service compress-config
! Enables the legacy UDP echo/discard/chargen "small servers". Nothing in this config uses them and they are
! reachable from the inside subnet through access-list 100; recommend "no service udp-small-servers".
service udp-small-servers
service sequence-numbers
!
hostname Aminahoora-CISCO-Firewall
!
boot-start-marker
boot-end-marker
!
! A syslog message is generated once the threshold of 3 failed login attempts is exceeded.
security authentication failure rate 3 log
! Six characters is the floor for newly configured passwords; a longer minimum is advisable.
security passwords min-length 6
! Buffer keeps warnings and above, console shows only critical. No "logging host" appears in this listing,
! so the "logging trap debugging" line further down has no remote destination as shown.
logging buffered 51200 warnings
logging console critical
! The hash value appears stripped from the paste. "enable secret" (type 5) takes precedence over
! "enable password"; the type-7 "enable password" is then redundant and only weakens things — recommend removing it.
enable secret 5
enable password 7!
aaa new-model
!
!
! RADIUS group used only for EAPoUDP (NAC) authentication below. 192.168.0.2 is also this router's own
! FastEthernet0/0 address (see the interface section) — confirm the intended RADIUS server address.
aaa group server radius SDM_NAC_GROUP
server 192.168.0.2 auth-port 1645 acct-port 1646
!
! Custom prompts and fail message are cosmetic (they mimic a PIX but do not change how authentication works).
aaa authentication fail-message orng Access!!!
aaa authentication password-prompt PIX-PASSWORD:
aaa authentication username-prompt PIX-USERNAME:
! Console/VTY logins and exec authorization are local-only; RADIUS is used for the NAC (eou) method alone.
aaa authentication login default local
aaa authentication login local_authen local
aaa authentication eou default group SDM_NAC_GROUP
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
clock timezone Tehran 3 30
clock summer-time Tehran date Mar 22 2003 12:00 Sep 22 2003 12:00
no network-clock-participate slot 1
no network-clock-participate wic 0
ip subnet-zero
! Source-routed packets are dropped (good hardening default).
no ip source-route
ip cef
! Embryonic TCP connections owned by the router are abandoned after 10 s (limits SYN-flood exposure of the router itself).
ip tcp synwait-time 10
!
!
! SDM_LOW is the inspection set applied outbound on Dialer0. It tracks only http/https plus an application
! firewall policy named SDM_LOW that does not appear in this listing — confirm that policy exists.
ip inspect name SDM_LOW http
ip inspect name SDM_LOW https
ip inspect name SDM_LOW appfw SDM_LOW
! The "Aminahoora" inspection set (esmtp with alerts/audit-trail, http with URL filtering, https) is defined
! but not applied to any interface in this listing, so the URL filter is not in effect as shown.
ip inspect name Aminahoora esmtp alert on audit-trail on
ip inspect name Aminahoora http urlfilter
ip inspect name Aminahoora https
! NAC (EAPoUDP) admission rule, applied on FastEthernet0/0. IOS documents inactivity-time in minutes — confirm 60 is intended.
ip admission name SDM_EOU_1 eapoudp inactivity-time 60
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
! BOOTP server disabled (good hardening default).
no ip bootp server
! The domain argument for this permit entry is missing — it appears to have been replaced by forum text in
! the paste; the command is incomplete as shown.
ip urlfilter exclusive-domain permit
! Static URL-filter list: explicit denies for two domains, permit for cisco.com. This list is only consulted by
! the "Aminahoora" inspect set (http urlfilter), which is not applied to any interface in this listing.
ip urlfilter exclusive-domain deny sex.com
ip urlfilter exclusive-domain deny xxx.com
ip urlfilter exclusive-domain permit cisco.com
! SSH negotiation timeout 60 s, two authentication retries. No "ip ssh version 2" line is shown; consider
! adding it so SSHv1 cannot be negotiated.
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
! Self-signed trustpoint generated for the HTTPS management server. Revocation checking is disabled, which is
! the only workable setting for a self-signed certificate. Note that "ip http secure-trustpoint amin" further
! down references a trustpoint named "amin" that is not defined anywhere in this listing.
crypto pki trustpoint TP-self-signed-1037260179
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1037260179
revocation-check none
rsakeypair TP-self-signed-1037260179
!
!
! Certificate body (DER as hex). This is the public certificate only; the RSA private key is not part of the
! configuration text. Clients cannot validate a self-signed certificate without explicitly trusting it.
crypto pki certificate chain TP-self-signed-1037260179
certificate self-signed 01
30820252 308201BB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31303337 32363031 3739301E 170D3032 30333031 30303032
32355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30333732
36303137 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D57D 479113C8 58278A12 A673F70B 48AFDA77 89FC3DEA A193084B F61FE6F7
C14ED0BC F3023E25 1E24D28E CA18B1AE 9DE1B27E BE49BFED 452FBBE2 E6677649
0AA2C7D4 DA2A5F3D 6C4A9172 1A283121 CFEE6B08 71CADDE5 5A79ABB8 39D81270
F8411131 73FEBD0D 33B3DEC2 DE5FDD27 171CFCCC 105D01A1 D0375327 FCCDF5D6
B8010203 010001A3 7A307830 0F060355 1D130101 FF040530 030101FF 30250603
551D1104 1E301C82 1A416D69 6E61686F 6F72612D 43495343 4F2D4669 72657761
6C6C2E30 1F060355 1D230418 30168014 276B101E 25C08CD6 9F0BEC36 DB89D734
9400A27E 301D0603 551D0E04 16041427 6B101E25 C08CD69F 0BEC36DB 89D73494
00A27E30 0D06092A 864886F7 0D010104 05000381 810076BD 5C2E8198 B2D80116
895FA40D E8BA18A6 EDFAAE3A 18F14749 9A88B82C A5D18B11 2DEED269 AD03C630
810E5C97 B8FC2A74 6B1337DB 9A1D7493 31D367CF 7A52E3F6 DDF2FEE7 3C55EDD0
00342FBA C6D05397 ED9B4427 FB4B9358 3FCAD81B 1353E7EA 034AE66C 1E017279
499155F0 56B8F946 823FF875 E65CC93A CF0F353D 5441
quit
! Clientless NAC posture: hosts without a posture agent are authenticated with this fixed username/password
! (values stripped from the paste). "eou allow clientless" admits such hosts via the EAPoUDP rule — confirm that is wanted.
eou clientless username
eou clientless password
eou allow clientless
! Local admin account (value stripped). Type 7 is reversible; prefer "username aminahoora secret ..." (hashed).
! The same name is reused as the CHAP/PAP hostname on Dialer0.
username aminahoora password 7!
!
! NBAR-based traffic classes consumed by SDM-QoS-Policy-1 (classification only; no filtering effect).
class-map match-any SDM-Transactional-1
match protocol citrix
match protocol finger
match protocol notes
match protocol novadigm
match protocol pcanywhere
match protocol secure-telnet
match protocol sqlnet
match protocol sqlserver
match protocol ssh
match protocol telnet
match protocol xwindows
class-map match-any SDM-Signaling-1
match protocol h323
match protocol rtcp
match protocol sip
class-map match-any SDM-Scavenger-1
match protocol napster
match protocol fasttrack
match protocol gnutella
class-map match-any SDM-Routing-1
match protocol bgp
match protocol egp
match protocol eigrp
match protocol ospf
match protocol rip
match protocol rsvp
class-map match-any SDM-Voice-1
match protocol rtp audio
class-map match-any SDM-Streaming-Video-1
match protocol cuseeme
match protocol netshow
match protocol rtsp
match protocol streamwork
match protocol vdolive
class-map match-any SDM-Management-1
match protocol dhcp
match protocol dns
match protocol imap
match protocol kerberos
match protocol ldap
match protocol secure-imap
match protocol secure-ldap
match protocol snmp
! NOTE(review): the protocol name on the next line was masked ("*****") by the forum's word filter and is
! not recoverable from this page.
match protocol *****
match protocol syslog
class-map match-any SDM-Interactive-Video-1
match protocol rtp video
class-map match-any SDM-BulkData-1
match protocol exchange
match protocol ftp
match protocol irc
match protocol nntp
match protocol pop3
match protocol printer
match protocol secure-ftp
match protocol secure-irc
match protocol secure-nntp
match protocol secure-pop3
match protocol smtp
match protocol tftp
!
!
! Outbound QoS policy, applied on FastEthernet0/0 (the inside interface): voice gets a 33% priority queue,
! signalling/routing/management/transactional each get 5% guaranteed bandwidth, everything else is
! fair-queued with WRED. Scavenger, streaming-video, interactive-video and bulk-data classes are defined
! above but not referenced here.
policy-map SDM-QoS-Policy-1
class SDM-Voice-1
set dscp ef
priority percent 33
class SDM-Signaling-1
set dscp cs3
bandwidth percent 5
class SDM-Routing-1
set dscp cs6
bandwidth percent 5
class SDM-Management-1
set dscp cs2
bandwidth percent 5
class SDM-Transactional-1
set dscp af21
bandwidth percent 5
class class-default
fair-queue
random-detect
!
!
!
! IKE policies. Policy 1 has no "hash" or "authentication" line, so IOS defaults apply (SHA-1, RSA signatures);
! with only a self-signed certificate on this device, rsa-sig will not interoperate unless the peers trust
! it — confirm. No "crypto isakmp key" appears in this listing, so pre-shared-key authentication is not
! configured as shown. 3DES and MD5 (policy 2) are legacy algorithms; prefer AES and SHA-2 where the peer supports them.
crypto isakmp policy 1
encr 3des
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
!
!
! Transport mode suits the GRE tunnel (Tunnel0) that is protected by SDM_Profile1.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
!
!
! Dynamic map "CRYPTO" is not referenced by any "crypto map ... dynamic" entry in this listing, and
! "crypto map aminahoora" is not applied to any interface, so both appear unused. The peer 20.20.20.1 is also
! this router's own Tunnel0 address — looks like a leftover or misconfiguration; verify before relying on it.
crypto dynamic-map CRYPTO 1
set peer 20.20.20.1
set transform-set ESP-3DES-SHA
match address aminahoora1
!
!
crypto map aminahoora 1 ipsec-isakmp
set peer 20.20.20.1
set transform-set ESP-3DES-SHA
match address aminahoora1
!
!
!
! mGRE tunnel protected by IPsec (DMVPN-style). "ip nhrp map multicast dynamic" accepts dynamically
! registering peers, i.e. this device acts as a hub. The NHRP authentication string is a shared secret that
! travels inside the (encrypted) tunnel. The tunnel is sourced from FastEthernet0/0, the *inside* interface,
! rather than the WAN (Dialer0) — unusual, since peers would then have to reach 192.168.0.2; confirm intent.
interface Tunnel0
bandwidth 1000
ip address 20.20.20.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
! Clamps TCP MSS so encrypted GRE packets fit the 1400-byte tunnel MTU without fragmentation.
ip tcp adjust-mss 1360
! Needed for RIP on a hub-and-spoke mGRE tunnel so spoke routes can be re-advertised out the same interface.
no ip split-horizon
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile SDM_Profile1
!
interface Null0
no ip unreachables
!
! Inside (LAN) interface: ACL 100 inbound, NAC admission rule SDM_EOU_1 for hosts on this segment, QoS policy
! outbound. 192.168.0.2 is also the address the RADIUS server and AAA group lines point at.
interface FastEthernet0/0
description $FW_INSIDE$
ip address 192.168.0.2 255.255.255.0
ip broadcast-address 192.168.0.255
ip access-group 100 in
no ip redirects
no ip unreachables
! The masked token ("*****") here and on the other interfaces is most likely "proxy" (forum word filter),
! i.e. proxy ARP disabled — the desired hardening setting.
no ip *****-arp
ip nbar protocol-discovery
ip admission SDM_EOU_1
ip route-cache flow
ip tcp adjust-mss 1412
speed auto
full-duplex
no mop enabled
service-policy output SDM-QoS-Policy-1
!
! Physical WAN port: no IP address of its own; PPPoE client bound to dialer pool 1 (Dialer0).
interface FastEthernet0/1
description $ETH-WAN$
no ip address
no ip redirects
no ip unreachables
no ip *****-arp
ip route-cache flow
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
no mop enabled
!
! Outside interface (PPPoE). ACL 101 inbound is default-deny; CBAC set SDM_LOW inspects outbound http/https
! only. A static private address (192.168.10.2/24) is set instead of "ip address negotiated" — plausible for
! a lab; verify. No "ip nat" statements appear anywhere in this listing, so inside 192.168.0.0/24 hosts are
! not translated when leaving this interface as shown.
interface Dialer0
description $FW_OUTSIDE$
ip address 192.168.10.2 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip *****-arp
ip mtu 1452
ip inspect SDM_LOW out
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
! CHAP/PAP toward the provider; "callin" means the peer is only authenticated on incoming calls.
ppp authentication chap pap callin
ppp chap hostname aminahoora
! The type-7 encoded CHAP secret is printed in full here. Type 7 is reversible, so treat this provider
! credential as exposed and rotate it. The PAP password value on the following line was stripped from the paste.
ppp chap password 7 011E0713570A545A76
ppp pap sent-username aminahoora password 7
!
! RIPv2 over the tunnel subnet ("network 20.0.0.0" covers Tunnel0 only in this listing). No RIP
! authentication (key chain) and no passive-interface are shown; the tunnel's IPsec protection is what
! limits exposure of the routing updates.
router rip
version 2
network 20.0.0.0
no auto-summary
!
ip classless
!
! The cleartext HTTP management server is enabled alongside HTTPS; both are limited to the inside subnet by
! ACL 1 with local authentication. Recommend "no ip http server" and keeping only "ip http secure-server".
! "ip http secure-trustpoint amin" names a trustpoint not defined in this listing (the self-signed one
! defined above is TP-self-signed-1037260179), so the HTTPS server cannot use it as shown.
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http secure-trustpoint amin
! Idle sessions time out after 60 s, maximum session life 24 h, at most 10000 requests per connection.
ip http timeout-policy idle 60 life 86400 requests 10000
!
! Crypto ACL referenced by dynamic map CRYPTO and by "crypto map aminahoora": selects all traffic sourced
! from the tunnel subnet 20.20.20.0/24. Only meaningful if one of those maps is actually applied to an interface.
ip access-list extended aminahoora1
remark SDM_ACL Category=4
permit ip 20.20.20.0 0.0.0.255 any
!
! RADIUS requests are sourced from Dialer0 (the outside address), yet the configured RADIUS server is an
! inside address (192.168.0.2) — confirm which source the server expects.
ip radius source-interface Dialer0
! Trap level is debugging, but no "logging host" appears in this listing; add one (and consider a less
! verbose level) before relying on remote logging.
logging trap debugging
! ACL 1: restricts the HTTP/HTTPS management server to the inside subnet.
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 deny any
! ACL 100 (inbound on FastEthernet0/0, the inside interface).
! "permit ip any host 192.168.0.2" below already covers every preceding per-port permit, so the
! cmd/telnet/22/www/443 entries are redundant; it also opens every other service on the router's inside
! address (including the UDP small servers enabled above). The closing "permit ip any any" makes this ACL a
! spoof/bogon filter rather than an access restriction for inside hosts.
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp any host 192.168.0.2 eq cmd
access-list 100 permit tcp any host 192.168.0.2 eq telnet
access-list 100 permit tcp any host 192.168.0.2 eq 22
access-list 100 permit tcp any host 192.168.0.2 eq www
access-list 100 permit tcp any host 192.168.0.2 eq 443
access-list 100 permit ip any host 192.168.0.2
! These two entries match only traffic from 192.168.0.2 to itself on the RADIUS ports (self-to-self);
! they would not match a RADIUS server on a different host.
access-list 100 permit udp host 192.168.0.2 eq 1646 host 192.168.0.2 eq 1646
access-list 100 permit udp host 192.168.0.2 eq 1645 host 192.168.0.2 eq 1645
! UDP 21862 is the EAPoUDP port used by the NAC admission rule on this interface.
access-list 100 permit udp any eq 21862 host 192.168.0.2
access-list 100 permit udp any host 192.168.0.2 eq non500-isakmp
access-list 100 permit udp any host 192.168.0.2 eq isakmp
access-list 100 permit esp any host 192.168.0.2
access-list 100 permit ahp any host 192.168.0.2
access-list 100 permit gre any host 192.168.0.2
! Anti-spoofing: drop packets arriving on the inside that claim the outside subnet, the broadcast address, or loopback.
access-list 100 deny ip 192.168.10.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
! ACL 101 (inbound on Dialer0, the outside interface): default deny with logging. Only ICMP replies are
! permitted statically, so every other return flow must be opened dynamically by "ip inspect SDM_LOW out",
! which covers only http/https (plus the appfw policy). Replies for other outbound protocols (DNS, SMTP,
! SSH, ...) are dropped here as written. There are also no ISAKMP/ESP permits, so IPsec could not terminate
! on Dialer0 with this ACL.
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
! Anti-spoofing of the inside subnet, then the usual RFC 1918 / loopback / broadcast / unspecified-source drops.
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any host 192.168.10.2 echo-reply
access-list 101 permit icmp any host 192.168.10.2 time-exceeded
access-list 101 permit icmp any host 192.168.10.2 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
! ACL 102: restricts VTY (telnet/ssh) access to the inside subnet; applied with "access-class 102 in" on the vty lines.
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 deny ip any any
! Any IP packet counts as "interesting" traffic for the dialer.
dialer-list 1 protocol ip permit
! CDP disabled globally (avoids advertising platform and address details to neighbours).
no cdp run
!
! NAC RADIUS server is the router's own inside address (FastEthernet0/0). No shared "key" is shown on this
! line — it may have been stripped from the paste or set elsewhere; confirm, since RADIUS without a key will not work.
radius-server host 192.168.0.2 auth-port 1645 acct-port 1646
radius-server vsa send authentication
!
! No control-plane policing service-policy is attached here; the router's CPU is protected only by the interface ACLs.
control-plane
!
!
!
! Login banner: the wording ("You have an authorized access") says the opposite of what a warning banner
! should, contains typos ("authurotize", "Sescor"), and the delimiting character appears lost in the paste.
! Suggest a plain unauthorized-access warning that does not advertise the device's role or vendor.
banner login IPS Sescor is Active "You have an authurotize Access Please check Your permission!!! "
!
! Console and AUX: local login via local_authen. No "exec-timeout" is shown on any line, so the IOS default
! idle timeout (10 minutes) applies; consider an explicit, shorter value.
line con 0
login authentication local_authen
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
! VTY lines: limited to the inside subnet by ACL 102 with local exec authorization, but "transport input
! telnet ssh" still accepts cleartext telnet. Recommend "transport input ssh" on both VTY groups (the
! trustpoint above already references an RSA key pair).
line vty 0 4
access-class 102 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
line vty 5 15
access-class 102 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler allocate 4000 1000
!
end