RE: Firewall feature

From: Steven A. Ridder (saridder@xxxxxxxxx)
Date: Fri Jul 05 2002 - 11:40:44 GMT-3

Here's one I did a few months ago on a 1750:

Current configuration : 5110 bytes
!
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname (DELETED)
!
logging buffered 4096 debugging
logging rate-limit console 10 except errors
no logging console
enable secret 5 $1$EZSH$UJkNhmVVFU34XgZwDISek.
!
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
!
!
no ip domain-lookup
!
no ip bootp server
ip inspect name STOP smtp
ip inspect name STOP tcp
ip inspect name STOP udp
ip inspect name STOP cuseeme
ip inspect name STOP ftp
ip inspect name STOP h323
ip inspect name STOP rcmd
ip inspect name STOP realaudio
ip inspect name STOP streamworks
ip inspect name STOP vdolive
ip inspect name STOP sqlnet
ip inspect name STOP tftp
ip inspect name GO smtp
ip inspect name GO tcp
ip inspect name GO udp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key (DELETED) address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local VPNpool
!
!
crypto ipsec transform-set Strong esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto dynamic-map dynVPNmap 10
 set transform-set Strong
!
!
crypto map modecfg client configuration address initiate
crypto map modecfg client configuration address respond
crypto map modecfg 10 ipsec-isakmp dynamic dynVPNmap
!
!
!
!
interface Ethernet0
 ip address 255.21.220.202 255.255.255.252
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no ip route-cache
 ip policy route-map nonat
 no ip mroute-cache
 half-duplex
 no cdp enable
 crypto map modecfg
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip inspect STOP in
 ip inspect GO out
 speed auto
 no cdp enable
!
ip local pool VPNpool 192.168.100.50 192.168.100.55
ip default-gateway 255.21.220.201
ip nat pool IntNATpool 255.21.220.202 255.21.220.202 netmask 255.255.255.252
ip nat inside source route-map rmap pool IntNATpool overload
ip nat inside source static tcp 192.168.1.100 25 255.21.220.202 25 extendable
ip nat inside source static tcp 192.168.1.100 110 255.21.220.202 110 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 255.21.220.201
no ip http server
!
access-list 101 permit tcp any any established
access-list 101 permit tcp any host 255.21.220.202 eq telnet
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit ahp any any
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit tcp any host 255.21.220.202 eq pop3
access-list 101 permit tcp any host 255.21.220.202 eq smtp
access-list 101 permit ip host 192.168.100.50 any
access-list 101 permit ip host 192.168.100.51 any
access-list 101 permit ip host 192.168.100.52 any
access-list 101 permit ip host 192.168.100.53 any
access-list 101 permit ip host 192.168.100.54 any
access-list 101 permit ip host 192.168.100.55 any
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
no cdp run
!
!
route-map rmap permit 10
 match ip address 110
!
route-map nonat permit 10
 match ip address 120
!
route-map nonat permit 20
!
banner motd ^C
***************************************************************************
                            NOTICE TO USERS

This is a private computer system and is the property of (DELETED)
Associates. It is for authorized use only. Users (authorized or
unauthorized) have no explicit or implicit expectation of privacy.

Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and disclosed
to authorized site, and law enforcement personnel, as well as authorized
officials of other agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the discretion
of authorized site or Department of Energy personnel.

Unauthorized or improper use of this system may result in administrative
disciplinary action and civil and criminal penalties. By continuing to use
this system you indicate your awareness of and consent to these terms and
conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions
stated in this warning.

*****************************************************************************^C
!
line con 0
 exec-timeout 5 0
 password 16050
 login
line aux 0
 password 16050
 login
line vty 0 4
 exec-timeout 5 0
 password 16050
 login
line vty 5 15
 no login
!
no scheduler allocate
end

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Tom Young
Sent: Wednesday, July 03, 2002 6:17 AM
To: ccielab@groupstudy.com
Subject: Firewall feature

I want to set the firewall feature on C1710 router.
There is an Ethernet and a BRI port.
Who can provide me a sample config for the firewall
feature? The common firewall rule is ok. Not DMZ here.

Thanks a lot
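A hardening review of the 1750 configuration posted above, as an added example that is not part of either message in this thread. The script below is my own; it embeds a constructed excerpt of Steven's config as sample input (it is not read from a device), splits the IOS text into top-level lines with their indented sub-lines, and reports the points a reviewer would raise against that config: `no service password-encryption` leaving the `line` passwords in cleartext, `line vty 5 15` configured with `no login`, ACL 101 (applied inbound on the NAT-outside interface) permitting telnet from any source even though SSH is configured, the `esp-des` transform set, the `hash md5` ISAKMP policy, and the pre-shared key bound to `address 0.0.0.0 0.0.0.0`. It also lists the hardening lines that are already present (`no ip http server`, `no cdp run`, `no ip source-route`, `no ip bootp server`). The function and finding names (`audit`, `parse_sections`, the `finding-id:detail` strings) are my own naming, not IOS terminology.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the 1750 running-config from the post above.
# Sample input for this script only; most lines of the original are omitted.
SAMPLE_CONFIG = """\
version 12.2
no service password-encryption
enable secret 5 $1$EZSH$UJkNhmVVFU34XgZwDISek.
no ip source-route
no ip bootp server
ip ssh time-out 120
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key (DELETED) address 0.0.0.0 0.0.0.0
crypto ipsec transform-set Strong esp-des esp-md5-hmac
interface Ethernet0
 ip address 255.21.220.202 255.255.255.252
 ip access-group 101 in
 ip nat outside
access-list 101 permit tcp any any established
access-list 101 permit tcp any host 255.21.220.202 eq telnet
access-list 101 permit udp any any eq isakmp
no ip http server
no cdp run
line con 0
 password 16050
 login
line vty 0 4
 exec-timeout 5 0
 password 16050
 login
line vty 5 15
 no login
end
"""

# Global lines whose presence is a plus; reported separately from findings.
HARDENING_LINES = ("no ip http server", "no cdp run",
                   "no ip source-route", "no ip bootp server")


@dataclass
class Section:
    """One top-level IOS config line plus the indented lines beneath it."""
    header: str
    body: list = field(default_factory=list)


def parse_sections(text):
    """Group config text into sections: a non-indented line starts a section,
    indented lines belong to the most recent one; '!' and blank lines are skipped."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if sections:
                sections[-1].body.append(raw.strip())
        else:
            sections.append(Section(raw.strip()))
    return sections


def audit(text):
    """Return {'findings': [...], 'present': [...]} for the checks described above."""
    secs = parse_sections(text)
    headers = [s.header for s in secs]
    findings = set()
    present = [h for h in HARDENING_LINES if h in headers]

    # Without service password-encryption, 'password' lines are stored in clear.
    if "no service password-encryption" in headers:
        findings.add("cleartext-line-passwords")

    inbound_acls = set()
    for s in secs:
        h = s.header
        if h.startswith("line "):
            # 'no login' means the line never prompts for a password.
            if "no login" in s.body:
                findings.add("no-login:" + h)
        elif h.startswith("interface "):
            for b in s.body:
                m = re.match(r"^ip access-group (\S+) in$", b)
                if m:
                    inbound_acls.add(m.group(1))
        elif h.startswith("crypto isakmp policy "):
            if "hash md5" in s.body:
                findings.add("isakmp-md5:policy " + h.split()[-1])
        elif re.match(r"^crypto isakmp key .+ address 0\.0\.0\.0 0\.0\.0\.0$", h):
            # One PSK accepted from any peer address.
            findings.add("wildcard-psk")
        else:
            m = re.match(r"^crypto ipsec transform-set (\S+) (.+)$", h)
            if m and "esp-des" in m.group(2).split():   # exact token, not esp-3des
                findings.add("weak-transform:" + m.group(1))

    # Telnet permitted from 'any' in an ACL that is applied inbound on an interface.
    for acl in inbound_acls:
        pat = re.compile(rf"^access-list {re.escape(acl)} permit tcp any\b.*\beq telnet$")
        if any(pat.match(h) for h in headers):
            findings.add("telnet-permitted-inbound:acl " + acl)

    return {"findings": sorted(findings), "present": present}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for f in report["findings"]:
        print("REVIEW :", f)
    for p in report["present"]:
        print("present:", p)
```

The parser deliberately keys on the indentation that IOS itself emits in `show running-config`, so the same `audit` function can be pointed at a saved config file; the checks are string matches against the exact commands in this post and would need extending for other platforms or syntax variants.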



This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:36:19 GMT-3