Re: Help on logging on my Soho 77



Hello

Well, I have a static DSL with an 8-IP subnet.

The first IP is my GW/router, a Cisco, on the .177 IP.

On IP .178 there is a firewall that PATs 3389 on its public WAN address
to a private LAN PC, 192.168.0.138.


The WAN interface of the Cisco is atm0.35;
the "public" LAN is eth0.


I put an ACL on atm0.35 which permits 3389 inside and logs it.

For me it is sufficient to log to RAM, even if it clears on reboot.

Now here is the config:


Current configuration : 8911 bytes
!
! Last configuration change at 10:26:32 CET Fri Sep 15 2006 by maggiore
! NVRAM config last updated at 10:26:11 CET Fri Sep 15 2006 by maggiore
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime
service timestamps log datetime localtime
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered notifications
no logging console
enable password 7 xxxxxxxxxxxxx
!
clock timezone CET 1
ip subnet-zero
no ip source-route
ip tcp synwait-time 15
!
no ip bootp server
username maggiore SNIP
!
!
!
interface Ethernet0
bandwidth 10000
ip address xxxxxxxxxxx
ip broadcast-address xxxxxxxxx
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no cdp enable
hold-queue 100 out
!
interface ATM0
bandwidth 608
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
atm vc-per-vp 64
atm ilmi-keepalive
dsl operating-mode itu-dmt
hold-queue 224 in
!
interface ATM0.35 point-to-point
bandwidth 1504
ip address xxxxxxxxxxxxx
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
pvc 8/35
encapsulation aal5snap
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.35
no ip http server
!
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip host 85.33.96.176 host 85.33.96.176
access-list 100 deny ip host 85.33.96.177 host 85.33.96.177
access-list 100 deny ip host 85.33.96.178 host 85.33.96.178
access-list 100 deny ip host 85.33.96.179 host 85.33.96.179
access-list 100 deny ip host 85.33.96.180 host 85.33.96.180
access-list 100 deny ip host 85.33.96.181 host 85.33.96.181
access-list 100 deny ip host 85.33.96.182 host 85.33.96.182
access-list 100 deny ip host 85.33.96.183 host 85.33.96.183
access-list 100 deny ip host 212.97.35.10 host 85.33.96.181
access-list 100 deny ip host 85.33.96.176 any
access-list 100 deny ip host 85.33.96.177 any
access-list 100 deny ip host 85.33.96.178 any
access-list 100 deny ip host 85.33.96.179 any
access-list 100 deny ip host 85.33.96.180 any
access-list 100 deny ip host 85.33.96.181 any
access-list 100 deny ip host 85.33.96.182 any
access-list 100 deny ip host 85.33.96.183 any
access-list 100 deny ip any host 85.33.96.176
access-list 100 deny ip any host 85.33.96.183
access-list 100 permit ip host 89.186.68.6 any
access-list 100 permit udp any any eq ntp
access-list 100 permit ip any any fragments
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any unreachable
access-list 100 deny icmp any any
access-list 100 permit igmp any any
access-list 100 permit gre any any
SNIP

Now, focusing on the ACL regarding my IP:

access-list 100 deny tcp any host xxxxxxx.178 eq 135
access-list 100 deny udp any host xxxxxxx.178 eq 135
access-list 100 deny tcp any host xxxxxxx.178 range 137 139
access-list 100 deny udp any host xxxxxxx.178 range netbios-ns netbios-ss
access-list 100 deny tcp any host xxxxxxx.178 eq 445
access-list 100 deny udp any host xxxxxxx.178 eq 445
access-list 100 permit udp any eq domain host xxxxxxx.178 range 1024 5000
access-list 100 permit tcp any eq 3389 host xxxxxxx.178 eq 3389 log
access-list 100 permit tcp any host xxxxxxx.178 gt 1023
access-list 100 permit tcp any host xxxxxxx.178 gt 1023 established
access-list 100 deny tcp any lt 1023 host xxxxxxx.178 lt 1023
access-list 100 deny udp any lt 1023 host xxxxxxx.178 lt 1023
access-list 100 permit 41 any host xxxxxxx.178
access-list 100 deny ip any host xxxxxxx.178
etc etc etc
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
no cdp run

etc etc etc
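An added example, not the poster's code or router output: a small first-match evaluator for the .178 entries quoted above, run against constructed packets (the host address is the one the post shows unmasked in the 85.33.96.x lines, and the duplicate udp entries are left out). It shows that the entry carrying `log` only matches when the source port is also 3389, so an RDP client connecting from an ephemeral source port is permitted by the later `gt 1023` entry instead, which has no `log` keyword; the source address 203.0.113.5 is a constructed documentation address.

```python
# Constructed example, not router output: first-match evaluation of the .178
# entries quoted in the post (IP taken from the unmasked lines earlier).
ACL_TEXT = """\
access-list 100 deny tcp any host 85.33.96.178 eq 135
access-list 100 deny tcp any host 85.33.96.178 range 137 139
access-list 100 deny tcp any host 85.33.96.178 eq 445
access-list 100 permit udp any eq domain host 85.33.96.178 range 1024 5000
access-list 100 permit tcp any eq 3389 host 85.33.96.178 eq 3389 log
access-list 100 permit tcp any host 85.33.96.178 gt 1023
access-list 100 permit tcp any host 85.33.96.178 gt 1023 established
access-list 100 deny tcp any lt 1023 host 85.33.96.178 lt 1023
access-list 100 deny ip any host 85.33.96.178"""

def _port(tok):
    """Consume an optional eq/gt/lt/range port operator as a [lo, hi] range."""
    n = lambda s: {"domain": 53}.get(s) or int(s)   # IOS port keyword used above
    if tok and tok[0] in ("eq", "gt", "lt", "range"):
        op, a = tok[0], n(tok[1])
        b = n(tok[2]) if op == "range" else a
        lo, hi = {"eq": (a, a), "gt": (a + 1, 65535), "lt": (0, a - 1), "range": (a, b)}[op]
        return (lambda p: lo <= p <= hi), tok[3 if op == "range" else 2:]
    return (lambda p: True), tok              # no operator: any port

def _addr(tok):
    if tok[0] == "any":                       # only 'any' and 'host X' occur here
        return (lambda ip: True), tok[1:]
    return (lambda ip, h=tok[1]: ip == h), tok[2:]

def parse(text):
    aces = []
    for line in text.splitlines():
        t = line.split()[2:]                  # drop 'access-list 100'
        action, proto, t = t[0], t[1], t[2:]
        sm, t = _addr(t); sp, t = _port(t)
        dm, t = _addr(t); dp, t = _port(t)
        aces.append((action, proto, sm, sp, dm, dp, set(t), line))
    return aces

def lookup(aces, proto, src, sport, dst, dport, ack=False):
    """(action, logged, line) of the first hit; unmatched = implicit deny."""
    for action, p, sm, sp, dm, dp, kw, line in aces:
        if p not in ("ip", proto) or not (sm(src) and dm(dst)):
            continue
        if p != "ip" and not (sp(sport) and dp(dport)):
            continue
        if "established" not in kw or ack:   # 'established' needs ACK/RST set
            return action, "log" in kw, line
    return "deny", False, "implicit deny"

def rdp_syn(sport):
    """Client SYN to 3389 from the given source port (clients use ephemeral ones)."""
    return lookup(parse(ACL_TEXT), "tcp", "203.0.113.5", sport, "85.33.96.178", 3389)
```

Calling `rdp_syn(51234)` returns a permit with `logged == False` from the `gt 1023` entry, while `rdp_syn(3389)` is the only case that reaches the `log` entry.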