Question about the configuration: can anyone tell me more?


Hello dear forum community,

I have now spent some time configuring my router (Cisco 892) a bit...

Now I would like to know whether the config can be used without concern with regard to security and functionality, or what could be improved. First, the config:

Building configuration...

% String too long to write to nvram (2147):
Current configuration : 14757 bytes
!
! Last configuration change at 19:46:35 CET Sun Jan 10 2010 by Tobias
! NVRAM config last updated at 23:54:58 CET Sat Jan 9 2010 by Tobias
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service linenumber
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
security passwords min-length 6
logging count
logging message-counter syslog
logging userinfo
logging buffered 102400
logging console critical
enable secret 5 .
enable password 7 
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
!
!
aaa session-id common
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
clock calendar-valid
cef table consistency-check IPv4 auto-repair delay 15
cef table rate-monitor-period 10
!
crypto pki trustpoint TP-self-signed-3284086038
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-
revocation-check none
rsakeypair TP-self-signed-
!
!
crypto pki certificate chain TP-self-signed-3284086038
certificate self-signed 01
 3
       quit
ip source-route
ip arp gratuitous local
ip arp incomplete retry 10
ip arp incomplete entries 2048
ip icmp rate-limit unreachable 10
ip icmp rate-limit unreachable DF 1
!
!         
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.29 192.168.2.254
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.10.5 192.168.10.254
ip dhcp excluded-address 192.168.11.1
ip dhcp excluded-address 192.168.11.10 192.168.11.254
ip dhcp excluded-address 192.168.12.1
ip dhcp excluded-address 192.168.12.2
ip dhcp excluded-address 192.168.12.3 192.168.12.9
ip dhcp excluded-address 192.168.12.36 192.168.12.254
ip dhcp excluded-address 192.168.8.1
!         
ip dhcp pool ASA
  host 192.168.8.2 255.255.255.0
  client-identifier 0100.23eb.abbe.91
  client-name TKGNASA01LTB01
  domain-name painlan.local
  dns-server 192.168.8.1 
  default-router 192.168.8.1 
  lease infinite
!
ip dhcp pool UC520
  host 192.168.11.2 255.255.255.0
  client-identifier 0100.270d.5d84.a0
  default-router 192.168.2.1 
  dns-server 192.168.2.1 
  domain-name painlan.local
  client-name TKGNVPU01LTB01
  lease infinite
!
ip dhcp pool IPTV-Clients
  import all
  network 192.168.10.0 255.255.255.0
  default-router 192.168.10.1 
  dns-server 192.168.10.1 
  lease 7
!
ip dhcp pool VoIP_Network
  import all
  network 192.168.11.0 255.255.255.0
  dns-server 192.168.11.1 
  default-router 192.168.11.1 
  lease 7
!
ip dhcp pool Perimeter_Zone
  import all
  network 192.168.12.0 255.255.255.0
  default-router 192.168.12.1 
  dns-server 192.168.12.1 
  lease 5
!
ip dhcp pool Lan2WAN.Interconnect
  import all
  network 192.168.8.0 255.255.255.0
  default-router 192.168.8.1 
  dns-server 192.168.8.1 
!
!
ip cef
ip domain retry 1
ip domain timeout 1
ip domain name routernet.local
ip multicast-routing 
ip multicast cache-headers
ip inspect log drop-pkt
ip inspect L2-transparent dhcp-passthrough
ip inspect max-incomplete high 4000
ip inspect max-incomplete low 2000
ip inspect one-minute high 40000
ip inspect one-minute low 40000
ip inspect udp idle-time 86400
ip inspect hashtable-size 4096
ip inspect dns-timeout 2
ip inspect tcp finwait-time 30
ip inspect tcp block-non-session
ip inspect tcp reassembly timeout 120
ip dhcp-client forcerenew
no ipv6 cef
!
!
multilink bundle-name authenticated
isdn switch-type basic-net3
!
!
username Tobias privilege 15 password 7 
secure boot-config
! 
!
!
archive
log config
 hidekeys
!         
!
ip tcp synwait-time 10
ip ssh port 2367 rotary 1
ip ssh version 2
!
class-map match-any Forbitten-Tasks
match protocol kazaa2
match protocol bittorrent
match protocol edonkey
match protocol gnutella
!
!
policy-map mark-forbitten-tasks
class Forbitten-Tasks
 set ip dscp 1
!
!
!
!
interface BRI0
description ISDN Management and Backup interface
no ip address
encapsulation ppp
shutdown
isdn switch-type basic-net3
isdn termination multidrop
isdn point-to-point-setup
!
interface FastEthernet0
description MediaReceiver_1
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet1
description MediaReceiver_2
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet2
description empty
shutdown
!
interface FastEthernet3
description empty
shutdown
!
interface FastEthernet4
description Uplink to ASA for internal
switchport access vlan 100
switchport protected
!
interface FastEthernet5
description uplink to Perimeter Switch
switchport access vlan 4
switchport protected
!
interface FastEthernet6
description Uplink to UC520 PBX System
switchport access vlan 3
switchport protected
spanning-tree portfast
!
interface FastEthernet7
description empty
shutdown
!
interface FastEthernet8
description Management Interface
ip address 192.90.60.90 255.255.255.0
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
description Host of Vif and Admin Connection to CPE
ip address dhcp
ip nat outside
ip nat enable
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0.7
description BoundIFace4Dialer1
encapsulation dot1Q 7
pppoe enable group 1
pppoe-client dial-pool-number 1
no cdp enable
!
interface GigabitEthernet0.8
description IPTV-Network T-Home interconnect
encapsulation dot1Q 8
ip address dhcp
ip access-group IPTV in
ip information-reply
ip directed-broadcast
ip pim sparse-mode
ip nat outside
ip virtual-reassembly
ip igmp version 3
ip igmp mroute-proxy Vlan2
keepalive 1
no cdp enable
!
interface Vlan1
description Internal Management Host allocation
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
timeout absolute 1440 0
fair-queue
!
interface Vlan2
description IPTV virtual access
ip address 192.168.10.1 255.255.255.0
ip pim sparse-mode
ip nat inside
ip virtual-reassembly
ip igmp helper-address 79.249.159.254
ip igmp version 3
ip igmp explicit-tracking
ip igmp query-interval 15
ip igmp proxy-service
!
interface Vlan3
description PBX VoIP System Interconnect
bandwidth 2000
ip address 192.168.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan4
description Perimeter Network
ip address 192.168.12.1 255.255.255.0
ip nat inside
ip virtual-reassembly
delay 10
!
interface Vlan100
description Hostlink to ASA Secured Net
ip address 192.168.8.1 255.255.255.0
ip nat inside
ip virtual-reassembly
delay 2
!
interface Dialer1
description Dialer for Dialin VDSL$FW_OUTSIDE$
ip address negotiated
ip access-group PUBLIC-VDSL in
ip access-group 185 out
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer persistent
keepalive 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username MeineKennung#0001@t-online.de password 7 MeinPw
service-policy input mark-forbitten-tasks
!
ip forward-protocol nd
ip route profile
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 87.140.255.0 255.255.255.128 MeineIP
ip route 87.141.128.0 255.255.128.0 MeineIP
ip route 193.158.34.0 255.255.254.0 MeineIP
ip route 194.25.134.197 255.255.255.255 MeineIP
ip route 194.25.237.4 255.255.255.255 MeineIP
ip route 217.6.164.40 255.255.255.254 MeineIP
ip route 217.6.164.42 255.255.255.255 MeineIP
ip route 217.6.164.45 255.255.255.255 MeineIP
ip route 217.6.164.46 255.255.255.254 MeineIP
ip route 217.6.164.48 255.255.255.248 MeineIP
ip route 217.6.167.128 255.255.255.192 MeineIP
no ip http server
ip http authentication local
no ip http secure-server
!
!
ip dns view default
logging
domain timeout 1
domain retry 1
dns forwarder 8.8.8.8
dns forwarder 208.67.220.220
dns forwarder 192.58.128.30
dns forwarder 193.0.14.129
dns forwarder 199.7.83.42
dns forwarder 192.33.4.12
ip dns server
ip pim rp-address 79.249.159.254
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 3600
ip nat inside source route-map check->NAT interface Dialer1 overload
ip nat inside source route-map check->NAT->IIPTV interface Dialer1 overload
ip nat inside source route-map check->NAT->IPTV interface GigabitEthernet0.8 overload
!
ip access-list standard Administrationsteam@deluxemails.com
ip access-list standard Rack_UG_Slot1
!
ip access-list extended IPTV
permit tcp any any established
permit udp any eq bootps any eq bootpc
permit udp any any gt 1024
permit udp host 193.158.35.31 any
permit ip any 224.0.0.0 15.255.255.255
permit pim host 79.249.159.254 any
permit igmp host 79.249.159.254 any
permit icmp host 79.249.159.254 any
deny   ip any any log-input
remark grand access list IPTV Network
ip access-list extended PUBLIC-VDSL
permit udp any eq domain any
permit udp any any eq 5060
permit udp any any gt 1024
permit tcp any any eq 1723
permit udp any any eq 1701
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit tcp any any eq 3483
permit tcp any any eq 9000
permit icmp any any echo-reply
permit tcp any any established
remark Access list for internet access
permit udp host 192.53.103.104 eq ntp any
permit udp host 192.53.103.108 eq ntp any
permit udp host 195.145.119.188 eq ntp any
deny   ip any any log-input
!
kron occurrence Reset-PPPoE at 5:00 recurring
policy-list Reset-PPPoE
!
kron policy-list Reset-PPPoE
cli clear interface Dialer 1
!
logging history size 300
access-list 110 remark Management-Vlan
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
access-list 120 remark Interlan.private.interconnect
access-list 120 permit ip 192.168.8.0 0.0.0.255 any
access-list 124 permit ip 192.168.10.0 0.0.0.255 any
access-list 124 remark IPTV.Multicast.Access
access-list 125 permit ip 192.168.10.0 0.0.0.255 any
access-list 125 remark IPTV.Dialer1.Access
access-list 126 remark VoIP-Network
access-list 126 permit ip 192.168.11.0 0.0.0.255 any
access-list 127 remark perimeter-net
access-list 127 permit ip 192.168.12.0 0.0.0.255 any
access-list 185 deny   ip any any dscp 1
access-list 185 permit ip any any
dialer-list 1 protocol ip permit
priority-list 1 protocol ip high list 126
priority-list 1 queue-limit 4096 2048 1024 512
priority-list 2 interface Vlan100 medium
priority-list 2 protocol ip high list 124
priority-list 2 protocol ip high list 125
priority-list 2 queue-limit 4096 2048 1024 512
priority-list 3 protocol ip high udp domain
priority-list 3 queue-limit 4096 2048 1024 512
priority-list 4 interface Vlan100 medium
priority-list 4 queue-limit 4096 2048 1024 512
priority-list 5 protocol ip medium tcp 441
priority-list 5 protocol ip medium tcp www
priority-list 5 protocol ip medium tcp 143
priority-list 5 protocol ip medium tcp 993
priority-list 5 protocol ip medium tcp smtp
priority-list 5 protocol ip medium tcp 465
priority-list 5 protocol ip medium tcp pop3
priority-list 5 protocol ip medium tcp 995
priority-list 5 protocol ip high tcp 37
priority-list 5 protocol ip high tcp 443
priority-list 5 protocol ip high udp 443
priority-list 5 queue-limit 4096 2048 1024 512
priority-list 6 protocol ip normal
priority-list 6 queue-limit 4096 2048 1024 512
snmp-server community sicherheitRW
snmp-server community viewlineRO
snmp-server community location RO Rack_UG_Slot1
snmp-server community contact RO meine@me.com
snmp-server trap-source Vlan1
snmp-server source-interface informs Vlan1
snmp-server location Serverraum U1
snmp-server contact meine@me.com
snmp-server chassis-id Router
snmp-server enable traps syslog
snmp-server host 192.168.0.5 MeViewNet
snmp-server host 192.168.0.5 MeAdminNet
mac-address-table aging-time 3600
no cdp run

!
!
!
!
route-map check->NAT->IPTV permit 10
match ip address 124
match interface GigabitEthernet0.8
!
route-map check->NAT permit 15
match ip address 126
match interface Dialer1
!
route-map check->NAT permit 20
match ip address 120
match interface Dialer1
!
route-map check->NAT permit 25
match ip address 127
match interface Dialer1
!
route-map check->NAT->IIPTV permit 10
match ip address 125
match interface Dialer1
!
!
!         
control-plane host
management-interface BRI0 allow ssh 
management-interface FastEthernet8 allow ftp http https ssh tftp snmp beep telnet tl1 
management-interface Vlan1 allow ssh snmp 
management-interface Vlan100 allow ssh snmp 
!
!
control-plane
!
banner exec ^CCC ADMINISTRATION ONLY!!!! All abuse will be logged and procecuded! No trasspassing beyond this point for unauthorized personal! ^C
banner login ^C                                                   ___,------, 
^C
banner motd ^C Admin Conta^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
password 7 meinpw
transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp update-calendar
ntp server 195.145.119.188 prefer source Dialer1
ntp server 192.53.103.104 maxpoll 16 minpoll 8 prefer source Dialer1 burst iburst
ntp server 192.53.103.108 source Dialer1
end

Now the config should be able to do the following:

- Interface FastEthernet 8 (a WAN interface) should be used purely as admin access, so that it can be plugged in behind the ASA into the internal network without security concerns

- Prioritize IPTV - the stream hangs fairly often here, i.e. the sound continues, the picture freezes and there are heavy artifacts and coarse pixelation, then it continues.

- Perform standard firewall inspection

- Prioritize VoIP

- From GigabitEthernet 0 it should be possible to reach the modem, which is in the configured subnet, but unfortunately I cannot access it; that should work, though

- Over BRI it should be possible to connect via a telephone number for remote configuration

Thanks in advance for your help. I am trying to teach myself Cisco technology and wanted to get advice from the experts and tips for solving these issues.

Thanks in advance. :)

edited by ShineDaStar
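The question in the post is whether a config like this is safe to use as-is. One way to answer that systematically is a small static check over the saved `show running-config` text. The script below is an added example; it is not from the thread and not a Cisco tool. Its rules encode generic IOS hardening guidance (reversible type 7 passwords, `ip source-route`, `ip directed-broadcast`, SNMP communities with write access or without an access list, cleartext management protocols on `management-interface`, telnet on vty lines, missing `ip ssh version 2`). The sample config it runs on is constructed for the demonstration and uses placeholder values (`REDACTED`, `$1$PLACEHOLDER`, `MGMT-ACL`); the block boundaries are taken from the `!` separators, so it also works on a dump whose indentation was lost when it was pasted.

```python
"""Static hardening checks for Cisco IOS running-config text (added example,
not from the thread or from any Cisco tool; rules are generic IOS guidance)."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line number in the checked text; 0 = config as a whole
    severity: str    # "high" or "medium"
    rule: str        # short rule identifier
    detail: str      # what was seen and why it matters


# Management-plane protocols that carry credentials or configuration in cleartext.
CLEARTEXT_MGMT = {"telnet", "ftp", "tftp", "http", "tl1", "beep"}
RE_MGMT_IFACE = re.compile(r"^management-interface (\S+) allow (.+)$")


def _parse_snmp_community(rest):
    """Return (mode, acl) from the tokens after 'snmp-server community <string>'."""
    mode, acl, i = "RO", None, 0          # IOS treats a community as read-only by default
    while i < len(rest):
        tok = rest[i]
        if tok in ("view", "ipv6"):       # keyword that takes one argument
            i += 2
            continue
        if tok in ("RO", "RW"):
            mode = tok
        else:
            acl = tok                     # trailing access-list number or name
        i += 1
    return mode, acl


def audit(config_text):
    """Scan a running-config and return a list of Finding objects."""
    findings = []
    context = None                        # current 'interface ...' or 'line ...' block
    stripped = [raw.strip() for raw in config_text.splitlines()]
    for lineno, line in enumerate(stripped, start=1):
        if not line or line == "!":       # '!' separates blocks even in an unindented dump
            context = None
            continue
        if line.startswith(("interface ", "line ")):
            context = line
        if re.search(r"\bpassword 7\b", line):
            findings.append(Finding(lineno, "high", "type7-password",
                f"'{line.split()[0]}' stores a type 7 password, which is reversibly "
                "encoded; use 'secret' where IOS offers it"))
        if line == "ip source-route":
            findings.append(Finding(lineno, "medium", "source-route",
                "IP source routing is enabled; disable with 'no ip source-route'"))
        if line == "ip directed-broadcast":
            findings.append(Finding(lineno, "medium", "directed-broadcast",
                f"directed broadcasts enabled on {context or 'unknown interface'}"))
        if line.startswith("snmp-server community "):
            parts = line.split()
            mode, acl = _parse_snmp_community(parts[3:])
            if mode == "RW":
                findings.append(Finding(lineno, "high", "snmp-rw",
                    f"community '{parts[2]}' grants write access"))
            if acl is None:
                findings.append(Finding(lineno, "medium", "snmp-no-acl",
                    f"community '{parts[2]}' is not restricted by an access list"))
        m = RE_MGMT_IFACE.match(line)
        if m:
            bad = sorted(set(m.group(2).split()) & CLEARTEXT_MGMT)
            if bad:
                findings.append(Finding(lineno, "high", "mgmt-cleartext",
                    f"{m.group(1)} allows cleartext management: {' '.join(bad)}"))
        if context and context.startswith("line vty") and line.startswith("transport input "):
            if set(line.split()[2:]) & {"telnet", "all"}:
                findings.append(Finding(lineno, "high", "vty-telnet",
                    f"'{context}' accepts telnet; restrict to 'transport input ssh'"))
    if "ip ssh version 2" not in stripped:
        findings.append(Finding(0, "high", "ssh-version",
            "SSH is not pinned to version 2 ('ip ssh version 2' missing)"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 6, 'medium': 4}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample modelled on the kind of config posted above (placeholder values).
SAMPLE_CONFIG = """\
version 12.4
service password-encryption
hostname router
enable secret 5 $1$PLACEHOLDER
enable password 7 REDACTED
username admin privilege 15 password 7 REDACTED
ip source-route
ip ssh version 2
interface GigabitEthernet0.8
 ip address dhcp
 ip directed-broadcast
!
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
!
snmp-server community public-rw RW
snmp-server community monitor RO
snmp-server community site RO MGMT-ACL
control-plane host
 management-interface FastEthernet8 allow ftp http https ssh tftp snmp beep telnet tl1
 management-interface Vlan1 allow ssh snmp
!
line vty 0 4
 password 7 REDACTED
 transport input telnet ssh
!
end
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.line:>3} [{f.severity}] {f.rule}: {f.detail}")
    print(summarize(audit(SAMPLE_CONFIG)))
```

Run it against a file with `audit(open("running-config.txt").read())`. The checks are deliberately conservative: they only flag what a line literally says, so an empty standard ACL referenced by a community string (which IOS does not treat as a restriction) or a `ppp pap sent-username ... password 7` line, where IOS has no hashed alternative, still needs a human look; the point is to get a reviewable list rather than to judge every finding automatically.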