[es] :: Enterprise Networking :: access list on the router

[ Views: 2325 | Replies: 8 ]

gogi100
Goran Ljubic

Member no.: 40722
Posts: 940
*.mediaworksit.net.

access list on the router, 30.07.2015 at 14:01 (46 months ago)
So, I'm configuring a Cisco 1921 router. I need to connect two networks, 192.168.200.0/24 and 192.168.0.0/24. On the external GigabitEthernet0/0 I created an inbound access list so that computers from the 192.168.0.0/24 network can access the servers in the 192.168.200.0/24 network without problems. However, computers from the 192.168.200.0/24 network cannot access the servers in the 192.168.0.0/24 network. When this access list is not applied, everything works in both directions. But I want to restrict the traffic to specific protocols.
The router configuration is:

Building configuration...

Current configuration : 9974 bytes
!
! Last configuration change at 13:53:55 Prague Thu Jul 30 2015 by administrator
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname servers-r
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$zUjL$rAvZbXspCYjotGe/jL48T1
enable password 7 097C4F1A0A1218000F4D557878
!
no aaa new-model
clock timezone Prague 1 0
clock summer-time Prague date Mar 30 2003 2:00 Oct 26 2003 3:00
!
no ipv6 cef
!
!
!
!
!
ip domain name d.l
ip name-server 192.168.0.20
ip name-server 192.168.0.24
ip cef
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-2259530887
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2259530887
revocation-check none
rsakeypair TP-self-signed-2259530887
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-2259530887
certificate self-signed 01
quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO1921/K9 sn FCZ163293TE
!
!
object-group network DC_0.20
host 192.168.0.20
host 192.168.0.24
!
object-group service SPSQL_server
description sql server for sharepoint
tcp eq 135
tcp eq 139
tcp eq 3389
tcp eq 1433
tcp eq 445
tcp eq 2383
tcp eq www
tcp eq 5357
!
object-group network SQL_0.34
host 192.168.0.34
!
object-group network SQL_servers
host 192.168.200.14
host 192.168.200.34
host 192.168.200.16
!
object-group service WDS_server
tcp eq 135
tcp eq 139
tcp eq 3389
tcp eq 5040
tcp eq 443
tcp eq 445
tcp eq 1032
tcp eq 1039
tcp eq 1089
tcp eq www
tcp eq 5357
!
object-group network backup_server
host 192.168.0.152
host 192.168.0.32
range 192.168.0.29 192.168.0.30
!
object-group service backup_servers
tcp eq 135
tcp eq 139
tcp eq 3389
tcp eq 9876
tcp eq 445
tcp eq 2301
tcp eq 2381
tcp eq 3260
!
object-group service domain_controller
udp eq ntp
tcp eq 135
udp eq netbios-ns
udp eq netbios-dgm
tcp eq 139
tcp eq 636
tcp-udp eq 389
tcp-udp eq 445
tcp-udp eq 464
tcp eq 5722
tcp eq smtp
tcp-udp eq domain
tcp-udp eq 88
tcp eq 3268
tcp eq 3269
tcp range 49152 56535
tcp eq 3389
tcp eq 5357
!
object-group network domain_controllers
host 192.168.200.20
host 192.168.200.24
!
object-group service dri-net_server
tcp eq 135
tcp eq 139
tcp eq 3306
tcp eq 445
tcp range 1048 1050
tcp eq domain
tcp eq 3289
!
object-group service finansije_server
tcp eq 135
tcp eq 139
tcp eq 3389
tcp eq 445
tcp eq www
tcp eq 5357
!
object-group service paragraflex_server
tcp eq 135
tcp eq 139
tcp eq 3389
tcp eq 445
tcp eq 5357
tcp eq 6190
!
object-group service sharepoint_application_service
tcp eq 135
tcp eq 139
tcp eq 3389
tcp eq 2103
tcp eq 2105
tcp eq 2107
tcp eq 1801
tcp eq smtp
tcp eq 4361
tcp eq 8080
tcp eq 4860
tcp eq 445
tcp eq 1053
tcp eq 5357
tcp range www 82
!
object-group service sharepoint_web_application
tcp eq 135
tcp eq 139
tcp eq 3389
tcp eq 2103
tcp eq 2105
tcp eq 2107
tcp eq 1801
tcp eq 8080
tcp eq 445
tcp eq 1044
tcp eq 1060
tcp eq 1074
tcp range 1025 1028
tcp eq 1102
tcp eq www
!
object-group network sharepoint_web_servers
range 192.168.200.36 192.168.200.37
host 192.168.200.13
host 192.168.200.17
!
object-group service terminal_server
tcp eq 135
tcp eq 139
tcp eq 3389
tcp eq 1947
tcp eq 445
tcp eq 5357
!
object-group service virtual_server_services
tcp eq 135
tcp eq 139
tcp eq 3389
tcp eq 2179
tcp eq 445
tcp eq 2301
tcp eq 2381
icmp echo
icmp echo-reply
!
object-group network virtual_servers
host 192.168.200.11
host 192.168.200.25
host 192.168.200.41
!
object-group network wsus_servers
host 192.168.200.12
host 192.168.200.27
host 192.168.200.15
!
object-group service wsus_services
tcp eq 135
tcp eq 139
tcp eq 3389
tcp eq 445
tcp eq www
tcp eq 5357
tcp eq 8531
tcp eq 443
tcp eq 8530
icmp echo
icmp echo-reply
!
username administrator privilege 15 password 7 01230717481C091D250D1F5B4A
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-WAN$
ip address 192.168.0.253 255.255.255.0
ip access-group domain_controller in
ip mask-reply
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description $ETH-LAN$
ip address 192.168.200.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
ip route 192.168.50.0 255.255.255.0 192.168.0.10 permanent
!
ip access-list extended allow_all
remark CCP_ACL Category=1
permit tcp any host 192.168.0.26 eq 6190
permit tcp any host 192.168.0.28 eq 3389 log
permit tcp any host 192.168.0.33 eq 3389 log
permit icmp any host 192.168.0.20
permit ip any any log
ip access-list extended client_domain_controller
remark CCP_ACL Category=16
permit tcp 192.168.200.0 0.0.0.255 host 192.168.200.254 eq telnet
permit tcp 192.168.200.0 0.0.0.255 host 192.168.200.254 eq 22
permit tcp 192.168.200.0 0.0.0.255 host 192.168.200.254 eq www
permit tcp 192.168.200.0 0.0.0.255 host 192.168.200.254 eq 443
permit tcp 192.168.200.0 0.0.0.255 host 192.168.200.254 eq cmd
deny tcp any host 192.168.200.254 eq telnet
deny tcp any host 192.168.200.254 eq 22
deny tcp any host 192.168.200.254 eq www
deny tcp any host 192.168.200.254 eq 443
deny tcp any host 192.168.200.254 eq cmd
deny udp any host 192.168.200.254 eq snmp
permit tcp host 192.168.200.20 any range 49152 56535 established log
permit udp host 192.168.200.20 any range 49152 56535 log
permit tcp host 192.168.200.41 any eq 3389
permit udp host 192.168.200.20 any eq domain log
permit tcp host 192.168.200.20 any eq domain established log
permit ip any any
ip access-list extended domain_controller
remark CCP_ACL Category=1
permit tcp host 192.168.0.61 host 192.168.0.253 eq telnet
permit tcp host 192.168.0.61 host 192.168.0.253 eq www
permit tcp host 192.168.0.61 host 192.168.0.253 eq 443
permit udp host 192.168.0.24 eq domain any
permit udp host 192.168.0.20 eq domain any
permit object-group terminal_server any host 192.168.200.22 log
permit object-group dri-net_server any host 192.168.200.31 log
permit object-group paragraflex_server any host 192.168.200.26 log
remark SPSQL_server
permit object-group SPSQL_server any object-group SQL_servers log
permit object-group backup_servers any object-group backup_server log
permit object-group virtual_server_services any object-group virtual_servers log
permit object-group WDS_server any host 192.168.200.28 log
remark wsus servers
permit object-group wsus_services any object-group wsus_servers log
permit object-group sharepoint_web_application any object-group sharepoint_web_servers log
permit object-group finansije_server any host 192.168.200.23 log
remark sharepoint_application_server
permit object-group sharepoint_application_service any host 192.168.200.33 log
remark active_directory
permit object-group domain_controller any object-group domain_controllers log
remark ping na sharepoint
permit icmp host 192.168.0.33 any log
permit tcp host 192.168.0.40 eq www any log
deny udp any host 192.168.0.253 eq snmp
deny tcp any host 192.168.0.253 eq cmd
deny tcp any host 192.168.0.253 eq 22
deny ip 192.168.0.0 0.0.0.255 192.168.200.0 0.0.0.255 log
ip access-list extended insideinterface_out
remark CCP_ACL Category=1
permit ip any host 192.168.200.17
ip access-list extended sql
remark CCP_ACL Category=1
permit ip any host 192.168.0.34
permit tcp any host 192.168.0.34
permit ip any host 192.168.0.61
deny ip any any
!
access-list 1 permit 192.168.0.61
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit ip 192.168.200.0 0.0.0.255 any
access-list 100 permit ip host 192.168.0.61 any
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 100 in
exec-timeout 40 0
privilege level 15
password 7 097C4F1A0A1218000F4D557878
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

 
gogo82

Member no.: 228454
Posts: 118

Re: access list on the router, 31.07.2015 at 15:04 (46 months ago)
Quote:
gogi100: So, I'm configuring a Cisco 1921 router. I need to connect two networks, 192.168.200.0/24 and 192.168.0.0/24. On the external GigabitEthernet0/0 I created an inbound access list so that computers from the 192.168.0.0/24 network can access the servers in the 192.168.200.0/24 network without problems. However, computers from the 192.168.200.0/24 network cannot access the servers in the 192.168.0.0/24 network. When this access list is not applied, everything works in both directions. But I want to restrict the traffic to specific protocols.


I haven't looked at the configuration in detail, but if I understood the question correctly, the situation is roughly this:

The configuration of the interface on which the 192.168.0.0/24 network sits looks like this:
Quote:

interface GigabitEthernet0/0
description $ETH-WAN$
ip address 192.168.0.253 255.255.255.0


The configuration of the interface on which the 192.168.200.0/24 network sits looks like this:
Quote:

interface GigabitEthernet0/1
description $ETH-LAN$
ip address 192.168.200.254 255.255.255.0


You have listed the following requirements:
Quote:

1. computers from the 192.168.0.0/24 network access the servers in the 192.168.200.0/24 network without problems.
2. computers from the 192.168.200.0/24 network cannot access the servers in the 192.168.0.0/24 network
3. however, I want to restrict the traffic to specific protocols


Requirements 1 and 3:
- in the access list you applied in the IN direction you need to define which traffic from the 192.168.0.0/24 network may go into the 192.168.200.0/24 network.
- example:
Quote:

ip access-list extended acl_test1
permit tcp host 192.168.0.100 192.168.200.0 0.0.0.255 eq 22
permit tcp host 192.168.0.54 192.168.200.0 0.0.0.255 eq 3389
permit tcp 192.168.0.0 0.0.0.255 192.168.200.0 0.0.0.255 eq 22

- apply this access list to interface g0/0 in the IN direction

Requirement 2:
- create one more access list as follows
Quote:

ip access-list extended acl_test2
permit tcp any any established
deny ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip any any (optional)

- apply this access list to interface g0/1 in the IN direction

And finally a question: why do you need NAT at all??

Regards!
Gogo82
 
gogi100
Goran Ljubic

Member no.: 40722
Posts: 940
*.dynamic.isp.telekom.rs.

Re: access list on the router, 31.07.2015 at 17:59 (46 months ago)
The NAT is left over from the previous configuration. Can I remove it if there is no NAT?
 
gogo82

Member no.: 228454
Posts: 118

Re: access list on the router, 31.07.2015 at 18:13 (46 months ago)
If you don't need NAT, remove it.
Regards!
Gogo82
 
gogo82

Member no.: 228454
Posts: 118

Re: access list on the router, 31.07.2015 at 18:18 (46 months ago)
One more question: does this have anything to do with your previous post and with this diagram http://static.elitesecurity.org/uploads/3/5/3588324/network.jpg ?
If it does, then maybe you should keep NAT after all, if you need it for the 192.168.200.0/24 subnet to reach the Internet?

Regards!
Gogo82
 
gogi100
Goran Ljubic

Member no.: 40722
Posts: 940
212.200.247.*

Re: access list on the router, 31.07.2015 at 19:25 (46 months ago)
It is related, but I solved Internet access another way, so I don't need NAT here. So all I need is for the 192.168.200 network to reach the 192.168.0.0 network and vice versa.
 
gogi100
Goran Ljubic

Member no.: 40722
Posts: 940
*.mediaworksit.net.

Re: access list on the router, 24.08.2015 at 11:42 (45 months ago)
I tried the following configuration on the router with access lists, but again the workstations can reach the servers while the servers cannot reach the workstations. When I remove the permit rules from the top, everything works fine. Why?

interface GigabitEthernet0/0
description $ETH-WAN$
ip address 192.168.0.253 255.255.255.0
ip access-group Outside_in in
ip mask-reply
ip nbar protocol-discovery
ip flow ingress
ip flow egress
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description $ETH-LAN$
ip address 192.168.200.254 255.255.255.0
ip access-group Inside_in in
ip flow ingress
duplex auto
speed auto
!

ip access-list extended Inside_in
remark CCP_ACL Category=1
remark Auto generated by CCP for NTP (123) 192.168.0.20
permit udp host 192.168.0.20 eq ntp host 192.168.200.254 eq ntp
permit ip any any
ip access-list extended Outside_in
remark CCP_ACL Category=1
remark Auto generated by CCP for NTP (123) 192.168.0.20
permit udp host 192.168.0.20 eq ntp host 192.168.0.253 eq ntp
permit ip host 192.168.0.61 host 192.168.0.253
permit udp host 192.168.0.20 192.168.200.0 0.0.0.255 range 49152 56535
permit tcp host 192.168.0.20 192.168.200.0 0.0.0.255 range 49152 56535
permit object-group pinging_service object-group REMOTE_DESKTOP_client object-group Pinged_server log
permit object-group RDP_service object-group REMOTE_DESKTOP_client object-group Pinged_server log
deny object-group virtual_server_services object-group *_mreze object-group virtual_servers
deny object-group paragraflex_server object-group *_mreze host 192.168.200.26
deny object-group wsus_services object-group *_mreze object-group wsus_servers
deny object-group sharepoint_web_application object-group *_mreze object-group sharepoint_web_servers log
deny object-group SPSQL_server object-group *_mreze object-group SQL_servers
deny object-group dri-net_server 192.168.0.0 0.0.0.255 host 192.168.200.31 log
deny object-group domain_controller object-group *_mreze object-group domain_controllers log
deny object-group WDS_server object-group *_mreze host 192.168.200.28
permit ip object-group *_mreze 192.168.200.0 0.0.0.255 log
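As an added illustration (not code from the thread, from Cisco, or from either poster), here is a small Python model of stateless extended-ACL evaluation that runs gogo82's acl_test1 and acl_test2 against constructed packets. It also goes one step beyond the thread: case 3 shows why the reply to a server-initiated connection is dropped by the inbound list on g0/0 unless that list itself permits return traffic, which is the symptom gogi100 reports. The addresses 192.168.0.54, 192.168.0.50 and 192.168.200.22 and the ephemeral ports are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0     # destination port (0 = not applicable)
    ack: bool = False  # TCP ACK/RST set, which is what "established" matches


def _addr(tokens, ip):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'. Returns (hit, rest)."""
    if tokens[0] == "any":
        return True, tokens[1:]
    if tokens[0] == "host":
        return ip == tokens[1], tokens[2:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))  # IOS wildcard: 1 bits are "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wild) == (net | wild), tokens[2:]


def ace_matches(ace, pkt):
    """Does one access-control entry match the packet? 'log' and unknown words are ignored."""
    tok = ace.split()
    proto, rest = tok[1], tok[2:]
    if proto != "ip" and proto != pkt.proto:
        return False
    hit, rest = _addr(rest, pkt.src)
    if not hit:
        return False
    hit, rest = _addr(rest, pkt.dst)
    if not hit:
        return False
    while rest:
        kw = rest.pop(0)
        if kw == "eq" and pkt.dport != int(rest.pop(0)):
            return False
        if kw == "established" and not (pkt.proto == "tcp" and pkt.ack):
            return False
    return True


def evaluate(acl, pkt):
    """First matching ACE wins; no match falls into the implicit 'deny ip any any'."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.split()[0]
    return "deny"


# gogo82's acl_test1, inbound on g0/0 (192.168.0.0/24 side)
ACL_G00_IN = [
    "permit tcp host 192.168.0.100 192.168.200.0 0.0.0.255 eq 22",
    "permit tcp host 192.168.0.54 192.168.200.0 0.0.0.255 eq 3389",
    "permit tcp 192.168.0.0 0.0.0.255 192.168.200.0 0.0.0.255 eq 22",
]
# gogo82's acl_test2, inbound on g0/1 (192.168.200.0/24 side)
ACL_G01_IN = [
    "permit tcp any any established",
    "deny ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "permit ip any any",
]


def flow_decisions():
    """Constructed flows: 192.168.0.54/.50 are workstations, 192.168.200.22 a server."""
    ws, ws2, srv = "192.168.0.54", "192.168.0.50", "192.168.200.22"
    reply_fix = ["permit tcp 192.168.0.0 0.0.0.255 192.168.200.0 0.0.0.255 established"]
    return {
        # 1. workstation -> server RDP: SYN enters g0/0, the server's reply enters g0/1
        "ws_to_srv_syn": evaluate(ACL_G00_IN, Packet("tcp", ws, srv, 3389)),
        "ws_to_srv_reply": evaluate(ACL_G01_IN, Packet("tcp", srv, ws, 52000, ack=True)),
        # 2. server -> workstation SMB: the SYN enters g0/1, is not "established", is denied
        "srv_to_ws_syn": evaluate(ACL_G01_IN, Packet("tcp", srv, ws2, 445)),
        # 3. even if that SYN were allowed, its reply enters g0/0 with an ephemeral
        #    destination port; the stateless list has no ACE for it and drops it
        "srv_to_ws_reply": evaluate(ACL_G00_IN, Packet("tcp", ws2, srv, 49200, ack=True)),
        # 4. the usual remedy: one "established" ACE for return traffic at the top of g0/0
        "srv_to_ws_reply_fixed": evaluate(reply_fix + ACL_G00_IN, Packet("tcp", ws2, srv, 49200, ack=True)),
    }
```

Because `established` only checks TCP flags, it is no substitute for a stateful firewall; a reflexive ACL or zone-based firewall on the same router would track the actual connections.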
 
protecteur
student

Member no.: 250613
Posts: 21
81.93.77.*

Re: access list on the router, 24.08.2015 at 15:47 (45 months ago)
If it's not a problem, could you post the complete router config with those new object groups, since I don't see them in the config in the first post...
 
gogi100
Goran Ljubic

Member no.: 40722
Posts: 940
*.mediaworksit.net.

Re: access list on the router, 25.08.2015 at 06:41 (45 months ago)
The configuration:


Building configuration...

Current configuration : 10115 bytes
!
! Last configuration change at 15:13:17 PCTime Fri Aug 21 2015 by administrator
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname servers-r
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200
enable secret 5 $1$zUjL$rAvZbXspCYjotGe/jL48T1
enable password 7 097C4F1A0A1218000F4D557878
!
no aaa new-model
clock timezone PCTime 1 0
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
no ipv6 cef
!
!
ip port-map user-paragraf port tcp 6190 list 2
!
!
!
ip domain name dri.local
ip name-server 192.168.0.20
ip name-server 192.168.0.24
ip cef
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-2259530887
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2259530887
revocation-check none
rsakeypair TP-self-signed-2259530887
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-2259530887
certificate self-signed 01
quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO1921/K9 sn FCZ163293TE
!
!
object-group network *
192.168.0.0 255.255.255.0
192.168.1.0 255.255.255.0
192.168.2.0 255.255.255.0
192.168.3.0 255.255.255.0
192.168.4.0 255.255.255.0
192.168.5.0 255.255.255.0
192.168.7.0 255.255.255.0
192.168.8.0 255.255.255.0
192.168.50.0 255.255.255.0
!
object-group network backup_server
host 192.168.0.152
host 192.168.0.32
range 192.168.0.29 192.168.0.30
!
object-group network SQL_servers
host 192.168.200.14
host 192.168.200.34
host 192.168.200.16
!
object-group network wsus_servers
host 192.168.200.12
host 192.168.200.27
host 192.168.200.15
!
object-group network sharepoint_web_servers
range 192.168.200.36 192.168.200.37
host 192.168.200.13
host 192.168.200.17
!
object-group network virtual_servers
host 192.168.200.11
host 192.168.200.25
host 192.168.200.41
!
object-group network domain_controllers
host 192.168.200.20
host 192.168.200.24
!
object-group network Pinged_server
group-object backup_server
group-object SQL_servers
group-object wsus_servers
group-object sharepoint_web_servers
group-object virtual_servers
group-object domain_controllers
host 192.168.200.22
host 192.168.200.26
host 192.168.200.23
host 192.168.200.31
host 192.168.200.28
host 192.168.200.33
!
object-group service RDP_service
tcp eq 3389
!
object-group network REMOTE_DESKTOP_client
host 192.168.0.123
host 192.168.0.188
host 192.168.0.61
192.168.50.0 255.255.255.0
!
object-group service SPSQL_server
description sql server for sharepoint
tcp eq 5357
tcp eq 49207
tcp range 49152 49155
tcp eq 49177
tcp eq 47001
tcp eq 5985
!
object-group service WDS_server
tcp eq 5985
tcp eq 5357
tcp eq 1027
tcp eq 14236
tcp eq 1033
tcp eq 5040
tcp eq 3389
icmp echo
icmp echo-reply
!
object-group service backup_servers
tcp eq 135
tcp eq 139
tcp eq 3389
tcp eq 9876
tcp eq 445
tcp eq 2301
tcp eq 2381
tcp eq 3260
!
object-group service domain_controller
tcp eq 49188
tcp eq 49177
tcp eq 47001
tcp eq 5985
tcp eq 5357
icmp echo
icmp echo-reply
tcp lt 3389
!
object-group service *_server
tcp eq 3306
tcp eq www
tcp eq 1025
tcp range 1029 1030
!
object-group service finansije_server
tcp eq 135
tcp eq 139
tcp eq 3389
tcp eq 445
tcp eq www
tcp eq 5357
!
object-group service paragraflex_server
tcp eq 5357
tcp eq 5985
tcp eq 47001
icmp echo
icmp echo-reply
!
object-group network ping_server
host 192.168.0.61
192.168.50.0 255.255.255.0
!
object-group service pinging_service
icmp echo-reply
icmp echo
!
object-group service sharepoint_application_service
tcp eq 135
tcp eq 139
tcp eq 3389
tcp eq 2103
tcp eq 2105
tcp eq 2107
tcp eq 1801
tcp eq smtp
tcp eq 4361
tcp eq 8080
tcp eq 4860
tcp eq 445
tcp eq 1053
tcp eq 5357
tcp range www 82
!
object-group service sharepoint_web_application
tcp eq 2103
tcp eq 2105
tcp eq 2107
tcp eq 1801
tcp range 1025 1028
tcp eq 49098
tcp eq 1065
tcp eq 1063
tcp eq 1043
tcp eq 47001
tcp eq 5985
tcp eq 1110
tcp eq 5357
tcp eq 23456
tcp range 32843 32844
!
object-group service terminal_server
tcp eq 135
tcp eq 139
tcp eq 3389
tcp eq 1947
tcp eq 445
tcp eq 5357
!
object-group service virtual_server_services
tcp eq 2179
tcp eq 2301
tcp eq 2381
tcp eq 49166
tcp eq 55478
tcp eq 47001
tcp eq 5985
tcp eq 55480
tcp range 49152 49155
tcp range 49161 49163
!
object-group service wsus_services
tcp eq 5357
tcp range 49152 49155
tcp eq 49194
tcp eq 49176
!
username administrator privilege 15 password 7 01230717481C091D250D1F5B4A
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-WAN$
ip address 192.168.0.253 255.255.255.0
ip access-group Outside_in in
ip mask-reply
ip nbar protocol-discovery
ip flow ingress
ip flow egress
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description $ETH-LAN$
ip address 192.168.200.254 255.255.255.0
ip access-group Inside_in in
ip flow ingress
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip flow-export destination 192.168.0.61 2055
ip flow-top-talkers
top 10
sort-by packets
cache-timeout 1000
!
ip route 0.0.0.0 0.0.0.0 192.168.0.254 255 permanent
ip route 192.168.1.0 255.255.255.0 192.168.0.254 4 permanent
ip route 192.168.2.0 255.255.255.0 192.168.0.254 5 permanent
ip route 192.168.3.0 255.255.255.0 192.168.0.254 3 permanent
ip route 192.168.4.0 255.255.255.0 192.168.0.254 7 permanent
ip route 192.168.5.0 255.255.255.0 192.168.0.254 2 permanent
ip route 192.168.7.0 255.255.255.0 192.168.0.254 6 permanent
ip route 192.168.8.0 255.255.255.0 192.168.0.254 8 permanent
ip route 192.168.50.0 255.255.255.0 192.168.0.10 permanent
!
ip access-list extended Inside_in
remark CCP_ACL Category=1
remark Auto generated by CCP for NTP (123) 192.168.0.20
permit udp host 192.168.0.20 eq ntp host 192.168.200.254 eq ntp
permit ip any any
ip access-list extended Outside_in
remark CCP_ACL Category=1
remark Auto generated by CCP for NTP (123) 192.168.0.20
permit udp host 192.168.0.20 eq ntp host 192.168.0.253 eq ntp
permit ip host 192.168.0.61 host 192.168.0.253
permit udp host 192.168.0.20 192.168.200.0 0.0.0.255 range 49152 56535
permit tcp host 192.168.0.20 192.168.200.0 0.0.0.255 range 49152 56535
permit object-group pinging_service object-group REMOTE_DESKTOP_client object-group Pinged_server log
permit object-group RDP_service object-group REMOTE_DESKTOP_client object-group Pinged_server log
deny object-group virtual_server_services object-group *object-group virtual_servers
deny object-group paragraflex_server object-group * host 192.168.200.26
deny object-group wsus_services object-group *object-group wsus_servers
deny object-group sharepoint_web_application object-group *object-group sharepoint_web_servers log
deny object-group SPSQL_server object-group * object-group SQL_servers
deny object-group dri-net_server 192.168.0.0 0.0.0.255 host 192.168.200.31 log
deny object-group domain_controller object-group *object-group domain_controllers log
deny object-group WDS_server object-group * host 192.168.200.28
permit ip object-group * 192.168.200.0 0.0.0.255 log
ip access-list extended outside_out
remark CCP_ACL Category=1
permit icmp 192.168.200.0 0.0.0.255 object-group DRI_mreze
permit ip any any
!
logging trap debugging
logging source-interface GigabitEthernet0/0
logging 192.168.0.61
access-list 1 permit 192.168.0.61
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.200.26
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit ip 192.168.200.0 0.0.0.255 any
access-list 100 permit ip host 192.168.0.61 any
!
!
snmp-server ifindex persist
snmp-server enable traps entity-sensor threshold
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 100 in
exec-timeout 40 0
privilege level 15
password 7 097C4F1A0A1218000F4D557878
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 192.168.0.20 prefer source GigabitEthernet0/0
!
end

 