2514 Router version 11.3.3.T ! no service tcp-small-servers no service udp-small-servers service passWord-encryption no cdp running no ip source-route enable secret ! !--- Here we have a syslog server. ! logging 192.168.27.131 ! !--- This command enables the logging of session information (addresses and bytes). ! ip inspect audit-trail ! !--- Sets the length of time a TCP session is still managed after no activity. ! ip inspect tcp idle-time 14400 ! !--- Sets the length of time a UDP session is still managed after no activity. ! ip inspect udp idle-time 1800 ! !--- Sets the length of time a DNS name lookup session is still managed !--- after no activity. ! ip inspect dns-timeout 7 ! !--- Sets up inspection list "standard" !--- to be used for inspection of inbound Ethernet 0 !--- and inbound serial (applied to both interfaces). ! ip inspect name standard cuseeme ip inspect name standard FTP ip inspect name standard h323 ip inspect name standard http ip inspect name standard rcmd ip inspect name standard realaudio ip inspect name standard smtp ip inspect name standard sqlnet ip inspect name standard streamworks ip inspect name standard tcp ip inspect name standard tftp ip inspect name standard udp ip inspect name standard vdolive
interface ethernet 0
ip address 192.168.27.129 255.255.255.128 ! !--- Apply access list to allow all legitimate traffic from inside network !--- but PRevent spoofing. ! ip access-group 101 in ! !--- Apply an access list to allow some ICMP traffic; deny all else. !--- The inspection list will add entries to this list to permit !--- return traffic for connections established from inside. ! ip access-group 102 out ! !--- Apply inspection list "standard" for !--- inspection of inbound Ethernet traffic. ! ip inspect standard in
no ip directed-broadcast no cdp enable
interface ethernet 1 ip address 192.168.27.1 255.255.255.128
! !--- Apply the access list to permit DMZ traffic (except spoofing) !--- DMZ interface inbound. ! ip access-group 111 in ! !--- Apply the access list to permit DNS, www, FTP, SMTP, POP3, Telnet !--- to DMZ interface outbound. ! !--- Inspection configured on other interfaces will add temporary entries !--- to this list. ! ip access-group 112 out
no ip directed-broadcast no cdp enable
interface serial 0
ip address 200.200.200.1 255.255.255.0
! !--- Apply the access list to prevent spoofing. ! ip access-group 121 in
! !--- Allow ping replies from inside or DMZ; permit inside traffic back out. !--- Inspection will add temporary entries to this list. ! ip access-group 122 out
! !--- Apply inspection list "standard" for !--- inspection of inbound serial traffic. ! ip inspect standard in
no ip directed-broadcast no cdp enable
! !--- Access list 20 will be used to control which !--- network management stations can access via SNMP. ! access-list 20 permit 192.168.27.5 ! !--- We use an access list to allow all legitimate traffic from !--- the inside network but prevent spoofing. ! access-list 101 permit ip 192.168.27.128 0.0.0.127 any access-list 101 deny ip any any ! !--- Allow some ICMP traffic; deny all else. !--- The inspection list will add entries to this list to permit !--- return traffic for connections established from inside. ! access-list 102 permit icmp any 192.168.27.128 0.0.0.127 administratively-prohibited access-list 102 permit icmp any 192.168.27.128 0.0.0.127 echo access-list 102 permit icmp any 192.168.27.128 0.0.0.127 echo-reply access-list 102 permit icmp any 192.168.27.128 0.0.0.127 packet-too-big access-list 102 permit icmp any 192.168.27.128 0.0.0.127 time-exceeded access-list 102 permit icmp any 192.168.27.128 0.0.0.127 traceroute access-list 102 permit icmp any 192.168.27.128 0.0.0.127 unreachable access-list 102 deny ip any any ! ! !--- The access list permits DMZ traffic (except spoofing) !--- on DMZ interface inbound. ! access-list 111 permit ip 192.168.27.0 0.0.0.127 any access-list 111 deny ip any any ! ! !--- This access list permits DNS, www, FTP, SMTP, POP3, Telnet to DMZ !--- interface outbound. Inspection configured on other interfaces !--- will add temporary entries to this list. ! access-list 112 permit udp any host 192.168.27.3 eq domain access-list 112 permit tcp any host 192.168.27.3 eq domain access-list 112 permit tcp any host 192.168.27.3 eq www access-list 112 permit tcp any host 192.168.27.3 eq ftp access-list 112 permit tcp any host 192.168.27.3 eq smtp access-list 112 permit tcp 192.168.27.128 0.0.0.127 host 192.168.27.3 eq pop3 access-list 112 permit tcp 192.168.27.128 0.0.0.127 any eq telnet access-list 112 permit icmp any 192.168.27.0 0.0.0.127 administratively-prohibited access-list 112 permit icmp any 192.168.27.0 0.0.0.127 echo access-list 112 permit icmp any 192.168.27.0 0.0.0.127 echo-reply access-list 112 permit icmp any 192.168.27.0 0.0.0.127 packet-too-big access-list 112 permit icmp any 192.169.27.0 0.0.0.127 time-exceeded access-list 112 permit icmp any 192.168.27.0 0.0.0.127 traceroute access-list 112 permit icmp any 192.168.27.0 0.0.0.127 unreachable access-list 112 deny ip any any ! !--- Access list to prevent spoofing. ! access-list 121 deny ip 192.168.27.0 0.0.0.255 any access-list 121 deny ip 127.0.0.0 0.255.255.255 any access-list 121 permit ip any any ! ! !--- Access list for ping replies from inside or DMZ; permit inside traffic back out. !--- Inspection will add temporary entries to this list. ! access-list 122 permit icmp 192.168.27.0 0.0.0.255 any echo-reply access-list 122 permit icmp 192.168.27.0 0.0.0.255 any time-exceeded access-list 122 deny ip 192.168.27.0 0.0.0.127 any access-list 122 permit ip 192.168.27.128 0.0.0.127 any ! !--- Apply access list 20 for SNMP process. ! snmp-server community secret RO 20 ! line con 0 exec-timeout 5 0 password 7 14191D1815023F2036 login local line vty 0 4 exec-timeout 5 0 password 7 14191D1815023F2036 login local length 35 end
