Security Basics mailing list archives

RE: Re: Re: Re: Re: router access control list


From: "Dixon, Wayne" <wcdixo () aurora lib il us>
Date: Mon, 6 Nov 2006 11:41:51 -0600

Here's the actual readable show run from apaez1084



Building configuration...

Current configuration : 4825 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname CCMRouter
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$0gQb$9PfhDWH7Liv/rqDDX1pLj/
!
username admin password 7 03095200030C2241
username CRWS_Bijoy privilege 15 password 7 08651D0A3E48033656045D0B190E3429666177405140565603
username CRWS_Venky privilege 15 password 7 00404242330A0D274B2E1D413A3C1516435E58507E7F7C7B6264
username CRWS_Sangeetha privilege 15 password 7 06425E657B1F0F38411843043F213A2A757C63617040504F5754
username CRWS_Ulags privilege 15 password 7 0242551F3C570900084158163632020A5F5D7C7B777F6A6474
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.99
ip dhcp excluded-address 192.168.0.16
ip dhcp excluded-address 192.168.0.15
ip dhcp excluded-address 192.168.0.11
ip dhcp excluded-address 192.168.0.221
!
ip dhcp pool CLIENT
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   lease 0 2
!
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
no crypto isakmp enable
!
!
!
!
interface Ethernet0
 description CRWS Generated text. Please do not delete this:192.168.0.1-255.255.255.0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 hold-queue 100 out
! 
interface ATM0 
 no ip address 
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 8/35
  pppoe-client dial-pool-number 1
!
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 no cdp enable
 ppp authentication pap chap callin
 ppp chap hostname ccmgroup () bellsouth net
 ppp chap password 7 014751530B5A5F58
 ppp pap sent-username ccmgroup () bellsouth net password 7 00504451540A5251
 ppp ipcp dns request
 ppp ipcp wins request
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.99 25 interface Dialer1 25
ip nat inside source static tcp 192.168.0.99 21 interface Dialer1 21
ip nat inside source static tcp 192.168.0.99 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.16 3399 interface Dialer1 3399
ip nat inside source static tcp 192.168.0.99 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.0.15 3391 interface Dialer1 3391
ip nat inside source static tcp 192.168.0.11 7603 interface Dialer1 7603
ip nat inside source static tcp 192.168.0.11 3390 interface Dialer1 3390
ip nat inside source static udp 192.168.0.11 7603 interface Dialer1 7603
ip nat inside source static tcp 192.168.0.99 443 interface Dialer1 443
ip nat inside source static tcp 192.168.0.221 3395 interface Dialer1 3395
ip nat inside source static tcp 192.168.0.11 47281 interface Dialer1 47281
ip nat inside source static udp 192.168.0.11 47281 interface Dialer1 47281
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
! 
! 
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.255.255 any 
access-list 102 permit ip 192.168.0.0 0.0.0.255 any 
access-list 110 permit tcp any any eq www 
access-list 110 permit tcp any any eq 3390 
access-list 110 permit tcp any any eq 3389 
access-list 110 permit tcp any any eq ftp 
access-list 110 permit tcp any any eq ftp-data 
access-list 110 permit tcp any any eq pop3 
access-list 110 permit tcp any any eq smtp 
access-list 110 permit tcp any any eq 3399 
access-list 110 permit tcp any any eq 3391 
access-list 110 permit tcp any any eq 7603 
access-list 110 permit tcp any any eq 443 
access-list 110 permit tcp any any eq 3395 
access-list 110 permit tcp any any eq 47281 
access-list 110 permit udp any any eq 47281 
access-list 110 permit udp any any eq 7603 
access-list 110 permit tcp any any eq 8080 
access-list 110 permit tcp any any eq telnet 
access-list 111 permit tcp any any eq www 
access-list 111 permit tcp any any eq 3390 
access-list 111 permit tcp any any eq telnet 
dialer-list 1 protocol ip permit 
! 
control-plane 
!
!
line con 0
 exec-timeout 120 0 
 no modem enable 
 transport preferred all 
 transport output all 
 stopbits 1
line aux 0
 transport preferred all 
 transport output all
line vty 0 4
 access-class 23 in 
 exec-timeout 120 0 
 login local
 length 0
 transport preferred all 
 transport input all 
 transport output all 
!
scheduler max-task-time 5000 
!
end





Wayne

 


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of apaez1084 () gmail com
Sent: Monday, November 06, 2006 8:16 AM
To: security-basics () securityfocus com
Subject: Re: Re: Re: Re: Re: router access control list


OK, the ACL 111 is just a test to see if it's actually working. I'm going
to paste my show run. I'm sure it is a problem with what interface I'm
putting it on, and whether it is in or out. Maybe I still haven't understood that
concept. But here we go, see if someone can help, and ask me anything
you want:

Building configuration...

Current configuration : 4825 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname CCMRouter
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$0gQb$9PfhDWH7Liv/rqDDX1pLj/
!
username admin password 7 03095200030C2241
username CRWS_Bijoy privilege 15 password 7 08651D0A3E48033656045D0B190E3429666177405140565603
username CRWS_Venky privilege 15 password 7 00404242330A0D274B2E1D413A3C1516435E58507E7F7C7B6264
username CRWS_Sangeetha privilege 15 password 7 06425E657B1F0F38411843043F213A2A757C63617040504F5754
username CRWS_Ulags privilege 15 password 7 0242551F3C570900084158163632020A5F5D7C7B777F6A6474
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.99
ip dhcp excluded-address 192.168.0.16
ip dhcp excluded-address 192.168.0.15
ip dhcp excluded-address 192.168.0.11
ip dhcp excluded-address 192.168.0.221
!
ip dhcp pool CLIENT
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   lease 0 2
!
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
no crypto isakmp enable
!
!
!
!
interface Ethernet0
 description CRWS Generated text. Please do not delete this:192.168.0.1-255.255.255.0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 no cdp enable
 ppp authentication pap chap callin
 ppp chap hostname ccmgroup () bellsouth net
 ppp chap password 7 014751530B5A5F58
 ppp pap sent-username ccmgroup () bellsouth net password 7 00504451540A5251
 ppp ipcp dns request
 ppp ipcp wins request
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.99 25 interface Dialer1 25
ip nat inside source static tcp 192.168.0.99 21 interface Dialer1 21
ip nat inside source static tcp 192.168.0.99 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.16 3399 interface Dialer1 3399
ip nat inside source static tcp 192.168.0.99 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.0.15 3391 interface Dialer1 3391
ip nat inside source static tcp 192.168.0.11 7603 interface Dialer1 7603
ip nat inside source static tcp 192.168.0.11 3390 interface Dialer1 3390
ip nat inside source static udp 192.168.0.11 7603 interface Dialer1 7603
ip nat inside source static tcp 192.168.0.99 443 interface Dialer1 443
ip nat inside source static tcp 192.168.0.221 3395 interface Dialer1 3395
ip nat inside source static tcp 192.168.0.11 47281 interface Dialer1 47281
ip nat inside source static udp 192.168.0.11 47281 interface Dialer1 47281
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
!
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 3390
access-list 110 permit tcp any any eq 3389
access-list 110 permit tcp any any eq ftp
access-list 110 permit tcp any any eq ftp-data
access-list 110 permit tcp any any eq pop3
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq 3399
access-list 110 permit tcp any any eq 3391
access-list 110 permit tcp any any eq 7603
access-list 110 permit tcp any any eq 443
access-list 110 permit tcp any any eq 3395
access-list 110 permit tcp any any eq 47281
access-list 110 permit udp any any eq 47281
access-list 110 permit udp any any eq 7603
access-list 110 permit tcp any any eq 8080
access-list 110 permit tcp any any eq telnet
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 3390
access-list 111 permit tcp any any eq telnet
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
!
end


Thanks for the help!!!
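The question in the thread is which interface and direction ACL 110 belongs on. The show run itself answers the first half: no interface carries an `ip access-group` line at all, so 110, 111 and 100 are defined but filter nothing (only 23 is applied, via `access-class` on the vty lines, and 102 only selects what gets NATed). What follows is an added example, not code from the thread or from Cisco: a small Python audit that finds unreferenced ACLs, compares the static NAT port-forwards against the permits in the ACL the poster wants inbound on Dialer1, and shows why the `password 7` strings in a pasted config should be treated as disclosed. The config excerpt inside the block is constructed in the same format as the paste; only the lines the audit needs are included, and the test vector for the type-7 routine is a well-known sample string, not one of the thread's.

```python
"""Audit checks for a pasted Cisco IOS 'show run' (added example, not from the thread).

  1. Which access-lists are defined but never applied, so they filter nothing.
  2. Whether every static NAT port-forward has a matching permit in the ACL that
     is about to be applied inbound, since IOS ACLs end in an implicit deny.
  3. Why 'service password-encryption' (type 7) is reversible: it is a fixed-key
     XOR, not a hash, and the key is public.
"""
import re

# Port names IOS prints in ACLs, mapped back to numbers for comparison.
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "smtp": 25, "pop3": 110,
              "telnet": 23, "domain": 53}

# Constructed excerpt in the same shape as the thread's paste (not the full config).
SAMPLE_CONFIG = """\
interface Dialer1
 ip address negotiated
 ip nat outside
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.99 25 interface Dialer1 25
ip nat inside source static tcp 192.168.0.99 3389 interface Dialer1 3389
ip nat inside source static udp 192.168.0.11 7603 interface Dialer1 7603
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq telnet
access-list 111 permit tcp any any eq www
line vty 0 4
 access-class 23 in
 transport input all
"""


def acl_references(config):
    """Map each numbered ACL to the places that actually apply it."""
    refs, context = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a new top-level stanza resets the context
            context = line if line.startswith(("interface ", "line ")) else None
        for pat in (r"ip access-group (\S+) (in|out)$", r"access-class (\S+) (in|out)$"):
            m = re.match(pat, line)
            if m and context:
                refs.setdefault(m.group(1), []).append(f"{context} {m.group(2)}")
        m = re.match(r"ip nat inside source list (\S+) ", line)
        if m:
            refs.setdefault(m.group(1), []).append("nat inside source list")
    return refs


def unapplied_acls(config):
    """ACLs that exist in the config but are referenced by nothing."""
    defined = set(re.findall(r"^\s*access-list (\d+) ", config, re.M))
    return sorted(defined - set(acl_references(config)), key=int)


def static_nat_forwards(config):
    """(proto, outside_port) for every static port-forward on the NAT outside interface."""
    pat = r"ip nat inside source static (tcp|udp) \S+ \d+ interface \S+ (\d+)"
    return {(proto, int(port)) for proto, port in re.findall(pat, config)}


def acl_permitted_ports(config, acl):
    """(proto, port) pairs an ACL permits with 'permit tcp|udp any any eq <port>'."""
    pat = rf"access-list {acl} permit (tcp|udp) any any eq (\S+)"
    return {(proto, PORT_NAMES[p] if p in PORT_NAMES else int(p))
            for proto, p in re.findall(pat, config)}


def forwards_without_permit(config, acl):
    """Port-forwards the ACL would silently drop once applied inbound (implicit deny)."""
    return sorted(static_nat_forwards(config) - acl_permitted_ports(config, acl))


def permits_without_forward(config, acl):
    """Permits that reach the router itself (e.g. telnet, http) rather than a forwarded host."""
    return sorted(acl_permitted_ports(config, acl) - static_nat_forwards(config))


# The fixed key IOS uses for 'password 7' strings; it has been public for decades.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(enc):
    """Reverse a 'password 7' string: two-digit key offset, then hex of plaintext XOR key."""
    seed, data = int(enc[:2]), bytes.fromhex(enc[2:])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]) for i, b in enumerate(data))


def type7_encrypt(plain, seed=9):
    """The forward direction, only to show it is a fixed-key XOR and not a hash."""
    body = "".join(f"{c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}"
                   for i, c in enumerate(plain.encode()))
    return f"{seed:02d}{body}"


if __name__ == "__main__":
    print("unapplied ACLs:", unapplied_acls(SAMPLE_CONFIG))
    print("forwards ACL 110 would drop:", forwards_without_permit(SAMPLE_CONFIG, "110"))
    print("permits with no forward behind them:", permits_without_forward(SAMPLE_CONFIG, "110"))
    print("type 7 094F471A1A0A ->", type7_decrypt("094F471A1A0A"))
```

Two caveats before anyone copies ACL 110 onto Dialer1 with `ip access-group 110 in`: IOS ACLs are stateless and end in an implicit deny, so as written the list would also drop the return traffic of every outbound NATed session (web browsing, DNS replies) until a `permit tcp any any established` line, or CBAC `ip inspect` where the image supports it, is added; and the `telnet`, `www` and `8080` permits from `any` reach the router's own `ip http server` and vty lines, not just forwarded hosts, with only `access-class 23` standing in front of the latter. The `enable secret 5` line is an MD5-based hash and is not affected by the type-7 weakness, but every `password 7` string in a config that has been posted to a public list should be rotated.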


    

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

