Tuesday, 29 November 2011

“:::Configure a Cisco Router 857 for an ADSL Line With Point-to-Point Protocol over ATM and a Dynamic IP Address:::”

Another one: ideasnet



Here is the configuration of a Cisco Router 857 for an ADSL line with Point-to-Point Protocol over ATM (PPPoA) and a dynamic IP address.

ROUTER-A

interface Fa0/0  
 description *** INTERNAL LINK DATA LAN ***
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
!
interface ATM0/0/0
 description *** MAIN ADSL LINE ***
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0/0/0.1 point-to-point
 description *** EXTERNAL LINK DATA FOR MAIN ADSL ***
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer0
 description *** BANDWIDTH FOR MAIN ADSL LINE ***
 ip address negotiated
 ip access-group ACL_FIREWALL_IN in
 ip nat outside
 encapsulation ppp
 ip tcp header-compression passive
 dialer pool 1
 no cdp enable
 no ppp chap wait
 ppp pap sent-username XXXUSER1 password YYYPWD1
 no ppp pap wait
!
ip nat inside source route-map NAT interface Dialer0 overload
!
ip classless
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
dialer-list 1 protocol ip permit
!
ip access-list extended ACL_FIREWALL_IN
 remark *** FIREWALL FOR INBOUND TRAFFIC ***
 remark ************************************************
 remark *** STARTUP ACL FIREWALL FOR INBOUND TRAFFIC ***
 remark ************************************************
 remark 
 remark ************************************************
 remark *** PERMIT SSH AND TELNET INBOUND TRAFFIC ***
 permit tcp any any eq 22
 remark ************************************************
 remark *** PERMIT DNS INBOUND TRAFFIC ***
 permit udp host 82.x.x.1 eq domain any
 permit udp host 82.x.x.2 eq domain any
 remark ************************************************
 remark *** PERMIT ICMP INBOUND TRAFFIC ***
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit icmp any any administratively-prohibited
 permit icmp any any packet-too-big
 permit icmp any any traceroute
 deny   icmp any any
 remark ************************************************
 remark *** DENY ANTI-SPOOFING INBOUND TRAFFIC ***
 deny   ip host 0.0.0.0 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 224.0.0.0 31.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 remark ************************************************
 remark *** DENY VIRUS AND WORM INBOUND TRAFFIC ***
 deny   tcp any any eq 135
 deny   udp any any eq 135
 deny   udp any any eq netbios-ns
 deny   udp any any eq netbios-dgm
 deny   tcp any any eq 139
 deny   udp any any eq netbios-ss
 deny   tcp any any eq 445
 deny   tcp any any eq 593
 deny   tcp any any eq 2049
 deny   tcp any any range 6000 6010
 deny   udp any any eq 1433
 deny   udp any any eq 1434
 deny   udp any any eq 5554
 deny   udp any any eq 9996
 deny   udp any any eq 113
 deny   udp any any eq 3067
 remark ************************************************
 remark *** DENY UNAUTHORIZED ACCESS ***
 deny   ip any any log
 remark
 remark ********************************************
 remark *** END ACL FIREWALL FOR INBOUND TRAFFIC ***
 remark ********************************************
!
ip access-list extended NAT
 remark *** ACL FOR NAT ON ATM0/0/0 ***
 permit ip 192.168.0.0 0.0.0.255 any
!
!
route-map NAT permit 10
 description *** MAP THE OUTBOUND TRAFFIC TO DIALER0 ***
 match ip address NAT
 set interface Dialer0


“:::Configure a Cisco Router 857 for an ADSL Connection with an Internal VoIP PBX:::”

I’ve used this configuration to realize the following diagram:
WAN Network <–> (atm0) ROUTER (vlan0) <–> VoIP PBX
The connection is an ADSL line; the Cisco router uses the ATM interface for the external connection, while it uses vlan0 towards the PBX. The configuration provides a Zone Based Policy Firewall (ZBPF) and an ACL as firewall.

ROUTER

ip cef
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 300
ip inspect hashtable-size 2048
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 60
ip inspect name IDS tcp
ip inspect name IDS udp
ip inspect name IDS ftp
ip inspect name IDS sip
!
ip name-server 82.x.x.1
ip name-server 82.x.x.2
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 description *** Link Data For ADSL ***
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface ATM0.2 point-to-point
 description *** Link Voice For VoIP ***
 pvc 8/36
  vbr-rt 223 172 128
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
!
interface Vlan1
 description ***Public IP for WAN and Private IP for LAN***
 ip address 178.x.x.1 255.255.255.252 secondary
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 ip policy route-map PBR
!
interface Dialer1
 description ***Bandwidth For DATA***
 ip address negotiated
 ip access-group 103 in
 ip inspect IDS out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 no ppp chap wait
 ppp pap sent-username XXXXUSERD password 7 XXXXPWD
 no ppp pap wait
!
interface Dialer2
 description ***Bandwidth For VoIP***
 ip address negotiated
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 2
 no cdp enable
 no ppp chap wait
 ppp pap sent-username XXXXUSERV password 7 XXXXPWV
 no ppp pap wait
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer2 20
!
no ip http server
no ip http secure-server
no ip nat service sip udp port 5060
ip nat inside source list 100 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.253 22 81.x.x.1 2222 extendable
ip nat inside source static tcp 192.168.1.253 80 81.x.x.1 8080 extendable
!
ip access-list extended WILDIX
 permit ip 178.x.x.0 0.0.0.3 any
!
access-list 100 remark ***ACL NAT ON VC DATA***
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
access-list 103 remark ***ACL FIREWALL VC DATA***
access-list 103 remark ***CHECK SSH AND TELNET SERVICES***
access-list 103 permit tcp any any eq 22
access-list 103 permit tcp any any eq telnet
access-list 103 permit tcp any any eq 443
access-list 103 remark ******
access-list 103 remark ***OPEN PORTS 8080 AND 2222***
access-list 103 permit tcp any any eq 8080
access-list 103 permit tcp any any eq 2222
access-list 103 remark ******
access-list 103 remark ***DNS TRAFFIC***
access-list 103 permit udp host 82.x.x.1 eq domain any
access-list 103 permit udp host 82.x.x.2 eq domain any
access-list 103 remark ******
access-list 103 remark ***ICMP TRAFFIC***
access-list 103 permit icmp any any echo
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 permit icmp any any administratively-prohibited
access-list 103 permit icmp any any packet-too-big
access-list 103 permit icmp any any traceroute
access-list 103 deny   icmp any any
access-list 103 remark ******
access-list 103 remark ***ANTI-SPOOFING***
access-list 103 deny   ip host 0.0.0.0 any log
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 103 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 103 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 103 remark ******
access-list 103 remark ***BLOCK VIRUS AND WORM***
access-list 103 deny   tcp any any eq 135
access-list 103 deny   udp any any eq 135
access-list 103 deny   udp any any eq netbios-ns
access-list 103 deny   udp any any eq netbios-dgm
access-list 103 deny   tcp any any eq 139
access-list 103 deny   udp any any eq netbios-ss
access-list 103 deny   tcp any any eq 445
access-list 103 deny   tcp any any eq 593
access-list 103 deny   tcp any any eq 2049
access-list 103 deny   tcp any any range 6000 6010
access-list 103 deny   udp any any eq 1433
access-list 103 deny   udp any any eq 1434
access-list 103 deny   udp any any eq 5554
access-list 103 deny   udp any any eq 9996
access-list 103 deny   udp any any eq 113
access-list 103 deny   udp any any eq 3067
access-list 103 remark ******
access-list 103 remark ***BLOCK UNAUTHORIZED ACCESS***
access-list 103 deny   ip any any log
no cdp run
!
route-map PBR permit 10
 match ip address WILDIX
 set interface Dialer2
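As an added example, not part of the original post and not Cisco tooling, here is a small Python model of how IOS evaluates the inbound ACL shown in both configurations above (ACL_FIREWALL_IN in the first, access-list 103 in the second): top-down, first match wins, implicit deny at the end. It parses a constructed excerpt of the page's own entries (198.51.100.1 is a placeholder for the masked resolver address 82.x.x.1) and adds a shadowing check that flags source-specific denies placed below a broader permit. For this ACL it reports that the anti-spoofing entries sit below 'permit tcp any any eq 22', so an SSH packet arriving with an RFC 1918 source address is permitted before the spoofing denies are ever consulted; moving those denies to the top of the list, or restricting the SSH permit to known management sources, closes that gap.

```python
"""Added example (not the post's own code): a first-match evaluator and a shadowing check
for the page's inbound ACLs (ACL_FIREWALL_IN / access-list 103). ACL_TEXT is a constructed
excerpt of that ACL; 198.51.100.1 stands in for the masked resolver address 82.x.x.1."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"domain": 53, "telnet": 23, "netbios-ns": 137,   # IOS port keywords on the page
              "netbios-dgm": 138, "netbios-ss": 139}

@dataclass
class Entry:
    action: str                           # permit | deny
    proto: str                            # ip | tcp | udp | icmp
    src: ipaddress.IPv4Network
    src_port: Optional[int]               # 'host X eq domain any' filters the SOURCE port
    dst: ipaddress.IPv4Network
    dst_ports: Optional[Tuple[int, int]]  # inclusive destination port range
    icmp_type: Optional[str]
    text: str                             # normalised entry, e.g. "deny ip 10.0.0.0 0.255.255.255 any log"

def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)

def _network(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any' | 'host A' | 'A WILDCARD' and return the network it denotes."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    netmask = int(ipaddress.IPv4Address(tokens.pop(0))) ^ 0xFFFFFFFF   # wildcard -> netmask
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous wildcard masks are not modelled here")
    return ipaddress.IPv4Network(f"{tok}/{prefix}", strict=False)

def parse_acl(text: str) -> List[Entry]:
    """Accepts named-ACL lines ('permit ...') and numbered ones ('access-list 103 permit ...')."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens and tokens[0] == "access-list":
            tokens = tokens[2:]
        if not tokens or tokens[0] in ("!", "remark"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, src_port = _network(rest), None
        if rest and rest[0] == "eq":
            src_port, rest = _port(rest[1]), rest[2:]
        dst, dst_ports = _network(rest), None
        if rest and rest[0] == "eq":
            dst_ports, rest = (_port(rest[1]), _port(rest[1])), rest[2:]
        elif rest and rest[0] == "range":
            dst_ports, rest = (_port(rest[1]), _port(rest[2])), rest[3:]
        icmp_type = rest[0] if proto == "icmp" and rest and rest[0] != "log" else None
        entries.append(Entry(action, proto, src, src_port, dst, dst_ports, icmp_type, " ".join(tokens)))
    return entries

def evaluate(entries, proto, src, dst, dst_port=None, src_port=None, icmp_type=None):
    """First matching entry wins, exactly as IOS evaluates the list; no match = implicit deny."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if e.proto not in ("ip", proto) or src not in e.src or dst not in e.dst:
            continue
        if e.src_port is not None and src_port != e.src_port:
            continue
        if e.dst_ports is not None and (dst_port is None or not e.dst_ports[0] <= dst_port <= e.dst_ports[1]):
            continue
        if e.icmp_type is not None and icmp_type != e.icmp_type:
            continue
        return e.action, e.text
    return "deny", "implicit deny"

def shadowed_denies(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(deny, earlier permit) pairs whose sources overlap: the deny never sees that traffic.
    On the page the anti-spoofing denies sit below 'permit tcp any any eq 22'."""
    gaps = []
    for i, d in enumerate(entries):
        if d.action == "deny" and d.src.prefixlen > 0:        # source-specific denies only
            gaps += [(d.text, p.text) for p in entries[:i]
                     if p.action == "permit" and p.src.overlaps(d.src)]
    return gaps

ACL_TEXT = """\
 permit tcp any any eq 22
 permit udp host 198.51.100.1 eq domain any
 permit icmp any any echo
 deny   icmp any any
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   udp any any eq netbios-ns
 deny   tcp any any range 6000 6010
 deny   ip any any log
"""
ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    print(evaluate(ACL, "tcp", "203.0.113.5", "198.51.100.9", 22))   # permitted, as intended
    print(evaluate(ACL, "tcp", "10.1.2.3", "198.51.100.9", 22))      # spoofed source, also permitted
    for deny, permit in shadowed_denies(ACL):
        print(f"{deny!r} is shadowed by earlier {permit!r}")
```

Run it directly to print the two verdicts and the shadowing report; evaluate() takes the protocol, source and destination addresses, then optional destination port, source port and ICMP type, and returns the action together with the entry that decided it.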

