! Last configuration change at 19:51:15 UA Sat May 3 2008 by root
! NVRAM config last updated at 21:07:45 UA Sat May 3 2008
!
version 12.2
! Log/debug timestamps are relative to uptime. NTP is configured further
! down, so `service timestamps log datetime msec localtime` would make the
! entries correlatable with other hosts. No `logging buffered` / `logging host`
! appears anywhere in this listing, so the ACL `log` hits below have nowhere
! to go but the console -- worth confirming on the box.
service timestamps debug uptime
service timestamps log uptime
! Type-7 encoding is reversible (decoded offline in seconds); it only hides
! passwords from shoulder-surfing, not from anyone who can read the config.
service password-encryption
!
hostname firewall
!
aaa new-model
! PPP (PPTP) users are authenticated/authorised/accounted against RADIUS
! only; there is no local fallback, so a RADIUS outage fails closed for VPN.
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network default start-stop group radius
! No `aaa authentication login` list is defined; with aaa new-model that
! means console/vty logins fall back to the local user database (the
! username lines below). The enable secret is type 5 (MD5) -- correct type.
enable secret 5 **************
!
! Both local accounts use reversible type-7 passwords; the second one has
! privilege 15 (enable-level access without the enable secret). Re-enter
! them as `username <name> secret <new-password>` so an MD5 hash is stored.
username ******* password 7 *************
username ****** privilege 15 password 7 ***********
clock timezone UA 2
ip subnet-zero
ip icmp rate-limit unreachable 1000
no ip rcmd domain-lookup
! rsh/rcp: the remote-host entries grant remote command execution (with
! `enable` privilege) based only on source address + remote username. There
! is no password and no cryptography in the rsh protocol. 192.168.20.4 is
! also the host published on TCP/80 from the Internet (static NAT below) and
! the RADIUS server; 192.168.20.1 is the public mail/DNS host. Compromise of
! either, or of any machine on 192.168.20.0/24 that can spoof their
! addresses (FastEthernet0 has neither an ACL nor uRPF), yields enable on
! this router. Move whatever automation this serves to SSH/SCP, then:
! `no ip rcmd rsh-enable` and `no ip rcmd rcp-enable`.
ip rcmd rcp-enable
ip rcmd rsh-enable
ip rcmd remote-host ********* 192.168.20.4 ******** enable
ip rcmd remote-host ********* 192.168.20.1 ******** enable
ip rcmd remote-host ********* 192.168.20.1 ******** enable
ip cef
! FTP credentials for `copy ftp:` -- stored type-7, sent in cleartext.
ip ftp username ***************
ip ftp password 7 **************
ip domain-name lutacom.net
ip name-server 192.168.20.1
!
! Per-session interface configuration comes from Virtual-Template2 plus
! whatever RADIUS returns for the user (virtual-profile aaa).
virtual-profile virtual-template 2
virtual-profile aaa
vpdn enable
vpdn aaa attribute nas-ip-address vpdn-nas
vpdn aaa attribute nas-port vpdn-nas
!
! PPTP server. Tunnels are accepted on any interface whose inbound ACL
! passes TCP/1723 and GRE: inet_in (Ethernet0) does not, access_30
! (FastEthernet1) does -- so the VPN is offered to the 192.168.30.0/23
! side only, not to the Internet.
vpdn-group pptp
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 2
ip mtu adjust
!
!
interface Loopback0
! Anchor address for the PPTP virtual-access interfaces (Virtual-Template2
! is `ip unnumbered Loopback0`); sits just below the pptp_client pool.
ip address 192.168.4.1 255.255.255.255
ip nat inside
!
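interface Ethernet0
! Internet-facing /30 towards the ISP next hop 195.64.142.29.
ip address 195.64.142.30 255.255.255.252
! Inbound filter; evaluated before NAT, so it matches on this address.
ip access-group inet_in in
! Strict uRPF: drop packets whose source would not be routed back out here.
ip verify unicast reverse-path
no ip unreachables
no ip proxy-arp
! Hardening added: a point-to-point external link has no use for ICMP
! redirects, and CDP (on by default) would advertise platform and IOS
! version to whatever sits on the ISP side.
no ip redirects
no cdp enable
ip nat outside
! CAR: outbound ICMP (ACL 2020) limited to 8 kbit/s.
rate-limit output access-group 2020 8000 1500 2000 conform-action transmit exceed-action drop
ip route-cache same-interface
media-type 10BaseT
snmp ifindex persist
traffic-shape rate 10000000 250000 250000 1000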
!
interface Virtual-Template2
! Cloned for every PPTP session (vpdn-group pptp above).
ip unnumbered Loopback0
! 2000 in: what VPN users may send; 2001 out: what may reach them.
ip access-group 2000 in
ip access-group 2001 out
ip verify unicast reverse-path
no ip unreachables
no ip proxy-arp
ip nat inside
rate-limit output access-group 2020 8000 1500 2000 conform-action transmit exceed-action drop
ip route-cache flow
peer default ip address pool pptp_client
! Accepts CHAP and MS-CHAP (v1), and there is no `ppp encrypt mppe`, so the
! PPP payload inside the GRE tunnel is unencrypted and a captured MS-CHAPv1
! exchange is weak enough to crack offline. If clients, the RADIUS server
! and this 12.2 image support it (check `ppp authentication ?`), move to
! `ppp authentication ms-chap-v2` with `ppp encrypt mppe auto required`;
! MPPE can only be negotiated after MS-CHAP, so plain CHAP has to go.
ppp authentication ms-chap chap
!
interface FastEthernet0
! Inside LAN (192.168.20.1/.4 servers; RADIUS source interface). No inbound
! ACL and no uRPF here, although from_20 / to_20 are defined below and bound
! to nothing in this listing -- presumably meant for this interface. Every
! other interface has uRPF, so this is the one segment from which the rsh
! trust addresses (192.168.20.1/.4) could be spoofed without being dropped.
ip address 192.168.20.2 255.255.255.0
no ip proxy-arp
ip nat inside
ip route-cache same-interface
half-duplex
snmp ifindex persist
!
interface FastEthernet1
! 192.168.30.0/23 side, filtered by access_30: only 192.168.30.2 may go
! anywhere; everyone else may reach this router only for PPTP (1723/GRE),
! SSH and a few ICMP types -- i.e. a semi-trusted segment whose users are
! expected to come in over the VPN. 192.168.30.0/23 is absent from
! to__inet, so it is never NATed to the Internet directly.
ip address 192.168.30.8 255.255.254.0
ip access-group access_30 in
ip verify unicast reverse-path
no ip unreachables
no ip proxy-arp
ip nat inside
! CAR: outbound ICMP (ACL 2020) limited to 128 kbit/s.
rate-limit output access-group 2020 128000 1500 2000 conform-action transmit exceed-action drop
full-duplex
snmp ifindex persist
traffic-shape rate 10000000 250000 250000 1000
!
! Addresses handed to PPTP users (unless RADIUS supplies one).
ip local pool pptp_client 192.168.4.2 192.168.5.254
! With `overload` on the dynamic rule the per-protocol tcp/udp timeouts
! govern PAT entries; this generic value mostly affects the rest.
ip nat translation timeout 180
! Only sources matched by route-map to_inet / ACL to__inet are translated.
ip nat inside source route-map to_inet interface Ethernet0 overload
! Published to the Internet: web on 192.168.20.4 -- which is also the
! RADIUS server and an rsh-trusted host with enable rights, so a web-server
! compromise has a direct path onto this router -- and mail/DNS on
! 192.168.20.1, which is also the router's own resolver. Make sure that DNS
! server does not recurse for Internet clients.
ip nat inside source static tcp 192.168.20.4 80 interface Ethernet0 80
ip nat inside source static tcp 192.168.20.1 25 interface Ethernet0 25
ip nat inside source static udp 192.168.20.1 53 interface Ethernet0 53
ip nat inside source static tcp 192.168.20.1 53 interface Ethernet0 53
ip classless
ip route 0.0.0.0 0.0.0.0 195.64.142.29
! HTTP management disabled -- good.
no ip http server
!
!
ip access-list extended access_30
! Inbound on FastEthernet1 (first match, implicit deny at the end).
! PPTP service offered to this segment.
permit tcp any host 192.168.30.8 eq 1723
permit gre any host 192.168.30.8
! SSH management from anywhere on 192.168.30.0/23.
permit tcp any host 192.168.30.8 eq 22
! One fully trusted host -- know what 192.168.30.2 is and who controls it.
permit ip host 192.168.30.2 any
! `log` on echo produces a syslog line per matching packet (first packet,
! then 5-minute summaries by default); fine on a quiet segment, noisy under
! a scan.
permit icmp 192.168.30.0 0.0.1.255 host 192.168.30.8 echo log
permit icmp 192.168.30.0 0.0.1.255 host 192.168.30.8 unreachable log
permit icmp 192.168.30.0 0.0.1.255 host 192.168.30.8 source-quench log
permit icmp 192.168.30.0 0.0.1.255 host 192.168.30.8 echo-reply
! Bound to no interface in this listing. If applied, its only effect is to
! log everything from 192.168.20.248 and pass the rest.
ip access-list extended from_20
permit ip host 192.168.20.248 any log
permit ip any any
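ip access-list extended inet_in
! Inbound on Ethernet0. First match, implicit deny at the end. Evaluated
! before NAT, so entries match the outside address; a packet for a port that
! has no NAT entry is delivered to the router itself. `established` is not
! stateful -- it matches any segment with ACK or RST set.
permit tcp any host 195.64.142.30 gt 1023 established
! Published services (static NAT to 192.168.20.4 / 192.168.20.1 below).
permit tcp any host 195.64.142.30 eq www
permit tcp any host 195.64.142.30 eq smtp
permit tcp any host 195.64.142.30 eq domain
permit udp any host 195.64.142.30 eq domain
! Replies from the configured NTP servers (IOS sources NTP from port 123).
permit udp any eq ntp host 195.64.142.30 eq ntp
! Full pass-through to 194.116.195.208/28 -- not a connected network here;
! presumably addresses handed to VPN users (cf. ACL 2000/2001). Every port
! of those hosts is reachable from the Internet.
permit ip any 194.116.195.208 0.0.0.15
permit icmp any host 195.64.142.30 echo
permit icmp any host 195.64.142.30 unreachable
permit icmp any host 195.64.142.30 source-quench
permit icmp any host 195.64.142.30 echo-reply
! Source-port permits (game traffic from port 28960, DNS replies from 53).
! Fix: these carried no destination-port restriction, so any Internet host
! that set its source port to 28960 or 53 could reach every UDP service on
! the router -- notably SNMP 161 with community "public". PAT reply traffic
! lands on ephemeral ports, so limiting them to destinations > 1023 loses
! nothing legitimate (DNS replies to port 53 are already permitted above).
permit udp any eq 28960 host 195.64.142.30 gt 1023
permit tcp any eq 28960 host 195.64.142.30 gt 1023 established
permit udp any eq domain host 195.64.142.30 gt 1023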
! Bound to no interface in this listing (reads as intended for `out` on
! FastEthernet0). Its first entry duplicates what ACL 2000 already enforces
! inbound on Virtual-Template2 (VPN users may not reach 192.168.0.0/16); the
! 192.168.30.x entries are already enforced by access_30 on FastEthernet1.
ip access-list extended to_20
deny ip 192.168.4.0 0.0.1.255 192.168.20.0 0.0.0.255
permit ip host 192.168.30.2 192.168.20.0 0.0.0.255
deny ip 192.168.30.0 0.0.1.255 192.168.20.0 0.0.0.255
permit ip any any
! Match list for NAT route-map to_inet. In a NAT ACL `deny` means "do not
! translate", not "drop": such packets are still forwarded with their
! private source and die upstream. The real SMTP block for VPN users is
! ACL 2000. 192.168.30.0/23 is not listed, so it never gets translated.
ip access-list extended to__inet
deny tcp 192.168.4.0 0.0.1.255 any eq smtp
deny ip any host 255.255.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 194.116.195.208 0.0.0.15
permit tcp 192.168.4.0 0.0.1.255 any
permit udp 192.168.4.0 0.0.1.255 any
permit tcp 192.168.20.0 0.0.0.255 any
permit udp 192.168.20.0 0.0.0.255 any
permit icmp 192.168.4.0 0.0.1.255 any
permit icmp 192.168.20.0 0.0.0.255 any
ip radius source-interface FastEthernet0
! ACL 2: hosts allowed the RW SNMP community (the obvious choice for RO too).
access-list 2 permit 192.168.20.4
access-list 2 permit 192.168.20.1
! ACL 2000, inbound on Virtual-Template2: VPN users may not reach any
! 192.168.0.0/16 address (including this router's inside addresses), each
! other, broadcast, or send SMTP. Traffic to the outside address
! 195.64.142.30 is not denied, so router services (e.g. telnet on the vty)
! are reachable by them. The 192.168.4.0/23 entry is redundant with the
! first line.
access-list 2000 deny ip any 192.168.0.0 0.0.255.255
access-list 2000 deny ip any 194.116.195.208 0.0.0.15
access-list 2000 deny tcp any any eq smtp
access-list 2000 deny ip any 192.168.4.0 0.0.1.255
access-list 2000 deny ip any host 192.168.5.255
access-list 2000 deny ip any host 255.255.255.255
access-list 2000 permit ip 194.116.195.208 0.0.0.15 any
access-list 2000 permit ip 192.168.4.0 0.0.1.255 any
! ACL 2001, outbound towards VPN users: nothing from the inside networks,
! anything else. There is no `established`, so a client holding a
! 194.116.195.208/28 address (passed by inet_in) is open on every port.
access-list 2001 deny ip 192.168.0.0 0.0.255.255 any
access-list 2001 deny ip 194.116.195.208 0.0.0.15 any
access-list 2001 deny tcp any eq smtp any
access-list 2001 permit ip any 192.168.4.0 0.0.1.255
access-list 2001 permit ip any 194.116.195.208 0.0.0.15
access-list 2001 deny ip any any
! ACL 2020 selects ICMP for the CAR rate-limits; the `log` keyword here is
! most likely unintended.
access-list 2020 permit icmp any any echo-reply
access-list 2020 permit icmp any any log
! ACL 2100 is referenced nowhere in this listing.
access-list 2100 permit tcp host 195.64.142.30 eq www any
route-map to_inet permit 10
match ip address to__inet
!
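! SNMP v1/v2c: the community string is the only credential and travels in
! clear. Fix: bind the RO community to ACL 2 exactly as the RW one is --
! before this, anything that could reach UDP/161 could read the device with
! the well-known default string "public". Both "public" and "private" are
! the first strings every scanner tries; rename them. Extend ACL 2 if a
! poller other than 192.168.20.1/.4 is in use.
snmp-server community public RO 2
snmp-server community private RW 2
snmp-server ifindex persist
snmp-server location Firewall
snmp-server enable traps tty
! `snmp-server manager` makes the router process SNMP responses/traps as a
! manager itself; unusual on a firewall -- confirm it is actually needed.
snmp-server manager
radius-server configure-nas
! Shared secret is type-7 (reversible): treat every config backup as secret.
! 192.168.20.4 is also the web host published on TCP/80 (see static NAT).
radius-server host 192.168.20.4 auth-port 1812 acct-port 1813 key 7 ***********************
radius-server attribute 32 include-in-access-req
radius-server attribute 44 include-in-access-req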
!
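line con 0
 exec-timeout 10 0
line aux 0
 ! Nothing in this listing uses AUX; make sure it can never hand out a
 ! shell (a modem on AUX would otherwise be a dial-in door with local auth).
 no exec
 transport input none
line vty 0 4
 ! Previously no transport or access restriction at all: telnet (cleartext,
 ! local type-7 accounts) was reachable from the 192.168.20.0/24 LAN and,
 ! via ACL 2000, from PPTP users towards 195.64.142.30. access_30 already
 ! admits TCP/22, which suggests SSH is set up -- confirm with `show ip ssh`
 ! (RSA key present) BEFORE applying `transport input ssh`, or the console
 ! becomes the only way in. Add `access-class <admin-hosts> in` once the
 ! management sources are known (192.168.30.2 looks like one candidate).
 exec-timeout 10 0
 transport input ssh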
!
! `ntp clock-period` is written by IOS itself (drift calibration) -- never
! hand-edit it.
ntp clock-period 17179976
! Twelve unauthenticated public servers. Nothing restricts who may talk NTP
! to this router: inet_in admits UDP 123->123 from anywhere and there is no
! `ntp access-group`, so any host may use it as a time source and, on older
! IOS, send control queries. Suggested: `ntp access-group peer <acl of these
! servers>` plus `ntp access-group serve-only <acl of LAN ranges>`. Note
! that once any access-group is set, unlisted access types are denied, so
! the `peer` entry is mandatory or synchronisation is lost. Four or five
! servers is plenty.
ntp server 213.41.245.21
ntp server 62.66.254.154
ntp server 210.64.9.140
ntp server 85.25.252.58
ntp server 195.234.188.26
ntp server 76.169.239.34
ntp server 80.96.148.132
ntp server 88.191.21.6
ntp server 134.99.176.3
ntp server 138.236.128.117
ntp server 128.10.252.10
ntp server 69.182.190.97
end