I'm running a 1841 in a small branch office; for now its only job is to bring up a VPN to headquarters so we get DNS from HQ, and that only for the internal domain (AD DS). Everything else it sends straight out to the Internet.
The link is 20 Mbps download / 8 Mbps upload from a local neighborhood ISP over radio; I get Ethernet, after which there is some "black box" and an antenna on the roof. There are a dozen or so users on my LAN.
Traffic is mainly HTTP(S), FTP, DNS.
Features in use:
DHCP
NAT
DNS forwarder
CBAC
VPN S2S do ASA w HQ
Kilka prostych ACL
Code:
Cisco 1841 (revision 4.1) with 239616K/22528K bytes of memory.
Processor board ID .....
2 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)
I don't know how to approach this, so I'd be grateful for any suggestions on how to dig into it further.
Some data below:
Code:
R-002#sh proc cpu history
R-002 09:58:18 AM Tuesday Dec 30 2014 UTC
12222222222 22222555558888887777999997777777777666667777
200000444448888811111333334444449999000003333311111000007777
100
90 *****
80 *************** ****
70 ************************* ****
60 **********************************
50 ***************************************
40 ***************************************
30 ***************************************
20 ********** ********************************************
10 ************************************************************
0....5....1....1....2....2....3....3....4....4....5....5....6
0 5 0 5 0 5 0 5 0 5 0
CPU% per second (last 60 seconds)
897592 35122421324338535441776778998889988888877876688888888
829208780834626216033285184553862990630016719006192455728247
100 **
90 ** * ** * ** ** * *** * *
80 *** * * ** ***##*#*##*####* *** **#*##*#
70 #** * * ** #*#############**### ########
60 #** * * * *#*##############################
50 ##*** * * * ** * * *################################
40 ###** ** * * ****** *################################
30 ###*#* ** * * *######## *################################
20 #####* ##***#****######### *################################
10 ##########################*#################################
0....5....1....1....2....2....3....3....4....4....5....5....6
0 5 0 5 0 5 0 5 0 5 0
CPU% per minute (last 60 minutes)
* = maximum CPU% # = average CPU%
973534343765947849999999884455557575444544425774545548443453454444353526
584378886590940298999692225001169203668360368067290258178118826416741247
100 * * ******
90 * * ******* *
80 ** * * * ********* * * *
70 ** ** * ** **#****** * * ** * *
60 #* ** * ** *###***** ** * *** * *
50 #* * * * **** ****###*#**** ************* ********** * * *** * * * *
40 #* ***************###*#******************** ************************ * *
30 ##****************###*#*********************************************** *
20 ##***************########***********************************************
10 ##***************#########******#***************************************
0....5....1....1....2....2....3....3....4....4....5....5....6....6....7..
0 5 0 5 0 5 0 5 0 5 0 5 0
CPU% per hour (last 72 hours)
* = maximum CPU% # = average CPU%
R-002#
The unknown protocol drops are mostly the CDP that the operator's equipment sends out.
Code:
R-002#sh int fa 0/0
FastEthernet0/0 is up, line protocol is up
Hardware is Gt96k FE, address is ..... (bia .....)
Description: OUTSIDE 25/8
Internet address is CCC.CCC.CCC.181/24
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 10/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 1w4d
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 4181000 bits/sec, 381 packets/sec
5 minute output rate 507000 bits/sec, 225 packets/sec
129736521 packets input, 2833127475 bytes
Received 3393804 broadcasts (0 IP multicasts)
0 runts, 0 giants, 134 throttles
7829 input errors, 0 CRC, 0 frame, 1 overrun, 7827 ignored
0 watchdog
0 input packets with dribble condition detected
70298491 packets output, 1778943957 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
526959 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
R-002#
Code:
R-002#sh run
Building configuration...
Current configuration : 6716 bytes
!
! Last configuration change at 09:20:46 UTC Tue Dec 30 2014 by .....
version 15.1
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R-002
!
boot-start-marker
boot-end-marker
!
!
logging buffered 4096
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
dot11 syslog
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address XXX.XXX.10.116
ip dhcp excluded-address XXX.XXX.10.62
ip dhcp excluded-address XXX.XXX.10.100 XXX.XXX.10.149
ip dhcp excluded-address XXX.XXX.10.201 XXX.XXX.10.202
ip dhcp excluded-address XXX.XXX.10.50 XXX.XXX.10.51
ip dhcp excluded-address XXX.XXX.10.149 XXX.XXX.10.254
ip dhcp excluded-address XXX.XXX.10.14
!
ip dhcp pool DHCP-POOL-LAN
network XXX.XXX.10.0 255.255.255.0
dns-server XXX.XXX.10.254
default-router XXX.XXX.10.254
lease 0 12
!
!
!
ip cef
ip inspect name CBAC-FA0/1-IN tcp
ip inspect name CBAC-FA0/1-IN udp
ip inspect name CBAC-FA0/1-IN dns
ip inspect name CBAC-FA0/1-IN ftp
ip inspect name CBAC-FA0/1-IN ntp
ip inspect name CBAC-FA0/1-IN imap
ip inspect name CBAC-FA0/1-IN imap3
ip inspect name CBAC-FA0/1-IN imaps
ip inspect name CBAC-FA0/1-IN pop3
ip inspect name CBAC-FA0/1-IN pop3s
ip inspect name CBAC-FA0/1-IN icmp
ip inspect name CBAC-FA0/1-IN ftps
ip inspect name CBAC-FA0/1-IN http
ip inspect name CBAC-FA0/1-IN https
ip inspect name CBAC-FA0/1-IN ssh
ip inspect name CBAC-FA0/0-OUT tcp router-traffic
ip inspect name CBAC-FA0/0-OUT udp router-traffic
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint .....
!
!
crypto pki certificate chain .....
!
!
license udi pid CISCO1841 sn .....
license accept end user agreement
archive
log config
hidekeys
username .....
!
redundancy
!
!
ip ssh source-interface FastEthernet0/1
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key ..... address AAA.AAA.AAA.30 no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map CM-OUTSIDE 10 ipsec-isakmp
set peer AAA.AAA.AAA.30
set ip access-group ACL-VPN-S2S-R003-FILTER-IN in
set security-association lifetime kilobytes 1048576
set security-association lifetime seconds 28800
set transform-set ESP-3DES-SHA
set pfs group2
match address ACL-VPN-S2S-R003
qos pre-classify
!
!
!
!
!
interface FastEthernet0/0
description OUTSIDE 25/8
mac-address .....
ip address dhcp
ip access-group ACL-ACG-FA0/0-IN in
ip inspect CBAC-FA0/0-OUT out
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
crypto map CM-OUTSIDE
!
interface FastEthernet0/1
description INSIDE
ip address XXX.XXX.10.254 255.255.255.0
ip access-group ACL-ACG-FA0/1-IN in
ip inspect CBAC-FA0/1-IN in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns view default
dns forwarder 8.8.8.8
dns forwarder 8.8.4.4
ip dns server
no ip nat service sip udp port 5060
ip nat inside source list ACL-NAT-INSIDE interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 dhcp
!
ip access-list extended ACL-ACG-FA0/0-IN
permit udp any eq bootps any eq bootpc
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip any host 255.255.255.255
deny ip any host CCC.CCC.CCC.255
permit ip host AAA.AAA.AAA.30 any
permit ip BBB.BBB.BBB.0 0.0.0.255 any
deny ip any any log
ip access-list extended ACL-ACG-FA0/1-IN
permit udp any eq bootpc any eq bootps
permit ip XXX.XXX.10.0 0.0.0.255 YYY.YYY.5.0 0.0.0.255
deny ip any YYY.YYY.5.0 0.0.0.255 log
permit udp XXX.XXX.10.0 0.0.0.255 host XXX.XXX.10.254 eq domain
permit tcp XXX.XXX.10.0 0.0.0.255 host XXX.XXX.10.254 eq domain
permit udp host XXX.XXX.10.62 any eq domain
permit tcp host XXX.XXX.10.62 any eq domain
deny udp any any eq domain log
deny tcp any any eq domain log
permit ip XXX.XXX.10.0 0.0.0.255 any
deny ip any any log
ip access-list extended ACL-NAT-INSIDE
deny ip XXX.XXX.10.0 0.0.0.255 YYY.YYY.0.0 0.0.255.255
permit ip XXX.XXX.10.0 0.0.0.255 any
ip access-list extended ACL-VPN-S2S-R003
permit ip XXX.XXX.10.0 0.0.0.255 YYY.YYY.5.0 0.0.0.255
ip access-list extended ACL-VPN-S2S-R003-FILTER-IN
permit ip YYY.YYY.5.0 0.0.0.255 host XXX.XXX.10.14
permit ip YYY.YYY.5.0 0.0.0.255 host XXX.XXX.10.62
permit ip YYY.YYY.5.0 0.0.0.255 host XXX.XXX.10.116
permit ip YYY.YYY.5.0 0.0.0.255 host XXX.XXX.10.201
permit ip YYY.YYY.5.0 0.0.0.255 host XXX.XXX.10.202
permit icmp YYY.YYY.5.0 0.0.0.255 XXX.XXX.10.0 0.0.0.255 echo
deny ip any any log
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
logging synchronous
transport preferred none
transport input ssh
line vty 5 15
logging synchronous
transport preferred none
transport input ssh
!
scheduler allocate 20000 1000
end
R-002#