設定後のコンフィグはこんな感じになりました。
細かいパラメータはこれから少しずつつめていく予定です。
≪全コンフィグ≫
ix2015(config)# show run
Current configuration : 5621 bytes
! NEC Portable Internetwork Core Operating System Software
! IX Series IX2010 (magellan-sec) Software, Version 7.3.21, RELEASE SOFTWARE
! Compiled Nov 17-Thu-2005 11:45:52 JST #2
! Current time Feb 08-Fri-2008 23:14:35 JST
!
!
hostname ix2015
timezone +09 00
!
!
username admin password hash 00000000000000000000 administrator
!
!
!
!
ntp ip enable
ntp server 210.173.160.27
ntp server 210.173.160.57
ntp server 210.173.160.87
ntp interval 3600
!
!
!
!
syslog ip host 172.16.100.1
!
!
ip route default FastEthernet0/0.1
ip route 220.210.194.0/25 FastEthernet0/0.2
ip route 220.210.195.0/26 FastEthernet0/0.2
ip route 220.210.195.64/26 FastEthernet0/0.2
ip route 220.210.196.0/25 FastEthernet0/0.2
ip route 220.210.196.128/26 FastEthernet0/0.2
ip route 220.210.197.0/25 FastEthernet0/0.2
ip route 220.210.198.0/26 FastEthernet0/0.2
ip route 220.210.199.32/27 FastEthernet0/0.2
ip route 220.210.199.64/28 FastEthernet0/0.2
ip route 220.210.199.144/28 FastEthernet0/0.2
ip route 220.210.199.160/27 FastEthernet0/0.2
ip route 220.210.199.192/27 FastEthernet0/0.2
ip route 220.210.199.200/29 FastEthernet0/0.2
ip dhcp enable
ip access-list management permit ip src 172.16.100.0/24 dest any
ip access-list all-forward permit ip src any dest any
ip access-list nbt-block deny tcp src any sport any dest any dport range 137 139
ip access-list nbt-block deny udp src any sport any dest any dport range 137 139
ip access-list nbt-block deny tcp src any sport any dest any dport eq 445
ip access-list nbt-block deny udp src any sport any dest any dport eq 445
ip access-list specialuse deny ip src 0.0.0.0/8 dest any
ip access-list specialuse deny ip src 10.0.0.0/8 dest any
ip access-list specialuse deny ip src 172.16.0.0/12 dest any
ip access-list specialuse deny ip src 192.168.0.0/16 dest any
ip access-list specialuse deny ip src 127.0.0.0/8 dest any
ip access-list specialuse deny ip src 169.254.0.0/16 dest any
ip access-list specialuse deny ip src 192.0.2.0/24 dest any
ip access-list specialuse deny ip src 224.0.0.0/3 dest any
ip access-list drop_prxychk deny tcp src 218.41.48.139/32 sport any dest any dport eq 80
ip access-list guest-in deny ip src any dest 172.16.0.0/16
ip access-list guest-in permit ip src any dest any
ip ufs-cache max-entries 20000
ip ufs-cache enable
!
!
!
!
snmp-agent ip enable
snmp-agent ip community public management
!
!
dns cache enable
!
proxy-dns ip enable
proxy-dns ip query-interval 1
proxy-dns interface FastEthernet0/0.1 priority 200
!
telnet-server ip enable
telnet-server ip access-list management
!
!
!
!
!
!
!
!
ppp profile flets-square
authentication myname guest@flets
authentication password guest@flets guest
!
ppp profile internet
authentication myname hogehoge@hoge.ne.jp
authentication password hogehoge@hoge.ne.jp ISP-Password
!
ip dhcp profile dhcp_guest
assignable-range 192.168.10.201 192.168.10.220
subnet-mask 255.255.255.0
dns-server 192.168.10.254
!
ip dhcp profile dhcp_local
assignable-range 172.16.100.201 172.16.100.220
subnet-mask 255.255.255.0
dns-server 172.16.100.254
!
class-map match-any ch_class1
match input-interface FastEthernet0/1.0 high
match local-generate-packet high
match any low
!
policy-map qos-policy1
class ch_class1
class class-local
class class-default
!
device FastEthernet0/0
!
device FastEthernet0/1
!
device FastEthernet1/0
!
device BRI1/0
isdn switch-type hsd128k
!
interface FastEthernet0/0.0
no ip address
no shutdown
!
interface FastEthernet0/1.0
description LOCAL-NET
ip address 172.16.100.254/24
ip dhcp binding dhcp_local
no shutdown
!
interface FastEthernet1/0.0
description GUEST
ip address 192.168.10.254/24
ip dhcp binding dhcp_guest
ip filter guest-in 100 in
no shutdown
!
interface BRI1/0.0
encapsulation ppp
no auto-connect
no ip address
shutdown
!
interface FastEthernet0/0.1
description PPPoE_ISP
encapsulation pppoe
auto-connect
ppp binding internet
ip address ipcp
ip mtu 1454
ip tcp adjust-mss 1414
ip napt enable
ip napt translation max-entries 30000
ip napt service http 172.16.100.1 none tcp 80
ip napt service ping 172.16.100.1 none icmp any
ip napt service SSH 172.16.100.1 none tcp 22
ip napt service SMTP 172.16.100.1 none tcp 25
ip napt service SMTP-587 172.16.100.1 none tcp 587
ip napt service IMAP4-SSL 172.16.100.1 none tcp 993
ip napt service LimeCHAT_FT 172.16.100.10 none tcp 1096
ip napt service MSNMessenger_APWB 172.16.100.10 none tcp 1503
ip napt service MSNMessenger_FT 172.16.100.10 none tcp 6891-6900
ip filter nbt-block 10 in
ip filter specialuse 20 in
ip filter drop_proxychk 100 in
ip filter all-forward 65000 in
ip filter nbt-block 10 out
ip filter all-forward 65000 out
service-policy enable
service-policy output qos-policy1
no shutdown
!
interface FastEthernet0/0.2
description PPPoE_FLETS-SQUARE
encapsulation pppoe
auto-connect
ppp binding flets-square
ip address ipcp
ip mtu 1454
ip tcp adjust-mss 1414
ip napt enable
ip filter nbt-block 10 in
ip filter specialuse 20 in
ip filter all-forward 65000 in
ip filter nbt-block 10 out
ip filter all-forward 65000 out
no shutdown
!
interface Loopback0.0
no ip address
!
interface Null0.0
no ip address
ix2015(config)#
細かいパラメータはこれから少しずつつめていく予定です。
≪全コンフィグ≫
ix2015(config)# show run
Current configuration : 5621 bytes
! NEC Portable Internetwork Core Operating System Software
! IX Series IX2010 (magellan-sec) Software, Version 7.3.21, RELEASE SOFTWARE
! Compiled Nov 17-Thu-2005 11:45:52 JST #2
! Current time Feb 08-Fri-2008 23:14:35 JST
!
!
hostname ix2015
timezone +09 00
!
!
username admin password hash 00000000000000000000 administrator
!
!
!
!
ntp ip enable
ntp server 210.173.160.27
ntp server 210.173.160.57
ntp server 210.173.160.87
ntp interval 3600
!
!
!
!
syslog ip host 172.16.100.1
!
!
ip route default FastEthernet0/0.1
ip route 220.210.194.0/25 FastEthernet0/0.2
ip route 220.210.195.0/26 FastEthernet0/0.2
ip route 220.210.195.64/26 FastEthernet0/0.2
ip route 220.210.196.0/25 FastEthernet0/0.2
ip route 220.210.196.128/26 FastEthernet0/0.2
ip route 220.210.197.0/25 FastEthernet0/0.2
ip route 220.210.198.0/26 FastEthernet0/0.2
ip route 220.210.199.32/27 FastEthernet0/0.2
ip route 220.210.199.64/28 FastEthernet0/0.2
ip route 220.210.199.144/28 FastEthernet0/0.2
ip route 220.210.199.160/27 FastEthernet0/0.2
ip route 220.210.199.192/27 FastEthernet0/0.2
ip route 220.210.199.200/29 FastEthernet0/0.2
ip dhcp enable
ip access-list management permit ip src 172.16.100.0/24 dest any
ip access-list all-forward permit ip src any dest any
ip access-list nbt-block deny tcp src any sport any dest any dport range 137 139
ip access-list nbt-block deny udp src any sport any dest any dport range 137 139
ip access-list nbt-block deny tcp src any sport any dest any dport eq 445
ip access-list nbt-block deny udp src any sport any dest any dport eq 445
ip access-list specialuse deny ip src 0.0.0.0/8 dest any
ip access-list specialuse deny ip src 10.0.0.0/8 dest any
ip access-list specialuse deny ip src 172.16.0.0/12 dest any
ip access-list specialuse deny ip src 192.168.0.0/16 dest any
ip access-list specialuse deny ip src 127.0.0.0/8 dest any
ip access-list specialuse deny ip src 169.254.0.0/16 dest any
ip access-list specialuse deny ip src 192.0.2.0/24 dest any
ip access-list specialuse deny ip src 224.0.0.0/3 dest any
ip access-list drop_prxychk deny tcp src 218.41.48.139/32 sport any dest any dport eq 80
ip access-list guest-in deny ip src any dest 172.16.0.0/16
ip access-list guest-in permit ip src any dest any
ip ufs-cache max-entries 20000
ip ufs-cache enable
!
!
!
!
snmp-agent ip enable
snmp-agent ip community public management
!
!
dns cache enable
!
proxy-dns ip enable
proxy-dns ip query-interval 1
proxy-dns interface FastEthernet0/0.1 priority 200
!
telnet-server ip enable
telnet-server ip access-list management
!
!
!
!
!
!
!
!
ppp profile flets-square
authentication myname guest@flets
authentication password guest@flets guest
!
ppp profile internet
authentication myname hogehoge@hoge.ne.jp
authentication password hogehoge@hoge.ne.jp ISP-Password
!
ip dhcp profile dhcp_guest
assignable-range 192.168.10.201 192.168.10.220
subnet-mask 255.255.255.0
dns-server 192.168.10.254
!
ip dhcp profile dhcp_local
assignable-range 172.16.100.201 172.16.100.220
subnet-mask 255.255.255.0
dns-server 172.16.100.254
!
class-map match-any ch_class1
match input-interface FastEthernet0/1.0 high
match local-generate-packet high
match any low
!
policy-map qos-policy1
class ch_class1
class class-local
class class-default
!
device FastEthernet0/0
!
device FastEthernet0/1
!
device FastEthernet1/0
!
device BRI1/0
isdn switch-type hsd128k
!
interface FastEthernet0/0.0
no ip address
no shutdown
!
interface FastEthernet0/1.0
description LOCAL-NET
ip address 172.16.100.254/24
ip dhcp binding dhcp_local
no shutdown
!
interface FastEthernet1/0.0
description GUEST
ip address 192.168.10.254/24
ip dhcp binding dhcp_guest
ip filter guest-in 100 in
no shutdown
!
interface BRI1/0.0
encapsulation ppp
no auto-connect
no ip address
shutdown
!
interface FastEthernet0/0.1
description PPPoE_ISP
encapsulation pppoe
auto-connect
ppp binding internet
ip address ipcp
ip mtu 1454
ip tcp adjust-mss 1414
ip napt enable
ip napt translation max-entries 30000
ip napt service http 172.16.100.1 none tcp 80
ip napt service ping 172.16.100.1 none icmp any
ip napt service SSH 172.16.100.1 none tcp 22
ip napt service SMTP 172.16.100.1 none tcp 25
ip napt service SMTP-587 172.16.100.1 none tcp 587
ip napt service IMAP4-SSL 172.16.100.1 none tcp 993
ip napt service LimeCHAT_FT 172.16.100.10 none tcp 1096
ip napt service MSNMessenger_APWB 172.16.100.10 none tcp 1503
ip napt service MSNMessenger_FT 172.16.100.10 none tcp 6891-6900
ip filter nbt-block 10 in
ip filter specialuse 20 in
ip filter drop_proxychk 100 in
ip filter all-forward 65000 in
ip filter nbt-block 10 out
ip filter all-forward 65000 out
service-policy enable
service-policy output qos-policy1
no shutdown
!
interface FastEthernet0/0.2
description PPPoE_FLETS-SQUARE
encapsulation pppoe
auto-connect
ppp binding flets-square
ip address ipcp
ip mtu 1454
ip tcp adjust-mss 1414
ip napt enable
ip filter nbt-block 10 in
ip filter specialuse 20 in
ip filter all-forward 65000 in
ip filter nbt-block 10 out
ip filter all-forward 65000 out
no shutdown
!
interface Loopback0.0
no ip address
!
interface Null0.0
no ip address
ix2015(config)#