! Listing 8.29: Router External #2 configuration including typical
!   protective features and access lists for an external router
!   attaching to the Internet
!
! Copyright (C) 2001 by Vincent C Jones. All Rights Reserved.
!
! Revision History:
!   1 Jul 2001: Missing IP address on interface Serial2/0.
!               Unneeded "default-information originate" deleted.
!
version 11.0
!
no service finger
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname External_2
!
enable secret
!
no ip bootp server
ip subnet-zero
no ip source-route
no ip domain-lookup
!
interface Loopback0
 description Target address for IBGP neighboring
 ip address 192.168.0.2 255.255.255.255
!
interface FastEthernet0/0
 description No Man's Land LAN #1
 ip address 100.0.0.34 255.255.255.224
 ip access-group 193 in
 no ip redirects
 no ip directed-broadcast
 ip ospf message-digest-key 100 md5 LongStrongKey
!
interface FastEthernet1/0
 description No Man's Land LAN #2
 ip address 101.0.0.33 255.255.255.224
 ip access-group 193 in
 no ip redirects
 no ip directed-broadcast
 ip ospf message-digest-key 100 md5 LongStrongKey
!
interface Serial2/0
 description Link to the ISP providing 101.0.0.0/24
 ip address 120.0.0.1 255.255.255.252
 ip access-group 191 in
 ip access-group 192 out
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 bandwidth 1544
 ntp disable
!
router ospf 1
 network 100.0.0.32 0.0.0.31 area 666
 network 101.0.0.32 0.0.0.31 area 666
 network 120.0.0.0 0.0.0.3 area 666
 network 192.168.0.0 0.0.0.255 area 666
 area 666 authentication message-digest
!
router bgp 60000
 no synchronization
 network 100.0.0.0 mask 255.255.255.0
 network 101.0.0.0 mask 255.255.255.0
 aggregate-address 120.0.0.0 255.255.255.252 summary-only
 redistribute connected
 neighbor 120.0.0.2 remote-as 55555
 neighbor 120.0.0.2 version 4
 neighbor 120.0.0.2 filter-list 10 out
 neighbor 192.168.0.1 remote-as 60000
 neighbor 192.168.0.1 update-source Loopback0
 neighbor 192.168.0.1 version 4
 neighbor 192.168.0.1 password SamePasswordAsOnPeer
 no auto-summary
!
ip classless
ip default-network 192.41.177.0   ! MAE-East
ip default-network 198.32.200.0   ! MAE-West
!
ip route 100.0.0.0 255.255.255.0 Null0
ip route 100.0.0.8 255.255.255.248 100.0.0.46
ip route 100.0.0.16 255.255.255.240 100.0.0.46
ip route 100.0.0.64 255.255.255.192 100.0.0.46
ip route 101.0.0.0 255.255.255.0 Null0
ip route 101.0.0.8 255.255.255.248 101.0.0.46
ip route 101.0.0.16 255.255.255.240 101.0.0.46
ip route 101.0.0.64 255.255.255.192 101.0.0.46
!
no ip http server
! 11.2 default
ip as-path access-list 10 permit ^(_60000)*$
no logging buffered
no logging console
logging trap debugging
logging 100.0.0.9
logging 101.0.0.9
!
! Filter to block all access
access-list 90 deny any
! Filter defining systems allowed telnet access
access-list 91 permit 100.0.0.10
access-list 91 permit 101.0.0.10
! Filter defining systems allowed SNMP access
access-list 92 permit 100.0.0.11
access-list 92 permit 101.0.0.11
!
! Definition of acceptable traffic from the Internet
access-list 191 deny ip 192.168.0.0 0.0.255.255 any log
access-list 191 deny ip 172.16.0.0 0.15.255.255 any log
access-list 191 deny ip 10.0.0.0 0.255.255.255 any log
access-list 191 deny ip 127.0.0.0 0.255.255.255 any log
access-list 191 deny ip 255.0.0.0 0.255.255.255 any log
access-list 191 deny ip 224.0.0.0 7.255.255.255 any log
access-list 191 deny ip host 0.0.0.0 any log
access-list 191 deny ip 100.0.0.0 0.0.0.255 any log
access-list 191 deny ip 101.0.0.0 0.0.0.255 any log
access-list 191 deny ip 110.0.0.0 0.0.0.3 any log
access-list 191 permit ip host 120.0.0.2 100.0.0.8 0.0.0.7
access-list 191 permit ip host 120.0.0.2 101.0.0.8 0.0.0.7
access-list 191 deny ip 120.0.0.0 0.0.0.3 any log
access-list 191 deny ip any host 100.0.0.34 log
access-list 191 deny ip any host 101.0.0.33 log
access-list 191 deny ip any 100.0.0.8 0.0.0.7 log
access-list 191 deny ip any 101.0.0.8 0.0.0.7 log
access-list 191 permit ip any 100.0.0.0 0.0.0.255
access-list 191 permit ip any 101.0.0.0 0.0.0.255
access-list 191 deny ip any any log
!
! Definition of acceptable traffic to the Internet
access-list 192 deny ip any 192.168.0.0 0.0.255.255 log
access-list 192 deny ip any 172.16.0.0 0.15.255.255 log
access-list 192 deny ip any 10.0.0.0 0.255.255.255 log
access-list 192 deny ip host 100.0.0.34 any log
access-list 192 deny ip host 101.0.0.33 any log
access-list 192 permit ip 100.0.0.8 0.0.0.7 host 110.0.0.2
access-list 192 permit ip 101.0.0.8 0.0.0.7 host 110.0.0.2
access-list 192 deny ip 100.0.0.8 0.0.0.7 any log
access-list 192 deny ip 101.0.0.8 0.0.0.7 any log
access-list 192 permit ip 100.0.0.0 0.0.0.255 any
access-list 192 permit ip 101.0.0.0 0.0.0.255 any
access-list 192 deny ip any any log
!
! Definition of acceptable traffic from the inside
access-list 193 permit ip 100.0.0.8 0.0.0.7 host 100.0.0.34
access-list 193 permit ip 101.0.0.8 0.0.0.7 host 101.0.0.33
access-list 193 permit ospf host 100.0.0.33 host 224.0.0.5
access-list 193 permit ospf host 101.0.0.34 host 224.0.0.5
access-list 193 permit ospf host 100.0.0.33 host 100.0.0.34
access-list 193 permit ospf host 101.0.0.34 host 101.0.0.33
access-list 193 permit tcp host 192.168.0.1 host 192.168.0.2 eq 179
access-list 193 permit tcp host 192.168.0.1 eq 179 host 192.168.0.2 established
access-list 193 deny ip any 100.0.0.0 0.0.0.255 log
access-list 193 deny ip any 101.0.0.0 0.0.0.255 log
access-list 193 permit ip 100.0.0.8 0.0.0.7 host 120.0.0.1
access-list 193 permit ip 101.0.0.8 0.0.0.7 host 120.0.0.1
access-list 193 permit ip 100.0.0.8 0.0.0.7 host 120.0.0.2
access-list 193 permit ip 101.0.0.8 0.0.0.7 host 120.0.0.2
access-list 193 deny ip any 110.0.0.0 0.0.0.3 log
access-list 193 deny ip any 120.0.0.0 0.0.0.3 log
access-list 193 deny ip 100.0.0.8 0.0.0.7 any log
access-list 193 deny ip 101.0.0.8 0.0.0.7 any log
access-list 193 permit ip 100.0.0.0 0.0.0.255 any
access-list 193 permit ip 101.0.0.0 0.0.0.255 any
access-list 193 deny ip any any log
!
no cdp run
!
snmp-server community AccessCommunity RO 92
snmp-server trap-authentication
snmp-server enable traps
snmp-server host 100.0.0.11 TrapCommunity
snmp-server host 101.0.0.11 TrapCommunity
!
line con 0
 transport input none
!
line aux 0
 access-class 90 in
 transport input none
!
line vty 0 4
 login
 password PickAGoodOne
 access-class 91 in
!
end
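To see what the inbound filter on Serial2/0 actually does to concrete packets, here is an added Python example (not part of the book's listing) that evaluates access-list 191 with IOS first-match and wildcard-mask semantics. The rule text is copied from the listing; the `check()` helper and the sample source/destination addresses it is run against are the example's own.

```python
from ipaddress import IPv4Address

# access-list 191 from Listing 8.29 (inbound on Serial2/0), copied verbatim from the listing.
ACL_191 = """\
access-list 191 deny ip 192.168.0.0 0.0.255.255 any log
access-list 191 deny ip 172.16.0.0 0.15.255.255 any log
access-list 191 deny ip 10.0.0.0 0.255.255.255 any log
access-list 191 deny ip 127.0.0.0 0.255.255.255 any log
access-list 191 deny ip 255.0.0.0 0.255.255.255 any log
access-list 191 deny ip 224.0.0.0 7.255.255.255 any log
access-list 191 deny ip host 0.0.0.0 any log
access-list 191 deny ip 100.0.0.0 0.0.0.255 any log
access-list 191 deny ip 101.0.0.0 0.0.0.255 any log
access-list 191 deny ip 110.0.0.0 0.0.0.3 any log
access-list 191 permit ip host 120.0.0.2 100.0.0.8 0.0.0.7
access-list 191 permit ip host 120.0.0.2 101.0.0.8 0.0.0.7
access-list 191 deny ip 120.0.0.0 0.0.0.3 any log
access-list 191 deny ip any host 100.0.0.34 log
access-list 191 deny ip any host 101.0.0.33 log
access-list 191 deny ip any 100.0.0.8 0.0.0.7 log
access-list 191 deny ip any 101.0.0.8 0.0.0.7 log
access-list 191 permit ip any 100.0.0.0 0.0.0.255
access-list 191 permit ip any 101.0.0.0 0.0.0.255
access-list 191 deny ip any any log
"""
_ip = lambda s: int(IPv4Address(s))  # dotted quad -> 32-bit integer

def _spec(t):
    # One IOS address spec: 'any', 'host A' or 'A WILDCARD' -> (addr, wildcard, remaining tokens)
    if t[0] == "any": return 0, 0xFFFFFFFF, t[1:]
    if t[0] == "host": return _ip(t[1]), 0, t[2:]
    return _ip(t[0]), _ip(t[1]), t[2:]

def parse_acl(text):
    # 'access-list N permit|deny ip SRC DST [log]' -> (action, src, swild, dst, dwild, logged)
    rules = []
    for line in text.splitlines():
        t = line.split()
        src, swild, rest = _spec(t[4:])
        dst, dwild, rest = _spec(rest)
        rules.append((t[2], src, swild, dst, dwild, "log" in rest))
    return rules

def check(src, dst, rules=parse_acl(ACL_191)):
    # First match wins. Wildcard bits set to 1 are "don't care"; bits set to 0 must agree.
    s, d = _ip(src), _ip(dst)
    for action, rs, sw, rd, dw, log in rules:
        if (s ^ rs) & ~sw & 0xFFFFFFFF == 0 and (d ^ rd) & ~dw & 0xFFFFFFFF == 0:
            return action, log
    return "deny", False  # IOS implicit deny (unreachable here: the list ends in an explicit deny)
```

Running `check("8.8.8.8", "100.0.0.70")` permits ordinary Internet traffic to the public /24, while the same source aimed at the router's own LAN address 100.0.0.34 or at the 100.0.0.8/29 management block is denied and logged; the ISP peer 120.0.0.2 reaches only that management block and nothing else.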