Good day!
I need help with setting up a piece of hardware.
It was left behind by an admin who has since departed, and I haven't configured one myself before.
The task is to close any holes, if there are any, optimise the config if needed, and make the mail server reachable.
Current config:
Current configuration : 4878 bytes
!
! Last configuration change at 22:24:47 NN Tue Jul 30 2013 by xx
! NVRAM config last updated at 22:24:50 NN Tue Jul 30 2013 by xx
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CISCO891
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
!
clock timezone NN 7 0
no ip source-route
!
!
!
ip dhcp excluded-address 192.168.10.1
!
!
ip cef
no ip bootp server
ip domain name XYZ.local
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip name-server 8.8.8.8
ip inspect name INSPECT_OUT dns
ip inspect name INSPECT_OUT ntp
ip inspect name INSPECT_OUT tcp router-traffic
ip inspect name INSPECT_OUT udp router-traffic
ip inspect name INSPECT_OUT http
ip inspect name INSPECT_OUT https
ip inspect name INSPECT_OUT ftp
ip inspect name INSPECT_OUT sip
ip inspect name INSPECT_OUT icmp router-traffic
no ipv6 cef
!
multilink bundle-name authenticated
crypto pki token default removal timeout 0
!
!
license udi pid CISCO891-K9 sn XXXXXXXXX
!
!
archive
log config
logging enable
hidekeys
username root privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
class-map match-any CCP-Transactional-1
match dscp af21
match dscp af22
match dscp af23
class-map match-any CCP-Voice-1
match dscp ef
class-map match-any CCP-Routing-1
match dscp cs6
class-map match-any CCP-Signaling-1
match dscp cs3
match dscp af31
class-map match-any CCP-Management-1
match dscp cs2
!
!
policy-map CCP-QoS-Policy-1
class CCP-Voice-1
priority percent 20
police cir 512000
conform-action transmit
exceed-action drop
class CCP-Signaling-1
bandwidth percent 5
police cir 64000
conform-action transmit
exceed-action drop
class CCP-Routing-1
bandwidth percent 5
police cir 64000
conform-action transmit
exceed-action drop
class CCP-Management-1
bandwidth percent 5
police cir 32000
conform-action transmit
exceed-action drop
class CCP-Transactional-1
bandwidth percent 5
police cir 32000
conform-action transmit
exceed-action drop
class class-default
fair-queue
random-detect
police cir 1024000
conform-action transmit
exceed-action drop
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
description === INTERNET ===
ip address aaa.bbb.ccc.38 255.255.255.224
ip access-group FIREWALL in
no ip redirects
no ip proxy-arp
ip mtu 1492
ip flow ingress
ip nat outside
ip inspect INSPECT_OUT out
no ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
no cdp enable
service-policy output CCP-QoS-Policy-1
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
description === LAN ===
ip address 192.168.10.1 255.255.255.0
ip accounting output-packets
ip mtu 1492
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
!
interface Async1
no ip address
encapsulation slip
shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip dns server
no ip nat service sip udp port 5060
ip nat inside source list NAT interface FastEthernet8 overload
ip nat inside source static udp 192.168.10.4 5060 interface FastEthernet8 5060
ip nat inside source static tcp 192.168.10.5 995 interface FastEthernet8 995
ip nat inside source static tcp 192.168.10.5 993 interface FastEthernet8 993
ip nat inside source static tcp 192.168.10.5 25 interface FastEthernet8 25
ip route 0.0.0.0 0.0.0.0 aaa.bbb.ccc.33
!
ip access-list extended FIREWALL
deny ip host 0.0.0.0 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip host 255.255.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip any host 112.25.138.20
deny ip host 112.25.138.20 any
deny udp 112.25.0.0 0.0.255.255 host 192.168.10.4 eq 5060
deny tcp 112.25.0.0 0.0.255.255 host 192.168.10.4
deny ip 112.0.0.0 0.255.255.255 any
permit tcp any host aaa.bbb.ccc.38 eq www
permit tcp any host aaa.bbb.ccc.38 eq 443
permit udp any host aaa.bbb.ccc.38 eq 5060
permit tcp any host aaa.bbb.ccc.38 eq 993
permit tcp any host aaa.bbb.ccc.38 eq 995
permit tcp any host aaa.bbb.ccc.38 eq smtp
deny ip any any
ip access-list extended NAT
permit ip 192.168.10.0 0.0.0.255 any
!
logging esm config
!
!
!
!
!
!
!
control-plane
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
ntp update-calendar
ntp server 192.168.10.2 prefer source FastEthernet0
end

Where:
aaa.bbb.ccc.38 - the router's external IP address
192.168.10.4 - Asterisk (the IP PBX)
192.168.10.5 - MS Exchange Server 2013
192.168.10.2 - the DC, DNS, DHCP and NTP server of the internal network
112.25.138.20 - an IP from which someone once tried to break into Asterisk
aaa.bbb.ccc.33 - the provider's gateway
For Exchange to work correctly the following ports are needed:
80
443
993
995
25
I don't know whether 53 is needed or not
The Exchange Server is plugged into the shared switch that the router is also connected to (in case that information is needed).
From the internal network, telnet connects to port 25; from outside it doesn't (((
Mail isn't flowing.
What's the catch here?