!
!
! Global services for an IOS 12.4 border router ("border").
version 12.4
! TCP keepalives let the router tear down dead TCP sessions (e.g. hung vty logins).
service tcp-keepalives-in
service tcp-keepalives-out
! Log/debug timestamps carry no 'msec' or 'show-timezone'; both help when
! correlating this box's logs with other sources. No 'logging host' or
! 'logging buffered' appears anywhere in this file.
service timestamps debug datetime localtime
service timestamps log datetime localtime
! Only obscures type-7 (reversible) passwords; the secrets in this file are
! type 5, which this command does not touch.
service password-encryption
no service dhcp
!
hostname border
!
boot-start-marker
boot-end-marker
!
! Type 5 (MD5-based) enable secret. Newer IOS releases offer stronger hash
! types (8/9) — use them if the platform is ever upgraded. The same hash is
! reused for the privilege-15 user 'xiaohe' below, so one password grants
! both login and enable.
enable secret 5 $1$jXfg$3OY1xeyi4OoLarvTw10AN1
!
aaa new-model
!
!
! A session is dropped after two failed login attempts.
aaa authentication attempts login 2
! Custom failure message. The delimiter is 'C'; the closing delimiter is not
! present in this dump, so the file cannot be pasted back verbatim.
aaa authentication fail-message C
The password error,Please try_again
! The username and password prompts are relabelled (apparently on purpose):
! the prompt reading "Password:" is actually the username prompt.
aaa authentication password-prompt Password-Error,try-again!
aaa authentication username-prompt Password:
! Method list used by con 0 and vty 0 4: local user database only. No
! 'default' login list is defined in this file, so any line without an
! explicit list (aux 0 below) gets the platform default — TODO confirm what
! that resolves to on this release.
aaa authentication login manage_access local
!
!
aaa session-id common
memory-size iomem 5
clock timezone gmt 8
!
!
ip cef
no ip domain lookup
! A domain name is one prerequisite for generating an RSA key and enabling
! SSH; no 'crypto key' or 'ip ssh' configuration appears in this file, and
! the vty lines below accept telnet only.
ip domain name xiaohe.com
!
!
no ip bootp server
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! Privilege-15 local user. Its hash is identical to the enable secret above,
! i.e. a single password unlocks both login and enable.
username xiaohe privilege 15 secret 5 $1$jXfg$3OY1xeyi4OoLarvTw10AN1
! Records configuration changes on the router with secrets masked. 'notify
! syslog' is not set and no syslog host is configured in this file, so the
! change log stays local to the box.
archive
log config
hidekeys
!
!
!
!
!
! Track objects follow the reachability result of IP SLA probes 1 and 2
! (defined near the end of the file); the tracked static routes further down
! are withdrawn when the matching probe fails.
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
! Traffic classes keyed on destination VLAN subnet (ACLs to-vlan10/20/30,
! defined below). 'down-2M'/'2M' and 'down-1M'/'1M' match identical ACL
! sets; they exist only so the input and output policy-maps have distinct
! class names.
class-map match-any down-2M
match access-group name to-vlan10
match access-group name to-vlan20
class-map match-any down-1M
match access-group name to-vlan30
class-map match-any 1M
match access-group name to-vlan30
class-map match-any 2M
match access-group name to-vlan10
match access-group name to-vlan20
!
!
! Single-rate policers: 2 000 000 bit/s with a 2 500 000-byte burst for the
! VLAN10/20 classes, 1 000 000 bit/s with a 1 250 000-byte burst for VLAN30;
! excess is dropped. Both policies are attached to the inside interfaces
! only — nothing rate-limits FastEthernet1/0.
policy-map traffic-control-down
class down-2M
police 2000000 2500000 conform-action transmit exceed-action drop
class down-1M
police 1000000 1250000 conform-action transmit exceed-action drop
policy-map traffic-control
class 2M
police 2000000 2500000 conform-action transmit exceed-action drop
class 1M
police 1000000 1250000 conform-action transmit exceed-action drop
!
!
!
!
!
! Loopback advertised into OSPF area 0. 1.1.1.0/24 is public (non-RFC1918)
! address space and is even listed as a "bogon" in ACL 110 below; if the
! loopback is only needed for an OSPF router ID, a private range avoids the
! collision — TODO confirm nothing depends on this address.
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
! Primary inside link toward the internal router at 192.168.0.2 (target of
! SLA probe 1); OSPF cost 100 makes it the preferred path.
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
! Destination-port worm filter on traffic arriving from the LAN side.
ip access-group DefenceVirus in
ip nat inside
ip virtual-reassembly
ip ospf cost 100
duplex auto
speed auto
! Legacy priority queueing; refers to 'priority-list 1' near the end of the file.
priority-group 1
service-policy input traffic-control
service-policy output traffic-control-down
!
! Secondary inside link toward 192.168.1.2 (target of SLA probe 2); OSPF
! cost 200 makes it the backup path. Mirrors FastEthernet0/0 otherwise.
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip access-group DefenceVirus in
ip nat inside
ip virtual-reassembly
ip ospf cost 200
duplex auto
speed auto
priority-group 1
service-policy input traffic-control
service-policy output traffic-control-down
!
! Internet-facing interface. .3 is the PAT address for the internal subnets;
! .4 serves the 'web' NAT pool and the static port forwards.
interface FastEthernet1/0
ip address 222.xx.xx.4 255.255.255.240 secondary
ip address 222.xx.xx.3 255.255.255.240
! The only inbound filter on the outside: it drops RFC1918 sources and
! permits everything else — including traffic to the router's own addresses
! (vty telnet, NTP, OSPF) and to the forwarded ports. OSPF is active on this
! subnet via 'router ospf 1' below, with no passive-interface or authentication.
ip access-group Deny_Pri_IP in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
! Unused switch ports. No 'shutdown' is shown, so they appear administratively
! up but unconfigured; shutting down unused ports is the usual hardening step
! — TODO confirm against the live device.
interface FastEthernet2/0
!
interface FastEthernet2/1
!
interface FastEthernet2/2
!
interface FastEthernet2/3
!
interface FastEthernet2/4
!
interface FastEthernet2/5
!
interface FastEthernet2/6
!
interface FastEthernet2/7
!
interface FastEthernet2/8
!
interface FastEthernet2/9
!
interface FastEthernet2/10
!
interface FastEthernet2/11
!
interface FastEthernet2/12
!
interface FastEthernet2/13
!
interface FastEthernet2/14
!
interface FastEthernet2/15
!
interface Vlan1
no ip address
!
! OSPF on all three links, including the outside subnet (the /24 wildcard
! covers the 222.xx.xx.0/28 on FastEthernet1/0). No passive-interface and no
! authentication is configured, so hellos leave the internet-facing port and
! any device on that segment could form an adjacency and inject routes.
! Mitigation available in this release: 'passive-interface FastEthernet1/0'
! (the default route there is static anyway) and MD5 area authentication
! ('area 0 authentication message-digest' + 'ip ospf message-digest-key' on
! the inside interfaces).
router ospf 1
log-adjacency-changes
redistribute connected subnets
network 1.1.1.0 0.0.0.255 area 0
network 192.168.0.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
network 222.xx.xx.0 0.0.0.255 area 0
!
! HTTP and HTTPS management interfaces disabled.
no ip http server
no ip http secure-server
!
ip forward-protocol nd
! Internal VLAN subnets via either inside router. Each set is tied to a track
! object and is withdrawn when the matching SLA probe fails. Both sets use
! the default administrative distance, so while both probes succeed both
! next-hops are installed and traffic is load-shared — TODO confirm that is
! intended rather than a primary/backup arrangement (which would need a
! higher distance on the track-2 set).
ip route 172.16.1.0 255.255.255.0 192.168.0.2 track 1
ip route 172.16.10.0 255.255.255.0 192.168.0.2 track 1
ip route 172.16.20.0 255.255.255.0 192.168.0.2 track 1
ip route 172.16.30.0 255.255.255.0 192.168.0.2 track 1
ip route 172.16.40.0 255.255.255.0 192.168.0.2 track 1
ip route 172.16.1.0 255.255.255.0 192.168.1.2 track 2
ip route 172.16.10.0 255.255.255.0 192.168.1.2 track 2
ip route 172.16.20.0 255.255.255.0 192.168.1.2 track 2
ip route 172.16.30.0 255.255.255.0 192.168.1.2 track 2
ip route 172.16.40.0 255.255.255.0 192.168.1.2 track 2
! Default route to the interface with no next-hop: on Ethernet this relies
! on the upstream device answering proxy ARP for every destination.
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
!
! PAT: lists 1-6 (the 172.16.x VLAN subnets plus both 192.168.x transit links)
! hide behind .3; list 'web' (172.16.40.0/24) hides behind .4.
ip nat pool web 222.xx.xx.4 222.xx.xx.4 netmask 255.255.255.240
ip nat pool internet 222.xx.xx.3 222.xx.xx.3 netmask 255.255.255.240
ip nat inside source list 1 pool internet overload
ip nat inside source list 2 pool internet overload
ip nat inside source list 3 pool internet overload
ip nat inside source list 4 pool internet overload
ip nat inside source list 5 pool internet overload
ip nat inside source list 6 pool internet overload
ip nat inside source list web pool web overload
! Static port forwards on .4. These publish 8080 and 2700 on .200 and FTP
! (21), HTTP (80) and RDP (3389) on .201 to every source address, because the
! outside ACL (Deny_Pri_IP) only drops spoofed private sources. FTP and RDP
! carry credentials; restrict their permitted sources in the inbound ACL on
! FastEthernet1/0, or reach them over a VPN, if the business case allows.
ip nat inside source static tcp 172.16.40.200 8080 222.xx.xx.4 8080 extendable
ip nat inside source static tcp 172.16.40.200 2700 222.xx.xx.4 2700 extendable
ip nat inside source static tcp 172.16.40.201 21 222.xx.xx.4 21 extendable
ip nat inside source static tcp 172.16.40.201 80 222.xx.xx.4 80 extendable
ip nat inside source static tcp 172.16.40.201 3389 222.xx.xx.4 3389 extendable
!
!
! Anti-spoofing filter for the outside interface: only the three RFC1918
! ranges are dropped. Packets sourced from 127/8, 0/8, 169.254/16, multicast,
! or from the router's own 222.xx.xx.0/28 are still accepted; the stricter
! bogon entries exist only in ACL 110 below, which is never applied.
ip access-list standard Deny_Pri_IP
deny 10.0.0.0 0.255.255.255
deny 172.16.0.0 0.15.255.255
deny 192.168.0.0 0.0.255.255
permit any
!
! Source list for the 'web' NAT pool (VLAN 40).
ip access-list standard web
permit 172.16.40.0 0.0.0.255
! Destination-port blocklist applied inbound on both inside interfaces. The
! ports are ones historically associated with early-2000s worms and backdoors
! (e.g. 135-139/445 and 4444, 5554, 9996). Because every entry is 'any any',
! it also blocks legitimate SMB/NetBIOS between internal subnets that transit
! this router. TCP 137-139 are denied but only UDP 135/136 are, so UDP
! 137-139 pass — TODO confirm whether that asymmetry is intended.
ip access-list extended DefenceVirus
deny tcp any any eq 27665
deny tcp any any eq 16660
deny tcp any any eq 65000
deny tcp any any eq 33270
deny tcp any any eq 39168
deny tcp any any eq 6711
deny tcp any any eq 6712
deny tcp any any eq 6776
deny tcp any any eq 6669
deny tcp any any eq 2222
deny tcp any any eq 7000
deny tcp any any eq 135
deny tcp any any eq 136
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 139
deny tcp any any eq 445
deny tcp any any eq 4444
deny tcp any any eq 5554
deny tcp any any eq 9996
deny tcp any any eq 3332
deny tcp any any eq 1068
! 455 looks like a typo for 445 (already denied above) — TODO confirm.
deny tcp any any eq 455
deny udp any any eq 31335
deny udp any any eq 27444
deny udp any any eq 135
deny udp any any eq 136
deny udp any any eq 445
deny udp any any eq 4444
permit ip any any
! Destination-subnet matches consumed by the QoS class-maps above; these
! lists are not applied to any interface directly.
ip access-list extended to-vlan10
permit ip any 172.16.10.0 0.0.0.255
ip access-list extended to-vlan20
permit ip any 172.16.20.0 0.0.0.255
ip access-list extended to-vlan30
permit ip any 172.16.30.0 0.0.0.255
! ICMP echo probes to the two inside routers, every 3 s with a 999 ms
! timeout; their reachability feeds track objects 1 and 2.
ip sla 1
icmp-echo 192.168.0.2 source-interface FastEthernet0/0
timeout 999
frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 192.168.1.2 source-interface FastEthernet0/1
timeout 999
frequency 3
ip sla schedule 2 life forever start-time now
! Source lists for NAT overload: 1-4 are the VLAN 1/10/20/30 subnets, 5-6 the
! transit links to the inside routers. VLAN 40 uses the named list 'web'.
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 2 permit 172.16.10.0 0.0.0.255
access-list 3 permit 172.16.20.0 0.0.0.255
access-list 4 permit 172.16.30.0 0.0.0.255
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 6 permit 192.168.1.0 0.0.0.255
! ACL 110 is not applied anywhere in this configuration (no 'ip access-group
! 110' on any interface, no 'access-class 110' on any line), so none of it is
! in effect. Two further problems if it is ever applied: numbered ACLs are
! evaluated top-down with first match winning, and the 'permit ip any any'
! third entry shadows every entry after it; and the bogon entries at the end
! are stored as 'remark' lines, so they are inert too. Every /8 listed below
! has since been allocated (only 198.18.0.0/15 remains reserved) — a static
! bogon list rots quickly.
access-list 110 deny udp any any eq snmptrap
access-list 110 deny udp any any eq snmp
! Shadows everything below; move it to the end if this ACL is ever applied.
access-list 110 permit ip any any
access-list 110 deny tcp any any eq telnet
access-list 110 deny tcp any any range exec cmd
access-list 110 deny tcp any any eq sunrpc
access-list 110 deny udp any any eq sunrpc
access-list 110 deny tcp any any range 135 445
access-list 110 deny tcp any any eq ftp
access-list 110 deny icmp any any echo log
access-list 110 deny icmp any any redirect log
access-list 110 deny icmp any any mask-request log
access-list 110 permit icmp any any
access-list 110 permit icmp any any echo
access-list 110 deny udp any any eq 33400
access-list 110 permit udp any any eq 33400
access-list 110 deny ip 127.0.0.0 0.255.255.255 any log
access-list 110 deny ip 192.168.0.0 0.0.255.255 any log
access-list 110 deny ip 172.16.0.0 0.15.255.255 any log
access-list 110 deny ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny ip 192.168.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 0.255.255.255 any
access-list 110 deny ip 1.0.0.0 0.255.255.255 any
access-list 110 deny ip 2.0.0.0 0.255.255.255 any
access-list 110 deny ip 5.0.0.0 0.255.255.255 any
access-list 110 deny ip 14.0.0.0 0.255.255.255 any
access-list 110 deny ip 23.0.0.0 0.255.255.255 any
access-list 110 deny ip 27.0.0.0 0.255.255.255 any
access-list 110 deny ip 31.0.0.0 0.255.255.255 any
access-list 110 deny ip 36.0.0.0 0.255.255.255 any
access-list 110 deny ip 37.0.0.0 0.255.255.255 any
access-list 110 deny ip 39.0.0.0 0.255.255.255 any
access-list 110 deny ip 42.0.0.0 0.255.255.255 any
access-list 110 deny ip 46.0.0.0 0.255.255.255 any
access-list 110 deny ip 49.0.0.0 0.255.255.255 any
access-list 110 deny ip 50.0.0.0 0.255.255.255 any
access-list 110 deny ip 100.0.0.0 0.255.255.255 any
access-list 110 deny ip 101.0.0.0 0.255.255.255 any
access-list 110 deny ip 102.0.0.0 0.255.255.255 any
access-list 110 deny ip 103.0.0.0 0.255.255.255 any
access-list 110 deny ip 104.0.0.0 0.255.255.255 any
access-list 110 deny ip 105.0.0.0 0.255.255.255 any
access-list 110 deny ip 106.0.0.0 0.255.255.255 any
access-list 110 deny ip 107.0.0.0 0.255.255.255 any
access-list 110 deny ip 175.0.0.0 0.255.255.255 any
access-list 110 deny ip 176.0.0.0 0.255.255.255 any
access-list 110 deny ip 177.0.0.0 0.255.255.255 any
access-list 110 deny ip 179.0.0.0 0.255.255.255 any
access-list 110 deny ip 181.0.0.0 0.255.255.255 any
access-list 110 deny ip 182.0.0.0 0.255.255.255 any
access-list 110 deny ip 185.0.0.0 0.255.255.255 any
access-list 110 deny ip 198.18.0.0 0.1.255.255 any
access-list 110 deny ip 223.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.0.255.255 any
! The six lines below are remarks, not entries: the deny/permit text inside
! them is never evaluated.
access-list 110 remark Other bogons deny ip 224.0.0.0 15.255.255.255 any
access-list 110 remark Other bogons deny ip 240.0.0.0 15.255.255.255 any
access-list 110 remark Other bogons deny ip 0.0.0.0 0.255.255.255 any
access-list 110 remark Other bogons deny ip 169.254.0.0 0.0.255.255 any
access-list 110 remark Other bogons deny ip 192.0.2.0 0.0.0.255 any
access-list 110 remark permit all other traffic permit ip any any
! Legacy priority queueing referenced by 'priority-group 1' on the inside
! interfaces: telnet is queued high, FTP low.
priority-list 1 protocol ip high tcp telnet
priority-list 1 protocol ip low tcp ftp
! CDP disabled globally, so platform and address details are not advertised
! to neighbours on any port.
no cdp run
!
!
!
!
! Empty stanza: no control-plane policing (CoPP) is configured, so traffic
! aimed at the router's own addresses is limited only by what the interface
! ACLs allow — on the outside, everything except RFC1918 sources.
control-plane
!
!
!
!
!
!
!
!
! MOTD banner (delimiter 'C'; the closing delimiter is missing from this
! dump). It is a welcome text rather than an authorised-use notice; a 'banner
! login' stating that access is restricted and monitored is the usual practice.
banner motd C
This Router is for xiaohe and thank you again!
!
line con 0
logging synchronous
login authentication manage_access
! aux 0 has no explicit login list (it gets the platform default) and no
! 'no exec'; if the port is unused, 'no exec' and 'transport input none'
! remove it as a login path.
line aux 0
line vty 0 4
login authentication manage_access
! Remote management is telnet only: credentials cross the internet-facing
! interface in clear text, and with no 'access-class' any source that can
! reach 222.xx.xx.3 may attempt to log in (the outside ACL permits it). No
! 'exec-timeout' is shown, so the platform default applies. Preferred in
! this release: 'transport input ssh' after 'crypto key generate rsa' (the
! domain name is already set), plus 'access-class <mgmt-acl> in' on the vty
! lines and an explicit 'exec-timeout'.
transport input telnet
!
! 'ntp clock-period' is written by the router itself; do not paste it back.
ntp clock-period 17207853
ntp source FastEthernet1/0
! Single unauthenticated public NTP server, and nothing restricts who may
! query this router's NTP service once NTP is enabled. Hardening available in
! 12.4: 'ntp authenticate' with 'ntp authentication-key' / 'ntp trusted-key',
! and 'ntp access-group' to limit peers and clients.
ntp server 129.6.15.28
!
end