Hello colleagues,

I want to configure CBAC on a Cisco 2620 with the following interfaces (I 
have also attached a drawing of the network):

FastEthernet0/0
ip address 192.168.19.2/24

FastEthernet0/0.2
ip address 10.33.128.2/19

FastEthernet0/0.3
ip address 192.168.14.2/24

FastEthernet0/0.4
ip address 193.67.42.194/26

Here are the conditions that I want to meet:

1) 192.168.19.0/24, 10.33.128.0/19, 192.168.14.0/24 should be denied access 
to 193.67.42.192/26
2) ICMP control traffic from 192.168.19.0/24, 10.33.128.0/19, 
192.168.14.0/24 to 193.67.42.192/26 should be allowed
3) 193.67.42.192/26 must have unrestricted access to 192.168.19.0/24, 
10.33.128.0/19, 192.168.14.0/24
4) Return traffic to 193.67.42.192/26 from all locations (also to 
192.168.19.0/24, 10.33.128.0/19, 192.168.14.0/24) must be inspected by CBAC
5) Inbound traffic from Serial0 to 192.168.19.0/24, 10.33.128.0/19, 
192.168.14.0/24 must be unrestricted, inbound traffic from Serial0 to 
193.67.42.192/26 must be inspected by CBAC

Here is the config I have come up with:

!
version 12.0
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!

!
logging buffered 10000 debugging
aaa new-model
aaa authentication login vty-access group tacacs+ line enable
aaa authentication login console group tacacs+ line enable
aaa authentication enable default group tacacs+ enable
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
enable secret 5 $1$R01/$R/DrSZ6e00rjUJ8NcSdLo1
enable password 7 1534041E107E2525
!
!
!
!
!
memory-size iomem 10
clock timezone cet 1
clock summer-time cet recurring last Sun Mar 3:00 last Sun Oct 3:00
no ip subnet-zero
ip domain-name capgemini.nl
ip name-server 10.32.64.32
!
ip audit notify log
ip audit po max-events 100
ipx routing 0030.1955.1860
!
ip inspect name beheerfw cuseeme timeout 3600
ip inspect name beheerfw ftp timeout 3600
ip inspect name beheerfw rcmd timeout 3600
ip inspect name beheerfw realaudio timeout 3600
ip inspect name beheerfw smtp timeout 3600
ip inspect name beheerfw tftp timeout 30
ip inspect name beheerfw udp timeout 15
ip inspect name beheerfw tcp timeout 3600
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.19.2 255.255.255.0
no ip redirects
no ip directed-broadcast
no ip proxy-arp
keepalive 3
speed 100
full-duplex
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 10.33.128.2 255.255.224.0
no ip directed-broadcast
ipx encapsulation NOVELL-ETHER
!
interface FastEthernet0/0.3
encapsulation dot1Q 502
ip address 192.168.14.2 255.255.255.0
no ip directed-broadcast
!
interface FastEthernet0/0.4
encapsulation dot1Q 4
ip address 193.67.42.194 255.255.255.192
no ip directed-broadcast
ip inspect beheerfw out
ip access-group 102 in
ipx encapsulation NOVELL-ETHER
!
interface Serial0/0
bandwidth 2048
ip address 10.36.96.2 255.255.224.0
no ip redirects
no ip directed-broadcast
no ip proxy-arp
no ip route-cache
no ip mroute-cache
no keepalive
!
router rip
network 10.0.0.0
network 192.168.14.0
network 192.168.19.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.36.96.1
no ip http server
!
!
dialer-list 1 protocol ip permit
access-list 102 permit icmp any any echo-reply log
access-list 102 permit icmp any any time-exceeded log
access-list 102 permit icmp any any packet-too-big log
access-list 102 permit icmp any any traceroute
access-list 102 permit icmp any any unreachable
access-list 102 deny ip 192.168.19.0 0.0.0.255 193.67.42.192 0.0.0.63 log
access-list 102 deny ip 10.33.128.0 0.0.31.255 193.67.42.192 0.0.0.63 log
access-list 102 deny ip 192.168.14.0 0.0.0.255 193.67.42.192 0.0.0.63 log
access-list 102 deny ip any host 255.255.255.255 log
access-list 102 deny ip any any log
snmp-server engineID local 000000090200003019551860
snmp-server community 8xYchi9 RW 25
snmp-server community public view v1default RO
snmp-server host 193.78.95.57 public
snmp-server host 194.229.160.67 public
!
!
!
tacacs-server host 194.229.163.68
tacacs-server key GHosa7X
!
!
line con 0
password 7 09681F081700
login authentication console
transport input none
line aux 0
line vty 0 4
password 7 0222555A0503
login authentication vty-access
!
ntp clock-period 17180275
ntp server 10.32.32.33
end

I am not sure if I am missing a major concept here. I appreciate your help. 
Thanks in advance.




[GroupStudy.com removed an attachment of type image/gif which had a name of
CBAC.gif]
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=4508&t=4508
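Added example, not part of the original post or of any Cisco tooling: a small Python evaluator for Cisco extended ACLs that applies wildcard-mask matching the way IOS does (a 1 bit in the wildcard means "don't care"). It parses the access-list 102 lines from the post, converts prefix lengths to wildcard masks, and runs a few constructed packets through the list in both directions, so you can see which entry each packet hits and how a /19 looks as a wildcard (0.0.31.255, not 0.0.0.255). The sample addresses are made up for illustration; only the constructs the posted ACL uses are handled (permit/deny, ip/icmp/tcp/udp, any / host / address+wildcard, an ICMP type keyword, trailing log). Port qualifiers such as eq or range are not implemented.

```python
"""Cisco extended-ACL evaluator with wildcard-mask matching (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

Addr = Tuple[str, str]  # (base address, wildcard mask)


def prefix_to_wildcard(prefix_len: int) -> str:
    """Cisco wildcard mask for a CIDR prefix length: the bitwise inverse of the netmask."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under the wildcard; 1 bits in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


@dataclass
class Ace:
    action: str               # permit / deny
    proto: str                # ip / icmp / tcp / udp ("ip" matches every protocol)
    src: Addr
    dst: Addr
    qualifier: Optional[str]  # ICMP type keyword such as echo-reply, or None


def _parse_addr(tokens: List[str], i: int):
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list N permit|deny PROTO SRC DST [ICMP-TYPE] [log]' line."""
    t = line.split()
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    rest = [x for x in t[i:] if x != "log"]  # 'log' never affects matching
    return Ace(action, proto, src, dst, rest[0] if rest else None)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def evaluate(acl: List[Ace], src: str, dst: str, proto: str,
             icmp_type: Optional[str] = None):
    """(action, index) of the first matching ACE; ('deny', None) is the implicit deny."""
    for idx, ace in enumerate(acl):
        if ace.proto not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst)):
            continue
        if ace.proto == "icmp" and ace.qualifier and ace.qualifier != icmp_type:
            continue
        return ace.action, idx
    return "deny", None


# access-list 102 exactly as posted in the thread
ACL_102_TEXT = """
access-list 102 permit icmp any any echo-reply log
access-list 102 permit icmp any any time-exceeded log
access-list 102 permit icmp any any packet-too-big log
access-list 102 permit icmp any any traceroute
access-list 102 permit icmp any any unreachable
access-list 102 deny ip 192.168.19.0 0.0.0.255 193.67.42.192 0.0.0.63 log
access-list 102 deny ip 10.33.128.0 0.0.0.255 193.67.42.192 0.0.0.63 log
access-list 102 deny ip 192.168.14.0 0.0.0.255 193.67.42.192 0.0.0.63 log
access-list 102 deny ip any host 255.255.255.255 log
access-list 102 deny ip any any log
"""
ACL_102 = parse_acl(ACL_102_TEXT)

# Same list with the 10.33.128.0 entry masked as the /19 the requirements describe
ACL_102_FIXED = parse_acl(ACL_102_TEXT.replace(
    "10.33.128.0 0.0.0.255", f"10.33.128.0 {prefix_to_wildcard(19)}"))

# Constructed sample packets: (src, dst, proto, icmp type), both directions on Fa0/0.4
SAMPLES = {
    "echo-reply from the /26 to the 192.168.19.0 LAN": ("193.67.42.200", "192.168.19.10", "icmp", "echo-reply"),
    "tcp from a 10.33.130.x host to the /26": ("10.33.130.1", "193.67.42.200", "tcp", None),
    "tcp from the /26 to the 192.168.19.0 LAN (the direction 'in' on Fa0/0.4 sees)": ("193.67.42.200", "192.168.19.10", "tcp", None),
    "echo request from the 192.168.19.0 LAN to the /26": ("192.168.19.10", "193.67.42.200", "icmp", "echo"),
}

if __name__ == "__main__":
    print("/19 as a wildcard mask:", prefix_to_wildcard(19))
    for label, pkt in SAMPLES.items():
        print(f"{label}: posted -> {evaluate(ACL_102, *pkt)}, /19 mask -> {evaluate(ACL_102_FIXED, *pkt)}")
```

Run it and compare the two results per packet: a 10.33.130.x source falls through to the final deny any any with the posted 0.0.0.255 mask and hits the intended 10.33.128.0 entry only with 0.0.31.255, and any non-ICMP packet sourced from the /26 lands on the last line because the list is applied in the direction those hosts send from.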