show that internet traffic is blocked from ISP

    Hi
    How can I verify that traffic originating from the Internet is blocked from the ISP? The Internet is represented by Loopback 198.7.125.7 at the ISP. The firewall is deployed at s1r and e1r in the topology as shown.


    configs:

    s1r

    hostname s1r
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$UlmK$LYVNqPRA88QXc2tVvMZA01
    !
    aaa new-model
    !
    !
    !
    !
    aaa session-id common
    memory-size iomem 5
    no ip icmp rate-limit unreachable
    ip cef
    !
    !
    !
    !
    no ip domain lookup
    ip domain name kvarka.local
    login on-failure log
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    !
    username sshadmin password 7 104D000A061843
    username admin privilege 15 secret 5 $1$TISL$sBk8ixrPpvSDOA96825pn0
    archive
    log config
    hidekeys
    !
    !
    ip tcp synwait-time 5
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh version 2
    !
    class-map type inspect match-any VPN-PASS-CLASS
    match access-group name VPN-ACL
    class-map type inspect match-any IN-TO-DMZ-CLASS
    match access-group name IN-TO-DMZ-ACL
    class-map type inspect match-any DMZ-TO-IN-CLASS
    match access-group name DMZ-TO-IN-ACL
    class-map type inspect match-any IN-TO-OUT-CLASS
    match access-group name IN-TO-OUT-ACL
    class-map type inspect match-any OUT-TO-IN-CLASS
    match access-group name OUT-TO-IN-ACL
    match access-group name DC-REPLICATION
    class-map type inspect match-any OUT-TO-DMZ-CLASS
    match access-group name OUT-TO-DMZ-ACL
    class-map type inspect match-any DC-REPLICATION
    match access-group name DC-REPLICATION
    !
    !
    policy-map type inspect OUT-TO-DMZ-POLICY
    class type inspect OUT-TO-DMZ-CLASS
    inspect
    class type inspect VPN-PASS-CLASS
    pass
    class class-default
    policy-map type inspect DMZ-TO-OUT-POLICY
    class type inspect VPN-PASS-CLASS
    pass
    class class-default
    policy-map type inspect IN-TO-DMZ-POLICY
    class type inspect IN-TO-DMZ-CLASS
    pass
    class class-default
    policy-map type inspect DMZ-TO-IN-POLICY
    class type inspect DMZ-TO-IN-CLASS
    pass
    class class-default
    policy-map type inspect IN-TO-OUT-POLICY
    class type inspect IN-TO-OUT-CLASS
    inspect
    class type inspect DC-REPLICATION
    pass
    class class-default
    policy-map type inspect OUT-TO-IN-POLICY
    class type inspect OUT-TO-IN-CLASS
    inspect
    class type inspect DC-REPLICATION
    pass
    class class-default
    !
    zone security INSIDE
    zone security OUTSIDE
    zone security DMZ
    zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
    service-policy type inspect IN-TO-OUT-POLICY
    zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
    service-policy type inspect OUT-TO-DMZ-POLICY
    zone-pair security IN-TO-DMZ source INSIDE destination DMZ
    service-policy type inspect IN-TO-DMZ-POLICY
    zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
    service-policy type inspect OUT-TO-IN-POLICY
    zone-pair security DMZ-TO-IN source DMZ destination INSIDE
    service-policy type inspect DMZ-TO-IN-POLICY
    zone-pair security DMZ-TO-OUT source DMZ destination OUTSIDE
    service-policy type inspect DMZ-TO-OUT-POLICY
    !
    !
    !
    interface Loopback0
    no ip address
    !
    interface FastEthernet0/0
    description Connects to DMZ
    no ip address
    zone-member security DMZ
    duplex auto
    speed auto
    !
    interface FastEthernet0/0.30
    encapsulation dot1Q 30
    ip address 200.20.16.161 255.255.255.248
    zone-member security DMZ
    !
    interface FastEthernet0/0.100
    encapsulation dot1Q 100
    ip address 200.20.16.178 255.255.255.252
    zone-member security DMZ
    !
    interface FastEthernet0/1
    description Connects to s1s
    no ip address
    zone-member security INSIDE
    duplex auto
    speed auto
    !
    interface FastEthernet0/1.10
    encapsulation dot1Q 10
    ip address 200.20.16.1 255.255.255.192
    ip helper-address 200.20.16.131
    ip helper-address 205.205.2.131
    zone-member security INSIDE
    !
    interface FastEthernet0/1.20
    encapsulation dot1Q 20
    ip address 200.20.16.65 255.255.255.192
    ip helper-address 200.20.16.131
    ip helper-address 205.205.2.131
    zone-member security INSIDE
    !
    interface FastEthernet0/1.30
    encapsulation dot1Q 30
    ip address 200.20.16.129 255.255.255.240
    ip helper-address 200.20.16.131
    ip helper-address 205.205.2.131
    zone-member security INSIDE
    !
    interface FastEthernet0/1.40
    encapsulation dot1Q 40
    ip address 200.20.16.145 255.255.255.240
    ip helper-address 200.20.16.131
    ip helper-address 205.205.2.131
    zone-member security INSIDE
    !
    interface FastEthernet0/1.100
    encapsulation dot1Q 100
    ip address 200.20.16.174 255.255.255.252
    zone-member security INSIDE
    !
    interface Serial1/0
    description Connects to ISP
    ip address 200.20.16.169 255.255.255.252
    zone-member security OUTSIDE
    serial restart-delay 0
    !
    interface Serial1/1
    no ip address
    shutdown
    serial restart-delay 0
    !
    interface Serial1/2
    no ip address
    serial restart-delay 0
    !
    interface Serial1/3
    no ip address
    serial restart-delay 0
    !
    router ospf 1
    log-adjacency-changes
    passive-interface FastEthernet0/0
    network 10.0.0.0 0.0.255.255 area 0
    network 200.20.16.0 0.0.0.63 area 0
    network 200.20.16.64 0.0.0.63 area 0
    network 200.20.16.128 0.0.0.15 area 0
    network 200.20.16.144 0.0.0.15 area 0
    network 200.20.16.160 0.0.0.7 area 0
    network 200.20.16.168 0.0.0.3 area 0
    network 200.20.16.172 0.0.0.3 area 0
    network 200.20.16.176 0.0.0.3 area 0
    !
    !
    !
    no ip http server
    no ip http secure-server
    !
    ip access-list extended DC-REPLICATION
    permit ip 200.20.16.0 0.0.0.255 205.205.2.0 0.0.0.255
    permit ip 205.205.2.0 0.0.0.255 200.20.16.0 0.0.0.255
    ip access-list extended DMZ-TO-IN-ACL
    permit ip 200.20.16.160 0.0.0.7 200.20.16.0 0.0.0.255
    ip access-list extended IN-TO-DMZ-ACL
    permit ip any 200.20.16.160 0.0.0.7
    ip access-list extended IN-TO-OUT-ACL
    permit tcp 200.20.16.0 0.0.0.255 host 198.7.125.7 eq www
    ip access-list extended OUT-TO-DMZ-ACL
    permit ip 205.205.2.0 0.0.0.255 200.20.16.160 0.0.0.7
    permit gre any 200.20.16.160 0.0.0.7
    permit udp any 200.20.16.160 0.0.0.7
    permit tcp any 200.20.16.160 0.0.0.7 eq ftp
    permit tcp any 200.20.16.160 0.0.0.7 eq www
    permit tcp any 200.20.16.160 0.0.0.7 eq telnet
    permit tcp any 200.20.16.160 0.0.0.7 eq smtp
    permit tcp any 200.20.16.160 0.0.0.7 eq echo
    permit icmp any 200.20.16.160 0.0.0.7 echo
    permit tcp any 200.20.16.160 0.0.0.7 eq 1723
    permit esp any 200.20.16.160 0.0.0.7
    permit udp any 200.20.16.160 0.0.0.7 eq isakmp
    permit udp any 200.20.16.160 0.0.0.7 eq non500-isakmp
    permit tcp any 200.20.16.160 0.0.0.7 gt 1023 established
    ip access-list extended OUT-TO-IN-ACL
    permit icmp any 200.20.16.0 0.0.0.255 unreachable
    ip access-list extended VPN-ACL
    permit gre any any
    permit tcp any any eq 1723
    !
    logging trap debugging
    logging facility local3
    logging 200.20.16.165
    !
    !
    !
    !
    control-plane
    !
    banner motd No Unauthorized Access!
    !
    line con 0
    exec-timeout 0 0
    privilege level 15
    password 7 047802150C2E0D
    logging synchronous
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line vty 0 4
    privilege level 15
    logging synchronous
    transport input ssh
    line vty 5 15
    logging synchronous
    transport input all
    !
    ntp source Serial1/0
    ntp master
    !
    webvpn cef
    !
    end


    Pretty much the same config on e1r router except DMZ class-map etc.


    /Lars
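Before testing on the box, it helps to reason through what the zone-based firewall policy above should do with a packet from the ISP loopback. The following script is an added example, not code from the poster or from Cisco: it models the s1r policy-maps, class-maps and ACLs from the post as data and evaluates a first packet the way IOS does (first matching class in the zone-pair policy decides the action; anything that falls through to class-default is dropped; a zone pair with no policy drops everything). The inside host address 200.20.16.10 and the DMZ host 200.20.16.162 are constructed test values; port numbers are taken from the ACL keywords (www=80, ftp=21, telnet=23, smtp=25, isakmp=500, non500-isakmp=4500), and the `gt 1023 established` entry is a TCP-flag match that is deliberately left out.

```python
"""Offline model of the s1r zone-based firewall policy from the post.

Evaluates a packet against a zone-pair policy the way IOS ZBF does: the first
class (match-any over its ACLs) that matches decides the action; a packet that
reaches class-default, which has no action configured, is dropped.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Service = Union[int, str, None]


@dataclass(frozen=True)
class Packet:
    proto: str                # "tcp", "udp", "icmp", "gre", "esp"
    src: str
    dst: str
    service: Service = None   # TCP/UDP destination port, or ICMP type name


# ACL entries as (protocol, source, destination, service).  "ip" matches any
# protocol and a service of None matches any port/type.  Wildcard masks from
# the post are converted to prefix lengths (0.0.0.255 -> /24, 0.0.0.7 -> /29).
ANY = "0.0.0.0/0"
DMZ = "200.20.16.160/29"
SITE = "200.20.16.0/24"
REMOTE = "205.205.2.0/24"
ACLS = {
    "DC-REPLICATION": [("ip", SITE, REMOTE, None), ("ip", REMOTE, SITE, None)],
    "DMZ-TO-IN-ACL": [("ip", DMZ, SITE, None)],
    "IN-TO-DMZ-ACL": [("ip", ANY, DMZ, None)],
    "IN-TO-OUT-ACL": [("tcp", SITE, "198.7.125.7/32", 80)],
    "OUT-TO-IN-ACL": [("icmp", ANY, SITE, "unreachable")],
    "OUT-TO-DMZ-ACL": [("ip", REMOTE, DMZ, None), ("gre", ANY, DMZ, None),
                       ("udp", ANY, DMZ, None), ("tcp", ANY, DMZ, 21),
                       ("tcp", ANY, DMZ, 80), ("tcp", ANY, DMZ, 23),
                       ("tcp", ANY, DMZ, 25), ("icmp", ANY, DMZ, "echo"),
                       ("tcp", ANY, DMZ, 1723), ("esp", ANY, DMZ, None),
                       ("udp", ANY, DMZ, 500), ("udp", ANY, DMZ, 4500)],
    "VPN-ACL": [("gre", ANY, ANY, None), ("tcp", ANY, ANY, 1723)],
}

# class-map type inspect match-any <name>: a hit in any listed ACL matches.
CLASSES = {
    "OUT-TO-IN-CLASS": ["OUT-TO-IN-ACL", "DC-REPLICATION"],
    "DC-REPLICATION": ["DC-REPLICATION"],
    "IN-TO-OUT-CLASS": ["IN-TO-OUT-ACL"],
    "OUT-TO-DMZ-CLASS": ["OUT-TO-DMZ-ACL"],
    "IN-TO-DMZ-CLASS": ["IN-TO-DMZ-ACL"],
    "DMZ-TO-IN-CLASS": ["DMZ-TO-IN-ACL"],
    "VPN-PASS-CLASS": ["VPN-ACL"],
}

# zone-pair -> ordered (class, action) list taken from the policy-maps.
ZONE_PAIRS = {
    ("OUTSIDE", "INSIDE"): [("OUT-TO-IN-CLASS", "inspect"), ("DC-REPLICATION", "pass")],
    ("INSIDE", "OUTSIDE"): [("IN-TO-OUT-CLASS", "inspect"), ("DC-REPLICATION", "pass")],
    ("OUTSIDE", "DMZ"): [("OUT-TO-DMZ-CLASS", "inspect"), ("VPN-PASS-CLASS", "pass")],
    ("DMZ", "OUTSIDE"): [("VPN-PASS-CLASS", "pass")],
    ("INSIDE", "DMZ"): [("IN-TO-DMZ-CLASS", "pass")],
    ("DMZ", "INSIDE"): [("DMZ-TO-IN-CLASS", "pass")],
}


def ace_matches(ace, pkt: Packet) -> bool:
    proto, src, dst, service = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(dst):
        return False
    return service is None or service == pkt.service


def acl_permits(name: str, pkt: Packet) -> bool:
    # Every entry in the posted ACLs is a permit; returning False at the end
    # stands in for the implicit deny of an IOS ACL.
    return any(ace_matches(ace, pkt) for ace in ACLS[name])


def evaluate(src_zone: str, dst_zone: str, pkt: Packet):
    """Return (action, class) for the first packet of a flow across a zone pair."""
    if src_zone == dst_zone:
        return ("pass", "intra-zone")          # same zone is not policed by ZBF
    policy = ZONE_PAIRS.get((src_zone, dst_zone))
    if policy is None:
        return ("drop", "no zone-pair")        # no zone-pair: dropped by default
    for class_name, action in policy:
        if any(acl_permits(acl, pkt) for acl in CLASSES[class_name]):
            return (action, class_name)
    return ("drop", "class-default")


if __name__ == "__main__":
    internet = "198.7.125.7"   # ISP loopback standing in for the Internet
    checks = [
        ("OUTSIDE", "INSIDE", Packet("tcp", internet, "200.20.16.10", 80)),
        ("OUTSIDE", "INSIDE", Packet("icmp", internet, "200.20.16.10", "unreachable")),
        ("INSIDE", "OUTSIDE", Packet("tcp", "200.20.16.10", internet, 80)),
        ("OUTSIDE", "DMZ", Packet("tcp", internet, "200.20.16.162", 80)),
    ]
    for sz, dz, p in checks:
        print(f"{sz:>7} -> {dz:<6} {p.proto:<4} {p.src} -> {p.dst}:{p.service}"
              f"  =>  {evaluate(sz, dz, p)}")
```

The model shows what the on-box test should reproduce: a TCP connection from 198.7.125.7 to an inside host matches no class in OUT-TO-IN-POLICY and lands in class-default, while only ICMP unreachables and the 205.205.2.0/24 replication traffic get through in that direction. On the router, `show policy-map type inspect zone-pair OUT-TO-IN` shows per-class packet counters, so a connection attempt sourced from the ISP loopback should increment the class-default counter there and never appear in `show policy-map type inspect zone-pair sessions`; adding `drop log` under `class class-default` makes each such drop show up on the syslog host at 200.20.16.165 that the config already logs to.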

