Auto Secure Configuration

When your router has a connection to the Internet, Auto Secure performs a few additional tasks related to the Internet-facing interface. Below we configure a router with two interfaces using the Auto Secure feature. The first interface, F0/0, connects to the internal network. The second, F0/1, connects to the outside environment, the Internet.

First, we assign a private address to F0/0, the interface that connects to the company's internal LAN.

    Demo#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    Demo(config)#int f0/0
    Demo(config-if)#ip add 192.168.1.1 255.255.255.0
    Demo(config-if)#no shut
    Demo(config-if)#exit
    Demo(config)#
    *Dec 2 04:13:59.103: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
    *Dec 2 04:14:00.103: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Next, we configure F0/1. Assume this interface connects out to the Internet. Its IP address is obtained from DHCP. Note how the ip address command is used on this interface.

    Demo#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    Demo(config)#int f0/1
    Demo(config-if)#ip add
    Demo(config-if)#ip address ?
      A.B.C.D  IP address
      dhcp     IP Address negotiated via DHCP
      pool     IP Address autoconfigured from a local DHCP pool
    Demo(config-if)#ip address dhcp
    Demo(config-if)#no shut
    Demo(config-if)#exit

So the ip address command, besides the familiar option of assigning a specific address, also has options that allow requesting an IP address from a DHCP server. We check the status of the interfaces and their IP addresses.

    Demo#sh ip interface brief
    Interface          IP-Address      OK? Method Status                Protocol
    FastEthernet0/0    192.168.1.1     YES manual up                    up
    FastEthernet0/1    10.215.219.32   YES DHCP   up                    up
    Serial0/1/0        unassigned      YES unset  administratively down down
    Serial0/2/0        unassigned      YES unset  administratively down down

Sometimes, when configuring routers that connect to the Internet, you also need to specify the DNS address the router will use for name resolution.
The command that specifies the DNS server is shown below. In this example, the address of VNN's DNS server is used.

    Demo#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    Demo(config)#ip name-server 203.162.4.191
    Demo(config)#exit

At this point the router's routing table looks as follows. Note that the gateway of last resort address is supplied by the DHCP server.

    Demo#sh ip ro
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route

    Gateway of last resort is 10.215.219.254 to network 0.0.0.0

         10.0.0.0/24 is subnetted, 1 subnets
    C       10.215.219.0 is directly connected, FastEthernet0/1
    C    192.168.1.0/24 is directly connected, FastEthernet0/0
    S*   0.0.0.0/0 [254/0] via 10.215.219.254

Next we use Auto Secure to harden the device. This example differs from the previous one in that this router has a connection to the Internet.

    Demo#auto secure
    AutoSecure Configuration
    *** AutoSecure configuration enhances the security of the router, but it will not make it absolutely resistant to all security attacks ***
    AutoSecure will modify the configuration of your device. All configuration changes will be shown. For a detailed explanation of how the configuration changes enhance security and any possible side effects, please refer to Cisco.com for Autosecure documentation.
    At any prompt you may enter '?' for help.
    Use ctrl-c to abort this session at any prompt.
    Gathering information about the router for AutoSecure

The router starts gathering information from the administrator. AutoSecure first asks whether this router is connected to the Internet and, if so, how many interfaces face the Internet.
By default, the router assumes that one interface faces the Internet. Note that if you want to stop the process, you can press Control-C.

    Is this router connected to internet? [no]: yes
    *Dec 2 04:21:16.671: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
    Enter the number of interfaces facing the internet [1]:
    Interface          IP-Address      OK? Method Status                Protocol
    FastEthernet0/0    192.168.1.1     YES manual up                    up
    FastEthernet0/1    10.215.219.32   YES DHCP   up                    up
    Serial0/1/0        unassigned      YES unset  administratively down down
    Serial0/2/0        unassigned      YES unset  administratively down down

The router then asks which of the interfaces listed above face the Internet.

    Enter the interface name that is facing the internet: F0/1
    Invalid interface name
    Enter the interface name that is facing the internet: FastEthernet0/1

After we enter the Internet-facing interface, the router automatically turns off a number of its services.

    Securing Management plane services
    Disabling service finger
    Disabling service pad
    Disabling udp & tcp small servers
    Enabling service password encryption
    Enabling service tcp-keepalives-in
    Enabling service tcp-keepalives-out
    Disabling the cdp protocol
    Disabling the bootp server
    Disabling the http server
    Disabling the finger service
    Disabling source routing
    Disabling gratuitous arp

The router asks for a security banner.

    Here is a sample Security Banner to be shown at every access to device. Modify it to suit your enterprise requirements.
    Authorized Access only
    This system is the property of So-&-So-Enterprise.
    UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
    You must have explicit permission to access this device.
    All activities performed on this device are logged.
    Any violations of access policy will result in disciplinary action.
    Enter the security banner {Put the banner between k and k, where k is any character}:
    $This config is for user VnPro$

The router asks for passwords to be set.
    Enable secret is either not configured or is the same as enable password
    Enter the new enable secret:
    Confirm the enable secret :
    passwords do not match
    Enter the new enable secret:
    Confirm the enable secret :
    passwords do not match
    Enter the new enable secret:
    Confirm the enable secret :
    Enter the new enable password:
    % Password too short - must be at least 6 characters. Password configuration failed
    Enter the new enable password:
    Confirm the enable password:
    Configuration of local user database
    Enter the username: vnpro
    Enter the password:
    % Password too short - must be at least 6 characters. Password configuration failed
    Enter the password:
    Confirm the password:
    Configuring AAA local authentication
    Configuring Console, Aux and VTY lines for local authentication, exec-timeout, and transport
    Securing device against Login Attacks
    Configure the following parameters
    Blocking Period when Login Attack detected: 3
    Maximum Login failures with the device: 3
    Maximum time period for crossing the failed login attempts: 3

The router asks to configure SSH.

    Configure SSH server? [yes]:
    Enter the domain-name: vnpro.org
    Configuring interface specific AutoSecure services
    Disabling the following ip services on all interfaces:
     no ip redirects
     no ip proxy-arp
     no ip unreachables
     no ip directed-broadcast
     no ip mask-reply
    Disabling mop on Ethernet interfaces
    Securing Forwarding plane services
    Enabling CEF (This might impact the memory requirements for your platform)
    Configuring the named ACLs for Ingress Filtering
    autosec_iana_reserved_block: This block is subjected to change by IANA. For an updated list, visit www.iana.org/assignments/ipv4-address-space.
    1/8, 2/8, 5/8, 7/8, 23/8, 27/8, 31/8, 36/8, 37/8, 39/8, 41/8, 42/8, 49/8, 50/8,
    58/8, 59/8, 60/8, 70/8, 71/8, 72/8, 73/8, 74/8, 75/8, 76/8, 77/8, 78/8, 79/8,
    83/8, 84/8, 85/8, 86/8, 87/8, 88/8, 89/8, 90/8, 91/8, 92/8, 93/8, 94/8, 95/8,
    96/8, 97/8, 98/8, 99/8, 100/8, 101/8, 102/8, 103/8, 104/8, 105/8, 106/8, 107/8,
    108/8, 109/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8,
    119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8, 197/8, 201/8
    autosec_private_block: 10/8, 172.16/12, 192.168/16
    autosec_complete_block: This block is a combination of the autosec_iana_reserved_block, autosec_private_block, and any packet with a source address of multicast (224/4), class E (240/4), 0/8, 169.254/16, 192.0.2/24, and 127/8.

Next, the router asks to configure ACLs to filter packets on the external interface.

    Configuring Ingress Filtering replaces the existing acl on external interfaces, if any, with Ingress Filtering acl.
    Configure Ingress Filtering on edge interfaces? [yes]:
    [1] Apply autosec_iana_reserved_block acl on all edge interfaces
    [2] Apply autosec_private_block acl on all edge interfaces
    [3] Apply autosec_complete_bogon acl on all edge interfaces
    Enter your selection [3]:
    Enabling unicast rpf on all interfaces connected to internet
    Configure CBAC Firewall feature? [yes/no]: y
    This is the configuration generated:

    no service finger
    no service pad
    no service udp-small-servers
    no service tcp-small-servers
    service password-encryption
    service tcp-keepalives-in
    service tcp-keepalives-out
    no cdp run
    no ip bootp server
    no ip http server
    no ip finger
    no ip source-route
    no ip gratuitous-arps
    no ip identd
    banner motd ^CThis config is for user VnPro^C
    security passwords min-length 6
    security authentication failure rate 10 log
    enable secret 5 $1$nEyq$HlTuZIiDeOChLt4arodSI0
    enable password 7 075E731F1A5C4F52
    username vnpro password 7 025756085F5359
    aaa new-model
    aaa authentication login local_auth local
    line con 0
     login authentication local_auth
     exec-timeout 5 0
     transport output telnet
    line aux 0
     login authentication local_auth
     exec-timeout 10 0
     transport output telnet
    line vty 0 4
     login authentication local_auth
     transport input telnet
    line tty 1
     login authentication local_auth
     exec-timeout 15 0
    login block-for 3 attempts 3 within 3
    ip domain-name vnpro.org
    crypto key generate rsa general-keys modulus 1024
    ip ssh time-out 60
    ip ssh authentication-retries 2
    line vty 0 4
     transport input ssh telnet
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    logging facility local2
    logging trap debugging
    service sequence-numbers
    logging console critical
    logging buffered
    interface FastEthernet0/0
     no ip redirects
     no ip proxy-arp
     no ip unreachables
     no ip directed-broadcast
     no ip mask-reply
     no mop enabled
    interface FastEthernet0/1
     no ip redirects
     no ip proxy-arp
     no ip unreachables
     no ip directed-broadcast
     no ip mask-reply
     no mop enabled
    interface Serial0/1/0
     no ip redirects
     no ip proxy-arp
     no ip unreachables
     no ip directed-broadcast
     no ip mask-reply
    interface Serial0/2/0
     no ip redirects
     no ip proxy-arp
     no ip unreachables
     no ip directed-broadcast
     no ip mask-reply
    ip cef
    access-list compiled
    ip access-list extended autosec_iana_reserved_block
     deny ip 1.0.0.0 0.255.255.255 any
     deny ip 2.0.0.0 0.255.255.255 any
     deny ip 5.0.0.0 0.255.255.255 any
     deny ip 7.0.0.0 0.255.255.255 any
     deny ip 23.0.0.0 0.255.255.255 any
     deny ip 27.0.0.0 0.255.255.255 any
     deny ip 31.0.0.0 0.255.255.255 any
     deny ip 36.0.0.0 0.255.255.255 any
     deny ip 37.0.0.0 0.255.255.255 any
     deny ip 39.0.0.0 0.255.255.255 any
     deny ip 41.0.0.0 0.255.255.255 any
     deny ip 42.0.0.0 0.255.255.255 any
     deny ip 49.0.0.0 0.255.255.255 any
     deny ip 50.0.0.0 0.255.255.255 any
     deny ip 58.0.0.0 0.255.255.255 any
     deny ip 59.0.0.0 0.255.255.255 any
     deny ip 60.0.0.0 0.255.255.255 any
     deny ip 70.0.0.0 0.255.255.255 any
     deny ip 71.0.0.0 0.255.255.255 any
     deny ip 72.0.0.0 0.255.255.255 any
     deny ip 73.0.0.0 0.255.255.255 any
     deny ip 74.0.0.0 0.255.255.255 any
     deny ip 75.0.0.0 0.255.255.255 any
     deny ip 76.0.0.0 0.255.255.255 any
     deny ip 77.0.0.0 0.255.255.255 any
     deny ip 78.0.0.0 0.255.255.255 any
     deny ip 79.0.0.0 0.255.255.255 any
     deny ip 83.0.0.0 0.255.255.255 any
     deny ip 84.0.0.0 0.255.255.255 any
     deny ip 85.0.0.0 0.255.255.255 any
     deny ip 86.0.0.0 0.255.255.255 any
     deny ip 87.0.0.0 0.255.255.255 any
     deny ip 88.0.0.0 0.255.255.255 any
     deny ip 89.0.0.0 0.255.255.255 any
     deny ip 90.0.0.0 0.255.255.255 any
     deny ip 91.0.0.0 0.255.255.255 any
     deny ip 92.0.0.0 0.255.255.255 any
     deny ip 93.0.0.0 0.255.255.255 any
     deny ip 94.0.0.0 0.255.255.255 any
     deny ip 95.0.0.0 0.255.255.255 any
     deny ip 96.0.0.0 0.255.255.255 any
     deny ip 97.0.0.0 0.255.255.255 any
     deny ip 98.0.0.0 0.255.255.255 any
     deny ip 99.0.0.0 0.255.255.255 any
     deny ip 100.0.0.0 0.255.255.255 any
     deny ip 101.0.0.0 0.255.255.255 any
     deny ip 102.0.0.0 0.255.255.255 any
     deny ip 103.0.0.0 0.255.255.255 any
     deny ip 104.0.0.0 0.255.255.255 any
     deny ip 105.0.0.0 0.255.255.255 any
     deny ip 106.0.0.0 0.255.255.255 any
     deny ip 107.0.0.0 0.255.255.255 any
     deny ip 108.0.0.0 0.255.255.255 any
     deny ip 109.0.0.0 0.255.255.255 any
     deny ip 110.0.0.0 0.255.255.255 any
     deny ip 111.0.0.0 0.255.255.255 any
     deny ip 112.0.0.0 0.255.255.255 any
     deny ip 113.0.0.0 0.255.255.255 any
     deny ip 114.0.0.0 0.255.255.255 any
     deny ip 115.0.0.0 0.255.255.255 any
     deny ip 116.0.0.0 0.255.255.255 any
     deny ip 117.0.0.0 0.255.255.255 any
     deny ip 118.0.0.0 0.255.255.255 any
     deny ip 119.0.0.0 0.255.255.255 any
     deny ip 120.0.0.0 0.255.255.255 any
     deny ip 121.0.0.0 0.255.255.255 any
     deny ip 122.0.0.0 0.255.255.255 any
     deny ip 123.0.0.0 0.255.255.255 any
     deny ip 124.0.0.0 0.255.255.255 any
     deny ip 125.0.0.0 0.255.255.255 any
     deny ip 126.0.0.0 0.255.255.255 any
     deny ip 197.0.0.0 0.255.255.255 any
     deny ip 201.0.0.0 0.255.255.255 any
     permit ip any any
     remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for update list
     exit
    ip access-list extended autosec_private_block
     deny ip 10.0.0.0 0.255.255.255 any
     deny ip 172.16.0.0 0.15.255.255 any
     deny ip 192.168.0.0 0.0.255.255 any
     permit ip any any
     exit
    ip access-list extended autosec_complete_bogon
     deny ip 1.0.0.0 0.255.255.255 any
     deny ip 2.0.0.0 0.255.255.255 any
     deny ip 5.0.0.0 0.255.255.255 any
     deny ip 7.0.0.0 0.255.255.255 any
     deny ip 23.0.0.0 0.255.255.255 any
     deny ip 27.0.0.0 0.255.255.255 any
     deny ip 31.0.0.0 0.255.255.255 any
     deny ip 36.0.0.0 0.255.255.255 any
     deny ip 37.0.0.0 0.255.255.255 any
     deny ip 39.0.0.0 0.255.255.255 any
     deny ip 41.0.0.0 0.255.255.255 any
     deny ip 42.0.0.0 0.255.255.255 any
     deny ip 49.0.0.0 0.255.255.255 any
     deny ip 50.0.0.0 0.255.255.255 any
     deny ip 58.0.0.0 0.255.255.255 any
     deny ip 59.0.0.0 0.255.255.255 any
     deny ip 60.0.0.0 0.255.255.255 any
     deny ip 70.0.0.0 0.255.255.255 any
     deny ip 71.0.0.0 0.255.255.255 any
     deny ip 72.0.0.0 0.255.255.255 any
     deny ip 73.0.0.0 0.255.255.255 any
     deny ip 74.0.0.0 0.255.255.255 any
     deny ip 75.0.0.0 0.255.255.255 any
     deny ip 76.0.0.0 0.255.255.255 any
     deny ip 77.0.0.0 0.255.255.255 any
     deny ip 78.0.0.0 0.255.255.255 any
     deny ip 79.0.0.0 0.255.255.255 any
     deny ip 83.0.0.0 0.255.255.255 any
     deny ip 84.0.0.0 0.255.255.255 any
     deny ip 85.0.0.0 0.255.255.255 any
     deny ip 86.0.0.0 0.255.255.255 any
     deny ip 87.0.0.0 0.255.255.255 any
     deny ip 88.0.0.0 0.255.255.255 any
     deny ip 89.0.0.0 0.255.255.255 any
     deny ip 90.0.0.0 0.255.255.255 any
     deny ip 91.0.0.0 0.255.255.255 any
     deny ip 92.0.0.0 0.255.255.255 any
     deny ip 93.0.0.0 0.255.255.255 any
     deny ip 94.0.0.0 0.255.255.255 any
     deny ip 95.0.0.0 0.255.255.255 any
     deny ip 96.0.0.0 0.255.255.255 any
     deny ip 97.0.0.0 0.255.255.255 any
     deny ip 98.0.0.0 0.255.255.255 any
     deny ip 99.0.0.0 0.255.255.255 any
     deny ip 100.0.0.0 0.255.255.255 any
     deny ip 101.0.0.0 0.255.255.255 any
     deny ip 102.0.0.0 0.255.255.255 any
     deny ip 103.0.0.0 0.255.255.255 any
     deny ip 104.0.0.0 0.255.255.255 any
     deny ip 105.0.0.0 0.255.255.255 any
     deny ip 106.0.0.0 0.255.255.255 any
     deny ip 107.0.0.0 0.255.255.255 any
     deny ip 108.0.0.0 0.255.255.255 any
     deny ip 109.0.0.0 0.255.255.255 any
     deny ip 110.0.0.0 0.255.255.255 any
     deny ip 111.0.0.0 0.255.255.255 any
     deny ip 112.0.0.0 0.255.255.255 any
     deny ip 113.0.0.0 0.255.255.255 any
     deny ip 114.0.0.0 0.255.255.255 any
     deny ip 115.0.0.0 0.255.255.255 any
     deny ip 116.0.0.0 0.255.255.255 any
     deny ip 117.0.0.0 0.255.255.255 any
     deny ip 118.0.0.0 0.255.255.255 any
     deny ip 119.0.0.0 0.255.255.255 any
     deny ip 120.0.0.0 0.255.255.255 any
     deny ip 121.0.0.0 0.255.255.255 any
     deny ip 122.0.0.0 0.255.255.255 any
     deny ip 123.0.0.0 0.255.255.255 any
     deny ip 124.0.0.0 0.255.255.255 any
     deny ip 125.0.0.0 0.255.255.255 any
     deny ip 126.0.0.0 0.255.255.255 any
     deny ip 197.0.0.0 0.255.255.255 any
     deny ip 201.0.0.0 0.255.255.255 any
     deny ip 10.0.0.0 0.255.255.255 any
     deny ip 172.16.0.0 0.15.255.255 any
     deny ip 192.168.0.0 0.0.255.255 any
     deny ip 224.0.0.0 15.255.255.255 any
     deny ip 240.0.0.0 15.255.255.255 any
     deny ip 0.0.0.0 0.255.255.255 any
     deny ip 169.254.0.0 0.0.255.255 any
     deny ip 192.0.2.0 0.0.0.255 any
     deny ip 127.0.0.0 0.255.255.255 any
     permit ip any any
     remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for update list
     exit
    interface FastEthernet0/1
     ip access-group autosec_complete_bogon in
     exit
    access-list 100 permit udp any any eq bootpc
    interface FastEthernet0/1
     ip verify unicast source reachable-via rx allow-default 100
    ip inspect audit-trail
    ip inspect dns-timeout 7
    ip inspect tcp idle-time 14400
    ip inspect udp idle-time 1800
    ip inspect name autosec_inspect cuseeme timeout 3600
    ip inspect name autosec_inspect ftp timeout 3600
    ip inspect name autosec_inspect http timeout 3600
    ip inspect name autosec_inspect rcmd timeout 3600
    ip inspect name autosec_inspect realaudio timeout 3600
    ip inspect name autosec_inspect smtp timeout 3600
    ip inspect name autosec_inspect tftp timeout 30
    ip inspect name autosec_inspect udp timeout 15
    ip inspect name autosec_inspect tcp timeout 3600
    ip access-list extended autosec_firewall_acl
     permit udp any any eq bootpc
     deny ip any any
    interface FastEthernet0/1
     ip inspect autosec_inspect out
    !
    end

The router asks whether you want to apply this configuration.

    Apply this configuration to running-config? [yes]:
    Applying the config generated to running-config
    The name for the keys will be: Demo.vnpro.org
    % The key modulus size is 1024 bits
    % Generating 1024 bit RSA keys [OK]

    Demo#sh run
    Building configuration
    Current configuration : 9519 bytes
    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname Demo
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 10 log
    security passwords min-length 6
    logging buffered 4096 debugging
    logging console critical
    enable secret 5 $1$nEyq$HlTuZIiDeOChLt4arodSI0
    enable password 7 075E731F1A5C4F52
    aaa new-model
    !
    !
    aaa authentication login local_auth local
    !
    aaa session-id common
    !
    resource policy
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip subnet-zero
    no ip source-route
    no ip gratuitous-arps
    ip cef
    !
    !
    no ip dhcp use vrf connected
    !
    !
    no ip bootp server
    ip domain name vnpro.org
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip inspect audit-trail
    ip inspect udp idle-time 1800
    ip inspect dns-timeout 7
    ip inspect tcp idle-time 14400
    ip inspect name autosec_inspect cuseeme timeout 3600
    ip inspect name autosec_inspect ftp timeout 3600
    ip inspect name autosec_inspect http timeout 3600
    ip inspect name autosec_inspect rcmd timeout 3600
    ip inspect name autosec_inspect realaudio timeout 3600
    ip inspect name autosec_inspect smtp timeout 3600
    ip inspect name autosec_inspect tftp timeout 30
    ip inspect name autosec_inspect udp timeout 15
    ip inspect name autosec_inspect tcp timeout 3600
    no ip ips deny-action ips-interface
    login block-for 3 attempts 3 within 3
    !
    no ftp-server write-enable
    !
    username vnpro password 7 025756085F5359
    archive
     log config
      logging enable
    !
    !
    no crypto isakmp ccm
    !
    interface FastEthernet0/0
     ip address 192.168.1.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     duplex auto
     speed auto
     no mop enabled
    !
    interface FastEthernet0/1
     ip address dhcp
     ip access-group autosec_complete_bogon in
     ip verify unicast source reachable-via rx allow-default 100
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip inspect autosec_inspect out
     duplex auto
     speed auto
     no mop enabled
    !
    ip classless
    !
    !
    no ip http server
    no ip http secure-server
    !
    ip access-list extended autosec_complete_bogon
     deny ip 1.0.0.0 0.255.255.255 any
     deny ip 2.0.0.0 0.255.255.255 any
     deny ip 5.0.0.0 0.255.255.255 any
     deny ip 7.0.0.0 0.255.255.255 any
     deny ip 23.0.0.0 0.255.255.255 any
     deny ip 27.0.0.0 0.255.255.255 any
     deny ip 31.0.0.0 0.255.255.255 any
     deny ip 36.0.0.0 0.255.255.255 any
     deny ip 37.0.0.0 0.255.255.255 any
     deny ip 39.0.0.0 0.255.255.255 any
     deny ip 41.0.0.0 0.255.255.255 any
     deny ip 42.0.0.0 0.255.255.255 any
     deny ip 49.0.0.0 0.255.255.255 any
     deny ip 50.0.0.0 0.255.255.255 any
     deny ip 58.0.0.0 0.255.255.255 any
     deny ip 59.0.0.0 0.255.255.255 any
     deny ip 60.0.0.0 0.255.255.255 any
     deny ip 70.0.0.0 0.255.255.255 any
     deny ip 71.0.0.0 0.255.255.255 any
     deny ip 72.0.0.0 0.255.255.255 any
     deny ip 73.0.0.0 0.255.255.255 any
     deny ip 74.0.0.0 0.255.255.255 any
     deny ip 75.0.0.0 0.255.255.255 any
     deny ip 76.0.0.0 0.255.255.255 any
     deny ip 77.0.0.0 0.255.255.255 any
     deny ip 78.0.0.0 0.255.255.255 any
     deny ip 79.0.0.0 0.255.255.255 any
     deny ip 83.0.0.0 0.255.255.255 any
     deny ip 84.0.0.0 0.255.255.255 any
     deny ip 85.0.0.0 0.255.255.255 any
     deny ip 86.0.0.0 0.255.255.255 any
     deny ip 87.0.0.0 0.255.255.255 any
     deny ip 88.0.0.0 0.255.255.255 any
     deny ip 89.0.0.0 0.255.255.255 any
     deny ip 90.0.0.0 0.255.255.255 any
     deny ip 91.0.0.0 0.255.255.255 any
     deny ip 92.0.0.0 0.255.255.255 any
     deny ip 93.0.0.0 0.255.255.255 any
     deny ip 94.0.0.0 0.255.255.255 any
     deny ip 95.0.0.0 0.255.255.255 any
     deny ip 96.0.0.0 0.255.255.255 any
     deny ip 97.0.0.0 0.255.255.255 any
     deny ip 98.0.0.0 0.255.255.255 any
     deny ip 99.0.0.0 0.255.255.255 any
     deny ip 100.0.0.0 0.255.255.255 any
     deny ip 101.0.0.0 0.255.255.255 any
     deny ip 102.0.0.0 0.255.255.255 any
     deny ip 103.0.0.0 0.255.255.255 any
     deny ip 104.0.0.0 0.255.255.255 any
     deny ip 105.0.0.0 0.255.255.255 any
     deny ip 106.0.0.0 0.255.255.255 any
     deny ip 107.0.0.0 0.255.255.255 any
     deny ip 108.0.0.0 0.255.255.255 any
     deny ip 109.0.0.0 0.255.255.255 any
     deny ip 110.0.0.0 0.255.255.255 any
     deny ip 111.0.0.0 0.255.255.255 any
     deny ip 112.0.0.0 0.255.255.255 any
     deny ip 113.0.0.0 0.255.255.255 any
     deny ip 114.0.0.0 0.255.255.255 any
     deny ip 115.0.0.0 0.255.255.255 any
     deny ip 116.0.0.0 0.255.255.255 any
     deny ip 117.0.0.0 0.255.255.255 any
     deny ip 118.0.0.0 0.255.255.255 any
     deny ip 119.0.0.0 0.255.255.255 any
     deny ip 120.0.0.0 0.255.255.255 any
     deny ip 121.0.0.0 0.255.255.255 any
     deny ip 122.0.0.0 0.255.255.255 any
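
The autosec_complete_bogon list is applied inbound on FastEthernet0/1, which in this walkthrough holds the DHCP-assigned address 10.215.219.32 with gateway 10.215.219.254. The Python sketch below is an added example, not part of the original document or of Cisco's tooling: it evaluates a constructed subset of that ACL with IOS first-match and wildcard-mask semantics so you can see which source addresses it drops. The function names are hypothetical, and only the source field is matched because every entry on this page uses destination any.

```python
import ipaddress

# Constructed sample: a subset of the autosec_complete_bogon entries from the
# generated configuration on this page, kept in their original relative order.
SAMPLE_ACL = """\
ip access-list extended autosec_complete_bogon
 deny ip 1.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 deny ip 240.0.0.0 15.255.255.255 any
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit ip any any
"""


def parse_acl(text):
    """Parse 'permit|deny ip <source> ...' lines into (action, base, wildcard, line)."""
    entries = []
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
            continue  # ACL header, remark, exit, or a non-ip entry
        if tok[2] == "any":
            base, wild = 0, 0xFFFFFFFF            # every bit is "don't care"
        elif tok[2] == "host":
            base, wild = int(ipaddress.IPv4Address(tok[3])), 0
        else:
            base = int(ipaddress.IPv4Address(tok[2]))
            wild = int(ipaddress.IPv4Address(tok[3]))  # 1-bits are ignored
        entries.append((tok[0], base, wild, raw.strip()))
    return entries


def evaluate(entries, src):
    """Return (action, matching line) for a source address; first match wins."""
    addr = int(ipaddress.IPv4Address(src))
    for action, base, wild, line in entries:
        care = ~wild & 0xFFFFFFFF                 # bits that must be equal
        if (addr & care) == (base & care):
            return action, line
    return "deny", "(implicit deny)"              # IOS ACLs end with deny any


def dropped_sources(entries, sources):
    """Map each source that the ACL would drop to the entry responsible."""
    hits = {}
    for src in sources:
        action, line = evaluate(entries, src)
        if action == "deny":
            hits[src] = line
    return hits


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    # 10.215.219.254 (gateway) and 203.162.4.191 (name server) come from the
    # page; 1.1.1.1 and 239.1.1.1 are constructed test addresses.
    tests = ["10.215.219.254", "203.162.4.191", "1.1.1.1", "239.1.1.1"]
    for src in tests:
        print(src, *evaluate(acl, src))
```

With these inputs, packets sourced from the upstream gateway 10.215.219.254 match the deny for 10.0.0.0/8, which is the kind of side effect to check for when the outside segment itself uses private addressing.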