Cisco IOS – Professional Router Provisioning
Objectives: VLAN, inter-VLAN routing, DHCP, NAT, ACL, SSH, VPN (IPsec), security
! === Basic settings ===
hostname Router-Core
no ip domain-lookup
ip domain-name azienda.local
username admin privilege 15 secret Sup3rSicuro456
crypto key generate rsa modulus 2048
! === Interfaces and VLANs ===
interface GigabitEthernet0/0
description WAN
ip address dhcp
ip nat outside
no shutdown
interface GigabitEthernet0/1
description TRUNK LAN
no shutdown
! Router-on-a-stick: a routed port has no switchport/SVI, so VLANs are dot1Q subinterfaces
interface GigabitEthernet0/1.10
description VLAN10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip nat inside
interface GigabitEthernet0/1.20
description VLAN20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
! === DHCP server ===
! Keep the gateway addresses out of the dynamic pools
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.20.1
ip dhcp pool VLAN10
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8
ip dhcp pool VLAN20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 8.8.4.4
! === NAT ===
! Extended ACL: NAT runs before IPsec, so site-to-site traffic must be excluded or it never matches the crypto map
ip access-list extended NAT_LIST
deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 any
ip nat inside source list NAT_LIST interface GigabitEthernet0/0 overload
! === Security ===
banner motd ^CUnauthorized Access Prohibited^C
ip ssh version 2
line vty 0 4
transport input ssh
login local
exec-timeout 10 0
! === IPsec VPN ===
crypto isakmp policy 10
encryption aes
hash sha
authentication pre-share
group 2
crypto isakmp key StrongSecret123 address 198.51.100.1
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
set peer 198.51.100.1
set transform-set VPN-SET
match address 101
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
interface GigabitEthernet0/0
crypto map VPN-MAP
[19:46, 04/05/2025] Luca Angeli: Ubiquiti EdgeRouter Script. Ubiquiti EdgeRouter (EdgeOS) – Advanced Provisioning
Objectives: VLAN, NAT, firewall, DHCP, SSH, IPsec VPN, hardening
=== Identity and access ===
set system host-name Router-Core
set system login user admin level admin
set system login user admin authentication plaintext-password 'Sup3rSicuro456'
set service ssh port 2222
set service ssh protocol-version v2
=== VLAN interfaces ===
set interfaces ethernet eth1 vif 10 address 192.168.10.1/24
set interfaces ethernet eth1 vif 20 address 192.168.20.1/24
=== DHCP server ===
set service dhcp-server shared-network-name VLAN10 subnet 192.168.10.0/24 default-router 192.168.10.1
set service dhcp-server shared-network-name VLAN10 subnet 192.168.10.0/24 start 192.168.10.100 stop 192.168.10.200
set service dhcp-server shared-network-name VLAN20 subnet 192.168.20.0/24 default-router 192.168.20.1
set service dhcp-server shared-network-name VLAN20 subnet 192.168.20.0/24 start 192.168.20.100 stop 192.168.20.200
=== NAT ===
set service nat rule 5000 type masquerade
set service nat rule 5000 outbound-interface eth0
=== Base firewall ===
set firewall name WAN-IN default-action drop
set firewall name WAN-IN rule 10 action accept
set firewall name WAN-IN rule 10 state established enable
set firewall name WAN-IN rule 10 state related enable
set firewall name WAN-IN rule 20 action drop
set firewall name WAN-IN rule 20 state invalid enable
set firewall name WAN-LOCAL default-action drop
set firewall name WAN-LOCAL rule 10 action accept
set firewall name WAN-LOCAL rule 10 state established enable
set firewall name WAN-LOCAL rule 10 state related enable
set interfaces ethernet eth0 firewall in name WAN-IN
set interfaces ethernet eth0 firewall local name WAN-LOCAL
=== IPsec VPN ===
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group VPN-ESP proposal 1 encryption aes128
set vpn ipsec esp-group VPN-ESP proposal 1 hash sha1
set vpn ipsec ike-group VPN-IKE proposal 1 dh-group 2
set vpn ipsec ike-group VPN-IKE proposal 1 encryption aes128
set vpn ipsec ike-group VPN-IKE proposal 1 hash sha1
set vpn ipsec site-to-site peer 198.51.100.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 198.51.100.1 authentication pre-shared-secret StrongSecret123
set vpn ipsec site-to-site peer 198.51.100.1 default-esp-group VPN-ESP
set vpn ipsec site-to-site peer 198.51.100.1 ike-group VPN-IKE
set vpn ipsec site-to-site peer 198.51.100.1 local-address 203.0.113.2
set vpn ipsec site-to-site peer 198.51.100.1 tunnel 1 local prefix 192.168.10.0/24
set vpn ipsec site-to-site peer 198.51.100.1 tunnel 1 remote prefix 192.168.30.0/24
commit
save