Cisco 837, DMZ e PS2

[[email protected]]

Ciao a tutti
dovrei fare delle prove e mettere la ps2 attaccata al mio Cisco 837..
Mi hanno consigliato di metterla in DMZ..
Ora ho capito che attaccandola alla interfaccia FastEthernet 4 e dando un no shutdown alla interfaccia virtuale Ethernet 2, si abilita la DMZ..
Poi do un indirizzo alla interfaccia ethernet 2 (di un altra rete interna)..
Giusto??..
Poi che faccio?

[Wizard]

Dai un IP alla eth4
abiliti il NAT su quella interfaccia e fai la acl per la rete in dmz
Configuri le acl per bloccare l'accesso alla rete lan dalla dmz
Configuri le impostazioni ip sulla ps2

[[email protected]]

Dai un IP alla eth4
abiliti il NAT su quella interfaccia e fai la acl per la rete in dmz
Configuri le acl per bloccare l'accesso alla rete lan dalla dmz
Configuri le impostazioni ip sulla ps2

Ciao, sorry, ma non si riesce a dare un ip alla eth4 perchè dice "Ip addresses may not be configured on L2 Links"...
Lo riesco invece a dare alla ethernet 2 e nel log compare Switch port 4 now connected to e2 interface (appena faccio no shutdown)..

[Wizard]

Beh vabè, dai l'ip alla ethernet2 poi vedi.
Posta la config dopo

[[email protected]]

Beh vabè, dai l'ip alla ethernet2 poi vedi.
Posta la config dopo

Ecco la conf (ho messo la parte che interessa)...forse ho dimenticato qualcosa....


ip cef
ip name-server 85.37.17.47
ip name-server 151.99.125.3
ip inspect name LOW cuseeme
ip inspect name LOW dns
ip inspect name LOW ftp
ip inspect name LOW h323
ip inspect name LOW https
ip inspect name LOW icmp
ip inspect name LOW imap
ip inspect name LOW pop3
ip inspect name LOW netshow
ip inspect name LOW rcmd
ip inspect name LOW realaudio
ip inspect name LOW rtsp
ip inspect name LOW esmtp
ip inspect name LOW sqlnet
ip inspect name LOW streamworks
ip inspect name LOW tftp
ip inspect name LOW tcp
ip inspect name LOW udp
ip inspect name LOW vdolive
ip inspect name LOW sip
ip inspect name LOW fragment maximum 256 timeout 1
ip ssh time-out 15
ip ssh version 2
!
!
!
interface Ethernet0
ip address 192.168.20.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
hold-queue 100 out
!
interface Ethernet2
ip address 192.168.100.1 255.255.255.0
ip access-group DMZ in
ip nat inside
ip virtual-reassembly
hold-queue 100 out
!
!
interface FastEthernet1
description >>> Mario
duplex auto
speed auto
!
interface FastEthernet2
description >>> SOHO97
duplex auto
speed auto
!
interface FastEthernet3
description >>> Access Point
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
!
ip local pool VPN-CLIENT-POOL 172.18.10.10 172.18.10.50
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
!
ip nat translation timeout 420
ip nat translation tcp-timeout 120
ip nat translation udp-timeout 120
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
no ip nat service sip udp port 5060
ip nat inside source list 150 interface Dialer0 overload
ip nat inside source static udp 192.168.20.10 6882 interface Dialer0 6882
ip nat inside source static udp 192.168.20.11 6881 interface Dialer0 6881
ip nat inside source static tcp 192.168.20.10 33916 interface Dialer0 33916
ip nat inside source static tcp 192.168.20.10 7954 interface Dialer0 7954
ip nat inside source static udp 192.168.20.10 23580 interface Dialer0 23580
ip nat inside source static udp 192.168.20.11 4673 interface Dialer0 4673
ip nat inside source static tcp 192.168.20.11 6881 interface Dialer0 6881
ip nat inside source static tcp 192.168.20.11 4662 interface Dialer0 4662
ip nat inside source static tcp 192.168.20.10 6882 interface Dialer0 6882
!
!
ip access-list extended DMZ
permit ip 192.168.100.0 0.0.0.255 any
deny ip any any
logging trap errors
access-list 1 remark PERMESSI PER IL TELNET
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 172.18.10.0 0.0.0.255 log
access-list 100 permit udp host 62.152.126.5 eq ntp host 192.168.20.1 eq ntp
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit udp host 62.152.126.5 eq ntp any eq ntp
access-list 101 permit udp host 85.37.17.47 eq domain any
access-list 101 permit udp host 151.99.125.3 eq domain any
access-list 101 permit tcp host 63.208.196.95 eq www any
access-list 101 deny ip 192.168.20.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any any eq 7954
access-list 101 permit udp any any eq 23580
access-list 101 permit udp any any eq 4673
access-list 101 permit tcp any any eq 6881
access-list 101 permit udp any any eq 6881
access-list 101 permit udp any any eq 6882
access-list 101 permit tcp any any eq 4662
access-list 101 permit tcp any any eq 6882
access-list 101 permit tcp any any eq 7960
access-list 101 permit udp any any eq 7963
access-list 101 permit udp any any eq 23551
access-list 101 permit gre any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 150 deny ip 192.168.20.0 0.0.0.255 172.18.10.0 0.0.0.255
access-list 150 permit ip 192.168.20.0 0.0.0.255 any
no cdp run

[Wizard]

ip access-list extended DMZ
permit ip 192.168.100.0 0.0.0.255 any
deny ip any any

In questo modo non crei una dmz ma una "vlan".

[[email protected]]

ip access-list extended DMZ
permit ip 192.168.100.0 0.0.0.255 any
deny ip any any

In questo modo non crei una dmz ma una "vlan".

Lo so che rompo...ma nel mondo Cisco ci sono appena entrato e sto facendo le configurazioni cercando un po in giro el forum...
Non avendo trovato niente di DMZ, allora ho postato...

Puoi eventualmente aiutarmi con un esempio?

[Wizard]

no ip access-list extended DMZ
ip access-list extended DMZ
deny ip 192.168.100.0 0.0.0.255 192.168.20.1 0.0.0.255 log
permit ip any any

In questo modo blocchi l'accesso dalla rete dmz alla rete lan ma permetti alla rete dmz di uscire verso internet

[[email protected]]

no ip access-list extended DMZ
ip access-list extended DMZ
deny ip 192.168.100.0 0.0.0.255 192.168.20.1 0.0.0.255 log
permit ip any any

In questo modo blocchi l'accesso dalla rete dmz alla rete lan ma permetti alla rete dmz di uscire verso internet

SEI UN GRANDE!!!!

Naturalmente ho messo anche ip nat inside source list DMZ interface dialer 0
, perchè non funzionava...è giusta?

Grazie

[Wizard]

Crea una acl ad hoc per il nat

ip nat inside source list 141 interface dialer 0 overload

access-l 141 remark *** ACL PER NAT DMZ ***
access-l 141 permit ip 192.168.100.0 0.0.0.255 any

[[email protected]]

Crea una acl ad hoc per il nat

ip nat inside source list 141 interface dialer 0 overload

access-l 141 remark *** ACL PER NAT DMZ ***
access-l 141 permit ip 192.168.100.0 0.0.0.255 any

Grazie funziona perfettamente!!

[Ulisse31]

Vorrei fare una domanda io:
una conf del genere permete alla DMZ di uscire in internet, PERO' non permette l'accesso DALLA rete, cioè i computer che vogliono raggiungere la DMZ non possono (e invece dovrebbero). Quale sarebbe la modifica alla ACL per permettere una cosa del genere?