Help with a Cisco 877 on a Server 2003 with 2 network cards

Everything to do with configuring Cisco equipment (that does not fall into the other categories)

Moderator: Federico.Lagni

joesca
n00b
Posts: 4
Joined: Thu 17 Jul 2008, 4:03 pm

Hi everyone, I hope you can help me. I have a Cisco 877 with LAN IP 192.168.0.1 connected to the second network card of a 2003 server, which has IP 192.168.0.100.
Browsing works fine if I set the IP of the 2003 server's first network card (192.168.1.153) as the gateway. But now a problem has come up: I need to expose a private IP, i.e. NAT the Cisco to the IP on the private network, which is 192.168.1.104, and open a range of TCP and UDP ports, 6000-60015 TCP and 60000-60051 UDP. Unfortunately I am not very familiar with Cisco, so I am counting on your experience.
Regards
Giuseppe
@lan72
Cisco enlightened user
Posts: 157
Joined: Thu 22 May 2008, 4:36 pm
Location: Sicily

Hi, the NAT is not a problem, but it would be better if you first post the router's config so we can better understand how to do it
share your knowledge

.::.::. Cisco867VAE [IOS:15.4.3.M6a|FW:35j23je]
joesca
n00b
Posts: 4
Joined: Thu 17 Jul 2008, 4:03 pm

Here is the configuration. Apart from the ports for videoconferencing and remote desktop I don't need any other ports open, so you can make any changes you think appropriate.
Thanks for the help


NVRAM config last updated at 17:06:55 PCTime Thu Jul 17 2008 by gscaletta
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname routernav
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$WLJo$R/Q1g/1AmyONThL2qGxUi1
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 1
no ip source-route
ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 151.99.125.1
ip name-server 212.216.112.112
ip ssh time-out 60
ip ssh authentication-retries 2
ip port-map h323 port tcp from 1718 to 1720 list 4 description videoc tcp
ip port-map h323 port tcp from 60000 to 60100 list 5 description videocon
ip port-map h323callsigalt port udp from 1718 to 1720 list 7 description conf udp
ip port-map h323callsigalt port udp from 60000 to 60100 list 8 description confer udp6
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 h323callsigalt
ip inspect name DEFAULT100 h323gatestat
ip inspect name DEFAULT100 skinny
ip inspect name DEFAULT100 sip-tls
ip inspect name DEFAULT100 sip
ip inspect name sdm_ins_in_100 h323
ip inspect name sdm_ins_in_100 h323callsigalt
ip inspect name sdm_ins_in_100 h323gatestat
ip inspect name sdm_ins_in_100 skinny
ip inspect name sdm_ins_in_100 sip-tls
ip inspect name sdm_ins_in_100 sip
!
!
crypto pki trustpoint TP-self-signed-2432481988
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2432481988
revocation-check none
rsakeypair TP-self-signed-2432481988
!
!
crypto pki certificate chain TP-self-signed-2432481988
certificate self-signed 01
30820250 308201B9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32343332 34383139 3838301E 170D3032 30333031 30313437
31385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 34333234
38313938 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
81009EBF 58143DE6 AB14A815 B25A53B3 3F1BD493 50D75860 0183E02E 73EF7C03
FCC8C0BF BC748652 CA9C9B7F A9A2FD1A 53841672 B8E4F1AF ECAA6A1B 1A66783A
152CF409 E008D931 B2F90EB8 B77E4E39 9C62ACFB 06D5F466 3C153B39 EBC326FC
9AA7E146 390C8401 AD876419 EC093629 6C81CC99 320ACE4D 22F13C70 3D83AA03
D87B0203 010001A3 78307630 0F060355 1D130101 FF040530 030101FF 30230603
551D1104 1C301A82 18726F75 7465726E 61762E79 6F757264 6F6D6169 6E2E636F
6D301F06 03551D23 04183016 8014BE3B CE7AD186 AB2A2524 42C76C20 73692FDB
3206301D 0603551D 0E041604 14BE3BCE 7AD186AB 2A252442 C76C2073 692FDB32
06300D06 092A8648 86F70D01 01040500 03818100 7EFFFDFA 0DEF0AA0 6FCAB2B9
47A41064 B5D92756 E3F13DCF 6282C671 E779483E 706601CD 3F125BA4 375CBDD8
3ED69EBD F305A43B 8B78B17D 0A2E8683 A6EDDA02 DF530FB4 5AD7EBF4 A53DD148
BC770B43 18278AC9 48160833 E3A85685 D9E636A3 4CA7AA0D D8FCD881 A5FAA172
7ADAEEFD 0C870666 D40ABE7F 60B4E07E EFD871B4
quit
username gscaletta privilege 15 secret 5 $1$YGoW$3kPgNE3OE/cPG1XEkhCiU.
!
!
!
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $FW_OUTSIDE$$ES_WAN$
ip address 88.41.x.x 255.255.255.240
ip access-group 101 in
ip verify unicast reverse-path
ip nat outside
ip inspect sdm_ins_in_100 in
ip inspect DEFAULT100 out
ip virtual-reassembly
no snmp trap link-status
pvc 8/35
protocol ip 88.41.36.97 broadcast
encapsulation aal5snap
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface ATM0.1 overload
ip nat inside source list 9 interface ATM0.1 overload
ip nat inside source static tcp 192.168.0.100 3389 interface ATM0.1 3389
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.0.104
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 192.168.0.104
access-list 4 remark SDM_ACL Category=1
access-list 4 permit 192.168.0.104
access-list 5 remark SDM_ACL Category=1
access-list 5 permit 192.168.0.104
access-list 6 remark SDM_ACL Category=1
access-list 6 permit 192.168.0.104
access-list 7 remark SDM_ACL Category=1
access-list 7 permit 192.168.0.104
access-list 8 remark SDM_ACL Category=1
access-list 8 permit 192.168.0.104
access-list 9 remark SDM_ACL Category=2
access-list 9 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 88.41.36.96 0.0.0.15 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any host 88.41.36.x eq 60000
access-list 101 permit udp any host 88.41.36.x eq 1718
access-list 101 permit tcp any host 88.41.36.x eq 1718
access-list 101 permit tcp any host 88.41.36.x eq 1719
access-list 101 permit tcp any host 88.41.36.x eq 1720
access-list 101 permit udp any host 88.41.36.x
access-list 101 permit udp host 212.216.112.112 eq domain host 88.41.36.100
access-list 101 permit udp host 151.99.125.1 eq domain host 88.41.36.100
access-list 101 permit tcp any host 88.41.36.x eq 3389
access-list 101 remark vpn
access-list 101 permit tcp any host 88.41.36.x eq 1723
access-list 101 remark vpn
access-list 101 permit tcp any host 88.41.36.x eq 1701
access-list 101 permit udp any host 88.41.36.x eq 60000
access-list 101 permit tcp any host 88.41.36.x eq 6000
access-list 101 permit tcp 0.0.0.104 255.255.255.0 host 88.41.36.100
access-list 101 deny tcp host 88.41.36.100 0.0.0.104 255.255.255.0
access-list 101 permit icmp any host 88.41.36.x echo-reply
access-list 101 permit icmp any host 88.41.36.x time-exceeded
access-list 101 permit icmp any host 88.41.36.x unreachable
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
no cdp run
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
@lan72
Cisco enlightened user
Posts: 157
Joined: Thu 22 May 2008, 4:36 pm
Location: Sicily

Hi, but what subnet did you set on the two network cards, and when you say browsing works fine, from which card?
share your knowledge

.::.::. Cisco867VAE [IOS:15.4.3.M6a|FW:35j23je]
joesca
n00b
Posts: 4
Joined: Thu 17 Jul 2008, 4:03 pm

So, I have a 2003 server with 2 network cards, the internal one with IP 192.168.1.153
and the external one, connected to the router, with IP 192.168.0.100, while the router has 192.168.0.1. Setting 192.168.1.153 as the gateway, the PCs on the LAN browse fine. My problem is doing port forwarding to an IP on the internal network. I hope I have been clearer.
Thanks
@lan72
Cisco enlightened user
Posts: 157
Joined: Thu 22 May 2008, 4:36 pm
Location: Sicily

I'm not entirely sure, because the router and the host that has to be exposed are on different networks, but you can give it a try.

Go into conf t mode and enter these in global config:

ip nat inside source static tcp 192.168.1.104 6000 interface ATM0.1 6000
ip nat inside source static udp 192.168.1.104 6000 interface ATM0.1 6000

In practice this forwards TCP and UDP port 6000 to the IP 192.168.1.104; to do the other ports, enter them the same way as above.

Since you have ACLs enabled on ATM0.1, don't forget to let external IPs through on port 6000, like this:

access-list 101 permit tcp any any eq 6000
access-list 101 permit udp any any eq 6000
share your knowledge

.::.::. Cisco867VAE [IOS:15.4.3.M6a|FW:35j23je]
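Putting @lan72's advice together with the posted config, here is an added example by the editor (not code from the thread): a small POSIX shell script that generates the IOS lines to paste under configure terminal. Two things in the posted config matter here and explain why a bare NAT entry for 192.168.1.104 cannot work on its own: the router's only route is ip route 0.0.0.0 0.0.0.0 ATM0.1, so a packet translated to 192.168.1.104 has no path to the server's inside LAN, and IOS 12.4 static NAT takes one port per line, so each port of the two ranges needs its own entry. Assumptions not stated on the page: the TCP range is 6000-6015 (the post's "6000-60015" read as a typo), the Windows server routes between its two NICs without NATing, the public address placeholder 88.41.36.x is kept exactly as in the posted config, and the variable and function names are the editor's.

```shell
#!/bin/sh
# Added example by the editor, not from the thread. Generates the IOS 12.4
# lines for the port-forward discussed above. Assumptions: WAN_IP keeps the
# "88.41.36.x" placeholder of the posted config; the TCP range is taken as
# 6000-6015 (the post writes "6000-60015"); the server at 192.168.0.100 is
# assumed to route, not NAT, towards 192.168.1.0/24.
WAN_IF="ATM0.1"
WAN_IP="88.41.36.x"
INSIDE_HOST="192.168.1.104"
INSIDE_NET="192.168.1.0 255.255.255.0"
INSIDE_GW="192.168.0.100"      # the server's NIC that faces the router

# One static NAT entry per port: IOS 12.4 has no port-range form of
# "ip nat inside source static".  Usage: nat_lines tcp 6000 6015
nat_lines() {
    proto=$1; port=$2; last=$3
    while [ "$port" -le "$last" ]; do
        echo "ip nat inside source static $proto $INSIDE_HOST $port interface $WAN_IF $port"
        port=$((port + 1))
    done
}

# ACL 101 is applied inbound on ATM0.1: permit only the public address and
# the needed port range instead of "any any".  Usage: acl_line tcp 6000 6015
acl_line() {
    echo "access-list 101 permit $1 any host $WAN_IP range $2 $3"
}

# Count the lines a generator produced (sanity check before pasting).
count_lines() {
    n=0
    while read -r line; do n=$((n + 1)); done
    echo "$n"
}

# Complete fragment to paste under "configure terminal".
forward_config() {
    echo "! route to the LAN behind the server; the posted config only has a default route"
    echo "ip route $INSIDE_NET $INSIDE_GW"
    nat_lines tcp 6000 6015
    nat_lines udp 60000 60051
    acl_line tcp 6000 6015
    acl_line udp 60000 60051
}

forward_config
```

Paste the output under configure terminal, then check with show ip route 192.168.1.104, show ip nat translations and, while a test connection is running, debug ip nat. Appending to ACL 101 is safe because the deny lines before the end only match bogon sources, and the implicit deny stays last. Note that the posted ACL 101 already contains permit udp any host 88.41.36.x with no port, which opens every UDP port on the WAN address; the generated UDP range line only becomes meaningful once that broad entry is removed. If the server does NAT between its NICs rather than route, return traffic from 192.168.1.104 reaches the router sourced from 192.168.0.100 and does not match the translation; in that case forward to 192.168.0.100 on the router and forward again to 192.168.1.104 on the server.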
joesca
n00b
Posts: 4
Joined: Thu 17 Jul 2008, 4:03 pm

I tried as you said, but the NAT part doesn't work. Do you think a different solution is possible?