HELP: strange issue with a Cisco 877!

Everything to do with configuring Cisco devices (that does not fit the other categories)

Moderator: Federico.Lagni

franzall
n00b
Posts: 15
Joined: Fri 11 Jul 2008, 7:45 am

Hi everyone,
I have a strange problem with a Cisco 877 that I had previously configured with the help of this forum.
The router is configured with a site-to-site VPN and a port forward; everything worked correctly until the router was abruptly powered off, and after it rebooted the problems began:
the internal network was no longer NATed, i.e. there was no Internet access and the port forwarding did not work, while the VPN was regularly up.
The configuration that was working is the following (at least I believe it is correct):
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CISCO877-XXXXX
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$9vlm$gqKylyjR1kz1MFLIBQFry.
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
clock timezone Berlin 1
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.119
ip dhcp excluded-address 192.168.0.161 192.168.0.254
!
ip dhcp pool Sp-dhcp
import all
network 192.168.0.0 255.255.255.0
dns-server 194.179.1.100 194.179.1.101
default-router 192.168.0.1
netbios-name-server 10.0.0.9
domain-name xxxxxxxx
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name xxxxxxxxxxx
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
crypto pki trustpoint TP-self-signed-1671104223
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1671104223
revocation-check none
rsakeypair TP-self-signed-1671104223
!
!
crypto pki certificate chain tti
crypto pki certificate chain TP-self-signed-1671104223
certificate self-signed 01
quit
username admin privilege 15 view root secret 5 $1$caB5$Gtq/l9gnKcOmKHUi/mzTw1
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key limone address xx.xx.xx.98
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toxx.xx.xx.98
set peer xx.xx.xx.98
set transform-set ESP-3DES-SHA
match address 102
!
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
ip address xx.xx.xx.56 255.255.255.192
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
pvc 8/32
protocol ip xx.xx.xx.2 broadcast
encapsulation aal5snap
!
crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.2
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
ip nat inside source static tcp 192.168.0.230 5900 xx.xx.xx.56 5900 route-map POL-NAT extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit xx.xx.xx.98
access-list 2 permit 10.0.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 192.168.0.1 eq telnet
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 192.168.0.1 eq 22
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 192.168.0.1 eq www
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 192.168.0.1 eq 443
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 192.168.0.1 eq cmd
access-list 100 deny tcp any host 192.168.0.1 eq telnet
access-list 100 deny tcp any host 192.168.0.1 eq 22
access-list 100 deny tcp any host 192.168.0.1 eq www
access-list 100 deny tcp any host 192.168.0.1 eq 443
access-list 100 deny tcp any host 192.168.0.1 eq cmd
access-list 100 deny udp any host 192.168.0.1 eq snmp
access-list 100 deny ip xx.xx.xx.0 0.0.0.63 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp host xx.xx.xx.98 host xx.xx.xx.56 eq telnet
access-list 101 permit tcp host xx.xx.xx.98 host xx.xx.xx.56 eq 22
access-list 101 permit tcp host xx.xx.xx.98 host xx.xx.xx.56 eq www
access-list 101 permit tcp host xx.xx.xx.98 host xx.xx.xx.56 eq 443
access-list 101 permit tcp host xx.xx.xx.98 host xx.xx.xx.56 eq cmd
access-list 101 deny udp any host xx.xx.xx.56 eq snmp
access-list 101 permit udp host xx.xx.xx.98 host xx.xx.xx.56 eq non500-isakmp
access-list 101 permit udp host xx.xx.xx.98 host xx.xx.xx.56 eq isakmp
access-list 101 permit esp host xx.xx.xx.98 host xx.xx.xx.56
access-list 101 permit ahp host xx.xx.xx.98 host xx.xx.xx.56
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 remark VTY Access-class list
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip host xx.xx.xx.98 any
access-list 104 permit ip 10.0.0.0 0.0.0.255 any
access-list 104 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 deny ip any any
access-list 105 remark ACL PENELOPE*******************************
access-list 105 remark SDM_ACL Category=18
access-list 105 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255 log
access-list 105 permit ip any any
no cdp run

route-map SDM_RMAP_1 permit 1
match ip address 103

route-map POL-NAT permit 1
match ip address 105
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 104 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

To fix the NAT problem for the internal network I changed the NAT rule as follows:
ip nat inside source list 103 interface ATM0.1 overload

Done this way, NAT towards the Internet works but the port forwarding does not; if instead I leave
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload I absolutely have to delete:
ip nat inside source static tcp 192.168.0.230 5900 xx.xx.xx.56 5900 route-map POL-NAT extendable
otherwise nothing works at all.

Is there a conflict between the ACLs or the route-maps?

Thanks in advance.

Francesco.
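Added example, not part of the original post: a small Python evaluator that applies IOS first-match ACL semantics to the two ACLs the post's route-maps reference (103 for SDM_RMAP_1, the dynamic NAT; 105 for POL-NAT, the static port forward), so the NAT decision for a given LAN flow can be checked offline. The ACL lines are copied from the post, the sample addresses are constructed, and the script models only the route-map selection logic, not the post-reboot failure itself.

```python
import ipaddress

# ACL text as it appears in the posted config. Only IP-level lines are
# handled (protocol/port qualifiers are not needed for these two ACLs);
# a trailing "log" keyword is ignored, as it does not affect matching.
ACL_103 = [  # referenced by route-map SDM_RMAP_1 (dynamic PAT)
    "deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255",
    "permit ip 192.168.0.0 0.0.0.255 any",
]
ACL_105 = [  # referenced by route-map POL-NAT (static port forward)
    "deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255 log",
    "permit ip any any",
]


def _parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD).
    Returns (network, remaining_tokens). IOS wildcards are inverted
    masks; only contiguous wildcards are supported here."""
    kw = tokens[0]
    if kw == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if kw == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    net = ipaddress.ip_network((addr, str(ipaddress.IPv4Address(mask))),
                               strict=False)
    return net, tokens[2:]


def acl_action(acl, src, dst):
    """First-match evaluation of an extended ACL for a src/dst pair.
    Returns 'permit' or 'deny'; an unmatched packet hits the implicit
    deny at the end of every IOS ACL."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        tokens = line.split()
        action, rest = tokens[0], tokens[2:]       # tokens[1] is the protocol
        src_net, rest = _parse_addr(rest)
        dst_net, rest = _parse_addr(rest)
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def nat_applies(acl, src, dst):
    """A route-map 'match ip address <acl>' selects a flow for NAT only if
    the ACL permits it. A deny leaves the flow untranslated, which is what
    keeps LAN-to-10.0.0.0/24 traffic matching crypto ACL 102 on the way
    into the IPsec tunnel."""
    return acl_action(acl, src, dst) == "permit"
```

Both ACLs classify LAN traffic identically (tunnel-bound flows denied, everything else permitted), so whatever is wrong, it is not a disagreement between 103 and 105 about which flows to translate.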
Renato.Efrati
Holy network Shaman
Posts: 637
Joined: Thu 07 Apr 2005, 9:30 pm
Location: Cisco Systems Inc. West Tasman Drive 170, San Jose CA

Moving this, since you were in the wrong section.

CCIE Routing & Switching # 20567
CCNP R&S - CCNP Sec - CCNP Collaboration - CCNP Datacenter - CCDP - VCP6-DCV

franzall
n00b
Posts: 15
Joined: Fri 11 Jul 2008, 7:45 am

Wrong in what sense?

Thanks