Problema con le rotte

[Chick75]

Ciao a tutti, ho questo problemino:

LAN --> PIX --> 1801

La lan interna dovrebbe poter vedere (pingare, telnettare) il router 1801 che sta dopo il pix...
Non ho ben chiaro di come fare...

Grazie in anticipo a tutti....

Vi posto le conf dei due apparati:

Router Cisco 1801:
1801#sh run
Building configuration...

Current configuration : 2235 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1801
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$QQo1$hWpwHWYv/ZvaYuyt.zEuK/
!
no aaa new-model
!
resource policy
!
!
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool sdm-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
dns-server 212.216.172.222 212.216.172.162
lease 0 2
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no snmp trap link-status
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Vlan1
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
interface Dialer0
ip address negotiated
ip access-group 110 in
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname aliceadsl
ppp pap sent-username aliceadsl password 0 aliceadsl
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.2 1723 interface Dialer0 1723
ip nat inside source static tcp 10.10.10.2 25 interface Dialer0 25
ip nat inside source static tcp 10.10.10.2 443 interface Dialer0 443
ip nat inside source static tcp 10.10.10.2 80 interface Dialer0 80
!
access-list 1 permit 0.0.0.0 0.0.0.255
access-list 2 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

PIX 501:

User Access Verification

Password:
Type help or '?' for a list of available commands.
Pix501> en
Password: ***********
Pix501# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Pix501
domain-name pixfirewall.it
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq www
access-list 2 permit gre any any
access-list 2 permit tcp any any eq pptp
access-list 2 permit tcp any any eq smtp
access-list 2 permit tcp any any eq www
access-list 2 permit tcp any any eq https
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.10.10.2 255.255.255.0
ip address inside 172.20.200.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.20.200.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pptp 172.20.200.254 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 172.20.200.254 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 172.20.200.254 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 172.20.200.254 www netmask 255.255.255.255 0 0
access-group 2 in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 172.20.200.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.20.200.2-172.20.200.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
terminal width 80
Cryptochecksum:726d7a7b7d99a305f77777083c5ceda7
: end
Pix501#

[luca.prina]

Ciao,
non vorrei dire una scemata ma..
sul pix l'access list 'inbound' non l'hai applicata da nessuna parte...
per permettere gli echo-reply dell' ICMP io uso di solito

Codice: Seleziona tutto

access-list OUTSIDE_IN permit icmp any any echo-reply 
access-list OUTSIDE_IN permit icmp any any source-quench 
access-list OUTSIDE_IN permit icmp any any unreachable 
access-list OUTSIDE_IN permit icmp any any time-exceeded 

ovviamente applicata in ingresso sulla outside.
Per il telnet del router credo tu debba specificare le credenziali di login:

Codice: Seleziona tutto

line vty 0 4
password 'quellochevuoi'
login

oltre ovviamente alla password di ena ...ma quella mi sembra impostata.
spero di non aver detto cretinate... saluti a tutti e... auguri
Luca

[Chick75]

Perfetto grazie!! Funziona..!!