IP Inspect, ACL, NAT and eMule not connecting

Everything to do with configuring Cisco devices (that does not fall under the other categories)

Moderator: Federico.Lagni

kikko
n00b
Posts: 15
Joined: Wed 04 Mar 2009 12:49 am

Hi all,

after managing to get my brand new 857 browsing, I'm having trouble getting eMule to connect (on some servers I get low ID, on others timed out).

I kindly ask some good soul to take a look at my config and see whether there is any problem in the ip inspect parameters, the NAT or the ACLs (I changed the eMule ports from the defaults and they are different for the 2 hosts that use it).

The IOS is 12.4(15)T6

this is the sh run (the config is 90% Wizard's one for the 20 Mbit line, adapted to pppoe).



!
version 12.4
service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
logging exception 100000
logging count
logging userinfo
logging queue-limit 10000
logging buffered 150000 notifications
logging console critical
enable password 7 oscurata
!
no aaa new-model
clock summer-time CET recurring last Sun Mar 1:00 last Sun Oct 1:00 1
!
!
dot11 syslog
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
!
!
ip cef
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 300
ip inspect hashtable-size 2048
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 60
ip inspect name IDS tcp
ip inspect name IDS udp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
ip domain name cisco.com
ip name-server 193.70.152.15
ip name-server 208.67.222.222
login block-for 1 attempts 3 within 30
login on-failure
login on-success
!
!
!
username oscurata password 7 oscurata
! 
!
archive
 log config
  hidekeys
!
!
ip tcp selective-ack
ip tcp window-size 2144
ip tcp synwait-time 10
!
!
!
interface Loopback0
 description VIRTUAL INTERFACE VPN END-POINT
 ip address 11.11.11.11 255.255.255.255
!
interface Null0
 no ip unreachables
!
interface ATM0
 mtu 1500
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 8/35 
  dialer pool-member 1
  protocol ppp dialer
 !
 dsl operating-mode adsl2 
 hold-queue 224 in
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description LAN CONNECTION
 ip address 192.168.0.1 255.255.255.0
 ip accounting output-packets
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 no ip mroute-cache
 hold-queue 100 out
!
interface Dialer0
 ip address negotiated
 ip access-group 131 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip mtu 1492
 ip inspect IDS out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname oscurata@liberotop
 ppp chap password 7 oscurata
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.3 39183 interface Dialer0 39183
ip nat inside source static udp 192.168.0.3 62192 interface Dialer0 62192
ip nat inside source static tcp 192.168.0.3 54165 interface Dialer0 54165
ip nat inside source static tcp 192.168.0.4 10532 interface Dialer0 10532
ip nat inside source static udp 192.168.0.4 6073 interface Dialer0 6073
!
!
access-list 100 remark *************************************************************
access-list 100 remark *** ACL FOR PAT AND NAT ***
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 131 remark *************************************************************
access-list 131 remark *** ACL VALERIO SNTP AND P2P ***
access-list 131 permit udp any any eq 163
access-list 131 permit tcp any host 192.168.0.3 eq 39183
access-list 131 permit udp any host 192.168.0.3 eq 62192
access-list 131 permit tcp any host 192.168.0.3 eq 54165
access-list 131 permit tcp any host 192.168.0.4 eq 10532
access-list 131 permit udp any host 192.168.0.4 eq 6073
access-list 131 remark *************************************************************
access-list 131 remark *** ACL ANTI-SPOOFING ***
access-list 131 deny   ip host 0.0.0.0 any log
access-list 131 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 192.0.0.0 0.0.0.255 any log
access-list 131 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 131 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 131 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 131 remark *************************************************************
access-list 131 remark *** ACL TO CONTROL ICMP TRAFFIC ***
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 deny   icmp any any
access-list 131 remark *************************************************************
access-list 131 remark *** ACL TO BLOCK ACCESS BY VIRUSES AND ATTACKS ***
access-list 131 deny   tcp any any eq 135
access-list 131 deny   udp any any eq 135
access-list 131 deny   udp any any eq netbios-ns
access-list 131 deny   udp any any eq netbios-dgm
access-list 131 deny   tcp any any eq 139
access-list 131 deny   udp any any eq netbios-ss
access-list 131 deny   tcp any any eq 445
access-list 131 deny   tcp any any eq 593
access-list 131 deny   tcp any any eq 2049
access-list 131 deny   udp any any eq 2049
access-list 131 deny   tcp any any eq 2000
access-list 131 deny   tcp any any range 6000 6010
access-list 131 deny   udp any any eq 1433
access-list 131 deny   udp any any eq 1434
access-list 131 deny   udp any any eq 5554
access-list 131 deny   udp any any eq 9996
access-list 131 deny   udp any any eq 113
access-list 131 deny   udp any any eq 3067
access-list 131 remark *************************************************************
access-list 131 remark *** ACL TO BLOCK UNAUTHORIZED ACCESS ***
access-list 131 deny   ip any any log
!
control-plane
!
banner motd 
***********************************************************************

	WARNING: System is RESTRICTED to authorized personnel ONLY!
	Unauthorized use of this system will be logged and
	prosecuted to the fullest extent of the law.

	If you are NOT authorized to use this system, LOG OFF NOW!

***********************************************************************

!
line con 0
 exec-timeout 120 0
 login local
 no modem enable
 transport output ssh
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 0 0
 login local
 transport input telnet ssh
 transport output telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
sntp server 193.204.114.232
sntp server 193.204.114.233
sntp server 193.204.114.105
end
thanks to whoever replies,

Vale
kikko
n00b
Posts: 15
Joined: Wed 04 Mar 2009 12:49 am

help!

Valerio :lol:
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006 10:04 am
Location: Emilia Romagna

Here's the problem:
access-list 131 permit tcp any host 192.168.0.3 eq 39183
access-list 131 permit udp any host 192.168.0.3 eq 62192
access-list 131 permit tcp any host 192.168.0.3 eq 54165
access-list 131 permit tcp any host 192.168.0.4 eq 10532
access-list 131 permit udp any host 192.168.0.4 eq 6073
You can't write the ACLs against the internal IPs, since from the Internet they are seen with the IP of interface Dialer0 (as per the NAT rules), so redo them like this:


no access-l 131
access-list 131 remark *************************************************************
access-list 131 remark *** ACL VALERIO SNTP AND P2P ***
access-list 131 permit udp any any eq 163
access-list 131 permit tcp any any eq 39183
access-list 131 permit udp any any eq 62192
access-list 131 permit tcp any any eq 54165
access-list 131 permit tcp any any eq 10532
access-list 131 permit udp any any eq 6073
access-list 131 remark *************************************************************
access-list 131 remark *** ACL ANTI-SPOOFING ***
access-list 131 deny   ip host 0.0.0.0 any log
access-list 131 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 192.0.0.0 0.0.0.255 any log
access-list 131 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 131 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 131 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 131 remark *************************************************************
access-list 131 remark *** ACL TO CONTROL ICMP TRAFFIC ***
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 deny   icmp any any
access-list 131 remark *************************************************************
access-list 131 remark *** ACL TO BLOCK ACCESS BY VIRUSES AND ATTACKS ***
access-list 131 deny   tcp any any eq 135
access-list 131 deny   udp any any eq 135
access-list 131 deny   udp any any eq netbios-ns
access-list 131 deny   udp any any eq netbios-dgm
access-list 131 deny   tcp any any eq 139
access-list 131 deny   udp any any eq netbios-ss
access-list 131 deny   tcp any any eq 445
access-list 131 deny   tcp any any eq 593
access-list 131 deny   tcp any any eq 2049
access-list 131 deny   udp any any eq 2049
access-list 131 deny   tcp any any eq 2000
access-list 131 deny   tcp any any range 6000 6010
access-list 131 deny   udp any any eq 1433
access-list 131 deny   udp any any eq 1434
access-list 131 deny   udp any any eq 5554
access-list 131 deny   udp any any eq 9996
access-list 131 deny   udp any any eq 113
access-list 131 deny   udp any any eq 3067
access-list 131 remark *************************************************************
access-list 131 remark *** ACL TO BLOCK UNAUTHORIZED ACCESS ***
access-list 131 deny   ip any any log 
The future is made of people who have intuitions and visions ..... they are the people who make the difference ...... those gifted with a THIRD EYE....
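Why the original ACL 131 could never admit an eMule connection, as an added worked example that is not part of the thread and not code from the post or from Cisco: on an interface configured with `ip nat outside`, an inbound ACL (`ip access-group 131 in`) is evaluated on the packet as it arrives from the Internet, before outside-to-inside NAT, so the destination address it matches against is the Dialer0 public address, never the inside local 192.168.0.x that the static NAT entries point at. The script below parses the relevant lines of the posted ACL 131 in `show run` form, applies them in that order, then applies the posted static NAT entries. Assumptions, labelled in the code: the public address (the real one is PPP-negotiated and not in the post) and the sample packets. Two checks a practitioner would run on the corrected ACL are included: the `permit ... any any eq <port>` lines now sit before the anti-spoofing denies, so the ACL itself permits a packet with an RFC 1918 source to those ports (on the posted config `ip verify unicast reverse-path` on Dialer0 is what still drops it), and the line remarked as SNTP permits UDP 163 with no NAT entry behind it, so it admits nothing to the LAN (SNTP itself uses UDP 123).

```python
"""Inbound packet flow on the posted Cisco 857 configuration, simulated.

Added example for this thread, not code from the post or from Cisco.
On the 'ip nat outside' interface the inbound ACL runs before NAT, so the
destination it sees is the Dialer0 public address, not an inside host.
Assumption: DIALER0_PUBLIC (RFC 5737 range); the real address is negotiated.
"""
import ipaddress

DIALER0_PUBLIC = "203.0.113.10"  # assumption, stands in for 'ip address negotiated'

# Port forwards from the posted 'ip nat inside source static' lines:
# (proto, port on Dialer0) -> (inside local address, inside port)
STATIC_NAT = {
    ("tcp", 39183): ("192.168.0.3", 39183),
    ("udp", 62192): ("192.168.0.3", 62192),
    ("tcp", 54165): ("192.168.0.3", 54165),
    ("tcp", 10532): ("192.168.0.4", 10532),
    ("udp", 6073): ("192.168.0.4", 6073),
}
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

# Relevant lines of the posted ACL 131, verbatim (inside-local destinations) ...
POSTED_ACL_131 = """
access-list 131 permit udp any any eq 163
access-list 131 permit tcp any host 192.168.0.3 eq 39183
access-list 131 permit udp any host 192.168.0.3 eq 62192
access-list 131 permit tcp any host 192.168.0.3 eq 54165
access-list 131 permit tcp any host 192.168.0.4 eq 10532
access-list 131 permit udp any host 192.168.0.4 eq 6073
access-list 131 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 131 deny   tcp any any eq 445
access-list 131 deny   ip any any log
"""
# ... and the same lines as rewritten in the reply ('any' destination).
FIXED_ACL_131 = POSTED_ACL_131.replace("host 192.168.0.3", "any").replace("host 192.168.0.4", "any")


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (value, care_mask)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return _ip(tokens.pop(0)), 0xFFFFFFFF
    # Cisco wildcard: 1 bits are "don't care", so the care mask is its inverse
    return _ip(tok), ~_ip(tokens.pop(0)) & 0xFFFFFFFF


def _parse_port(tokens):
    """Consume an optional 'eq P' or 'range LO HI'; return (lo, hi) or None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = int(PORT_NAMES.get(tokens[0], tokens[0]))
        tokens.pop(0)
        return p, p
    if tokens and tokens[0] == "range":
        tokens.pop(0)
        return int(tokens.pop(0)), int(tokens.pop(0))
    return None


def parse_acl(text):
    """Parse numbered extended ACL lines ('show run' form) into match entries."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] == ["access-list"]:
            t = t[2:]  # drop 'access-list <number>'
        if not t or t[0] == "remark":
            continue
        action, proto = t.pop(0), t.pop(0)
        src, sport = _parse_addr(t), _parse_port(t)
        dst, dport = _parse_addr(t), _parse_port(t)
        entries.append((action, proto, src, sport, dst, dport))  # trailing 'log' ignored
    return entries


def _match(spec, addr):
    value, mask = spec
    return (addr & mask) == (value & mask)


def _in_range(spec, port):
    return spec is None or spec[0] <= port <= spec[1]


def acl_verdict(entries, proto, src, sport, dst, dport):
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    s, d = _ip(src), _ip(dst)
    for action, eproto, esrc, esport, edst, edport in entries:
        if eproto in ("ip", proto) and _match(esrc, s) and _in_range(esport, sport) \
                and _match(edst, d) and _in_range(edport, dport):
            return action
    return "deny"


def inbound_from_internet(entries, proto, src, sport, dport):
    """Unsolicited packet on Dialer0: ACL first, against the untranslated public
    destination; only then does the static NAT entry rewrite it to the inside host."""
    if acl_verdict(entries, proto, src, sport, DIALER0_PUBLIC, dport) != "permit":
        return "dropped-by-acl", None
    target = STATIC_NAT.get((proto, dport))
    if target is None:
        return "no-nat-entry", None  # PAT overload has no inbound mapping for it
    return "forwarded", target


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL_131), ("fixed", FIXED_ACL_131)):
        # constructed sample: a remote eMule peer (RFC 5737 source) contacting host .3
        print(name, inbound_from_internet(parse_acl(acl), "tcp", "198.51.100.7", 51000, 39183))
```

Run as-is it prints `dropped-by-acl` for the posted ACL and `forwarded` to 192.168.0.3:39183 for the rewritten one, which is the low ID / timed out symptom and its fix. The same simulator is what you would extend to check the outbound direction; note that the ACL is applied only inbound, so outbound-initiated sessions rely on `ip inspect IDS out` for their return traffic.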
kikko
n00b
Posts: 15
Joined: Wed 04 Mar 2009 12:49 am

thanks Wizard, or rather thanks twice (1 for the configuration, 2 for the help!).

(I'll be studying ACLs in the course in 2 weeks!!! can't wait!!)
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006 10:04 am
Location: Emilia Romagna

(I'll be studying ACLs in the course in 2 weeks!!! can't wait!!)
Yes, but the ACL syntax was correct!
The problem was precisely that the concept was wrong!
kikko
n00b
Posts: 15
Joined: Wed 04 Mar 2009 12:49 am

yes, I noticed :D

I filtered an inside local before NAT


:shock: :lol:

anyway in the course I'm still on RIP and other trivial stuff, we'll talk about security in module 3 at the end of the month!
Gianremo.Smisek
Messianic Network master
Posts: 1159
Joined: Sun 11 Mar 2007 2:23 pm
Location: Termoli

RIP and trivial stuff?

wait until the routing gets heavier... then see whether it's trivial :)
Last edited by Gianremo.Smisek on Tue 17 Mar 2009 2:35 pm, edited 1 time in total.
kikko
n00b
Posts: 15
Joined: Wed 04 Mar 2009 12:49 am

yes, I say trivial because they are interesting and useful but, as a concept (at this level, i.e. CCNA2), not very engaging (though I repeat, interesting), also because the hands-on part has only just started (practically CCNA1 and half of 2 are theory).

I WANT TO TINKER!! (and luckily I'm managing to)