1841 Dynamic IP/FTP/Ports

Everything to do with configuring Cisco devices (that does not fall under the other categories)

Moderator: Federico.Lagni

fireblade
Cisco fan
Posts: 32
Joined: Mon 30 Jul 2007, 11:02 am
Location: Venezia

First of all, a good weekend to the whole forum.

Today, with no girlfriend around and a bit of time on my hands, I would like to spend some time changing the configuration of my home router.

Since I am really ignorant on the subject, I ran into the following problem:

I would like to open ports 1001 to 1008 and 1501 to 1508, with free traffic inbound and outbound, both TCP and UDP, pointing to the machine with IP 192.168.2.12.

I have an FTP server that is already configured and works very well; I would like to make it so that, given the static IP assigned by DynDNS, the FTP traffic goes to the server (and that part already works), while the traffic on the ports mentioned above points to 192.168.2.12.

Here is my configuration

I know... for a guru this will be trivial, but for me any advice and/or examples for integrating this function into the current config are very welcome.

!This is the running config of the router: 192.168.2.1
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$IXDf$xR8xUnUBUsNj7Va8eqJSB1
enable password MIAPASS
!
no aaa new-model
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool MIONETWORK
import all
network 192.168.2.0 255.255.255.0
dns-server 85.37.17.** 85.38.28.**
default-router 192.168.2.1
!
!
ip host dyns.net 213.232.93.**
ip name-server 85.37.17.**
ip name-server 85.38.28.**
ip ddns update method sdm_ddns1
HTTP
add http://www.dyns.net/postscript011.php?u ... **&domain=******
remove http://www.dyns.net/postscript011.php?u ... **&domain=******
!
!
!
crypto pki trustpoint TP-self-signed-564730499
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-564730499
revocation-check none
rsakeypair TP-self-signed-564730499
!
!
crypto pki certificate chain TP-self-signed-564730499
certificate self-signed 01
3082023C 308201A5 A0030201 02020101 300D0609 2A864886
1A22FFE4 AC21AFF3 861165A4 870E61B2 690E97F8 6FD3DC83 269DDAA8 7013A73B
76955849 FB2CD761 E63244E7 DCA726FF 08A7799E 9D0B9257 8AABE315 85DB2F8E
2D3F2BF0 B84BEB83 1FADDC6B 996C1474 814532BF 045124C9 AD7F9BAE 1FDD2495
02030100 01A36630 64300F06 03551D13 0101FF04 05300301 01FF3011 0603551D
11040A30 08820652 6F757465 72301F06 03551D23 04183016 801456F8 84AD8B32
C9331E56 AA926E4C 8FE4637D CCC4301D 0603551D 0E041604 1456F884 AD8B32C9
331E56AA 926E4C8F E4637DCC C4300D06 092A8648 86F70D01 01040500 03818100
53A0BAC3 5C0DA535
quit
username ****** privilege 15 secret 5 $1$ULcH$/JO.iGfbwKz0F2HfSxj.a0
!
!
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$FW_INSIDE$
ip address 192.168.2.1 255.255.255.0
ip access-group 100 in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
speed auto
full-duplex
no mop enabled
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Dialer0
description $FW_OUTSIDE$
ip ddns update hostname *****.**.**
ip ddns update sdm_ddns1 host 213.232.93.**
ip address negotiated
ip access-group 101 in
ip mtu 1452
ip nbar protocol-discovery
ip inspect SDM_LOW out
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname aliceadsl
ppp chap password 0 aliceadsl
ppp pap sent-username aliceadsl password 0 aliceadsl
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.2.2 21 interface Dialer0 21
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark *** ACL IN INGRESSO DA INTERNET ***
access-list 101 permit tcp host 213.232.93.** eq www any log
access-list 101 permit tcp any any eq ftp
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit udp host 85.38.28.** eq domain any
access-list 101 permit udp host 85.37.17.** eq domain any
access-list 101 deny ip 192.168.2.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password *******
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end

Thanks again, regards, Paolo

fireblade

Could this work?

!This is the running config of the router: 192.168.2.1
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$IXDf$xR8xUnUBUsNj7Va8eqJSB1
enable password **********
!
no aaa new-model
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool ********
import all
network 192.168.2.0 255.255.255.0
dns-server 85.37.17.** 85.38.28.**
default-router 192.168.2.1
!
!
ip host dyns.net 213.232.93.**
ip name-server 85.37.17.**
ip name-server 85.38.28.**
ip ddns update method sdm_ddns1
HTTP
add http://www.dyns.net/postscript011.php?u ... **&domain=**.**
remove http://www.dyns.net/postscript011.php?u ... **&domain=**.**
!
!
!
crypto pki trustpoint TP-self-signed-564730499
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-564730499
revocation-check none
rsakeypair TP-self-signed-564730499
!
!
crypto pki certificate chain TP-self-signed-564730499
certificate self-signed 01
34393930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
E0E734EA F69B5928 40C11DCA D7DC72DC B76B1D5E DBEC4D2D 3CC7F939 3BF50F1F
1A22FFE4 AC21AFF3 861165A4 870E61B2 690E97F8 6FD3DC83 269DDAA8 7013A73B
76955849 FB2CD761 E63244E7 DCA726FF 08A7799E 9D0B9257 8AABE315 85DB2F8E
2D3F2BF0 B84BEB83 1FADDC6B 996C1474 814532BF 045124C9 AD7F9BAE 1FDD2495
02030100 01A36630 64300F06 03551D13 0101FF04 05300301 01FF3011 0603551D
11040A30 08820652 6F757465 72301F06 03551D23 04183016 801456F8 84AD8B32
403C0A42 F7D0609A 4189A544 B341FE98 948AD2CC 5B4D56FD 6D79E509 F3AF46E4
6882176E E25DE881 0A343CA8 85062307 AEC5F60C 91803EEB 53A0BAC3 5C0DA535
quit
username ********* privilege 15 secret 5 $1$ULcH$/JO.iKz0F2HfSxj.a0
!
!
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$FW_INSIDE$
ip address 192.168.2.1 255.255.255.0
ip access-group 100 in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
speed auto
full-duplex
no mop enabled
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Dialer0
description $FW_OUTSIDE$
ip ddns update hostname ***********.***.**
ip ddns update sdm_ddns1 host 213.232.93.**
ip address negotiated
ip access-group 101 in
ip mtu 1452
ip nbar protocol-discovery
ip inspect SDM_LOW out
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname aliceadsl
ppp chap password 0 aliceadsl
ppp pap sent-username aliceadsl password 0 aliceadsl
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.2.2 21 interface Dialer0 21
ip nat inside source static tcp 192.168.2.12 1001 interface Dialer0 1001
ip nat inside source static tcp 192.168.2.12 1002 interface Dialer0 1002
ip nat inside source static tcp 192.168.2.12 1003 interface Dialer0 1003
ip nat inside source static tcp 192.168.2.12 1004 interface Dialer0 1004
ip nat inside source static tcp 192.168.2.12 1005 interface Dialer0 1005
ip nat inside source static tcp 192.168.2.12 1006 interface Dialer0 1006
ip nat inside source static tcp 192.168.2.12 1007 interface Dialer0 1007
ip nat inside source static tcp 192.168.2.12 1008 interface Dialer0 1008
ip nat inside source static tcp 192.168.2.12 1501 interface Dialer0 1501
ip nat inside source static tcp 192.168.2.12 1502 interface Dialer0 1502
ip nat inside source static tcp 192.168.2.12 1503 interface Dialer0 1503
ip nat inside source static tcp 192.168.2.12 1504 interface Dialer0 1504
ip nat inside source static tcp 192.168.2.12 1505 interface Dialer0 1505
ip nat inside source static tcp 192.168.2.12 1506 interface Dialer0 1506
ip nat inside source static tcp 192.168.2.12 1507 interface Dialer0 1507
ip nat inside source static tcp 192.168.2.12 1508 interface Dialer0 1508
ip nat inside source static udp 192.168.2.12 1001 interface Dialer0 1001
ip nat inside source static udp 192.168.2.12 1002 interface Dialer0 1002
ip nat inside source static udp 192.168.2.12 1003 interface Dialer0 1003
ip nat inside source static udp 192.168.2.12 1004 interface Dialer0 1004
ip nat inside source static udp 192.168.2.12 1005 interface Dialer0 1005
ip nat inside source static udp 192.168.2.12 1006 interface Dialer0 1006
ip nat inside source static udp 192.168.2.12 1007 interface Dialer0 1007
ip nat inside source static udp 192.168.2.12 1008 interface Dialer0 1008
ip nat inside source static udp 192.168.2.12 1501 interface Dialer0 1501
ip nat inside source static udp 192.168.2.12 1502 interface Dialer0 1502
ip nat inside source static udp 192.168.2.12 1503 interface Dialer0 1503
ip nat inside source static udp 192.168.2.12 1504 interface Dialer0 1504
ip nat inside source static udp 192.168.2.12 1505 interface Dialer0 1505
ip nat inside source static udp 192.168.2.12 1506 interface Dialer0 1506
ip nat inside source static udp 192.168.2.12 1507 interface Dialer0 1507
ip nat inside source static udp 192.168.2.12 1508 interface Dialer0 1508

!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark *** ACL IN INGRESSO DA INTERNET ***
access-list 101 permit tcp host 213.232.93.** eq www any log
access-list 101 permit tcp any any eq ftp
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit udp host 85.38.28.** eq domain any
access-list 101 permit udp host 85.37.17.** eq domain any
access-list 101 remark *** ACL PORT FORWARDING ***
access-list 101 permit tcp any host 192.168.2.12 eq 1001
access-list 101 permit tcp any host 192.168.2.12 eq 1002
access-list 101 permit tcp any host 192.168.2.12 eq 1003
access-list 101 permit tcp any host 192.168.2.12 eq 1004
access-list 101 permit tcp any host 192.168.2.12 eq 1005
access-list 101 permit tcp any host 192.168.2.12 eq 1006
access-list 101 permit tcp any host 192.168.2.12 eq 1007
access-list 101 permit tcp any host 192.168.2.12 eq 1008
access-list 101 permit tcp any host 192.168.2.12 eq 1501
access-list 101 permit tcp any host 192.168.2.12 eq 1502
access-list 101 permit tcp any host 192.168.2.12 eq 1503
access-list 101 permit tcp any host 192.168.2.12 eq 1504
access-list 101 permit tcp any host 192.168.2.12 eq 1505
access-list 101 permit tcp any host 192.168.2.12 eq 1506
access-list 101 permit tcp any host 192.168.2.12 eq 1507
access-list 101 permit tcp any host 192.168.2.12 eq 1508
access-list 101 permit udp any host 192.168.2.12 eq 1001
access-list 101 permit udp any host 192.168.2.12 eq 1002
access-list 101 permit udp any host 192.168.2.12 eq 1003
access-list 101 permit udp any host 192.168.2.12 eq 1004
access-list 101 permit udp any host 192.168.2.12 eq 1005
access-list 101 permit udp any host 192.168.2.12 eq 1006
access-list 101 permit udp any host 192.168.2.12 eq 1007
access-list 101 permit udp any host 192.168.2.12 eq 1008
access-list 101 permit udp any host 192.168.2.12 eq 1501
access-list 101 permit udp any host 192.168.2.12 eq 1502
access-list 101 permit udp any host 192.168.2.12 eq 1503
access-list 101 permit udp any host 192.168.2.12 eq 1504
access-list 101 permit udp any host 192.168.2.12 eq 1505
access-list 101 permit udp any host 192.168.2.12 eq 1506
access-list 101 permit udp any host 192.168.2.12 eq 1507
access-list 101 permit udp any host 192.168.2.12 eq 1508
access-list 101 deny ip 192.168.2.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password ****************
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
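A note on the second configuration, as an added editor's example rather than anything from the original thread: on IOS an ACL applied inbound on the outside interface (Dialer0) is evaluated before the inside static NAT is applied, so at that point the destination address is still the router's negotiated public address, not 192.168.2.12. The `permit ... host 192.168.2.12` entries in access-list 101 would therefore never match, and the forwarded ports would fall through to the final `deny ip any any log`. The existing FTP forward already works for exactly this reason: its entry is `permit tcp any any eq ftp`, with `any` as destination. The fragment below rewrites access-list 101 the same way, keeping the posted entries and their order, matching the forwarded ports on the public side with `range` instead of sixteen per-port lines (the public address is negotiated, so `any` is the destination). The `ip nat inside source static` lines for 192.168.2.12 stay as posted; the masked addresses (`**`) are the page's own placeholders.

```cisco
! Rebuild of access-list 101 (numbered ACLs are re-entered as a whole).
! Inbound on Dialer0 the ACL sees the packet before NAT, so the
! destination is the public address, not 192.168.2.12.
no access-list 101
access-list 101 remark *** ACL IN INGRESSO DA INTERNET ***
access-list 101 permit tcp host 213.232.93.** eq www any log
access-list 101 permit tcp any any eq ftp
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit udp host 85.38.28.** eq domain any
access-list 101 permit udp host 85.37.17.** eq domain any
! Port forwarding to 192.168.2.12: match on destination port only, the
! static NAT entries then translate the public address to 192.168.2.12.
access-list 101 remark *** ACL PORT FORWARDING (pre-NAT, so destination = any) ***
access-list 101 permit tcp any any range 1001 1008
access-list 101 permit tcp any any range 1501 1508
access-list 101 permit udp any any range 1001 1008
access-list 101 permit udp any any range 1501 1508
! Anti-spoofing and final deny, unchanged from the posted config; they
! must stay after the permit entries.
access-list 101 deny ip 192.168.2.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
```

Because access-list 101 is applied to Dialer0 while it is being rebuilt, enter the block from the console or paste it in one go, then confirm with `show access-lists 101` that the four `range` entries sit before the `deny` lines and that their hit counters increase when the forwarded ports are used. The `deny ip any any log` at the end is also the place to look when a forward does not work: a logged deny for the public address on one of these ports means the ACL, not the NAT statement, is dropping the packet.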
fireblade

Any advice?