Cisco 1700 and Interbusiness HDSL line - Browsing problem

Everything that has to do with configuring Cisco devices (and does not fit the other categories)

Moderator: Federico.Lagni

sacc82
Cisco fan
Posts: 32
Joined: Mon 01 Aug 2005, 4:30 pm
Location: Vicenza

I put "bandwidth 2048" in both serial0 and serial0.1, but nothing changes.


Running the "terminal monitor" command I see these messages on the console:

3w5d: %FW-4-ALERT_OFF: calming down, count (3/400) current 1-min rate: 314
3w5d: %FW-4-ALERT_ON: getting aggressive, count (3/500) current 1-min rate: 501
3w5d: %FW-4-ALERT_ON: getting aggressive, count (4/500) current 1-min rate: 501
3w5d: %FW-4-ALERT_OFF: calming down, count (2/400) current 1-min rate: 314
3w5d: %FW-4-ALERT_ON: getting aggressive, count (4/500) current 1-min rate: 501
3w5d: %FW-4-ALERT_OFF: calming down, count (2/400) current 1-min rate: 362


Do they mean anything significant?
valerio1976
Network Emperor
Posts: 263
Joined: Fri 05 Mar 2010, 9:05 am

Being always off-site I haven't had a chance to try your configuration... tomorrow morning I'll be in the office, I'll set up exactly your config and that way maybe I'll see what's wrong and let you know


bye
sacc82
Cisco fan
Posts: 32
Joined: Mon 01 Aug 2005, 4:30 pm
Location: Vicenza

valerio, thank you for your availability!
I'll be abroad from tomorrow for 10 days.. so take your time, whenever you want, if you can tell me something and leave it written here you'd be doing me a huge favour!
Thanks again for the help you've offered!
valerio1976
Network Emperor
Posts: 263
Joined: Fri 05 Mar 2010, 9:05 am

This error is because you have a DoS attack!

So do this:

in config mode

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime
service timestamps log datetime
service password-encryption
no cdp run
no service udp-small-servers
service udp-small-servers
logging exception 100000
logging count
logging userinfo
logging queue-limit 10000
logging buffered 150000 notifications
logging console critical
logging monitor notifications

ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600

then:

access-list 131 remark *************************************************************
access-list 131 remark *** ACL ANTI-SPOOFING ***
access-list 131 deny ip host 0.0.0.0 any log
access-list 131 deny ip 127.0.0.0 0.255.255.255 any log
access-list 131 deny ip 192.0.2.0 0.0.0.255 any log
access-list 131 deny ip 224.0.0.0 31.255.255.255 any log
access-list 131 deny ip 10.0.0.0 0.255.255.255 any log
access-list 131 deny ip 172.16.0.0 0.15.255.255 any log
access-list 131 deny ip 192.168.0.0 0.0.255.255 any log
access-list 131 remark *************************************************************
access-list 131 remark *** ACL TO CONTROL ICMP TRAFFIC ***
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 deny icmp any any
access-list 131 remark *************************************************************
access-list 131 remark *** dns and ntp traffic ***
access-list 131 permit udp host 208.67.222.222 eq domain any
access-list 131 permit udp host 151.99.125.1 eq domain any
access-list 131 permit udp host 207.46.197.32 eq ntp any
access-list 131 permit udp host 192.43.244.18 eq ntp any
access-list 131 remark *************************************************************
access-list 131 remark *** ACL TO BLOCK ACCESS BY VIRUSES AND ATTACKS ***
access-list 131 deny tcp any any eq 135
access-list 131 deny udp any any eq 135
access-list 131 deny udp any any eq netbios-ns
access-list 131 deny udp any any eq netbios-dgm
access-list 131 deny tcp any any eq 139
access-list 131 deny udp any any eq netbios-ss
access-list 131 deny tcp any any eq 445
access-list 131 deny tcp any any eq 593
access-list 131 deny tcp any any eq 2049
access-list 131 deny udp any any eq 2049
access-list 131 deny tcp any any eq 2000
access-list 131 deny tcp any any range 6000 6010
access-list 131 deny udp any any eq 1433
access-list 131 deny udp any any eq 1434
access-list 131 deny udp any any eq 5554
access-list 131 deny udp any any eq 9996
access-list 131 deny udp any any eq 113
access-list 131 deny udp any any eq 3067
access-list 131 deny tcp any any eq 8888
access-list 131 deny tcp any any eq 8594
access-list 131 deny tcp any any eq 8563
access-list 131 deny tcp any any eq 7778
access-list 131 remark *************************************************************
access-list 131 remark *** ACL TO BLOCK UNAUTHORIZED ACCESS ***
access-list 131 deny ip any any log

and under s0.1 tag them with the following commands:

ip access-group 131 in
and
ip inspect myfw out

then under the interfaces:

no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip tcp adjust-mss 1460


and let me know.... anyway, then check the various PCs connected to that router, most likely there are some suspicious services LOL


bye
sacc82
Cisco fan
Posts: 32
Joined: Mon 01 Aug 2005, 4:30 pm
Location: Vicenza
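As an added illustration (not code from the thread or from valerio1976), here is a small Python matcher that applies Cisco's first-match, wildcard-mask ACL semantics (any / host / wildcard addresses, eq and range port operators, ICMP types, implicit deny) to an excerpt of the access-list 131 posted above, and runs it against constructed packets using the documentation addresses 203.0.113.x and 198.51.100.x. It shows that the spoofing and ICMP lines decide statically, while a DNS reply from a resolver not listed in the ACL and returning web traffic both fall through to the final `deny ip any any log`: with this ACL inbound on s0.1 such traffic only gets in if the `ip inspect myfw out` session table has opened it, which is why the two commands have to go on the same interface.

```python
import ipaddress
from collections import namedtuple
# Excerpt of access-list 131 as posted above (remarks and most of the port lines left out).
ACL_131 = """
access-list 131 deny ip host 0.0.0.0 any log
access-list 131 deny ip 10.0.0.0 0.255.255.255 any log
access-list 131 permit icmp any any echo
access-list 131 deny icmp any any
access-list 131 permit udp host 208.67.222.222 eq domain any
access-list 131 deny tcp any any range 6000 6010
access-list 131 deny ip any any log
"""
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type", defaults=(0, 0, ""))  # constructed input

def _wild_match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)  # Cisco wildcard mask: a set bit means "don't care"

def _addr(toks):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (predicate, remaining tokens)."""
    if toks[0] == "any":
        return (lambda a: True), toks[1:]
    if toks[0] == "host":
        return (lambda a, h=toks[1]: a == h), toks[2:]
    return (lambda a, b=toks[0], w=toks[1]: _wild_match(a, b, w)), toks[2:]

def _ports(toks):
    """Consume an optional 'eq P' or 'range LO HI'; a few IOS port names are resolved inline."""
    num = lambda t: {"domain": 53, "ntp": 123, "netbios-ns": 137, "netbios-dgm": 138}.get(t) or int(t)
    if toks and toks[0] in ("eq", "range"):
        lo, hi = (num(toks[1]), num(toks[1])) if toks[0] == "eq" else (num(toks[1]), num(toks[2]))
        return (lambda x: lo <= x <= hi), toks[2 if toks[0] == "eq" else 3:]
    return (lambda x: True), toks

def parse_acl(text, number="131"):
    entries = []  # each entry: (action, proto, src, sport, dst, dport, icmp_type, log)
    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] != ["access-list", number] or t[2] == "remark": continue
        src, rest = _addr(t[4:]); sp, rest = _ports(rest)
        dst, rest = _addr(rest); dp, rest = _ports(rest)
        itype = rest[0] if t[3] == "icmp" and rest and rest[0] != "log" else ""
        entries.append((t[2], t[3], src, sp, dst, dp, itype, "log" in rest))
    return entries

def evaluate(entries, pkt):
    """First matching entry wins; no match means the implicit deny at the end (not logged)."""
    for action, proto, src, sp, dst, dp, itype, log in entries:
        if (proto in ("ip", pkt.proto) and src(pkt.src) and dst(pkt.dst)
                and sp(pkt.sport) and dp(pkt.dport) and (not itype or itype == pkt.icmp_type)):
            return action, log
    return "deny", False

if __name__ == "__main__":  # a DNS reply from a resolver that is not listed in the ACL (constructed address)
    print(evaluate(parse_acl(ACL_131), Packet("udp", "203.0.113.53", "198.51.100.10", 53, 40123)))
```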

Here I am!!!!!!!! Back!!!!

So...

the commands:

logging count
logging userinfo

it doesn't accept them:

Code:

Router(config)#logging ?
  Hostname or A.B.C.D  IP address of the logging host
  buffered             Set buffered logging parameters
  console              Set console logging level
  exception            Limit size of exception flush output
  facility             Facility parameter for syslog messages
  history              Configure syslog history table
  host                 Set syslog server host name or IP address
  monitor              Set terminal line (monitor) logging level
  on                   Enable logging to all supported destinations
  rate-limit           Set messages per second limit
  source-interface     Specify interface for source address in logging transactions
  trap                 Set syslog server logging level
also you told me to put:

no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip tcp adjust-mss 1460

under the interfaces... but which interfaces? all of them?

eth0, serial0, serial0.1... ?

Thanks a lot!
sacc82
Cisco fan
Posts: 32
Joined: Mon 01 Aug 2005, 4:30 pm
Location: Vicenza

also the commands:

ip virtual-reassembly
ip tcp adjust-mss 1460

it doesn't recognize them.... I entered these inside interface ser0.1

Code:

Router(config-subif)#ip ?
Interface IP configuration subcommands:
  access-group        Specify access control for packets
  accounting          Enable IP accounting on this interface
  address             Set the IP address of an interface
  audit               Apply IDS audit name
  auth-proxy          Apply authenticaton proxy
  authentication      authentication subcommands
  bandwidth-percent   Set EIGRP bandwidth limit
  broadcast-address   Set the broadcast address of an interface
  dhcp                Configure DHCP parameters for this interface
  directed-broadcast  Enable forwarding of directed broadcasts
  hello-interval      Configures IP-EIGRP hello interval
  helper-address      Specify a destination address for UDP broadcasts
  hold-time           Configures IP-EIGRP hold time
  inspect             Apply inspect name
  irdp                ICMP Router Discovery Protocol
  mask-reply          Enable sending ICMP Mask Reply messages
  mtu                 Set IP Maximum Transmission Unit
  nat                 NAT interface commands
  nhrp                NHRP interface subcommands
  ospf                OSPF interface commands
  policy              Enable policy routing
  probe               Enable HP Probe support
  proxy-arp           Enable proxy ARP
  rarp-server         Enable RARP server for static arp entries
  redirects           Enable sending ICMP Redirect messages
  rip                 Router Information Protocol
  route-cache         Enable fast-switching cache for outgoing packets
  security            DDN IP Security Option
  split-horizon       Perform split horizon
  summary-address     Perform address summarization
  unnumbered          Enable IP processing without an explicit address
  unreachables        Enable sending ICMP Unreachable messages
  verify              Enable per packet validation
  vrf                 VPN Routing/Forwarding parameters on the interface
valerio1976
Network Emperor
Posts: 263
Joined: Fri 05 Mar 2010, 9:05 am

sacc82 wrote: Here I am!!!!!!!! Back!!!! [...]

Hi, yes you can put them under all the interfaces; if it doesn't accept the commands, most likely your IOS doesn't support them, oh well, never mind
sacc82
Cisco fan
Posts: 32
Joined: Mon 01 Aug 2005, 4:30 pm
Location: Vicenza

I'm sorry... I applied all the changes you told me, but the problem persists..

Here is the current configuration:


Code:

!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime
service timestamps log datetime
service password-encryption
service udp-small-servers
!
hostname Router
!
logging exception 100000
logging queue-limit 10000
logging buffered 150000 notifications
logging console critical
logging monitor notifications
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxx 
enable password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxx 
!
memory-size iomem 25
ip subnet-zero
!
ip inspect name myfw http java-list 10
ip inspect name myfw ftp timeout 3600
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
!
!
!
interface FastEthernet0
 ip address 192.168.1.253 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect myfw in
 speed auto
!
interface Serial0
 bandwidth 2048
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect myfw in
 encapsulation frame-relay
 load-interval 30
 no fair-queue
!
interface Serial0.1 point-to-point
 bandwidth 2048
 ip address 94.xxx.xxx.xx0 255.255.255.252
 ip access-group 131 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect myfw out
 frame-relay interface-dlci 363 IETF   
!
ip nat inside source static 192.168.1.60 94.xxx.xxx.xx5
ip nat inside source static 192.168.1.239 94.xxx.xxx.xx6
ip nat inside source static 192.168.1.50 94.xxx.xxx.xx8
ip nat inside source static 192.168.1.51 94.xxx.xxx.xx7
ip nat inside source static 192.168.1.61 94.xxx.xxx.xx9
ip nat inside source static 192.168.1.10 94.xxx.xxx.xx0
ip nat inside source static 192.168.1.62 94.xxx.xxx.xx1
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.1
no ip http server
!
access-list 101 deny   ip any host 94.xxx.xxx.xx5
access-list 101 deny   ip any host 94.xxx.xxx.xx6
access-list 101 deny   ip any host 94.xxx.xxx.xx7
access-list 101 deny   ip any host 94.xxx.xxx.xx8
access-list 101 deny   ip any host 94.xxx.xxx.xx9
access-list 101 permit tcp any host 94.xxx.xxx.xx0 eq 3101
access-list 101 deny   ip any host 94.xxx.xxx.xx0
access-list 101 deny   ip any host 94.xxx.xxx.xx1
access-list 101 deny   ip any host 94.xxx.xxx.xx2
access-list 131 remark *************************************************************
access-list 131 remark *** ACL ANTI-SPOOFING ***
access-list 131 deny   ip host 0.0.0.0 any log
access-list 131 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 131 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 131 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 131 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 131 remark *** ACL TO CONTROL ICMP TRAFFIC ***
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 deny   icmp any any
access-list 131 remark *** dns and ntp traffic ***
access-list 131 permit udp host 208.67.222.222 eq domain any
access-list 131 permit udp host 151.99.125.1 eq domain any
access-list 131 permit udp host 207.46.197.32 eq ntp any
access-list 131 permit udp host 192.43.244.18 eq ntp any
access-list 131 remark *** ACL TO BLOCK ACCESS BY VIRUSES AND ATTACKS ***
access-list 131 deny   tcp any any eq 135
access-list 131 deny   udp any any eq 135
access-list 131 deny   udp any any eq netbios-ns
access-list 131 deny   udp any any eq netbios-dgm
access-list 131 deny   tcp any any eq 139
access-list 131 deny   udp any any eq netbios-ss
access-list 131 deny   tcp any any eq 445
access-list 131 deny   tcp any any eq 593
access-list 131 deny   tcp any any eq 2049
access-list 131 deny   udp any any eq 2049
access-list 131 deny   tcp any any eq 2000
access-list 131 deny   tcp any any range 6000 6010
access-list 131 deny   udp any any eq 1433
access-list 131 deny   udp any any eq 1434
access-list 131 deny   udp any any eq 5554
access-list 131 deny   udp any any eq 9996
access-list 131 deny   udp any any eq 113
access-list 131 deny   udp any any eq 3067
access-list 131 deny   tcp any any eq 8888
access-list 131 deny   tcp any any eq 8594
access-list 131 deny   tcp any any eq 8563
access-list 131 deny   tcp any any eq 7778
access-list 131 remark *** ACL TO BLOCK UNAUTHORIZED ACCESS ***
access-list 131 deny   ip any any log
no cdp run
!
line con 0
 exec-timeout 1 30
 password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxx 
 login
line aux 0
line vty 0 4
 password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxx 
 login
!
end
KalTorak
n00b
Posts: 14
Joined: Tue 30 Mar 2010, 11:12 pm

Usually difficulty browsing is an MTU and MSS problem (mss=mtu-40)

eth0
ip tcp adjust-mss 1452
mako
Cisco fan
Posts: 68
Joined: Thu 20 Jan 2005, 11:25 am

sorry everybody.....


but what about a nice sh int s0 s0.1 and sh int fa0 ?????


are these interfaces 100% "clean" ????
sacc82
Cisco fan
Posts: 32
Joined: Mon 01 Aug 2005, 4:30 pm
Location: Vicenza

guys
thanks everyone for your collaboration, but who knows why that configuration gives those problems (among other things, with some sites it's fast, with others browsing just hangs.... dunno!)

anyway I'm posting here the solution I found... that is, a complete rebuild of the configuration changing the structure...

Code:

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable password 7 xxxxxxxxxx
!
memory-size iomem 25
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
!
!
interface FastEthernet0
 ip address 192.168.1.253 255.255.255.0 secondary
 ip address 94.xxx.xxx.195 255.255.255.248
 ip nat inside
 speed auto
!
interface Serial0
 bandwidth 1024
 no ip address
 encapsulation frame-relay
!
interface Serial0.1 point-to-point
 bandwidth 1024
 ip address 94.xxx.xxx.130 255.255.255.252
 ip nat outside
 frame-relay interface-dlci 363 IETF   
!
ip nat pool net-ibs 94.xxx.xxx.196 94.xxx.xxx.196 netmask 255.255.255.248
ip nat inside source list 1 pool net-ibs overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.1
no ip http server
!
access-list 1 permit 192.168.1.61
access-list 1 permit 192.168.1.60
access-list 1 permit 192.168.1.51
access-list 1 permit 192.168.1.50
access-list 1 permit 192.168.1.239
!
line con 0
line aux 0
line vty 0 4
 password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
 login
!
no scheduler allocate
end
now it runs like clockwork!

rock'n'roll!