CiscoForums.it

Salve a tutti,
devo pubblicare su internet un server ftp e ho aggiunto la regola del nat, ma credo le access-list mi bloccano, la connessione è fastweb ed è stato aggiunto a valle un altro router cisco per fare i vari nat che servono, per cui sulla config ci sono lato wan una sottorete 10.0.0.0 e lato lan 192.168.1.0, non capisco perchè non funzioni, mi pare lato acl ci sia tutto...o no?!

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname pincopallo
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 xxx.xxxxxx.xxxxxx.xxx
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
!
!
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name edilportale.com
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-2741982093
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2741982093
revocation-check none
rsakeypair TP-self-signed-2741982093
!
!
crypto pki certificate chain TP-self-signed-2741982093
certificate self-signed 01
30820253 308201BC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32373431 39383230 3933301E 170D3036 30313330 32313432
35345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 37343139
38323039 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AC53 50C8F9F8 8BB9D4BC F1E0E8AF C6379CF4 A1DCD797 0D784928 248EE0E4
6A61B5C6 8E51B542 4A47EE34 21831646 5D7ED6C1 F93FF4BD 405522C2 27E3A0B1
F79782C2 11012005 072CAC80 302FFBC4 2886BDA8 6FA10A89 397FFAF9 F1FB704E
F0AF2271 9CD1BE3B C0730511 F0E501AD 933B7941 072F1D20 B14D7616 D6CFBFBC
0D290203 010001A3 7B307930 0F060355 1D130101 FF040530 030101FF 30260603
551D1104 1F301D82 1B456469 6C706F72 74616C65 2E656469 6C706F72 74616C65
2E636F6D 301F0603 551D2304 18301680 1407AFBE CB455F7C 80613BAC CBB2B512
96FADDA1 BF301D06 03551D0E 04160414 07AFBECB 455F7C80 613BACCB B2B51296
FADDA1BF 300D0609 2A864886 F70D0101 04050003 8181008C BB38643C 3868FD80
DA3A3205 2CE0146D 18769438 78BF9D84 DD082159 8712740F 5741951E C56238DB
2C7FB7AC D6609AA5 DB7D5845 33BD1479 7194835F B407ED19 E3D91121 A1FF1CFF
FCE7ED06 F740BB98 74518E60 DA71639C C604E1B7 95477466 56FC3FEC 0E76D5C8
A0420D50 4E7D3719 D2DAE680 23CD650F DE6183D9 BC064D
quit
username yyyyyy password 7 vvvvvvvvv
username yyyyyy password 7 vvvvvvvvv
!
!
!
!
!
interface FastEthernet0
no cdp enable
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
no cdp enable
!
interface FastEthernet4
ip address 10.0.0.3 255.255.255.0
ip access-group 119 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.3 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
no ip http server
ip http secure-server
ip nat pool edil 10.0.0.4 10.0.0.4 prefix-length 24
ip nat inside source list 1 pool edil overload
ip nat inside source static tcp 192.168.1.253 20 interface FastEthernet4 20
ip nat inside source static tcp 192.168.1.253 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.1.97 3389 10.0.0.5 3389 extendable
ip nat inside source static 192.168.1.254 10.0.0.6
!
logging trap debugging
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 deny ip 10.0.0.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 119 deny ip 192.168.1.0 0.0.0.255 any
access-list 119 permit icmp any host 10.0.0.3 echo-reply
access-list 119 permit icmp any host 10.0.0.3 time-exceeded
access-list 119 permit icmp any host 10.0.0.3 unreachable
access-list 119 permit ip 82.91.xxx.xxx 0.0.0.7 192.168.1.0 0.0.0.255
access-list 119 permit ip 82.91.xxx.xxx 0.0.0.7 10.0.0.0 0.0.0.255
access-list 119 permit ip host 89.119.xxx.xxx 192.168.1.0 0.0.0.255
access-list 119 permit ip host 89.119.xxx.xxx 10.0.0.0 0.0.0.255
access-list 119 permit ip 85.20.xxx.xxx 0.0.0.7 192.168.1.0 0.0.0.255
access-list 119 permit ip 85.20.xxx.xxx 0.0.0.7 10.0.0.0 0.0.0.255
access-list 119 permit ip host 84.220.41.244 10.0.0.0 0.0.0.255
access-list 119 permit tcp any host 10.0.0.6 eq 1723
access-list 119 permit udp any host 10.0.0.6 eq 1723
access-list 119 permit gre any host 10.0.0.6
access-list 119 permit tcp any host 10.0.0.5 eq 3389
access-list 119 permit tcp host 138..xx.xx.xx 0.0.0.0 255.255.255.0 eq 1433
access-list 119 permit tcp host 138..xx.xx.xx 0.0.0.0 255.255.255.0 eq 1434
access-list 119 permit tcp host 138.xx.xx.xx 0.0.0.0 255.255.255.0 eq 1954
access-list 119 permit udp host 138.xx.xx.xx 0.0.0.0 255.255.255.0 eq 1434
access-list 119 permit tcp any host 10.0.0.6 eq www
access-list 119 permit tcp any host 10.0.0.6 eq 443
access-list 119 permit udp any 10.0.0.0 0.0.0.255 eq domain
access-list 119 permit udp any 192.168.1.0 0.0.0.255 eq domain
access-list 119 permit tcp any 10.0.0.0 0.0.0.255 gt 1023 established
access-list 119 permit udp any 192.168.1.0 0.0.0.255 gt 1023 log
access-list 119 permit tcp any eq ftp 10.0.0.0 0.0.0.255 eq ftp
access-list 119 permit tcp any eq ftp 192.168.1.0 0.0.0.255 eq ftp
access-list 119 permit tcp any eq ftp-data 10.0.0.0 0.0.0.255 gt 1023
access-list 119 permit tcp any eq ftp-data 192.168.1.0 0.0.0.255 gt 1023
access-list 119 permit udp any 10.0.0.0 0.0.0.255 gt 1023
access-list 119 permit udp any 192.168.1.0 0.0.0.255 gt 1023
access-list 119 deny ip 10.0.0.0 0.255.255.255 any
access-list 119 deny ip 172.16.0.0 0.15.255.255 any
access-list 119 deny ip 192.168.0.0 0.0.255.255 any
access-list 119 deny ip 127.0.0.0 0.255.255.255 any
access-list 119 deny ip 224.0.0.0 0.255.255.255 any
access-list 119 deny ip host 255.255.255.255 any
access-list 119 deny ip host 0.0.0.0 any
access-list 119 deny ip any any log
no cdp run
!
control-plane
!
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

DOpo varie peripezie ho configurato il tutto in modo che con ftp attivo funziona, la cosa buffa è che l'ftp passivo non va e la cosa mi fa ridere perchè in genere la modalità passiva si usa dietro a firewall et simila.
Non sono praticissimo di server ftp, possibile che vada abilitato sul server la modalità passiva?! E io mi danno l'anima per nulla?!

ciao, premesso che fastweb che hai tu, ha un ip pubblico, oppure che tu usi il tuo ip nat per far accedere altri fastweb, devi abilitare il passive mode sul programma che usi.

io uso serv-u e nei setting avanzati, metto: force passive mode data transfer , use this ip: e li metto ip di internet;

poi metto un pasv port range; in genere se per ftp uso la porta 20000; al router apro dalla 20000 alla 2005; la 20000 la uso per ftp e dalla 20001 alla 20005 la uso per il passive port

spero di esserti stato utile