
I can no longer browse with the 850, why?

Posted: Tue 22 Sep 2009, 4:26 pm
by mgaggia
I have a Cisco 850 with an IPsec VPN that works correctly, and also a PPTP one.
Now I've added an FTP server to the network and wanted to add a few restrictions. Once done, everything works as far as FTP is concerned, but from that moment on I can no longer browse the Internet and the IPsec VPN no longer works; or rather it works (the VPN light on the router is on and steady) but packets don't pass through it.
To sum up: if I remove access-list 102 everything works but I'm not protected on FTP; if I put it in, I can't browse and I can't see the IPsec VPN from the LAN.
I imagine it's enough to add browsing and the IPsec VPN to access-list 102, but I really don't know how. I've tried looking around here on the forum a bit (as I've done so far for everything else), but I really haven't managed to understand.
Here's the configuration

version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
!
hostname xxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 5120 informational
enable secret 5 $1$g/yY$nRMVhZyhSN2wqblzwVmgy/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
!
aaa session-id common
!
resource policy
!
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
no ip gratuitous-arps
!
!
ip cef
no ip bootp server
ip name-server 151.99.125.2
ip name-server 151.99.125.3
!
!
crypto pki trustpoint TP-self-signed-752872781
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-752872781
revocation-check none
rsakeypair TP-self-signed-752872781
!
!
crypto pki certificate chain TP-self-signed-752872781
certificate self-signed 01
3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 37353238 37323738 31301E17 0D303230 33303130 30303832
385A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3735 32383732
37383130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
AC9F52DB CE380AC1 7E9F4955 C5DB54F9 5D0C34C0 586E37B5 58BCBF59 14F086C8
CAA7B2E6 3C489452 78627136 F4A6A76F 37EB02E6 E9C5F97B BA60E995 98C69ED3
EA5F2A19 683D3AE6 87340444 A5F0B789 62265159 761BA6EB 84445C32 46161DE5
0A1DA279 FE249388 958389C2 F2862A50 BD1E019C 59F6E501 C9B7AF59 0C75B857
02030100 01A36630 64300F06 03551D13 0101FF04 05300301 01FF3011 0603551D
11040A30 08820654 72656E74 6F301F06 03551D23 04183016 801436CA 80438646
A4755B68 F3BB1A3A EAD4E15F FD6F301D 0603551D 0E041604 1436CA80 438646A4
755B68F3 BB1A3AEA D4E15FFD 6F300D06 092A8648 86F70D01 01040500 03818100
284FDC48 70FBBF26 736B34D4 8BBAEBF0 D0FCE1E6 8FD22B5D 1B1A09A5 FC568EE5
7A873CB3 24EBBC9D B0339885 F6BBDC74 090BD68D 5AEBAF9F 948F6A7F D4A27B97
17422CAE F77B17D6 F83500C9 20DB84D3 858101FA 82E5C14E 919BD5E5 35FC78B1
1D8A86FB 45571E5B 1FA4D9A6 41A1F908 515E4DFA FA20F1CD AAB5873E 404B424D
quit
username htc-yv password 7 00071A15075459

!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key KEY address IPPUBBLICOREMOTO
!
!
crypto ipsec transform-set ts1 esp-aes 256 esp-sha-hmac
!
crypto map 1 10 ipsec-isakmp
set peer IPPUBBLICOREMOTO
set transform-set ts1
match address 105
!
!
!
interface ATM0
description Link to Yverdon router
mtu 1500
bandwidth 608
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address MIOIPPUBBLICO 255.255.255.248
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no snmp trap link-status
pvc 8/35
protocol ip MIOIPBROADCAST broadcast
encapsulation aal5snap
!
crypto map 1
crypto ipsec df-bit clear
crypto ipsec fragmentation before-encryption
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
ip address 192.168.5.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
interface Dialer0
no ip address
!
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map NONAT interface ATM0.1 overload
ip nat inside source static tcp 192.168.5.2 20 MIOIPPUBBLICO 20 extendable
ip nat inside source static tcp 192.168.5.2 21 MIOIPPUBBLICO 21 extendable
ip nat inside source static tcp 192.168.5.2 1723 MIOIPPUBBLICO 1723 extendable
!
access-list 100 remark NAT
access-list 100 deny ip 192.168.5.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 remark telnet
access-list 101 permit tcp 192.168.5.0 0.0.0.255 any eq telnet
access-list 101 deny tcp any any eq telnet
access-list 101 permit ip any any
access-list 102 remark ftp e globale
access-list 102 permit tcp host IPPUBBLICOREMOTO host MIOIPPUBBLICO eq ftp-data
access-list 102 permit tcp host IPPUBBLICOREMOTO host MIOIPPUBBLICO eq ftp
access-list 102 permit tcp any host MIOIPPUBBLICO eq 1723
access-list 102 permit gre any any
access-list 102 deny ip any any
access-list 105 remark VPN IPSEC
access-list 105 permit ip 192.168.5.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 199 permit udp any any eq isakmp
access-list 199 permit icmp any any
route-map NONAT permit 10
match ip address 100
!
!
control-plane
!
banner motd ^C DISCONNECT WHEN YOU ARE AN AUTHORIZED^C
!
line con 0
password 7 06080622434208
logging synchronous
no modem enable
line aux 0
password 7 130B1E11040005
logging synchronous
line vty 0 4
access-class 101 in
privilege level 15
password 7 000A1A050B570A
logging synchronous
transport input telnet ssh
!
scheduler max-task-time 5000
sntp server 162.23.41.34
end
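An added example, not part of the original post, of how access-list 102 could be rewritten so that it still restricts the FTP server but no longer drops the traffic the post says is missing. Applied inbound on ATM0.1, the posted list only permits FTP, tcp/1723 and GRE, so it also drops the IPsec control and data traffic (IKE on udp/500, NAT-T on udp/4500, ESP), the replies to TCP sessions opened from the LAN, and the DNS/SNTP/ICMP answers the router and its clients depend on. The placeholders MIOIPPUBBLICO and IPPUBBLICOREMOTO, the name-server and SNTP addresses, are taken from the posted configuration; the `log` keyword on the final deny is an added choice.

```cisco
no access-list 102
access-list 102 remark ftp, pptp, ipsec and return traffic for the LAN
!
! IPsec to the remote peer: IKE (udp/500), NAT-T (udp/4500) and ESP (ip protocol 50)
access-list 102 permit udp host IPPUBBLICOREMOTO host MIOIPPUBBLICO eq isakmp
access-list 102 permit udp host IPPUBBLICOREMOTO host MIOIPPUBBLICO eq non500-isakmp
access-list 102 permit esp host IPPUBBLICOREMOTO host MIOIPPUBBLICO
!
! FTP server published through the static NAT entries (same rules as the original list)
access-list 102 permit tcp host IPPUBBLICOREMOTO host MIOIPPUBBLICO eq ftp-data
access-list 102 permit tcp host IPPUBBLICOREMOTO host MIOIPPUBBLICO eq ftp
!
! PPTP: tcp/1723 plus GRE, narrowed from "gre any any" to the router's own address
access-list 102 permit tcp any host MIOIPPUBBLICO eq 1723
access-list 102 permit gre any host MIOIPPUBBLICO
!
! Replies to TCP sessions opened from the LAN (NATed to MIOIPPUBBLICO): only
! segments with ACK or RST set, so new inbound connections are still refused
access-list 102 permit tcp any host MIOIPPUBBLICO established
!
! DNS answers from the two configured name servers and SNTP answers from the time server
access-list 102 permit udp host 151.99.125.2 eq domain host MIOIPPUBBLICO
access-list 102 permit udp host 151.99.125.3 eq domain host MIOIPPUBBLICO
access-list 102 permit udp host 162.23.41.34 eq ntp host MIOIPPUBBLICO
!
! ICMP needed for ping replies, path-MTU discovery and traceroute
access-list 102 permit icmp any host MIOIPPUBBLICO echo-reply
access-list 102 permit icmp any host MIOIPPUBBLICO unreachable
access-list 102 permit icmp any host MIOIPPUBBLICO time-exceeded
!
! Everything else is dropped and logged so blocked flows show up in "show logging"
access-list 102 deny ip any any log
```

The `established` rule does not cover UDP traffic from LAN clients that use resolvers other than the two listed, nor passive-mode FTP data connections to the server, which arrive on high ports that this list never permits; both need explicit entries if they are required. If the tunnel still passes no traffic after the change, check with `show crypto ipsec sa` whether packets are being decrypted at all before looking further at the ACL.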