
aiuto alice multigroup

Inviato: gio 20 mag , 2010 3:36 pm
da valerio1976
Ciao a tutti, mi potete aiutare a capire? Allora, io ho questi IP:

Ip assegnati 85.47.x.x 255.255.255.248
Ip gateway 85.47.x.y
Ip punto-punto 88.61.69.w 255.255.255.252


Current configuration : 4536 bytes
!
! REVIEW (English notes added as "!" comment lines, which the IOS parser
! ignores): first of three revisions posted in this thread. Perimeter router
! for LAN 192.168.11.0/24 with NAT overload to a public /29, an IKEv1/IPsec
! site-to-site tunnel to a masked peer, and an NBAR HTTP content filter.
! Public addresses are masked (x/y/xx) by the author.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! Only applies the reversible type-7 encoding to passwords in the config;
! this is obfuscation, not protection.
service password-encryption
!
hostname test
!
boot-start-marker
boot-end-marker
!
logging exception 100000
logging count
logging queue-limit 10000
logging buffered 150000 notifications
logging console critical
! Type-7 enable password: reversible, and here disclosed verbatim in a public
! post. Treat it as compromised: replace with "enable secret <NEW-SECRET>"
! (placeholder) and rotate. No "logging host" is configured, so the buffered
! log is lost on reload.
enable password 7 154658590779297029616C233306
!
! AAA disabled: authentication is per-line only (see the "line" section).
no aaa new-model
memory-size iomem 15
! Source-routed packets are dropped; appropriate on a perimeter device.
no ip source-route
ip cef table event-log
ip cef
!
!
!
!
ip name-server 151.99.125.1
ip name-server 151.99.0.100
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
! NBAR content filter on plain-text HTTP only (URL, Host header, MIME type).
! Nothing in this config inspects TLS, so HTTPS to the same sites is not
! matched. The url/host strings are NBAR wildcard patterns, not full regexes.
class-map match-any ADULT-URL
match protocol http url "*porn"
match protocol http url "porn*"
match protocol http url ".*xxx*."
match protocol http url ".xxx*."
match protocol http url ".*xxx."
match protocol http url "*facebook*"
match protocol http url "*youtube*"
match protocol http host "*youtube.com*|*video.google.com*"
match protocol http mime "video/flv|video/x-flv|video/mp4|video/x-m4v|audio/mp4"
match protocol http mime "video/3gpp|video/quicktime"
match protocol http url "*.flv|*.mp4|*.m4v|*.m4a|*.3gp|*.mov"
match protocol http host "*facebook*"
match protocol http host "*porn*"
match protocol http host "*youtube*"
match protocol http host "*megavideo*"
!
!
! Matching flows are dropped inline; applied inbound on FastEthernet0/0 below.
policy-map FILTER-ADULT
class ADULT-URL
drop
!
!
!
! IKEv1 phase 1: pre-shared key, 3DES, DH group 2. Both 3DES and group 2 are
! deprecated; prefer AES and a larger DH group if the peer supports them.
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
! The PSK is a short numeric string and is disclosed in this post; rotate it
! to a long random value (<NEW-PSK>, placeholder) on both peers.
crypto isakmp key 123456789 address xx.xx.xx.xx
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
! Phase 2: interesting traffic is selected by ACL 101 (192.168.11.0/24 <->
! 192.168.4.0/22).
crypto map mymap 10 ipsec-isakmp
set peer xx.xx.xx.xx
set security-association lifetime kilobytes 86400
set security-association lifetime seconds 28800
set transform-set myset
match address 101
!
!
!
! The public /29 sits on a loopback that is also a NAT outside interface and
! the only interface carrying the crypto map. NOTE(review): a loopback is
! never the egress interface, so IPsec and NAT bound only here are not
! expected to work; the later revisions in the thread move them to Fa0/0.
interface Loopback0
description ***default gateway***
ip address 85.47.x.x 255.255.255.248
ip nat outside
ip virtual-reassembly
crypto map mymap
!
! LAN side. ICMP redirects/unreachables and proxy-ARP are off (good). No
! "ip access-group" is applied on this or any other interface, so the router
! does no ingress filtering at all; an inbound ACL on the WAN side is the
! obvious missing control.
interface FastEthernet0/0
description *** LAN Inside ***
ip address 192.168.11.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
duplex auto
speed auto
service-policy input FILTER-ADULT
!
! Unused port, administratively down (good).
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
atm restart timer 300
no atm ilmi-keepalive
dsl operating-mode auto
!
! Point-to-point uplink. The mask here is /24, while the post header gives the
! point-to-point link as /30 (255.255.255.252) -- one of the two is wrong.
interface ATM0/0/0.1 point-to-point
description *** Point-to-Point Telecom ***
ip address 88.61.69.xx 255.255.255.0
ip nat outside
ip virtual-reassembly
pvc 8/35
encapsulation aal5snap
!
!
interface Dialer0
no ip address
!
ip forward-protocol nd
! Default route via the point-to-point subinterface (no next hop needed).
ip route 0.0.0.0 0.0.0.0 ATM0/0/0.1
!
!
! HTTP and HTTPS management are disabled; only the vty lines remain reachable.
no ip http server
ip http authentication local
no ip http secure-server
! PAT using the loopback address as the outside address; see Loopback0 note.
ip nat inside source list 102 interface Loopback0 overload
!
logging history notifications
! ACL 101: crypto-map selector (traffic that must enter the tunnel).
access-list 101 remark ***********************************************
access-list 101 remark ** NAT Traveseral **
access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.4.0 0.0.3.255
! ACL 102: NAT candidates. Tunnel traffic is exempted first. The deny lines for
! 0.0.0.0, 127/8, 224/3, 10/8 and 172.16/12 only filter what the LAN sends out
! through NAT; they are not an anti-spoofing filter on the WAN side.
access-list 102 deny ip 192.168.11.0 0.0.0.255 192.168.4.0 0.0.3.255
access-list 102 deny ip host 0.0.0.0 any log
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 224.0.0.0 31.255.255.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 permit ip 192.168.11.0 0.0.0.255 any
! 192.168.4.0/24 is the remote tunnel network per ACL 101; permitting it as a
! NAT source here looks unintended -- verify.
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
! Evaluated top-down: this deny covers only 192.0.0.0/24 and is reached only by
! sources not matched above; presumably a different prefix was meant -- verify.
access-list 102 deny ip 192.0.0.0 0.0.0.255 any
! ACL 150 / DENY-ADULT: policy-route DSCP-5 traffic to Null0. Nothing in this
! config marks DSCP 5 (FILTER-ADULT drops rather than marks) and the route-map
! is not applied with "ip policy" on any interface, so it is currently inert.
access-list 150 permit ip any any dscp 5
access-list 150 deny ip any any
! CDP disabled globally; appropriate on a perimeter device.
no cdp run
!
route-map DENY-ADULT permit 10
match ip address 150
set interface Null0
!
!
!
control-plane
!
!
banner motd ^CCC
****************************************************************
----------------------------------------------------------------
* *** ROUTER PERIMETRALE *** *
----------------------------------------------------------------
* WARNING: System is RESTRICTED to authorized personnel ONLY! *
* Unauthorized use of this system will be logged and *
* prosecuted to the fullest extent of the law. *
* *
* If you are NOT authorized to use this system, LOG OFF NOW! *
* *
****************************************************************^C
!
! Lines: console and vty have "login" but no line password is set, so IOS
! refuses those logins ("password required, but none set") -- fail-closed,
! but also no working remote management. No "transport input ssh" is present,
! so the vty default (telnet, cleartext) applies, and aux 0 has no "login" at
! all. Recommended: "login local" with a local user (or "password
! <LINE-PASSWORD>", placeholder), "transport input ssh" once SSH is set up,
! "access-class" to limit sources, and "exec-timeout".
line con 0
login
line aux 0
line vty 0 5

login
!
scheduler allocate 20000 1000
end

Il problema è che dall'esterno pingo la mia loopback, ma come applico gli altri IP?
sto impazzendo

Grazie

ora funzia

Inviato: gio 20 mag , 2010 5:22 pm
da valerio1976
Current configuration : 4481 bytes
!
! REVIEW (English notes added as "!" comment lines, ignored by the IOS
! parser): second revision posted in the thread ("ora funzia"). Loopback0 is
! gone; the public /29 is now the primary address of the LAN interface, which
! also carries NAT overload and the crypto map, and the ATM subinterface is
! unnumbered to it. Public addresses are masked (x/xxx) by the author.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! Reversible type-7 encoding only; obfuscation, not protection.
service password-encryption
!
hostname prova
!
boot-start-marker
boot-end-marker
!
logging exception 100000
logging count
logging queue-limit 10000
logging buffered 150000 notifications
logging console critical
! Same type-7 enable password as the first revision, again disclosed in the
! post. Replace with "enable secret <NEW-SECRET>" (placeholder) and rotate.
enable password 7 154658590779297029616C233306
!
! AAA disabled: per-line authentication only (see "line" section).
no aaa new-model
memory-size iomem 15
no ip source-route
ip cef table event-log
ip cef
!
!
!
!
ip name-server 151.99.125.1
ip name-server 151.99.0.100
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
! NBAR content filter: plain-text HTTP only (URL, Host header, MIME type);
! HTTPS to the same sites is not matched.
class-map match-any ADULT-URL
match protocol http url "*porn"
match protocol http url "porn*"
match protocol http url ".*xxx*."
match protocol http url ".xxx*."
match protocol http url ".*xxx."
match protocol http url "*facebook*"
match protocol http url "*youtube*"
match protocol http host "*youtube.com*|*video.google.com*"
match protocol http mime "video/flv|video/x-flv|video/mp4|video/x-m4v|audio/mp4"
match protocol http mime "video/3gpp|video/quicktime"
match protocol http url "*.flv|*.mp4|*.m4v|*.m4a|*.3gp|*.mov"
match protocol http host "*facebook*"
match protocol http host "*porn*"
match protocol http host "*youtube*"
match protocol http host "*megavideo*"
!
!
! Matching flows are dropped inline (applied inbound on FastEthernet0/0).
policy-map FILTER-ADULT
class ADULT-URL
drop
!
!
!
! IKEv1 phase 1: PSK, 3DES, DH group 2 (both deprecated; prefer AES and a
! larger group if the peer supports them).
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
! Five-digit numeric PSK, disclosed in the post: rotate to a long random value
! (<NEW-PSK>, placeholder) on both peers.
crypto isakmp key 12345 address 89.97.xxx.xxx
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
! Phase 2: interesting traffic selected by ACL 101.
crypto map mymap 10 ipsec-isakmp
set peer 89.97.xxx.xxx
set security-association lifetime kilobytes 86400
set security-association lifetime seconds 28800
set transform-set myset
match address 101
!
!
!
! LAN interface carrying BOTH the public /29 (primary) and the private LAN
! (secondary). The public subnet is therefore on the LAN segment itself, and
! this inside interface's own address is the NAT overload address (below).
! NOTE(review): this works per the author, but it puts public hosts and NATed
! private hosts on one broadcast domain with no ACL between them. No
! "ip access-group" exists anywhere in this config -- no ingress filtering.
interface FastEthernet0/0
description *** LAN Inside ***
ip address 192.168.11.1 255.255.255.0 secondary
ip address 85.47.x.x 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
duplex auto
speed auto
no keepalive
crypto map mymap
service-policy input FILTER-ADULT
!
! Unused port, administratively down (good).
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
atm restart timer 300
no atm ilmi-keepalive
dsl operating-mode auto
!
! Uplink borrows Fa0/0's primary (public) address; NAT outside and the crypto
! map are now on the actual egress interface.
interface ATM0/0/0.1 point-to-point
description *** Point-to-Point Telecom ***
ip unnumbered FastEthernet0/0
ip nat outside
ip virtual-reassembly
crypto map mymap
pvc 8/35
encapsulation aal5snap
!
!
interface Dialer0
no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0/0/0.1
!
!
! HTTP/HTTPS management disabled; only the vty lines are reachable.
no ip http server
ip http authentication local
no ip http secure-server
! PAT on the Fa0/0 (public primary) address.
ip nat inside source list 102 interface FastEthernet0/0 overload
!
logging history notifications
! ACL 101: crypto-map selector.
access-list 101 remark ***********************************************
access-list 101 remark ** NAT Traveseral **
access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.4.0 0.0.3.255
! ACL 102: NAT candidates. The LAN permit now precedes the bogon denies; since
! 192.168.11.0/24 overlaps none of them this is harmless, but the denies only
! filter LAN-originated NAT traffic, not inbound WAN traffic.
access-list 102 deny ip 192.168.11.0 0.0.0.255 192.168.4.0 0.0.3.255
access-list 102 permit ip 192.168.11.0 0.0.0.255 any
access-list 102 deny ip host 0.0.0.0 any log
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 224.0.0.0 31.255.255.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
! 192.168.4.0/24 is the remote tunnel network per ACL 101; NAT-ing it as a
! source looks unintended -- verify.
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
! Reached only by sources not matched above and covers only 192.0.0.0/24.
access-list 102 deny ip 192.0.0.0 0.0.0.255 any
! ACL 150 / DENY-ADULT: nothing marks DSCP 5 here and the route-map is not
! applied with "ip policy" on any interface, so it is inert in this revision.
access-list 150 permit ip any any dscp 5
access-list 150 deny ip any any
no cdp run
!
route-map DENY-ADULT permit 10
match ip address 150
set interface Null0
!
!
!
control-plane
!
!
banner motd ^CCC
****************************************************************
----------------------------------------------------------------
* *** ROUTER PERIMETRALE *** *
----------------------------------------------------------------
* WARNING: System is RESTRICTED to authorized personnel ONLY! *
* Unauthorized use of this system will be logged and *
* prosecuted to the fullest extent of the law. *
* *
* If you are NOT authorized to use this system, LOG OFF NOW! *
* *
****************************************************************^C
!
! Lines: "login" with no line password set means IOS refuses the login
! (fail-closed, no remote management); vty transport is the telnet default
! since no "transport input ssh" is present; aux 0 has no "login".
! Recommended: "login local" (or "password <LINE-PASSWORD>", placeholder),
! "transport input ssh", "access-class", "exec-timeout".
line con 0
login
line aux 0
line vty 0 5
login
!
scheduler allocate 20000 1000
end

Inviato: gio 20 mag , 2010 6:36 pm
da Gianremo.Smisek
in che senso come applichi?

Assegna un indirizzo della tua classe a un'interfaccia (che sarà il gateway) e poi gli altri ai client in LAN.

ciao!

Inviato: ven 21 mag , 2010 10:03 am
da valerio1976
intel ha scritto:in che senso come applichi?

assegna un indirizzo della tua classe ad una interfaccia (che sara' il gw) e poi al resto dei client in lan..

ciao!
ciao intel,

nel senso che nella mia profonda ignoranza pensavo di fare una cosa del genere

alla regola del NAT vorrei assegnare una Loopback0

e poi creare un'altra Loopback1 con l'indirizzo pubblico

solo che ovviamente mi va in overlapping

grazie

Inviato: ven 21 mag , 2010 10:31 am
da valerio1976
didigno ha scritto:Ciao, scusa se mi intrometto, ma se leggi qualche post recente il nat non va mai fatto con la loopback.



Ciao
No, anzi, fai proprio bene a intrometterti: ora posto la configurazione attuale,
che funziona, cioè dall'esterno pingo l'IP pubblico del router e dal router pingo tutto... a parte che non mi funziona la VPN LOOOL... Secondo voi questa configurazione va bene?

Grazie ragazzi per i consigli

Current configuration : 4629 bytes
!
! REVIEW (English notes added as "!" comment lines, ignored by the IOS
! parser): third revision posted in the thread. Loopback0 is back as the NAT
! outside / crypto interface, the ATM subinterface is unnumbered to the
! private LAN interface, and the author reports ping works but the VPN does
! not. Two lines (Loopback0 address, broadcast-address) carry the author's own
! inline annotations; they are reproduced unchanged. Addresses are masked.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! Reversible type-7 encoding only; obfuscation, not protection.
service password-encryption
!
hostname prova
!
boot-start-marker
boot-end-marker
!
logging exception 100000
logging count
logging queue-limit 10000
logging buffered 150000 notifications
logging console critical
! Same type-7 enable password as the earlier revisions, disclosed in the post.
! Replace with "enable secret <NEW-SECRET>" (placeholder) and rotate. This is
! the only credential guarding privileged mode -- see the vty note at the end.
enable password 7 154658590779297029616C233306
!
! AAA disabled: per-line authentication only.
no aaa new-model
memory-size iomem 15
no ip source-route
ip cef table event-log
ip cef
!
!
!
!
ip name-server 151.99.125.1
ip name-server 151.99.0.100
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
! NBAR content filter: plain-text HTTP only (URL, Host header, MIME type);
! HTTPS to the same sites is not matched.
class-map match-any ADULT-URL
match protocol http url "*porn"
match protocol http url "porn*"
match protocol http url ".*xxx*."
match protocol http url ".xxx*."
match protocol http url ".*xxx."
match protocol http url "*facebook*"
match protocol http url "*youtube*"
match protocol http host "*youtube.com*|*video.google.com*"
match protocol http mime "video/flv|video/x-flv|video/mp4|video/x-m4v|audio/mp4"
match protocol http mime "video/3gpp|video/quicktime"
match protocol http url "*.flv|*.mp4|*.m4v|*.m4a|*.3gp|*.mov"
match protocol http host "*facebook*"
match protocol http host "*porn*"
match protocol http host "*youtube*"
match protocol http host "*megavideo*"
!
!
! Matching flows are dropped inline (applied inbound on FastEthernet0/0).
policy-map FILTER-ADULT
class ADULT-URL
drop
!
!
!
! IKEv1 phase 1: PSK, 3DES, DH group 2 (both deprecated; prefer AES and a
! larger group if the peer supports them).
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
! Four-digit numeric PSK, disclosed in the post: rotate to a long random value
! (<NEW-PSK>, placeholder) on both peers.
crypto isakmp key 1234 address 89.97.186.xxx
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
! Phase 2: interesting traffic selected by ACL 101.
crypto map mymap 10 ipsec-isakmp
set peer 89.97.186.xxx
set security-association lifetime kilobytes 86400
set security-association lifetime seconds 28800
set transform-set myset
match address 101
!
!
!
! Public /29 on a loopback that is the only "ip nat outside" interface and the
! only interface carrying the crypto map. NOTE(review): the egress interface
! (ATM0/0/0.1 below) has neither, so neither NAT nor IPsec is bound to the
! path traffic actually takes; this is consistent with the author's report
! that the VPN does not work. The trailing "---indirizzo pubblico---" is the
! author's annotation, not IOS syntax.
interface Loopback0
ip address 85.47.x.x 255.255.255.248 ---indirizzo pubblico---
ip nat outside
ip virtual-reassembly
crypto map mymap
!
!
!
! LAN side. "ip policy route-map DENY-ADULT" is now applied here (see ACL 150
! note). No "ip access-group" exists anywhere in this config -- no ingress
! filtering on the WAN side.
interface FastEthernet0/0
description *** LAN Inside ***
ip address 192.168.11.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
ip policy route-map DENY-ADULT
duplex auto
speed auto
no keepalive
service-policy input FILTER-ADULT
!
! Unused port, administratively down (good).
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
atm restart timer 300
no atm ilmi-keepalive
dsl operating-mode auto
!
! Uplink is unnumbered to Fa0/0, whose address is the PRIVATE 192.168.11.1, so
! router-originated traffic on this link is sourced from a private address.
! "ip broadcast-address" sets the interface's directed-broadcast address; it
! is not a next-hop / default-gateway setting, so the "<--gateway" annotation
! describes an intent the command does not implement. No "ip nat outside" and
! no "crypto map" here (see Loopback0 note).
interface ATM0/0/0.1 point-to-point
description *** Point-to-Point Telecom ***
ip unnumbered FastEthernet0/0
ip broadcast-address 85.47.x.x <--gateway
ip virtual-reassembly
pvc 8/35
encapsulation aal5snap
!
!
interface Dialer0
no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0/0/0.1
!
!
! HTTP/HTTPS management disabled; only the vty lines are reachable.
no ip http server
ip http authentication local
no ip http secure-server
! PAT on the loopback address; see the Loopback0 / ATM0/0/0.1 notes.
ip nat inside source list 102 interface Loopback0 overload
!
logging history notifications
! ACL 101: crypto-map selector.
access-list 101 remark ***********************************************
access-list 101 remark ** NAT Traveseral **
access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.4.0 0.0.3.255
! ACL 102: NAT candidates; the denies only filter LAN-originated NAT traffic,
! not inbound WAN traffic.
access-list 102 deny ip 192.168.11.0 0.0.0.255 192.168.4.0 0.0.3.255
access-list 102 permit ip 192.168.11.0 0.0.0.255 any
access-list 102 deny ip host 0.0.0.0 any log
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 224.0.0.0 31.255.255.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
! 192.168.4.0/24 is the remote tunnel network per ACL 101; NAT-ing it as a
! source looks unintended -- verify.
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
! Reached only by sources not matched above and covers only 192.0.0.0/24.
access-list 102 deny ip 192.0.0.0 0.0.0.255 any
! ACL 150 / DENY-ADULT: now applied via "ip policy" on Fa0/0, but nothing in
! this config marks DSCP 5 (FILTER-ADULT drops rather than marks), so only
! packets that arrive from the LAN already marked DSCP 5 are null-routed.
access-list 150 permit ip any any dscp 5
access-list 150 deny ip any any
no cdp run
!
route-map DENY-ADULT permit 10
match ip address 150
set interface Null0
!
!
!
control-plane
!
!
banner motd ^C
****************************************************************
----------------------------------------------------------------
* *** ROUTER PERIMETRALE *** *
----------------------------------------------------------------
* WARNING: System is RESTRICTED to authorized personnel ONLY! *
* Unauthorized use of this system will be logged and *
* prosecuted to the fullest extent of the law. *
* *
* If you are NOT authorized to use this system, LOG OFF NOW! *
* *
****************************************************************^C
!
! Lines: unlike the earlier revisions, "line vty 0 5" shows no "login" at
! all. On IOS the vty default is "login" and it appears in the running config,
! so its absence indicates "no login" was configured -- i.e. anyone who can
! reach a vty (telnet, the transport default) gets user EXEC with no password,
! and only the type-7 enable password above stands between that and
! privileged mode. NOTE(review): confirm this is not a paste omission; if it
! is real it is the most urgent item in this config. Recommended: "login
! local" with a local user (or "password <LINE-PASSWORD>", placeholder),
! "transport input ssh", "access-class" to limit sources, "exec-timeout";
! aux 0 likewise has no "login".
line con 0
login
line aux 0
line vty 0 5
!
scheduler allocate 20000 1000
end