NAT translation or ACL problem?

Posted: Wed 21 Jul 2010, 8:18 pm
by sanvil
Hello everyone, I would like to ask for some information.

I have a fibre line with Fastweb, with 9 static IPs assigned and NATed to the internal network.

On the internal network I have a VPN and Jabber server (192.168.1.2); I am running into a lot of problems, surely because something is being blocked! :P

In the NAT translation section there are port-timeout values; could they be what is affecting this?

On the server I use the GRE and ESP protocols, UDP port 500 and UDP port 1701.

I have not created any access list apart from the primary one. If no access list were active, apart from the access list for the local network, are the packets blocked or do they go directly to the NATed internal IP? Is the passage transparent? Or do I have to apply other rules?

Do I have to change the timings? Do I have to specify the ports I use? Thanks and regards.

Here is my config.

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SanvilR0
!
boot-start-marker
boot system flash:c2800nm-advipservicesk9-mz.124-15.T5.bin
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096
logging console critical
enable secret 5 $1$YMkk@sa5Y$fYSARsHZUJcqxddWa6w6T.
enable password 7 1511021F0722256573377038233971
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
aaa session-id common
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
!
ip cef
!
!
no ip bootp server
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
login block-for 30 attempts 3 within 10
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username sanvil password 7 13510702075F4A672922372B83C
archive
 log config
  logging enable
  hidekeys
! 
!
!         
!
!
!
!
!
interface FastEthernet0/0
 description collegamento fastweb
 ip address 23.b.cc.56 255.255.255.0
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
 no mop enabled
!
interface FastEthernet0/1
 description Collegamento alla LAN interna
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed auto
 no cdp enable
 no mop enabled
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 23.b.cc.1
!
!
no ip http server
no ip http secure-server
ip nat translation timeout 10
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 301
ip nat translation finrst-timeout 61
ip nat translation syn-timeout 50
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 10
ip nat translation port-timeout tcp 6346 5
ip nat translation port-timeout tcp 6347 5
ip nat translation port-timeout tcp 6348 5
ip nat translation port-timeout tcp 6349 5
ip nat translation port-timeout udp 6346 5
ip nat translation port-timeout udp 6347 5
ip nat translation port-timeout udp 6348 5
ip nat translation port-timeout udp 6349 5
ip nat translation port-timeout udp 137 5
ip nat translation port-timeout tcp 1214 5
ip nat translation port-timeout tcp 20 1000
ip nat translation port-timeout tcp 21 1000
ip nat translation port-timeout udp 20 1000
ip nat translation port-timeout udp 21 1000
ip nat translation port-timeout tcp 1001 1000
ip nat translation port-timeout tcp 1002 1000
ip nat translation port-timeout tcp 1724 1000
ip nat translation port-timeout tcp 1726 1000
ip nat pool natpool 23.b.cc.58 23.b.cc.58 netmask 255.255.255.0
ip nat inside source list 1 pool natpool overload
ip nat inside source static 192.168.1.10 93.bb.cc.dd
ip nat inside source static 192.168.1.2 93.bb.cc.dd
ip nat inside source static 192.168.1.3 93.bb.cc.dd
ip nat inside source static 192.168.1.4 93.bb.cc.dd
ip nat inside source static 192.168.1.5 93.bb.cc.dd
ip nat inside source static 192.168.1.6 93.bb.cc.dd
ip nat inside source static 192.168.1.7 93.bb.cc.dd
ip nat inside source static 192.168.1.8 93.bb.cc.dd
ip nat inside source static 192.168.1.9 93.bb.cc.dd
!
!
logging trap debugging
logging facility local2
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp run
!         
!         
!         
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^C^C
!
line con 0
 exec-timeout 5 0
 password 7 09185E19155656805911021F00725
 logging synchronous
 login authentication local_auth
 transport output telnet
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 password 7 055F16166F2D1777F000A1000016141D
 login authentication local_auth
 transport input telnet
!
scheduler allocate 20000 1000
!
end

Regards

Posted: Thu 22 Jul 2010, 12:32 pm
by sanvil
I cannot tell whether the translation timeouts

ip nat translation timeout 10
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 301
ip nat translation finrst-timeout 61
ip nat translation syn-timeout 50
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 10

are low??

Does the ACL have to be standard?
access-list 1 permit 192.168.1.0 0.0.0.255

or extended?
access-list 100 permit 192.168.1.0 0.0.0.255
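Added example (not the poster's or Cisco's code): a small Python linter that reads the NAT-related lines of an IOS 12.4 config like the one posted above and reports the two things asked about in these posts, timeouts set below the IOS defaults (the default values are assumed here from the Cisco documentation) and whether the ACL that the NAT source list refers to is a standard or an extended number; it also flags static mappings that share one inside-global address, as the pasted config shows. The sample config lines are a constructed excerpt of the posted one.

```python
import re
from collections import defaultdict

# 'ip nat translation' defaults in seconds, assumed here from the IOS 12.4 documentation.
NAT_TIMEOUT_DEFAULTS = {
    "timeout": 86400, "tcp-timeout": 86400, "udp-timeout": 300, "finrst-timeout": 60,
    "syn-timeout": 60, "dns-timeout": 60, "icmp-timeout": 60,
}

def acl_kind(number):
    """Classify a numbered IOS ACL by its number range."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    return "extended" if 100 <= number <= 199 or 2000 <= number <= 2699 else "unknown"

def lint_nat(config):
    """Report timeouts set below default, static inside-global addresses shared by
    several inside hosts, and the kind of ACL each NAT source list refers to."""
    low, statics, acls, nat_lists = {}, defaultdict(list), {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"ip nat translation (\S+-timeout|timeout) (\d+)$", line):
            key, val = m.group(1), int(m.group(2))
            if key in NAT_TIMEOUT_DEFAULTS and val < NAT_TIMEOUT_DEFAULTS[key]:
                low[key] = (val, NAT_TIMEOUT_DEFAULTS[key])
        elif m := re.match(r"ip nat inside source static (\S+) (\S+)$", line):
            statics[m.group(2)].append(m.group(1))  # inside-global -> inside-local hosts
        elif m := re.match(r"ip nat inside source list (\d+) ", line):
            nat_lists.append(int(m.group(1)))
        elif m := re.match(r"access-list (\d+) (permit|deny)", line):
            acls[int(m.group(1))] = acl_kind(int(m.group(1)))
    return {
        "timeouts_below_default": low,
        "shared_globals": {g: len(h) for g, h in statics.items() if len(h) > 1},
        "acl_kinds": {n: acls.get(n, "undefined") for n in nat_lists},
    }

# Constructed excerpt: the NAT-related lines of the posted config.
SAMPLE_CONFIG = """
ip nat translation timeout 10
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 301
ip nat translation syn-timeout 50
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 10
ip nat inside source list 1 pool natpool overload
ip nat inside source static 192.168.1.2 93.bb.cc.dd
ip nat inside source static 192.168.1.3 93.bb.cc.dd
access-list 1 permit 192.168.1.0 0.0.0.255
"""
```

On the sample, udp-timeout 301 is at its default, so only the generic, TCP, SYN, DNS and ICMP timeouts are reported, list 1 resolves to a standard ACL, and 93.bb.cc.dd is flagged as shared by two inside hosts.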

Posted: Thu 22 Jul 2010, 8:13 pm
by sanvil
Hello everyone,

there have been developments; the problem is the following:

if two people connect over the VPN from the same site, this happens:
the first one to connect is assigned the IP 192.168.1.200 by the VPN server 192.168.1.2 and can be pinged; as soon as the other person connects, it is no longer possible to ping them, but the new client with IP 192.168.1.201 becomes pingable!

What do you think? Any ideas on how to resolve this situation?