Hi everyone,
with an Alice ADSL line (no static IP) I would like to make my web server and my FTP server public on the IP address that Telecom assigns me.
I should point out that the FTP and HTTP servers are reachable from the intranet, so there is some problem in the router configuration.
What do you think is wrong?
Here is the configuration:
using 4106 out of 131072 bytes
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log datetime localtime
service password-encryption
service udp-small-servers
!
hostname SpookeRouter
!
logging buffered 4096 debugging
logging rate-limit console 10 except errors
enable secret 5 $1$zII6$.PHhCJ22F2bPHfYUS8Fwe0
!
username service password 7 0518031D37454D0C
ip subnet-zero
no ip source-route
no ip finger
ip domain-name interbusiness.it
ip name-server 151.99.125.2
!
no ip dhcp-client network-discovery
!
!
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
ip access-group 101 in
ip nat inside
!
interface ATM0
no ip address
ip access-group 102 out
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer0
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
ppp pap sent-username aliceadsl password 7 1218091E110E0D003927
!
interface Dialer1
no ip address
no cdp enable
!
router rip
version 2
network 192.168.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 1200
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat translation max-entries 4096
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.0.100 21 interface Dialer0 21
ip nat inside source static tcp 192.168.0.100 21 interface Dialer0 21
ip nat inside source static tcp 192.168.0.100 20 interface Dialer0 20
ip nat inside source static udp 192.168.0.100 20 interface Dialer0 20
ip nat inside source static udp 192.168.0.100 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.100 4711 interface Dialer0 4711
ip nat inside source static tcp 192.168.0.100 4899 interface Dialer0 4899
ip nat inside source static tcp 192.168.0.100 4662 interface Dialer0 4662
ip nat inside source static tcp 192.168.0.100 80 interface Dialer0 80
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 18 permit 151.99.126.0 0.0.0.255
access-list 19 permit 151.99.126.0 0.0.0.255
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq telnet
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq 443
access-list 102 permit udp any any eq 443
access-list 102 permit udp any any eq 23
access-list 102 permit udp any any eq 21
access-list 102 permit udp any any eq domain
access-list 102 permit udp any any eq 110
access-list 102 permit udp any any eq 25
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq 4672
access-list 102 permit tcp any any eq 4672
access-list 102 permit tcp any any eq 4662
access-list 102 permit udp any any eq 4662
access-list 102 permit tcp any any eq 4899
access-list 102 permit udp any any eq 4899
access-list 102 permit tcp any any eq 4711
access-list 102 permit udp any any eq 4711
access-list 102 deny ip any any
banner motd ^CC
*************************************************************
********************** **********************
********************** Spooke Router **********************
********************** **********************
*************************************************************
********* ********
********* E' proibito ogni accesso non autorizzato ********
********* ********
********* Every Unauthorized access is prohibited ********
********* ********
*************************************************************
^C
!
line con 0
login local
transport input none
stopbits 1
line vty 0 4
access-class 30 in
login tacacs
!
scheduler max-task-time 5000
end
Soho 77 + nat + web server
(post by spooke)
TheIrish (Site Admin) replied:
Sorry for the brief reply, but I'm in a big hurry. One thing: try removing all the access-groups, those access-lists don't look right to me.
That said, remember that active FTP also uses port 20, and passive FTP uses random ports above 1023, in which case you have to use ip inspect etc. But we'll come back to that.
spooke replied:
OK, I've updated the IOS and the configuration. This is the new configuration, but I can't even get to the web server. How is that explained?
Maybe it's me who doesn't have access to my public IP on port 80??
Using 3150 out of 131072 bytes
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log datetime localtime
service password-encryption
service udp-small-servers
!
hostname SpookeRouter
!
logging buffered 4096 debugging
logging rate-limit console 10 except errors
enable secret 5 $1$zII6$.PHhCJ22F2bPHfYUS8Fwe0
!
username service password 7 0518031D37454D0C
ip subnet-zero
no ip source-route
no ip finger
ip domain-name interbusiness.it
ip name-server 151.99.125.2
!
no ip dhcp-client network-discovery
!
!
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
ip nat inside
!
interface ATM0
no ip address
ip access-group 102 out
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer0
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
ppp pap sent-username aliceadsl password 7 1218091E110E0D003927
!
interface Dialer1
no ip address
no cdp enable
!
router rip
version 2
network 192.168.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 1200
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat translation max-entries 4096
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.0.100 21 interface Dialer0 21
ip nat inside source static tcp 192.168.0.100 21 interface Dialer0 21
ip nat inside source static tcp 192.168.0.100 20 interface Dialer0 20
ip nat inside source static udp 192.168.0.100 20 interface Dialer0 20
ip nat inside source static udp 192.168.0.100 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.100 80 interface Dialer0 80
ip nat inside source static udp 192.168.0.100 4672 interface Dialer0 4672
ip nat inside source static tcp 192.168.0.100 4672 interface Dialer0 4672
ip nat inside source static udp 192.168.0.100 4662 interface Dialer0 4662
ip nat inside source static tcp 192.168.0.100 4662 interface Dialer0 4662
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 18 permit 151.99.126.0 0.0.0.255
access-list 19 permit 151.99.126.0 0.0.0.255
banner motd ^CC
*************************************************************
********************** **********************
********************** Spooke Router **********************
********************** Spooke Router **********************
*************************************************************
********* ********
********* E' proibito ogni accesso non autorizzato ********
********* ********
********* Every Unauthorized access is prohibited ********
********* ********
*************************************************************
^C
!
line con 0
login local
transport input none
stopbits 1
line vty 0 4
access-class 30 in
login tacacs
!
scheduler max-task-time 5000
end
TheIrish (Site Admin) replied:
First of all, on ATM0 there is an:
ip access-group 102 out
which definitely has to be removed, whether or not you want to set up a firewall, because for the WAN interface the access-group goes on the dialer.
Then, in detail, how and from where are you trying to connect to the web server?
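As an added illustration (not code from this thread, from Cisco, or from either poster), here is a small Python linter that runs the checks raised in the two replies above over a pasted IOS running-config: an access-group sitting on ATM0 instead of the Dialer, access-lists that are referenced but never defined (the second configuration references 102 and 30 but defines neither), UDP port-forwards for services that are TCP-only, and tcp/21 forwarded without FTP inspection on the Dialer, which is the passive-FTP problem TheIrish mentions. The two embedded configurations are constructed: POSTED_CONFIG is trimmed from the second config in the thread, and FIXED_CONFIG is an assumed corrected fragment using standard CBAC `ip inspect` syntax; the parser ignores indentation because the forum paste lost it.

```python
import re

# Constructed sample: the second configuration posted in the thread, trimmed to the
# lines the checks below look at (indentation was lost in the paste; it is ignored).
POSTED_CONFIG = """\
interface ATM0
ip access-group 102 out
!
interface Dialer0
ip address negotiated
ip nat outside
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.0.100 21 interface Dialer0 21
ip nat inside source static tcp 192.168.0.100 21 interface Dialer0 21
ip nat inside source static udp 192.168.0.100 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.100 80 interface Dialer0 80
access-list 1 permit 192.168.0.0 0.0.0.255
line vty 0 4
access-class 30 in
"""

# Constructed (assumed) corrected fragment: ACL and FTP inspection on the Dialer,
# every referenced list defined, TCP-only forwards. Not a configuration from the thread.
FIXED_CONFIG = """\
ip inspect name FW ftp
!
interface Dialer0
ip address negotiated
ip access-group 102 in
ip inspect FW out
ip nat outside
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.100 21 interface Dialer0 21
ip nat inside source static tcp 192.168.0.100 80 interface Dialer0 80
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 30 permit 192.168.0.0 0.0.0.255
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq www
access-list 102 deny ip any any
line vty 0 4
access-class 30 in
"""

TCP_ONLY = {20: "ftp-data", 21: "ftp", 80: "http"}

def parse_config(text):
    """Collect ACL references and definitions, NAT and inspect statements, per section."""
    cfg = {"groups": [], "classes": [], "nat": [], "lists": [], "defined": set(),
           "inspect_rules": [], "inspect_applied": []}
    section = None  # current 'interface X' or 'line X' block, None at global level
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":
            section = None
        elif line.startswith(("interface ", "line ")):
            section = line.split(None, 1)[1]
        elif section and (m := re.match(r"ip access-group (\S+) (in|out)$", line)):
            cfg["groups"].append((section, m[1], m[2]))
        elif section and (m := re.match(r"access-class (\S+) in$", line)):
            cfg["classes"].append((section, m[1]))
        elif section and (m := re.match(r"ip inspect (\S+) (in|out)$", line)):
            cfg["inspect_applied"].append((section, m[1]))
        elif m := re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)$", line):
            cfg["nat"].append((m[1], m[2], int(m[3]), int(m[4])))
        elif m := re.match(r"ip nat inside source list (\S+) interface", line):
            cfg["lists"].append(m[1])
        elif m := re.match(r"access-list (\S+) ", line):
            cfg["defined"].add(m[1])
        elif m := re.match(r"ip inspect name (\S+) (\S+)", line):
            cfg["inspect_rules"].append((m[1], m[2]))
    return cfg

def lint(text):
    """Return the list of findings for the WAN-facing parts of a config."""
    cfg = parse_config(text)
    out = []
    # 1. On this DSL setup the IP-bearing WAN interface is the Dialer: an ACL on ATM0
    #    never sees the routed IP traffic, so it filters nothing.
    for iface, acl, direction in cfg["groups"]:
        if iface.upper().startswith("ATM"):
            out.append(f"access-group {acl} {direction} sits on {iface}; move it to the Dialer")
    # 2. A list that is referenced but never defined: access-group/access-class then
    #    let everything through, and the NAT overload rule matches nothing.
    used = {a for _, a, _ in cfg["groups"]} | {a for _, a in cfg["classes"]} | set(cfg["lists"])
    for acl in sorted(used - cfg["defined"], key=lambda a: (0, int(a)) if a.isdigit() else (1, a)):
        out.append(f"ACL {acl} is referenced but never defined")
    # 3. UDP forwards for TCP-only services are dead entries that only widen the NAT surface.
    for proto, inside, iport, oport in cfg["nat"]:
        if proto == "udp" and oport in TCP_ONLY:
            out.append(f"udp/{oport} -> {inside}:{iport} is pointless: {TCP_ONLY[oport]} is TCP only")
    # 4. Forwarding tcp/21 covers only the control channel; passive FTP data connections use
    #    random ports above 1023, which needs 'ip inspect name <x> ftp' applied on the Dialer.
    ftp_names = {n for n, p in cfg["inspect_rules"] if p == "ftp"}
    inspected = any(i.upper().startswith("DIALER") and n in ftp_names for i, n in cfg["inspect_applied"])
    if any(p == "tcp" and o == 21 for p, _, _, o in cfg["nat"]) and not inspected:
        out.append("tcp/21 is forwarded without FTP inspection on the Dialer: passive FTP data channels will fail")
    return out

if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        findings = lint(text)
        print(f"== {name}: {len(findings)} finding(s)")
        for f in findings:
            print(" -", f)
```

Run against the posted configuration the linter reports six findings (the ATM0 access-group, ACLs 102 and 30 undefined, the two UDP forwards, and the missing FTP inspection); the corrected fragment reports none. The checks deliberately key on interface names rather than indentation so they work on configs pasted into a forum.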