Problemi con NAT su 827...
Inviato: ven 03 feb , 2006 10:11 am
Buongiorno bella gente da poco ho un Cisco 827 e questa è la mia configurazione...
Wizard-GW#sh run
Building configuration...
Current configuration:
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ***
!
enable secret ***
!
username admin password ****
!
!
!
!
ip subnet-zero
ip name-server 151.99.125.2
ip dhcp excluded-address 10.0.0.254
!
ip dhcp pool Wizard
network 10.0.0.0 255.255.255.0
default-router 10.0.0.254
dns-server 151.99.125.2 151.99.125.1
!
ip inspect name IDS-IN tcp
ip inspect name IDS-IN udp
ip inspect name IDS-IN realaudio
ip inspect name IDS-IN fragment maximum 256 timeout 1
ip inspect name IDS-OUT tcp
ip inspect name IDS-OUT udp
ip inspect name IDS-OUT realaudio
ip inspect name IDS-OUT fragment maximum 256 timeout 1
ip dhcp-server 10.0.0.254
!
!
!
!
!
interface Ethernet0
description INTERFACCIA ETH0 PER LAN 10.0.0.0/24
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip inspect IDS-OUT in
hold-queue 100 out
!
interface ATM0
description INTERFACCIA FISICA ATM0 ALICE FLAT 4Mbps
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
bundle-enable
dsl operating-mode auto
!
interface Dialer0
description INTERFACCIA DIALER PER CONNESSIONE AD INTERNET
ip address negotiated
ip access-group 131 in
ip nat outside
ip inspect IDS-IN in
encapsulation ppp
dialer pool 1
ppp pap sent-username *** password ***
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 10.0.0.8 4642 interface Dialer0 4642
ip nat inside source static tcp 10.0.0.8 4652 interface Dialer0 4652
ip nat inside source static tcp 10.0.0.8 3389 interface Dialer0 3389
ip nat inside source static tcp 10.0.0.8 85 interface Dialer0 85
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
access-list 1 remark *** ACL PER PAT VERSO INTERNET ***
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 131 remark *** ACL PER PERMETTERE ACCESSO VIA TELNET AL ROUTER ***
access-list 131 permit tcp any any eq telnet
access-list 131 remark *** ACL ANTI-SPOOFING ***
access-list 131 deny ip 10.0.0.0 0.255.255.255 any log
access-list 131 deny ip 172.16.0.0 0.15.255.255 any log
access-list 131 deny ip 192.168.0.0 0.0.255.255 any log
access-list 131 deny ip 127.0.0.0 0.255.255.255 any log
access-list 131 deny ip 224.0.0.0 31.255.255.255 any log
access-list 131 deny ip host 0.0.0.0 any log
access-list 131 permit tcp any any gt 1023 established
access-list 131 permit udp any any gt 1023
access-list 131 remark *** ACL PER CONTROLLARE TRAFFICO ICMP ***
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 deny icmp any any log
access-list 131 remark *** ACL PER BLOCCARE L'ACCESSO A POTENZIALI VIRUS ***
access-list 131 deny tcp any any eq 135 log
access-list 131 deny udp any any eq 135 log
access-list 131 deny udp any any eq netbios-ns log
access-list 131 deny udp any any eq netbios-dgm log
access-list 131 deny tcp any any eq 139 log
access-list 131 deny udp any any eq netbios-ss log
access-list 131 deny tcp any any eq 445 log
access-list 131 deny tcp any any eq 593 log
access-list 131 deny udp any any eq 1433 log
access-list 131 deny udp any any eq 1434 log
access-list 131 deny ip any any dscp 1 log
access-list 131 deny udp any any eq 5554 log
access-list 131 deny udp any any eq 9996 log
access-list 131 deny udp any any eq 113 log
access-list 131 deny udp any any eq 3067 log
access-list 131 remark *** ACL PER FILTRARE TRAFFICO DNS ***
access-list 131 permit udp any host 151.99.125.2 eq domain
access-list 131 permit udp any host 151.99.125.1 eq domain
access-list 131 deny udp any any eq domain log
access-list 131 remark *** ACL PER CONTROLLARE EMULE ***
access-list 131 permit tcp any any eq 4652
access-list 131 permit udp any any eq 4642
access-list 131 remark *** ACL PER CONTROLLARE RDP ***
access-list 131 permit tcp any any eq 3389
access-list 131 remark *** ACL PER CONTROLLARE EMULE WEBSERVER ***
access-list 131 permit tcp any any eq 85
access-list 131 deny ip any any log
!
line con 0
transport input none
stopbits 1
line vty 0 4
timeout login response 300
login local
!
scheduler max-task-time 5000
end
e questo è il mio sh ver...
Wizard-GW#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C820 Software (C820-OSY656I-M), Version 12.1(3)XG4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC:Home:SW:IOS:Specials for info
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Mon 26-Feb-01 11:04 by detang
Image text-base: 0x80013170, data-base: 0x807250A4
ROM: System Bootstrap, Version 12.1(1r)XB1, RELEASE SOFTWARE (fc1)
ROM: C820 Software (C820-OSY656I-M), Version 12.1(3)XG4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Wizard-GW uptime is 8 hours, 36 minutes
System returned to ROM by reload at 10:40:55 UTC Tue Mar 6 2001
System image file is "flash:c820-osy656i-mz.121-3.XG4.bin"
CISCO C827 (MPC855T) processor (revision 0x501) with 15360K/1024K bytes of memory.
Processor board ID JAD04400AZR (2519560419), with hardware revision 0000
CPU rev number 5
Bridging software.
1 Ethernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
------------------------------------
Il mio problema è che non funzionano i NAT
...
Infatti ho fatto una prova con emule e e mi da sempre ID Basso...
Help me... THANKS!!!
Wizard-GW#sh run
Building configuration...
Current configuration:
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ***
!
enable secret ***
!
username admin password ****
!
!
!
!
ip subnet-zero
ip name-server 151.99.125.2
ip dhcp excluded-address 10.0.0.254
!
ip dhcp pool Wizard
network 10.0.0.0 255.255.255.0
default-router 10.0.0.254
dns-server 151.99.125.2 151.99.125.1
!
ip inspect name IDS-IN tcp
ip inspect name IDS-IN udp
ip inspect name IDS-IN realaudio
ip inspect name IDS-IN fragment maximum 256 timeout 1
ip inspect name IDS-OUT tcp
ip inspect name IDS-OUT udp
ip inspect name IDS-OUT realaudio
ip inspect name IDS-OUT fragment maximum 256 timeout 1
ip dhcp-server 10.0.0.254
!
!
!
!
!
interface Ethernet0
description INTERFACCIA ETH0 PER LAN 10.0.0.0/24
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip inspect IDS-OUT in
hold-queue 100 out
!
interface ATM0
description INTERFACCIA FISICA ATM0 ALICE FLAT 4Mbps
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
bundle-enable
dsl operating-mode auto
!
interface Dialer0
description INTERFACCIA DIALER PER CONNESSIONE AD INTERNET
ip address negotiated
ip access-group 131 in
ip nat outside
ip inspect IDS-IN in
encapsulation ppp
dialer pool 1
ppp pap sent-username *** password ***
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 10.0.0.8 4642 interface Dialer0 4642
ip nat inside source static tcp 10.0.0.8 4652 interface Dialer0 4652
ip nat inside source static tcp 10.0.0.8 3389 interface Dialer0 3389
ip nat inside source static tcp 10.0.0.8 85 interface Dialer0 85
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
access-list 1 remark *** ACL PER PAT VERSO INTERNET ***
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 131 remark *** ACL PER PERMETTERE ACCESSO VIA TELNET AL ROUTER ***
access-list 131 permit tcp any any eq telnet
access-list 131 remark *** ACL ANTI-SPOOFING ***
access-list 131 deny ip 10.0.0.0 0.255.255.255 any log
access-list 131 deny ip 172.16.0.0 0.15.255.255 any log
access-list 131 deny ip 192.168.0.0 0.0.255.255 any log
access-list 131 deny ip 127.0.0.0 0.255.255.255 any log
access-list 131 deny ip 224.0.0.0 31.255.255.255 any log
access-list 131 deny ip host 0.0.0.0 any log
access-list 131 permit tcp any any gt 1023 established
access-list 131 permit udp any any gt 1023
access-list 131 remark *** ACL PER CONTROLLARE TRAFFICO ICMP ***
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 deny icmp any any log
access-list 131 remark *** ACL PER BLOCCARE L'ACCESSO A POTENZIALI VIRUS ***
access-list 131 deny tcp any any eq 135 log
access-list 131 deny udp any any eq 135 log
access-list 131 deny udp any any eq netbios-ns log
access-list 131 deny udp any any eq netbios-dgm log
access-list 131 deny tcp any any eq 139 log
access-list 131 deny udp any any eq netbios-ss log
access-list 131 deny tcp any any eq 445 log
access-list 131 deny tcp any any eq 593 log
access-list 131 deny udp any any eq 1433 log
access-list 131 deny udp any any eq 1434 log
access-list 131 deny ip any any dscp 1 log
access-list 131 deny udp any any eq 5554 log
access-list 131 deny udp any any eq 9996 log
access-list 131 deny udp any any eq 113 log
access-list 131 deny udp any any eq 3067 log
access-list 131 remark *** ACL PER FILTRARE TRAFFICO DNS ***
access-list 131 permit udp any host 151.99.125.2 eq domain
access-list 131 permit udp any host 151.99.125.1 eq domain
access-list 131 deny udp any any eq domain log
access-list 131 remark *** ACL PER CONTROLLARE EMULE ***
access-list 131 permit tcp any any eq 4652
access-list 131 permit udp any any eq 4642
access-list 131 remark *** ACL PER CONTROLLARE RDP ***
access-list 131 permit tcp any any eq 3389
access-list 131 remark *** ACL PER CONTROLLARE EMULE WEBSERVER ***
access-list 131 permit tcp any any eq 85
access-list 131 deny ip any any log
!
line con 0
transport input none
stopbits 1
line vty 0 4
timeout login response 300
login local
!
scheduler max-task-time 5000
end
e questo è il mio sh ver...
Wizard-GW#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C820 Software (C820-OSY656I-M), Version 12.1(3)XG4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC:Home:SW:IOS:Specials for info
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Mon 26-Feb-01 11:04 by detang
Image text-base: 0x80013170, data-base: 0x807250A4
ROM: System Bootstrap, Version 12.1(1r)XB1, RELEASE SOFTWARE (fc1)
ROM: C820 Software (C820-OSY656I-M), Version 12.1(3)XG4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Wizard-GW uptime is 8 hours, 36 minutes
System returned to ROM by reload at 10:40:55 UTC Tue Mar 6 2001
System image file is "flash:c820-osy656i-mz.121-3.XG4.bin"
CISCO C827 (MPC855T) processor (revision 0x501) with 15360K/1024K bytes of memory.
Processor board ID JAD04400AZR (2519560419), with hardware revision 0000
CPU rev number 5
Bridging software.
1 Ethernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
------------------------------------
Il mio problema è che non funzionano i NAT
...Infatti ho fatto una prova con emule e e mi da sempre ID Basso...
Help me... THANKS!!!
, questa proposta anche secondo me e la strada giusta non solo, caricherei una configurazione base e man mano aggiungerrei le ACL e così via.