alias cisco pix 515
Posted: Mon 13 Mar 2006 6:15 pm
by ccsa
Hi everyone,
I have a problem with a command that is not supported on version 6.3.3 of a Cisco PIX 515.
70.17.44.11----FW-----DMZ(10.17.44.11)
|
|
|
10.10.10.1
I need to be able to reach the web server in the DMZ (10.17.44.11) from the internal network 10.10.10.1 by pointing at the IP of my external network (70.17.44.11).
The old command was
alias (inside) 70.17.44.11 10.17.44.11 255.255.255.255
Unfortunately I can't find the new command for release 6.3.
Can anyone help me?
Thanks in advance
Posted: Tue 14 Mar 2006 11:24 am
by cisketto
The command you're looking for is
STATIC (inside, outside) GLOBAL_IP LOCAL_IP
Bye, cisketto!
Posted: Tue 14 Mar 2006 2:28 pm
by ccsa
Thanks for the reply.
I tried it but it doesn't work.
I found an answer from Cisco that, honestly, isn't very clear to me.
http://www.cisco.com/en/US/products/hw/ ... ml#wp32146
Posted: Tue 14 Mar 2006 7:50 pm
by cisketto
Hi!
In what sense doesn't it work?
Can't you get access?
Have you set up the ACL for access from the outside?
Maybe post the config so everything is clearer for everyone....
Cisketto!
Posted: Wed 15 Mar 2006 9:36 am
by ccsa
Yes, OK, you're right too.
This is the configuration. As I said, the server in the DMZ has to be reachable both from the Internet and from the machines on the local network.
152.8.97.183 is NATted to 10.10.10.2 (DMZ).
Thanks again
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
hostname pix
domain-name rational
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name 152.8.97.183 ext-web
name 10.10.10.2 web-dmz
object-group network Lan_Interna
network-object 192.168.108.0 255.255.255.0
object-group service Servizi_WEB tcp
description Servizi abilitati per tutta la lan interna
port-object eq smtp
port-object eq pop3
port-object eq domain
port-object eq nntp
object-group service Servizi_WEB_udp udp
port-object eq domain
object-group service dc tcp-udp
description c++
port-object range www www
object-group service messenger tcp
port-object eq 1863
port-object eq www
port-object range 28800 28899
object-group network YahooMessanger
network-object 216.155.193.151 255.255.255.255
object-group service ssl-group tcp
description porte per email poste.it
port-object eq 465
port-object eq 995
access-list inside_outbound_nat0_acl permit ip any 192.168.108.80 255.255.255.248
access-list outside_cryptomap_dyn_20 permit ip any 192.168.108.80 255.255.255.248
access-list outside_inside_in permit tcp any host ext-web eq www
access-list dmz permit tcp host web-dmz eq www any
pager lines 24
logging on
logging timestamp
logging buffered warnings
logging trap warnings
logging history notifications
logging host inside Nas_LogServer
icmp deny any echo-reply outside
icmp permit any inside
icmp deny any echo-reply inside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 152.8.97.182 255.255.255.240
ip address inside 192.168.108.4 255.255.255.0
ip address DMZ 10.10.10.1 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip audit info action drop
ip audit attack action drop
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address DMZ
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location ext-web 255.255.255.255 DMZ
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.108.0 255.255.255.0 0 0
static (DMZ,outside) ext-web web-dmz netmask 255.255.255.255 0 0
static (outside,DMZ) ext-web web-dmz netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.108.0 192.168.108.0 netmask 255.255.255.0 0 0
access-group outside_inside_in in interface outside
access-group inside_access_in in interface inside
access-group dmz in interface DMZ
route outside 0.0.0.0 0.0.0.0 152.8.97.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
ntp server 193.204.114.233 source outside prefer
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup accessovpn address-pool poolvpn
vpngroup accessovpn dns-server rs-dmc02time rs-dmc01
vpngroup accessovpn wins-server rs-dmc01
vpngroup accessovpn default-domain sviluppo.rs
vpngroup accessovpn idle-time 1800
vpngroup accessovpn password romaroma2000
telnet timeout 5
ssh 192.168.108.100 255.255.255.255 inside
ssh 192.168.108.99 255.255.255.255 inside
ssh email_Posteit 255.255.255.255 inside
ssh timeout 5
console timeout 10
terminal width 80
: end
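A small sanity check added here (not from the thread, and not Cisco's tooling) that parses an excerpt of the config posted above: it lists access-group bindings whose ACL is never defined, and it looks for a static on the inside interface translating the public name to the DMZ host. The second check assumes that on PIX 6.3 the outside-NAT form `static (DMZ,inside) ext-web web-dmz` is what replaces the old alias for inside hosts reaching the DMZ server by its public address; the config excerpt is a constructed copy of the posted lines.

```python
import re

# Constructed excerpt of the PIX 6.3 config posted in the thread.
PIX_CONFIG = """\
name 152.8.97.183 ext-web
name 10.10.10.2 web-dmz
access-list outside_inside_in permit tcp any host ext-web eq www
access-list dmz permit tcp host web-dmz eq www any
static (DMZ,outside) ext-web web-dmz netmask 255.255.255.255 0 0
static (outside,DMZ) ext-web web-dmz netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.108.0 192.168.108.0 netmask 255.255.255.0 0 0
access-group outside_inside_in in interface outside
access-group inside_access_in in interface inside
access-group dmz in interface DMZ
"""

# static (real_if,mapped_if) mapped_addr real_addr ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")


def parse(config):
    """Collect defined ACL names, access-group bindings and static entries."""
    acls, groups, statics = set(), {}, []
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "access-list":
            acls.add(parts[1])
        elif parts[0] == "access-group":
            groups[parts[-1]] = parts[1]  # interface -> bound ACL name
        else:
            m = STATIC_RE.match(line)
            if m:
                statics.append(m.groups())  # (real_if, mapped_if, mapped, real)
    return acls, groups, statics


def dangling_access_groups(config):
    """ACL names bound with access-group but never defined: the interface
    is then not filtered by the policy the admin thinks is applied."""
    acls, groups, _ = parse(config)
    return sorted(name for name in groups.values() if name not in acls)


def has_static(config, real_if, mapped_if, mapped, real):
    """True if a static translates `mapped` to `real` towards `mapped_if`.
    Assumption: (DMZ,inside) ext-web web-dmz is the alias replacement needed
    for inside hosts to reach the DMZ server via its public address."""
    _, _, statics = parse(config)
    return (real_if, mapped_if, mapped, real) in statics
```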