Telecomitalia Business & cisco 837
Inviato: gio 12 mag , 2011 4:22 pm
Salve a tutti ho un piccolissimo problema con la configurazione del router cisco 837 con ADSL di telecomitalia business.
I parametri che mi han fornito gli operatori telecom sono i seguenti:
pila protocollare / incapsulazione: RFC1483, IpOA, IP STATICO / LLC ROUTED
Indirizzi IP pubblici Assegnati (LAN): 2.116.Y.32-39 Network Mask: 255.255.255.48
IP Punto Punto (WAN) non abilitati alla navigazione: 85.46.X.2 Network Mask: 255.255.255.252
Default Gatweay (WAN): 85.46.X.1
VpVc: 8-35
DNS Primario: 151.99.125.1
DNS Secondario: 151.99.0.100
Ora io ho compilato questa configurazione:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CIAO
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
logging console critical
enable secret 5 CIAO
!
no aaa new-model
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-882807585
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-882807585
revocation-check none
rsakeypair TP-self-signed-882807585
!
!
crypto pki certificate chain TP-self-signed-882807585
certificate self-signed 01 nvram:IOS-Self-Sig#8.cer
dot11 association mac-list 700
dot11 syslog
dot11 vlan-name WiFi vlan 1
!
dot11 ssid CIAOWIFI
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 CIAO
!
dot11 ssid CIAOWIFIZONE
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.221 192.168.0.254
!
ip dhcp pool Pool1
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.221
dns-server 151.99.125.1 151.99.0.100
lease infinite
!
!
ip cef
ip inspect log drop-pkt
ip inspect name Firewall cuseeme
ip inspect name Firewall dns
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall https
ip inspect name Firewall icmp
ip inspect name Firewall imap
ip inspect name Firewall pop3
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall esmtp
ip inspect name Firewall sqlnet
ip inspect name Firewall streamworks
ip inspect name Firewall tftp
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall vdolive
ip name-server 151.99.125.1
ip name-server 151.99.0.100
!
!
!
username root privilege 15 secret 5 CIAO
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $FW_OUTSIDE$$ES_WAN$
ip address 85.46.x.2 255.255.255.252
ip nat outside
pvc 8/35
oam-pvc manage
oam retry 5 5 1
encapsulation aal5snap
!
!
interface FastEthernet0
ip address 2.116.Y.33 255.255.255.248 secondary
ip address 192.168.0.3 255.255.255.0
ip nat inside
no keepalive
hold-queue 100 out
!
interface FastEthernet1
no shut
!
interface FastEthernet2
no shut
!
interface FastEthernet3
no shut
!
interface Dot11Radio0
ip address 192.168.0.240
no shutdown
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
ssid CIAOWIFIZONE
!
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role root
world-mode dot11d country IT both
l2-filter bridge-group-acl
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
!
interface BVI1
ip address 192.168.0.221 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.3 6780 interface Dialer0 6780
ip nat inside source static tcp 192.168.0.3 6781 interface Dialer0 6781
ip nat inside source static tcp 192.168.0.3 6782 interface Dialer0 6782
ip nat inside source static tcp 192.168.0.3 6783 interface Dialer0 6783
ip nat inside source static tcp 192.168.0.3 6784 interface Dialer0 6784
ip nat inside source static tcp 192.168.0.3 6785 interface Dialer0 6785
ip nat inside source static tcp 192.168.0.3 6786 interface Dialer0 6786
ip nat inside source static tcp 192.168.0.3 6787 interface Dialer0 6787
ip nat inside source static tcp 192.168.0.3 6788 interface Dialer0 6788
ip nat inside source static tcp 192.168.0.3 6789 interface Dialer0 6789
ip nat inside source static tcp 192.168.0.3 6790 interface Dialer0 6790
ip nat inside source static tcp 192.168.0.100 3389 interface Dialer0 3389
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 permit tcp any any range 6780 6790
access-list 101 remark Traffico abilitato ad entrare nel router da internet
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit tcp any any range 6780 6790
access-list 101 permit udp host 151.99.125.1 eq domain any
access-list 101 permit udp host 151.99.0.100 eq domain any
access-list 101 permit tcp host 63.208.196.96 eq www any log
access-list 101 permit udp host 207.46.232.42 eq ntp any
access-list 101 permit udp host 192.43.244.18 eq ntp any
access-list 101 permit gre any any
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
access-list 102 remark Traffico abilitato ad entrare nel router dalla ethernet
access-list 102 permit ip any host 192.168.0.221
access-list 102 permit tcp any any range 6780 6790
access-list 102 permit tcp any any eq 3389
access-list 102 deny ip any host 192.168.0.255
access-list 102 deny udp any any eq tftp log
access-list 102 deny ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny udp any any eq 135 log
access-list 102 deny tcp any any eq 135 log
access-list 102 deny udp any any eq netbios-ns log
access-list 102 deny udp any any eq netbios-dgm log
access-list 102 deny tcp any any eq 445 log
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny ip any any log
access-list 700 permit 0015.1181.a949 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
sntp server 207.46.197.32
sntp server 192.43.244.18
end
Ma di navigare non se ne parla nemmeno.... Consigli su cosa posso aver errato?
La configurazione non è altro che una funzionante su cheapnet con però ovviamente i parametri cambiati per telecom, e con l'aggiunta
della configurazione Fastethernet 0 (sono solo CCNA, o ero perchè ormai anni ne son passati) che sinceramente mi lascia stranito.
Suggerimenti?
EDIT: *CANNATO SEZIONE* posso chiedere ai mod di spostare nella sezione corretta? Grazie in anticipo
I parametri che mi han fornito gli operatori telecom sono i seguenti:
pila protocollare / incapsulazione: RFC1483, IpOA, IP STATICO / LLC ROUTED
Indirizzi IP pubblici Assegnati (LAN): 2.116.Y.32-39 Network Mask: 255.255.255.48
IP Punto Punto (WAN) non abilitati alla navigazione: 85.46.X.2 Network Mask: 255.255.255.252
Default Gatweay (WAN): 85.46.X.1
VpVc: 8-35
DNS Primario: 151.99.125.1
DNS Secondario: 151.99.0.100
Ora io ho compilato questa configurazione:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CIAO
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
logging console critical
enable secret 5 CIAO
!
no aaa new-model
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-882807585
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-882807585
revocation-check none
rsakeypair TP-self-signed-882807585
!
!
crypto pki certificate chain TP-self-signed-882807585
certificate self-signed 01 nvram:IOS-Self-Sig#8.cer
dot11 association mac-list 700
dot11 syslog
dot11 vlan-name WiFi vlan 1
!
dot11 ssid CIAOWIFI
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 CIAO
!
dot11 ssid CIAOWIFIZONE
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.221 192.168.0.254
!
ip dhcp pool Pool1
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.221
dns-server 151.99.125.1 151.99.0.100
lease infinite
!
!
ip cef
ip inspect log drop-pkt
ip inspect name Firewall cuseeme
ip inspect name Firewall dns
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall https
ip inspect name Firewall icmp
ip inspect name Firewall imap
ip inspect name Firewall pop3
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall esmtp
ip inspect name Firewall sqlnet
ip inspect name Firewall streamworks
ip inspect name Firewall tftp
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall vdolive
ip name-server 151.99.125.1
ip name-server 151.99.0.100
!
!
!
username root privilege 15 secret 5 CIAO
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $FW_OUTSIDE$$ES_WAN$
ip address 85.46.x.2 255.255.255.252
ip nat outside
pvc 8/35
oam-pvc manage
oam retry 5 5 1
encapsulation aal5snap
!
!
interface FastEthernet0
ip address 2.116.Y.33 255.255.255.248 secondary
ip address 192.168.0.3 255.255.255.0
ip nat inside
no keepalive
hold-queue 100 out
!
interface FastEthernet1
no shut
!
interface FastEthernet2
no shut
!
interface FastEthernet3
no shut
!
interface Dot11Radio0
ip address 192.168.0.240
no shutdown
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
ssid CIAOWIFIZONE
!
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role root
world-mode dot11d country IT both
l2-filter bridge-group-acl
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
!
interface BVI1
ip address 192.168.0.221 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.3 6780 interface Dialer0 6780
ip nat inside source static tcp 192.168.0.3 6781 interface Dialer0 6781
ip nat inside source static tcp 192.168.0.3 6782 interface Dialer0 6782
ip nat inside source static tcp 192.168.0.3 6783 interface Dialer0 6783
ip nat inside source static tcp 192.168.0.3 6784 interface Dialer0 6784
ip nat inside source static tcp 192.168.0.3 6785 interface Dialer0 6785
ip nat inside source static tcp 192.168.0.3 6786 interface Dialer0 6786
ip nat inside source static tcp 192.168.0.3 6787 interface Dialer0 6787
ip nat inside source static tcp 192.168.0.3 6788 interface Dialer0 6788
ip nat inside source static tcp 192.168.0.3 6789 interface Dialer0 6789
ip nat inside source static tcp 192.168.0.3 6790 interface Dialer0 6790
ip nat inside source static tcp 192.168.0.100 3389 interface Dialer0 3389
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 permit tcp any any range 6780 6790
access-list 101 remark Traffico abilitato ad entrare nel router da internet
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit tcp any any range 6780 6790
access-list 101 permit udp host 151.99.125.1 eq domain any
access-list 101 permit udp host 151.99.0.100 eq domain any
access-list 101 permit tcp host 63.208.196.96 eq www any log
access-list 101 permit udp host 207.46.232.42 eq ntp any
access-list 101 permit udp host 192.43.244.18 eq ntp any
access-list 101 permit gre any any
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
access-list 102 remark Traffico abilitato ad entrare nel router dalla ethernet
access-list 102 permit ip any host 192.168.0.221
access-list 102 permit tcp any any range 6780 6790
access-list 102 permit tcp any any eq 3389
access-list 102 deny ip any host 192.168.0.255
access-list 102 deny udp any any eq tftp log
access-list 102 deny ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny udp any any eq 135 log
access-list 102 deny tcp any any eq 135 log
access-list 102 deny udp any any eq netbios-ns log
access-list 102 deny udp any any eq netbios-dgm log
access-list 102 deny tcp any any eq 445 log
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny ip any any log
access-list 700 permit 0015.1181.a949 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
sntp server 207.46.197.32
sntp server 192.43.244.18
end
Ma di navigare non se ne parla nemmeno.... Consigli su cosa posso aver errato?
La configurazione non è altro che una funzionante su cheapnet con però ovviamente i parametri cambiati per telecom, e con l'aggiunta
della configurazione Fastethernet 0 (sono solo CCNA, o ero perchè ormai anni ne son passati) che sinceramente mi lascia stranito.
Suggerimenti?
EDIT: *CANNATO SEZIONE* posso chiedere ai mod di spostare nella sezione corretta? Grazie in anticipo
