Why is it that, until I added the following line to interface Dialer1 in the configuration below
Code:
ip inspect ids in
I thought that the already present rule
Code:
ip inspect ids out
Indeed, with the already present rule, name resolution against the DNS servers worked perfectly, so why isn't that the case for passive FTP?
In any case, once you have clarified what I had missed, could you tell me whether, in your opinion, it is better to create a second ip inspect with FTP packet inspection only and apply just that one in the in direction on Dialer1, to improve the overall security level?
Thanks
Code:
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxx
!
aaa new-model
!
!
!
aaa session-id common
no ip subnet-zero
no ip source-route
!
!
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.99
!
ip dhcp pool CASA
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 212.216.112.112 212.216.172.62
!
!
ip cef
ip domain name xxxxxxxxxxxx
ip name-server 212.216.112.112
ip name-server 212.216.172.62
ip inspect name ids udp
ip inspect name ids ftp
ip inspect name ids ssh
ip inspect name ids realaudio
ip inspect name ids icmp
ip ddns update method dyndns
HTTP
add http://xxxxxxxxxxxx:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 30 0 0 0
!
login block-for 300 attempts 3 within 30
!
!
!
username xxxxxxxxxxxx password 7 xxxxxxxxxxxx
!
!
ip ssh time-out 60
ip ssh authentication-retries 5
ip ssh version 2
!
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip access-group 199 out
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer1
ip ddns update hostname xxxxxxxxxxxx
ip ddns update dyndns
ip address negotiated
ip access-group 100 in
ip nat outside
ip inspect ids in
ip inspect ids out
ip virtual-reassembly
encapsulation ppp
ip tcp header-compression
dialer pool 1
dialer-group 1
ppp chap hostname xxxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxxxx password 7 xxxxxxxxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
!
ip nat translation timeout 300
ip nat translation tcp-timeout 120
ip nat translation udp-timeout 100
ip nat translation finrst-timeout 10
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 30
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static udp 192.168.1.4 88 interface Dialer1 88
ip nat inside source static tcp 192.168.1.10 5001 interface Dialer1 5001
ip nat inside source static tcp 192.168.1.10 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.1.99 21 interface Dialer1 21
ip nat inside source static tcp 192.168.1.99 22 interface Dialer1 5000
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark *** ACL PER INTERFACCIA ESTERNA ***
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any host-unreachable
access-list 100 permit icmp any any net-unreachable
access-list 100 deny icmp any any
access-list 100 deny udp any any eq netbios-ss
access-list 100 deny udp any any eq netbios-ns
access-list 100 deny udp any any eq netbios-dgm
access-list 100 remark *****************************
access-list 100 remark *** REGOLE PER XBOX LIVE ***
access-list 100 permit udp any any eq 88
access-list 100 remark ****************************
access-list 100 remark *** REGOLE PER SERVER LINUX ***
access-list 100 permit tcp any any eq 5000
access-list 100 permit tcp any any eq ftp
access-list 100 remark ****************************
access-list 100 remark *** REGOLE PER SSH ***
access-list 100 permit tcp any any eq 22
access-list 100 remark ****************************
access-list 100 deny tcp any any lt 1024
access-list 100 deny udp any any lt 1024
access-list 100 permit ip any any
access-list 199 remark *** ACL PER INTERFACCIA ETHERNET ***
access-list 199 remark *** REGOLE PER XBOX LIVE ***
access-list 199 permit udp any host 192.168.1.4 eq 88
access-list 199 permit tcp any host 192.168.1.4 gt 1024
access-list 199 permit udp any host 192.168.1.4 gt 1024
access-list 199 remark ****************************
access-list 199 remark *** REGOLE PER BITTORRENT ***
access-list 199 permit tcp any host 192.168.1.10 eq 5001
access-list 199 remark ************************
access-list 199 remark *** REGOLE PER ACCESSO REMOTO PC FISSO ***
access-list 199 permit tcp any host 192.168.1.10 eq 3389
access-list 199 remark ************************
access-list 199 remark *** REGOLE PER ACCESSO SERVER ***
access-list 199 permit tcp any host 192.168.1.99 eq 22
access-list 199 permit tcp any host 192.168.1.99 eq ftp
access-list 199 remark ************************
access-list 199 permit tcp any any established
access-list 199 deny ip any any
no cdp run
!
!
!
control-plane
!
!
line con 0
logging synchronous
no modem enable
stopbits 1
speed 115200
line aux 0
line vty 0 2
logging synchronous
transport input ssh
line vty 3 4
access-class 1 in
exec-timeout 120 0
privilege level 15
password 7 xxxxxxxxxxxx
logging synchronous
length 0
transport input telnet ssh
!
scheduler max-task-time 5000
end
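As an added illustration (this is not part of the original post and is not Cisco's CBAC implementation), here is a small Python model of direction-aware stateful inspection. It shows the protocol-level reason the two cases differ: a DNS query and its answer are a single UDP exchange with the addresses reversed, so tracking the sessions that leave the WAN interface (the `out` direction) is enough to let the answer back in. Passive FTP to a server published through static NAT is instead a session that enters the WAN interface, and the data port only becomes known by parsing the server's `227` reply on that control channel; an inspector that tracks only sessions leaving the interface never has a session to match the reply against, so it never opens a pinhole for the data connection. The addresses, ports, the `Inspector` class and the `passive_ftp_scenario`/`dns_scenario` helpers are constructed for this example; the `227` reply is assumed to already carry the public address, as a NAT FTP ALG would have rewritten it.

```python
import re
from dataclasses import dataclass

# Constructed example addresses (RFC 5737 documentation ranges), not the poster's.
WAN_IP = "198.51.100.5"         # address assumed negotiated on Dialer1
CLIENT_IP = "203.0.113.10"      # FTP client somewhere on the Internet
DNS_SERVER = "212.216.112.112"  # one of the resolvers named in the config


@dataclass(frozen=True)
class Flow:
    """One packet as seen on the WAN interface.
    direction: 'in' = entering the router from the Internet, 'out' = leaving towards it."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    direction: str


_SIXTUPLE = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227 .*?\(" + _SIXTUPLE + r"\)")
PORT_RE = re.compile(r"^PORT " + _SIXTUPLE + r"\s*$")


def _hostport(groups):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by FTP: port = p1*256 + p2."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pasv_endpoint(reply):
    """Data endpoint announced by a server '227' reply (passive mode), or None."""
    m = PASV_RE.match(reply.strip())
    return _hostport(m.groups()) if m else None


def port_endpoint(command):
    """Data endpoint announced by a client 'PORT' command (active mode), or None."""
    m = PORT_RE.match(command.strip())
    return _hostport(m.groups()) if m else None


class Inspector:
    """Toy stateful inspector: it only learns sessions whose first packet travels in one
    of its configured directions (the model of 'ip inspect <name> in|out' on one interface).
    'ports' optionally restricts tracking to given destination ports (a shorter inspect list)."""

    def __init__(self, directions, ports=None):
        self.directions = set(directions)
        self.ports = None if ports is None else set(ports)
        self.sessions = set()   # (proto, src, sport, dst, dport) of tracked sessions
        self.pinholes = set()   # (proto, client, server_ip, server_port) for FTP data channels

    @staticmethod
    def _key(f):
        return (f.proto, f.src, f.sport, f.dst, f.dport)

    @staticmethod
    def _reverse(f):
        return (f.proto, f.dst, f.dport, f.src, f.sport)

    def initial(self, flow):
        """First packet of a session: tracked only if seen in an inspected direction."""
        if flow.direction not in self.directions:
            return False
        if self.ports is not None and flow.dport not in self.ports:
            return False
        self.sessions.add(self._key(flow))
        return True

    def is_return(self, flow):
        """Return traffic is recognised only when the forward session was tracked."""
        return self._reverse(flow) in self.sessions

    def ftp_reply(self, flow, line):
        """Server->client control line. A 227 reply is parsed only for a tracked session
        and yields a pinhole client -> announced ip:port for the upcoming data connection."""
        if not self.is_return(flow):
            return None
        ep = pasv_endpoint(line)
        if ep:
            self.pinholes.add(("tcp", flow.dst, ep[0], ep[1]))
        return ep

    def allows_data(self, flow):
        return (flow.proto, flow.src, flow.dst, flow.dport) in self.pinholes


def passive_ftp_scenario(directions, ports=None):
    """Internet client -> published FTP server (static NAT on port 21), passive data channel.
    Returns whether the client's data connection would be allowed through."""
    insp = Inspector(directions, ports)
    insp.initial(Flow(CLIENT_IP, 40001, WAN_IP, 21, "tcp", "in"))
    reply = Flow(WAN_IP, 21, CLIENT_IP, 40001, "tcp", "out")
    # Public address assumed already rewritten by the NAT ALG; 195*256 + 80 = 50000.
    insp.ftp_reply(reply, "227 Entering Passive Mode (198,51,100,5,195,80).")
    return insp.allows_data(Flow(CLIENT_IP, 40002, WAN_IP, 50000, "tcp", "in"))


def dns_scenario(directions):
    """LAN host's DNS query, NATted to the WAN address, and the resolver's answer."""
    insp = Inspector(directions)
    insp.initial(Flow(WAN_IP, 53001, DNS_SERVER, 53, "udp", "out"))
    return insp.is_return(Flow(DNS_SERVER, 53, WAN_IP, 53001, "udp", "in"))
```

In the model, an inspector built with `("out",)` lets the DNS answer back in but never sees the inbound FTP control session, so the `227` reply is ignored and the data connection to port 50000 is not expected; adding `"in"` fixes that. The `ports` filter stands in for a shorter inspection list: `Inspector(("in",), ports={21})` tracks only inbound sessions to the FTP port and nothing else, which is the shape of the second list the post asks about.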