CONFIG C877 IP SLA DYNDNS ALTERNATIVE
Posted: Thu 08 May, 2014 10:49 am
Hi guys, I don't know if this may be useful, but it solved a big problem for me: for a few months now Dyndns.com has been closing Free accounts, but I found a valid alternative for the dynamic public IP issue. That is, I registered at this link http://freedns.afraid.org/ and by following this procedure http://www.blindhog.net/cisco-routers-and-dynamic-dns/ you will have it solved.
In the meantime I'm posting the config as I built it; you change the parameters shown as *******.
Keep in mind that I have an Alice ADSL line and I run services such as VPN.
Bye everyone, I hope I've been useful.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service password-recovery
!
hostname ******** (use whatever you like)
!
boot-start-marker
boot system flash c870-advipservicesk9-mz.124-24.T8.bin (I used this IOS)
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
aaa authorization network (VPN group) local
!
!
aaa session-id common
memory-size iomem 15
clock timezone Italy 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
dot11 syslog
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address **.**.**.** **.**.**.** (IP range to exclude)
!
ip dhcp pool *****
import all
network **.**.**.** 255.255.255.0
default-router **.**.**.**
domain-name DHCP-HOME
dns-server **.**.**.** **.**.**.**
lease infinite
!
!
ip cef
no ip bootp server
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username ******** privilege 15 secret **********
username ******** password ********* (VPN user 1)
username ******** password ********* (VPN user 2)
!
crypto logging session
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group (VPN group)
key ***************** (use a long security key)
pool VPN-POOL
acl 158
include-local-lan
max-users 10
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map ****** 10
set security-association idle-time 3600
set transform-set myset
reverse-route
!
!
crypto map clientmap local-address Dialer1
crypto map clientmap client authentication list ****** (VPN group)
crypto map clientmap isakmp authorization list ***** (VPN group)
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic ***** (the one from the crypto dynamic-map ***** line)
!
archive
log config
hidekeys
!
!
ip tftp source-interface Vlan20
!
!
ip domain-lookup
!
interface ATM0
description "ADSL WAN"
no ip address
no atm ilmi-keepalive
dsl operating-mode adsl2+
!
interface ATM0.1 point-to-point
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
pvc 8/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
description "VLAN 20 DATI"
switchport access vlan 20
load-interval 30
speed 100
!
interface FastEthernet1
description "VLAN 20 DATI"
switchport access vlan 20
load-interval 30
speed 100
!
interface FastEthernet2
description "VLAN 20 DATI"
switchport access vlan 20
load-interval 30
speed 100
!
interface FastEthernet3
description "VLAN 20 DATI"
switchport access vlan 20
load-interval 30
speed 100
!
interface Vlan1
no ip address
shutdown
!
interface Vlan20
description "VLAN 20 DATI"
ip address **.**.**.** 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
load-interval 30
no autostate
crypto map clientmap
!
interface Dialer1
description "WAN ADSL"
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip access-group 101 in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp chap hostname *****************
ppp chap password *****************
ppp chap refuse
ppp pap sent-username *************** password *****************
ppp ipcp dns request
ppp ipcp wins request
crypto map clientmap
!
ip local pool VPN-POOL **.**.**.** **.**.**.** (enter the address pool for the VPN)
ip forward-protocol nd
ip forward-protocol turbo-flood
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route *VPN LAN* 255.255.255.240 Dialer1
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat translation timeout 420
ip nat translation tcp-timeout 150
ip nat translation pptp-timeout 420
ip nat translation udp-timeout 120
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat inside source list 100 interface Dialer1 overload
!
ip sla 1
http get http://freedns.afraid.org/dynamic/update.php?**follow the procedure from the link**
ip sla schedule 1 life forever start-time now
logging trap errors
logging facility local5
access-list 100 remark ***************************************************
access-list 100 remark ************ ACL-PORTE-TCP-UDP-DDNS-WAN ***********
access-list 100 deny ip *internal LAN* 0.0.0.255 *VPN LAN* 0.0.0.15
access-list 100 permit ip *internal LAN* 0.0.0.255 any
access-list 100 permit tcp any any
access-list 100 permit udp any any
access-list 100 permit ip any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 deny ip any any
access-list 101 remark ***************************************************
access-list 101 remark ************ ACL-PORTE-TCP-UDP-DDNS-WAN ***********
access-list 101 permit tcp host 204.140.20.21 eq www any log
access-list 101 permit udp host *ISP DNS* eq domain any
access-list 101 permit udp host *ISP DNS* eq domain any
access-list 101 permit gre any any
access-list 101 permit tcp any eq www any
access-list 101 deny udp any any eq 135 log
access-list 101 deny tcp any any eq 135 log
access-list 101 deny udp any any eq netbios-dgm log
access-list 101 deny tcp any any eq 445 log
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit udp host 207.46.232.42 eq ntp any
access-list 101 permit udp host 192.43.244.18 eq ntp any
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
access-list 158 remark ***********************************************************
access-list 158 remark ********** ACL PER SPLIT-TUNNEL DA VPN-CLIENT *************
access-list 158 permit ip *internal LAN* 0.0.0.255 *VPN LAN* 0.0.0.15
!
!
!
!
!
control-plane
banner login ^CC
********************************************************
WHATEVER YOU LIKE
********************************************************
!
line con 0
privilege level 15
logging synchronous
no modem enable
line aux 0
exec-timeout 5 0
modem DTR-active
transport input all
line vty 0 4
access-class 100 in
privilege level 15
logging synchronous
transport preferred none
transport input telnet
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
end
Ahh, sorry if there are errors in the config, but I'm not Cisco certified, I just like to play around with it a bit.
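The following is an added example, not part of the original post: a small Python check that flags settings in a config of this shape that are worth revisiting before the router faces the Internet (Telnet on the lines, "ip source-route", 3DES with DH group 2, the DDNS update URL sent over plain HTTP, users stored with "password", and ACL entries placed after "permit ip any any"). The rule list, the function name audit and the sample lines are assumptions made for the example; the DH rule also covers groups 1 and 5, which goes beyond what the post uses.

```python
import re

# Constructed sample in the shape of the posted config; all values are placeholders.
SAMPLE = """\
ip source-route
username vpnuser1 password PLACEHOLDER
crypto isakmp policy 3
 encr 3des
 group 2
ip sla 1
 http get http://freedns.afraid.org/dynamic/update.php?PLACEHOLDER
access-list 100 permit ip any any
access-list 100 permit icmp any any echo-reply
line vty 0 4
 access-class 100 in
 transport input telnet
"""

# (regex, finding) pairs, each matched against one stripped config line.
LINE_RULES = [
    (r"^ip source-route$", "IP source routing is enabled"),
    (r"^username \S+ password ", "local user stored with 'password' instead of 'secret'"),
    (r"^encr (des|3des)$", "IKE policy uses DES/3DES"),
    (r"^group [125]$", "IKE policy uses a DH group of 1536 bits or less"),
    (r"^transport input (telnet|all)$", "line accepts Telnet"),
    (r"^http get http://", "IP SLA sends the update URL over cleartext HTTP"),
]

def audit(config):
    """Return sorted (line_number, finding) tuples for IOS config text."""
    findings, open_acls = [], set()
    lines = [l.strip() for l in config.splitlines()]
    for n, line in enumerate(lines, 1):
        findings += [(n, msg) for pat, msg in LINE_RULES if re.search(pat, line)]
        m = re.match(r"access-list (\d+) (?:permit|deny) ", line)
        if m and m.group(1) in open_acls:
            findings.append((n, f"ACL {m.group(1)} entry follows 'permit ip any any' and never matches"))
        elif re.fullmatch(r"access-list \d+ permit ip any any", line):
            open_acls.add(line.split()[1])
    # Second pass: the vty lines come after the ACLs here, but do not rely on order.
    for n, line in enumerate(lines, 1):
        m = re.match(r"access-class (\d+) in$", line)
        if m and m.group(1) in open_acls:
            findings.append((n, f"access-class uses ACL {m.group(1)}, which has 'permit ip any any'"))
    return sorted(findings)

if __name__ == "__main__":
    for n, msg in audit(SAMPLE):
        print(f"line {n}: {msg}")
```

Each finding maps to a change in the config itself, for example "no ip source-route", "transport input ssh" on the vty lines, and a dedicated management ACL for access-class instead of reusing the NAT list.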