877W and server from the outside
Posted: Wed 14 Nov 2007, 8:11 pm
by bluecircle
Hello, I'm new here and I've just bought a Cisco 877W; I had an 827 before, but it's been years since I last tinkered with Cisco gear and now I'm having trouble.
I searched the forum but still haven't managed to solve my problem: I would like my Axis IP camera with IP xxx.xxx.xxx.xxx to be reachable from the outside as well; I have an ADSL line with a static IP.
How can I do that? I tried with
ip nat inside source static tcp LANIP porta DIALER0 porta
but I still can't reach the IP cam from the outside, help

Posted: Fri 16 Nov 2007, 12:26 am
by bluecircle
Could you at least tell me where I'm going wrong?
Thanks.
Posted: Fri 16 Nov 2007, 10:51 am
by bluecircle
I'm attaching my configuration, put together partly from suggestions found on this forum; there are surely some parts that need revising..
Code:
!
version 12.4
service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname XXX
!
boot-start-marker
boot-end-marker
!
logging exception 100000
logging count
logging userinfo
logging queue-limit 10000
logging buffered 150000 notifications
logging console critical
!
no aaa new-model
!
resource policy
!
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
ip cef
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 300
ip inspect hashtable-size 2048
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 60
ip inspect name IDS tcp
ip inspect name IDS udp
ip inspect name IDS ftp
no ip bootp server
ip domain name cisco.com
ip name-server 212.216.112.112
ip name-server 213.205.32.70
login block-for 1 attempts 3 within 30
login on-failure
login on-success
!
!
ip tcp selective-ack
ip tcp window-size 2144
ip tcp synwait-time 10
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool sdm-pool
import all
network 192.168.1.0 255.255.255.248
default-router 192.168.1.1
lease 0 2
!
!
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM netshow
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip domain name XXXXXX
ip name-server 212.216.112.112
!
appfw policy-name SDM_MEDIUM
application http
strict-http action allow alarm
port-misuse p2p action reset alarm
port-misuse tunneling action allow alarm
!
!
crypto pki trustpoint TP-self-signed-XXX
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-XXX
revocation-check none
rsakeypair TP-self-signed-XXX
!
!
crypto pki certificate chain TP-self-signed-XXX
certificate self-signed 01
quit
username XXX privilege 15 secret 5 XXXXXXXXXXXXXX
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no snmp trap link-status
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip inspect SDM_MEDIUM in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
ip address XXXX 255.255.255.0
ip access-group 101 in
ip inspect SDM_MEDIUM out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname XXXXXXXXXX
ppp chap password 0 XXXXXXXXXX
ppp pap sent-username XXXXXXXXXXXX password 0 XXXXXXXXXX
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.9 8082 interface Dialer0 8082
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit XXXXXXX 255.255.255.0
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip XXXXXXXXX 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for NTP (123) ntp1.ien.it
access-list 101 permit udp host 193.204.114.232 eq ntp host XXXXXXX eq ntp
access-list 101 permit udp host 212.216.112.112 eq domain host XXXXX
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host XXXXXXXX echo-reply
access-list 101 permit icmp any host XXXXXX time-exceeded
access-list 101 permit icmp any host XXXXXXXX unreachable
access-list 101 permit ip host 192.168.1.9 any
access-list 101 permit tcp host 195.168.1.9 eq 8082 host XXXXXXX eq 8082
access-list 101 remark *** ACL ANTI-SPOOFING ***
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 192.0.2.0 0.0.0.255 any log
access-list 101 deny ip 224.0.0.0 31.255.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 remark *** ACL PER BLOCCARE L'ACCESSO A VIRUS E ATTACCHI ***
access-list 101 deny tcp any any eq 135
access-list 101 deny udp any any eq 135
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny tcp any any eq 139
access-list 101 deny udp any any eq netbios-ss
access-list 101 deny tcp any any eq 445
access-list 101 deny tcp any any eq 593
access-list 101 deny tcp any any eq 2049
access-list 101 deny udp any any eq 2049
access-list 101 deny tcp any any eq 2000
access-list 101 deny tcp any any range 6000 6010
access-list 101 deny udp any any eq 1433
access-list 101 deny udp any any eq 1434
access-list 101 deny udp any any eq 5554
access-list 101 deny udp any any eq 9996
access-list 101 deny udp any any eq 113
access-list 101 deny udp any any eq 3067
access-list 111 remark *** ACL PER BLOCCARE ACCESSI NON AUTORIZZATI ***
access-list 111 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
banner login ^CC
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco".
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to use.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
exec-timeout 120 0
login local
no modem enable
transport output ssh
stopbits 1
line aux 0
login local
transport output ssh
stopbits 1
line vty 0 4
exec-timeout 0 0
login local
privilege level 15
transport input none
!
scheduler max-task-time 5000
ntp clock-period 17175027
ntp server 193.204.114.232 source Dialer0 prefer
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
I would like the address 192.168.1.9 port 8082 to be reachable at WAN IP:8082

Posted: Fri 16 Nov 2007, 11:20 am
by Wizard
1) Remove ip inspect from either the VLAN or the dialer, you have it twice!
2) Redo the ACL like this:
Code:
no access-l 101
access-list 101 permit tcp any any eq 8082
access-list 101 permit udp host *** eq ntp host *** eq ntp
access-list 101 permit udp host *** eq domain host ***
access-list 101 permit icmp any host *** echo-reply
access-list 101 permit icmp any host *** time-exceeded
access-list 101 permit icmp any host *** unreachable
access-list 101 permit ip host 192.168.1.9 any
access-list 101 remark *** ACL ANTI-SPOOFING ***
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 192.0.2.0 0.0.0.255 any log
access-list 101 deny ip 224.0.0.0 31.255.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 remark *** ACL PER BLOCCARE L'ACCESSO A VIRUS E ATTACCHI ***
access-list 101 deny tcp any any eq 135
access-list 101 deny udp any any eq 135
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny tcp any any eq 139
access-list 101 deny udp any any eq netbios-ss
access-list 101 deny tcp any any eq 445
access-list 101 deny tcp any any eq 593
access-list 101 deny tcp any any eq 2049
access-list 101 deny udp any any eq 2049
access-list 101 deny tcp any any eq 2000
access-list 101 deny tcp any any range 6000 6010
access-list 101 deny udp any any eq 1433
access-list 101 deny udp any any eq 1434
access-list 101 deny udp any any eq 5554
access-list 101 deny udp any any eq 9996
access-list 101 deny udp any any eq 113
access-list 101 deny udp any any eq 3067
access-list 111 remark *** ACL PER BLOCCARE ACCESSI NON AUTORIZZATI ***
access-list 111 deny ip any any log
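To see why the first inbound ACL blocked the camera and the revised one lets it through, here is an added example (not from the thread and not the poster's router) that walks a constructed viewer packet through a trimmed subset of both lists with a small IOS extended-ACL interpreter in Python. The WAN address masked as XXXXXXX above is assumed to be 198.51.100.10, and the viewer address 203.0.113.7 is likewise made up.

```python
import ipaddress
# Constructed sample, not the poster's real values: the masked WAN address is assumed to be 198.51.100.10.
WAN = "198.51.100.10"
ORIGINAL_ACL = f"""
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip host 192.168.1.9 any
access-list 101 permit tcp host 195.168.1.9 eq 8082 host {WAN} eq 8082
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
"""
FIXED_ACL = f"""
access-list 101 permit tcp any any eq 8082
access-list 101 permit udp host 193.204.114.232 eq ntp host {WAN} eq ntp
access-list 101 permit ip host 192.168.1.9 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
"""
PORTS = {"ntp": 123, "domain": 53, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

def _addr(t):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, remaining tokens)."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1]), t[2:]
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(t[1])))  # wildcard -> netmask
    return ipaddress.ip_network(f"{t[0]}/{mask}", strict=False), t[2:]

def _port(t):
    """Consume an optional 'eq P' operator (name or number); return (predicate, remaining tokens)."""
    if t and t[0] == "eq":
        p = PORTS.get(t[1]) or int(t[1])
        return (lambda x: x == p), t[2:]
    return (lambda x: True), t

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [log]' lines; remarks are skipped."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, rest = _addr(t[4:]); sport, rest = _port(rest)
        dst, rest = _addr(rest); dport, rest = _port(rest)
        entries.append((t[2], t[3], src, sport, dst, dport))
    return entries

def evaluate(entries, proto, src, sport, dst, dport):
    """Walk the ACL top-down as IOS does: first match wins, otherwise implicit deny (index None)."""
    for i, (action, p, snet, sp, dnet, dp) in enumerate(entries):
        if p in ("ip", proto) and ipaddress.ip_address(src) in snet and sp(sport) \
                and ipaddress.ip_address(dst) in dnet and dp(dport):
            return action, i
    return "deny", None

# Inbound on Dialer0 the ACL runs before NAT, so the viewer's packet is still addressed to the WAN IP.
VIEWER = ("tcp", "203.0.113.7", 51234, WAN, 8082)
print(evaluate(parse_acl(ORIGINAL_ACL), *VIEWER), evaluate(parse_acl(FIXED_ACL), *VIEWER))
```

The original list never matches a viewer's connection to port 8082: its only 8082 line requires the source to be host 195.168.1.9 with source port 8082, so the packet falls through to the implicit deny, while the revised list matches it on its first line.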
Posted: Fri 16 Nov 2007, 5:35 pm
by bluecircle
Thanks, I'll try

Posted: Fri 16 Nov 2007, 5:42 pm
by bluecircle
I've tried and tried again...but nothing...
Currently I have this configuration:
Code:
!
version 12.4
service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname hostname
!
boot-start-marker
boot-end-marker
!
logging exception 100000
logging count
logging userinfo
logging queue-limit 10000
logging buffered 150000 notifications
logging console critical
!
no aaa new-model
!
resource policy
!
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
ip cef
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 300
ip inspect hashtable-size 2048
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 60
ip inspect name IDS tcp
ip inspect name IDS udp
ip inspect name IDS ftp
no ip bootp server
ip domain name cisco.com
ip name-server 212.216.112.112
ip name-server 213.205.32.70
login block-for 1 attempts 3 within 30
login on-failure
login on-success
!
!
ip tcp selective-ack
ip tcp window-size 2144
ip tcp synwait-time 10
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool sdm-pool
import all
network 192.168.1.0 255.255.255.248
default-router 192.168.1.1
lease 0 2
!
!
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM netshow
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip domain name internavigando.net
ip name-server 212.216.112.112
!
appfw policy-name SDM_MEDIUM
application http
strict-http action allow alarm
port-misuse p2p action reset alarm
port-misuse tunneling action allow alarm
!
!
[...]
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no snmp trap link-status
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip inspect SDM_MEDIUM in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
[.....]
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.9 8082 interface Dialer0 8082
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit XXXXX 255.255.255.0
access-list 100 deny ip XXXXXXX 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
no access-l 101
access-list 101 permit tcp any any eq 8082
access-list 101 permit udp host 193.204.114.232 eq ntp host xxxxxxxxxx eq ntp
access-list 101 permit udp host 212.216.112.112 eq domain host xxxxxxx
access-list 101 permit icmp any host XXXXXX echo-reply
access-list 101 permit icmp any host XXXXXXX time-exceeded
access-list 101 permit icmp any host XXXXXXX unreachable
access-list 101 permit ip host 192.168.1.9 any
access-list 101 remark *** ACL ANTI-SPOOFING ***
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 192.0.2.0 0.0.0.255 any log
access-list 101 deny ip 224.0.0.0 31.255.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 remark *** ACL PER BLOCCARE L'ACCESSO A VIRUS E ATTACCHI ***
access-list 101 deny tcp any any eq 135
access-list 101 deny udp any any eq 135
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny tcp any any eq 139
access-list 101 deny udp any any eq netbios-ss
access-list 101 deny tcp any any eq 445
access-list 101 deny tcp any any eq 593
access-list 101 deny tcp any any eq 2049
access-list 101 deny udp any any eq 2049
access-list 101 deny tcp any any eq 2000
access-list 101 deny tcp any any range 6000 6010
access-list 101 deny udp any any eq 1433
access-list 101 deny udp any any eq 1434
access-list 101 deny udp any any eq 5554
access-list 101 deny udp any any eq 9996
access-list 101 deny udp any any eq 113
access-list 101 deny udp any any eq 3067
access-list 111 remark *** ACL PER BLOCCARE ACCESSI NON AUTORIZZATI ***
access-list 111 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
line con 0
exec-timeout 120 0
login local
no modem enable
transport output ssh
stopbits 1
line aux 0
login local
transport output ssh
stopbits 1
line vty 0 4
exec-timeout 0 0
login local
privilege level 15
transport input none
!
scheduler max-task-time 5000
ntp clock-period 17175027
ntp server 193.204.114.232 source Dialer0 prefer
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
Also, when the router reloads I get these errors:
%NAT: Error activating CNBAR on the interface Vlan1
%NAT: Error activating CNBAR on the interface Dialer0
Posted: Tue 20 Nov 2007, 12:22 am
by bluecircle
Solved, thanks to Wizard.
Does anyone know what those error messages I get when the configuration loads refer to? It should have something to do with NAT.
Posted: Tue 20 Nov 2007, 10:23 am
by Wizard
More often than not they're false errors, don't worry about them