877 and NAT disabled

Posted: Mon 19 Nov 2007, 11:16 am
by jpdefault
Hello everyone!
Is it possible to disable the NAT functions on the Cisco 877? The aim is to give the firewall sitting behind the 877 an IP from the static pool on the WAN interface and let the firewall do the NAT.
Apologies for the somewhat newbie question.

Posted: Thu 29 Nov 2007, 9:39 pm
by jpdefault
OK, here are a few more details.
Here is the current situation:

Code:

(Internet)<-----82.191.X.Y/29---[Router]---192.168.0.2/24----->(LAN)
Here is the goal:

Code:

(Internet)<-----82.191.X.Y/29---[Router]<-----82.191.X.Z---[Firewall]---192.168.0.2/24----->(LAN)
Cisco 877 router, currently configured like this:

Code:

(.......)
interface Null0
 no ip unreachables
!
interface Loopback0
 description $FW_INSIDE$
 ip address 82.191.X.Y 255.255.255.248
 ip access-group 104 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 ip address 82.191.X.Z 255.255.255.252
 ip access-group sdm_atm0.1_in in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect sdm_ins_in_100 in
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 pvc 8/35 
  encapsulation aal5snap
 !
 crypto map SDM_CMAP_1
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.2 255.255.255.0
 ip access-group no-www in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.20.0 192.168.20.255
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 82.191.X.J 255.255.255.255 Vlan1 permanent
ip route 82.191.X.K 255.255.255.255 Vlan1 permanent
ip route 192.168.0.251 255.255.255.255 Vlan1 permanent
ip route 192.168.0.252 255.255.255.255 Vlan1 permanent
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Loopback0 overload
ip nat inside source static 192.168.0.0 82.191.X.Y route-map SDM_RMAP_3
ip nat inside source static 192.168.0.251 82.191.X.J route-map SDM_RMAP_1
ip nat inside source static 192.168.0.252 82.191.X.K route-map SDM_RMAP_2
!
(......)
If I disable the NAT rules and leave the VLAN without an IP, the router and the firewall cannot ping each other.
I should also point out that I replaced the ACLs so as to allow all inbound and outbound connections.

Posted: Fri 30 Nov 2007, 5:10 pm
by jpdefault
More or less, I managed it on my own, like this:

Code:

!This is the running config of the router: 82.191.X.Z
!----------------------------------------------------------------------------
!version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 *****************************
!
username ******** privilege 15 secret 5 *********************************
no aaa new-model
ip subnet-zero
ip cef
!
no ip domain lookup
ip domain name peenservice.it
ip ips po max-events 100
no ftp-server write-enable
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$
 ip address 82.191.X.Y 255.255.255.255
 ip access-group sdm_atm0.1_in in
 pvc 8/35
  encapsulation aal5snap
 !
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$
 ip address 82.191.X.Z 255.255.255.255
 ip access-group sdm_vlan1_in in
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip access-list extended sdm_atm0.1_in
 remark SDM_ACL Category=1
 permit ip any any
ip access-list extended sdm_vlan1_in
 remark SDM_ACL Category=1
 permit ip any any
!
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 privilege level 15
 login local
 transport preferred all
 transport input telnet ssh
 transport output all
line vty 5 15
 privilege level 15
 login local
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
end

Is there something wrong, perhaps?

P.S.: Maybe I need to add:

Code:

ip route 82.191.X.J 255.255.255.255 interface Vlan1 permanent
ip route 82.191.X.K 255.255.255.255 interface Vlan1 permanent
for the two public IPs that have to be NATted by the firewall?
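An added check, not code from the thread: after the 30 Nov change the poster wants no NAT left on the 877, and the ACLs were deliberately replaced with "permit ip any any", so the router now forwards everything and the firewall behind it is the only filter. The script below parses two constructed excerpts modelled on the 29 Nov and 30 Nov configs (the octets X, Y and Z are the poster's own placeholders) and reports leftover `ip nat` statements, applied ACLs that permit everything, and management-plane settings (telnet on the vty lines, `ip http server`, `no service password-encryption`) that a reviewer would want to see on a router whose WAN-side ACL is wide open.

```python
# Added example (not from the thread): audit an IOS running-config excerpt for
# NAT statements that were meant to be removed and for filters that no longer
# filter anything. Both excerpts are constructed from the configs posted in the
# thread; the octets X, Y and Z are the poster's own placeholders.
import re
from collections import defaultdict

# Constructed excerpt of the 29 Nov config, while the 877 was still doing NAT.
BEFORE_EXCERPT = """\
interface Loopback0
 ip address 82.191.X.Y 255.255.255.248
 ip nat outside
interface Vlan1
 ip address 192.168.0.2 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface Loopback0 overload
"""

# Constructed excerpt of the 30 Nov config: NAT removed, ACLs permit everything.
AFTER_EXCERPT = """\
no service password-encryption
interface ATM0.1 point-to-point
 ip address 82.191.X.Y 255.255.255.255
 ip access-group sdm_atm0.1_in in
interface Vlan1
 ip address 82.191.X.Z 255.255.255.255
 ip access-group sdm_vlan1_in in
ip http server
ip access-list extended sdm_atm0.1_in
 remark SDM_ACL Category=1
 permit ip any any
ip access-list extended sdm_vlan1_in
 remark SDM_ACL Category=1
 permit ip any any
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
"""


def parse_ios(config):
    """Split an IOS config into top-level commands and the sub-commands of
    each interface, extended ACL and line section (ACL remarks are dropped)."""
    top, interfaces, acls, lines = [], defaultdict(list), defaultdict(list), defaultdict(list)
    section = None  # (kind, name) of the block the indented lines belong to
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):  # indented: belongs to the current section
            if section is None:
                continue
            kind, name = section
            cmd = raw.strip()
            if kind == "interface":
                interfaces[name].append(cmd)
            elif kind == "acl" and not cmd.startswith("remark"):
                acls[name].append(cmd)
            elif kind == "line":
                lines[name].append(cmd)
            continue
        parts = raw.split()
        if parts[0] == "interface":
            section = ("interface", parts[1])
        elif parts[:3] == ["ip", "access-list", "extended"]:
            section = ("acl", parts[3])
        elif parts[0] == "line":
            section = ("line", " ".join(parts[1:]))
        else:
            section = None
            top.append(raw.strip())
    return top, dict(interfaces), dict(acls), dict(lines)


def audit(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    top, interfaces, acls, lines = parse_ios(config)
    findings = []
    # 1. NAT left behind, either globally or on an interface.
    findings += [f"nat-leftover: {c}" for c in top if c.startswith("ip nat ")]
    findings += [f"nat-leftover: {n}: {c}" for n, cmds in interfaces.items()
                 for c in cmds if c.startswith("ip nat ")]
    # 2. An applied ACL containing "permit ip any any" filters nothing.
    for name, cmds in interfaces.items():
        for c in cmds:
            m = re.match(r"ip access-group (\S+) (in|out)$", c)
            if m and "permit ip any any" in acls.get(m.group(1), []):
                findings.append(f"open-acl: {m.group(1)} {m.group(2)} on {name}")
    # 3. Management plane: cleartext protocols and unencrypted secrets.
    for name, cmds in lines.items():
        for c in cmds:
            if c.startswith("transport input") and "telnet" in c.split():
                findings.append(f"telnet-enabled: line {name}")
    if "ip http server" in top:
        findings.append("http-management: ip http server")
    if "no service password-encryption" in top:
        findings.append("plaintext-passwords: no service password-encryption")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE_EXCERPT), ("after", AFTER_EXCERPT)):
        print(label)
        for finding in audit(text):
            print("  ", finding)
```

Run against the "before" excerpt it lists the three NAT statements that have to go; against the "after" excerpt it lists no NAT but flags both wide-open ACLs, telnet on the vty lines, the HTTP server and the cleartext password setting, which is the set of things to review once the firewall, not the 877, is meant to do the filtering.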

Posted: Mon 03 Dec 2007, 4:27 pm
by jpdefault
Answering my own question: by adding

Code:

ip route 82.191.X.J 255.255.255.255 Vlan1 permanent
ip route 82.191.X.K 255.255.255.255 Vlan1 permanent
everything works as it should.
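An added illustration of why those two host routes fix it, not code from the thread. In the 30 Nov config both ATM0.1 and Vlan1 carry a /32, so the 877 has no connected /29 and the only route is the default towards ATM0.1: a packet for 82.191.X.J arriving from the ISP matches nothing more specific and is sent straight back out the ADSL side. A /32 static route towards Vlan1 is longer than the default and wins the longest-prefix match. The script replays that lookup; the addresses are constructed stand-ins for the poster's placeholders (82.191.X.J becomes 82.191.0.10, 82.191.X.K becomes 82.191.0.11).

```python
# Added example (not from the thread): longest-prefix-match lookups against the
# thread's routing table before and after the 3 Dec fix, to show why the /32
# host routes towards Vlan1 make the firewall's public addresses reachable.
# Constructed stand-ins: 82.191.X.J -> 82.191.0.10, 82.191.X.K -> 82.191.0.11.
import ipaddress

FIREWALL_PUBLIC_IPS = ["82.191.0.10", "82.191.0.11"]  # the two IPs the firewall NATs

# 30 Nov table: only the default route out of the ADSL subinterface.
ROUTES_BEFORE = [("0.0.0.0/0", "ATM0.1")]
# 3 Dec table: the same, plus the host routes the poster added.
ROUTES_AFTER = ROUTES_BEFORE + [("82.191.0.10/32", "Vlan1"), ("82.191.0.11/32", "Vlan1")]


def lookup(table, dst):
    """Return the egress interface for dst, choosing the most specific matching
    prefix (the rule IOS applies when several routes cover the destination).
    Returns None when no route matches."""
    dst = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def missing_host_routes(table, firewall_ips, lan_iface="Vlan1"):
    """Firewall-owned public addresses that the table would send anywhere other
    than the LAN interface; each of these still needs a /32 route to lan_iface."""
    return [ip for ip in firewall_ips if lookup(table, ip) != lan_iface]


if __name__ == "__main__":
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        for ip in FIREWALL_PUBLIC_IPS:
            print(f"{label}: {ip} -> {lookup(table, ip)}")
        print(f"{label}: host routes still missing: "
              f"{missing_host_routes(table, FIREWALL_PUBLIC_IPS)}")
```

One caveat worth keeping in mind: the added routes name an interface rather than a next hop, so the 877 will ARP on Vlan1 for 82.191.X.J and 82.191.X.K themselves. The firewall's outside interface has to answer ARP for both addresses, otherwise the route alone does not get the packets delivered.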