Hi Andrea, thanks for the quick reply.
Now let me sum up even more clearly what I would like to do:
I have a connection with a classic .248 subnet (10.10.10.1 .248) and a point-to-point address (1.1.1.1 - subnet .252).
At the moment I am set up like this:
C2611 with 16F/64D and 12.3(24) IP/FW/IDS PLUS
ATM0/0 1.1.1.1 point-to-point IP
ETH0/0 192.168.0.254 LAN
ETH0/1 10.10.10.1 first public IP of the .248 subnet
At the moment I go out to the Internet through the 192.168.0.x LAN, using the point-to-point IP as the outside address, and that is fine with me.
On the .248 subnet I have to put some servers, and I want them to have the public IPs directly on their eth.
I would like to do this:
Upstream C2611:
ATM0/0 1.1.1.1 point-to-point IP
ETH0/0 192.168.0.254 LAN
ETH0/1 no IP address - connected with a CROSS cable (10 Mbit full duplex) to ETH0/1 of another C2611, which I would like to set up like this:
Downstream C2611:
ETH0/1 10.10.10.1 (first public IP of the .248 subnet)
ETH0/0 no IP assigned, network cable going to a switch to which the servers are attached; the servers will have the public IPs of the subnet on their eth, e.g. 10.10.10.5, gw 10.10.10.1 (the downstream 2611)
This way the first C2611 would be a dumb router with no particular filters, routing only.
The second one I would use as a crude packet filter and a CBAC firewall; if I wanted I could load 12.4 ADVANCED SECURITY. Basically I would like to use the second Cisco 2600 as a firewall appliance, even though I also have a PIX 501 if I want it...
How can I configure the various ETH0 interfaces to do what I want?
Thanks to whoever is willing to help me.
Here is the current configuration of the C2611: (the obvious parts removed)
I have already put fictitious IPs in the config as an example.
I also included a sh ver:
----------------------------------------
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(24), RELEASE SOFTWARE (fc4)
Technical Support:
http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Thu 18-Oct-07 14:26 by stshen
Image text-base: 0x80008098, data-base: 0x81A1E1E8
ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
xxxxxxxxx uptime is 2 weeks, 3 days, 3 hours, 2 minutes
System returned to ROM by reload at 12:40:18 CET Fri Jan 4 2008
System restarted at 12:43:41 CET Fri Jan 4 2008
System image file is "flash:c2600-ik9o3s3-mz.123-24.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco 2611 (MPC860) processor (revision 0x203) with 61440K/4096K bytes of memory.
Processor board ID JAD04140AVN (3707191581)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
---------------------------------------------------------------------
Building configuration...
Current configuration : 6386 bytes
!
! Last configuration change at 15:44:29 CET Mon Jan 21 2008 by maggiore
! NVRAM config last updated at 11:56:10 CET Mon Jan 21 2008 by maggiore
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname xxxxxxxxxxxxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 notifications
no logging console
no logging monitor
enable password 7 xxxxxxxxxxxxxxxxxx
!
clock timezone CET 1
no aaa new-model
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip cef
!
!
ip domain round-robin
ip domain name kpnqwest.it
ip name-server 217.97.32.2
ip name-server 217.97.32.7
ip dhcp excluded-address 192.168.0.0 192.168.0.10
ip dhcp excluded-address 192.168.0.250 192.168.0.254
!
ip dhcp pool EDILPROGRAM
network 192.168.0.0 255.255.255.0
default-router 192.168.0.254
dns-server 212.97.32.2 212.97.32.7
netbios-node-type h-node
domain-name EDILPROGRAM
!
no ip bootp server
ip inspect audit-trail
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 500
ip inspect one-minute high 600
ip inspect udp idle-time 15
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
ip inspect tcp max-incomplete host 300 block-time 0
ip audit attack action alarm drop reset
ip audit po max-events 100
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit name AUDIT info action alarm
ip audit name AUDIT attack action alarm drop reset
ipv6 unicast-routing
ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
username XXXXXXXXXXXXXXXXXXXX removed
!
!
ip tcp selective-ack
ip tcp synwait-time 10
ip ssh time-out 90
!
!
!
!
!
interface Null0
no ip unreachables
!
interface Tunnel0
no ip address
no ip redirects
ipv6 unnumbered Ethernet0/0
tunnel source ATM0/0
tunnel mode ipv6ip 6to4
!
interface ATM0/0
mtu 1500
bandwidth 1280
ip address 1.1.1.1 255.255.255.252
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip audit AUDIT in
atm ilmi-keepalive
dsl operating-mode itu-dmt
no snmp trap link-status
hold-queue 224 in
pvc 8/35
encapsulation aal5snap
!
!
interface Ethernet0/0
description 10Mbit Full-Duplex Link to LAN
ip address 192.168.0.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip mroute-cache
full-duplex
no cdp enable
hold-queue 100 in
hold-queue 100 out
!
interface Ethernet0/1
description Public Subnet for Internet Services
ip address 10.10.10.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip mroute-cache
shutdown
full-duplex
no cdp enable
hold-queue 100 in
hold-queue 100 out
!
ip nat translation timeout 3600
ip nat translation tcp-timeout 1200
ip nat translation udp-timeout 100
ip nat translation finrst-timeout 15
ip nat translation syn-timeout 45
ip nat translation icmp-timeout 120
ip nat inside source list 102 interface ATM0/0 overload
extendable
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
!
no logging trap
access-list 100 <SNIP REMOVED>
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
ipv6 route 2002::/16 Tunnel0
ipv6 route ::/0 2002:C058:6301::1
!
!
!
!
!
banner login ^CC
You are connected to $(hostname).$(domain) on line $(line).
If you are not authorized to access this system, disconnect now.
THIS IS FOR AUTHORIZED USE ONLY
Unauthorized or improper use of this system may result in
administrative disciplinary action and civil and criminal penalties.
By continuing to use this system you indicate your awareness of and consent
to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not
agree to the conditions stated in this warning.
Network Administrator: xxxxxxx
^C
!
line con 0
login local
transport output telnet
stopbits 1
line aux 0
login local
transport preferred none
transport output telnet
stopbits 1
line vty 0 4
login local
transport preferred ssh
transport input ssh
transport output telnet
flowcontrol software
!
scheduler max-task-time 5000
ntp clock-period 17208617
ntp server 192.43.244.18
ntp server 193.204.114.105
!
end
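Added example (the editor's, not part of the original post or of the poster's config): one way to wire the two C2611s as a routed pair with the downstream box acting as a CBAC firewall, using only commands available in the 12.3(24) IP/FW/IDS PLUS image shown above. Assumptions that are not in the post: a private transit /30 (192.168.1.0/30) between the two ETH0/1 ports, because a routed hop needs an address on both ends, so the public /29 sits on the downstream router's server-facing ETH0/0 (the servers keep gw 10.10.10.1 as planned); the ISP already routes 10.10.10.0/29 towards 1.1.1.1; a single published web server at 10.10.10.5. The hostname and ACL names are illustrative.

```cisco
! ===== Upstream C2611 ("a monte"): routing only, no filtering =====
! Added to the existing config; ATM0/0 and Ethernet0/0 stay as they are.
interface Ethernet0/1
 description Transit /30 to downstream firewall C2611 (crossover cable)
 ip address 192.168.1.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip nat inside
 full-duplex
 no cdp enable
 no shutdown
!
! The public /29 lives behind the firewall: static route to its transit address.
ip route 10.10.10.0 255.255.255.248 192.168.1.2
!
! ===== Downstream C2611 ("a valle"): packet filter + CBAC =====
hostname fw-valle
!
! Same global hardening as in the upstream config above.
no ip source-route
no ip gratuitous-arps
ip cef
!
! CBAC: track sessions the servers open outbound (updates, DNS, NTP) so that
! their return traffic is let back in through OUTSIDE-IN with temporary entries.
ip inspect audit-trail
ip inspect name SRV-OUT tcp
ip inspect name SRV-OUT udp
ip inspect name SRV-OUT icmp
!
interface Ethernet0/1
 description Transit /30 to upstream C2611
 ip address 192.168.1.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 full-duplex
 no cdp enable
!
interface Ethernet0/0
 description Public /29 for the servers (switch)
 ip address 10.10.10.1 255.255.255.248
 ip access-group SERVERS-IN in
 ip inspect SRV-OUT in
 no ip redirects
 no ip proxy-arp
 full-duplex
 no cdp enable
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! What the Internet may initiate towards the servers; everything else is
! dropped and logged. CBAC adds entries here for server-initiated sessions.
ip access-list extended OUTSIDE-IN
 remark anti-spoof: our own prefix never arrives from upstream
 deny   ip 10.10.10.0 0.0.0.7 any log
 remark published services (example host 10.10.10.5)
 permit tcp any host 10.10.10.5 eq www
 permit tcp any host 10.10.10.5 eq 443
 remark ICMP needed for reachability and path-MTU discovery
 permit icmp any 10.10.10.0 0.0.0.7 echo
 permit icmp any 10.10.10.0 0.0.0.7 packet-too-big
 permit icmp any 10.10.10.0 0.0.0.7 time-exceeded
 deny   ip any any log
!
! What the servers may send: only traffic sourced from their own /29.
ip access-list extended SERVERS-IN
 permit ip 10.10.10.0 0.0.0.7 any
 deny   ip any any log
```

Two things on the upstream box to check against this layout: access-list 100 (snipped in the post) on ATM0/0 must let inbound traffic for 10.10.10.0/29 through, and NAT list 102 only matches 192.168.0.0/24, so the servers' public addresses are forwarded untranslated as intended. On the firewall, `show ip inspect sessions` and `show access-lists OUTSIDE-IN` show the dynamic openings CBAC creates for server-initiated connections. The bump-in-the-wire layout exactly as described in the post (no IP on the two bridged ports, one address on the box) needs IRB plus the transparent IOS firewall, which arrived with 12.3(7)T and is in 12.4 Advanced Security but not in the 12.3 mainline image shown.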