877 vpn site to site + port forwarding...ma dove sbaglio??!!

[franzall]

Ciao,
ho già postato l'argomento precedentemente in questo forum quindi mi scuso per la ripetitività e spero di aver centrato la sezione giusta.
Grazie ai suggerimenti letti nel forum avevo configurato con successo un 877 per lavorare in vpn "site to site" con un asa 5510 nattando alcune porte su ip interni.
Purtroppo causa rottura dell'apparato ho dovuto sostituire l'877 con uno nuovo e impostando la medesima conf ho notato che il port forwarding non funzionava più, cioè tutto il resto era ok (nat su internet, vpn site to site, ecc..) ma non riesco esternamente a nettare la porta.
Ho provato in tutte le maniere a rigirare la conf ma senza successo, è possibile che dipenda dalla versione ios del nuovo 877?
Vi posto la conf che mi sembra corretta:

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CISCO877
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$9vlm$gqKylyjR1kz1MFLIBQFry.
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
clock timezone Paris 1
clock summer-time Paris date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.119
ip dhcp excluded-address 192.168.0.161 192.168.0.254
!
ip dhcp pool Sp-dhcp
import all
network 192.168.0.0 255.255.255.0
dns-server 194.179.1.100 194.179.1.101
default-router 192.168.0.1
netbios-name-server 10.0.0.9
domain-name last.es
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name roup.es
ip name-server 194.179.1.100
ip name-server 194.179.1.101
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
crypto pki trustpoint TP-self-signed-1671104223
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1671104223
revocation-check none
rsakeypair TP-self-signed-1671104223
!
!
crypto pki certificate chain tti
crypto pki certificate chain TP-self-signed-1671104223
certificate self-signed 01
3082025A 308201C3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31363731 31303432 3233301E 170D3032 30333031 30303035
31385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36373131
30343232 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100F6BD BC4AFE37 0FF8DB64 7F56C319 6DAAD221 B1849AB9 1E473216 3C5244CF
60BF7157 BEBC881B 120D39BD 1FE43DAF BC42EE52 AE3F0A72 B9A92EE9 CBE4F604
4D1DFD6D 5E35004D AE5F812C 63FE01DA 14D5E41E 3C8599D8 470798EF 1AEA3C4C
A6AAE8B7 B28173BA 0ECE756C 4690CDA1 B21DE43A 0D8239C9 5A7DAAA5 C22A70B8
F73F0203 010001A3 8181307F 300F0603 551D1301 01FF0405 30030101 FF302C06
03551D11 04253023 82214349 53434F38 37372D53 5041474E 412E666F 726D706C
61737467 726F7570 2E657330 1F060355 1D230418 30168014 940238E9 98CF4ED2
5990BF5A 7DB3DE7D 02B68DBC 301D0603 551D0E04 16041494 0238E998 CF4ED259
90BF5A7D B3DE7D02 B68DBC30 0D06092A 864886F7 0D010104 05000381 8100432A
3EF6071F AF743FE2 CED7EC59 062C924E C82AA7A5 EE00E7CD 07A3D7C0 922363D9
F11CE7BF 2BE0F245 D8D8EA55 C456DAFA 808E2680 E52D360D AE5D0B5E 9857362E
2C6D3CA0 F8DA75D9 841BFBE3 31416CE3 5884C348 6348E363 FCE155A3 D221B7EC
617F2F81 AF6648D9 5306440B 115C44F0 232F7879 2BA563D1 1129D526 5A68
quit
username admin privilege 15 view root secret 5 $1$RCrK$sIpS5/oqpiiHiN6VhqH2A.
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key limone address 83.xx.xx.xx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to83.xx.xx.xx
set peer 83.xx.xx.xx
set transform-set ESP-3DES-SHA
match address 102
!
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
ip address 80.xx.xx.xx 255.255.255.192
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
pvc 8/32
protocol ip 80.59.61.2 broadcast
oam-pvc manage
encapsulation aal5snap
!
crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 80.59.61.2
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map RM-1 interface ATM0.1 overload
ip nat inside source static tcp 192.168.0.230 5900 80.xx.xx.xx 5900 route-map RM-2 extendable
!
logging trap debugging
access-list 2 remark ********************
access-list 2 remark Accesso http router
access-list 2 remark ********************
access-list 2 permit 83.xx.xx.xx
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 permit 10.0.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.1 eq telnet
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 192.168.0.1 eq telnet
access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.1 eq 22
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 192.168.0.1 eq 22
access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.1 eq www
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 192.168.0.1 eq www
access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.1 eq 443
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 192.168.0.1 eq 443
access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.1 eq cmd
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 192.168.0.1 eq cmd
access-list 100 deny tcp any host 192.168.0.1 eq telnet
access-list 100 deny tcp any host 192.168.0.1 eq 22
access-list 100 deny tcp any host 192.168.0.1 eq www
access-list 100 deny tcp any host 192.168.0.1 eq 443
access-list 100 deny tcp any host 192.168.0.1 eq cmd
access-list 100 deny udp any host 192.168.0.1 eq snmp
access-list 100 deny ip 80.59.61.0 0.0.0.63 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp host 83.xx.xx.xx host 80.xx.xx.xx eq telnet
access-list 101 permit tcp host 83.xx.xx.xx host 80.xx.xx.xx eq 22
access-list 101 permit tcp host 83.xx.xx.xx host 80.xx.xx.xx eq www
access-list 101 permit tcp host 83.xx.xx.xx host 80.xx.xx.xx eq 443
access-list 101 permit tcp host 83.xx.xx.xx host 80.xx.xx.xx eq cmd
access-list 101 deny udp any host 80.xx.xx.xx eq snmp
access-list 101 permit udp host 83.xx.xx.xx host 80.xx.xx.xx eq non500-isakmp
access-list 101 permit udp host 83.xx.xx.xx host 80.xx.xx.xx eq isakmp
access-list 101 permit esp host 83.xx.xx.xx host 80.xx.xx.xx
access-list 101 permit ahp host 83.xx.xx.xx host 80.xx.xx.xx
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 103 remark ACL NAT SU INTERNET************************
access-list 103 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 remark *******
access-list 104 remark VTY****
access-list 104 remark *******
access-list 104 permit ip host 83.xx.xx.xx any
access-list 104 permit ip 10.0.0.0 0.0.0.255 any
access-list 104 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 deny ip any any log
access-list 105 remark ACL PENELOPE*******************************
access-list 105 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 105 permit ip any any log
no cdp run
route-map RM-2 permit 5
match ip address 105
!
route-map RM-1 permit 1
match ip address 103
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 104 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

[Wizard]

Cosa è che nn va di preciso?

ip nat inside source static tcp 192.168.0.230 5900 80.xx.xx.xx 5900 route-map RM-2 extendable

Non va la pubblicazione o la route map applicata?

[franzall]

Grazie per la Risposta...

Direi la route map perchè quando provo a contattare la porta sull'ip pubblico nei log vedo che i pacchetti sono bloccati dalla ACL 101 che è associata al traffico in entrata dell'interfaccia e non vedo nulla relativo all'ACL 105 che è appuno legata alla route-map RM-2.
Non so se può aiutare o se la cosa ha importanza ma ho notato che rimuovendo e re-inserendo la route map RM-2 questa mi finisce nella conf sempre sopra alla RM-1 che già esiste per il nat su internet.

Grazie.
Francesco.

[Wizard]

In effetti nella acl 101 manca la apertura x la porta nattata!
Rifai la acl così e dimenticati del pdm

Codice: Seleziona tutto

no access-list 101
access-list 101 remark *** ACL DA OUTSIDE--->INSIDE ***
access-list 101 permit tcp any host 80.xx.xx.xx eq 5900
access-list 101 permit tcp host 83.xx.xx.xx host 80.xx.xx.xx eq telnet
access-list 101 permit tcp host 83.xx.xx.xx host 80.xx.xx.xx eq 22
access-list 101 permit tcp host 83.xx.xx.xx host 80.xx.xx.xx eq www
access-list 101 permit tcp host 83.xx.xx.xx host 80.xx.xx.xx eq 443
access-list 101 permit tcp host 83.xx.xx.xx host 80.xx.xx.xx eq cmd
access-list 101 deny udp any host 80.xx.xx.xx eq snmp
access-list 101 permit udp host 83.xx.xx.xx host 80.xx.xx.xx eq non500-isakmp
access-list 101 permit udp host 83.xx.xx.xx host 80.xx.xx.xx eq isakmp
access-list 101 permit esp host 83.xx.xx.xx host 80.xx.xx.xx
access-list 101 permit ahp host 83.xx.xx.xx host 80.xx.xx.xx
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log 

[franzall]

Ciao Wizard,
scusa se ti rispondo solo ora, grazie per la dritta ho solo un dubbio:
perchè hai tolto nell'ACL la regola per l'ipsec:
access-list 101 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
?
Così facendo non blocchi il traffico vpn site to site?

Farò delle prove grazie a presto.

Francesco.

[Wizard]

No, è dalla relaese 12.2.x che nn occore + inserire la acl esplicita

[franzall]

Ciao Wizard,
purtroppo anche apportando la regola all'ACL in ingresso il risultato non cambia: dai log vedo che i pacchetti passano dall'interfaccia esterna ma la pubblicazione non funziona.
Direi quindi che il problema non sia sull'ACL applicata alla route map ma sulla regola ip nat source static ecc...
La cosa strana è che in passato ero riuscito con questa sintassi a far funzionare le cose e non capisco proprio cosa non funzioni questa volta.
C'è la possibilità dai log di vedere se il natting avviene correttamente?

Ti ringrazio in anticipo per il tuo prezioso aiuto.

Francesco

[Wizard]

ip nat inside source static tcp 192.168.0.230 5900 80.xx.xx.xx 5900 route-map RM-2 extendable

La regola mi sembra giusta cmq x vedere se viene corretamente processata devi fare

sh ip nat traslation