
Cisco 837, VPN and... NAT and access-lists

Posted: Wed 03 Oct 2007, 8:57 am
by mmjc23
Good morning everyone.
I'm new to this forum and, above all, a novice with Cisco routers.

My problem is the following: I have created a VPN between our company network and the customer's ADSL network.
However, since a VPN with the same IP address range as the customer's is already active, I would need to NAT the IP addresses of the customer's internal network to other IP addresses and apply access-lists to them. So I wanted to ask whether the customer configuration posted below is correct and, in particular, whether the instruction in bold will perform a one-to-one NAT of the IP addresses, that is, translate:
IP 192.168.3.51 ---> to 10.118.58.51
IP 192.168.3.52 ---> to 10.118.58.52
and so on....

Thanks

Code:

!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Prova_Router
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
no aaa new-model
!
resource policy
!
clock timezone Berlin 1
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
!
!
ip cef
no ip domain lookup
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
!
username xxx privilege 15 secret 5 $1$h7an$m7nbR/pQTTQdf1IB1hMgZ0
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PROVA address 61.120.26.70
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 local-address Loopback0
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to61.120.26.70
 set peer 61.120.26.70
 set transform-set ESP-3DES-SHA 
 match address VPN-TO-GEG
!
!
!
interface Loopback0
 ip address XXX.XXX.XXX.137 255.255.255.248
 crypto map SDM_CMAP_1
!
interface Ethernet0
 description $ETH-LAN$$FW_INSIDE$
 ip address 192.168.3.70 255.255.255.0
 ip access-group 100 in
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$
 ip address XXX.XXX.XXX.138 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 ip inspect SDM_LOW out
 no snmp trap link-status
 crypto map SDM_CMAP_1
 pvc 8/35 
  encapsulation aal5snap
 !
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.137
ip http server
ip http authentication local
no ip http secure-server
ip http max-connections 4
ip http timeout-policy idle 600 life 86400 requests 10000
!
[b]ip nat inside source static network 192.168.3.0 10.118.58.0 /24[/b]
!
!
ip access-list extended VPN-TO-GEG
 remark SDM_ACL Category=4
[b]permit ip 10.118.58.0 0.0.0.255 10.0.1.0 0.0.0.255[/b]
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip XXX.XXX.XXX.136 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ahp host 61.120.26.70 host XXX.XXX.XXX.137
access-list 101 permit esp host 61.120.26.70 host XXX.XXX.XXX.137
access-list 101 permit udp host 61.120.26.70 host XXX.XXX.XXX.137 eq isakmp
access-list 101 permit udp host 61.120.26.70 host XXX.XXX.XXX.137 eq non500-isakmp
[b]access-list 101 permit ip 10.0.1.0 0.0.0.255 10.118.58.0 0.0.0.255[/b]
access-list 101 deny   ip 192.168.3.0 0.0.0.255 any
access-list 101 permit icmp any host XXX.XXX.XXX.138 echo-reply
access-list 101 permit icmp any host XXX.XXX.XXX.138 time-exceeded
access-list 101 permit icmp any host XXX.XXX.XXX.138 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router Web Setup (CRWS) is installed on this device. 
This feature requires the one-time use of the username "cisco" 
with the password "cisco".

Please change these publicly known initial credentials using CRWS or the IOS CLI. 
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use. 

For more information about CRWS please follow the instructions in the QUICK START 
GUIDE for your router or go to http://www.cisco.com/en/US/products/sw/netmgtsw/ps2076/prod_troubleshooting_guide09186a0080132c3c.html
-----------------------------------------------------------------------
^C
!
line con 0
 exec-timeout 120 0
 login local
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 120 0
 login local
!
scheduler max-task-time 5000
end


Posted: Fri 05 Oct 2007, 4:10 pm
by mmjc23
Reading up online, I realised that it is not possible to configure the router to NAT the whole IP address range automatically; the IP addresses have to be NATted individually, so the new configuration is the following.
Since the site where I have to install the router is very far away, I wanted to ask for confirmation that the configuration is correct before the installation (in particular the NAT and the access-lists).
THANKS

Code:

!version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Prova
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
no aaa new-model
!
resource policy
!
clock timezone Berlin 1
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
!
!
ip cef
no ip domain lookup
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
!
username xyxyx privilege 15 secret 5 $1$pqbI$cGULvH5iVprXzMG9Mpckz0
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key VPNxxxYYYYYY address xxx.xxx.xxx.70
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 local-address Loopback0
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel toxxx.xxx.xxx.70
 set peer xxx.xxx.xxx.70
 set transform-set ESP-3DES-SHA 
 match address VPN-TO-YYY
!
!
!
interface Loopback0
 ip address yyy.yyy.yyy.137 255.255.255.248
 crypto map SDM_CMAP_1
!
interface Ethernet0
 description $ETH-LAN$$FW_INSIDE$
 ip address 192.168.3.70 255.255.255.0
 ip access-group 100 in
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$
 ip address yyy.yyy.yyy.138 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 ip inspect SDM_LOW out
 no snmp trap link-status
 crypto map SDM_CMAP_1
 pvc 8/35 
  encapsulation aal5snap
 !
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 yyy.yyy.yyy.137
ip http server
ip http authentication local
no ip http secure-server
ip http max-connections 4
ip http timeout-policy idle 600 life 86400 requests 10000
!
[color=red]ip nat inside source static 192.168.3.50 10.118.58.50
ip nat inside source static 192.168.3.51 10.118.58.51
ip nat inside source static 192.168.3.52 10.118.58.52
ip nat inside source static 192.168.3.53 10.118.58.53
ip nat inside source static 192.168.3.54 10.118.58.54
ip nat inside source static 192.168.3.55 10.118.58.55
ip nat inside source static 192.168.3.56 10.118.58.56
ip nat inside source static 192.168.3.57 10.118.58.57
ip nat inside source static 192.168.3.58 10.118.58.58
ip nat inside source static 192.168.3.59 10.118.58.59
ip nat inside source static 192.168.3.60 10.118.58.60
ip nat inside source static 192.168.3.61 10.118.58.61
ip nat inside source static 192.168.3.62 10.118.58.62
ip nat inside source static 192.168.3.63 10.118.58.63
ip nat inside source static 192.168.3.64 10.118.58.64
ip nat inside source static 192.168.3.65 10.118.58.65
ip nat inside source static 192.168.3.66 10.118.58.66
ip nat inside source static 192.168.3.67 10.118.58.67
ip nat inside source static 192.168.3.68 10.118.58.68
ip nat inside source static 192.168.3.69 10.118.58.69
ip nat inside source static 192.168.3.70 10.118.58.70
ip nat inside source static 192.168.3.71 10.118.58.71
ip nat inside source static 192.168.3.72 10.118.58.72
ip nat inside source static 192.168.3.73 10.118.58.73
ip nat inside source static 192.168.3.74 10.118.58.74
ip nat inside source static 192.168.3.75 10.118.58.75
ip nat inside source static 192.168.3.76 10.118.58.76
ip nat inside source static 192.168.3.77 10.118.58.77
ip nat inside source static 192.168.3.78 10.118.58.78
ip nat inside source static 192.168.3.79 10.118.58.79
ip nat inside source static 192.168.3.80 10.118.58.80[/color]
!
!
ip access-list extended VPN-TO-YYY
 remark SDM_ACL Category=4
 [color=red]permit ip 10.118.58.0 0.0.0.255 10.0.1.0 0.0.0.255[/color]
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip yyy.yyy.yyy.136 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ahp host xxx.xxx.xxx.70 host yyy.yyy.yyy.137
access-list 101 permit esp host xxx.xxx.xxx.70 host yyy.yyy.yyy.137
access-list 101 permit udp host xxx.xxx.xxx.70 host yyy.yyy.yyy.137 eq isakmp
access-list 101 permit udp host xxx.xxx.xxx.70 host yyy.yyy.yyy.137 eq non500-isakmp
[color=red]access-list 101 permit ip 10.0.1.0 0.0.0.255 10.118.58.0 0.0.0.255[/color]
access-list 101 deny   ip 192.168.3.0 0.0.0.255 any
access-list 101 permit icmp any host yyy.yyy.yyy.138 echo-reply
access-list 101 permit icmp any host yyy.yyy.yyy.138 time-exceeded
access-list 101 permit icmp any host yyy.yyy.yyy.138 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
!
control-plane
!
banner login ^CC
-----------------------------------------------------------------------
Cisco Router Web Setup (CRWS) is installed on this device. 
This feature requires the one-time use of the username "cisco" 
with the password "cisco".

Please change these publicly known initial credentials using CRWS or the IOS CLI. 
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use. 

For more information about CRWS please follow the instructions in the QUICK START 
GUIDE for your router or go to http://www.cisco.com/en/US/products/sw/netmgtsw/ps2076/prod_troubleshooting_guide09186a0080132c3c.html
-----------------------------------------------------------------------
^C
!
line con 0
 exec-timeout 120 0
 login local
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 120 0
 login local
!
scheduler max-task-time 5000
end
Basically, I would like to NAT the 192.168.3.x addresses to 10.118.58.x while keeping the 4th byte of the IP unchanged.
e.g.
-192.168.3.51--->10.118.58.51
-192.168.3.60--->10.118.58.60

Thanks
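As an added worked example (not part of the thread and not the poster's or Cisco's code), the following Python script models what the highlighted parts of the two configs do together: the one-to-one translation of 192.168.3.x to 10.118.58.x with the host octet preserved (the `static network` form of the first post and the per-host lines of the second), Cisco wildcard-mask matching, and first-match evaluation of the crypto ACL (VPN-TO-GEG / VPN-TO-YYY) and of ACL 101. It also runs the two checks a reviewer would want before travelling to the site: that every per-host static entry keeps the last octet, and that the interfaces carry the `ip nat inside` / `ip nat outside` markers that static NAT needs (the interface stanzas as posted carry neither). The ACL lines are quoted from the post; the interface excerpt and the deliberately wrong NAT line are constructed for the example, and all function names are the example's own.

```python
"""Added example (not the poster's config or Cisco code): models the static NAT and ACL
behaviour asked about in the thread, using the posted addresses; 'constructed' data is ours."""
import ipaddress
import re

MASK32 = 0xFFFFFFFF

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~_ip(wildcard) & MASK32
    return (_ip(addr) & care) == (_ip(base) & care)

def static_network_nat(addr, inside_net, outside_net, prefix_len):
    """'ip nat inside source static network <in> <out> /<len>': swap the network
    bits, keep the host bits. Returns None when addr is outside the inside net."""
    host_bits = (1 << (32 - prefix_len)) - 1
    a = _ip(addr)
    if (a & ~host_bits & MASK32) != _ip(inside_net):
        return None
    return str(ipaddress.IPv4Address(_ip(outside_net) | (a & host_bits)))

def _parse_spec(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)

def parse_acl(lines):
    """Parse 'permit|deny <proto> <src> <dst> ...'; remarks and trailing 'log' are skipped."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[:1] == ["access-list"]:
            tokens = tokens[2:]  # drop 'access-list <number>'
        if not tokens or tokens[0] == "remark":
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, swc = _parse_spec(rest)
        dst, dwc = _parse_spec(rest)
        entries.append((action, proto, src, swc, dst, dwc))
    return entries

def acl_lookup(entries, proto, src, dst):
    """First match wins; the implicit deny applies when nothing matches."""
    for action, p, s, swc, d, dwc in entries:
        if p in ("ip", proto) and wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"

# Crypto ACL and the relevant lines of ACL 101, as posted in the thread.
CRYPTO_ACL = parse_acl(["permit ip 10.118.58.0 0.0.0.255 10.0.1.0 0.0.0.255"])
ACL_101 = parse_acl([
    "access-list 101 remark SDM_ACL Category=1",
    "access-list 101 permit ip 10.0.1.0 0.0.0.255 10.118.58.0 0.0.0.255",
    "access-list 101 deny   ip 192.168.3.0 0.0.0.255 any",
    "access-list 101 deny   ip 10.0.0.0 0.255.255.255 any",
    "access-list 101 deny   ip any any log",
])
# Constructed: the posted interface stanzas reduced to their NAT-relevant lines,
# and three per-host NAT lines from the second config plus one deliberately wrong one.
INTERFACE_EXCERPT = """\
interface Ethernet0
 ip access-group 100 in
interface ATM0.1 point-to-point
 crypto map SDM_CMAP_1
"""
NAT_LINES = [
    "ip nat inside source static 192.168.3.50 10.118.58.50",
    "ip nat inside source static 192.168.3.51 10.118.58.51",
    "ip nat inside source static 192.168.3.60 10.118.58.61",  # constructed mismatch
]

def trace_outbound(inside_host, remote_host):
    """Inside host -> peer LAN: IOS applies inside->outside NAT before the crypto
    map is consulted, so the crypto ACL must match the translated source."""
    translated = static_network_nat(inside_host, "192.168.3.0", "10.118.58.0", 24)
    src = translated or inside_host
    return src, acl_lookup(CRYPTO_ACL, "ip", src, remote_host)

def trace_return(remote_host, translated_host):
    """Return traffic against ACL 101 as written: the 10.118.58.0/24 permit sits above the 10/8 deny."""
    return acl_lookup(ACL_101, "ip", remote_host, translated_host)

def check_host_octet_preserved(nat_lines):
    """Flag per-host static entries whose inside and outside last octets differ."""
    return [line for line in nat_lines
            if line.split()[-2].rsplit(".", 1)[1] != line.split()[-1].rsplit(".", 1)[1]]

def check_nat_interfaces(config_text):
    """Static NAT only acts on interfaces marked 'ip nat inside'/'ip nat outside'; list the missing markers."""
    return [m for m in ("ip nat inside", "ip nat outside")
            if not re.search(r"^\s+" + re.escape(m) + r"\s*$", config_text, re.M)]

if __name__ == "__main__":
    print(trace_outbound("192.168.3.51", "10.0.1.10"))  # ('10.118.58.51', 'permit')
    print(trace_return("10.0.1.10", "10.118.58.51"), check_nat_interfaces(INTERFACE_EXCERPT))
```

Run directly, the script shows the translated source and the ACL verdicts; an untranslated 192.168.3.x source is denied by the crypto ACL, which is why the translation has to be in place before the crypto map sees the packet, and the interface check reports both NAT markers as missing for the stanzas as posted.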

Well...

Posted: Tue 16 Oct 2007, 10:08 am
by mmjc23
Well... with this configuration I can't even ping the assigned public IP address from the Internet.
Does anyone know whether there is a command to reset the ATM or Loopback interface?
Thanks

Posted: Tue 16 Oct 2007, 10:47 am
by liscio
ehm... I think I have a similar problem...
:(

http://www.ciscoforums.it/viewtopic.php?t=6486