Slow FTP transfers from inside to DMZ

Moderator: Federico.Lagni

nerviano
n00b
Posts: 20
Joined: Wed 15 Apr, 2009 9:07 am

Hi,
I was asked to take a look at a PIX 515
where, from the private network 10.1.1.x,
downloads from or uploads to the FTP server on the DMZ are extremely slow,
while from outside (from the Internet) the problem does not occur.
I can't figure out why.
I'm posting the configuration.
Bye



PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 dmz2 security80
enable password xxxx/xxxx/xxxx encrypted
passwd xxxx/xxxx/xxxx encrypted
hostname pix-plutone
domain-name plutone2.it
clock timezone CEST 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 10.1.100.0 sottorete_ale
name 10.1.1.103 TecAssistenza03
name 10.1.254.31 SERVERLEAD01
name 10.1.254.21 SERVERBOTT01
name 10.1.254.22 SERVERBOTT02
name 222.222.222.96 RETE_EXPLAN
name 222.222.222.144 RETE_Assistenza
name 10.1.254.32 SERVER02
name 10.1.254.30 SERVER00
name 10.1.0.40 SERVER03
name 10.1.1.88 FERCRI
name 10.1.1.101 ADAAND
name 222.222.222.34 FTPPub
name 10.1.0.15 Branca
name 192.168.3.23 Manco
name 10.1.1.60 collegiale
name 10.1.1.104 Tec04
name 222.222.222.254 RETE_Wind
name 192.168.245.218 DEBIANDB
name 10.1.0.25 Caramelle
name 10.1.1.25 AMM
name 192.168.100.0 NETWORKA
name 192.168.246.114 FTP
name 192.168.100.16 AS
name 10.1.0.29 Brandi
name 192.168.100.13 QS29IWAS
name 10.1.1.100 quinto
name 10.1.0.16 Losteria
name 10.1.1.130 TecAssistenza05
name 10.1.1.131 TecAssistenza06
name 10.10.200.0 Porte
name 172.30.103.0 Porte2
name 172.30.125.0 porte3
name 10.10.202.0 porte4
name 10.1.0.2 DON
name 10.1.1.64 CAS
name 192.168.245.116 eX
name 192.168.246.101 SRVwind
name 10.1.3.16 test
object-group service srvTCPOUT tcp
description Default TCP services allowed from the LAN to the Internet
port-object eq ftp
port-object eq nntp
port-object eq ftp-data
port-object eq telnet
port-object eq https
port-object eq domain
port-object eq ssh
port-object eq pop3
port-object eq smtp
object-group service srvUDPOUT udp
description Default UDP services allowed from the LAN to the Internet
port-object eq ntp
port-object range 1352 1352
port-object eq domain
access-list acl-in remark Certified mail
access-list acl-in permit tcp any any eq 995
access-list acl-in remark Certified mail
access-list acl-in permit tcp any any eq 465
access-list acl-in remark Default rule TCP LAN to OUT
access-list acl-in permit tcp any any object-group srvTCPOUT
access-list acl-in remark Default rule UDP LAN to OUT
access-list acl-in permit udp any any object-group srvUDPOUT
access-list acl-in permit tcp host 10.1.1.50 any eq www
access-list acl-in permit tcp host 10.1.1.51 any eq www
access-list acl-in permit tcp host 10.1.1.52 any eq www
access-list acl-in remark FOR ASSISTENZA VPN
access-list acl-in permit tcp host 10.1.1.53 any
access-list acl-in permit tcp host 10.1.1.54 any eq www
access-list acl-in permit tcp host 10.1.1.55 any eq www
access-list acl-in permit tcp host 10.1.1.56 any eq www
access-list acl-in permit tcp host 10.1.1.57 any eq www
access-list acl-in permit tcp host 10.1.1.58 any eq www
access-list acl-in permit tcp host 10.1.1.58 any eq 4050
access-list acl-in permit tcp host 10.1.1.62 any eq www
access-list acl-in permit tcp host 10.1.1.64 any eq www
access-list acl-in permit tcp host 10.1.1.65 any eq www
access-list acl-in permit tcp host 10.1.1.87 any eq www
access-list acl-in permit tcp host 10.1.1.88 any eq www
access-list acl-in permit tcp host 10.1.1.89 any eq www
access-list acl-in permit tcp host 10.1.1.91 any eq www
access-list acl-in permit tcp host 10.1.1.92 any eq www
access-list acl-in permit tcp host 10.1.1.94 any eq www
access-list acl-in permit tcp host 10.1.1.95 any eq www
access-list acl-in permit tcp host 10.1.1.96 any eq www
access-list acl-in permit tcp host 10.1.1.97 any eq www
access-list acl-in permit ip host 10.1.1.100 any
access-list acl-in permit ip host 10.1.1.101 any
access-list acl-in permit tcp host 10.1.1.102 any eq www
access-list acl-in permit tcp host 10.1.1.103 any eq www
access-list acl-in remark TecAssistenza04
access-list acl-in permit ip host 10.1.1.104 any
access-list acl-in remark TecAssistenza05
access-list acl-in permit ip host 10.1.1.130 any
access-list acl-in remark TecAssistenza06
access-list acl-in permit ip host 10.1.1.131 any
access-list acl-in permit tcp host 10.1.1.112 any eq www
access-list acl-in permit tcp host 10.1.0.10 any eq www
access-list acl-in permit tcp host 10.1.0.16 any eq www
access-list acl-in permit tcp host 10.1.0.244 any eq www
access-list acl-in permit tcp host 192.168.3.23 any eq www
access-list acl-in permit tcp host 192.168.3.24 any eq www
access-list acl-in permit tcp host 192.168.3.25 any eq www
access-list acl-in permit tcp host 192.168.3.27 any eq www
access-list acl-in permit tcp host 192.168.4.23 any eq www
access-list acl-in permit icmp any any
access-list acl-in permit tcp host 10.1.1.115 any
access-list acl-in permit tcp host 10.1.246.115 any
access-list acl-in permit tcp host 10.1.1.90 any eq www
access-list acl-in permit tcp host 10.1.0.40 any eq www
access-list acl-in permit tcp host 10.1.0.40 any eq https
access-list acl-in permit tcp host 10.1.0.52 any
access-list acl-in permit tcp host 10.1.2.50 any eq www
access-list acl-in permit tcp host 10.1.2.51 any eq www
access-list acl-in permit tcp host 10.1.2.52 any eq www
access-list acl-in permit tcp host 10.1.2.53 any eq www
access-list acl-in permit tcp host 10.1.1.61 any eq www
access-list acl-in permit tcp any any eq 3389
access-list acl-in permit tcp host 10.1.1.118 any eq www
access-list acl-in permit tcp host 10.1.1.118 any eq 4050
access-list acl-in permit ip host 10.1.0.40 any
access-list acl-in permit tcp host 10.1.1.69 any eq www
access-list acl-in permit tcp host 10.1.1.69 any eq https
access-list acl-in permit ip host 10.1.2.53 any
access-list acl-in permit ip host 10.1.1.119 any
access-list acl-in permit tcp host 10.1.1.105 any eq www
access-list acl-in permit tcp host 192.168.4.22 any eq www
access-list acl-in permit tcp host 10.1.1.109 any eq www
access-list acl-in permit ip host 10.1.1.116 any
access-list acl-in permit tcp host 192.168.3.28 any eq www
access-list acl-in permit tcp host 192.168.3.35 any eq www
access-list acl-in permit tcp host 192.168.3.36 any eq www
access-list acl-in permit tcp host 10.1.2.54 any eq www
access-list acl-in permit ip host 10.1.2.56 any
access-list acl-in permit ip host 10.1.15.1 any
access-list acl-in permit ip host 10.1.15.2 any
access-list acl-in permit ip host 10.1.15.3 any
access-list acl-in permit ip host 10.1.15.4 any
access-list acl-in permit ip host 10.1.15.5 any
access-list acl-in permit ip host 10.1.15.6 any
access-list acl-in permit ip host 10.1.15.7 any
access-list acl-in permit ip host 10.1.15.8 any
access-list acl-in permit ip host 10.1.15.9 any
access-list acl-in permit ip host 10.1.15.10 any
access-list acl-in permit ip host 10.1.15.11 any
access-list acl-in permit ip host 10.1.15.12 any
access-list acl-in permit ip host 10.1.15.13 any
access-list acl-in permit ip host 10.1.15.14 any
access-list acl-in permit ip host 10.1.15.15 any
access-list acl-in permit ip host 10.1.15.16 any
access-list acl-in remark external access granted to the subnet
access-list acl-in permit tcp 10.1.100.0 255.255.255.0 any
access-list acl-in remark
access-list acl-in permit tcp host 10.1.254.30 any
access-list acl-in remark Internet access from SERVER00
access-list acl-in permit ip host 10.1.254.32 any
access-list acl-in remark Internet access from SERVER01
access-list acl-in permit tcp host 10.1.254.31 any
access-list acl-in permit ip host 10.1.254.21 any
access-list acl-in remark SERVERBOTT02
access-list acl-in permit ip host 10.1.254.22 any
access-list acl-in permit tcp host 10.1.1.93 any eq www
access-list acl-in permit tcp host 192.168.3.22 any
access-list acl-in remark Permit Internet
access-list acl-in permit tcp host 10.1.0.2 any eq www
access-list acl-in permit tcp host 10.1.0.15 any eq www
access-list acl-in remark Permit Internet
access-list acl-in permit tcp host 10.1.0.29 any eq www
access-list acl-in remark ASAssistenza access
access-list acl-in permit ip 10.1.0.0 255.255.0.0 host 192.168.100.16
access-list acl-in remark Permit to WAS Assistenza
access-list acl-in permit ip 10.1.0.0 255.255.0.0 host 192.168.100.13
access-list acl-in permit tcp host 10.1.0.8 any eq www
access-list acl-in remark PERMIT VNC TO Porte
access-list acl-in permit tcp any host 192.168.246.101 range 5900 5904
access-list acl-in remark PERMIT SFTP TO DEBIAN_DB
access-list acl-in permit tcp any host 192.168.245.218 eq ssh
access-list acl-out permit tcp any host 222.222.222.34 eq ftp-data
access-list acl-out permit tcp any host 222.222.222.34 eq ftp
access-list acl-out permit udp any host 222.222.222.35 eq isakmp
access-list acl-out permit esp any host 222.222.222.35
access-list acl-out permit tcp any host 222.222.222.41 eq www
access-list acl-out permit tcp any host 222.222.222.41 eq https
access-list acl-out remark Allow SMTP mail server
access-list acl-out permit tcp any host 222.222.222.41 eq smtp
access-list acl-out remark Allow POP3 mail server
access-list acl-out permit tcp any host 222.222.222.41 eq pop3
access-list acl-out permit tcp any host 222.222.222.41 eq imap4
access-list acl-out permit gre any any
access-list acl-dmz permit esp any any
access-list acl-dmz remark Allow DNS
access-list acl-dmz permit tcp 192.168.246.0 255.255.255.0 any eq domain
access-list acl-dmz remark Allow DNS
access-list acl-dmz permit udp 192.168.246.0 255.255.255.0 any eq domain
access-list acl-dmz remark Allow NTP
access-list acl-dmz permit udp 192.168.246.0 255.255.255.0 any eq ntp
access-list acl-dmz remark Allow WWW
access-list acl-dmz permit tcp 192.168.246.0 255.255.255.0 any eq www
access-list vpnplutone permit ip 10.1.0.0 255.255.0.0 any
access-list vpnplutone permit ip 192.168.246.0 255.255.255.0 any
access-list vpnplutone permit ip 192.168.245.0 255.255.255.0 any
access-list vpnAssistenza_dmz permit ip 10.1.0.0 255.255.0.0 172.20.100.0 255.255.255.0
access-list nonat_inside permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list nonat_inside permit ip 10.1.0.0 255.255.0.0 host 192.168.100.16
access-list nonat_inside permit ip 10.1.0.0 255.255.0.0 host 172.20.100.206
access-list nonat_inside permit ip 10.1.0.0 255.255.0.0 host 192.168.100.13
access-list nonat_dmz permit ip 192.168.246.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat_dmz permit ip 192.168.246.0 255.255.255.0 172.30.125.0 255.255.255.0
access-list nonat_dmz permit ip 192.168.246.0 255.255.255.0 172.30.103.0 255.255.255.0
access-list nonat_dmz permit ip 192.168.246.0 255.255.255.0 10.10.200.0 255.255.255.252
access-list nonat_dmz permit ip 192.168.246.0 255.255.255.0 10.10.202.0 255.255.255.0
access-list nonat_dmz2 permit ip 192.168.245.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpnAssistenza_lan permit ip 10.1.0.0 255.255.0.0 192.168.100.0 255.255.255.0
access-list vpnPorte_lan permit ip 192.168.246.0 255.255.255.0 172.30.103.0 255.255.255.0
access-list vpnPorte_lan permit ip 192.168.246.0 255.255.255.0 172.30.125.0 255.255.255.0
access-list vpnPorte_lan permit ip 192.168.246.0 255.255.255.0 10.10.200.0 255.255.255.252
access-list vpnPorte_lan permit ip 192.168.246.0 255.255.255.0 10.10.202.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging console debugging
logging monitor debugging
logging buffered errors
logging trap debugging
logging history debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu dmz2 1500
ip address outside 222.222.222.35 255.255.255.240
ip address inside 10.1.1.40 255.255.0.0
ip address dmz 192.168.246.113 255.255.255.0
ip address dmz2 192.168.245.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.10.100-192.168.10.150
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address dmz2


pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 222.222.222.44-222.222.222.45
global (outside) 1 222.222.222.43
global (dmz) 1 192.168.246.118-192.168.246.120
global (dmz) 1 192.168.246.117
global (dmz2) 1 192.168.245.118-192.168.245.120
global (dmz2) 1 192.168.245.117
nat (inside) 0 access-list nonat_inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list nonat_dmz
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz2) 0 access-list nonat_dmz2
static (inside,dmz2) 192.168.245.106 10.1.0.106 netmask 255.255.255.255 0 0
static (inside,dmz2) 192.168.245.18 10.1.1.18 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.246.40 10.1.0.40 netmask 255.255.255.255 0 0
static (dmz,outside) 222.222.222.34 192.168.246.114 netmask 255.255.255.255 0 0
static (inside,outside) 222.222.222.41 10.1.0.40 netmask 255.255.255.255 0 0
static (inside,outside) 222.222.222.42 10.1.2.53 netmask 255.255.255.255 0 0
static (inside,dmz2) 192.168.245.245 10.1.2.53 netmask 255.255.255.255 0 0
static (inside,dmz2) 192.168.245.246 10.1.1.88 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
access-group acl-in in interface inside
access-group acl-dmz in interface dmz
established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0
route outside 0.0.0.0 0.0.0.0 222.222.222.33 1
route inside 192.168.2.0 255.255.255.0 10.1.1.3 1
route inside 192.168.3.0 255.255.255.0 10.1.1.3 1
route inside 192.168.4.0 255.255.255.0 10.1.1.3 1
timeout xlate 3:00:00
timeout conn 4:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 150.145.55.6 source outside prefer
ntp server 193.204.114.105 source outside
http server enable
http 222.222.222.96 255.255.255.224 outside
http 222.222.222.144 255.255.255.255 outside
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 0
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set vpnclient esp-des esp-md5-hmac
crypto ipsec transform-set lan2lan esp-des esp-md5-hmac
crypto dynamic-map cisco 20 set transform-set vpnclient
crypto map vpn 15 ipsec-isakmp
crypto map vpn 15 match address vpnAssistenza_lan
crypto map vpn 15 set peer 222.222.222.144
crypto map vpn 15 set transform-set lan2lan
crypto map vpn 25 ipsec-isakmp
crypto map vpn 25 match address vpnPorte_lan
crypto map vpn 25 set peer 222.222.222.254
crypto map vpn 25 set transform-set lan2lan
crypto map vpn 100 ipsec-isakmp dynamic cisco
crypto map vpn client authentication LOCAL
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address 222.222.222.144 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 222.222.222.254 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 60
isakmp policy 13 authentication pre-share
isakmp policy 13 encryption des
isakmp policy 13 hash md5
isakmp policy 13 group 2
isakmp policy 13 lifetime 28800
vpngroup vpnplutone address-pool vpnpool
vpngroup vpnplutone dns-server 10.1.254.30
vpngroup vpnplutone default-domain plutone2.it
vpngroup vpnplutone split-tunnel vpnplutone
vpngroup vpnplutone idle-time 1800
vpngroup vpnplutone password ********
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 30
ssh 222.222.222.96 255.255.255.224 outside
ssh 222.222.222.144 255.255.255.255 outside
ssh 10.1.0.0 255.255.0.0 inside
ssh timeout 30
console timeout 0
username Fasato password xxxx/xxxx encrypted privilege 1
username DiBianco password xxxxxxxxx.i.e encrypted privilege 1
username QS29I password xxxxxxxx.xxxxxx encrypted privilege 1
username Giove password x/xx/xxxxxxx encrypted privilege 1
username Saturno password xxxxxxxxx encrypted privilege 1
username Maddalena password Xxxxxxxxxx encrypted privilege 1
terminal width 80
Cryptochecksum:xxxxxxxxxxxxx
: end
Last edited by nerviano on Wed 06 May, 2009 6:14 pm, edited 1 time in total.
ketVet
Cisco power user
Posts: 90
Joined: Thu 14 Jul, 2005 6:59 pm

Can you send the output of the sh int command?
Thanks!
nerviano
n00b
Posts: 20
Joined: Wed 15 Apr, 2009 9:07 am

But I'm not on the PIX... I don't have VPN access
ketVet
Cisco power user
Posts: 90
Joined: Thu 14 Jul, 2005 6:59 pm

Have someone run this command for you ...
nerviano
n00b
Posts: 20
Joined: Wed 15 Apr, 2009 9:07 am

pix-plutone# sh int
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0003.6bf7.2caa
IP address xxx.yyy.zzz.kkkk, subnet mask 255.255.255.240
MTU 1500 bytes, BW 100000 Kbit full duplex
121761178 packets input, 1503718160 bytes, 0 no buffer
Received 135966 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
100710933 packets output, 1223330901 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/16)
output queue (curr/max blocks): hardware (0/32) software(0/1)

interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0003.6bf7.2cab
IP address xxx.yyy.zzz.kkkk, subnet mask 255.255.0.0
MTU 1500 bytes, BW 100000 Kbit full duplex
79177712 packets input, 3485079988 bytes, 0 no buffer
Received 11748998 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
83917080 packets output, 2280909815 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
14 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/33)
output queue (curr/max blocks): hardware (1/24) software (0/1)

interface ethernet2 "dmz" is up, line protocol is up
Hardware is i82559 ethernet, address is 0002.b3ca.9ea2
IP address 192.168.246.113, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
48086905 packets input, 2898756377 bytes, 0 no buffer
Received 172216 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
50029228 packets output, 2437596808 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/32)
output queue (curr/max blocks): hardware (0/31) software (0/1)

interface ethernet3 "dmz2" is up, line protocol is up
Hardware is i82559 ethernet, address is 0003.47ac.5c7b
IP address xxx.yyy.zzz.kkkk, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
473417 packets input, 68501139 bytes, 0 no buffer
Received 172232 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
583671 packets output, 840790561 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/21)
output queue (curr/max blocks): hardware (0/16) software (0/1)
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb, 2006 10:04 am
Location: Emilia Romagna

Are you doing FTP on the standard ports 20 and 21?
The future is made of people who have intuitions and visions ..... they are the people who make the difference ...... those endowed with a THIRD EYE....
nerviano
n00b
Posts: 20
Joined: Wed 15 Apr, 2009 9:07 am

Yes, ftp and ftp-data.
Are you saying I should also open the ports above the well-known ports, since the protocol starts the data transfer from those ports?

Thanks
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb, 2006 10:04 am
Location: Emilia Romagna

The fixup is there, so no other ACLs are needed...
Does the rest of the traffic run fine?
nerviano
n00b
Posts: 20
Joined: Wed 15 Apr, 2009 9:07 am

Yes, the rest of the traffic runs fine.
While I'm at it, another question: in your opinion, if I can't get to the Internet from DMZ2 (apart from the fact that there is no ACL allowing it; there isn't one in the posted config, but I ran some tests by creating an ACL that you don't see), is it because there is no NAT that allows it?
A nat (dmz2) 0 access-list nonat_dmz2 has been configured,
but there is no NAT 1 (see the NAT for DMZ2).

Thanks
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb, 2006 10:04 am
Location: Emilia Romagna

Yes, you need to do a PAT on the IP of the outside interface (for example) to let the DMZ in question out to the Internet
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb, 2006 10:04 am
Location: Emilia Romagna

Otherwise, how much RAM do you have?
Is it a PIX 515 or a 515E?
Can you schedule an upgrade to IOS v 8?
Are you sure it isn't a server problem with the FTP?
nerviano
n00b
Posts: 20
Joined: Wed 15 Apr, 2009 9:07 am

Something like
nat (dmz2) 1 0.0.0.0 0.0.0.0 0 0, right???

PIX-515-UR... if I'm not mistaken the RAM is 128... I can't tell you exactly right now

The server doesn't seem to be the problem, since from outside it works fine...

I've never done the upgrade to v 8, but is it advisable to back up the configuration????
Bye and thanks
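
The NAT question in the last posts (a `nat (dmz2) 0` exemption exists, but no `nat (dmz2) 1`) can be checked mechanically. The following Python script is an added example, not part of the original thread: it pairs each `nat (if) N` with the `global (if) N` pools on lower-security interfaces, using the `nameif`, `global` and `nat` lines from the posted configuration. The function names are hypothetical, and statics, `nat 0` exemptions and ACLs are deliberately left out of the check.

```python
import re

# Constructed excerpt: nameif, global and nat lines copied from the posted config.
CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 dmz2 security80
global (outside) 1 222.222.222.44-222.222.222.45
global (outside) 1 222.222.222.43
global (dmz) 1 192.168.246.118-192.168.246.120
global (dmz) 1 192.168.246.117
global (dmz2) 1 192.168.245.118-192.168.245.120
global (dmz2) 1 192.168.245.117
nat (inside) 0 access-list nonat_inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list nonat_dmz
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz2) 0 access-list nonat_dmz2
"""

NAMEIF = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
RULE = re.compile(r"^(nat|global)\s+\((\S+)\)\s+(\d+)\s+(.*)$")


def parse(config):
    """Return (security levels, dynamic nat IDs per interface, global pools)."""
    levels, nat_ids, pools = {}, {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = NAMEIF.match(line)
        if m:
            levels[m.group(1)] = int(m.group(2))
            continue
        m = RULE.match(line)
        if not m:
            continue
        kind, iface, nat_id, rest = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if kind == "nat" and nat_id != 0:
            # nat 0 is an exemption, not a dynamic translation, so it is skipped.
            nat_ids.setdefault(iface, set()).add(nat_id)
        elif kind == "global":
            pools.setdefault((iface, nat_id), []).append(rest)
    return levels, nat_ids, pools


def dynamic_paths(config):
    """Map (source, destination) to the global pools usable for dynamic NAT/PAT."""
    levels, nat_ids, pools = parse(config)
    paths = {}
    for src, src_level in levels.items():
        for dst, dst_level in levels.items():
            if dst_level >= src_level:
                continue  # only higher-security to lower-security directions
            usable = []
            for nat_id in sorted(nat_ids.get(src, ())):
                usable += pools.get((dst, nat_id), [])
            paths[(src, dst)] = usable
    return paths


def missing_paths(config):
    """Outbound directions with no matching nat/global pair."""
    return sorted(pair for pair, usable in dynamic_paths(config).items() if not usable)


if __name__ == "__main__":
    for pair in missing_paths(CONFIG):
        print("no dynamic translation: %s -> %s" % pair)
```

On the posted lines it reports dmz2 as the only source interface without a dynamic translation, and it also shows that inside-to-dmz traffic is translated through the `global (dmz) 1` pool.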