Help with ACL
Posted: Sat 28 Apr 2007 10:50 am
Hi everyone,
I have a problem configuring an ACL on a Cisco 877 router connected via Alice Impresa ADSL.
My router has one IP on atm0.1, the point-to-point IP 85.x.x.x, and on vlan1 the IP 172.16.1.254 plus the public IP 82.x.x.x.
I have doubts about the security of this config, but I followed Telecom's instructions.
Now I need to allow the first host on the LAN, 172.16.1.1, to reach the internet on ports 80 and 443, to allow GTalk (TCP ports 5222 and 5223), DNS queries (so UDP and TCP 53), and telnet for remote management. Everything is denied for the other hosts. I also need an ACL that allows site-to-site VPN traffic towards a 10.0.0.0 network. This is the config, but with these ACLs it does not work. Can anyone help me?
Thanks in advance
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 877
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no ip source-route
ip cef
!
!
!
!
ip domain name interbusiness.it
ip name-server 151.99.125.2
ip name-server 151.99.0.100
!
multilink bundle-name authenticated
!
!
!
!
interface ATM0
no ip address
ip access-group 100 in
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
bandwidth 4096
ip address 85.XX.YY.ZZ 255.255.255.0
ip access-group 100 in
ip nat outside
ip virtual-reassembly
no snmp trap link-status
pvc 8/35
oam-pvc manage
oam retry 5 5 1
encapsulation aal5snap
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 172.16.1.254 255.255.255.0 secondary
ip address 82.YY.ZZ.KK 255.255.255.248
ip nat inside
ip virtual-reassembly
ip access-group 101 in
hold-queue 100 out
!
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
!
!
ip http server
ip http secure-server
ip nat pool <NOME DEL POOL> 82.YY.ZZ.K XX.YY.ZZ.K+5 netmask 255.255.255.248
ip nat inside source list 1 pool <POOL> overload
!
access-list 101 permit ip any host <ip pubblico sede per gestione remota>
access-list 101 permit ip any host <ip pubblico sede per gestione remota>
access-list 101 permit ip any host <ip pubblico sede per gestione remota>
access-list 101 permit tcp host 172.16.1.1 any eq 5222
access-list 101 permit tcp host 172.16.1.1 any eq 5223
access-list 101 permit tcp host 172.16.1.1 any eq 53
access-list 101 permit udp host 172.16.1.1 any eq 53
access-list 101 permit tcp host 172.16.1.1 any eq 80
access-list 101 permit tcp host 172.16.1.1 any eq 443
access-list 101 permit tcp host 172.16.1.254 any eq 5222
access-list 101 permit tcp host 172.16.1.254 any eq 5223
access-list 101 permit tcp host 172.16.1.254 any eq 53
access-list 101 permit udp host 172.16.1.254 any eq 53
access-list 101 permit tcp host 172.16.1.254 any eq 80
access-list 101 permit tcp host 172.16.1.254 any eq 443
access-list 101 permit icmp 172.16.1.0 0.0.0.255 any time-exceeded
access-list 101 permit icmp 172.16.1.0 0.0.0.255 any echo
access-list 101 permit icmp 172.16.1.0 0.0.0.255 any echo-reply
access-list 101 permit icmp 172.16.1.0 0.0.0.255 any source-quench
access-list 101 deny ip any any
access-list 100 permit tcp any host 172.16.1.1 eq 5222
access-list 100 permit tcp any host 172.16.1.1 eq 5223
access-list 100 permit tcp any host 172.16.1.1 eq 53
access-list 100 permit udp any host 172.16.1.1 eq 53
access-list 100 permit tcp any host 172.16.1.1 eq 80
access-list 100 permit tcp any host 172.16.1.1 eq 443
access-list 100 permit tcp any host 172.16.1.254 eq 5222
access-list 100 permit tcp any host 172.16.1.254 eq 5223
access-list 100 permit tcp any host 172.16.1.254 eq 53
access-list 100 permit udp any host 172.16.1.254 eq 53
access-list 100 permit tcp any host 172.16.1.254 eq 80
access-list 100 permit tcp any host 172.16.1.254 eq 443
access-list 100 permit tcp any 82.xx.yy.zz 0.0.0.255 eq 5222
access-list 100 permit tcp any 82.xx.yy.zz 0.0.0.255 eq 5223
access-list 100 permit tcp any 82.xx.yy.zz 0.0.0.255 eq 53
access-list 100 permit udp any 82.xx.yy.zz 0.0.0.255 eq 53
access-list 100 permit tcp any 82.xx.yy.zz 0.0.0.255 eq 80
access-list 100 permit tcp any 82.xx.yy.zz 0.0.0.255 eq 443
access-list 100 permit tcp any 82.xx.yy.zz 0.0.0.255 eq 5222
access-list 100 permit tcp any 82.xx.yy.zz 0.0.0.255 eq 5223
access-list 100 permit tcp any 82.xx.yy.zz 0.0.0.255 eq 53
access-list 100 permit udp any 82.xx.yy.zz 0.0.0.255 eq 53
access-list 100 permit tcp any 82.xx.yy.zz 0.0.0.255 eq 80
access-list 100 permit tcp any 82.xx.yy.zz 0.0.0.255 eq 443
access-list 100 permit ip host <ip pubblico sede per gestione remota> any
access-list 100 permit ip host <ip pubblico sede per gestione remota> any
access-list 100 permit ip host <ip pubblico sede per gestione remota> any
access-list 100 deny ip any any
!
!
!
!
control-plane
!
!
line con 0
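Added example, not part of the original post or of any reply in the thread: a revised ACL set for the 877 above, written from the posted configuration. The core problem in the post is in access-list 100: "permit tcp any host 172.16.1.1 eq 80" describes a new connection to port 80 on a private address, while the replies the host actually receives arrive with source port 80 and an ephemeral destination port, addressed to the public NAT address (the inbound ACL on ATM0.1 is evaluated before NAT un-translation, so it never sees 172.16.1.x as a destination). Every reply is therefore dropped by the final deny. A second problem is that "ip nat inside source list 1" refers to access-list 1, which is not defined in the posted config. The example below uses CBAC (ip inspect) to open return paths dynamically instead of enumerating reply ports, and adds the NAT exemption and inbound permits a site-to-site IPsec tunnel needs. Placeholders from the post (<ip pubblico sede per gestione remota>, <POOL>, 85.XX.YY.ZZ, 82.YY.ZZ.KK) are kept; <VPN_PEER> (the remote tunnel endpoint) and the assumption that the whole 172.16.1.0/24 LAN may reach 10.0.0.0/8 over the tunnel are mine, not from the post.

```cisco
! Added example (not from the original post). Assumed: <VPN_PEER> is the
! remote IPsec peer; the whole LAN may use the tunnel to 10.0.0.0/8.
!
! 1. NAT: the post references "list 1" but never defines access-list 1.
!    Define the NAT ACL and exclude tunnel traffic so it is not translated.
no ip nat inside source list 1 pool <POOL> overload
ip access-list extended NAT-INSIDE
 deny   ip 172.16.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 172.16.1.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE pool <POOL> overload
!
! 2. Inside ACL (Vlan1 in): what 172.16.1.1 may initiate. The posted
!    entries for 172.16.1.254 are unnecessary: that is the router's own
!    address and its traffic never enters Vlan1 as an inbound packet.
ip access-list extended LAN-IN
 remark 172.16.1.1: web, GTalk (XMPP), DNS, ping
 permit tcp host 172.16.1.1 any eq 80
 permit tcp host 172.16.1.1 any eq 443
 permit tcp host 172.16.1.1 any eq 5222
 permit tcp host 172.16.1.1 any eq 5223
 permit udp host 172.16.1.1 any eq 53
 permit tcp host 172.16.1.1 any eq 53
 permit icmp host 172.16.1.1 any echo
 remark site-to-site VPN towards 10.0.0.0/8 (assumed: whole LAN)
 permit ip 172.16.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip any any log
!
! 3. Outside ACL (ATM0.1 in). Sessions started from the LAN are tracked
!    by CBAC, which opens the return path dynamically; the static ACL only
!    lists what may arrive unsolicited from the internet.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
ip access-list extended WAN-IN
 remark telnet management from the office only, to the router's addresses
 permit tcp host <ip pubblico sede per gestione remota> host 85.XX.YY.ZZ eq 23
 permit tcp host <ip pubblico sede per gestione remota> host 82.YY.ZZ.KK eq 23
 remark IPsec site-to-site from the VPN peer: ISAKMP, NAT-T, ESP
 permit udp host <VPN_PEER> host 85.XX.YY.ZZ eq isakmp
 permit udp host <VPN_PEER> host 85.XX.YY.ZZ eq non500-isakmp
 permit esp host <VPN_PEER> host 85.XX.YY.ZZ
 remark replies to the router's own DNS lookups (router-generated
 remark traffic is not tracked by CBAC by default)
 permit udp host 151.99.125.2 eq 53 host 85.XX.YY.ZZ
 permit udp host 151.99.0.100 eq 53 host 85.XX.YY.ZZ
 remark ICMP needed for path MTU discovery and traceroute
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
interface ATM0
 no ip access-group 100 in
interface ATM0.1
 no ip access-group 100 in
 ip access-group WAN-IN in
 ip inspect FW out
interface Vlan1
 no ip access-group 101 in
 ip access-group LAN-IN in
!
! 4. Hardening the poster already worries about: the posted ACL 100
!    lets the whole internet reach tcp/80 and tcp/443 on the public block
!    while "ip http server" is enabled on the router itself.
no ip http server
no ip http secure-server
service password-encryption
ip access-list standard MGMT
 permit host <ip pubblico sede per gestione remota>
line vty 0 4
 access-class MGMT in
 transport input telnet
```

The crypto map, transform set and ISAKMP policy for the tunnel itself are not shown, since the post gives no detail about the peer; the crypto ACL for it would match the same "172.16.1.0 0.0.0.255 to 10.0.0.0 0.255.255.255" traffic that NAT-INSIDE exempts from translation. Check the result with "show ip inspect sessions" while 172.16.1.1 browses, and "show access-lists WAN-IN" to confirm the counters on the deny line are ordinary background noise rather than dropped replies.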