NAT is acting up

Configurations for ADSL and ISDN connectivity and switches for home users and small networks

Moderator: Federico.Lagni

[Dj][DMX]
Co-administrator
Posts: 428
Joined: Wed 24 Nov 2004, 12:42 am
Location: Udine

Hi all, I'm writing because something trivial is escaping me and I can't figure it out on my own...

This is my configuration:

Code: Select all

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
hostname Bagigio
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
!
!
aaa session-id common
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-4268052272
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4268052272
 revocation-check none
 rsakeypair TP-self-signed-4268052272
!
!
crypto pki certificate chain TP-self-signed-4268052272
 certificate self-signed 01 nvram:IOS-Self-Sig#B.cer
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.0.1 192.168.0.10
!
ip dhcp pool CASA
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1 
   domain-name CASA
   dns-server 88.149.128.12 88.149.128.22 
!
!
ip domain name xxxxxx.dyndns.org
ip name-server 88.149.128.12
ip name-server 88.149.128.22
ip inspect max-incomplete low 297
ip inspect max-incomplete high 372
ip inspect one-minute high 1721
ip inspect one-minute low 1377
ip inspect name IDS ftp
ip inspect name IDS dns
ip inspect name IDS h323
ip inspect name IDS https
ip inspect name IDS icmp
ip inspect name IDS realaudio
ip inspect name IDS tftp
ip inspect name IDS tcp
ip inspect name IDS udp
ip inspect name IDS http
ip inspect name IDS ssh
ip ddns update method dyndns
 HTTP
  add http://xxxxxxx:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 28 0 0 0
!
login block-for 300 attempts 3 within 30
!
multilink bundle-name authenticated
!
!
username xxxxx password 7 xxxxxxxxx
! 
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 15
ip ssh version 2
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto 
 no dsl bitswap
!
interface ATM0.1 point-to-point
 pvc 8/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip access-group 199 out
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface Dialer0
 ip ddns update hostname xxx.dyndns.org
 ip ddns update dyndns
 ip address negotiated
 ip access-group 100 in
 ip nat outside
 ip inspect IDS out
 ip virtual-reassembly
 encapsulation ppp
 ip tcp header-compression
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username xxxxxx password 7 xxxxxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
ip http authentication local
no ip http secure-server
ip nat translation timeout 300
ip nat translation tcp-timeout 120
ip nat translation udp-timeout 100
ip nat translation finrst-timeout 10
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 30
ip nat inside source static udp 192.168.0.10 88 interface Dialer0 88
ip nat inside source static udp 192.168.0.10 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.0.10 3074 interface Dialer0 3074
ip nat inside source static udp 192.168.0.8 22 interface Dialer0 2222
ip nat inside source static tcp 192.168.0.3 5000 interface Dialer0 5000
ip nat inside source static udp 192.168.0.3 5001 interface Dialer0 5001
ip nat inside source static udp 192.168.0.2 4672 interface Dialer0 4672
ip nat inside source static tcp 192.168.0.2 4662 interface Dialer0 4662
ip nat inside source static tcp 192.168.0.8 8000 interface Dialer0 8000
ip nat inside source static tcp 192.168.0.8 8001 interface Dialer0 8001
ip nat inside source list 1 interface Dialer0 overload
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark *** ACL PER INTERFACCIA ESTERNA ***
access-list 100 remark *** REGOLE PER VIRUS & co ***
access-list 100 deny   ip host 0.0.0.0 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   ip 192.0.2.0 0.0.0.255 any
access-list 100 deny   ip 224.0.0.0 31.255.255.255 any
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 deny   ip 172.16.0.0 0.15.255.255 any
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any host-unreachable
access-list 100 permit icmp any any net-unreachable
access-list 100 deny   icmp any any
access-list 100 deny   udp any any eq netbios-ss
access-list 100 deny   udp any any eq netbios-ns
access-list 100 deny   udp any any eq netbios-dgm
access-list 100 remark *****************************
access-list 100 remark *** REGOLE PER XBOX LIVE ***
access-list 100 permit udp any any eq 88
access-list 100 remark ****************************
access-list 100 remark *** REGOLE PER SSH ***
access-list 100 permit tcp any any eq 22
access-list 100 remark ****************************
access-list 100 deny   tcp any any lt 1024
access-list 100 deny   udp any any lt 1024
access-list 100 permit ip any any
access-list 199 remark *** ACL PER INTERFACCIA ETHERNET ***
access-list 199 remark *** REGOLE PER XBOX LIVE ***
access-list 199 permit udp any host 192.168.0.10 eq 88
access-list 199 permit tcp any host 192.168.0.10 gt 1024
access-list 199 permit udp any host 192.168.0.10 gt 1024
access-list 199 remark ****************************
access-list 199 remark *** REGOLE PER SSH ***
access-list 199 permit tcp any host 192.168.0.1 eq 22
access-list 199 permit tcp any host 192.168.0.8 eq 22
access-list 199 remark ****************************
access-list 199 remark *** REGOLE PER STARCRAFT 2 ***
access-list 199 permit tcp any host 192.168.0.3 eq 1119
access-list 199 permit udp any host 192.168.0.3 eq 1119
access-list 199 permit tcp any host 192.168.0.3 eq 1120
access-list 199 remark ******************************
access-list 199 remark *** REGOLE PER EMULE ***
access-list 199 permit tcp any host 192.168.0.2 eq 4662
access-list 199 permit udp any host 192.168.0.2 eq 4672
access-list 199 permit udp any host 192.168.0.3 eq 5001
access-list 199 permit tcp any host 192.168.0.3 eq 5000
access-list 199 remark ************************
access-list 199 remark *** REGOLE PER IL SERVER BITTORRENT***
access-list 199 permit tcp any host 192.168.0.8 eq 8000
access-list 199 permit tcp any host 192.168.0.8 eq 8001
access-list 199 remark ************************
access-list 199 permit tcp any any established
access-list 199 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
 no modem enable
 stopbits 1
 speed 115200
line aux 0
line vty 0 1
 access-class 1 in
 exec-timeout 120 0
 privilege level 15
 password 7 xxxxxxxx
 logging synchronous
 length 0
 transport input telnet ssh
line vty 2 4
 exec-timeout 120 0
 privilege level 15
 logging synchronous
 length 0
 transport input ssh
!
scheduler max-task-time 5000
sntp server 207.46.197.32
sntp server 192.43.244.18
end
The problem is this: dyndns works perfectly, but the only one of the NATted services I can reach from outside is the one on port 8000 of PC 192.168.0.8; everything else appears non-existent! I noticed this because I tried to set up SSH access to the router from outside, without success: the connection is refused. The same happens if I try an SSH connection on port 2222, which is then NATted to port 22 of an internal server. From the LAN both SSH services work perfectly. (In case you're wondering: no, I'm not trying to SSH from the LAN to my public IP, I'm trying from another network ;-) )

The router is an 877 with IOS c870-advipservicesk9-mz.124-15.T8.bin

I'm hopefully awaiting some enlightenment =)

Thanks.
I don't know whether God exists, but if he does I hope he has a good excuse!
Piergiorgio Welby
Rizio
Messianic Network master
Posts: 1158
Joined: Fri 12 Oct 2007, 2:48 pm

Hi,
first of all, congratulations on the router config, really a model of tidiness, order and completeness!
That said, for SSH I think the problem is this:
ip nat inside source static udp 192.168.0.8 22 interface Dialer0 2222
The udp protocol slipped in there....

As for the rest, I wonder whether it could be a matter of timeouts or particularly strict settings.

Rizio
Si vis pacem para bellum
[Dj][DMX]

Thanks for the reply, and for the compliments: I am indeed a maniac ;-) .

That one is indeed an oversight, but it doesn't explain why SSH to the router doesn't work from outside: that NAT line is (or rather, would be) for an internal server.

Anyway, I removed that line and added these two

Code: Select all

ip nat inside source static tcp 192.168.0.8 22 interface Dialer0 2222
ip nat inside source static tcp 192.168.0.1 22 interface Dialer0 22
Now SSH to the server ( 192.168.0.8 ) works, but not to the router itself =(
Rizio

[Dj][DMX] wrote:

Code: Select all

ip nat inside source static tcp 192.168.0.1 22 interface Dialer0 22
Now SSH to the server ( 192.168.0.8 ) works, but not to the router itself =(
In my opinion you don't need this one, and maybe that's exactly why it doesn't work. Try removing the NAT and doing SSH "normally" to the dialer interface's IP (with an ACL in place, obviously, but that seemed to be there already).

Rizio
[Dj][DMX]

Yesss, I did it :lol:

Your last post reminded me of something: the only test I hadn't done was disabling the access-class on vty 0 1.

Well, removing it made it work right away!

So I understood the reason: I had 2 CLI lines available only from the LAN, both telnet and ssh, and 3 lines available indiscriminately from outside too, ssh only; only that the first two really were the first two! Let me explain: as long as vty 0 1 were not busy, the router would not accept ssh except from the LAN; in fact, by opening two CLI sessions from the LAN I verified that ssh immediately became available on the third CLI line from the WAN as well.

So it was enough to swap the order of the vty lines, and now everything works =)

I'm attaching the configuration below; I know my mistake was due to ignorance and carelessness, but who knows, it might happen to someone else... =P

As you'll see, I also took the opportunity to change a couple of other security rules regarding SSH (the ssh user logging in from outside will no longer be directly in enable mode; I reduced the vtys to 2); I also removed both the NAT rule and the ACL line concerning SSH to the router, because I verified they're not needed.

Code: Select all


!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
hostname Bagigio
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$7Bwx$RZTVaSOKuw9Q9KZtre0Im0
!
aaa new-model
!
!
!
!
aaa session-id common
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-4268052272
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4268052272
 revocation-check none
 rsakeypair TP-self-signed-4268052272
!
!
crypto pki certificate chain TP-self-signed-4268052272
 certificate self-signed 01
  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 34323638 30353232 3732301E 170D3032 30333031 30363231 
  34395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32363830 
  35323237 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100DABE 495E79E8 BA167AB8 E2619CEA 7DAD6317 A41EF53B 9389DFD8 49805249 
  A27AE98A 253CE424 760391DB 8C17F9E0 F47C0FD8 ABF33DAB 7E887006 7DC876E5 
  E6A5295E 16C6EE67 C8CB0981 01326FA7 B13E51F8 CCB45276 E6E11E62 ADEA5C35 
  7B3F77B5 BC60FBBC E466DAE3 3B92F52A E77542E3 0E2691E2 9BC96544 233C4A5D 
  4A310203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603 
  551D1104 0B300982 07426167 6967696F 301F0603 551D2304 18301680 143A8ECC 
  FF1FFB82 9C219A03 BBACEBD6 DF4205FE D0301D06 03551D0E 04160414 3A8ECCFF 
  1FFB829C 219A03BB ACEBD6DF 4205FED0 300D0609 2A864886 F70D0101 04050003 
  818100B3 E4F11CFB 6F6A904B 123A7F8D A65DAF39 538D2B2E 50C71CF4 837DD8A7 
  59FB3517 EEF5D380 8F891A7F A5218FBB 364BC1BA 16E68B5A 6BC4415B 05445EAD 
  97C3F927 4F4F17FA 604AAF33 F64A7083 8B0AEFAB 4167F67D 1AC4E679 305CAC73 
  06FE1122 698A2C06 83579CA9 079AADAE 6C9B0D77 3CDE406A 4E17AB60 885C96A3 9E8712
  	quit
dot11 syslog
ip source-route
!
!
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.0.1 192.168.0.10
!
ip dhcp pool CASA
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1 
   domain-name CASA
   dns-server 88.149.128.12 88.149.128.22 
!
!
ip cef
ip domain name xxxxxxxxxx.dyndns.org
ip name-server 88.149.128.12
ip name-server 88.149.128.22
ip inspect max-incomplete low 297
ip inspect max-incomplete high 372
ip inspect one-minute high 1721
ip inspect one-minute low 1377
ip inspect name IDS ftp
ip inspect name IDS dns
ip inspect name IDS h323
ip inspect name IDS https
ip inspect name IDS icmp
ip inspect name IDS realaudio
ip inspect name IDS tftp
ip inspect name IDS tcp
ip inspect name IDS udp
ip inspect name IDS http
ip inspect name IDS ssh
ip ddns update method dyndns
 HTTP
  add http://xxxxxxxxxx:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 28 0 0 0
!
login block-for 300 attempts 3 within 30
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username xxxxxxxxxx password 7 xxxxxxxxxx
! 
!
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 30
ip ssh source-interface Dialer0
ip ssh version 2
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 no dsl bitswap
!
interface ATM0.1 point-to-point
 pvc 8/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip access-group 199 out
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface Dialer0
 ip ddns update hostname xxxxxxxxxx.dyndns.org
 ip ddns update dyndns
 ip address negotiated
 ip access-group 100 in
 ip nat outside
 ip inspect IDS out
 ip virtual-reassembly
 encapsulation ppp
 ip tcp header-compression
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username xxxxxxxxxx password 7 xxxxxxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat translation timeout 300
ip nat translation tcp-timeout 120
ip nat translation udp-timeout 100
ip nat translation finrst-timeout 10
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 30
ip nat inside source static udp 192.168.0.10 88 interface Dialer0 88
ip nat inside source static udp 192.168.0.10 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.0.10 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.0.3 5000 interface Dialer0 5000
ip nat inside source static udp 192.168.0.3 5001 interface Dialer0 5001
ip nat inside source static udp 192.168.0.2 4672 interface Dialer0 4672
ip nat inside source static tcp 192.168.0.2 4662 interface Dialer0 4662
ip nat inside source static tcp 192.168.0.8 8000 interface Dialer0 8000
ip nat inside source static tcp 192.168.0.8 8001 interface Dialer0 8001
ip nat inside source static tcp 192.168.0.8 22 interface Dialer0 2222
ip nat inside source list 1 interface Dialer0 overload
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark *** ACL PER INTERFACCIA ESTERNA ***
access-list 100 remark *** REGOLE PER VIRUS & co ***
access-list 100 deny   ip host 0.0.0.0 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   ip 192.0.2.0 0.0.0.255 any
access-list 100 deny   ip 224.0.0.0 31.255.255.255 any
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 deny   ip 172.16.0.0 0.15.255.255 any
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any host-unreachable
access-list 100 permit icmp any any net-unreachable
access-list 100 deny   icmp any any
access-list 100 deny   udp any any eq netbios-ss
access-list 100 deny   udp any any eq netbios-ns
access-list 100 deny   udp any any eq netbios-dgm
access-list 100 remark *****************************
access-list 100 remark *** REGOLE PER XBOX LIVE ***
access-list 100 permit udp any any eq 88
access-list 100 remark ****************************
access-list 100 remark *** REGOLE PER SSH ***
access-list 100 permit tcp any any eq 22
access-list 100 remark ****************************
access-list 100 deny   tcp any any lt 1024
access-list 100 deny   udp any any lt 1024
access-list 100 permit ip any any
access-list 199 remark *** ACL PER INTERFACCIA ETHERNET ***
access-list 199 remark *** REGOLE PER XBOX LIVE ***
access-list 199 permit udp any host 192.168.0.10 eq 88
access-list 199 permit tcp any host 192.168.0.10 gt 1024
access-list 199 permit udp any host 192.168.0.10 gt 1024
access-list 199 remark ****************************
access-list 199 remark *** REGOLE PER SSH ***
access-list 199 permit tcp any host 192.168.0.8 eq 22
access-list 199 remark ****************************
access-list 199 remark *** REGOLE PER STARCRAFT 2 ***
access-list 199 permit tcp any host 192.168.0.3 eq 1119
access-list 199 permit udp any host 192.168.0.3 eq 1119
access-list 199 permit tcp any host 192.168.0.3 eq 1120
access-list 199 remark ******************************
access-list 199 remark *** REGOLE PER EMULE ***
access-list 199 permit tcp any host 192.168.0.2 eq 4662
access-list 199 permit udp any host 192.168.0.2 eq 4672
access-list 199 permit udp any host 192.168.0.3 eq 5001
access-list 199 permit tcp any host 192.168.0.3 eq 5000
access-list 199 remark ************************
access-list 199 remark *** REGOLE PER IL SERVER BITTORRENT***
access-list 199 permit tcp any host 192.168.0.8 eq 8000
access-list 199 permit tcp any host 192.168.0.8 eq 8001
access-list 199 remark ************************
access-list 199 permit tcp any any established
access-list 199 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
 no modem enable
 stopbits 1
 speed 115200
line aux 0
line vty 0 1
 exec-timeout 120 0
 logging synchronous
 length 0
 transport input ssh
line vty 2 3
 access-class 1 in
 exec-timeout 120 0
 privilege level 15
 password 7 xxxxxxxxxx
 logging synchronous
 length 0
 transport input telnet ssh
!
scheduler max-task-time 5000
sntp server 207.46.197.32
sntp server 192.43.244.18
end
Thanks a lot for the help!
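Added example, not from the thread or either poster: a small Python audit that checks an IOS running-config for the two things this thread turned on, Rizio's catch of the udp static NAT for SSH and the vty ordering worked out in the last post. IOS hands an incoming session to the lowest-numbered free vty line, so an access-class on the lowest block keeps remote logins out until those lines are busy, exactly what the poster observed by opening two LAN sessions first. The two config excerpts inside are constructed from the posted configs (interface names, addresses and ACL numbers are the thread's); TCP_ONLY_PORTS, the VtyBlock class and all function names are this example's own.

```python
# Added example (not from the thread): audit an IOS running-config for the two
# pitfalls discussed here, a udp static NAT for SSH and an access-class on the
# lowest vty block. Config excerpts at the bottom are constructed.
import re
from dataclasses import dataclass

# Assumption of this example: ports whose transport is unambiguous.
TCP_ONLY_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}
NAT_RE = re.compile(
    r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)")

@dataclass
class VtyBlock:
    first: int
    last: int
    access_class: str = ""  # empty means no access-class: open to any source

def parse_blocks(config):
    """Split a running-config into (header, [indented sub-lines]) sections."""
    blocks = []
    for raw in config.splitlines():
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            blocks.append((raw.strip(), []))
    return blocks

def parse_vty(config):
    """VtyBlock objects in line order, with their access-class if any."""
    blocks = []
    for header, body in parse_blocks(config):
        m = re.fullmatch(r"line vty (\d+)(?: (\d+))?", header)
        if not m:
            continue
        b = VtyBlock(int(m.group(1)), int(m.group(2) or m.group(1)))
        for line in body:
            if line.startswith("access-class "):
                b.access_class = line.split()[1]
        blocks.append(b)
    return sorted(blocks, key=lambda b: b.first)

def router_addresses(config):
    """IPv4 addresses configured on the router's own interfaces."""
    addrs = set()
    for header, body in parse_blocks(config):
        if header.startswith("interface "):
            for line in body:
                m = re.match(r"ip address (\d+\.\d+\.\d+\.\d+) ", line)
                if m:
                    addrs.add(m.group(1))
    return addrs

def check_vty_order(blocks):
    """IOS gives a new session the lowest free vty, so a restrictive
    access-class on a low block shadows an open block with higher numbers."""
    findings = []
    for i, low in enumerate(blocks):
        if not low.access_class:
            continue
        for high in blocks[i + 1:]:
            if not high.access_class:
                findings.append(
                    f"vty {low.first}-{low.last} has access-class {low.access_class} "
                    f"but vty {high.first}-{high.last} is open: remote sessions land "
                    f"on vty {low.first} first and are refused until it is busy")
    return findings

def check_static_nat(config):
    """Flag forwards with the wrong transport or aimed at the router itself."""
    findings, own = [], router_addresses(config)
    for proto, inside_ip, inside_port, _ in NAT_RE.findall(config):
        svc = TCP_ONLY_PORTS.get(int(inside_port))
        if svc and proto != "tcp":
            findings.append(f"{proto} forward to {inside_ip}:{inside_port}, but {svc} is tcp")
        if inside_ip in own:
            findings.append(f"static NAT to the router's own {inside_ip} is not needed; "
                            "SSH to the outside interface address directly")
    return findings

def audit(config):
    return check_vty_order(parse_vty(config)) + check_static_nat(config)

# Constructed excerpts: first posted layout plus the 192.168.0.1 forward from the
# second attempt, and the corrected layout from the final post.
POSTED = """\
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
ip nat inside source static udp 192.168.0.8 22 interface Dialer0 2222
ip nat inside source static tcp 192.168.0.1 22 interface Dialer0 22
line vty 0 1
 access-class 1 in
 transport input telnet ssh
line vty 2 4
 transport input ssh
"""
FIXED = """\
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
ip nat inside source static tcp 192.168.0.8 22 interface Dialer0 2222
line vty 0 1
 transport input ssh
line vty 2 3
 access-class 1 in
 transport input telnet ssh
"""

if __name__ == "__main__":
    print(*(audit(POSTED) or ["no findings"]), sep="\n")
```

Run against the first layout it reports three findings (the shadowed vty 2-4 block, the udp forward for port 22, and the forward to the router's own 192.168.0.1); against the corrected layout it reports none. The parser only understands the flat header-plus-indented-lines shape of a running-config, which is all these checks need; it does not model nested sub-modes or banner text.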
Rizio

Thanks to you for sharing the config, which will surely be an excellent starting point for many (me first ;) )

Ad majora
Rizio