
Adding a Netgear FW as a second GW for VPN

Posted: Mon 02 Aug, 2010 8:44 am
by Blue Ice
Hi everyone,
I need to install a Netgear ProSafe firewall in the office as a second gateway to manage VPNs to other Netgear devices (I tried to set up the VPN directly from my Cisco 1801 but did not succeed);
the idea was to assign a public IP to the Netgear's WAN port and a local IP to its LAN port, and to set up DHCP to hand out both gateways so that the VPN works internally...

The config of the 1841 is the following:

Code:

!This is the running config of the router: 192.168.0.254
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname HT_CISCO
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging exception 100000
logging count
logging userinfo
logging queue-limit 10000
logging buffered 150000 notifications
logging console critical
enable secret 5
!
no aaa new-model
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-3672678414
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3672678414
 revocation-check none
 rsakeypair TP-self-signed-3672678414
!
!
crypto pki certificate chain TP-self-signed-3672678414
 certificate self-signed 01
  30820240 308201A9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 33363732 36373834 3134301E 170D3130 30363132 31343435 
  32355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 36373236 
  37383431 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100C7AC FE698EE4 10E08175 1412B82C 30F61DB3 8A43B7AA 4803BBFA 000F7D21 
  3FA1449E 1AD9AC75 D527AEF2 36A5FE0B D7CD83C3 D5DC3DBB 1CE64AB0 3BF1C061 
  E395A99B 5D971279 EF9D8581 D2FB971B CFCC074B 547B0401 A7941BE6 58B3D415 
  35AF3C26 3F235165 8E102CB9 8990B356 86B07C64 9E5A8C65 F6E004F9 18ABBD4F 
  B6BD0203 010001A3 68306630 0F060355 1D130101 FF040530 030101FF 30130603 
  551D1104 0C300A82 0848545F 43495343 4F301F06 03551D23 04183016 8014E5EC 
  92088C8F B8EB609E 57DC41F9 1FC7B59B B34A301D 0603551D 0E041604 14E5EC92 
  088C8FB8 EB609E57 DC41F91F C7B59BB3 4A300D06 092A8648 86F70D01 01040500 
  03818100 959C4E94 DA9BDB53 5F7F99F1 E18956D0 9E6BC0DB 22462EA9 36FF8A84 
  CA13BFD0 05372BB7 2A298EEE 5030C20E 8EDA1F08 84450039 65842153 929811BD 
  C6DA909F FE17A5BE EC390CA2 4225DD49 C2E7C609 112DEAC7 BDDB77BC A8D354B8 
  ABA059B5 683C5E3A 469D1E0A DAF5BCC1 35D68C45 2CCBC505 73045756 5049CF63 69625A64
  	quit
dot11 syslog
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
!
!
ip cef
!
!
no ip bootp server
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 300
ip inspect hashtable-size 2048
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 60
ip inspect name IDS tcp
ip inspect name IDS udp
ip inspect name IDS ftp
login block-for 1 attempts 3 within 30
login on-failure
login on-success
!
multilink bundle-name authenticated
!
!
username gmoretti privilege 15 secret 
! 
!
!
!
crypto map baseline 120 ipsec-isakmp 
 ! Incomplete
 set peer 93.40.131.252
 set peer 23.255.67.82
 set transform-set netgear 
 set pfs group2
 match address 110
!
archive
 log config
  hidekeys
!
!
ip tcp selective-ack
ip tcp window-size 2144
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface Loopback0
 ip address 80.xxx.yyy.17 255.255.255.0
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 no ip address
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
 switchport access vlan 2
!
interface ATM0
 description ALICE BUSINESS 20 Mbps - TGU:
 mtu 1500
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description INTERFACCIA PER ACCESSO AD INTERNET
 mtu 1500
 ip address 88.xxx.yyy.178 255.255.255.252
 ip access-group sdm_atm0.1_in in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nat outside
 ip inspect IDS out
 ip virtual-reassembly
 no ip mroute-cache
 pvc 8/35 
  encapsulation aal5snap
 !
!
interface Vlan1
 description CONNESSIONE LAN 
 ip address 192.168.0.254 255.255.255.0
 ip access-group sdm_vlan1_in in
 ip accounting output-packets
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 no ip mroute-cache
 crypto map baseline
 hold-queue 100 out
!
interface Vlan2
 no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat pool INTERNET 80.xxx.yyy.18 80.xxx.yyy.18 netmask 255.255.255.240
ip nat inside source list 100 pool INTERNET overload
ip nat inside source route-map nonat interface Vlan1 overload
ip nat inside source static 192.168.0.100 80.xxx.yyy.20
ip nat inside source static 192.168.0.99 80.xxx.yyy.21
ip nat inside source static 192.168.0.253 80.xxx.yyy.22
ip nat inside source static 192.168.0.95 80.xxx.yyy.23
ip nat inside source static 192.168.0.98 80.xxx.yyy.24
ip nat inside source static 192.168.0.104 80.xxx.yyy.25
ip nat inside source static 192.168.0.105 80.xxx.yyy.26
ip nat inside source static 192.168.0.106 80.xxx.yyy.27
!
ip access-list extended sdm_atm0.1_in
 remark SDM_ACL Category=1
 permit ip any host 80.xxx.yyy.25
 permit ip any host 80.xxx.yyy.30
 remark HTTP
 permit tcp any host 80.xxx.yyy.24 eq 443
 remark HTTP
 permit tcp any host 80.xxx.yyy.24 eq www
 remark HTTP
 permit tcp any host 80.xxx.yyy.23 eq 443
 remark HTTP
 permit tcp any host 80.xxx.yyy.23 eq www
 remark VOIP-3cx
 permit udp any host 80.xxx.yyy.22 range 9000 9049
 remark SIP
 permit tcp any host 80.xxx.yyy.22
 remark SIP
 permit udp any host 80.xxx.yyy.22 eq 5090
 remark SIP
 permit udp any host 80.xxx.yyy.22 eq 5060
 remark HTTP
 permit tcp any host 80.xxx.yyy.22 eq 443
 remark HTTP
 permit tcp any host 80.xxx.yyy.22 eq www
 remark HTTP
 permit tcp any host 80.xxx.yyy.21 eq 443
 remark HTTP
 permit tcp any host 80.xxx.yyy.21 eq www
 remark HTTP
 permit tcp any host 80.xxx.yyy.20 eq 443
 remark VPN
 permit tcp any host 80.xxx.yyy.20 eq 1723
 permit tcp any host 80.xxx.yyy.20 eq smtp
 remark HTTP
 permit tcp any host 80.xxx.yyy.20 eq 987
 remark HTTP
 permit tcp any host 80.xxx.yyy.20 eq www
 remark RDP
 permit tcp any any eq 3389
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 80.xxx.yyy.0 0.0.0.255 any
!
access-list 100 remark *************************************************************
access-list 100 remark *** ACL PER PAT E NAT0 ***
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 permit ip 80.24.44.0 0.0.0.255 any
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
route-map nonat permit 10
 match ip address 111
!
!
!
!
control-plane
!
banner motd ^CCCCC
****************************************************************
----------------------------------------------------------------
* ***   ROUTER PERIMETRALE ----      ***   *
----------------------------------------------------------------
* WARNING: System is RESTRICTED to authorized personnel ONLY! *
* Unauthorized use of this system will be logged and *
* prosecuted to the fullest extent of the law. *
* *
* If you are NOT authorized to use this system, LOG OFF NOW! *
* *
****************************************************************
^C
!
line con 0
 exec-timeout 120 0
 transport output ssh
 stopbits 1
line aux 0
 transport output telnet ssh
line vty 0 4
 login
!
scheduler max-task-time 5000
scheduler interval 500
sntp server 193.204.114.232
sntp server 193.204.114.233
sntp server 193.204.114.105
end
My problem is that with the current configuration I cannot get the firewall to browse when I assign it the public IP directly, so I am asking for your help to understand how I can get to that result while keeping the router's functionality "unchanged", meaning that the addresses I want to publish do not get a public IP directly but are NATed by the router, and that all the others go out with a predetermined public IP :)

Thanks a lot for the help :wink:
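The inbound ACL `sdm_atm0.1_in` on ATM0.1 and the NAT list `access-list 100` quoted above decide what reaches the published hosts and which inside sources get translated. As an added example, not part of the original post or of any Cisco tool, here is a small Python evaluator for IOS extended ACL entries that reproduces the first-match and implicit-deny semantics, so one can check what the router does with a given packet, and which inside address (for instance a Netgear WAN port placed on Vlan1, which is `ip nat inside`) the dynamic NAT list would catch, before a second gateway is added. It assumes 203.0.113.0/24 as a constructed stand-in for the masked 80.xxx.yyy block and 198.51.100.7 as an arbitrary outside source; port keywords are limited to the ones the post uses.

```python
"""Evaluate Cisco IOS extended ACL entries against sample packets.
Added example, not from the forum post or from Cisco. The ACL text is a
constructed subset of the post's sdm_atm0.1_in and access-list 100, with
203.0.113.0/24 (a documentation range) standing in for the masked 80.xxx.yyy."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "smtp": 25}   # IOS port keywords used in the post
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Ace:
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: tuple      # (low, high) destination port range, or None
    text: str

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = None

_port = lambda tok: int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _addr(tokens, pos):
    """Parse 'any', 'host A' or 'A WILDCARD' (contiguous wildcard masks only)."""
    if tokens[pos] == "any":
        return ANY, pos + 1
    if tokens[pos] == "host":
        return ipaddress.ip_network(tokens[pos + 1] + "/32"), pos + 2
    ones = bin(int(ipaddress.IPv4Address(tokens[pos + 1]))).count("1")
    return ipaddress.ip_network(f"{tokens[pos]}/{32 - ones}", strict=False), pos + 2

def parse_ace(line):
    tokens = line.split()
    if tokens[:1] == ["access-list"]:   # numbered form: drop "access-list N"
        tokens = tokens[2:]
    if not tokens or tokens[0] == "remark":
        return None
    src, pos = _addr(tokens, 2)
    dst, pos = _addr(tokens, pos)
    dports = None
    if tokens[pos:pos + 1] == ["eq"]:
        dports = (_port(tokens[pos + 1]),) * 2
    elif tokens[pos:pos + 1] == ["range"]:
        dports = (_port(tokens[pos + 1]), _port(tokens[pos + 2]))
    return Ace(tokens[0], tokens[1], src, dst, dports, " ".join(tokens))

def parse_acl(text):
    return [ace for ace in map(parse_ace, text.splitlines()) if ace]

def matches(ace, pkt):
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if ace.proto not in ("ip", pkt.proto) or src not in ace.src or dst not in ace.dst:
        return False
    if ace.dports is None:
        return True
    return pkt.dport is not None and ace.dports[0] <= pkt.dport <= ace.dports[1]

def evaluate(acl, pkt):
    """First matching entry wins; no match is the implicit deny at the end."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action, ace.text
    return "deny", None

def any_to_any_permits(acl):
    """Permits not tied to a specific published host: worth a second look on an
    internet-facing ACL."""
    return [a.text for a in acl if a.action == "permit" and a.src == ANY and a.dst == ANY]

# Constructed subset of the post's inbound ACL on ATM0.1 (sdm_atm0.1_in).
INBOUND_ACL = parse_acl("""
 permit tcp any host 203.0.113.24 eq 443
 permit udp any host 203.0.113.22 eq 5060
 permit udp any host 203.0.113.22 range 9000 9049
 permit tcp any host 203.0.113.20 eq smtp
 remark RDP
 permit tcp any any eq 3389
 permit ip 192.168.0.0 0.0.0.255 any
""")

# Constructed stand-in for the post's NAT list (access-list 100).
NAT_ACL = parse_acl("""
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 permit ip 203.0.113.0 0.0.0.255 any
""")

if __name__ == "__main__":
    print(evaluate(INBOUND_ACL, Packet("tcp", "198.51.100.7", "203.0.113.24", 443)))
    print(evaluate(INBOUND_ACL, Packet("tcp", "198.51.100.7", "203.0.113.24", 22)))
    print(any_to_any_permits(INBOUND_ACL))
    # A host on Vlan1 (ip nat inside) using an address from the public block
    # is still caught by the dynamic NAT list and would be translated.
    print(evaluate(NAT_ACL, Packet("tcp", "203.0.113.40", "8.8.8.8", 443)))
```

Running it prints the verdict and the matching entry for each sample packet. `any_to_any_permits` lists entries such as `permit tcp any any eq 3389` that are not bound to one published host, which is the kind of entry to review when the inbound ACL is reworked for a second gateway; the last line shows that a public address placed on the `ip nat inside` side still matches the NAT list, which is one reason a firewall given the public IP directly does not behave as expected.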