Hi everyone!!!
I'm new to this forum.
I have a problem with the configuration of the 501.
I have just configured the inside and outside interfaces; I can ping from the 501 to the router and also to the network, and from the client I can ping the firewall.
In addition I entered:
access-list outside_access_in permit tcp any any
access-list inside_access_in permit tcp any any
I gave the clients the firewall's IP as their gateway, but I can't get out to the internet.
Please help, my boss is furious with me because I still haven't managed it.
Pix 501 configuration
Moderator: Federico.Lagni
- MaiO
- Messianic Network master
- Messages: 1083
- Joined: Sat 15 Oct 2005, 10:55 am
- Location: Milano
Well, it looks like you've taken on more responsibility than you can handle. You can't promise things you don't know.
If you give us the details of the topology and the addresses, we'll surely give you some pointers.
Bye
-=] MaiO [=-
- andrewp
- Messianic Network master
- Messages: 2199
- Joined: Mon 13 Jun 2005, 7:32 pm
- Location: Roma
Explain to your boss that a Cisco device is not a toy you need to own to keep up with fashion; if he wants a PROFESSIONAL tool he has to commit to sending his employees on courses, or pay someone who is already skilled.
We'll still give you whatever help we can...
Bit manipulator.
- elewen
- n00b
- Messages: 8
- Joined: Fri 30 Jun 2006, 11:46 am
This is my configuration.
The router has address 192.168.2.100, the firewall 192.168.2.101, and the network is 192.168.3.xx
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit ip any any
access-list outside_access_in permit tcp any any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit udp any any
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit udp any any
access-list acl_in permit tcp host 192.168.3.11 any eq www
access-list acl_in permit tcp host 192.168.3.11 any eq 8080
access-list acl_in permit tcp any any eq www
access-list acl_out permit tcp host 192.168.3.11 any eq www
access-list acl_out permit tcp host 192.168.2.101 any eq www
access-list acl_out permit tcp host 192.168.2.100 any eq www
access-list acl_out permit tcp any any eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.101 255.255.255.0
ip address inside 192.168.3.199 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.3.0 255.255.255.255 inside
pdm location 192.168.3.0 255.255.255.0 outside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.3.11 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 120
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.2.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.3.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.255 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:07e0e697e6f645cbb93b5c8e8dacbf8e.
Thanks
-
- Holy network Shaman
- Messages: 637
- Joined: Thu 07 Apr 2005, 9:30 pm
- Location: Cisco Systems Inc. West Tasman Drive 170, San Jose CA
But what is this firewall connected to? Who is supposed to do the NAT?
CCIE Routing & Switching # 20567
CCNP R&S - CCNP Sec - CCNP Collaboration - CCNP Datacenter - CCDP - VCP6-DCV
- elewen
- n00b
- Messages: 8
- Joined: Fri 30 Jun 2006, 11:46 am
It's connected to the internet. The problem is that from the firewall, from inside it, I can ping outward, e.g. the provider's DNS, a router at another of my companies, etc., but from the clients (gateway = the firewall's inside IP) I can't get out to the internet.
I deleted the NAT; I was wrong to put it in.
I think it's a problem of authorizations and permissions.
Right?
I'm desperate
-
- Holy network Shaman
- Messages: 637
- Joined: Thu 07 Apr 2005, 9:30 pm
- Location: Cisco Systems Inc. West Tasman Drive 170, San Jose CA
The pix is connected to the internet??? But how??? Divine grace??
CCIE Routing & Switching # 20567
CCNP R&S - CCNP Sec - CCNP Collaboration - CCNP Datacenter - CCDP - VCP6-DCV
- MaiO
- Messianic Network master
- Messages: 1083
- Joined: Sat 15 Oct 2005, 10:55 am
- Location: Milano
Try this:
route outside 0.0.0.0 0.0.0.0 192.168.2.100 1
even though what you're describing doesn't add up to me...
Bye
-=] MaiO [=-
- elewen
- n00b
- Messages: 8
- Joined: Fri 30 Jun 2006, 11:46 am
I'm sorry that misunderstandings are arising between us.
You were right when you told me the firewall connects by "divine grace". It wasn't "Route outside 0.0.0.0 0.0.0.0 192.168.3.254 1".
I had already put in the right one: route outside 0.0.0.0 0.0.0.0 192.168.2.100 1; I tried, but the clients don't get to the internet.
Do you think it's a permissions problem?
I wanted to thank you for your kind courtesy.
!!!Thanks!!!
Regards from elewen
-
- Holy network Shaman
- Messages: 637
- Joined: Thu 07 Apr 2005, 9:30 pm
- Location: Cisco Systems Inc. West Tasman Drive 170, San Jose CA
How about posting us a diagram?!
CCIE Routing & Switching # 20567
CCNP R&S - CCNP Sec - CCNP Collaboration - CCNP Datacenter - CCDP - VCP6-DCV
- elewen
- n00b
- Messages: 8
- Joined: Fri 30 Jun 2006, 11:46 am
Hi!!!
This is the config.
What do you think?
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any
access-list acl_in permit icmp any any
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.99 255.255.255.0
ip address inside 192.168.3.199 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.3.0 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 120
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.2.100 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.3.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.255 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:a8ea205108fb9485e74addea014c6720
- MaiO
- Messianic Network master
- Messages: 1083
- Joined: Sat 15 Oct 2005, 10:55 am
- Location: Milano
This is what's missing (I'm only posting an example I have at hand; adapt it to your case):
!--- Specify the global address to be used.
global (outside) 1 209.165.200.227-209.165.200.254 netmask 255.255.255.224
!--- Specify a pool of addresses on the outside interface
!--- to which the hosts defined in the NAT statement are translated.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
Bye
-=] MaiO [=-
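As an added example (not code from this thread, from Cisco, or from any poster), a small Python audit that reads a PIX 6.3 running-config in the form posted above and reports the conditions the thread turns on: no nat rule at all (the second config), identity NAT only (the first config's nat 0, which MaiO's global/nat pair replaces), a nat id with no matching global, access-lists defined but never applied, a wide-open access-group on the outside interface, and the default SNMP community. The sample config inside is constructed, condensed from the first config posted.

```python
# Constructed sample condensed from the first config posted in this thread (only audited lines kept).
SAMPLE_CONFIG = """\
access-list outside_access_in permit ip any any
access-list inside_access_in permit ip any any
access-list acl_in permit tcp any any eq www
access-group outside_access_in in interface outside
access-group acl_in in interface inside
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
snmp-server community public
"""

def audit_pix(config):
    """Return a list of findings (strings) for a PIX 6.3 running-config given as text."""
    findings = []
    defined, wide_open, applied = set(), set(), {}
    nat_ids, global_ids = set(), set()
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list":                 # access-list NAME permit PROTO SRC DST ...
            defined.add(tok[1])
            if tok[2:6] == ["permit", "ip", "any", "any"]:
                wide_open.add(tok[1])
        elif tok[0] == "access-group":              # access-group NAME in interface IFNAME
            applied[tok[1]] = tok[4]
        elif tok[0] == "nat":                       # nat (IFNAME) ID LOCAL MASK ...
            nat_ids.add(tok[2])
        elif tok[0] == "global":                    # global (IFNAME) ID POOL|interface ...
            global_ids.add(tok[2])
        elif tok[:2] == ["snmp-server", "community"] and tok[2] in ("public", "private"):
            findings.append("default SNMP community '%s' is set" % tok[2])
    # PIX 6.3 will not pass inside->outside traffic unless a nat rule covers the source:
    # id 0 is identity NAT (addresses leave untranslated); any other id needs a global pool.
    if not nat_ids:
        findings.append("no 'nat (inside)' rule: inside hosts cannot reach outside")
    if nat_ids == {"0"}:
        findings.append("only identity NAT (id 0): inside addresses are sent untranslated, "
                        "so the next hop must have a route back to them")
    for nid in sorted(nat_ids - {"0"} - global_ids):
        findings.append("nat id %s has no matching 'global' statement" % nid)
    for name in sorted(defined - set(applied)):
        findings.append("access-list %s is defined but never applied" % name)
    for name in sorted(set(applied) - defined):
        findings.append("access-group references undefined access-list %s" % name)
    for name, ifname in applied.items():
        if name in wide_open and ifname == "outside":
            findings.append("access-list %s on outside permits ip any any inbound" % name)
    return findings
```

Running it on the second config posted (no nat line at all) produces only the "no 'nat (inside)' rule" finding, which is exactly the gap MaiO's global/nat example fills.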