OK... I can't reach the firewall...
I removed all the ACLs, including the NONAT ones and the statics, and redid everything from scratch.....
first the NONAT ACL for the internal network
then I created an IPsec VPN
then I checked the NONAT for the VPN pool
then I added the 2 statics for the 2 servers... one AS400 for FTP and the other for VNC
then I put the ACL on outside to reach them
and lo and behold...
IT WORKS!!!!
PS:
from the prompt, typing ftp <as400_public_ip> gave me an error..
I tried again and it worked, and it still works... hmm, and so does VNC
thanks...
Pix 501 and Public IP
Moderator: Federico.Lagni
- Cisco fan
- Posts: 30
- Joined: Mon 19 Jun 2006, 11:06 am
Yes, everything's OK... and I assure you that from now on I'll only ever use telnet for statics and ACLs... I swear I typed the same things I used to do with PDM (clearly I missed something)..
I also recreated the NAT exempt ACLs from scratch (again via telnet)
everything's OK...
To close the topic:
here is the working config
names
name 81.115.170.xxx router
access-list SAS_splitTunnelAcl permit ip 10.144.145.0 255.255.255.0 any
access-list NONAT permit ip any 10.144.145.0 255.255.255.0
access-list NONAT permit ip 10.144.145.0 255.255.255.0 192.168.10.0 255.255.255.240
access-list inside_access_in permit ip any any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.0 255.255.255.240
access-list outside_access_in permit tcp any host 81.115.170.xxy eq ftp
access-list outside_access_in permit tcp any host 81.115.170.xxz eq 5900
access-list outside_access_in deny ip any any
pager lines 24
icmp permit any echo-reply outside
icmp permit any echo inside
mtu outside 1500
mtu inside 1500
ip address outside 81.115.170.x 255.255.255.x
ip address inside 10.144.145.y 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool SAS 10.144.145.220-10.144.145.225 mask 255.255.255.0
ip local pool SASInfo 192.168.10.0-192.168.10.15
pdm location router 255.255.255.255 outside
pdm location router 255.255.255.255 inside
pdm location 10.144.145.0 255.255.255.0 outside
pdm location 81.115.170.yyy 255.255.255.255 inside
pdm location 10.144.145.o 255.255.255.255 inside
pdm location 10.144.145.p 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 10.144.145.0 255.255.255.0 0 0
static (inside,outside) 81.115.170.xxz 10.144.145.o netmask 255.255.255.255 0 0
static (inside,outside) 81.115.170.xxy 10.144.145.p netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 router 1
etc..
a hello to Cisketto and MaiO for the help
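The posted config, as a small model of how a PIX 6.x processes the traffic this thread is about (an added example, not code from the original post or from Cisco). The public addresses are masked in the post, so the script uses constructed TEST-NET stand-ins: 203.0.113.x for the outside interface and the two statics, 198.51.100.7 as an outside client; the inside hosts 10.144.145.o and 10.144.145.p are likewise replaced by constructed addresses. It shows the three things that had to be right at the same time for FTP and VNC to work: the outside ACL is matched against the global (public) address of the static, not the inside address; the static supplies the inside address, and a permitted packet with no static is still dropped; and nat (inside) 0 access-list NONAT is consulted before the statics and before nat/global, so inside traffic to the VPN pools keeps its real source while everything else is PATed to the outside interface.

```python
"""Model of PIX 6.x inbound/outbound processing for the config posted above.
Constructed example; all public addresses are TEST-NET stand-ins for the masked values."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-ins for the masked addresses in the posted config.
OUTSIDE_IF = "203.0.113.10"   # ip address outside 81.115.170.x
PUBLIC_FTP = "203.0.113.11"   # 81.115.170.xxy (static for the AS400/FTP host)
PUBLIC_VNC = "203.0.113.12"   # 81.115.170.xxz (static for the VNC host)
INSIDE_FTP = "10.144.145.20"  # 10.144.145.p
INSIDE_VNC = "10.144.145.21"  # 10.144.145.o
INSIDE_NET = "10.144.145.0/24"

# access-list outside_access_in, in posted order: (action, proto, src, dst, dport)
OUTSIDE_ACCESS_IN = [
    ("permit", "tcp", "any", PUBLIC_FTP + "/32", 21),
    ("permit", "tcp", "any", PUBLIC_VNC + "/32", 5900),
    ("deny", "ip", "any", "any", None),
]

# static (inside,outside) <global> <local> netmask 255.255.255.255
STATICS = {PUBLIC_FTP: INSIDE_FTP, PUBLIC_VNC: INSIDE_VNC}
STATICS_BY_LOCAL = {local: glob for glob, local in STATICS.items()}

# access-list NONAT, referenced by nat (inside) 0 access-list NONAT: (src, dst)
NONAT = [
    ("any", "10.144.145.0/24"),             # SAS pool lives inside the LAN subnet
    ("10.144.145.0/24", "192.168.10.0/28"),  # SASInfo pool
]


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def _in(addr: str, spec: str) -> bool:
    """spec is 'any' or a CIDR network (PIX writes these as address + mask)."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def acl_lookup(acl, pkt: Packet) -> Tuple[str, int]:
    """First matching line wins; returns (action, 1-based line). No match = implicit deny (line 0)."""
    for i, (action, proto, src, dst, port) in enumerate(acl, 1):
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_in(pkt.src, src) and _in(pkt.dst, dst)):
            continue
        if port is not None and port != pkt.dport:
            continue
        return action, i
    return "deny", 0


def inbound_from_outside(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Outside ACL is evaluated against the global (public) destination, then the
    static supplies the inside address. Permit without a static is still dropped."""
    action, _ = acl_lookup(OUTSIDE_ACCESS_IN, pkt)
    if action != "permit":
        return "deny", None
    local = STATICS.get(pkt.dst)
    if local is None:
        return "deny", None          # "no translation group found"
    return "permit", local


def outbound_from_inside(pkt: Packet) -> Optional[str]:
    """Source address seen on outside: NAT exemption first, then static, then nat/global PAT.
    None means no translation applies and the PIX drops the packet."""
    for src, dst in NONAT:
        if _in(pkt.src, src) and _in(pkt.dst, dst):
            return pkt.src                        # nat 0: real address kept
    if pkt.src in STATICS_BY_LOCAL:
        return STATICS_BY_LOCAL[pkt.src]          # static wins over dynamic NAT
    if _in(pkt.src, INSIDE_NET):
        return OUTSIDE_IF                         # nat (inside) 1 + global (outside) 1 interface
    return None


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed outside client
    for pkt in (Packet("tcp", client, PUBLIC_FTP, 21),
                Packet("tcp", client, PUBLIC_FTP, 5900),
                Packet("tcp", client, OUTSIDE_IF, 23)):
        print(pkt, "->", inbound_from_outside(pkt))
    for pkt in (Packet("tcp", "10.144.145.5", "192.168.10.3", 445),
                Packet("tcp", INSIDE_FTP, client, 80),
                Packet("tcp", "10.144.145.5", client, 80)):
        print(pkt, "->", outbound_from_inside(pkt))
```

Running it shows why `ftp` to the FTP host's public address gets through while VNC to that same address does not: the ACL line is per host and per port, and the static is a one-to-one mapping, so each service needs its own matching pair. Swapping the ACL destination to the inside address, which is what PIX 7.x and ASA expect, would make every inbound packet hit the final deny on this 6.x-style box.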