configurare cisco 800 per Emule

[alba63]

ho un rooter cisco 800 funzionante con ip statico con la seguente configurazione

//******************************************
Current configuration : 1664 bytes
!
version 12.3
service config
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname antonio
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$5ItU$Ms5cXG2wej26xZDJuZtCl0
enable password pippo
!
no aaa new-model
ip subnet-zero
ip tcp path-mtu-discovery
ip domain name interbusiness.it
ip name-server 151.99.125.2
ip name-server 82.88.233.67
!
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
!
!
!
no crypto isakmp enable
!
!
!
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0 secondary
ip address 85.x.x.x 255.255.255.248
ip nat inside
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address 85.x.x.18 255.255.255.252
ip nat outside
pvc 8/35
vbr-nrt 640 640 1
encapsulation aal5snap
!
!
ip nat pool NUOVO 85.x.x.x 85.x.x.x netmask 255.255.255.248
ip nat inside source list 60 pool NUOVO overload
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 151.99.0.0 255.255.0.0 ATM0.1
ip route 192.168.0.0 255.255.255.0 ATM0.1
ip route 192.168.0.0 255.255.255.0 Ethernet0
no ip http server
no ip http secure-server
!
!
access-list 60 permit 192.168.0.0 0.0.0.255
no cdp run
!
control-plane
!
!
line con 0
exec-timeout 0 0
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
password antonio2
login
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
!
end

//*********************************

con Hyper Terminal o telnet cerco vorrei inserire le seguenti istruzioni:

set nat entry add 192.168.0.155 4662 85.x.x.x 4662 tcp
set nat entry add 192.168.0.155 4672 85.x.x.x 4672 tcp

ma la risposta è:

% Invalid input detected at '^' marker

grazie per la risposta

alba

[Wizard]

set nat entry add 192.168.0.155 4662 85.x.x.x 4662 tcp
set nat entry add 192.168.0.155 4672 85.x.x.x 4672 tcp

Dove la hai trovata questa sintassi...???!! Non si fa così!

Codice: Seleziona tutto

ip nat inside source static tcp 192.168.0.155 4662 85.x.x.x 4662
ip nat inside source static udp 192.168.0.155 4672 85.x.x.x 4672

Sappi che hai una configurazione un po' molto minima ed insicura...

[alba63]

grazie per la risposta

le istruzioni

set nat entry add 192.168.0.155 4662 85.x.x.x 4662 tcp
set nat entry add 192.168.0.155 4672 85.x.x.x 4672 udp

le ho trovate nei consigli di emule quando controllo la connessione delle porte

quindi se ho ben capito le istruzioni giuste sono:

ip nat inside source static tcp 192.168.0.155 4662 85.x.x.x 4662
ip nat inside source static udp 192.168.0.155 4672 85.x.x.x 4672

visto che sei stato gentile a rispondermi, mi puoi dare una configurazione più sicura?

grazie Alba

[Wizard]

Facci vedere che ios hai che in base a quella vediamo (sh ver)

[alba63]

scusami cosa vuol dire ios?
come si cancellano le istruzioni dalla configurazione del rooter?
grazie Alba

[Wizard]

Intanto non è rooter ma router...
Per eliminare una riga di configurazione devi mettere il "no" davanti a quella regola tipo:

Codice: Seleziona tutto

no access-l 131

La IOS è il sistema operativo dei router Cisco.
Dai il comando "sh ver" e postalo qui.

[alba63]

Cisco IOS Software, C837 Software (C837-K9O3Y6-M), Version 12.3(4)T9, RELEASE SO
FTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by Cisco Systems, Inc.
Compiled Fri 22-Oct-04 20:14 by cmong

ROM: System Bootstrap, Version 12.2(11r)YV1, RELEASE SOFTWARE (fc1)

antonio uptime is 2 weeks, 1 day, 37 minutes
System returned to ROM by power-on
System image file is "flash:c837-k9o3y6-mz.123-4.T9.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected].

Cisco C837 (MPC857DSL) processor (revision 0x501) with 44237K/4915K bytes of mem
ory.
Processor board ID FOC08480HX0 (416017298), with hardware revision 0000
CPU rev number 7
1 Ethernet interface
1 ATM interface
128K bytes of NVRAM.
24576K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102

[Wizard]

Andrebbe aggiornato il sistema operativo...
Per ora:

Codice: Seleziona tutto

conf t
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp

int eth0
ip inspect FW-OUT in

access-list 131 remark *** ACL ANTI-SPOOFING ***
access-list 131 deny   ip host 0.0.0.0 any log
access-list 131 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 131 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 131 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 131 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 131 remark *** ACL PER CONTROLLARE TRAFFICO ICMP ***
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 deny   icmp any any
access-list 131 remark *** ACL PER BLOCCARE WORM ***
access-list 131 deny   tcp any any eq 135
access-list 131 deny   udp any any eq 135
access-list 131 deny   udp any any eq 137
access-list 131 deny   udp any any eq 138
access-list 131 deny   tcp any any eq 139
access-list 131 deny   udp any any eq 139
access-list 131 deny   tcp any any eq 445
access-list 131 deny   tcp any any eq 8888
access-list 131 deny   tcp any any eq 8594
access-list 131 deny   tcp any any eq 8563
access-list 131 deny   tcp any any eq 7778
access-list 131 deny   tcp any any eq 593
access-list 131 deny   tcp any any eq 2049
access-list 131 deny   udp any any eq 2049
access-list 131 deny   tcp any any eq 2000
access-list 131 deny   tcp any any range 6000 6010
access-list 131 deny   udp any any eq 1433
access-list 131 deny   udp any any eq 1434
access-list 131 deny   udp any any eq 5554
access-list 131 deny   udp any any eq 9996
access-list 131 deny   udp any any eq 113
access-list 131 deny   udp any any eq 3067
access-list 131 remark *** ACL PER BLOCCARE ACCESSI NON AUTORIZZATI ***
access-list 131 deny   ip any any log

int PUBBLICA (atm0.1, dialer1...)
ip access-group 131 in

[alba63]

grazie per la risposta

se hai voglia mi spiegheresti con maggiore dettaglio il significato delle istruzioni che hai scritto?

ciao Alba

[Wizard]

conf t
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp

int eth0
ip inspect FW-OUT in

L' ip inspect fa parte della ios firewall di Cisco, in breve inspiezionerà i pachetti (in questo caso tcp e udp) in uscita; l' ip inspect è stateful (un pachetto che parte lo fa tornare indietro anche se non c'è la acl di ritorno).

access-list 131

La acl 131 (il numero fa parte di ampio range) regola gli accessi diretti da internet verso il tuo router bloccando accessi non autorizzati