Pix da telecom a fastweb

mulasso · gio 01 nov , 2007 12:50 pm

Ciao ragazzi ho questo problema che mi blocca da diversi giorni.
Ho un pix 501 versione 6.3 questo pix prima era collegato sulla rete adsl telecom /riuscivo a navigare, a ricevere e mandare posta dall'esterno e funzionava anche il client vpn della cisco=, ora in azienda abbiamo fatto il passaggio ad una SHDSL 4 MB di Fastweb acquistando 4 ip pubblici.

E non mi funziona più nulla
Questa la classe per esempio degli ip pubblici che mi ha dato FAstweb 88.30.199.236 255.255.255.252
Ora ho provato a riconfigurare il tutto con questa configurazione

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any
access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.192 255.255.255.224
access-list inside_access_in deny tcp any any eq 4661
access-list inside_access_in deny tcp any any eq 4672
access-list inside_access_in deny udp any any eq 4672
access-list inside_access_in deny tcp any any eq 4662
access-list inside_access_in deny tcp any any eq 4673
access-list inside_access_in deny udp any any eq 4665
access-list inside_access_in deny tcp any any eq 4711
access-list inside_access_in permit ip any any
pager lines 24
logging on
logging trap debugging
logging host inside 192.168.1.70
icmp permit any outside
icmp permit any echo outside
icmp permit any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside 88.30.199.237 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool esterni 192.168.1.201-192.168.1.220
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 192.168.1.5 255.255.255.255 inside
pdm location 192.168.1.83 255.255.255.255 inside
pdm location 192.168.1.150 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 88.30.199.238 192.168.1.3 netmask 255.255.255.255 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 88.30.199.236 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.5 255.255.255.255 inside
http 192.168.1.83 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn-sede address-pool esterni
vpngroup vpn-sede idle-time 1800
vpngroup vpn-sede password ********
telnet 192.168.1.5 255.255.255.255 inside
telnet 192.168.1.83 255.255.255.255 inside
telnet 192.168.1.150 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username cuginetti password bbb encrypted privilege 2
username pingo password ccc encrypted privilege 2
username ziopaperone password ccc encrypted privilege 15
username topolino password ddd encrypted privilege 2
username gastone password eee encrypted privilege 2
username pluto password fff encrypted privilege 2
username paperino password zzzz encrypted privilege 2
terminal width 80
Cryptochecksum:aaaa
: end

Primo problema non riesco a navigare
Secondo problema quando inserisco
access-list outside_access_in permit tcp any host 88.30.199.238 eq smtp
access-list outside_access_in permit tcp any host 88.30.199.238 eq https
access-list outside_access_in permit tcp any host 88.30.199.238 eq pop3
Mi restituisce un errore come non avessi i permissi, ma io sono utente di enable e riesco a fare tutte le config terminal.

Mi date qualche consiglio.
Grazie

mulasso · ven 02 nov , 2007 7:04 pm

Vi dico come ho risolto, ma ho un altro problema

Primo problema non riesco a navigare
era la route erratta
route outside 0.0.0.0 0.0.0.0 88.30.199.236 1
invece è route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
In poche parole il gateway del router fastweb è 192.168.1.254

Secondo problema quando inserisco
access-list outside_access_in permit tcp any host 88.30.199.238 eq smtp, qui commettevo un grave errore forse la stanchezza quando scrivevo questo comando outside_access_in mettevo in senza il simbolo dell'underscore.

Ora però navigo il vpn client funziona, ma non riesco a mandare e ricevere posta, in quanto mi dice fastweb che i quattro indirizzi ip pubblici sono nattati sul mio indirizzo privato che io sto usando come inside del PIX 192.168.1.1.

Che siginifica, come posso risolvere?
Grazie ragazzi

Wizard · mar 06 nov , 2007 10:49 am

Devi comprare da fastweb almeno 2 ip pubblici usabili

mulasso · mar 06 nov , 2007 12:03 pm

Ne ho comprati 4 da 89.90.199.236 a 89.90.199.239 ma non riesco ad usare quello per la porta 443 e la 25 ecco la mia conf.

Navigo va anche la VPN Client ma non riesco ad usare la porta 443 e 25
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password zzz encrypted
passwd zzz encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host 89.90.199.238 eq smtp
access-list outside_access_in permit tcp any host 89.90.199.238 eq https
access-list outside_access_in permit tcp any host 89.90.199.238 eq pop3
access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.192 255.255.255.224
access-list inside_access_in deny tcp any any eq 4661
access-list inside_access_in deny tcp any any eq 4672
access-list inside_access_in deny udp any any eq 4672
access-list inside_access_in deny tcp any any eq 4662
access-list inside_access_in deny tcp any any eq 4673
access-list inside_access_in deny udp any any eq 4665
access-list inside_access_in deny tcp any any eq 4711
access-list inside_access_in permit ip any any
pager lines 24
logging on
logging trap debugging
logging host inside 192.168.1.70
icmp permit any outside
icmp permit any echo outside
icmp permit any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside 89.90.199.237 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool esterni 192.168.1.201-192.168.20.220
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 192.168.1.5 255.255.255.255 inside
pdm location 192.168.1.83 255.255.255.255 inside
pdm location 192.168.1.150 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 89.90.199.238 192.168.1.3 netmask 255.255.255.255 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.5 255.255.255.255 inside
http 192.168.1.83 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn-groop address-pool esterni
vpngroup vpn-group idle-time 1800
vpngroup vpn-group password ********
telnet 192.168.1.5 255.255.255.255 inside
telnet 192.168.1.83 255.255.255.255 inside
telnet 192.168.1.150 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username xxxx password zzz encrypted privilege 2
username xxx password zzz encrypted privilege 2
username xxx password zzz encrypted privilege 15
username xxx password zzz encrypted privilege 2
username xxx password zzz encrypted privilege 2
username xxxx password zzz encrypted privilege 2
usernamexxx password zzz encrypted privilege 2
terminal width 80
Cryptochecksum:ccf4a5d482597d8a050f1ba7a3071757
: end
pixfirewall#

Wizard · mar 06 nov , 2007 12:10 pm

Intanto:

Codice: Seleziona tutto

no nat (inside) 1 0.0.0.0 0.0.0.0 0 0 
nat (inside) 1 192.168.1.0 255.255.255.0

Non è che il nat lo deve gestire il router di fastweb?! Chiedi bene ai tecnici fastweb

mulasso · mar 06 nov , 2007 1:33 pm

mi hanno detto che i quattro ip pubblici sono stati girati sull'indirizzo privato 192.168.1.1

Wizard · mar 06 nov , 2007 2:27 pm

Allora devi configurare regole di nat per porta sul ip della interfaccia outside

mulasso · mar 06 nov , 2007 2:28 pm

Gentilmente io ho configurato questo pix501 seguendo i vostri consigli, mi puoi dire gentilmente come posso fare in base alla mia configurazione che ho postato prima.

Grazie, sempre di grande aiuto

Wizard · mar 06 nov , 2007 2:43 pm

Codice: Seleziona tutto

static (inside,outside) tcp interface porta IP_INTERNO porta netmask 255.255.255.255

mulasso · mar 06 nov , 2007 3:14 pm

Questo comando
static (inside,outside) 89.90.199.238 192.168.1.3 netmask 255.255.255.255 0 0
lo devo eliminare e mettere come dici tu.

static (inside,outside) tcp interface porta 192.168.1.3 255.255.255.255
come fa lui ad intepretare qual'è l'indirizzo esterno.

Scusa se non ho capito, bene

Wizard · mar 06 nov , 2007 3:57 pm

Si la tua statica eliminala!
Il comando che ti ho dato io usa l'ip della interfaccia outside del pix come ip nattato.

mulasso · mar 06 nov , 2007 4:10 pm

Ricapitolando tolgo la mia statica questo il comando che dovrò dare al pix
static (inside,outside) tcp outside 25 192.168.1.3 25 netmask 255.255.255.255

Grazie per la pazienza

Wizard · mar 06 nov , 2007 4:22 pm

Devi:

1) Elimina le statiche che hai ora
2) Dai il comando "clear xlate"
3) Inserisci questa regola:
static (inside,outside) tcp interface 25 192.168.1.3 25 netmask 255.255.255.255
4) Controlla la relativa acl sulla outside

mulasso · mar 06 nov , 2007 4:32 pm

Con questa configurazione ora riesco a mandare dalla mia rete email verso l'esterno, ma dall'esterno non riesco a ricevere e non vedo la porta 443

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password zzz encrypted
passwd zzz encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host 89.90.199.238 eq smtp
access-list outside_access_in permit tcp any host 89.90.199.238 eq https
access-list outside_access_in permit tcp any host 89.90.199.238 eq pop3
access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.192 255.255.255.224
access-list inside_access_in deny tcp any any eq 4661
access-list inside_access_in deny tcp any any eq 4672
access-list inside_access_in deny udp any any eq 4672
access-list inside_access_in deny tcp any any eq 4662
access-list inside_access_in deny tcp any any eq 4673
access-list inside_access_in deny udp any any eq 4665
access-list inside_access_in deny tcp any any eq 4711
access-list inside_access_in permit ip any any
pager lines 24
logging on
logging trap debugging
logging host inside 192.168.1.70
icmp permit any outside
icmp permit any echo outside
icmp permit any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside 89.90.199.237 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool esterni 192.168.1.201-192.168.20.220
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 192.168.1.5 255.255.255.255 inside
pdm location 192.168.1.83 255.255.255.255 inside
pdm location 192.168.1.150 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 25 192.168.1.3 25 netmask 255.255.255.255
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.5 255.255.255.255 inside
http 192.168.1.83 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn-groop address-pool esterni
vpngroup vpn-group idle-time 1800
vpngroup vpn-group password ********
telnet 192.168.1.5 255.255.255.255 inside
telnet 192.168.1.83 255.255.255.255 inside
telnet 192.168.1.150 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username xxxx password zzz encrypted privilege 2
username xxx password zzz encrypted privilege 2
username xxx password zzz encrypted privilege 15
username xxx password zzz encrypted privilege 2
username xxx password zzz encrypted privilege 2
username xxxx password zzz encrypted privilege 2
usernamexxx password zzz encrypted privilege 2
terminal width 80
Cryptochecksum:ccf4a5d482597d8a050f1ba7a3071757
: end
pixfirewall#

Grazie mille, sto assimilando moltissimo.
_________________

Wizard · mar 06 nov , 2007 5:13 pm

Hai un gran casino, se l'ip del router è 192.168.x.x come fai avere un ip 80.x.x.x sulla outside?!

Pix da telecom a fastweb

Login • Iscriviti