877 and NAT disabled
Moderator: Federico.Lagni

Hello everyone!
Is it possible to disable the NAT functions on the Cisco 877? The goal is to give the firewall that sits behind the 877 an IP from the static pool on the WAN interface and let the firewall do the NAT.
Apologies for the somewhat newbie question.
- n00b
- Posts: 7
- Joined: Thu 06 Sep 2007 8:40 am
- Location: Bologna
Ok, here are a few more details.
Here is the current situation:
Code:
(Internet)<-----82.191.X.Y/29---[Router]---192.168.0.2/24----->(LAN)
Here is the goal:
Code:
(Internet)<-----82.191.X.Y/29---[Router]<-----82.191.X.Z---[Firewall]---192.168.0.2/24----->(LAN)
If I disable the NAT rules and leave the Vlan without an IP, the router and the firewall cannot ping each other.
I should also point out that I replaced the ACLs so that all inbound and outbound connections are allowed.
The Cisco 877 router is currently configured like this:
Code:
(.......)
interface Null0
no ip unreachables
!
interface Loopback0
description $FW_INSIDE$
ip address 82.191.X.Y 255.255.255.248
ip access-group 104 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
ip route-cache flow
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
ip address 82.191.X.Z 255.255.255.252
ip access-group sdm_atm0.1_in in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect sdm_ins_in_100 in
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
pvc 8/35
encapsulation aal5snap
!
crypto map SDM_CMAP_1
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.2 255.255.255.0
ip access-group no-www in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.20.0 192.168.20.255
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 82.191.X.J 255.255.255.255 Vlan1 permanent
ip route 82.191.X.K 255.255.255.255 Vlan1 permanent
ip route 192.168.0.251 255.255.255.255 Vlan1 permanent
ip route 192.168.0.252 255.255.255.255 Vlan1 permanent
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Loopback0 overload
ip nat inside source static 192.168.0.0 82.191.X.Y route-map SDM_RMAP_3
ip nat inside source static 192.168.0.251 82.191.X.J route-map SDM_RMAP_1
ip nat inside source static 192.168.0.252 82.191.X.K route-map SDM_RMAP_2
!
(......)
More or less, I managed it on my own, like this:
Code:
!This is the running config of the router: 82.191.X.Z
!----------------------------------------------------------------------------
!version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 *****************************
!
username ******** privilege 15 secret 5 *********************************
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
ip domain name peenservice.it
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$
ip address 82.191.X.Y 255.255.255.255
ip access-group sdm_atm0.1_in in
pvc 8/35
encapsulation aal5snap
!
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$
ip address 82.191.X.Z 255.255.255.255
ip access-group sdm_vlan1_in in
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip access-list extended sdm_atm0.1_in
remark SDM_ACL Category=1
permit ip any any
ip access-list extended sdm_vlan1_in
remark SDM_ACL Category=1
permit ip any any
!
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
privilege level 15
login local
transport preferred all
transport input telnet ssh
transport output all
line vty 5 15
privilege level 15
login local
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
end
Is there perhaps something wrong?
P.S.: Maybe I should add:
Code:
ip route 82.191.X.J 255.255.255.255 interface Vlan1 permanent
ip route 82.191.X.K 255.255.255.255 interface Vlan1 permanent
for the two public IPs that need to be NATted by the firewall?
Answering myself: after adding
Code:
ip route 82.191.X.J 255.255.255.255 Vlan1 permanent
ip route 82.191.X.K 255.255.255.255 Vlan1 permanent
everything works as it should.
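Added example, not code from the thread or from Cisco: a small Python checker for a running-config like the ones pasted above. It reports leftover NAT statements (global translation rules and per-interface inside/outside roles), ACLs that `permit ip any any` together with the interfaces they are applied to, clear-text management paths (telnet on the vty lines, `ip http server`), and the /32 static routes pointing at Vlan1 that the last post needed for the firewall's public addresses. The function names, the finding tags and the two sample configs are assumptions; the samples are constructed, use documentation addresses (203.0.113.0/24) instead of the thread's 82.191.X.* ones, and mirror the before/after layouts posted in the thread.

```python
"""Added example (not code from the thread): audit an IOS running-config for
leftover NAT statements, wide-open ACLs and clear-text management, as one
would check the 877 after moving NAT to the firewall. The sample configs are
constructed and use documentation addresses (203.0.113.0/24)."""
import re

# Commands that open a configuration block. "show run" indents sub-commands, but
# forum pastes lose the indentation, so blocks are delimited by keyword and "!".
BLOCK_OPENERS = ("interface ", "ip access-list ", "line ", "router ", "crypto map ")


def parse_ios(text):
    """Return (top_level_commands, {block_header: [sub_commands]})."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None                      # "!" ends the current block
        elif line.startswith(BLOCK_OPENERS):
            current = line
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line)
        else:
            top.append(line)
    return top, blocks


def audit(top, blocks):
    """Findings tagged nat-rule, nat-interface, open-acl, open-acl-applied, telnet-mgmt, http-mgmt."""
    out = []
    ifaces = {n: c for n, c in blocks.items() if n.startswith("interface ")}

    # 1. NAT leftovers: global translation rules and per-interface inside/outside roles.
    out += [f"nat-rule: {g}" for g in top if g.startswith("ip nat ")]
    for name, cmds in ifaces.items():
        out += [f"nat-interface: {name}: {c}" for c in cmds if c.startswith("ip nat ")]

    # 2. ACLs that permit everything (numbered or named), and where they are applied.
    open_acls = {m.group(1) for g in top
                 for m in [re.fullmatch(r"access-list (\d+) permit ip any any", g)] if m}
    for name, cmds in blocks.items():
        if name.startswith("ip access-list ") and "permit ip any any" in cmds:
            open_acls.add(name.split()[-1])
    out += [f"open-acl: {a} permits ip any any" for a in sorted(open_acls)]
    for name, cmds in ifaces.items():
        for c in cmds:
            m = re.fullmatch(r"ip access-group (\S+) (in|out)", c)
            if m and m.group(1) in open_acls:
                out.append(f"open-acl-applied: {name} {m.group(2)} uses {m.group(1)}")

    # 3. Clear-text management paths on the router itself.
    for name, cmds in blocks.items():
        if name.startswith("line vty"):
            out += [f"telnet-mgmt: {name}: {c}" for c in cmds
                    if c.startswith("transport input") and "telnet" in c.split()]
    if "ip http server" in top:
        out.append("http-mgmt: ip http server enabled (clear-text)")
    return out


def host_routes_via(top, iface):
    """/32 static routes pointing at an interface: the public IPs handed to the firewall."""
    pat = re.compile(rf"ip route (\S+) 255\.255\.255\.255 {re.escape(iface)}(\s|$)")
    return [m.group(1) for g in top for m in [pat.match(g)] if m]


# Constructed sample: NAT-era layout (public /29 on Loopback0, private LAN on Vlan1).
BEFORE_CFG = """\
interface Loopback0
 ip address 203.0.113.9 255.255.255.248
 ip access-group 104 in
 ip nat outside
!
interface Vlan1
 ip address 192.168.0.2 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface Loopback0 overload
ip nat inside source static 192.168.0.251 203.0.113.10 route-map SDM_RMAP_1
access-list 104 permit ip any any
"""

# Constructed sample: NAT removed, firewall holds the public addresses behind Vlan1.
AFTER_CFG = """\
interface ATM0.1 point-to-point
 ip address 203.0.113.1 255.255.255.255
 ip access-group sdm_atm0.1_in in
!
interface Vlan1
 ip address 203.0.113.2 255.255.255.255
 ip access-group sdm_vlan1_in in
!
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 203.0.113.10 255.255.255.255 Vlan1 permanent
ip route 203.0.113.11 255.255.255.255 Vlan1 permanent
ip http server
ip access-list extended sdm_atm0.1_in
 permit ip any any
ip access-list extended sdm_vlan1_in
 permit ip any any
line vty 0 4
 login local
 transport input telnet ssh
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE_CFG), ("after", AFTER_CFG)):
        print(label, *audit(*parse_ios(text)), sep="\n  ")
```

Run against the "before" sample it lists four NAT findings plus the wide-open numbered ACL 104 and the interface it sits on; against the "after" sample the NAT findings drop to zero, which is the check worth making once the roles move to the firewall, while the two `permit ip any any` ACLs, the telnet vty transport and `ip http server` remain visible. The parser keys blocks on the "!" separator and on the opener keywords rather than on indentation, so it also works on configs pasted into a forum with the leading spaces stripped.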