cisco 877 con/senza nat

Tutto ciò che ha a che fare con la configurazione di apparati Cisco (e non rientra nelle altre categorie)


kubrik

Salve a tutti e complimenti per il forum.

Comincio subito ponendovi un quesito...
Ho un cisco 877 configurato con nat su una 20mega alice che funziona.
Ho a disposizione 8 ip pubblici.
Oggi volevo assegnare gli ip pubblici sulla ethernet per mettere un firewall che si sarebbe occupato di nat/firewalling etc.
Probabilmente era tardi..e la testa non c'era..ma le ho provate tutte.

Questa la configurazione funzionante col nat:


version 12.4
no service pad
service timestamps debug datetime
service timestamps log datetime
! NOTE(review): type 7 "encryption" is a reversible obfuscation. It hides passwords
! from a glance at the screen, nothing more; anyone who can read this config (or
! this forum post) can recover them. Only type 5 secrets are actually protected.
service password-encryption
!
hostname pippo
!
boot-start-marker
boot-end-marker
!
! Logs go only to a 4 KB RAM buffer; no "logging host" appears anywhere in this
! config, so everything is lost on reload. A syslog collector is needed for the
! "Every attempt will be logged" banner below to mean anything.
logging buffered 4096 debugging
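! Only the salted-MD5 (type 5) enable secret is kept. The "enable password 7 ..."
! line that used to sit beside it has been removed: a type 7 string is a reversible
! obfuscation, and when both are configured IOS consults only the secret, so the
! type 7 line added no access control and merely leaked the password to readers.
enable secret 5 uella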
!
no aaa new-model
!
resource policy
!
! Source-routed packets are dropped; they could otherwise be used to steer traffic
! around the interface filtering configured further down.
no ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
! SDM default domain; it only matters for naming the RSA key / self-signed cert.
ip domain name yourdomain.com
! CBAC inspection set (applied "out" on ATM0.1). CBAC works by opening temporary
! return-traffic holes in the ACL applied INBOUND on the same interface (ACL 101
! here). If that inbound ACL is ever removed, "ip inspect ... out" blocks nothing
! by itself - there is no ACL left to punch holes in.
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
! Generic tcp/udp inspection: any LAN-initiated session gets its return path.
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
! NOTE(review): SDEE notification is on, but no "ip ips" rule is applied to any
! interface in this config, so this line has no visible effect.
ip ips notify SDEE
!
!
! Self-signed certificate used by "ip http secure-server". Browsers cannot
! validate it, so HTTPS management protects against sniffing but not against an
! active man-in-the-middle unless the fingerprint is checked by hand.
! "revocation-check none" is the expected setting for a self-signed cert.
crypto pki trustpoint TP-self-signed-3593800335
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3593800335
 revocation-check none
 rsakeypair TP-self-signed-3593800335
!
!
! Certificate body (public data, not a secret). It is truncated in this paste:
! only the first line of the DER hex is present before "quit".
crypto pki certificate chain TP-self-signed-3593800335
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 
  quit
! Local admin account (used by "login local" on the lines and by HTTP auth).
! Stored as a type 5 secret - the right choice; a type 7 string would be reversible.
username pippo privilege 15 secret 5 kjh
!
! 
!
!
!
!
! Physical ADSL interface; all IP configuration lives on the ATM0.1 subinterface.
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 atm vc-per-vp 256
 no atm ilmi-keepalive
 dsl operating-mode adsl2+ 
!
! Internet-facing subinterface. The perimeter is the pair
!   "ip access-group 101 in"     - what the Internet is allowed to initiate
!   "ip inspect DEFAULT100 out"  - CBAC opens return paths for LAN-initiated flows
! The public /28 is configured directly here and its address doubles as the PAT
! address ("ip nat inside source ... interface ATM0.1 overload").
interface ATM0.1 point-to-point
 description INTERFACCIA PER ACCESSO AD INTERNET
 ip address 88.53.x.x 255.255.255.240
 ip access-group 101 in
 ! Strict uRPF: drops packets whose source address is not routed back out this
 ! interface (e.g. spoofed 10.1.x.x sources arriving from the Internet).
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache same-interface
 no snmp trap link-status
 pvc 8/35 
  protocol ip 88.49.y.y broadcast
  encapsulation aal5snap
 !
!
! Switch ports: CDP disabled per port (and globally below). No port security or
! other L2 hardening is configured; presumably all four sit in the default Vlan1.
interface FastEthernet0
 no cdp enable
!
interface FastEthernet1
 no cdp enable
!
interface FastEthernet2
 no cdp enable
!
interface FastEthernet3
 no cdp enable
!
! LAN side. The only thing between LAN hosts and the router's own services (vty,
! HTTPS) is ACL 100, which is "permit ip any any" - i.e. no filter at all. The
! 10.1.1.0/24 segment behind 10.1.99.1 (see the static route) is inside the same
! trust boundary.
interface Vlan1
 description CONNESSIONE LAN
 ip address 10.1.99.30 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ! Clamps TCP MSS so LAN hosts do not depend on PMTUD working across the ADSL link.
 ip tcp adjust-mss 1452
!         
! Default route via the point-to-point WAN subinterface (an interface-only next
! hop is fine on a p-t-p link). The second route reaches the inner 10.1.1.0/24
! segment through 10.1.99.1; every static NAT towards a 10.1.1.x host relies on it.
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 10.1.1.0 255.255.255.0 10.1.99.1
!
!
! Management over HTTPS only (plain HTTP off). Access is limited by ACL 23 to
! 10.10.10.0/29 - an SDM default that is not one of the LAN subnets in this config
! (10.1.99.0/24, 10.1.1.0/24). Unless that range exists somewhere behind 10.1.99.1,
! HTTPS management is effectively unreachable; verify before relying on it.
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
! PAT for the two LAN subnets (ACL "natsource") behind the ATM0.1 address.
ip nat inside source list natsource interface ATM0.1 overload
! Port forwards. Cross-check against ACL 101 (inbound on ATM0.1): it permits
! tcp/1723, GRE, ESP, AH and tcp 5500-5570 only. The udp/500 and udp/1701 forwards
! (IKE / L2TP to 10.1.99.1) and tcp/5060 (SIP to 10.1.1.15) have NO matching
! permit, so they cannot be reached from the Internet; either add the permits or
! remove the dead entries. tcp/1723 + GRE is the PPTP pattern - PPTP/MS-CHAPv2 is
! considered broken, so the IPsec path is the one worth keeping if both exist.
ip nat inside source static tcp 10.1.1.40 1723 interface ATM0.1 1723
ip nat inside source static udp 10.1.99.1 500 interface ATM0.1 500
ip nat inside source static udp 10.1.99.1 1701 interface ATM0.1 1701
ip nat inside source static tcp 10.1.1.218 5570 interface ATM0.1 5570
ip nat inside source static tcp 10.1.1.217 5560 interface ATM0.1 5560
ip nat inside source static tcp 10.1.1.216 5550 interface ATM0.1 5550
ip nat inside source static tcp 10.1.1.215 5540 interface ATM0.1 5540
ip nat inside source static tcp 10.1.1.211 5500 interface ATM0.1 5500
ip nat inside source static tcp 10.1.1.212 5510 interface ATM0.1 5510
ip nat inside source static tcp 10.1.1.213 5520 interface ATM0.1 5520
ip nat inside source static tcp 10.1.1.214 5530 interface ATM0.1 5530
ip nat inside source static tcp 10.1.1.15 5060 interface ATM0.1 5060
!
! Sources eligible for PAT: the local Vlan1 subnet and the inner 10.1.1.0/24.
ip access-list extended natsource
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 10.1.99.0 0.0.0.255 any
!
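! ACL 11 is defined but not referenced anywhere in this config (leftover).
access-list 11 permit 10.1.1.25
! ACL 23: management source range for "ip http access-class 23" (SDM default).
access-list 23 permit 10.10.10.0 0.0.0.7
! ACL 100: applied inbound on Vlan1 and permits everything - a placeholder, not a filter.
access-list 100 permit ip any any
! ACL 101: inbound filter on ATM0.1. ACLs are first-match, so the anti-spoofing
! denies (RFC 1918, loopback, broadcast and 0.0.0.0 sources) now come BEFORE the
! permits. In the original order a packet with a spoofed private source aimed at a
! forwarded port matched a "permit ... any host 88.53.x.x" entry first, and the
! denies were dead entries. Strict uRPF on ATM0.1 catches part of this, but the
! ACL should not depend on it.
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
! Published services; these must mirror the static NAT entries. udp/500, udp/1701
! and tcp/5060 have NAT entries but no permit here - add permits only if those
! services are meant to be reachable from the outside.
access-list 101 permit tcp any host 88.53.x.x eq 5500
access-list 101 permit tcp any host 88.53.x.x eq 5510
access-list 101 permit tcp any host 88.53.x.x eq 5520
access-list 101 permit tcp any host 88.53.x.x eq 5530
access-list 101 permit tcp any host 88.53.x.x eq 5540
access-list 101 permit tcp any host 88.53.x.x eq 5550
access-list 101 permit tcp any host 88.53.x.x eq 5560
access-list 101 permit tcp any host 88.53.x.x eq 5570
access-list 101 permit tcp any host 88.53.x.x eq 1723
access-list 101 permit gre any host 88.53.x.x
access-list 101 permit esp any host 88.53.x.x
access-list 101 permit ahp any host 88.53.x.x
! Only the ICMP replies/errors needed for PMTUD and traceroute; echo requests are
! not accepted, so the router does not answer pings from the Internet.
access-list 101 permit icmp any host 88.53.x.x echo-reply
access-list 101 permit icmp any host 88.53.x.x time-exceeded
access-list 101 permit icmp any host 88.53.x.x unreachable
! Everything else hits the implicit deny. CBAC ("ip inspect DEFAULT100 out") adds
! dynamic entries to this ACL for the return traffic of LAN-initiated sessions.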

! CDP disabled globally (and per port above) so the router does not advertise
! platform / IOS version details on the LAN.
no cdp run
!
!
!
!
control-plane
!
! Shown before authentication on every line; keep it free of hostname/model info.
! (It promises logging, but see "logging buffered": nothing leaves the box.)
banner login ^C
-----------------------------------------------------------------------
Every attempt will be logged
-----------------------------------------------------------------------
^C
!
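! Console: local username/password required.
line con 0
 login local
 no modem enable
 transport output all
! AUX port. The original had no "login" statement here at all, unlike con 0, so a
! device attached to the serial/AUX port appears to get an EXEC with no
! authentication. "login local" closes that. If the port is not used, prefer
! "no exec" and "transport input none" as well.
line aux 0
 login local
 transport output all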
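! Remote CLI. Telnet has been dropped from "transport input": it carries the
! credentials in cleartext across the same Internet link this router fronts.
! Confirm "show ip ssh" reports SSH enabled (an RSA key pair is needed) BEFORE
! applying, or remote access is lost. There is still no "access-class" here, so
! every source that can reach the router's addresses may attempt a login; add one
! listing the admin subnets (ACL 23 as it stands does not match the LAN).
line vty 0 4
 privilege level 15
 login local
 transport input ssh
 transport output all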
!
scheduler max-task-time 5000
no scheduler allocate
!
! SSL VPN context created by SDM; "no inservice" keeps it disabled.
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

Questa quella che penso debba essere la configurazione senza nat:



! Second variant: public /28 moved onto the LAN, no NAT, no ACLs (see the notes
! after the listing). Global section is identical to the working NAT config.
version 12.4
no service pad
service timestamps debug datetime
service timestamps log datetime
! NOTE(review): type 7 "encryption" is reversible; it hides nothing from anyone
! who can read the config.
service password-encryption
!
hostname pippo
!
boot-start-marker
boot-end-marker
!
! Buffer-only logging; no "logging host" in this config, so logs vanish on reload.
logging buffered 4096 debugging
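! Only the type 5 enable secret is kept; the "enable password 7 ..." line that was
! here has been removed. Type 7 is reversible, and IOS uses the secret whenever
! both exist, so the extra line only exposed the password.
enable secret 5 uella!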
!
no aaa new-model
!
resource policy
!
no ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
! CBAC inspection set, still applied "out" on ATM0.1 below. In THIS variant no ACL
! is applied inbound on ATM0.1, so there is nothing for CBAC to open holes in:
! these lines consume CPU and block nothing. Either restore an inbound ACL or
! remove the inspection.
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
! No "ip ips" rule is applied anywhere; this notification setting has no effect.
ip ips notify SDEE
!
!
! Self-signed cert for the HTTPS management server; clients cannot validate it,
! so check the fingerprint by hand the first time.
crypto pki trustpoint TP-self-signed-3593800335
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3593800335
 revocation-check none
 rsakeypair TP-self-signed-3593800335
!
!
! Certificate body (public data); truncated in this paste after the first line.
crypto pki certificate chain TP-self-signed-3593800335
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  quit
! Local admin account, type 5 secret.
username pippo privilege 15 secret 5 ads
!
! 
!
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 atm vc-per-vp 256
 no atm ilmi-keepalive
 dsl operating-mode adsl2+ 
!
! WAN subinterface now carries the /30 point-to-point address; the public /28 is
! routed by the ISP through it and lives on Vlan1.
! NOTE(review): "ip access-group 101 in" is gone and nothing replaced it. With no
! inbound ACL, "ip inspect DEFAULT100 out" protects nothing, and everything on the
! public /28 - including this router's own vty and HTTPS services - is reachable
! from the Internet. The firewall planned for the LAN will protect the hosts
! behind it, not the router; at minimum an inbound ACL protecting the router's own
! addresses should stay here.
interface ATM0.1 point-to-point
 description INTERFACCIA PER ACCESSO AD INTERNET
 ip address 88.49.y.y 255.255.255.252
 ! Strict uRPF: still useful here as anti-spoofing on the WAN side.
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache same-interface
 no snmp trap link-status
 pvc 8/35 
    encapsulation aal5snap
 !
!
interface FastEthernet0
 no cdp enable
!
interface FastEthernet1
 no cdp enable
!
interface FastEthernet2
 no cdp enable
!
interface FastEthernet3
 no cdp enable
!
! LAN side, now carrying the public block so a downstream firewall can do its own
! NAT. Per the replies in this thread, the block actually routed to this line is
! 88.53.x.x/28 (the one the NAT config used); "88.55.x.x" here is the typo that
! left only the p-t-p peer reachable. No ACL is applied inbound here either, so
! LAN hosts reach the router's own services unfiltered.
interface Vlan1
 description CONNESSIONE LAN
 ip address 88.55.x.x 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!         
! Default route via the p-t-p subinterface. The 10.1.1.0/24 route from the NAT
! config is gone along with the private addressing.
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
!
! HTTPS-only management, restricted by ACL 23 to 10.10.10.0/29. That subnet does
! not exist anywhere in this variant, so HTTPS management is effectively locked
! out - which, given that the WAN has no inbound ACL, is the safer failure mode.
! Point ACL 23 at the real admin subnet when one exists.
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!

!
! ACL 11 and ACL 100 are defined but no longer referenced by anything (ACL 100 was
! the Vlan1 inbound filter in the NAT config); only ACL 23 is in use.
access-list 11 permit 10.1.1.25
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit ip any any

! CDP disabled globally and per port.
no cdp run
!
!
!
!
control-plane
!
! Pre-authentication banner; keep it free of hostname/model details.
banner login ^C
-----------------------------------------------------------------------
Every attempt will be logged
-----------------------------------------------------------------------
^C
!
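! Console: local username/password required.
line con 0
 login local
 no modem enable
 transport output all
! AUX port: the original carried no "login" at all (con 0 has "login local"), so
! whatever is plugged into the AUX port appears to get an unauthenticated EXEC.
! "login local" added; if the port is unused, also "no exec" / "transport input none".
line aux 0
 login local
 transport output all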
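! Remote CLI. In this variant the router sits on public addresses with NO inbound
! ACL on the WAN, so the vty lines are directly exposed to the Internet. Telnet
! (cleartext credentials) is removed from "transport input"; confirm "show ip ssh"
! shows SSH enabled before applying. An "access-class <acl> in" restricting the
! source to the admin subnet is still missing and is the more important fix
! (ACL 23 as defined does not match any subnet in this config).
line vty 0 4
 privilege level 15
 login local
 transport input ssh
 transport output all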
!
scheduler max-task-time 5000
no scheduler allocate
!
! SDM-created SSL VPN context, disabled ("no inservice").
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
88.53.x.x 255.255.255.240: ip pubblici
88.49.y.y 255.255.255.252: p-t-p

In sostanza i cambiamenti fatti sono stati:
- assegnare l'ip punto punto all'atm0.1
- assegnare gli ip pubblici alla vlan
- eliminare i nat
- ho eliminato le acl per fugare ogni dubbio

Ho collegato il mio bel portatile sulla ethernet assegnandomi uno degli ip pubblici e come gateway il router.
Riesco a fare ping solo sull'altro ip della punto-punto sia dal pc che dal router...per il resto nulla.

È possibile che ci siano delle ACL impostate da Telecom dall'altra parte?
Ma se così fosse... perché col NAT l'IP pubblico navigava?

Ho anche fatto un tentativo mettendo ip unnumbered vlan1 sull'atm0.1..ma niente.

Suggerimenti prima di chiamare mamma telecom?

Grazie in anticipo.
kubrik

Nessun parere??
grazie.
Wizard

Dal PC prova a fare un ping a 151.1.1.1 (IP pubblico pingabile) e sul router abilita il debug dell'ICMP (`debug ip icmp`), così vedi se le richieste escono dall'ATM0.1 e se tornano le risposte; ricordati di disattivarlo subito dopo con `undebug all`...
berni_n1

in quella che funziona hai configurato la rete 88.53.x.x 255.255.255.240
mentre nell'altra 88.55.x.x 255.255.255.240

Dai sarà stato tardi!!!!

Ciao!
kubrik

berni_n1 ha scritto:in quella che funziona hai configurato la rete 88.53.x.x 255.255.255.240
mentre nell'altra 88.55.x.x 255.255.255.240

Dai sarà stato tardi!!!!

Ciao!
hahahah
Non è la prima volta...le configurazioni le devo fare la mattina!

Ovviamente funziona tutto.
Grazie berni ;)
giocomail

Saluti a tutti,
perdonatemi ma sono andato un pò nel pallone a configurare il mio router. Dopo vari tentativi pare che funziona. Dico pare perchè i servizi attivati (WWW, mail) dall'esterno sembrano rispondere anche se a intermittenza. Dalla rete LAN posso navigare però solo mettendo IP pubblici. A me servirebbe esattamente il contrario: navigare con ip privati e dare i servizi facendo NAT appunto su ip privati. Posto la attuale configurazione funzionamente con la speranza che qualcuno possa dargli un'occhiata e dirmi dove ci sono eventuali errori. Inoltre facendo l'accesso al router con SDM mi esce un avvertimento che mi dice di fare l'undebug perchè altrimenti le prestazioni del router degradano. Che sia questa la causa del funzionamento a intermittenza? Grazie.
---------------------------------------------
! NOTE(review): the leading "!" turns the version line into a comment - most likely
! a paste artifact rather than what the router actually has.
!version 12.4
no service pad
! Keepalives on vty/tty sessions so dead remote sessions are torn down.
service tcp-keepalives-in
service tcp-keepalives-out
! Millisecond, localtime, zone-tagged timestamps: good for log correlation.
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! Type 7 obfuscation only; reversible by anyone who reads the config.
service password-encryption
service sequence-numbers
!
hostname RTR-DIREG
!
boot-start-marker
boot-end-marker
!
! 50 KB RAM buffer at debug level; with "logging console critical" the console is
! spared, but nothing is exported (no "logging host" in this config).
logging buffered 51200 debugging
logging console critical
! Type 5 secret only, no "enable password" - correct.
enable secret 5 *********
!
no aaa new-model
!
resource policy
!
! NOTE(review): the DST rule is a one-off "date" form pinned to 2003; in any other
! year the clock (and hence every log timestamp) is off by an hour for part of the
! year. Use the "recurring" form (last Sunday of March / October for CET).
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
no ip source-route
ip cef
!
!
! Shorter SYN wait limits how long half-open sessions tie up resources.
ip tcp synwait-time 10
no ip bootp server
ip domain name **********.it
! Resolvers used by the router itself (ping/traceroute by name, etc.).
ip name-server 85.17.37.9
ip name-server 151.99.100.2
! SSH is configured; the vty lines below should therefore not need telnet.
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Self-signed certificate backing "ip http secure-server" (SDM over HTTPS).
! Clients cannot validate it against a CA; verify the fingerprint out of band.
crypto pki trustpoint TP-self-signed-1987534786
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1987534786
revocation-check none
rsakeypair TP-self-signed-1987534786
!
!
! Full certificate body (DER, hex). This is public data - it does not contain the
! private key - so posting it is harmless.
crypto pki certificate chain TP-self-signed-1987534786
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31393837 35333437 3836301E 170D3038 30363033 31343137
35365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 39383735
33343738 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C72D B367C68D 046E8E71 4F346A51 23255A72 55581BC3 7470B602 39E4E7D9
265292DF B2DD1462 6A0AD09F 03E2DE3B 3F6DFED0 6173EB09 B20D42A2 E792163E
7AE4A7AA 032C400C D7C8B32E 60BDF19E E2A9E6C3 9EED8EB4 93BC0FD6 9969A263
F9EC7C4F D40DB3B1 1FF280DD 402D6BB6 F9C533F1 849136B1 2B94B113 1A7A7785
3E3B0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
301F0603 551D2304 18301680 14634D9D 65C86B40 F87AE47F 11A8CC7B 127DE444
CB301D06 03551D0E 04160414 634D9D65 C86B40F8 7AE47F11 A8CC7B12 7DE444CB
300D0609 2A864886 F70D0101 04050003 81810059 7E6F4050 AA7E5057 ECED6B12
0E9229D6 EA4B6DF5 47ECBFD9 DFB73A62 B29855F4 E922F62B 64005CD2 4EE2D2A7
BB5AC2C3 1804ED66 13447010 28E24D99 312D6DAA 3E9EBDC2 D4769004 41ADA79B
BE4C796C AB0CD2B5 938F6644 19A08572 BAEC03FE 6E6CDBA3 1AC5636B FEFCA421
D1385440 28C409BA 74C72A37 A78A4C7A 96D63B
quit
! Local privilege-15 admin, type 5 secret; used by every "login local" and by
! "ip http authentication local".
username ******** privilege 15 secret 5 ********************************
!
!
!
!
!
interface ATM0
description ALICE BUSINESS 20 Mbps - TGU:
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
! NetFlow accounting; no "ip flow-export" is configured, so it is only visible
! locally via "show ip cache flow".
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
! Internet-facing subinterface on the /30 point-to-point. NOTE(review): there is
! no "ip access-group ... in", no "ip inspect", and no uRPF here. The $FW_OUTSIDE$
! tag suggests the SDM firewall wizard was run at some point, but nothing of it
! survives in this config: the only thing between the Internet and the public /29
! on Vlan1 (and this router's own HTTP/HTTPS/vty services) is NAT - which, with
! public addresses on the inside, is not a filter at all.
interface ATM0.1 point-to-point
description INTERFACCIA PER ACCESSO AD INTERNET$FW_OUTSIDE$$ES_WAN$
ip address 88.57.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly
pvc 8/35
oam-pvc manage
encapsulation aal5snap
!
!
! Switch ports: no "no cdp enable" here, but "no cdp run" below disables CDP globally.
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! LAN side on the public /29 with "ip nat inside". Translating sources that are
! already public buys nothing, which is why hosts only work with public addresses.
! For what the post asks (private LAN, published servers): give Vlan1 a private
! subnet, make ACL 102 match that subnet, and turn the static entries below into
! <private host> -> <address from the /29> maps. That presumably works because the
! ISP routes the /29 to this router over the /30, as it does today - confirm.
interface Vlan1
description CONNESSIONE LAN$FW_INSIDE$$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 88.63.x.x 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
! MSS clamp for the ADSL link.
ip tcp adjust-mss 1452
ip classless
! Default route over the point-to-point WAN subinterface.
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
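! Management. The plain-HTTP server has been turned off: it used "login local"
! credentials in the clear, and - as far as this config shows - was reachable from
! the Internet (no "ip http access-class", no inbound ACL on ATM0.1). SDM works
! over the HTTPS server, which stays on. Still missing: an "ip http access-class
! <acl>" limiting HTTPS management to the admin subnet. It is not added here
! because none of the ACLs in this config is clearly meant for that (ACL 1 looks
! like an SDM NAT leftover); define one for the real admin range and apply it.
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000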
! PAT for sources matching ACL 102 (see the note on that ACL: its wildcard does
! not describe the LAN). With the LAN already on public addresses this
! translation changes nothing today.
ip nat inside source list 102 interface ATM0.1 overload
! Static maps for SMTP / HTTP / POP3. The addresses are masked in the post, so it
! is not visible whether inside-local and inside-global differ; if they are the
! same host these three lines are no-ops. After renumbering they become
! "ip nat inside source static tcp <private host> 25 <public /29 address> 25".
! tcp/25 and tcp/110 typically carry cleartext credentials over the Internet;
! prefer the TLS variants (465/587 with STARTTLS, 995) where the clients allow it.
ip nat inside source static tcp 88.63.x.x 25 88.63.x.x 25 extendable
ip nat inside source static tcp 88.63.x.x 80 88.63.x.x 80 extendable
ip nat inside source static tcp 88.63.x.x 110 88.63.x.x 110 extendable
!
! Trap level "debugging" with no "logging host" means nothing is exported. If a
! collector is added, lower this (informational is plenty); debug-level syslog on
! an 877 is expensive - the SDM "undebug" warning in the post points the same way.
logging trap debugging
! ACL 1: SDM-generated with the same category tag as ACL 102 and referenced by no
! "ip http access-class", "access-class" or NAT statement in this config - most
! likely a leftover from an earlier NAT wizard run.
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 1 permit 88.63.x.x 0.0.0.7
! ACL 102 is the NAT source list. "0.0.0.1 255.255.255.248" is address 0.0.0.1 with
! wildcard 255.255.255.248: the upper 29 bits are "don't care" and only the low 3
! bits must equal 001, i.e. it matches any host whose last octet is 1, 9, 17, ...
! That is not a subnet. The intended entry is the Vlan1 network -
! "access-list 102 permit ip 88.63.x.x 0.0.0.7 any" today, or the chosen private
! subnet once the LAN is renumbered.
access-list 102 remark internet
access-list 102 remark SDM_ACL Category=2
access-list 102 permit ip 0.0.0.1 255.255.255.248 any
! CDP off globally.
no cdp run
!
control-plane
!
! Pre-authentication banner; contains no hostname/model information - good.
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
! Console and AUX both require a local login (unlike the first configs in this
! thread, where AUX had no "login" at all).
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
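! Remote CLI. Telnet has been dropped from "transport input": the router has no
! inbound WAN ACL, so these lines are reachable from the Internet and telnet would
! expose the admin password in cleartext. SSH parameters ("ip ssh ...") are already
! configured; still confirm "show ip ssh" before applying. An "access-class <acl>
! in" restricting sources to the admin subnet is also missing - ACL 1 is not used
! for it here because it appears to be an SDM NAT leftover rather than a
! management list; define a dedicated one.
line vty 0 4
privilege level 15
login local
transport input ssh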
!
! SDM defaults: reserve CPU time for process-level tasks so a packet flood
! cannot starve the CLI / management plane.
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end