Cisco 1841 FTP e Dyns.cx

[fireblade]

Ciao Ragazzi,

sono alle prime armi e sto cercando di configurare un server ftp sul pc della lan con ip 192.168.2.2 porta 21 usufruendo del servizio di dns dinamico di dyns.cx, qualcuno di buon cuore mi potrebbe indicare l'errore o la mancanza nella configurazione? Grazie in anticipo Paolo.


Building configuration...

Current configuration : 6008 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$IXDf$xR8xUnUBUsNj7Va8eqJSB1
enable password miapassword
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool Casa
import all
network 192.168.2.0 255.255.255.0
dns-server 85.37.17.4 85.38.28.70
default-router 192.168.2.1
!
!
ip name-server 85.37.17.4
ip name-server 85.38.28.70
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ddns update method sdm_ddns1
HTTP
add http://usernamemio:[email protected] ... =<h>&ip=<a>
remove http://usernamemio:[email protected] ... =<h>&ip=<a>
!
!
!
crypto pki trustpoint TP-self-signed-564730499
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-564730499
revocation-check none
rsakeypair TP-self-signed-564730499
!
!
crypto pki certificate chain TP-self-signed-564730499
certificate self-signed 01
3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35363437 33303439 39301E17 0D303830 39313230 36353935
355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3536 34373330
34393930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
E0E734EA F69B5928 40C11DCA D7DC72DC B76B1D5E DBEC4D2D 3CC7F939 3BF50F1F
1A22FFE4 AC21AFF3 861165A4 870E61B2 690E97F8 6FD3DC83 269DDAA8 7013A73B
76955849 FB2CD761 E63244E7 DCA726FF 08A7799E 9D0B9257 8AABE315 85DB2F8E
2D3F2BF0 B84BEB83 1FADDC6B 996C1474 814532BF 045124C9 AD7F9BAE 1FDD2495
02030100 01A36630 64300F06 03551D13 0101FF04 05300301 01FF3011 0603551D
11040A30 08820652 6F757465 72301F06 03551D23 04183016 801456F8 84AD8B32
C9331E56 AA926E4C 8FE4637D CCC4301D 0603551D 0E041604 1456F884 AD8B32C9
331E56AA 926E4C8F E4637DCC C4300D06 092A8648 86F70D01 01040500 03818100
9674FF39 DAF86101 2885F81F 1D5BA13C CB9D2868 22C4A689 F9DA8E17 E7BB21F2
0CA9DC4B 12A8F5A3 6ED400E5 32FACD99 81591630 327473EC FE101295 ECC54AF5
053C132B 1A96BEA4 8D2735E8 DD9A3116 735D97C0 054E4384 6BA485E8 9C10C931
E7C0222A 999E4642 48B16B5C 9D9D0688 DBBBE757 911223D3 ABADB0E4 B693013A
quit
username miauser privilege 15 secret 5 $1$ULcH$/JO.iGfbwKz0F2HfSxj.a0
!
!
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$FW_INSIDE$
ip address 192.168.2.1 255.255.255.0
ip access-group 100 in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
speed auto
full-duplex
no mop enabled
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
ip mtu 1452
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname aliceadsl
ppp chap password 0 aliceadsl
ppp pap sent-username aliceadsl password 0 aliceadsl
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.2.2 21 interface Dialer0 21
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 remark FTP
access-list 100 permit tcp any eq ftp host 192.168.2.2 eq ftp
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 85.38.28.70 eq domain any
access-list 101 permit udp host 85.37.17.4 eq domain any
access-list 101 deny ip 192.168.2.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password miapassword
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end

[xanio]

Cosa non funziona? che problemi hai?

[Wizard]

Mi sa che manca la acl in ingresso!

P.s. Appena puoi pulisci la conf da quelle schifezze create dal sdm!

[fireblade]

Grazie Wizard per avermi indicato la strada, stavo cercando sul forum una qualche indicazione attinente, e ho trovato vari post, molti anche tuoi ... ma sono veramente all' inizio ...

mi daresti, per favore la dritta su cosa scrivere nella regola?

P.s. in effetti per un principiante come me l'uso dell' sdm in alcuni casi è obbligatorio ... vedo di studiarmi un' po di interessanti post sul forum e di pulire la configurazione dalle tracce dell' Sdm ...

Grazie ancora Paolo

[Wizard]

Voilà:

Codice: Seleziona tutto

no access-list 101
access-list 101 remark *** ACL IN INGRESSO DA INTERNET ***
access-list 101 permit tcp any any eq 21
access-list 101 permit icmp any any echo-reply 
access-list 101 permit icmp any any time-exceeded 
access-list 101 permit icmp any any unreachable 
access-list 101 permit udp host 85.38.28.70 eq domain any 
access-list 101 permit udp host 85.37.17.4 eq domain any 
access-list 101 deny ip 192.168.2.0 0.0.0.255 any 
access-list 101 deny ip 10.0.0.0 0.255.255.255 any 
access-list 101 deny ip 172.16.0.0 0.15.255.255 any 
access-list 101 deny ip 192.168.0.0 0.0.255.255 any 
access-list 101 deny ip 127.0.0.0 0.255.255.255 any 
access-list 101 deny ip host 255.255.255.255 any 
access-list 101 deny ip host 0.0.0.0 any 
access-list 101 deny ip any any log 

[fireblade]

Grazie Wizard ho inserito le righe che mi hai dato, ma purtroppo non sono riuscito ancora a connettermi da fuori all ftp server .. ne in modalità attiva ne passiva.

Dal sito http://www.dyns.cx/member/dynforwarder_ ... ?hostname=

risulto avere miosito.ma.cx un ip corrispondente 82.54.xxx.xxx e la porta settata ovvero la 21.

Cosa significa la scritta fatta dell' SDM

HTTP
add http://miauser:[email protected]/ ... =<h>&ip=<a>

e poi subito dopo remove?

remove http://miauser:[email protected]/ ... =<h>&ip=<a>

Questa la configurazione attuale

Building configuration...

Current configuration : 6008 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$IXDf$xR8xUnUBUsNj7Va8eqJSB1
enable password miapassword
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool Casa
import all
network 192.168.2.0 255.255.255.0
dns-server 85.37.17.4 85.38.28.70
default-router 192.168.2.1
!
!
ip name-server 85.37.17.4
ip name-server 85.38.28.70
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ddns update method sdm_ddns1
HTTP
add http://usernamemio:[email protected] ... =<h>&ip=<a>
remove http://usernamemio:[email protected] ... =<h>&ip=<a>
!
!
!
crypto pki trustpoint TP-self-signed-564730499
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-564730499
revocation-check none
rsakeypair TP-self-signed-564730499
!
!
crypto pki certificate chain TP-self-signed-564730499
certificate self-signed 01
3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35363437 33303439 39301E17 0D303830 39313230 36353935
355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3536 34373330
34393930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
E0E734EA F69B5928 40C11DCA D7DC72DC B76B1D5E DBEC4D2D 3CC7F939 3BF50F1F
1A22FFE4 AC21AFF3 861165A4 870E61B2 690E97F8 6FD3DC83 269DDAA8 7013A73B
76955849 FB2CD761 E63244E7 DCA726FF 08A7799E 9D0B9257 8AABE315 85DB2F8E
2D3F2BF0 B84BEB83 1FADDC6B 996C1474 814532BF 045124C9 AD7F9BAE 1FDD2495
02030100 01A36630 64300F06 03551D13 0101FF04 05300301 01FF3011 0603551D
11040A30 08820652 6F757465 72301F06 03551D23 04183016 801456F8 84AD8B32
C9331E56 AA926E4C 8FE4637D CCC4301D 0603551D 0E041604 1456F884 AD8B32C9
331E56AA 926E4C8F E4637DCC C4300D06 092A8648 86F70D01 01040500 03818100
9674FF39 DAF86101 2885F81F 1D5BA13C CB9D2868 22C4A689 F9DA8E17 E7BB21F2
0CA9DC4B 12A8F5A3 6ED400E5 32FACD99 81591630 327473EC FE101295 ECC54AF5
053C132B 1A96BEA4 8D2735E8 DD9A3116 735D97C0 054E4384 6BA485E8 9C10C931
E7C0222A 999E4642 48B16B5C 9D9D0688 DBBBE757 911223D3 ABADB0E4 B693013A
quit
username miauser privilege 15 secret 5 $1$ULcH$/JO.iGfbwKz0F2HfSxj.a0
!
!
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$FW_INSIDE$
ip address 192.168.2.1 255.255.255.0
ip access-group 100 in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
speed auto
full-duplex
no mop enabled
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
ip mtu 1452
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname aliceadsl
ppp chap password 0 aliceadsl
ppp pap sent-username aliceadsl password 0 aliceadsl
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.2.2 21 interface Dialer0 21
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark *** ACL IN INGRESSO DA INTERNET ***
access-list 101 permit tcp any any eq ftp
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit udp host 85.38.28.70 eq domain any
access-list 101 permit udp host 85.37.17.4 eq domain any
access-list 101 deny ip 192.168.2.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password miapassword
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end

Grazie infinite per la pazienza...

[Wizard]

Verifica con un "sh access-list 101" se la acl x l'ftp abbia dei match

[fireblade]

Vedi sotto

[fireblade]

Ecco cosa stampa 2

Router#sh access-list 101
Extended IP access list 101
10 permit tcp any any eq ftp
20 permit icmp any any echo-reply
30 permit icmp any any time-exceeded
40 permit icmp any any unreachable (78 matches)
50 permit udp host 85.38.28.70 eq domain any
60 permit udp host 85.37.17.4 eq domain any
70 deny ip 192.168.2.0 0.0.0.255 any
80 deny ip 10.0.0.0 0.255.255.255 any
90 deny ip 172.16.0.0 0.15.255.255 any
100 deny ip 192.168.0.0 0.0.255.255 any (1 match)
110 deny ip 127.0.0.0 0.255.255.255 any
120 deny ip host 255.255.255.255 any
130 deny ip host 0.0.0.0 any
140 deny ip any any log (157 matches)

[fireblade]

Ciao Ragazzi,

ci siamo quasi ...

ovvero ho provato ad impostare manualmente sul pannello di controllo del sito www.dyns.cx l'ip che attualmente Alice mi assegna e sono riuscito ad entrare da fuori lan nell'ftp.

Sembra che il problema stia nella comunicazione del nuovo ip a dyns.cx da parte del 1841, infatti spegnendolo e poi riaccendendolo dopo un 15 min, alice mi assegna un nuovo ip diverso dal precedente ma se vado nel pannello di controllo nel sito dyns.cx l'ip è ancora quello vecchio.

[fireblade]

Ulteriore prova:

installando sul pc 192.168.2.2 il programma dynsite l'aggiornamento dell' ip su dyns.cx avviane istantaneamente.

Da ciò deduco che ho qualcosa che impedisce l'aggiornamento dns sulla configurazione del router ... ma cosa?

[carini]

Da ciò deduco che ho qualcosa che impedisce l'aggiornamento dns sulla configurazione del router ... ma cosa?

Non lo so ... ma se il sistema è analogo a quello di dyndns puoi provare l'url configurato nel tuo router direttamente da firefox

Es:
http://<username>:<password>@members.dy ... uad-dot-ip>

E vedere cosa risponde il provider ....

[fireblade]

Ciao Carini,

ho provato a seguire il tuo consiglio e a copiare la stringa su Firefox:

Dyns.cx risponde:

400 Bad request (bad ip)-[]-

notavo che poi nel mio sh run appaiono due linee di codice ovvero

HTTP
add http://usernamemio:[email protected] ... =<h>&ip=<a>
remove http://usernamemio:[email protected] ... =<h>&ip=<a>

mentre nelle configurazioni che ho trovato qui nel forum manca la seconda ovvero

remove http://usernamemio:[email protected] ... =<h>&ip=<a>

e c'è invece indicato il tempo minimo di aggiornamento del ip.

[carini]

Dyns.cx risponde: 400 Bad request (bad ip)-[]-

E già questo piace poco ...

HTTP
add http://usernamemio:[email protected] ... =<h>&ip=<a>

Prova a cercare di capire come dyns vuole l'IP e se come host devi mettere il fqdn ... il formato dell'url dovresti trovarlo nei manuali di dyns, ma se quell'url non funziona da firefox non funzionerà mai nemmeno dal router

[fireblade]

Buon Giorno Forum,

Carini mi hai suggerito la strada giusta....

Nella documentazione di Dyns.cx è presente un documento che illustra il nuovo protocollo 1.1 di autenticazione al server che si differenzia anche se di poco dal 1.0 che compila l'SDM Cisco. Sarebbe da comunicare a Cisco la variazione in modo che possano variare la nuova release del SDM con i parametri giusti...

Ovvero

1.0 ha questa forma:

http://www.dyns.cx/postscript.php?usern ... worldofjoe

che rispondeva con 400 Bad request

Meaning: The URL was malformed, one of the required parameters was not supplied or the IP address you supplied in your request is invalid.

1.1 ha invece questa:

http://www.dyns.net/postscript011.php?u ... crusoe.com
e finalmente su firefox risponde bene

200 host miosito.xx.cx updated (xx.xx.xxx.xx)

Meaning: update was successful.

Questi i riferimenti se qualcuno fosse interessato ad usare questo servizio:

http://www.dyns.cx/documentation/techni ... l/v1.0.php

http://www.dyns.cx/documentation/techni ... l/v1.1.php

Ultima domanda:

Premessa la stringa per dyns.cx è stata fatta dall' SDM...

Mi dareste la dritta su come sostituire la stringa vecchia con quella nuova e se devo togliere anche quella con prefisso remove?

Grazie infinite Paolo