Access List & NAT

Everything to do with configuring Cisco devices (that doesn't fall into the other categories)

Moderator: Federico.Lagni

alfnetx
Cisco fan
Posts: 55
Joined: Fri 28 Nov 2008, 3:35 pm

Hi everyone, can you explain to me where these logs come from and whether they can affect the correct working of the NAT configured for P2P?
I should say that, as it stands, the client shows the green dot (OK) for NAT, so presumably I shouldn't be limited.

Code:

Dec 16 11:01:15.643: %SEC-6-IPACCESSLOGP: list 101 denied udp 88.116.102.182(59192) -> 151.23.130.182(1755), 1 packet
Dec 16 11:01:16.787: %SEC-6-IPACCESSLOGP: list 101 denied udp 58.152.239.120(21000) -> 151.23.130.182(1755), 1 packet
Dec 16 11:01:18.955: %SEC-6-IPACCESSLOGP: list 101 denied udp 88.4.51.110(24406) -> 151.23.130.182(1755), 1 packet
Dec 16 11:01:20.267: %SEC-6-IPACCESSLOGP: list 101 denied udp 84.212.227.223(16583) -> 151.23.130.182(1755), 1 packet
Dec 16 11:01:21.443: %SEC-6-IPACCESSLOGP: list 101 denied udp 79.107.71.161(1970) -> 151.23.130.182(1755), 1 packet
Dec 16 11:01:22.923: %SEC-6-IPACCESSLOGP: list 101 denied udp 83.25.63.177(48203) -> 151.23.130.182(1755), 1 packet
The TCP/UDP port used by my p2p client is 1755, and the only PC doing p2p is 192.168.1.3

This is the configuration... if someone could take a look and tell me whether anything important is missing, I'd be grateful.

ps: for now I haven't put any protection on the wifi... I'll do it later.

Code:

!
hostname CiscoNet
!
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-22.T.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
enable password xxxx
!
no aaa new-model
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
dot11 syslog
dot11 vlan-name WiFi vlan 1
!
dot11 ssid WIFI
 vlan 1
 authentication open 
 guest-mode
!
dot11 ssid WIFI_DMZ
 vlan 2
 authentication open 
!
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 10.2.88.1
ip dhcp excluded-address 10.2.88.254
ip dhcp excluded-address 192.168.1.254
ip dhcp excluded-address 10.1.88.1
ip dhcp excluded-address 10.1.88.254
!
ip dhcp pool Pool1
   import all
   network 10.1.88.0 255.255.255.0
   default-router 10.1.88.1 
   dns-server 208.67.222.222 208.67.220.220 
   lease infinite
!
ip dhcp pool Pool2
   import all
   network 10.2.88.0 255.255.255.0
   default-router 10.2.88.1 
   dns-server 208.67.222.222 208.67.220.220 
   lease infinite
!
ip dhcp pool client
   network 192.168.1.0 255.255.255.0
   dns-server 208.67.222.222 208.67.220.220 
   default-router 192.168.1.1 
   lease infinite
!
ip dhcp pool mio
   host 192.168.1.3 255.255.255.0
   client-identifier 0100.1921.c922.ed
   lease infinite

!
ip cef
ip domain name libero.it
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip inspect log drop-pkt
ip inspect name Firewall cuseeme
ip inspect name Firewall dns
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall https
ip inspect name Firewall icmp
ip inspect name Firewall imap
ip inspect name Firewall pop3
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall esmtp
ip inspect name Firewall sqlnet
ip inspect name Firewall streamworks
ip inspect name Firewall tftp
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall vdolive
ip ddns update method DynDNS
 HTTP
  add http://xxx:[email protected]/nic/updatesystem=dyndns&hostname=nomedelmiohost&myip=<a>
 interval maximum 28 0 0 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
!
!
username xxx privilege 15 secret 5 yyyyy
! 
!
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35 
  pppoe-client dial-pool-number 1
 !
 bundle-enable
 dsl operating-mode adsl2+ 
!
interface FastEthernet0
 switchport access vlan 100
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 ssid WIFI
 !
 ssid WIFI_DMZ
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 world-mode dot11d country IT both
 l2-filter bridge-group-acl
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no cdp enable
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface Vlan1
 no ip address
 ip tcp adjust-mss 1452
 no autostate
 bridge-group 1
!
interface Vlan2
 no ip address
 ip tcp adjust-mss 1452
 no autostate
 bridge-group 2
!
interface Vlan100
 no ip address
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no autostate
 bridge-group 3
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 ip mtu 1492
 ip nat outside
 ip inspect Firewall out
 ip virtual-reassembly
 encapsulation ppp
 ip tcp header-compression
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxx
 ppp chap password 0 xxxxx 
 ppp pap sent-username xxxx password 0 xxxxx 
!
interface Dialer1
 no ip address
!
interface BVI1
 ip address 10.1.88.1 255.255.255.0
 ip access-group 102 in       ------------------> not defined yet for now
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface BVI2
 ip address 10.2.88.1 255.255.255.0
 ip access-group DMZ in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface BVI3
 ip address 192.168.1.1 255.255.255.0
 ip access-group 102 in          ------------------> not defined yet for now
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
no ip http secure-server
!
!
ip nat translation timeout 600
ip nat translation tcp-timeout 1200
ip nat translation udp-timeout 30
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat translation max-entries 2500
ip nat inside source static udp 192.168.1.3 1755 interface Dialer0 1755
ip nat inside source static tcp 192.168.1.3 1755 interface Dialer0 1755
ip nat inside source static udp 192.168.1.3 4672 interface Dialer0 4672
ip nat inside source static tcp 192.168.1.3 4662 interface Dialer0 4662
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 103 interface Dialer0 overload
!
ip access-list extended DMZ
 deny   ip 10.2.88.0 0.0.0.255 10.1.88.0 0.0.0.255 log
 deny   ip 10.2.88.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 permit ip any any
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark *** ACL PER PAT E NAT ***
access-list 1 permit 10.1.88.0 0.0.0.255
access-list 1 permit 10.2.88.0 0.0.0.255
access-list 101 remark Traffico abilitato ad entrare nel router da internet
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 198.18.0.0 0.1.255.255 any
access-list 101 deny   ip 224.0.0.0 0.15.255.255 any
access-list 101 deny   ip any host 255.255.255.255
access-list 101 permit udp host 208.67.222.222 eq domain any
access-list 101 permit tcp host 63.208.196.96 eq www any log
access-list 101 permit udp host 207.46.232.42 eq ntp any
access-list 101 permit udp host 192.43.244.18 eq ntp any
access-list 101 permit gre any any
access-list 101 deny   icmp any any echo
access-list 101 deny   ip any any log
access-list 101 permit udp host 208.67.220.220 eq domain any
access-list 101 permit udp host 207.46.197.32 eq ntp any
access-list 101 permit tcp any host 192.168.1.3 eq 4662
access-list 101 permit udp any host 192.168.1.3 eq 4672
access-list 101 permit tcp any host 192.168.1.3 eq 1755
access-list 101 permit udp any host 192.168.1.3 eq 1755
access-list 103 remark *** ACL PER NAT DMZ ***
access-list 103 permit ip 10.2.88.0 0.0.0.255 any
access-list 700 permit 0014.daaf.cbf4   0000.0000.0000
access-list 700 permit 0016.6f3d.1f93   0000.0000.0000
access-list 700 permit 000c.f607.306f   0000.0000.0000
access-list 700 permit 001d.d939.0ad4   0000.0000.0000
access-list 700 deny   0000.0000.0000   ffff.ffff.ffff
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
bridge 3 protocol ieee
bridge 3 route ip

!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password xxxxx
 login
 transport input telnet ssh
!
scheduler max-task-time 5000
sntp server 192.43.244.18
end
Thanks everyone.
berni_n1
Cisco fan
Posts: 52
Joined: Sun 14 Oct 2007, 4:26 pm
Location: Verona

Hi,

there's one thing I didn't get: is the p2p working for you now or not?
And can you browse the internet with this configuration?

Anyway, the log comes from the acl:

access-list 101 deny ip any any log

so the acls that follow it:

access-list 101 permit udp host 208.67.220.220 eq domain any
access-list 101 permit udp host 207.46.197.32 eq ntp any
access-list 101 permit tcp any host 192.168.1.3 eq 4662
access-list 101 permit udp any host 192.168.1.3 eq 4672
access-list 101 permit tcp any host 192.168.1.3 eq 1755
access-list 101 permit udp any host 192.168.1.3 eq 1755

should not get any matches, since the one before them denies every kind of ip traffic; you can check this, though, with the command:

sh access-list 101

Bye
Impossible Is Nothing
-CCNA-
Scruffy
Cisco fan
Posts: 41
Joined: Sat 06 Dec 2008, 2:49 pm

hi, I should say I've only been fiddling with Cisco gear for 1 day; but from the little I've understood, the access list you need to open is 102 as well as 101;

Try changing it like this:

access-list 101 permit any host 192.168.1.3 eq 1755

and also

access-list 102 permit any host 192.168.1.3 eq 1755

because the range you have on the lan, 192.168.1.1, belongs to acl 102 :)

to save time, I opened everything :)
alfnetx
Cisco fan
Posts: 55
Joined: Fri 28 Nov 2008, 3:35 pm

berni_n1 wrote: Hi,

there's one thing I didn't get: is the p2p working for you now or not?
And can you browse the internet with this configuration?

Anyway, the log comes from the acl:

access-list 101 deny ip any any log

so the acls that follow it:

access-list 101 permit udp host 208.67.220.220 eq domain any
access-list 101 permit udp host 207.46.197.32 eq ntp any
access-list 101 permit tcp any host 192.168.1.3 eq 4662
access-list 101 permit udp any host 192.168.1.3 eq 4672
access-list 101 permit tcp any host 192.168.1.3 eq 1755
access-list 101 permit udp any host 192.168.1.3 eq 1755

should not get any matches, since the one before them denies every kind of ip traffic; you can check this, though, with the command:

sh access-list 101

Bye
Yes, everything works, Internet and P2P; I just can't explain why those accesses on port 1755 get blocked (that's the port configured in the Azureus client and opened at both the acl and NAT level).

I'll also try Scruffy's suggestion... I think he's got it.
I'll let you know
berni_n1
Cisco fan
Posts: 52
Joined: Sun 14 Oct 2007, 4:26 pm
Location: Verona

The ACL 101 entry he pointed you to, which is already among yours:

access-list 101 permit any host 192.168.1.3 eq 1755

has to go before the deny any any log, otherwise it isn't taken into consideration...

ACLs are evaluated in sequential order: if you put a deny any any, all packets get blocked and all the acl entries placed below it are never considered.
Impossible Is Nothing
-CCNA-
alfnetx
Cisco fan
Posts: 55
Joined: Fri 28 Nov 2008, 3:35 pm

With the acls set up like this

Code:

access-list 101 remark Traffico abilitato ad entrare nel router da internet 
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any 
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any 
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any 
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any 
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any 
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any 
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any 
access-list 101 deny   ip 198.18.0.0 0.1.255.255 any 
access-list 101 deny   ip 224.0.0.0 0.15.255.255 any 
access-list 101 deny   ip any host 255.255.255.255 
access-list 101 permit udp host 208.67.222.222 eq domain any 
access-list 101 permit tcp host 63.208.196.96 eq www any
access-list 101 permit udp host 207.46.232.42 eq ntp any 
access-list 101 permit udp host 192.43.244.18 eq ntp any   
access-list 101 permit udp host 208.67.220.220 eq domain any 
access-list 101 permit udp host 207.46.197.32 eq ntp any 
access-list 101 permit gre any any
access-list 101 permit tcp any host 192.168.1.3 eq 4662 
access-list 101 permit udp any host 192.168.1.3 eq 4672 
access-list 101 permit tcp any host 192.168.1.3 eq 1755 
access-list 101 permit udp any host 192.168.1.3 eq 1755 
access-list 101 permit ip any host 192.168.1.3
access-list 101 deny ip any any log
access-list 101 deny   icmp any any echo
I keep logging the same blocks on 1755 and, to be precise, the p2p client tells me I have no remote connections; in practice I establish connections but don't accept any, i.e. I don't let remote clients contact me.

Now, however, these show up too:

Code:

Dec 17 23:29:18.625: %SYS-2-LINKED: Bad enqueue of 84060974 in queue 8385C274 -Process= "<interrupt level>", ipl= 6,  -Traceback= 0x808DA290 0x80023D28 0x81953028 0x80332BE0 0x80E165B4 0x81414CFC 0x81415364 0x81415C6C 0x8141750C 0x80C3A2C4 0x80C3AAF8 0x80C3A2C4 0x80C3A4D0 0x80069BD0 0x8006B6FC 0x801D6A48
Dec 17 23:29:18.625: %SYS-2-LINKED: Bad enqueue of 8405FA44 in queue 8385C274 -Process= "<interrupt level>", ipl= 6,  -Traceback= 0x808DA290 0x80023D28 0x81953028 0x80332BE0 0x80E170BC 0x80E18A54 0x809F33CC 0x80068E40 0x8006B6FC 0x801D6A48 0x80088C1C 0x80369148 0x8008590C 0x8008590C 0x80369208 0x8036C690
Dec 17 23:29:22.005: %SYS-2-LINKED: Bad enqueue of 850D325C in queue 8385C274 -Process= "<interrupt level>", ipl= 6,  -Traceback= 0x808DA290 0x80023D28 0x81953028 0x80332BE0 0x80E165B4 0x81414CFC 0x81415364 0x81415C6C 0x8141750C 0x80C3A2C4 0x80C3AAF8 0x80C3A2C4 0x80C3A4D0 0x80069BD0 0x8006B6FC 0x801D6A48
Dec 17 23:29:22.009: %SYS-2-LINKED: Bad enqueue of 857E448C in queue 8385C274 -Process= "<interrupt level>", ipl= 6,  -Traceback= 0x808DA290 0x80023D28 0x81953028 0x80332BE0 0x80E170BC 0x80E18A54 0x809F33CC 0x80068E40 0x8006B6FC 0x801D6A48 0x80088C1C 0x80369148 0x8008590C 0x8008590C 0x80369208 0x81107340
Dec 17 23:29:24.337: %SYS-2-LINKED: Bad enqueue of 838D56D0 in queue 8385C274 -Process= "<interrupt level>", ipl= 6,  -Traceback= 0x808DA290 0x80023D28 0x81953028 0x80332BE0 0x80E165B4 0x81414CFC 0x81415364 0x81415C6C 0x8141750C 0x80C3A2C4 0x80C3AAF8 0x80C3A2C4 0x80C3A4D0 0x80069BD0 0x8006B6FC 0x801D6A48
I'm starting to get tired....
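Reading the log lines against the ACL explains why reordering alone does not stop them (added illustration; the code is mine, not from the thread). On IOS an inbound ACL on the NAT outside interface is evaluated before the static translation rewrites the destination, so the packets in the log still carry the public destination 151.23.130.182 and can only ever fall through to the "deny ip any any log" entry, whichever order the "host 192.168.1.3" permits are in. The model below reimplements IOS first-match evaluation over an abridged copy of the reordered ACL 101 and one of the logged packets (constructed from the thread's own line); the port names and wildcard handling are the IOS ones.

```python
import ipaddress
import re

def _addr(tok):
    # Consume one IOS address spec: any | host A | A WILDCARD (a wildcard is an ipaddress hostmask).
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(tok.pop(0) + "/32" if t == "host" else t + "/" + tok.pop(0))

def _port(tok):
    # Consume an optional 'eq PORT' (number or one of the IOS names used in the thread); None = any port.
    if not tok or tok[0] != "eq":
        return None
    _, name = tok.pop(0), tok.pop(0)
    return {"domain": 53, "ntp": 123, "www": 80}.get(name) or int(name)

def parse_ace(line):
    """Parse 'access-list N action proto SRC [eq P] DST [eq P] [log]' into a dict."""
    t = line.split()
    ace, rest = {"action": t[2], "proto": t[3], "text": " ".join(t[2:])}, t[4:]
    ace["src"], ace["sport"] = _addr(rest), _port(rest)
    ace["dst"], ace["dport"] = _addr(rest), _port(rest)
    return ace

def first_match(acl, proto, src, sport, dst, dport):
    """IOS first-match semantics: the first matching ACE decides; no match is the implicit deny."""
    for ace in acl:
        proto_ok = ace["proto"] in ("ip", proto)
        addr_ok = ipaddress.ip_address(src) in ace["src"] and ipaddress.ip_address(dst) in ace["dst"]
        port_ok = ace["sport"] in (None, sport) and ace["dport"] in (None, dport)
        if proto_ok and addr_ok and port_ok:
            return ace["action"], ace["text"]
    return "deny", "implicit deny"

# The reordered ACL 101 from the post above (permits ahead of the final deny), abridged to four ACEs.
ACL_101 = [parse_ace(ln) for ln in """
access-list 101 permit udp host 208.67.222.222 eq domain any
access-list 101 permit tcp any host 192.168.1.3 eq 1755
access-list 101 permit udp any host 192.168.1.3 eq 1755
access-list 101 deny ip any any log
""".strip().splitlines()]

def evaluate_log_line(line, acl=ACL_101):
    # Re-run the packet described by a %SEC-6-IPACCESSLOGP line through the ACL.
    proto, src, sport, dst, dport = re.search(r"denied (\w+) ([\d.]+)\((\d+)\) -> ([\d.]+)\((\d+)\)", line).groups()
    return first_match(acl, proto, src, int(sport), dst, int(dport))

# Constructed from the thread's first log line: the destination is the public 151.23.130.182 (the inbound
# ACL on Dialer0 sees the packet before the static NAT rewrites it), so no 'host 192.168.1.3' permit matches.
LOGGED = "%SEC-6-IPACCESSLOGP: list 101 denied udp 88.116.102.182(59192) -> 151.23.130.182(1755), 1 packet"
print(evaluate_log_line(LOGGED))                                                   # deny ip any any log
print(first_match(ACL_101, "udp", "88.116.102.182", 59192, "192.168.1.3", 1755))  # permit (post-NAT view)
```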
Scruffy
Cisco fan
Posts: 41
Joined: Sat 06 Dec 2008, 2:49 pm

access-list 102 permit any host 192.168.1.3 eq 1755
try adding this one too. then, as the others said, put the permits first and then the denies
berni_n1
Cisco fan
Posts: 52
Joined: Sun 14 Oct 2007, 4:26 pm
Location: Verona

What Scruffy says is true too!

If you apply ACL 102 and don't specify any acl, the default one is used, which is deny ip any any....

So either you put in the acl as he told you, or you don't apply ACL 102 to the interface, and we'll see if it still gets blocked.....
Impossible Is Nothing
-CCNA-