Hi,
I'm asking for help again: I managed to get the Cisco 877 working by configuring it for Alice Business 20M, and now the PCs on the LAN can browse. How do I NAT some ports, for example port 25, to an internal IP (mail server on the LAN), and how do I enable the firewall?
I'm posting my configuration (I'm a beginner with Cisco).
Thanks
!This is the running config of the router: 192.168.0.252
!----------------------------------------------------------------------------
!version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname firewall2
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable secret 5 $1$TPem$q3AxQZfhowifOqTBoJ4ii1
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-1578641142
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1578641142
revocation-check none
rsakeypair TP-self-signed-1578641142
!
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
!
crypto pki certificate chain TP-self-signed-1578641142
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31353738 36343131 3432301E 170D3032 30333031 30313531
34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35373836
34313134 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A3F2 D3681E36 1DDB9FC5 7947C695 4AD711DE 24BC63D2 F36CD4A9 3DB6095E
41E127E2 6A9A5274 527054CE C45A0FC2 8DE87569 596EA8D1 6F5DEC1D FE13A58B
FE3EFB86 9DE57550 ED8880FE 67E320D7 EFF5C3B1 FC229E1C 7BBE5C8F C95A8FB1
42F54A1D B1996DAD B4A11B4A DA1BC583 8CA92691 A6ECE8FF E87B9AA1 6DE7B636
0AB50203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
301F0603 551D2304 18301680 14B8BC39 12B6C38F ECFDEF73 FAC7DE95 62F05350
D7301D06 03551D0E 04160414 B8BC3912 B6C38FEC FDEF73FA C7DE9562 F05350D7
300D0609 2A864886 F70D0101 04050003 8181004F 8F01A928 2BD127A5 051D0B7E
3C9E9E8D EE7494FE C5380EFF 9797B6C9 3585BE9D E8A7A93C 214704CD 954BE760
14F39EBE 243C00B9 CBFCCD9E E78A18E0 C9C5CBDF 5400DDF1 399B5546 3495AA78
5A4EFC50 7BEB61E1 418BF6D3 E4E61106 2F91D94B 144A87A6 F152F6EB D1CE4EF2
78B32D04 8F99C4EB 59ABADC8 582CB526 D0A34E
quit
crypto pki certificate chain tti
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address *.*.*.*
ip dhcp excluded-address *.*.*.*
!
ip dhcp pool sdm-pool
import all
network *.*.*.* 255.255.255.252
default-router *.*.*.*
lease 0 2
!
!
no ip domain lookup
ip domain name prova
!
!
username demo privilege 15 secret 5 $1$M69e$T3Li2dWEvzFxT.LEfQ.c5/
!
!
archive
log config
hidekeys
!
!
!
class-map type inspect match-all sdm-nat-smtp-1
match access-group 102
match protocol smtp
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
class-map type inspect match-all sdm-invalid-src
match access-group 101
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-smtp-1
inspect
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class class-default
policy-map type inspect sdm-permit
class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
interface Loopback0
description INTERFACCIA VIRTUALE END_POINT
ip address *.*.*.* 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode adsl2+
!
interface ATM0.1 point-to-point
description INTERFACCIA ACCESSO INTERNET$FW_OUTSIDE$$ES_WAN$
ip address *.*.*.* 255.255.255.252
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nat outside
ip virtual-reassembly
zone-member security out-zone
no ip mroute-cache
pvc 8/35
encapsulation aal5snap
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description CONNESSIONE LAN$FW_INSIDE$
ip address *.*.*.* 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nat inside
ip virtual-reassembly
zone-member security in-zone
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1452
hold-queue 100 out
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool INTERNET *.*.*.* *.*.*.* netmask 255.255.255.252
ip nat inside source list 100 pool INTERNET overload
!
access-list 100 remark *************************************
access-list 100 remark ** acl per pat e nat0 **
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip *.*.*.* 0.0.0.3 any
access-list 101 permit tcp any any eq smtp
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.0.6
access-list 131 remark ***********************************
access-list 131 remark *** ACL ANTI-SPOOFING **
access-list 131 deny ip host 0.0.0.0 any log
access-list 131 deny ip 192.0.2.0 0.0.0.255 any log
access-list 131 deny ip 224.0.0.0 31.255.255.255 any log
access-list 131 deny ip any any log
access-list 131 remark ************************************
access-list 131 remark ** ACL PER CONTROLLO TRAFFICO ICMP **
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 deny icmp any any
access-list 131 remark ********************************************
access-list 131 remark ** ACL BLOCCO ACCESSO VIRUS E ATTACCHI **
access-list 131 deny tcp any any eq 135
access-list 131 deny udp any any eq 135
access-list 131 deny udp any any eq netbios-ns
access-list 131 deny udp any any eq netbios-dgm
access-list 131 deny tcp any any eq 139
access-list 131 deny udp any any eq netbios-ss
access-list 131 deny tcp any any eq 445
access-list 131 deny tcp any any eq 593
access-list 131 deny tcp any any eq 2049
access-list 131 deny udp any any eq 2049
access-list 131 deny tcp any any eq 2000
access-list 131 deny tcp any any range 6000 6010
access-list 131 deny udp any any eq 1433
access-list 131 deny udp any any eq 1434
access-list 131 deny udp any any eq 5554
access-list 131 deny udp any any eq 9996
access-list 131 deny udp any any eq 113
access-list 131 deny udp any any eq 3067
access-list 131 remark ***********************************************
access-list 131 remark ** ACL BLOCCO ACCESSI NON AUTORIZZATI **
no cdp run
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
banner motd ^CC
************************************************************
------------------------------------------------------------
* *** ROUTER PERIMETRALE ---- *** *
------------------------------------------------------------
* WARNING : System is RESTRICTED to authorized personnel ONLY! *
* Unauthorized use of this system will be logged and *
* prosecuted to the fullest extent of the law. *
**
* If you are NOT authorized to use this system, LOG OFF NOW! *
**
****************************************************************
^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
login local
length 0
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
sntp server 193.204.114.232
sntp server 193.204.114.233
sntp server 193.204.114.105
end
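The two things the post asks for, written out as an added example that is not part of the original post or of the posted router configuration: the static port translation that sends inbound TCP/25 to the mail server, and the zone-based firewall pieces that let that session through. It assumes the mail server is 192.168.0.6 (the host named in access-list 102), that the public address to publish is the one configured on ATM0.1, and it keeps the zone, class and policy names the posted configuration already uses. Section 3 goes beyond the question: it fixes a line in access-list 101 that, as posted, would drop the mail server's own outbound mail.

```cisco
! Added example, not from the original post. Cisco IOS 12.4 on a Cisco 877.
! Assumptions: mail server = 192.168.0.6 (host named in access-list 102),
! public address = the one configured on ATM0.1, service = SMTP on TCP/25.

! --- 1. Port forward (static PAT) ------------------------------------------
! Inbound TCP/25 to the ATM0.1 address is translated to 192.168.0.6:25.
! This coexists with the existing dynamic rule
! "ip nat inside source list 100 pool INTERNET overload": the static entry
! wins for port 25, everything else from the LAN keeps using the pool.
ip nat inside source static tcp 192.168.0.6 25 interface ATM0.1 25

! --- 2. Firewall (zone-based, out-zone -> in-zone) -------------------------
! On the NAT-outside interface the outside-to-inside translation happens
! before the zone policy sees the packet, so the class must match the
! PRIVATE destination: that is why access-list 102 names 192.168.0.6.
! These objects already exist in the posted config and are repeated here
! only to make the class-default action explicit: SMTP to the mail server
! is inspected, every other unsolicited inbound session is dropped.
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 102
 match protocol smtp
!
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-smtp-1
  inspect
 class class-default
  drop
!
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1

! --- 3. Let the mail server's OWN outbound SMTP out -------------------------
! As posted, access-list 101 ends with "permit tcp any any eq smtp" and is
! the match of class sdm-invalid-src, whose action in policy sdm-inspect
! (zone-pair in-zone -> out-zone) is "drop log". That drops every SMTP
! session from the LAN to the Internet, including the mail server's own
! deliveries. Numbered ACLs only append, so the list must be rebuilt;
! the mail server is exempted with a "deny" (in an ACL used by a class-map,
! deny means "not matched by this class", not "blocked").
no access-list 101
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
! re-enter here the posted "permit ip <your public /30> 0.0.0.3 any" line
access-list 101 deny tcp host 192.168.0.6 any eq smtp
access-list 101 permit tcp any any eq smtp

! --- 4. Verify -------------------------------------------------------------
! show ip nat translations | include :25
! show policy-map type inspect zone-pair sdm-zp-NATOutsideToInside-1 sessions
! show policy-map type inspect zone-pair sdm-zp-in-out
```

Two further points a reader of the posted configuration should check. Access-list 131, the anti-spoofing and port-blocking list, is never applied to an interface, and its line `deny ip any any log` comes before all of its `permit` entries, so if it were applied inbound on ATM0.1 with `ip access-group 131 in` it would block all inbound traffic; the entries after that line are dead. The management plane is also exposed in clear text: `transport input telnet ssh` on the vty lines and `ip http server` with `no ip http secure-server` mean the `demo` credentials can be captured on the wire; restricting the vty lines to `transport input ssh` and enabling `ip http secure-server` (the router already has a self-signed trustpoint) closes that.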
Cisco 877 configuration
Search the forum, there are dozens of topics explaining in every possible language how to do NAT on a router.
Thank you for the kind reply.