877 with 8 static IPs HELP!

@lan72
Cisco enlightened user
Posts: 157
Joined: Thu 22 May 2008, 4:36 pm
Location: Sicily

Hello everyone,
I need to configure an Alice Business Adaptive connection with 8 static IPs on a Cisco 877. I should say up front that I have some experience (thanks in part to this forum) with configurations on dynamic IPs; in fact my intention was to adapt my current config from a dynamic 857 to a static 877.

For a start, never having dealt with business lines, I don't understand what I'm supposed to do with 8 IPs. In theory I just need a simple home-style Internet line (it's just that this is the only one they sell to companies) that lets me browse.

Telecom left me a sheet that says:
Point-to-point IP 88.57.***.108
subnet 255.255.255.0
remote 88.57.***.254

LAN IP 94.83.***.145
subnet 255.255.255.248

available IPs 94.83.***.146 to 150
My dynamic config:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname C877
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable secret 5 *****************************
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
aaa session-id common
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-2397556458
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2397556458
revocation-check none
rsakeypair TP-self-signed-2397556458
!
!
crypto pki certificate chain TP-self-signed-2397556458
certificate self-signed 01
quit
!
!
!
ip cef
ip inspect log drop-pkt
ip inspect name Firewall cuseeme
ip inspect name Firewall dns
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall https
ip inspect name Firewall icmp
ip inspect name Firewall imap
ip inspect name Firewall pop3
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall esmtp
ip inspect name Firewall sqlnet
ip inspect name Firewall streamworks
ip inspect name Firewall tftp
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall vdolive
no ip bootp server
ip domain name MATRIX
ip name-server 85.37.17.39
ip name-server 85.38.28.71
ip ddns update method sdm_ddns1
HTTP
add http://*****:*****@members.dyndns.org/n ... h>&myip=<a>
remove http://*****:*****@members.dyndns.org/n ... h>&myip=<a>
!
!
!
!
username Admin privilege 15 secret 5 ************************
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode adsl2+
!
interface ATM0.1 point-to-point
description
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
description
!
interface FastEthernet1
description
!
interface FastEthernet2
description
!
interface FastEthernet3
description
!
!
interface Vlan1
description
no ip address
bridge-group 1
!
interface Dialer0
description
ip ddns update hostname *****.gotdns.com
ip ddns update sdm_ddns1
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip inspect Firewall out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer idle-timeout 3600 either
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username *****@alice.it password 7 *******************
!
interface BVI1
description Bridge Virtual Interface$FW_INSIDE$
ip address 192.168.0.221 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.211 80 interface Dialer0 80
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip any any
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit udp host 85.37.17.39 eq domain any
access-list 101 permit udp host 85.38.28.71 eq domain any
access-list 101 permit tcp host 204.13.248.112 eq www any log
access-list 101 permit udp host 207.46.232.182 eq ntp any
access-list 101 permit udp host 192.43.244.18 eq ntp any
access-list 101 permit tcp any any eq www
access-list 101 permit gre any any
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 permit ip any host 192.168.0.221
access-list 102 deny ip any host 192.168.0.255
access-list 102 deny udp any any eq tftp log
access-list 102 deny ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny udp any any eq 135 log
access-list 102 deny tcp any any eq 135 log
access-list 102 deny udp any any eq netbios-ns log
access-list 102 deny udp any any eq netbios-dgm log
access-list 102 deny tcp any any eq 445 log
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^C.::.::. Cisco Systems, Inc

Cisco 877 - IOS 124-15.T7

Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 100 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
sntp server 207.46.232.182
sntp server 192.43.244.18
end
I followed Wizard's config but it doesn't work for me..

http://www.ciscoforums.it/viewtopic.php?t=9410

I don't understand, do I have to put in the dialer???

And where do I enter the IPs they gave me in the config.. I need to configure this static IP like a home line, the only difference being that the external IP wouldn't change.


Can you give me a hand..

Thanks
share your knowledge

.::.::. Cisco867VAE [IOS:15.4.3.M6a|FW:35j23je]
francesco_savona
Cisco enlightened user
Posts: 129
Joined: Wed 01 Apr 2009, 9:58 am

This config is fine for PPPoE connections with the CHAP/PAP protocol.
You have an aal5snap connection with a point-to-point link and 8 fixed IPs.
1 for the gateway
1 for the NAT pool

This configuration you posted is not suitable.
-------------------------------------------------------
SAVONA FRANCESCO
CCNA
-------------------------------------------------------
@lan72

Thanks, but I didn't give up; I adapted this one, which now works..


service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname C877
!
boot-start-marker
boot-end-marker
!
logging exception 100000
logging count
logging userinfo
logging queue-limit 10000
logging buffered 150000 notifications
logging console critical
enable secret *****************************+
!
no aaa new-model
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
!
ip cef
!
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 300
ip inspect hashtable-size 2048
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 60
ip inspect name IDS tcp
ip inspect name IDS udp
ip inspect name IDS ftp
!
no ip bootp server
!
ip domain name ************
ip name-server 151.99.125.1
ip name-server 208.67.222.222
login block-for 1 attempts 3 within 30
login on-failure
login on-success
!
username Admin privilege 15 secret 5 ********************
archive
log config
hidekeys
!
ip tcp selective-ack
ip tcp window-size 2144
ip tcp synwait-time 10
!
interface Null0
no ip unreachables
!
interface ATM0
description Alice Buisiness 20 Mbps
mtu 1500
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description Interfaccia per accesso Internet
mtu 1500
ip address 88.57.***.*** 255.255.255.252
ip access-group 131 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip inspect IDS out
ip nat outside
ip virtual-reassembly
no ip mroute-cache
no snmp trap link-status
pvc 8/35
encapsulation aal5snap
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description Connessione LAN Virtuale
ip address 192.218.254.220 255.255.255.0
ip accounting output-packets
ip nat inside
ip virtual-reassembly
ip route-cache flow
no ip mroute-cache
hold-queue 100 out
!
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
no ip http server
no ip http secure-server
!
ip nat pool INTERNET 94.83.***.*** 94.83.***.*** netmask 255.255.255.248
ip nat inside source list 100 pool INTERNET overload
ip nat inside source static tcp 192.218.254.243 443 interface ATM0.1 443
!
access-list 100 remark *************************************************************
access-list 100 remark *** ACL FOR PAT AND NAT0 ***
access-list 100 permit ip 192.218.254.0 0.0.0.255 any
!
access-list 131 remark *************************************************************
access-list 131 remark *** ANTI-SPOOFING ACL ***
access-list 131 deny ip host 0.0.0.0 any log
access-list 131 deny ip 127.0.0.0 0.255.255.255 any log
access-list 131 deny ip 192.0.2.0 0.0.0.255 any log
access-list 131 deny ip 224.0.0.0 31.255.255.255 any log
access-list 131 deny ip 10.0.0.0 0.255.255.255 any log
access-list 131 deny ip 172.16.0.0 0.15.255.255 any log
access-list 131 deny ip 192.168.0.0 0.0.255.255 any log
access-list 131 remark *************************************************************
access-list 131 remark *** ACL TO CONTROL ICMP TRAFFIC ***
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 deny icmp any any
access-list 131 remark *************************************************************
access-list 131 remark *** ACL TO BLOCK ACCESS BY VIRUSES AND ATTACKS ***
access-list 131 deny tcp any any eq 135
access-list 131 deny udp any any eq 135
access-list 131 deny udp any any eq netbios-ns
access-list 131 deny udp any any eq netbios-dgm
access-list 131 deny tcp any any eq 139
access-list 131 deny udp any any eq netbios-ss
access-list 131 deny tcp any any eq 445
access-list 131 deny tcp any any eq 593
access-list 131 deny tcp any any eq 2049
access-list 131 deny udp any any eq 2049
access-list 131 deny tcp any any eq 2000
access-list 131 deny tcp any any range 6000 6010
access-list 131 deny udp any any eq 1433
access-list 131 deny udp any any eq 1434
access-list 131 deny udp any any eq 5554
access-list 131 deny udp any any eq 9996
access-list 131 deny udp any any eq 113
access-list 131 deny udp any any eq 3067
access-list 131 permit tcp any any eq 443
access-list 131 remark *************************************************************
access-list 131 remark *** ACL TO BLOCK UNAUTHORIZED ACCESS ***
access-list 131 deny ip any any log
!
control-plane
!
banner motd ^C
****************************************************************
----------------------------------------------------------------
* *** ROUTER PERIMETRALE ---- *** *
----------------------------------------------------------------
* WARNING: System is RESTRICTED to authorized personnel ONLY! *
* Unauthorized use of this system will be logged and *
* prosecuted to the fullest extent of the law. *
* *
* If you are NOT authorized to use this system, LOG OFF NOW! *
* *
****************************************************************
^C
!
line con 0
exec-timeout 120 0
login local
no modem enable
transport output ssh
stopbits 1
line aux 0
login local
transport output ssh
stopbits 1
line vty 0 4
exec-timeout 0 0
login local
transport input telnet ssh
transport output telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
sntp server 193.204.114.232
sntp server 193.204.114.233
sntp server 193.204.114.105
end




So now I can browse perfectly, but there are 2 things that still don't work..


1. From outside I can't ping the router, and then I set up forwarding of port 443 like this:

ip nat inside source static tcp 192.218.254.243 443 interface ATM0.1 443

but it doesn't work; what's more, I also opened the firewall...


Can you give me a hand..
share your knowledge

.::.::. Cisco867VAE [IOS:15.4.3.M6a|FW:35j23je]
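
Added example, not part of the original post or the thread: a small Python evaluator that walks a subset of the ACL 131 entries above in first-match order, to check whether the ACL itself would drop an inbound ping or TCP 443. The probe addresses are constructed documentation addresses standing in for the masked public IPs, and only numeric ports and ICMP type names are handled.

```python
from ipaddress import IPv4Address

# Subset of ACL 131 from the post above. IOS evaluates entries top-down; first match wins.
ACL_131 = """\
access-list 131 deny ip 192.0.2.0 0.0.0.255 any log
access-list 131 permit icmp any any echo
access-list 131 deny tcp any any eq 445
access-list 131 deny tcp any any range 6000 6010
access-list 131 permit tcp any any eq 443
access-list 131 deny ip any any log
"""
# Constructed probes; documentation addresses stand in for the masked public IPs.
PING = {"proto": "icmp", "src": "203.0.113.10", "dst": "198.51.100.2", "icmp_type": "echo"}
HTTPS = {"proto": "tcp", "src": "203.0.113.10", "dst": "198.51.100.2", "dport": 443}

def take_addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((base, wildcard), remaining tokens)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (int(IPv4Address(tok[1])), 0), tok[2:]
    return (int(IPv4Address(tok[0])), int(IPv4Address(tok[1]))), tok[2:]

def parse(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[2] not in ("permit", "deny"):
            continue  # remarks and blank lines carry no match criteria
        src, rest = take_addr(tok[4:])
        dst, rest = take_addr(rest)
        qual = [t for t in rest if t != "log"]  # destination-port or ICMP-type qualifier
        rules.append((line, tok[2], tok[3], src, dst, qual))
    return rules

def addr_ok(spec, ip):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(IPv4Address(ip)) | wild) == (base | wild)

def qual_ok(proto, qual, pkt):
    if not qual:
        return True
    if proto == "icmp":
        return pkt.get("icmp_type") == qual[0]
    if qual[0] == "eq":
        return pkt.get("dport") == int(qual[1])
    return qual[0] == "range" and int(qual[1]) <= pkt.get("dport", -1) <= int(qual[2])

def evaluate(rules, pkt):
    # Returns (action, matching entry); with no match the implicit deny applies.
    for line, action, proto, src, dst, qual in rules:
        if (proto in ("ip", pkt["proto"]) and addr_ok(src, pkt["src"])
                and addr_ok(dst, pkt["dst"]) and qual_ok(proto, qual, pkt)):
            return action, line
    return "deny", "implicit deny"

if __name__ == "__main__":
    for probe in (PING, HTTPS):
        print(probe["proto"], "->", evaluate(parse(ACL_131), probe))
```

With the entries as posted, both probes match a permit line before the final deny.
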
francesco_savona

Telecom filters the point-to-point link.
An IP of that type is not unusable.

The router is not pingable because you have to create the loopback interface and associate with it the default gateway from your contract.
-------------------------------------------------------
SAVONA FRANCESCO
CCNA
-------------------------------------------------------
@lan72

Could you give me an example..
share your knowledge

.::.::. Cisco867VAE [IOS:15.4.3.M6a|FW:35j23je]
francesco_savona

ip nat inside source static tcp private_ip private_port default_gateway_ip+1 public_port
-------------------------------------------------------
SAVONA FRANCESCO
CCNA
-------------------------------------------------------
@lan72

Hi, sorry, but is this for the ping or for the port forwarding..??


What I need, apart from the ping, is to port-forward from outside, from all IPs, port 443 to the internal local IP 192.218.254.243 on 443.
share your knowledge

.::.::. Cisco867VAE [IOS:15.4.3.M6a|FW:35j23je]
@lan72

I tried doing it like this but the port forwarding doesn't work:

ip nat inside source static tcp 192.218.254.243 443 public_ip 443
share your knowledge

.::.::. Cisco867VAE [IOS:15.4.3.M6a|FW:35j23je]
@lan72

The strange thing is that if I try to ping the public IP from the computer the router is connected to, ATM0.1 answers me; if I try from an Internet connection on another ADSL line, it doesn't even answer the ping..

Maybe it depends on this..

wizaaaard...
share your knowledge

.::.::. Cisco867VAE [IOS:15.4.3.M6a|FW:35j23je]
francesco_savona

OF COURSE..... ATM0.1 IS SHIELDED, TELECOM DOESN'T LET YOU SEE IT.
TRY REMOVING THE ACCESS-LIST FROM ATM0.1
I'LL SHOW YOU THAT IT WORKS

FROM THERE, RECHECK THE ACL, WHICH MUST BE CORRECT,
-------------------------------------------------------
SAVONA FRANCESCO
CCNA
-------------------------------------------------------
@lan72

So Francesco, I disabled the ACL and ip inspect on all interfaces but it still doesn't work.

What else can I do?
share your knowledge

.::.::. Cisco867VAE [IOS:15.4.3.M6a|FW:35j23je]
@lan72

Could it be that the mail server on the internal LAN (which I need to reach from outside) doesn't have this router's IP as its default gateway, even though it is in the same class?
share your knowledge

.::.::. Cisco867VAE [IOS:15.4.3.M6a|FW:35j23je]
francesco_savona

Certainly!!
-------------------------------------------------------
SAVONA FRANCESCO
CCNA
-------------------------------------------------------