I have a fibre line with Fastweb with 9 static IPs assigned, NATted onto the internal network.
On the internal network I have a VPN and Jabber server (192.168.1.2); I am running into a lot of problems, surely because something is being blocked! :P
In the NAT translation section there are port-timeout values; could those be what is affecting it?
On the server I use the protocols GRE, ESP, UDP port 500 and UDP port 1701.
I have not created any access list other than the primary one. If no access list were active, apart from the access list for the local network, are the packets blocked, or do they go straight to the NATted IP on the inside? Is the passage transparent, or do I have to apply other rules?
Do I have to change the timings? Do I have to specify the ports I use? Thanks and regards.
Here is my config:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SanvilR0
!
boot-start-marker
boot system flash:c2800nm-advipservicesk9-mz.124-15.T5.bin
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096
logging console critical
enable secret 5 $1$YMkk@sa5Y$fYSARsHZUJcqxddWa6w6T.
enable password 7 1511021F0722256573377038233971
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
aaa session-id common
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
!
ip cef
!
!
no ip bootp server
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
login block-for 30 attempts 3 within 10
!
multilink bundle-name authenticated
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username sanvil password 7 13510702075F4A672922372B83C
archive
log config
logging enable
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description collegamento fastweb
ip address 23.b.cc.56 255.255.255.0
ip verify unicast source reachable-via rx allow-default 100
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex full
speed 100
no mop enabled
!
interface FastEthernet0/1
description Collegamento alla LAN interna
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex full
speed auto
no cdp enable
no mop enabled
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 23.b.cc.1
!
!
no ip http server
no ip http secure-server
ip nat translation timeout 10
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 301
ip nat translation finrst-timeout 61
ip nat translation syn-timeout 50
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 10
ip nat translation port-timeout tcp 6346 5
ip nat translation port-timeout tcp 6347 5
ip nat translation port-timeout tcp 6348 5
ip nat translation port-timeout tcp 6349 5
ip nat translation port-timeout udp 6346 5
ip nat translation port-timeout udp 6347 5
ip nat translation port-timeout udp 6348 5
ip nat translation port-timeout udp 6349 5
ip nat translation port-timeout udp 137 5
ip nat translation port-timeout tcp 1214 5
ip nat translation port-timeout tcp 20 1000
ip nat translation port-timeout tcp 21 1000
ip nat translation port-timeout udp 20 1000
ip nat translation port-timeout udp 21 1000
ip nat translation port-timeout tcp 1001 1000
ip nat translation port-timeout tcp 1002 1000
ip nat translation port-timeout tcp 1724 1000
ip nat translation port-timeout tcp 1726 1000
ip nat pool natpool 23.b.cc.58 23.b.cc.58 netmask 255.255.255.0
ip nat inside source list 1 pool natpool overload
ip nat inside source static 192.168.1.10 93.bb.cc.dd
ip nat inside source static 192.168.1.2 93.bb.cc.dd
ip nat inside source static 192.168.1.3 93.bb.cc.dd
ip nat inside source static 192.168.1.4 93.bb.cc.dd
ip nat inside source static 192.168.1.5 93.bb.cc.dd
ip nat inside source static 192.168.1.6 93.bb.cc.dd
ip nat inside source static 192.168.1.7 93.bb.cc.dd
ip nat inside source static 192.168.1.8 93.bb.cc.dd
ip nat inside source static 192.168.1.9 93.bb.cc.dd
!
!
logging trap debugging
logging facility local2
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp run
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^C^C
!
line con 0
exec-timeout 5 0
password 7 09185E19155656805911021F00725
logging synchronous
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
password 7 055F16166F2D1777F000A1000016141D
login authentication local_auth
transport input telnet
!
scheduler allocate 20000 1000
!
end
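As an added example (not from the post, and not Cisco or Fastweb code), a small Python script that reads the NAT-related lines of the posted config and reports, for a given inside host and protocol, whether it is statically mapped (static 1:1 entries never age out, so the port-timeout and udp-timeout values cannot be what affects 192.168.1.2, and with no inbound access-group on FastEthernet0/0 every port of a static host is reachable from outside) or which translation timer applies to a dynamically translated host. The inside host 192.168.1.20 used in the checks and the IOS default timer values are assumptions; the script does not evaluate access-list 1 membership.

```python
import re

# Excerpt of the NAT-related lines from the posted running config (addresses as posted).
CONFIG = """\
ip nat translation timeout 10
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 301
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 10
ip nat translation port-timeout udp 137 5
ip nat translation port-timeout tcp 21 1000
ip nat pool natpool 23.b.cc.58 23.b.cc.58 netmask 255.255.255.0
ip nat inside source list 1 pool natpool overload
ip nat inside source static 192.168.1.2 93.bb.cc.dd
access-list 1 permit 192.168.1.0 0.0.0.255
"""

# IOS default timers in seconds, used when the config does not set one (assumed defaults).
DEFAULTS = {"timeout": 86400, "tcp-timeout": 86400, "udp-timeout": 300,
            "icmp-timeout": 60, "dns-timeout": 60}

def parse_nat(config):
    """Collect static 1:1 mappings, dynamic (ACL + pool) rules and translation timers."""
    nat = {"static": {}, "dynamic": [], "timeouts": {}, "port_timeouts": {}}
    for line in config.splitlines():
        if m := re.match(r"ip nat inside source static (\S+) (\S+)", line):
            nat["static"][m[1]] = m[2]                      # inside local -> inside global
        elif m := re.match(r"ip nat inside source list (\S+) pool (\S+)( overload)?", line):
            nat["dynamic"].append((m[1], m[2], bool(m[3])))  # (acl, pool, overload?)
        elif m := re.match(r"ip nat translation port-timeout (tcp|udp) (\d+) (\d+)", line):
            nat["port_timeouts"][(m[1], int(m[2]))] = int(m[3])
        elif m := re.match(r"ip nat translation ([\w-]*timeout) (\d+)", line):
            nat["timeouts"][m[1]] = int(m[2])
    return nat

def effective_timeout(nat, inside_ip, proto, port=None):
    """Return (timer name, seconds) governing a flow from inside_ip.
    Static 1:1 entries are permanent, so no timer applies to a statically mapped host."""
    if inside_ip in nat["static"]:
        return ("static", None)
    if not nat["dynamic"]:                                   # ACL membership not evaluated
        return ("not translated", None)
    if (proto, port) in nat["port_timeouts"]:
        return (f"port-timeout {proto} {port}", nat["port_timeouts"][(proto, port)])
    if proto == "udp" and port == 53:
        key = "dns-timeout"
    elif proto in ("tcp", "udp", "icmp"):
        key = f"{proto}-timeout"
    else:                     # GRE/ESP carry no port: generic timer (assumption for PAT)
        key = "timeout"
    return (key, nat["timeouts"].get(key, DEFAULTS[key]))

def exposed_hosts(nat):
    """Inside hosts reachable from outside on every port through static 1:1 NAT."""
    return sorted(nat["static"])
```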