I'm back after a long time to ask you for a little help with a strange problem that recently showed up on a Cisco 877 router.
At the urging of a very dear friend of mine, whom I help out with networking and sysadmin stuff in general, I enabled CBAC, i.e. the IOS firewall.
His main need is to use URL filtering and, secondarily, to sleep reasonably soundly knowing that his nice LAN has at least a minimum of protection from the outside.
Let me say up front that this router is the hub of a dual VPN to which two other 877s at two different sites connect, and that I use SDM for the configuration (don't hold it against me

But up to that point everything was fine, everything works like a charm (thanks in part to a fix Wizard made back then, for which I'll never stop thanking him. He opened my eyes to that damned MTU value).
The big problem came up when I enabled CBAC.
In short, after associating the SDM_HIGH acl with ATM0.1 in the OUT direction, the two or three essential sites this company uses for some of its work (written in Java) stop working (let's say not all the menus are displayed, and some pages with FRAMEs only half work), and if you try to download a Java version from the site of the same name, the download never finishes, i.e. the remaining time grows to infinity. In short, it just doesn't download.
Looking around here and there on this forum and on the English one, I saw that there's the option of disabling inspection on the http-java protocol, but I haven't quite understood how to implement it on my router, also because SDM lists every protocol but there's no sign of JAVA, so I assume the change has to be made from the command line.
I'm posting the (partial) config so you can see how it's structured:
IOS version 12.4(6)T7
SDM version 2.3.4
ip inspect log drop-pkt
ip inspect alert-off
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH http urlfilter
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
no ip ips sdf builtin
no ip ips notify log
ip urlfilter source-interface ATM0.1
ip urlfilter allow-mode on
ip urlfilter audit-trail
ip urlfilter urlf-server-log
!
appfw policy-name SDM_HIGH
  application im aol
    service default action reset alarm
    service text-chat action reset alarm
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action reset alarm
    service text-chat action reset alarm
    server deny name messenger.hotmail.com
    server deny name gateway.messenger.hotmail.com
    server deny name webmessenger.msn.com
    audit-trail on
  application http
    content-type-verification match-req-rsp action allow alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action reset alarm
  application im yahoo
    service default action reset alarm
    service text-chat action reset alarm
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name messenger.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny name csa.yahoo.com
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
    audit-trail on
This is the ATM:
interface ATM0.1 point-to-point
 description IP Esterno$ES_WAN$$FW_OUTSIDE$
 ip address IP PUBLICO 255.255.255.248
 ip access-group 106 in
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 no snmp trap link-status
 pvc 8/35
  encapsulation aal5snap
and the Vlan:
interface Vlan1
 description IP Interno$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 108 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
And this is the access list:
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit IP PUBLICO
access-list 2 permit 192.168.2.0
access-list 2 permit IP PUBLICO
access-list 2 permit 194.184.64.129
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.1 eq telnet
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq telnet
access-list 103 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.1 eq 22
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 22
access-list 103 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.1 eq www
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq www
access-list 103 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.1 eq 443
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 443
access-list 103 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.1 eq cmd
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq cmd
access-list 103 deny tcp any host 192.168.1.1 eq telnet
access-list 103 deny tcp any host 192.168.1.1 eq 22
access-list 103 deny tcp any host 192.168.1.1 eq www
access-list 103 deny tcp any host 192.168.1.1 eq 443
access-list 103 deny tcp any host 192.168.1.1 eq cmd
access-list 103 deny udp any host 192.168.1.1 eq snmp
access-list 103 permit ip any any
access-list 104 remark SDM_ACL Category=2
access-list 104 permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 remark Auto generated by SDM Management Access feature
access-list 105 remark SDM_ACL Category=1
access-list 105 permit ip host IP PUBLICO any
access-list 105 permit ip 192.168.3.0 0.0.0.255 any
access-list 105 permit ip host 192.168.2.0 any
access-list 105 permit ip host IP PUBLICO any
access-list 105 permit ip host IP PUBLICO any
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 106 remark Auto generated by SDM Management Access feature
access-list 106 remark SDM_ACL Category=1
access-list 106 remark Auto generated by SDM for NTP (123) ntp.inrim.it
access-list 106 permit udp host 193.204.114.105 eq ntp host IP PUBLICO eq ntp
access-list 106 permit udp host 151.99.0.100 eq domain host IP PUBLICO
access-list 106 permit udp host 151.99.125.1 eq domain host IP PUBLICO
access-list 106 permit udp host 151.99.0.100 eq domain any
access-list 106 permit udp host 151.99.125.1 eq domain any
access-list 106 permit tcp host IP PUBLICO host IP PUBLICO eq telnet
access-list 106 permit tcp 192.168.3.0 0.0.0.255 host IP PUBLICO eq telnet
access-list 106 permit tcp host 192.168.2.0 host IP PUBLICO eq telnet
access-list 106 permit tcp 192.168.1.0 0.0.0.255 host IP PUBLICO eq telnet
access-list 106 permit tcp host IP PUBLICO host IP PUBLICO eq telnet
access-list 106 permit tcp host IP PUBLICO host IP PUBLICO eq telnet
access-list 106 permit tcp host IP PUBLICO host IP PUBLICO eq 22
access-list 106 permit tcp 192.168.3.0 0.0.0.255 host IP PUBLICO eq 22
access-list 106 deny ip 192.168.1.0 0.0.0.255 any
access-list 106 permit icmp any host IP PUBLICO echo-reply
access-list 106 permit icmp any host IP PUBLICO time-exceeded
access-list 106 permit icmp any host IP PUBLICO unreachable
access-list 106 deny ip 10.0.0.0 0.255.255.255 any
access-list 106 deny ip 172.16.0.0 0.15.255.255 any
access-list 106 deny ip 192.168.0.0 0.0.255.255 any
access-list 106 deny ip 127.0.0.0 0.255.255.255 any
access-list 106 deny ip host 255.255.255.255 any
access-list 106 deny ip host 0.0.0.0 any
access-list 106 permit tcp host 192.168.2.0 host IP PUBLICO eq 22
access-list 106 permit tcp 192.168.1.0 0.0.0.255 host IP PUBLICO eq 22
access-list 106 permit tcp host 194.184.64.129 host IP PUBLICO eq 22
access-list 106 permit tcp host IP PUBLICO host IP PUBLICO eq 22
access-list 106 permit tcp host IP PUBLICO host IP PUBLICO eq www
access-list 106 permit tcp 192.168.3.0 0.0.0.255 host IP PUBLICO eq www
access-list 106 permit tcp host 192.168.2.0 host IP PUBLICO eq www
access-list 106 permit tcp 192.168.1.0 0.0.0.255 host IP PUBLICO eq www
access-list 106 permit tcp host 194.184.64.129 host IP PUBLICO eq www
access-list 106 permit tcp host IP PUBLICO host IP PUBLICO eq www
access-list 106 permit tcp host IP PUBLICO host IP PUBLICO eq 443
access-list 106 permit tcp 192.168.3.0 0.0.0.255 host IP PUBLICO eq 443
access-list 106 permit tcp host 192.168.2.0 host IP PUBLICO eq 443
access-list 106 permit tcp 192.168.1.0 0.0.0.255 host IP PUBLICO eq 443
access-list 106 permit tcp host IP PUBLICO host IP PUBLICO eq 443
access-list 106 permit tcp host IP PUBLICO host IP PUBLICO eq 443
access-list 106 permit tcp host IP PUBLICO host IP PUBLICO eq cmd
access-list 106 permit tcp 192.168.3.0 0.0.0.255 host IP PUBLICO eq cmd
access-list 106 permit tcp host 192.168.2.0 host IP PUBLICO eq cmd
access-list 106 permit tcp 192.168.1.0 0.0.0.255 host IP PUBLICO eq cmd
access-list 106 permit tcp host 194.184.64.129 host IP PUBLICO eq cmd
access-list 106 permit tcp host IP PUBLICO host IP PUBLICO eq cmd
access-list 106 deny tcp any host IP PUBLICO eq telnet
access-list 106 deny tcp any host IP PUBLICO eq 22
access-list 106 deny tcp any host IP PUBLICO eq www
access-list 106 deny tcp any host IP PUBLICO eq 443
access-list 106 deny tcp any host IP PUBLICO eq cmd
access-list 106 deny udp any host IP PUBLICO eq snmp
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 106 permit udp host IP PUBLICO host IP PUBLICO eq non500-isakmp
access-list 106 permit udp host IP PUBLICO host IP PUBLICO eq isakmp
access-list 106 permit esp host IP PUBLICO host IP PUBLICO
access-list 106 permit ahp host IP PUBLICO host IP PUBLICO
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 106 permit udp host IP PUBLICO host IP PUBLICO eq non500-isakmp
access-list 106 permit udp host IP PUBLICO host IP PUBLICO eq isakmp
access-list 106 permit esp host IP PUBLICO host IP PUBLICO
access-list 106 permit ahp host IP PUBLICO host IP PUBLICO
access-list 106 permit ip any any
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 108 remark auto generated by SDM firewall configuration
access-list 108 remark SDM_ACL Category=1
access-list 108 deny ip IP PUBLICO 0.0.0.7 any
access-list 108 deny ip host 255.255.255.255 any
access-list 108 deny ip 127.0.0.0 0.255.255.255 any
access-list 108 permit ip any any
no cdp run
IP PUBLICO = the various IPs of the VPN connections
In this config the SDM_HIGH acl is not assigned to ATM0.1, otherwise they would no longer be able to work with the Java sites.
If some saintly soul can help me I'd be very grateful.
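Added example (editor's note, not part of the original post and not taken from the poster's running config): the CLI change that the "disable inspection on http-java" advice refers to, plus the checks to run afterwards. In CBAC, Java applet blocking lives inside the `http` inspection entry and is driven by the optional `java-list` keyword, which names a numbered standard ACL of "friendly" web servers; the posted `ip inspect name SDM_HIGH http urlfilter` line has no such list. The example assumes ACL number 50 is unused on this router (any free numbered standard ACL would do; `java-list` does not accept named or extended ACLs) and that it is this applet blocking, rather than something else in SDM_HIGH, that is breaking the Java sites.

```cisco
! Added example, not the poster's config. Goal: keep HTTP inspection and
! URL filtering, but stop CBAC from blocking Java applets by declaring
! every web server a "friendly" site. ACL 50 is an ASSUMED free number.
configure terminal
 access-list 50 remark Java applet friendly-site list (assumed number)
 access-list 50 permit any
 !
 ! Remove the SDM-generated http entry and re-add it with the java-list.
 ! Only the http protocol entry is touched; the other SDM_HIGH entries stay.
 no ip inspect name SDM_HIGH http
 ip inspect name SDM_HIGH http java-list 50 urlfilter
 !
 ! Alternative (loses URL filtering, so not what the friend asked for):
 ! drop HTTP inspection altogether. The generic 'tcp' entry already in
 ! SDM_HIGH still keeps outbound web sessions stateful.
 ! no ip inspect name SDM_HIGH http
 !
 ! Apply the rule outbound on the WAN sub-interface, as the post describes.
 interface ATM0.1
  ip inspect SDM_HIGH out
 exit
end
!
! Checks: confirm the http entry now carries the java-list, then watch the
! sessions and the log while a Java site is opened from the LAN
! ('ip inspect log drop-pkt' is already on in the posted config).
show ip inspect config
show ip inspect sessions
show logging | include FW
write memory
```

Two caveats. `permit any` turns Java blocking off in all but name; if the friend wants some protection back, list only the addresses of the two or three business sites in ACL 50 instead, bearing in mind that applets from every other site are then blocked again, which is the symptom the post started with. And because `ip inspect alert-off` is set globally, the `%FW-4-HTTP_JAVA_BLOCK` alert that would confirm the diagnosis is suppressed; enabling alerts on just this entry (`ip inspect name SDM_HIGH http java-list 50 urlfilter alert on`) while testing makes it visible in `show logging`. If the java.com download still hangs after this change, the next thing to look at is the `appfw` `application http` policy in the posted config, whose `port-misuse` actions are `reset`.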
