Hi everyone,
I'm starting a new thread to clear things up a bit, now that it is clear what the problem is.
I have a Cisco 877 router with some PCs connected to it.
All the PCs can get to the internet and browse, they can ping, but they cannot resolve an address with traceroute.
For example: traceroute google.com
traceroute to google.com (209.85.149.106), 64 hops max, 52 byte packets
1 192.168.1.1 (192.168.1.1) 1.380 ms 1.095 ms 1.171 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
If instead I run a traceroute from the router, it resolves it perfectly.
So I assume there is something between the router and the PCs...
Or that I got some parameter wrong in the DNS assigned to the PCs (but the strange thing is that they browse...).
Telecom gave me the Alice Business DNS servers and a default gateway (which is like my static IP, but ending in .254).
PPPoE interface
Thanks in advance everyone!
Here is my configuration
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$FsEK$vYhPPJ4yUYoUTN4.Xh2Y8.
!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-1671754495
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1671754495
revocation-check none
rsakeypair TP-self-signed-1671754495
!
!
crypto pki certificate chain TP-self-signed-1671754495
certificate self-signed 01
quit
dot11 syslog
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.100
!
ip dhcp pool ccp-pool1
import all
network 192.168.1.0 255.255.255.0
dns-server 151.99.125.1 151.99.0.100
default-router 192.168.1.1
!
!
no ip bootp server
ip domain name yourdomain.com
ip name-server 151.99.125.1
ip name-server 151.99.0.100
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 $1$YysX$9rjqbN7PEwq7YyKMewAae0
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface ATM0
no ip address
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname [email protected]
ppp chap password 7 082040470A1C0B12050A0B
ppp pap sent-username [email protected] password 7 050A0A062249400C0E0410
!
ip default-gateway GatewayOfAdslCompany
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit tcp any any
access-list 101 permit ip any any
access-list 101 permit udp any any
access-list 101 permit icmp any any
access-list 102 permit tcp any any
access-list 102 permit udp any any
access-list 102 permit ip any any
access-list 102 permit icmp any any
dialer-list 1 protocol ip list 101
no cdp run
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
traceroute from a host does not work, browsing does
Moderator: Federico.Lagni
- ghira
- Holy network Shaman
- Posts: 668
- Joined: Wed 30 Mar 2011, 5:25 pm
on the router do "debug ip nat port" and then from the PC do "traceroute www.google.com"
and tell me what comes out on the router.
you probably need to do "term mon" on the router
- Jyonny
- n00b
- Posts: 23
- Joined: Fri 03 Jun 2011, 11:40 am
Hi ghira!
Router#debug ip nat port
IP NAT PORT debugging is on
Router#debug ip nat detailed
IP NAT detailed debugging is on
did tracert... same as before.... it doesn't resolve it
I do term mon and get a long stream of stuff, like the following: (I replaced my public IP with MioIp)
*Jun 7 00:18:07.219: NAT: [0] Allocated Port for 192.168.1.100 -> MioIp: wanted 34066 got 34066
*Jun 7 00:18:07.219: NAT*: i: udp (192.168.1.100, 34066) -> (209.85.149.104, 33438) [34070]
*Jun 7 00:18:07.219: NAT*: i: udp (192.168.1.100, 34066) -> (209.85.149.104, 33438) [34070]
*Jun 7 00:18:07.219: NAT*: s=192.168.1.100->MioIp, d=209.85.149.104 [34070]
*Jun 7 00:18:09.739: NAT: expiring MioIp (192.168.1.100) udp 34053 (34053)
*Jun 7 00:18:11.788: NAT: expiring MioIp (192.168.1.100) tcp 50650 (50650)
*Jun 7 00:18:11.788: NAT: expiring MioIp (192.168.1.100) tcp 50649 (50649)
*Jun 7 00:18:11.788: NAT: expiring MioIp (192.168.1.100) tcp 50644 (50644)
*Jun 7 00:18:11.788: NAT: expiring MioIp (192.168.1.100) tcp 50641 (50641)
*Jun 7 00:18:11.788: NAT: expiring MioIp (192.168.1.100) tcp 50640 (50640)
*Jun 7 00:18:11.788: NAT: expiring MioIp (192.168.1.100) tcp 50639 (50639)
*Jun 7 00:18:12.216: mapping pointer available mapping:0
*Jun 7 00:18:12.216: NAT*: i: udp (192.168.1.100, 34066) -> (209.85.149.104, 33439) [34071]
*Jun 7 00:18:12.216: NAT*: i: udp (192.168.1.100, 34066) -> (209.85.149.104, 33439) [34071]
*Jun 7 00:18:12.220: NAT*: s=192.168.1.100->MioIp, d=209.85.149.104 [34071]
*Jun 7 00:18:14.860: NAT: expiring MioIp (192.168.1.100) udp 34053 (34053)
*Jun 7 00:18:17.216: mapping pointer available mapping:0
*Jun 7 00:18:17.216: NAT*: i: udp (192.168.1.100, 34066) -> (209.85.149.104, 33440) [34072]
*Jun 7 00:18:17.216: NAT*: i: udp (192.168.1.100, 34066) -> (209.85.149.104, 33440) [34072]
*Jun 7 00:18:17.216: NAT*: s=192.168.1.100->MioIp, d=209.85.149.104 [34072]
*Jun 7 00:18:19.469: NAT: expiring MioIp (192.168.1.100) udp 34053 (34053)
*Jun 7 00:18:22.217: mapping pointer available mapping:0
*Jun 7 00:18:22.217: NAT*: i: udp (192.168.1.100, 34066) -> (209.85.149.104, 33441) [34073]
*Jun 7 00:18:22.217: NAT*: i: udp (192.168.1.100, 34066) -> (209.85.149.104, 33441) [34073]
*Jun 7 00:18:22.217: NAT*: s=192.168.1.100->MioIp, d=209.85.149.104 [34073]
*Jun 7 00:18:24.589: NAT: expiring MioIp (192.168.1.100) udp 34053 (34053)
*Jun 7 00:18:25.757: NAT - SYSTEM PORT for MioIp: allocated port 0, refcount 16, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 16, proto 6
*Jun 7 00:18:26.690: NAT - SYSTEM PORT for MioIp: allocated port 0, refcount 17, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 17, proto 6
*Jun 7 00:18:27.150: NAT: expiring MioIp (192.168.1.100) udp 52807 (52807)
*Jun 7 00:18:27.150: NAT: expiring MioIp (192.168.1.100) udp 50172 (50172)
*Jun 7 00:18:27.150: NAT: expiring MioIp (192.168.1.100) udp 53746 (53746)
*Jun 7 00:18:27.150: NAT: expiring MioIp (192.168.1.100) udp 64320 (643
- ghira
- Holy network Shaman
- Posts: 668
- Joined: Wed 30 Mar 2011, 5:25 pm
What do you mean?
Jyonny wrote: Hi ghira!
Router#debug ip nat port
IP NAT PORT debugging is on
Router#debug ip nat detailed
IP NAT detailed debugging is on
did tracert... same as before.... it doesn't resolve it
were you running traceroute from 192.168.1.100 to 209.85.149.104? here we see various UDP ports.
are you running traceroute from a non-Windows system?
in my opinion the stuff goes out. maybe the replies don't come back for some reason.
what happens if you do it from .1.50?
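As an added illustration of the reading ghira gives the log (the probes are translated outbound, nothing is logged coming back), here is a small parser that is not from the thread: it extracts the per-packet flows from the "debug ip nat detailed" lines posted above, detects the run of consecutive UDP destination ports that identifies a UDP traceroute, and counts outside-to-inside translations towards the public address (the poster's placeholder MioIp). It assumes return packets would be logged as "o:" lines with the same shape as the "i:" lines.

```python
import re
from collections import defaultdict

# Sample lines copied from the "debug ip nat detailed" output in the post above
# (MioIp is the poster's stand-in for the router's public address).
SAMPLE_LOG = """\
*Jun 7 00:18:07.219: NAT: [0] Allocated Port for 192.168.1.100 -> MioIp: wanted 34066 got 34066
*Jun 7 00:18:07.219: NAT*: i: udp (192.168.1.100, 34066) -> (209.85.149.104, 33438) [34070]
*Jun 7 00:18:07.219: NAT*: s=192.168.1.100->MioIp, d=209.85.149.104 [34070]
*Jun 7 00:18:12.216: NAT*: i: udp (192.168.1.100, 34066) -> (209.85.149.104, 33439) [34071]
*Jun 7 00:18:17.216: NAT*: i: udp (192.168.1.100, 34066) -> (209.85.149.104, 33440) [34072]
*Jun 7 00:18:22.217: NAT*: i: udp (192.168.1.100, 34066) -> (209.85.149.104, 33441) [34073]
"""

# Per-packet translation lines: "i:" is inside->outside, "o:" is outside->inside.
FLOW_RE = re.compile(
    r"NAT\*?: (?P<dir>[io]): (?P<proto>\w+) "
    r"\((?P<src>[\d.]+), (?P<sport>\d+)\) -> \((?P<dst>[\d.]+), (?P<dport>\d+)\)"
)
TRACEROUTE_BASE_PORT = 33434  # first UDP port used by classic BSD/Linux traceroute

def parse_nat_flows(text):
    """Extract every translated packet as a dict (dir, proto, src, sport, dst, dport)."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            f = m.groupdict()
            f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
            flows.append(f)
    return flows

def find_traceroute_probes(flows):
    """Map (inside host, target) -> (first, last) destination port for runs of
    consecutive UDP ports at or above the traceroute base port: one port per
    TTL probe is the fingerprint of a UDP traceroute."""
    ports_by_pair = defaultdict(set)
    for f in flows:
        if f["dir"] == "i" and f["proto"] == "udp" and f["dport"] >= TRACEROUTE_BASE_PORT:
            ports_by_pair[(f["src"], f["dst"])].add(f["dport"])
    runs = {}
    for pair, ports in ports_by_pair.items():
        ordered = sorted(ports)
        if len(ordered) >= 2 and all(b - a == 1 for a, b in zip(ordered, ordered[1:])):
            runs[pair] = (ordered[0], ordered[-1])
    return runs

def returning_packets(flows, public_ip):
    """Outside->inside translations addressed to the public IP: the ICMP
    time-exceeded / port-unreachable replies a working traceroute depends on.
    Assumption: they would be logged as 'o:' lines with the same shape as 'i:'."""
    return [f for f in flows if f["dir"] == "o" and f["dst"] == public_ip]

def diagnose(text, public_ip):
    """Did probes leave the NAT, and did anything come back through it?"""
    flows = parse_nat_flows(text)
    return {"probe_runs": find_traceroute_probes(flows),
            "outbound_probes": sum(1 for f in flows if f["dir"] == "i"),
            "replies_seen": len(returning_packets(flows, public_ip))}
```

On the sample above it reports one probe run from 192.168.1.100 to 209.85.149.104 on ports 33438 to 33441 and zero return translations, which is exactly the "goes out, nothing comes back" picture.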
- ghira
- Holy network Shaman
- Posts: 668
- Joined: Wed 30 Mar 2011, 5:25 pm
do
no debug all
then, while not much is happening
access-list 110 permit ip any any log
int dialer0
ip access-group 110 in
ip access-group 110 out
then run traceroute (and maybe afterwards try to use the application you are actually interested in)
that way we see everything that goes out and everything that comes in.
- ghira
- Holy network Shaman
- Posts: 668
- Joined: Wed 30 Mar 2011, 5:25 pm
Did you stop the traceroute after 7 hops?
If you let it run up to 30, is it always like this?
if you do traceroute -n instead of traceroute it will be very fast.
then, as for your real problem, why did you open those ports in particular?
searching for "dreambox port firewall" and "dreambox nat cisco 877" and so on I find references
to other ports.
if you don't tell us exactly what you are trying to do it is hard to help you
- ghira
- Holy network Shaman
- Posts: 668
- Joined: Wed 30 Mar 2011, 5:25 pm
since I use ip inspect and you don't, let's put ip inspect on your router and try again. traceroute
from linux through my 877 works, and ip inspect seems to me the biggest difference.
it's not very clear to me what traceroute from linux would have done through NAT without ip inspect.
in any case you asked for comments on the security of your config and you would be better off with ip
inspect. (if you want to be really up to date you could maybe use zone-based firewall.
I haven't used it yet. for now use ip inspect)
I gave you the commands in another message.