Portforwarding cisco 877

alessandro77

Hi, I used the configuration from the sticky (the one with firewall and DynDNS), leaving out the wireless part.
However, I need to forward some ports to machines inside the LAN (different ports for different machines).
Previously I used these commands:

Code:

ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.2 46661 interface Dialer0 46661

and it worked; now, instead, I always see the connection being dropped, I suppose by an access list (I can see it on the console, where it says that access-list 101 denied ...)

I'm also posting the configuration I'm using, hoping someone can help me.

Code:

Current configuration : 6973 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname alessandro
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable secret 5 password
!
no aaa new-model
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.2 192.168.1.30
!
ip dhcp pool Pool1
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.100
   dns-server 85.37.17.8
   lease infinite
!
!
ip domain name cisco.com
ip name-server 85.37.17.8
ip inspect log drop-pkt
ip inspect name Firewall cuseeme
ip inspect name Firewall dns
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall https
ip inspect name Firewall icmp
ip inspect name Firewall imap
ip inspect name Firewall pop3
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall esmtp
ip inspect name Firewall sqlnet
ip inspect name Firewall streamworks
ip inspect name Firewall tftp
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall vdolive
multilink bundle-name authenticated
!
username alessandro privilege 15 secret 5 password
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no snmp trap link-status
 pvc 8/35
 pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Dialer0
 ip ddns update hostname ale77.dyndns.org
 ip ddns update dyndns1
 ip address negotiated
 ip access-group 101 in
 ip mtu 1492
 ip nat outside
 ip inspect Firewall out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username user password 7 pass
!
interface BVI1
 ip address 192.168.1.100 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 198.18.0.0 0.1.255.255 any
access-list 101 deny   ip 224.0.0.0 0.15.255.255 any
access-list 101 deny   ip any host 255.255.255.255
access-list 101 permit udp host 85.37.17.8 eq domain any
access-list 101 permit tcp host 63.208.196.96 eq www any log
access-list 101 permit udp host 207.46.232.42 eq ntp any
access-list 101 permit udp host 192.43.244.18 eq ntp any
access-list 101 permit gre any any
access-list 101 permit icmp any any echo
access-list 101 deny   ip any any log
access-list 101 deny   icmp any any echo
access-list 102 remark Traffic allowed to enter the router from the Ethernet side
access-list 102 permit ip any host 192.168.1.100
access-list 102 deny   ip any host 192.168.1.255
access-list 102 deny   udp any any eq tftp log
access-list 102 deny   ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny   ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny   ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny   ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny   udp any any eq 135 log
access-list 102 deny   tcp any any eq 135 log
access-list 102 deny   udp any any eq netbios-ns log
access-list 102 deny   udp any any eq netbios-dgm log
access-list 102 deny   tcp any any eq 445 log
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny   ip any any log
dialer-list 1 protocol ip permit
no cdp run
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 193.204.114.232
ntp server 193.204.114.233
end

alessandro77

OK, I solved it: I realized that the access list allowing traffic for the forwarded port was missing.
Bye
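The mismatch described in this thread, as an added example that is not part of the original posts: a small audit that finds each static port forward, looks up the ACL bound inbound on its outside interface, and reports the first-match verdict for a new connection to the forwarded port. The documentation addresses 203.0.113.10 (Internet client) and 198.51.100.1 (negotiated Dialer0 address) are placeholders, and the `permit` line in `FIXED` is an assumed form of the fix, since the thread does not show the entry that was added.

```python
import ipaddress
import re

# Constructed excerpt: lines taken from the posted configuration and NAT command.
HEAD = """\
interface Dialer0
 ip address negotiated
 ip access-group 101 in
ip nat inside source static tcp 192.168.1.2 46661 interface Dialer0 46661
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 permit udp host 85.37.17.8 eq domain any
"""
CATCH_ALL = "access-list 101 deny   ip any any log\n"
CONFIG = HEAD + CATCH_ALL  # as posted: no entry for the forwarded port
# Assumed fix; the thread does not show the entry that was actually added.
FIXED = HEAD + "access-list 101 permit tcp any any eq 46661\n" + CATCH_ALL

ADDR = r"(any|host \S+|\S+ \S+)"
ACL_RE = re.compile(
    rf"^access-list (\d+) (permit|deny)\s+(\S+) {ADDR}(?: eq (\S+))? {ADDR}(?: eq (\S+))?", re.M)
NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)", re.M)

def addr_match(spec, ip):
    """Match an IP against 'any', 'host A' or 'A WILDCARD'."""
    if spec == "any":
        return True
    a, b = spec.split()
    if a == "host":
        return b == ip
    base, wild, addr = (int(ipaddress.ip_address(x)) for x in (a, b, ip))
    return (addr | wild) == (base | wild)

def acl_action(config, acl, proto, src, dst, dport):
    """First-match verdict of a numbered extended ACL (numeric 'eq' ports only)."""
    for num, action, rproto, rsrc, _sport, rdst, rdport in ACL_RE.findall(config):
        if (num == acl and rproto in ("ip", proto) and addr_match(rsrc, src)
                and addr_match(rdst, dst) and rdport in ("", str(dport))):
            return action
    return "deny"  # implicit deny that ends every ACL

def audit_forwards(config, probe_src="203.0.113.10", wan_ip="198.51.100.1"):
    """Return (proto, public_port, inside_host, verdict) for each static forward."""
    results = []
    for proto, inside, _lport, iface, gport in NAT_RE.findall(config):
        bound = re.search(rf"^interface {re.escape(iface)}\n(?: .*\n)*? ip access-group (\S+) in", config, re.M)
        # The inbound ACL is checked before NAT, so it sees the public port.
        verdict = acl_action(config, bound.group(1), proto, probe_src, wan_ip, gport) if bound else "permit"
        results.append((proto, int(gport), inside, verdict))
    return results
```

Because the new entry sits after the bogon denies and before the catch-all deny, spoofed private sources are still dropped while the forwarded port becomes reachable; named ports such as `www` are not resolved by this sketch.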