Just to explain: I added the entries enceladus said were needed; unfortunately it did not help. I removed the changes. Later I entered the commands quoted by toczyskik, likewise with no effect. That is why I decided to back the changes out, since I assume that by piling on those commands I can only "worsen/complicate" the analysis of what is there now.
As for the ACLs on the interfaces: since I have ZBF (as I understand it, ZBF means zone-based firewall), the ACLs really contribute little. As I can see from the header, this was generated automatically by SDM. Either way it is pointless, but they do not settle the matter either...
My public address is unreachable from the internal network
Hello,
I am attaching the config with the changes proposed by enceladus.
I removed a mass of junk sown by SDM. The config is much more readable, but I still cannot reach mail (via the external address) while on the home network.
1. DMZ network 10.10.12.0 (with the mail server at address 10.10.12.2)
2. local network 10.10.10.0
3. external IP address assigned to the Dialer1 interface (enceladus pointed to FF, but I think it does not matter)
Do you have any suggestions, colleagues?
!This is the running config of the router: 10.10.10.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 877W
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxxxx
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.10.10.1 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
server 10.10.10.1 auth-port 1812 acct-port 1813
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap2
server 10.10.10.1 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods2 group rad_eap2
aaa authentication login VPN_auth_login local
aaa authorization ipmobile default group rad_pmip
aaa authorization network VPN_network_auth local
aaa accounting network acct_methods start-stop group rad_acct
!
!
aaa session-id common
clock timezone Warsaw 1
clock summer-time Warsaw date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-3274552524
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3274552524
revocation-check none
rsakeypair TP-self-signed-3274552524
!
!
crypto pki certificate chain TP-self-signed-3274552524
certificate self-signed 01
xxx
quit
dot11 syslog
dot11 vlan-name guests vlan 4
dot11 vlan-name xxx vlan 1
!
dot11 ssid guests
vlan 4
authentication open
authentication key-management wpa
wpa-psk ascii 7 xxx
!
dot11 ssid xxx
vlan 1
authentication open eap eap_methods2
authentication network-eap eap_methods2
authentication key-management wpa
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.41 192.168.1.254
ip dhcp excluded-address 10.10.10.51 10.10.10.254
ip dhcp excluded-address 10.10.12.5 10.10.12.254
!
ip dhcp pool vlan4
network 192.168.1.0 255.255.255.0
domain-name xxx.pl
dns-server 62.233.233.233 87.204.204.204
default-router 192.168.1.1
lease infinite
!
ip dhcp pool vlan1
network 10.10.10.0 255.255.255.0
domain-name xxx.pl
dns-server 62.233.233.233 87.204.204.204
default-router 10.10.10.1
netbios-name-server 10.10.10.15
lease infinite
!
ip dhcp pool vlan3
import all
network 10.10.12.0 255.255.255.0
domain-name xxx.pl
dns-server 62.233.233.233 87.204.204.204
default-router 10.10.12.1
lease infinite
!
!
!
ip domain name xxx.pl
ip name-server 62.233.233.233
ip name-server 87.204.204.204
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 xxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group xxx
key xxx
dns 10.10.10.1 62.233.233.233
wins 10.10.10.15
domain xxx.pl
pool VPN_POOL1
save-password
max-users 10
crypto isakmp profile VPN_xxx-ike-profile-1
match identity group xxx
client authentication list VPN_auth_login
isakmp authorization list VPN_network_auth
client configuration address initiate
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
!
crypto ipsec profile IPSec_profile_1
set transform-set SDM_TRANSFORMSET_1
!
crypto ipsec profile VPN_xxx
set transform-set SDM_TRANSFORMSET_1
set isakmp-profile VPN_xxx-ike-profile-1
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 0/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
switchport access vlan 2
!
interface FastEthernet2
switchport access vlan 3
!
interface FastEthernet3
switchport access vlan 4
!
interface Virtual-Template1 type tunnel
ip unnumbered BVI1
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN_xxx
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 4 mode ciphers tkip
!
ssid guests
!
ssid xxx
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
l2-filter bridge-group-acl
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 input-address-list 700
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.4
encapsulation dot1Q 4
no cdp enable
bridge-group 4
bridge-group 4 subscriber-loop-control
bridge-group 4 spanning-disabled
bridge-group 4 block-unknown-source
no bridge-group 4 source-learning
no bridge-group 4 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
ip nat enable
ip tcp adjust-mss 1452
bridge-group 1
!
interface Vlan4
description glan4
no ip address
bridge-group 4
!
interface Vlan3
no ip address
bridge-group 3
!
interface Vlan2
no ip address
!
interface Dialer0
ip address 888.888.888.888 255.255.255.252
ip nat outside
ip nat enable
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxx@webnet24.pl
ppp chap password 7 xxx
!
interface BVI1
description $ES_LAN$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
ip tcp adjust-mss 1412
!
interface BVI4
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface BVI3
ip address 10.10.12.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool VPN_POOL1 10.10.10.100 10.10.10.110
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat source list acl-nat interface Dialer0 overload
ip nat source static tcp 10.10.12.2 50025 88.88.88.88 25 extendable
ip nat source static tcp 10.10.12.2 143 88.88.88.88 143 extendable
ip nat source static tcp 10.10.12.2 25 88.88.88.88 50025 extendable
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 3 interface Dialer0 overload
ip nat inside source list 4 interface Dialer0 overload
!
ip access-list extended acl-nat
deny ip 10.10.10.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
!
no logging trap
access-list 1 remark NAT 1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 3 remark NAT 3
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 10.10.12.0 0.0.0.255
access-list 4 remark NAT 4
access-list 4 remark SDM_ACL Category=2
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 104 remark VTY telnet access
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip 10.10.10.0 0.0.0.255 any
access-list 104 deny ip any any
access-list 700 permit 0011.1111.1100 0000.0000.0000
access-list 700 permit 0022.2222.2200 0000.0000.0000
access-list 700 permit 0033.3333.3300 0000.0000.0000
access-list 700 permit 0044.4444.4400 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
dialer-list 1 protocol ip permit
no cdp run
!
!
!
radius-server local
no authentication eapfast
nas 10.10.10.1 key 7 999
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.10.10.1 auth-port 1812 acct-port 1813 key 7 999
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 3 protocol ieee
bridge 3 route ip
bridge 4 protocol ieee
bridge 4 route ip
banner exec ^CCCCC
% Password expiration warning.
-----------------------------------------------------------------------
hahaha
-----------------------------------------------------------------------
^C
banner login ^CCCCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
speed 115200
line aux 0
line vty 0 3
access-class 104 in
exec-timeout 60 0
privilege level 15
transport input telnet ssh
line vty 4
access-class 104 in
exec-timeout 60 0
privilege level 15
transport input telnet ssh
parser view SDM_EasyVPN_Remote
secret 5 999
commands interface include all crypto
commands interface include all no crypto
commands interface include no
commands configure include end
commands configure include all radius-server
commands configure include all access-list
commands configure include ip radius source-interface
commands configure include ip radius
commands configure include all ip nat
commands configure include ip dns server
commands configure include ip dns
commands configure include all interface
commands configure include all identity policy
commands configure include identity profile
commands configure include identity
commands configure include all dot1x
commands configure include all ip domain lookup
commands configure include ip domain
commands configure include ip
commands configure include all crypto
commands configure include all aaa
commands configure include default end
commands configure include all default radius-server
commands configure include all default access-list
commands configure include default ip radius source-interface
commands configure include default ip radius
commands configure include all default ip nat
commands configure include default ip dns server
commands configure include default ip dns
commands configure include all default interface
commands configure include all default identity policy
commands configure include default identity profile
commands configure include default identity
commands configure include all default dot1x
commands configure include all default ip domain lookup
commands configure include default ip domain
commands configure include default ip
commands configure include all default crypto
commands configure include all default aaa
commands configure include default
commands configure include no end
commands configure include all no radius-server
commands configure include all no access-list
commands configure include no ip radius source-interface
commands configure include no ip radius
commands configure include all no ip nat
commands configure include no ip dns server
commands configure include no ip dns
commands configure include all no interface
commands configure include all no identity policy
commands configure include no identity profile
commands configure include no identity
commands configure include all no dot1x
commands configure include all no ip domain lookup
commands configure include no ip domain
commands configure include no ip
commands configure include all no crypto
commands configure include all no aaa
commands configure include no
commands exec include dir all-filesystems
commands exec include dir
commands exec include crypto ipsec client ezvpn connect
commands exec include crypto ipsec client ezvpn xauth
commands exec include crypto ipsec client ezvpn
commands exec include crypto ipsec client
commands exec include crypto ipsec
commands exec include crypto
commands exec include write memory
commands exec include write
commands exec include all ping ip
commands exec include ping
commands exec include configure terminal
commands exec include configure
commands exec include all show
commands exec include no
commands exec include all debug appfw
commands exec include all debug ip inspect
commands exec include debug ip
commands exec include debug
commands exec include all clear
!
!
scheduler max-task-time 5000
end
Thanks, vrankom.
It was necessary to add the address of my router as the first DNS server in the local network's address pool, and additionally one command:

ip host xxx.pl 10.10.12.2

which indicates that for this particular server (xxx.pl) the address is 10.10.12.2.
Thanks to this, computers on the internal network that have the public address (xxx.pl) configured as their mail server are "redirected" by the router's DNS to the local address.
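The split-DNS fix from the post above, written out as one complete fragment against the posted 877W config. This is an added example, not the poster's own configuration or anything from the thread: it assumes that the router was not yet answering DNS queries itself (the posted config has no `ip dns server` line, and without it IOS only forwards nothing and answers nothing), that the mail hosts are reached by the bare name `xxx.pl`, and that the upstream resolvers stay the two already configured with `ip name-server`.

```cisco
! Added example (not the poster's config): split DNS on the 877W so that
! LAN hosts resolve the mail server's public name to its DMZ address,
! while everybody outside keeps resolving it to the public IP.
!
! 1. Let the router answer DNS itself (assumed missing in the posted config).
!    Names it does not know are forwarded to the "ip name-server" entries.
ip dns server
ip name-server 62.233.233.233
ip name-server 87.204.204.204
!
! 2. Static host entry: on the inside, xxx.pl is the DMZ mail server.
!    Only this one name is overridden; every other name goes upstream.
ip host xxx.pl 10.10.12.2
!
! 3. Hand the router out as the FIRST DNS server to LAN clients. Order
!    matters: a client that asks 62.233.233.233 first gets the public IP
!    back and is right back at the hairpin problem.
ip dhcp pool vlan1
 network 10.10.10.0 255.255.255.0
 domain-name xxx.pl
 dns-server 10.10.10.1 62.233.233.233 87.204.204.204
 default-router 10.10.10.1
 netbios-name-server 10.10.10.15
 lease infinite
```

Two checks a practitioner would run after this: on the router, `show hosts` must list `xxx.pl` with 10.10.12.2, and from a LAN PC `nslookup xxx.pl 10.10.10.1` must return 10.10.12.2 (a lookup against 62.233.233.233 still returns the public address, which is the intended split). Because the pool uses `lease infinite`, already-connected clients keep their old DNS server list until they release and renew the lease. One caveat: `ip dns server` answers on every interface, Dialer0 included, so UDP/TCP 53 from the outside must be dropped by the zone-based firewall the poster mentions (the posted config does not show those rules), otherwise the router becomes an open resolver on the public address.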