My public address unreachable from the internal network

Routing-related problems

and800
wannabe
Posts: 56
Registered: 16 May 2008, 19:43

#16 Post by and800 »

Let me explain: I added the entries enceladus deemed necessary; unfortunately, it didn't help. I removed the changes. Later I added the commands quoted by toczyskik, likewise with no effect. That is why I decided to back out the changes, since I assume that by piling on these commands I can only make the analysis of what is there now "worse/harder".

As for ACLs on the interfaces, since I have ZBF. As I understand it, ZBF is a zone-based firewall. Indeed, the ACLs don't contribute much. As I can see from the header, this was generated automatically by SDM. Either way it's pointless, but they don't settle the matter either...

dorvin
CCIE
Posts: 1688
Registered: 21 Jan 2008, 13:21
Location: Wrocław

#17 Post by dorvin »

Don't you worry about making the analysis harder. SDM has already made this configuration so hard that you won't manage to make it any worse. :)

and800
wannabe
Posts: 56
Registered: 16 May 2008, 19:43

#18 Post by and800 »

Hello,

I'm attaching the config with the changes proposed by enceladus.
I removed a heap of junk sown by SDM. The config is much clearer, but I still can't reach the mail server (by its external address) while on the home network.

1. DMZ network 10.10.12.0 (with the mail server at 10.10.12.2)
2. local network 10.10.10.0
3. external IP address assigned to interface Dialer1 (enceladus pointed at FF, but I don't think it matters)

Do you have any suggestions, colleagues?

Code:

!This is the running config of the router: 10.10.10.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 877W
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxxxx
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.10.10.1 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
 server 10.10.10.1 auth-port 1812 acct-port 1813
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap2
 server 10.10.10.1 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods2 group rad_eap2
aaa authentication login VPN_auth_login local
aaa authorization ipmobile default group rad_pmip 
aaa authorization network VPN_network_auth local 
aaa accounting network acct_methods start-stop group rad_acct
!
!
aaa session-id common
clock timezone Warsaw 1
clock summer-time Warsaw date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-3274552524
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3274552524
 revocation-check none
 rsakeypair TP-self-signed-3274552524
!
!
crypto pki certificate chain TP-self-signed-3274552524
 certificate self-signed 01

  xxx
 	quit

dot11 syslog
dot11 vlan-name guests vlan 4
dot11 vlan-name xxx vlan 1
!
dot11 ssid guests
   vlan 4
   authentication open 
   authentication key-management wpa
   wpa-psk ascii 7 xxx
!
dot11 ssid xxx
   vlan 1
   authentication open eap eap_methods2 
   authentication network-eap eap_methods2 
   authentication key-management wpa
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.41 192.168.1.254
ip dhcp excluded-address 10.10.10.51 10.10.10.254
ip dhcp excluded-address 10.10.12.5 10.10.12.254
!
ip dhcp pool vlan4
   network 192.168.1.0 255.255.255.0
   domain-name xxx.pl
   dns-server 62.233.233.233 87.204.204.204 
   default-router 192.168.1.1 
   lease infinite
!
ip dhcp pool vlan1
   network 10.10.10.0 255.255.255.0
   domain-name xxx.pl
   dns-server 62.233.233.233 87.204.204.204 
   default-router 10.10.10.1 
   netbios-name-server 10.10.10.15 
   lease infinite
!
ip dhcp pool vlan3
   import all
   network 10.10.12.0 255.255.255.0
   domain-name xxx.pl
   dns-server 62.233.233.233 87.204.204.204 
   default-router 10.10.12.1 
   lease infinite
!
!
!
ip domain name xxx.pl
ip name-server 62.233.233.233
ip name-server 87.204.204.204
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 xxx
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group xxx
 key xxx
 dns 10.10.10.1 62.233.233.233
 wins 10.10.10.15
 domain xxx.pl
 pool VPN_POOL1
 save-password
 max-users 10
crypto isakmp profile VPN_xxx-ike-profile-1
   match identity group xxx
   client authentication list VPN_auth_login
   isakmp authorization list VPN_network_auth
   client configuration address initiate
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac 
!
crypto ipsec profile IPSec_profile_1
 set transform-set SDM_TRANSFORMSET_1 
!
crypto ipsec profile VPN_xxx
 set transform-set SDM_TRANSFORMSET_1 
 set isakmp-profile VPN_xxx-ike-profile-1
!
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 0/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
 switchport access vlan 2
!
interface FastEthernet2
 switchport access vlan 3
!
interface FastEthernet3
 switchport access vlan 4
!
interface Virtual-Template1 type tunnel
 ip unnumbered BVI1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_xxx
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers aes-ccm 
 !
 encryption vlan 4 mode ciphers tkip 
 !
 ssid guests
 !
 ssid xxx
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 l2-filter bridge-group-acl
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 input-address-list 700
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.4
 encapsulation dot1Q 4
 no cdp enable
 bridge-group 4
 bridge-group 4 subscriber-loop-control
 bridge-group 4 spanning-disabled
 bridge-group 4 block-unknown-source
 no bridge-group 4 source-learning
 no bridge-group 4 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip nat enable
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Vlan4
 description glan4
 no ip address
 bridge-group 4
!
interface Vlan3
 no ip address
 bridge-group 3
!
interface Vlan2
 no ip address
!
interface Dialer0
 ip address 888.888.888.888 255.255.255.252
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxx@webnet24.pl
 ppp chap password 7 xxx
!
interface BVI1
 description $ES_LAN$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
interface BVI4
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface BVI3
 ip address 10.10.12.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool VPN_POOL1 10.10.10.100 10.10.10.110
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat source list acl-nat interface Dialer0 overload
ip nat source static tcp 10.10.12.2 50025 88.88.88.88 25 extendable
ip nat source static tcp 10.10.12.2 143 88.88.88.88 143 extendable
ip nat source static tcp 10.10.12.2 25 88.88.88.88 50025 extendable
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 3 interface Dialer0 overload
ip nat inside source list 4 interface Dialer0 overload
!
ip access-list extended acl-nat
 deny   ip 10.10.10.0 0.0.0.255 10.10.12.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
!
no logging trap
access-list 1 remark NAT 1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 3 remark NAT 3
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 10.10.12.0 0.0.0.255
access-list 4 remark NAT 4
access-list 4 remark SDM_ACL Category=2
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 104 remark VTY telnet access
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip 10.10.10.0 0.0.0.255 any
access-list 104 deny   ip any any
access-list 700 permit 0011.1111.1100   0000.0000.0000
access-list 700 permit 0022.2222.2200   0000.0000.0000
access-list 700 permit 0033.3333.3300   0000.0000.0000
access-list 700 permit 0044.4444.4400   0000.0000.0000
access-list 700 deny   0000.0000.0000   ffff.ffff.ffff
dialer-list 1 protocol ip permit
no cdp run
!
!
!
radius-server local
  no authentication eapfast
  nas 10.10.10.1 key 7 999
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.10.10.1 auth-port 1812 acct-port 1813 key 7 999
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 3 protocol ieee
bridge 3 route ip
bridge 4 protocol ieee
bridge 4 route ip
banner exec ^CCCCC
% Password expiration warning.
-----------------------------------------------------------------------
 
hahaha
 
-----------------------------------------------------------------------
^C
banner login ^CCCCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 speed 115200
line aux 0
line vty 0 3
 access-class 104 in
 exec-timeout 60 0
 privilege level 15
 transport input telnet ssh
line vty 4
 access-class 104 in
 exec-timeout 60 0
 privilege level 15
 transport input telnet ssh
parser view SDM_EasyVPN_Remote
 secret 5 999
 commands interface include all crypto
 commands interface include all no crypto
 commands interface include no
 commands configure include end
 commands configure include all radius-server
 commands configure include all access-list
 commands configure include ip radius source-interface
 commands configure include ip radius
 commands configure include all ip nat
 commands configure include ip dns server
 commands configure include ip dns
 commands configure include all interface
 commands configure include all identity policy
 commands configure include identity profile
 commands configure include identity
 commands configure include all dot1x
 commands configure include all ip domain lookup
 commands configure include ip domain
 commands configure include ip
 commands configure include all crypto
 commands configure include all aaa
 commands configure include default end
 commands configure include all default radius-server
 commands configure include all default access-list
 commands configure include default ip radius source-interface
 commands configure include default ip radius
 commands configure include all default ip nat
 commands configure include default ip dns server
 commands configure include default ip dns
 commands configure include all default interface
 commands configure include all default identity policy
 commands configure include default identity profile
 commands configure include default identity
 commands configure include all default dot1x
 commands configure include all default ip domain lookup
 commands configure include default ip domain
 commands configure include default ip
 commands configure include all default crypto
 commands configure include all default aaa
 commands configure include default
 commands configure include no end
 commands configure include all no radius-server
 commands configure include all no access-list
 commands configure include no ip radius source-interface
 commands configure include no ip radius
 commands configure include all no ip nat
 commands configure include no ip dns server
 commands configure include no ip dns
 commands configure include all no interface
 commands configure include all no identity policy
 commands configure include no identity profile
 commands configure include no identity
 commands configure include all no dot1x
 commands configure include all no ip domain lookup
 commands configure include no ip domain
 commands configure include no ip
 commands configure include all no crypto
 commands configure include all no aaa
 commands configure include no
 commands exec include dir all-filesystems
 commands exec include dir
 commands exec include crypto ipsec client ezvpn connect
 commands exec include crypto ipsec client ezvpn xauth
 commands exec include crypto ipsec client ezvpn
 commands exec include crypto ipsec client
 commands exec include crypto ipsec
 commands exec include crypto
 commands exec include write memory
 commands exec include write
 commands exec include all ping ip
 commands exec include ping
 commands exec include configure terminal
 commands exec include configure
 commands exec include all show
 commands exec include no
 commands exec include all debug appfw
 commands exec include all debug ip inspect
 commands exec include debug ip
 commands exec include debug
 commands exec include all clear
!
!
scheduler max-task-time 5000
end

vrankom
wannabe
Posts: 1075
Registered: 21 Nov 2006, 10:27
Location: Warsaw

#19 Post by vrankom »

Hmm, looks like the DNS problem is already solved.

and800
wannabe
Posts: 56
Registered: 16 May 2008, 19:43

#20 Post by and800 »

vrankom, thank you.

I had to add my router's address as the first DNS in the local network's address pool, and additionally one command:

Code:

ip host xxx.pl 10.10.12.2
which indicates that for this particular server (xxx.pl) the address is 10.10.12.2.

Thanks to this, computers on the internal network that have the public address (xxx.pl) defined as their mail server are "redirected" by the router's DNS to the local address.
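The fix above (an `ip host` override plus the router listed first as DNS in the local pool) is easy to get half-right: add a second published host later and forget its override, or leave a pool pointing at the ISP resolvers first, and the hairpin problem from post #18 is back. The following is an added example, not code from the thread or from any of the posters: a small Python audit that parses the relevant IOS lines (static NAT entries, `ip host` entries, interface addresses and DHCP pool `dns-server` lists) and reports published hosts that have no split-DNS override and pools that do not hand the router out as first resolver. The sample config is constructed from the addresses in the thread (88.88.88.88 and xxx.pl are the thread's placeholders) plus one extra published host, 10.10.12.3, invented here to show a finding; the function names are mine. The `resolve` helper models only which resolver each client asks (router for hosts on a router-attached network, public DNS otherwise), which is the mechanism the fix relies on.

```python
"""Split-DNS audit for a Cisco IOS config (added example, not from the thread).

Check 1: every inside host published via a static NAT entry has an `ip host`
         override pointing at it, so inside clients never need the hairpin.
Check 2: every DHCP pool hands out a router-owned address as its first
         dns-server, so clients actually ask the router that holds the overrides.
"""
import ipaddress
import re

# Constructed sample, trimmed from the thread's config. 88.88.88.88 and xxx.pl
# are the thread's own placeholders; 10.10.12.3 is invented here.
SAMPLE_CONFIG = """\
interface BVI1
 ip address 10.10.10.1 255.255.255.0
interface BVI3
 ip address 10.10.12.1 255.255.255.0
ip dhcp pool vlan1
   network 10.10.10.0 255.255.255.0
   dns-server 10.10.10.1 62.233.233.233 87.204.204.204
ip dhcp pool vlan3
   network 10.10.12.0 255.255.255.0
   dns-server 62.233.233.233 87.204.204.204
ip nat source static tcp 10.10.12.2 143 88.88.88.88 143 extendable
ip nat source static tcp 10.10.12.2 25 88.88.88.88 50025 extendable
! constructed: a second published host that nobody wrote an ip host entry for
ip nat source static tcp 10.10.12.3 80 88.88.88.88 80 extendable
ip host xxx.pl 10.10.12.2
"""

NAT_RE = re.compile(r"^ip nat (?:inside )?source static (?:tcp|udp) (\S+) (\d+) (\S+) (\d+)")
HOST_RE = re.compile(r"^ip host (\S+) (\S+)")
IFACE_IP_RE = re.compile(r"^\s+ip address (\S+) (\S+)")
POOL_RE = re.compile(r"^ip dhcp pool (\S+)")
NETWORK_RE = re.compile(r"^\s+network (\S+) (\S+)")
DNS_RE = re.compile(r"^\s+dns-server (.+)$")


def parse_config(text):
    """Pull NAT entries, ip host entries, router interface addresses and DHCP pools."""
    cfg = {"nat": [], "hosts": {}, "router_nets": [], "pools": {}}
    pool = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            pool = None  # any top-level line ends the current pool block
        m = POOL_RE.match(line)
        if m:
            pool = cfg["pools"].setdefault(m.group(1), {"network": None, "dns": []})
            continue
        m = NAT_RE.match(line)
        if m:
            inside_ip, inside_port, outside_ip, outside_port = m.groups()
            cfg["nat"].append((inside_ip, int(inside_port), outside_ip, int(outside_port)))
            continue
        m = HOST_RE.match(line)
        if m:
            cfg["hosts"][m.group(1)] = m.group(2)
            continue
        m = IFACE_IP_RE.match(line)
        if m:
            cfg["router_nets"].append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}"))
            continue
        if pool is not None:
            m = NETWORK_RE.match(line)
            if m:
                pool["network"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
                continue
            m = DNS_RE.match(line)
            if m:
                pool["dns"] = m.group(1).split()
    return cfg


def missing_dns_overrides(cfg):
    """Inside hosts published by static NAT that no `ip host` entry points at."""
    published = {inside_ip for inside_ip, _, _, _ in cfg["nat"]}
    overridden = set(cfg["hosts"].values())
    return sorted(published - overridden)


def pools_without_router_dns_first(cfg):
    """DHCP pools whose first dns-server is not an address owned by the router."""
    router_ips = {str(i.ip) for i in cfg["router_nets"]}
    return sorted(name for name, p in cfg["pools"].items()
                  if not p["dns"] or p["dns"][0] not in router_ips)


def resolve(name, client_ip, cfg, public_records):
    """Address a client ends up with: hosts on a router-attached network ask the
    router (ip host wins); everyone else gets the public record."""
    client = ipaddress.ip_address(client_ip)
    inside = any(client in i.network for i in cfg["router_nets"])
    if inside and name in cfg["hosts"]:
        return cfg["hosts"][name]
    return public_records[name]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("published hosts lacking ip host override:", missing_dns_overrides(cfg))
    print("pools not handing out the router as first DNS:", pools_without_router_dns_first(cfg))
    public = {"xxx.pl": "88.88.88.88"}
    for client in ("10.10.10.50", "203.0.113.9"):
        print(f"{client} -> xxx.pl = {resolve('xxx.pl', client, cfg, public)}")
```

Run against the sample, the audit flags 10.10.12.3 (published but never overridden) and pool vlan3 (DMZ clients still ask the ISP resolvers first), while an inside client resolves xxx.pl to 10.10.12.2 and an outside one to 88.88.88.88, which is exactly the split the thread ends on.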
