My public address is unreachable from the internal network
Good morning, colleagues.
I assume the topic is perfectly well known to most professionals, but I haven't found an unambiguous explanation of this issue on the forum. I also ask for your understanding, because I am an amateur.
What's the matter?
I have a fixed external address with a domain name assigned to it (e.g. ab-cd.pl). When I'm on the public network, I connect to my mail server through that domain name. Everything works without a problem. The problem arises when I want to use that domain name while on my home network. Then my router (Cisco 877 W) can't cope. I assume this issue is well known to most of you. The problem is that I don't know what to do next; I dug into "NAT on a stick" and "ip nat enable", but I didn't achieve much (precisely: nothing).
The annoying part is that while at home I have to reconfigure my devices (phone, laptop) to the internal address of the mail server, while away from home I have to type in the external address or the domain name. Do you know some magic way?
The network approach: build a DMZ with addressing different from the LAN. On top of that, translate the address of the server in the DMZ to the public address in the direction of the LAN as well as the Internet.
The system approach: create a view of your domain for the LAN with internal addresses. From the Internet a.ab-cd.pl is a.a.a.a, and from the LAN a.ab-cd.pl is e.g. 192.168.1.1, and in your configuration use names instead of IPs.
<: Enceladus :>
enceladus
Thanks for the quick reply.
It so happens that I have several VLANs on my router and one of them is precisely a DMZ (the mail server sits in it). My internal network is 10.10.11.0, and the DMZ network is 10.10.12.0.
Unfortunately I don't understand what this means:
enceladus wrote: ... On top of that, translate the address of the server in the DMZ to the public address in the direction of the LAN as well as the Internet...
A quick NVI version:
10.10.12.2 is the address of the mail server.
I assume you translate the mail server to the interface address a.b.c.d.
Code: Select all
interface vlan 1
desc [DMZ]
ip addr 10.10.12.1 255.255.255.0
ip nat enable
interface vlan 2
desc [LAN]
ip addr 10.10.11.1 255.255.255.0
ip nat enable
interface fast 4
desc [internet]
ip addr a.b.c.d 255.255.255.252
ip nat enable
ip access-list extended acl-nat
deny ip 10.10.11.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 10.10.11.0 0.0.0.255 any
ip nat source list acl-nat interface FastEthernet4 overload
ip nat source static tcp 10.10.12.2 25 a.b.c.d 25 extendable
<: Enceladus :>
Thank you for the information. I applied the above entries to my config, but unfortunately the commands didn't bring the expected result. It seems to me that this is caused by the firewalls I have between each VLAN. Are there commands that can verify what is wrong?
PS I already had these entries, except for the ACL named 'acl-nat' and the 'ip nat enable' commands for each interface. The line where I translate port 25 from the internal IP to the external IP already existed (ip nat source static tcp ...); additionally I have port 143 translated.
Recipe from the forum:
and800 wrote: exactly. I don't deny that I also came across this functionality, but it is intended exclusively for switches
Code: Select all
Here is the recipe:
1. On the computers, enter your router's gateway (inside) as the DNS server address
2. On the router enter (for example):
- ip domain round-robin
- ip host www.blabla.pl 192.168.1.20 (this is your internal server with static NAT)
- ip name-server NS1_OPERATORA
- ip name-server NS2_OPERATORA
Regards
Krzysiek Te.
Thanks for the reply.
Unfortunately it doesn't work.
The instructions seem simple to me, but just in case I'll write down what I did (two points, matching your recommendations).
1.
Code: Select all
ip dhcp pool WLAN2
network 10.10.11.0 255.255.255.0
dns-server 10.10.11.1
default-router 10.10.11.1
lease infinite
2.
Code: Select all
ip domain round-robin
ip host blabla.pl 10.10.12.2 (this is the internal address of my mail server)
ip name-server 62.233.233.233
ip name-server 87.204.204.204
The effect is that my name (blabla.pl) is still not reachable from the internal network, and the computers have lost Internet access. I tried entering the DNS values on the computer "by hand", but the effect was identical...
\\EDIT: code tags
gryglas
Last edited by and800 on 14 Feb 2012, 13:04, edited 1 time in total.
Damn, when I look at this I can't believe myself that anything can work ...
... though I don't deny that everything works.
Code: Select all
!This is the running config of the router: 10.10.10.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname C877W
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 4096 informational
enable secret 5 xxxx
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.10.10.1 auth-port 1814 acct-port 1815
!
aaa group server radius rad_mac
server 10.10.10.1 auth-port 1814 acct-port 1815
!
aaa group server radius rad_acct
!
aaa group server tacacs+ tac_admin
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login mac-user local-case group rad_mac
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization ipmobile default group rad_pmip
aaa authorization network sdm_vpn_group_ml_1 local
aaa accounting network acct_methods start-stop group rad_acct
!
!
aaa session-id common
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 3:00 last Sun Oct 4:00
!
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
crypto pki trustpoint TP-self-signed-333
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-333
revocation-check none
rsakeypair TP-self-signed-333
!
!
crypto pki certificate chain tti
crypto pki certificate chain TP-self-signed-333
certificate self-signed 01
999
quit
dot11 mbssid
dot11 syslog
dot11 vlan-name GLAN4 vlan 4
dot11 vlan-name WLAN2 vlan 2
dot11 vlan-name WLAN3 vlan 3
!
dot11 ssid xxx
vlan 4
authentication open
authentication key-management wpa
wpa-psk ascii 7 999
!
dot11 ssid xxx
vlan 2
authentication open eap mac_methods
authentication network-eap mac_methods
authentication key-management wpa
!
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp excluded-address 10.10.10.131 10.10.10.254
ip dhcp excluded-address 10.10.12.4 10.10.12.254
ip dhcp excluded-address 192.168.1.31 192.168.1.254
ip dhcp excluded-address 10.10.11.15 10.10.11.254
!
ip dhcp pool LAN1
network 10.10.10.0 255.255.255.0
dns-server 62.233.233.233 87.204.204.204
default-router 10.10.10.1
netbios-name-server 10.10.10.115
lease infinite
!
ip dhcp pool WLAN4
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 62.233.233.233 87.204.204.204
netbios-name-server 10.10.10.115
domain-name ml-ab.pl
lease infinite
!
ip dhcp pool WLAN2
network 10.10.11.0 255.255.255.0
dns-server 62.233.233.233 87.204.204.204
default-router 10.10.11.1
netbios-name-server 10.10.10.115
lease infinite
!
ip dhcp pool DLAN3
import all
network 10.10.12.0 255.255.255.0
default-router 10.10.12.1
dns-server 62.233.233.233 87.204.204.204
netbios-name-server 10.10.10.115
lease infinite
!
!
no ip bootp server
ip domain name xxx.pl
ip name-server 62.233.233.233
ip name-server 87.204.204.204
ip name-server 10.10.10.1
no ip port-map x11 port tcp from 6000 to 6606 description X Window System
ip inspect audit-trail
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips config location flash:/ips5/ retries 5 timeout 10
ip ips notify SDEE
no ip ips notify log
!
ip ips signature-category
category all
retired true
category ios_ips basic
retired false
!
!
multilink bundle-name authenticated
parameter-map type regex sdm-regex-nonascii
pattern [^\x00-\x80]
password encryption aes
!
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any Q209-out-access
match protocol user-20
match protocol ftp
match protocol http
match protocol https
match protocol user-1222
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any X61-WiFi-utorrent
match protocol user-25692
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
match class-map X61-WiFi-utorrent
match access-group name X61-WiFi-utorrent
class-map type inspect match-any DL-in-access
match protocol user-3389
match protocol microsoft-ds
match protocol netbios-dgm
match protocol netbios-ssn
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM_WEBVPN
match access-group name SDM_WEBVPN
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
match class-map SDM_WEBVPN
match access-group 107
class-map type inspect match-all sdm-cls--9
match access-group name any
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any printer-9100
match protocol user-9100
class-map type inspect match-all sdm-cls--8
match class-map printer-9100
match access-group name guest-ezvpn-print
class-map type inspect match-any samba
match protocol netbios-dgm
match protocol netbios-ssn
match protocol netbios-ns
match protocol microsoft-ds
class-map type inspect match-any dmz-samba
match class-map samba
class-map type inspect match-all sdm-cls--3
match class-map dmz-samba
match access-group name dmz-samba
class-map type inspect match-any DL-vpn-access
match protocol user-3389
match protocol microsoft-ds
match protocol netbios-dgm
match protocol netbios-ssn
class-map type inspect match-all sdm-cls--2
match class-map DL-vpn-access
match access-group name DL-vpn-access
class-map type inspect match-all sdm-cls--1
match class-map DL-vpn-access
match access-group name DL-vpn-access
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-all sdm-cls--7
match access-group name all
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any print-9100
match protocol user-9100
class-map type inspect match-all sdm-cls--6
match access-group name guests_network_printer
match class-map print-9100
class-map type inspect match-all sdm-cls--5
match access-group name internet
class-map type inspect match-all sdm-cls--4
match access-group name printer
class-map type inspect match-any mail-access
match protocol imap
match protocol smtp
match protocol user-6017
match protocol user-50110
match protocol user-50025
class-map type inspect match-any nfs-service
match protocol nfs
match protocol sunrpc
class-map type inspect imap match-any imap-mail
match login clear-text
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
class-map type inspect match-any sdm-dmz-protocols
match protocol http
match protocol user-20
match protocol ftp
match protocol user-25691
class-map type inspect match-all sdm-dmz-traffic
match access-group name dmz-traffic
match class-map sdm-dmz-protocols
class-map type inspect match-any DL-torrent-access
match protocol user-25691
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-any Q209-in-access
match protocol user-8089
match protocol user-7965
match protocol user-20
match protocol ftp
match protocol netbios-dgm
match protocol netbios-ssn
class-map type inspect match-any rlogin-q409
match protocol user-25873
class-map type inspect match-any dns
match protocol dns
match protocol wins
class-map type inspect match-all sdm-cls-sdm-permit-dmzservice-8
match class-map dns
match access-group name dns
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect match-any rlogin-q209
match protocol user-25873
class-map type inspect match-all sdm-cls-sdm-policy-sdm-cls--3-1
match class-map rlogin-q409
match access-group name rlogin-q409
class-map type inspect match-all sdm-cls-sdm-permit-dmzservice-1
match class-map DL-torrent-access
match access-group name DL-torrent-access
class-map type inspect match-all sdm-cls-sdm-permit-dmzservice-2
match class-map DL-in-access
match access-group name DL-in-access
class-map type inspect match-all sdm-cls-sdm-permit-dmzservice-3
match class-map Q209-in-access
match access-group name Q209-in-access
class-map type inspect match-all sdm-cls-sdm-permit-dmzservice-4
match class-map Q209-out-access
match access-group name Q209-out-access
class-map type inspect match-all sdm-cls-sdm-permit-dmzservice-5
match class-map mail-access
match access-group name mail-access
class-map type inspect match-all sdm-cls-sdm-permit-dmzservice-6
match class-map nfs-service
match access-group name nfs-service
class-map type inspect match-all sdm-cls-sdm-permit-dmzservice-7
match class-map rlogin-q209
match access-group name rlogin-q209
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
drop
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
inspect
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
inspect
class class-default
pass
policy-map type inspect sdm-permit
class type inspect SDM_WEBVPN_TRAFFIC
inspect
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class class-default
policy-map type inspect sdm-policy-sdm-cls--3
class type inspect sdm-cls--3
inspect
class type inspect sdm-cls-sdm-policy-sdm-cls--3-1
inspect
class class-default
policy-map type inspect sdm-permit-dmzservice
class type inspect sdm-cls-sdm-permit-dmzservice-7
inspect
class type inspect sdm-cls-sdm-permit-dmzservice-3
inspect
class type inspect sdm-cls-sdm-permit-dmzservice-2
inspect
class type inspect sdm-cls-sdm-permit-dmzservice-5
inspect
class type inspect sdm-cls-sdm-permit-dmzservice-4
inspect
class type inspect sdm-cls-sdm-permit-dmzservice-1
inspect
class class-default
drop
policy-map type inspect sdm-policy-sdm-cls--2
class type inspect sdm-cls--2
inspect
class class-default
policy-map type inspect sdm-policy-sdm-cls--5
class type inspect sdm-cls--5
inspect
class class-default
policy-map type inspect sdm-policy-sdm-cls--4
class type inspect sdm-cls--4
inspect
class class-default
policy-map type inspect sdm-policy-sdm-cls--7
class type inspect sdm-cls--7
inspect
class class-default
policy-map type inspect sdm-policy-sdm-cls--6
class type inspect sdm-cls--6
inspect
class class-default
policy-map type inspect sdm-policy-sdm-cls--9
class type inspect sdm-cls--9
inspect
class class-default
policy-map type inspect sdm-policy-sdm-cls--8
class type inspect sdm-cls--8
inspect
class class-default
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
!
zone security ezvpn-zone
zone security out-zone
zone security in-zone
zone security dmz-zone
zone security guest-zone
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-dmz source out-zone destination dmz-zone
service-policy type inspect sdm-permit-dmzservice
zone-pair security sdm-zp-in-dmz source in-zone destination dmz-zone
service-policy type inspect sdm-permit-dmzservice
zone-pair security sdm-zp-ezvpn-dmz source ezvpn-zone destination dmz-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-dmz-zone-ezvpn-zone source dmz-zone destination ezvpn-zone
service-policy type inspect sdm-policy-sdm-cls--2
zone-pair security sdm-zp-dmz-out source dmz-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-dmz-zone-in-zone source dmz-zone destination in-zone
service-policy type inspect sdm-policy-sdm-cls--3
zone-pair security sdm-zp-in-zone-guest-zone source in-zone destination guest-zone
service-policy type inspect sdm-policy-sdm-cls--4
zone-pair security sdm-zp-guest-zone-out-zone source guest-zone destination out-zone
service-policy type inspect sdm-policy-sdm-cls--5
zone-pair security sdm-zp-guest-zone-in-zone source guest-zone destination in-zone
service-policy type inspect sdm-policy-sdm-cls--6
zone-pair security sdm-zp-dmz-zone-guest-zone source dmz-zone destination guest-zone
service-policy type inspect sdm-policy-sdm-cls--7
zone-pair security sdm-zp-guest-zone-ezvpn-zone source guest-zone destination ezvpn-zone
service-policy type inspect sdm-policy-sdm-cls--8
zone-pair security sdm-zp-ezvpn-zone-guest-zone source ezvpn-zone destination guest-zone
service-policy type inspect sdm-policy-sdm-cls--9
!
bridge irb
!
!
interface ATM0
bandwidth 1012
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.2 point-to-point
description $FW_OUTSIDE$$ES_WAN$
zone-member security out-zone
pvc 0/35
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface FastEthernet0
description LAN1
!
interface FastEthernet1
description WLAN2
switchport access vlan 2
!
interface FastEthernet2
switchport trunk native vlan 3
switchport mode trunk
!
interface FastEthernet3
description GLAN4
switchport access vlan 4
!
interface Virtual-Template1 type tunnel
description VTempl1$FW_INSIDE$
ip unnumbered Dialer1
ip flow ingress
ip flow egress
ip virtual-reassembly
zone-member security ezvpn-zone
ip route-cache flow
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
no ip address
ip nbar protocol-discovery
ip flow ingress
ip flow egress
!
encryption vlan 2 mode ciphers aes-ccm
!
encryption vlan 4 mode ciphers tkip
!
encryption mode ciphers tkip
!
encryption vlan 3 mode ciphers aes-ccm
!
ssid xxx
!
ssid xxx
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
l2-filter bridge-group-acl
!
interface Dot11Radio0.2
description WLAN2
encapsulation dot1Q 2
no cdp enable
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 input-address-list 700
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface Dot11Radio0.3
encapsulation dot1Q 3
no cdp enable
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 spanning-disabled
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
!
interface Dot11Radio0.4
description GLAN4
encapsulation dot1Q 4
no cdp enable
bridge-group 4
bridge-group 4 subscriber-loop-control
bridge-group 4 spanning-disabled
bridge-group 4 block-unknown-source
no bridge-group 4 source-learning
no bridge-group 4 unicast-flooding
!
interface Vlan1
description LAN1$FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
ip flow ingress
ip route-cache flow
ip tcp adjust-mss 1452
bridge-group 1
!
interface Vlan4
description GLAN4
no ip address
traffic-shape rate 64000 8000 8000 1000
bridge-group 4
!
interface Vlan2
description WLAN2
no ip address
bridge-group 2
!
interface Vlan3
no ip address
bridge-group 3
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
ip route-cache flow
dialer pool 2
dialer-group 2
no cdp enable
ppp authentication chap callin
ppp chap hostname 888@w999.pl
ppp chap password 7 777
!
interface BVI1
description LAN1$ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip access-group 103 in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
ip tcp adjust-mss 1452
!
interface BVI4
description GLAN4$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security guest-zone
!
interface BVI2
description WLAN2$FW_INSIDE$
ip address 10.10.11.1 255.255.255.0
ip access-group 108 in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
interface BVI3
description WLAN3$FW_DMZ$
ip address 10.10.12.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security dmz-zone
!
ip local pool VPN_POOL1 10.10.10.150 10.10.10.155 cache-size 2
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip flow-cache timeout active 1
ip flow-export source Dot11Radio0
ip flow-export version 5
ip flow-export destination 10.10.10.114 9996
ip flow-export destination 10.10.1.4 9996
!
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 2 interface Dialer1 overload
ip nat inside source list 3 interface Dialer1 overload
ip nat inside source list 4 interface Dialer1 overload
ip nat inside source static tcp 10.10.12.2 21 interface Dialer1 21
ip nat inside source static tcp 10.10.12.2 20 interface Dialer1 20
ip nat inside source static tcp 10.10.12.3 25691 interface Dialer1 25691
ip nat inside source static tcp 10.10.12.2 50025 interface Dialer1 25
ip nat inside source static tcp 10.10.12.2 110 interface Dialer1 50110
ip nat inside source static tcp 10.10.12.2 6017 interface Dialer1 6017
ip nat inside source static tcp 10.10.12.2 143 interface Dialer1 143
ip nat inside source static tcp 10.10.12.2 25 interface Dialer1 50025
ip nat inside source static tcp 10.10.12.2 80 interface Dialer1 1222
!
ip access-list extended B10
remark SDM_ACL Category=128
permit ip any host 10.10.10.106
ip access-list extended DL-in-access
remark SDM_ACL Category=128
permit ip host 10.10.10.117 host 10.10.12.3
permit ip host 10.10.11.7 host 10.10.12.3
ip access-list extended DL-torrent-access
remark SDM_ACL Category=128
permit ip any host 10.10.12.3
ip access-list extended DL-vpn-access
remark SDM_ACL Category=128
permit ip 10.10.10.0 0.0.0.255 host 10.10.12.3
ip access-list extended Q209-in-access
remark SDM_ACL Category=128
permit ip host 10.10.10.117 host 10.10.12.2
permit ip host 10.10.11.7 host 10.10.12.2
ip access-list extended Q209-out-access
remark SDM_ACL Category=128
permit ip any host 10.10.12.2
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_IP
remark SDM_ACL Category=1
permit ip any any
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=1
permit tcp any any eq 22
ip access-list extended SDM_WEBVPN
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended X61
remark X61 privilige
remark SDM_ACL Category=256
permit tcp host 10.10.10.110 any
ip access-list extended X61-WiFi-utorrent
remark SDM_ACL Category=128
permit ip any host 10.10.11.4
ip access-list extended all
remark SDM_ACL Category=128
permit ip any any
ip access-list extended any
remark SDM_ACL Category=128
permit ip any any
ip access-list extended dmz-samba
remark SDM_ACL Category=128
permit ip 10.10.12.0 0.0.0.255 host 10.10.10.115
ip access-list extended dmz-traffic
remark SDM_ACL Category=1
permit ip any host 10.10.12.2
permit ip any host 10.10.12.3
ip access-list extended dns
remark SDM_ACL Category=128
permit ip any host 10.10.12.2
ip access-list extended guest-ezvpn-print
remark SDM_ACL Category=128
permit ip host 192.168.1.2 any
permit ip host 192.168.1.3 any
permit ip host 192.168.1.4 any
ip access-list extended guests_network_printer
remark SDM_ACL Category=128
permit ip host 192.168.1.2 any
permit ip host 192.168.1.3 any
permit ip host 192.168.1.4 any
deny ip any any
ip access-list extended internet
remark SDM_ACL Category=128
permit ip any any
ip access-list extended mail-access
remark SDM_ACL Category=128
permit ip any host 10.10.12.2
ip access-list extended nfs-service
remark SDM_ACL Category=128
permit ip host 10.10.10.115 10.10.12.0 0.0.0.255
ip access-list extended printer
remark SDM_ACL Category=128
permit ip any any
ip access-list extended rlogin-q209
remark SDM_ACL Category=128
permit ip host 10.10.10.115 host 10.10.12.2
ip access-list extended rlogin-q409
remark SDM_ACL Category=128
permit ip host 10.10.12.2 host 10.10.10.115
!
no logging trap
logging 10.10.10.1
access-list 1 remark inside to Internet
access-list 1 remark SDM_ACL Category=2
access-list 1 remark LAN1
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark WLAN2
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.11.0 0.0.0.255
access-list 3 remark DLAN3
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 10.10.12.0 0.0.0.255
access-list 4 remark WLAN4
access-list 4 remark SDM_ACL Category=2
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 5 remark HTTP Access-class list
access-list 5 remark SDM_ACL Category=1
access-list 5 permit 10.10.10.0 0.0.0.255
access-list 5 deny any
access-list 6 remark HTTP Access-class list
access-list 6 remark SDM_ACL Category=1
access-list 6 permit 10.10.10.0 0.0.0.255
access-list 6 deny any
access-list 7 remark Auto generated by SDM Management Access feature
access-list 7 remark SDM_ACL Category=1
access-list 7 permit 10.10.11.4
access-list 7 permit 10.10.10.114
access-list 8 permit 10.10.11.7
access-list 8 remark Auto generated by SDM Management Access feature
access-list 8 remark SDM_ACL Category=1
access-list 8 permit 10.10.10.117
access-list 9 permit 10.10.11.7
access-list 9 remark Auto generated by SDM Management Access feature
access-list 9 remark SDM_ACL Category=1
access-list 9 permit 10.10.10.117
access-list 10 permit 10.10.11.7
access-list 10 remark Auto generated by SDM Management Access feature
access-list 10 remark SDM_ACL Category=1
access-list 10 permit 10.10.10.117
access-list 35 remark 10.10.10.0 NETWORK ACCESS
access-list 35 remark SDM_ACL Category=16
access-list 35 permit 10.10.10.120
access-list 35 deny 10.10.10.0 0.0.0.255
access-list 35 permit any
access-list 37 permit 192.168.1.3
access-list 37 remark printer - guests network
access-list 37 remark SDM_ACL Category=1
access-list 37 permit 192.168.1.2
access-list 37 permit 192.168.1.4
access-list 37 deny any
access-list 38 remark GLAN4 internet only
access-list 38 remark SDM_ACL Category=1
access-list 38 remark brak dostepu do LAN1
access-list 38 deny 10.10.10.0 0.0.0.255
access-list 38 remark brak dostepu do WLAN2
access-list 38 deny 10.10.11.0 0.0.0.255
access-list 38 permit any
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.10.11.0 0.0.0.255 any
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 10.10.12.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip any any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp host 10.10.10.117 host 10.10.10.1 eq telnet
access-list 103 permit tcp host 10.10.10.117 host 10.10.10.1 eq 22
access-list 103 permit tcp host 10.10.10.117 host 10.10.10.1 eq www
access-list 103 permit tcp host 10.10.10.114 host 10.10.10.1 eq www
access-list 103 permit tcp host 10.10.10.117 host 10.10.10.1 eq 443
access-list 103 permit tcp host 10.10.10.114 host 10.10.10.1 eq 443
access-list 103 permit tcp host 10.10.10.117 host 10.10.10.1 eq cmd
access-list 103 deny tcp any host 10.10.10.1 eq telnet
access-list 103 deny tcp any host 10.10.10.1 eq 22
access-list 103 deny tcp any host 10.10.10.1 eq www
access-list 103 deny tcp any host 10.10.10.1 eq 443
access-list 103 deny tcp any host 10.10.10.1 eq cmd
access-list 103 deny udp any host 10.10.10.1 eq snmp
access-list 103 permit udp host 10.10.10.1 eq domain any
access-list 103 permit udp host 10.10.10.115 eq domain any
access-list 103 permit ip any host 10.10.10.1
access-list 103 permit udp host 10.10.10.1 eq 1645 host 10.10.10.1
access-list 103 permit udp host 10.10.10.1 eq 1646 host 10.10.10.1
access-list 103 permit udp host 10.10.10.1 eq 1812 host 10.10.10.1
access-list 103 permit udp host 10.10.10.1 eq 1813 host 10.10.10.1
access-list 103 permit ip any any
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip host 10.10.10.117 any
access-list 104 permit ip host 10.10.11.7 any
access-list 104 permit ip 10.10.10.0 0.0.0.255 any log
access-list 104 deny ip any any log
access-list 105 remark Auto generated by SDM Management Access feature
access-list 105 remark SDM_ACL Category=1
access-list 105 permit tcp host 10.10.11.7 host 10.10.11.1 eq telnet
access-list 105 permit tcp host 10.10.11.4 host 10.10.11.1 eq telnet
access-list 105 permit tcp host 10.10.11.7 host 10.10.11.1 eq 22
access-list 105 permit tcp host 10.10.11.4 host 10.10.11.1 eq 22
access-list 105 permit tcp host 10.10.11.7 host 10.10.11.1 eq www
access-list 105 permit tcp host 10.10.11.4 host 10.10.11.1 eq www
access-list 105 permit tcp host 10.10.11.7 host 10.10.11.1 eq 443
access-list 105 permit tcp host 10.10.11.4 host 10.10.11.1 eq 443
access-list 105 permit tcp host 10.10.11.7 host 10.10.11.1 eq cmd
access-list 105 permit tcp host 10.10.11.4 host 10.10.11.1 eq cmd
access-list 105 deny tcp any host 10.10.11.1 eq telnet
access-list 105 deny tcp any host 10.10.11.1 eq 22
access-list 105 deny tcp any host 10.10.11.1 eq www
access-list 105 deny tcp any host 10.10.11.1 eq 443
access-list 105 deny tcp any host 10.10.11.1 eq cmd
access-list 105 deny udp any host 10.10.11.1 eq snmp
access-list 105 permit ip any any
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host 10.10.10.120
access-list 107 remark SDM_ACL Category=128
access-list 107 permit ip any host 77.253.216.9
access-list 108 remark Auto generated by SDM Management Access feature
access-list 108 remark SDM_ACL Category=1
access-list 108 permit tcp host 10.10.11.7 host 10.10.11.1 eq telnet
access-list 108 permit tcp host 10.10.11.7 host 10.10.11.1 eq 22
access-list 108 permit tcp host 10.10.11.7 host 10.10.11.1 eq www
access-list 108 permit tcp host 10.10.11.7 host 10.10.11.1 eq 443
access-list 108 permit tcp host 10.10.11.7 host 10.10.11.1 eq cmd
access-list 108 deny tcp any host 10.10.11.1 eq telnet
access-list 108 deny tcp any host 10.10.11.1 eq 22
access-list 108 deny tcp any host 10.10.11.1 eq www
access-list 108 deny tcp any host 10.10.11.1 eq 443
access-list 108 deny tcp any host 10.10.11.1 eq cmd
access-list 108 deny udp any host 10.10.11.1 eq snmp
access-list 108 permit ip any any
access-list 140 remark speed limit WLAN4
access-list 140 remark SDM_ACL Category=1
access-list 140 permit ip 192.168.1.0 0.0.0.255 any
access-list 140 permit ip any 192.168.1.0 0.0.0.255
access-list 700 permit 999 0000.0000.0000
access-list 700 permit 999 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
no cdp run
!
!
!
radius-server local
nas 10.10.10.1 key 7 999
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.10.10.1 auth-port 1814 acct-port 1815 key 7 999
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
bridge 3 protocol ieee
bridge 3 route ip
bridge 4 protocol ieee
bridge 4 route ip
banner exec ^CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
% Password expiration warning.
-----------------------------------------------------------------------
nice, huh ?
-----------------------------------------------------------------------
^C
banner login ^CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
speed 115200
line aux 0
transport output telnet
line vty 0 3
access-class 104 in
exec-timeout 0 0
privilege level 15
transport input telnet ssh
line vty 4
access-class 104 in
exec-timeout 0 0
privilege level 15
transport input telnet ssh
parser view SDM_EasyVPN_Remote
secret 5 999
! Last configuration change at 19:08:29 CET Sun May 6 2012 by admin
! NVRAM config last updated at 19:09:21 CET Sun May 6 2012 by admin
!
commands interface include all crypto
commands interface include all no crypto
commands interface include no
commands configure include end
commands configure include all radius-server
commands configure include all access-list
commands configure include ip radius source-interface
commands configure include ip radius
commands configure include all ip nat
commands configure include ip dns server
commands configure include ip dns
commands configure include all interface
commands configure include all identity policy
commands configure include identity profile
commands configure include identity
commands configure include all dot1x
commands configure include all ip domain lookup
commands configure include ip domain
commands configure include ip
commands configure include all crypto
commands configure include all aaa
commands configure include default end
commands configure include all default radius-server
commands configure include all default access-list
commands configure include default ip radius source-interface
commands configure include default ip radius
commands configure include all default ip nat
commands configure include default ip dns server
commands configure include default ip dns
commands configure include all default interface
commands configure include all default identity policy
commands configure include default identity profile
commands configure include default identity
commands configure include all default dot1x
commands configure include all default ip domain lookup
commands configure include default ip domain
commands configure include default ip
commands configure include all default crypto
commands configure include all default aaa
commands configure include default
commands configure include no end
commands configure include all no radius-server
commands configure include all no access-list
commands configure include no ip radius source-interface
commands configure include no ip radius
commands configure include all no ip nat
commands configure include no ip dns server
commands configure include no ip dns
commands configure include all no interface
commands configure include all no identity policy
commands configure include no identity profile
commands configure include no identity
commands configure include all no dot1x
commands configure include all no ip domain lookup
commands configure include no ip domain
commands configure include no ip
commands configure include all no crypto
commands configure include all no aaa
commands configure include no
commands exec include dir all-filesystems
commands exec include dir
commands exec include crypto ipsec client ezvpn connect
commands exec include crypto ipsec client ezvpn xauth
commands exec include crypto ipsec client ezvpn
commands exec include crypto ipsec client
commands exec include crypto ipsec
commands exec include crypto
commands exec include write memory
commands exec include write
commands exec include all ping ip
commands exec include ping
commands exec include configure terminal
commands exec include configure
commands exec include all show
commands exec include no
commands exec include all debug appfw
commands exec include all debug ip inspect
commands exec include debug ip
commands exec include debug
commands exec include all clear
!
!
scheduler max-task-time 5000
ntp clock-period 17175417
ntp server 193.110.137.171 source Dialer1
ntp server 212.244.36.227 source Dialer1
ntp server 150.254.183.15 source Dialer1 prefer
!
end
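Added example (not part of the posted config, and not the poster's code): a small evaluator for the numbered IOS ACLs above, to show how entries like ACL 103 and ACL 104 (the one applied with `access-class 104 in` on the vty lines) actually decide a packet. It models the two rules that matter: entries are tried top to bottom with the first match winning, and every ACL ends in an implicit deny. The sample input is a constructed excerpt of ACLs 35, 103, 104 and 106 with the remarks stripped; the port-keyword table and the restriction to `any`/`host`/wildcard specs and the `eq` operator are assumptions of this example, not a complete IOS grammar.

```python
"""Added example: minimal evaluator for Cisco IOS numbered IP ACLs. Entries are tried top to
bottom, the first match wins, and every ACL ends in an implicit deny. Only 'any', 'host A',
'A WILDCARD' and the 'eq PORT' operator are handled (assumption; no ranges/'established')."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed excerpt of ACLs 35, 103, 104 and 106 from the posted config, remarks dropped.
SAMPLE_CONFIG = """
access-list 35 permit 10.10.10.120
access-list 35 deny 10.10.10.0 0.0.0.255
access-list 35 permit any
access-list 103 permit tcp host 10.10.10.117 host 10.10.10.1 eq telnet
access-list 103 permit tcp host 10.10.10.117 host 10.10.10.1 eq 22
access-list 103 permit tcp host 10.10.10.114 host 10.10.10.1 eq www
access-list 103 deny tcp any host 10.10.10.1 eq telnet
access-list 103 deny tcp any host 10.10.10.1 eq 22
access-list 103 deny tcp any host 10.10.10.1 eq www
access-list 103 deny udp any host 10.10.10.1 eq snmp
access-list 103 permit udp host 10.10.10.1 eq domain any
access-list 103 permit ip any host 10.10.10.1
access-list 103 permit ip any any
access-list 104 permit ip host 10.10.10.117 any
access-list 104 permit ip host 10.10.11.7 any
access-list 104 permit ip 10.10.10.0 0.0.0.255 any log
access-list 104 deny ip any any log
access-list 106 permit ip any host 10.10.10.120
"""
# Port keywords IOS prints instead of numbers (assumed subset); plain numbers parse as-is.
PORT_NAMES = {"telnet": 23, "www": 80, "domain": 53, "snmp": 161, "cmd": 514}
ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with wildcard 255.255.255.255

@dataclass
class Entry:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol
    src: tuple[int, int]    # (address, wildcard mask) as 32-bit ints
    dst: tuple[int, int]
    sport: int | None = None
    dport: int | None = None
    log: bool = False
    text: str = ""

def _addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _parse_spec(tok, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' | 'A' (standard-ACL shorthand for a host)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (_addr(tok[i + 1]), 0), i + 2
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():   # next token is a wildcard mask
        return (_addr(tok[i]), _addr(tok[i + 1])), i + 2
    return (_addr(tok[i]), 0), i + 1

def _parse_port(tok, i):
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i

def parse(text: str) -> dict[int, list[Entry]]:
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        num, action = int(tok[1]), tok[2]
        if num <= 99 or 1300 <= num <= 1999:   # standard ACL: source address only
            src, i = _parse_spec(tok, 3)
            entry = Entry(action, "ip", src, ANY, log="log" in tok[i:], text=line)
        else:                                  # extended ACL: proto, src [eq], dst [eq]
            src, i = _parse_spec(tok, 4)
            sport, i = _parse_port(tok, i)
            dst, i = _parse_spec(tok, i)
            dport, i = _parse_port(tok, i)
            entry = Entry(action, tok[3], src, dst, sport, dport, "log" in tok[i:], line)
        acls.setdefault(num, []).append(entry)
    return acls

def _covers(spec, addr: int) -> bool:
    net, wild = spec
    care = ~wild & 0xFFFFFFFF   # a set wildcard bit means "don't care"
    return (addr & care) == (net & care)

def evaluate(acls, number, proto, src, dst="0.0.0.0", sport=None, dport=None):
    """First matching entry of ACL `number` as (action, index, entry);
    ("deny", None, None) stands for the implicit deny that ends every IOS ACL."""
    s, d = _addr(src), _addr(dst)
    for i, e in enumerate(acls.get(number, [])):
        if (e.proto in ("ip", proto) and _covers(e.src, s) and _covers(e.dst, d)
                and e.sport in (None, sport) and e.dport in (None, dport)):
            return e.action, i, e
    return "deny", None, None

ACLS = parse(SAMPLE_CONFIG)
```

Running `evaluate(ACLS, 103, "tcp", "10.10.10.114", "10.10.10.1", dport=22)` returns the `deny` on the `eq 22` line, while the same host to port 80 hits its own `permit`; and `evaluate(ACLS, 103, "tcp", "10.10.10.50", "10.10.10.1", dport=8080)` lands on `permit ip any host 10.10.10.1`, which is why the management-port denies in ACL 103 only bite for the ports they name. For ACL 104, the `access-class` on the vty lines, only the source address matters, so a guest at 192.168.1.3 falls through to the final logged `deny`.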