my public address unreachable from the internal network

Routing-related problems

and800
wannabe
Posts: 56
Joined: 16 May 2008, 19:43

#1 Post by and800 »

Good day, colleagues

I assume this topic is perfectly familiar to most of the professionals here, but I haven't found a clear explanation of it on the forum. I also ask for your patience, as I am an amateur.

What is it about?

I have a fixed external address with a domain name assigned to it (e.g. ab-cd.pl). When I'm on the public network I connect to my mail server via that domain name. No problems at all. The problem arises when I want to use that domain name while on my home network. Then my router (Cisco 877W) can't cope. I assume this issue is well known to most of you. The problem is that I don't know what to do next; I dug into "NAT on a stick" and "ip nat enable", but I didn't get far (to be precise: nowhere).

It's tiresome in that when I'm at home I have to reconfigure my devices (phone, laptop) to the internal address of the mail server, and when I'm away from home I have to type in the external address or the domain name. Do you know some magic trick?

enceladus
inner circle
Posts: 506
Joined: 27 Oct 2003, 14:32
Location: Poznan

#2 Post by enceladus »

The network way: build a DMZ with different addressing than the LAN. On top of that, translate the DMZ server's address to the public address both towards the LAN and towards the Internet.
The system way: create a view of your domain for the LAN with internal addresses. From the Internet a.ab-cd.pl resolves to a.a.a.a, and from the LAN a.ab-cd.pl resolves to e.g. 192.168.1.1, and use names instead of IPs in your configuration.
<: Enceladus :>

and800
wannabe
Posts: 56
Joined: 16 May 2008, 19:43

#3 Post by and800 »

enceladus

Thanks for the quick reply.

As it happens I have several VLANs on my router and one of them is precisely a DMZ (the mail server sits in it). My internal network is 10.10.11.0, and the DMZ network is 10.10.12.0

Unfortunately I don't understand what this means:
enceladus wrote: ... On top of that, translate the DMZ server's address to the public address both towards the LAN and towards the Internet...

enceladus
inner circle
Posts: 506
Joined: 27 Oct 2003, 14:32
Location: Poznan

#4 Post by enceladus »

Quick NVI:

Code:

interface vlan 1
  desc [DMZ]
  ip addr 10.10.12.1 255.255.255.0
  ip nat enable
interface vlan 2
  desc [LAN]
  ip addr 10.10.11.1 255.255.255.0
  ip nat enable
interface fast 4
  desc [internet]
  ip addr a.b.c.d 255.255.255.252
  ip nat enable
ip access-list extended acl-nat
 deny   ip 10.10.11.0 0.0.0.255 10.10.12.0 0.0.0.255
 permit ip 10.10.11.0 0.0.0.255 any
ip nat source list acl-nat interface FastEthernet4 overload
ip nat source static tcp 10.10.12.2 25 a.b.c.d 25 extendable

10.10.12.2 is the mail server's address.
I assume you translate the mail server to the interface address a.b.c.d
<: Enceladus :>
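The hairpin that the NVI snippet above is meant to produce, modelled in Python as an added example (this is not code from the thread and not a reproduction of IOS internals): a LAN client at 10.10.11.7 connects to the public address on port 25, the static entry rewrites the destination to the mail server 10.10.12.2, and the overload entry rewrites the source so that the server's reply returns through the same translation. 203.0.113.10 stands in for a.b.c.d, the port numbers are constructed, and the model evaluates acl-nat against the packet as it arrived, before the destination rewrite; that ordering is an assumption of the model, not a statement about IOS. `classic_inside_nat` shows the contrast with classic inside/outside NAT, where a static entry is consulted only for packets arriving on the "ip nat outside" interface, so a LAN packet addressed to a.b.c.d is left untranslated and ends up at the router's own address.

```python
"""Model of NVI hairpin NAT for the thread's addressing (added example, not IOS).

LAN 10.10.11.0/24, DMZ 10.10.12.0/24, mail server 10.10.12.2; the public
address a.b.c.d is represented by the placeholder 203.0.113.10 (TEST-NET-3).
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.10"            # placeholder for a.b.c.d
LAN = ip_network("10.10.11.0/24")
DMZ = ip_network("10.10.12.0/24")

# ip nat source static tcp 10.10.12.2 25 a.b.c.d 25 extendable
STATIC_TCP = {(PUBLIC_IP, 25): ("10.10.12.2", 25)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def acl_nat_permits(pkt: Packet) -> bool:
    """ip access-list extended acl-nat:
         deny   ip 10.10.11.0 0.0.0.255 10.10.12.0 0.0.0.255
         permit ip 10.10.11.0 0.0.0.255 any"""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    if s in LAN and d in DMZ:
        return False                  # direct LAN->DMZ traffic keeps real addresses
    return s in LAN


class Nvi:
    """NAT-enabled interfaces: both translations apply regardless of direction."""

    def __init__(self):
        self.overload = {}            # (PUBLIC_IP, port) -> (client_ip, client_port)

    def _alloc_port(self, wanted: int) -> int:
        port = wanted                 # keep the client's port unless already taken
        while (PUBLIC_IP, port) in self.overload:
            port = port + 1 if port < 65535 else 1024
        return port

    def forward(self, pkt: Packet) -> Packet:
        """Client -> server direction."""
        arrived = pkt
        real = STATIC_TCP.get((pkt.dst, pkt.dport))
        if real:                      # public a.b.c.d:25 -> DMZ server 10.10.12.2:25
            pkt = replace(pkt, dst=real[0], dport=real[1])
        if acl_nat_permits(arrived):  # overload: client source -> a.b.c.d:port
            port = self._alloc_port(arrived.sport)
            self.overload[(PUBLIC_IP, port)] = (arrived.src, arrived.sport)
            pkt = replace(pkt, src=PUBLIC_IP, sport=port)
        return pkt

    def reverse(self, pkt: Packet) -> Packet:
        """Server reply: undo both translations so the client sees a.b.c.d:25."""
        for pub, real in STATIC_TCP.items():
            if (pkt.src, pkt.sport) == real:
                pkt = replace(pkt, src=pub[0], sport=pub[1])
        client = self.overload.get((pkt.dst, pkt.dport))
        if client:
            pkt = replace(pkt, dst=client[0], dport=client[1])
        return pkt


def classic_inside_nat(pkt: Packet, ingress_outside: bool) -> Packet:
    """Classic domain NAT: the static entry is consulted only on 'ip nat outside'
    ingress, so a LAN client's packet to a.b.c.d is not translated at all."""
    if not ingress_outside:
        return pkt
    real = STATIC_TCP.get((pkt.dst, pkt.dport))
    return replace(pkt, dst=real[0], dport=real[1]) if real else pkt


if __name__ == "__main__":
    nvi = Nvi()
    client = Packet("10.10.11.7", 40000, PUBLIC_IP, 25)
    print("to server :", nvi.forward(client))
    print("to client :", nvi.reverse(Packet("10.10.12.2", 25, PUBLIC_IP, 40000)))
    print("classic   :", classic_inside_nat(client, ingress_outside=False))
```

One consequence worth keeping in mind: with the hairpin, the mail server sees every internal connection as coming from a.b.c.d, so its logs and any per-client limits it applies lose the real client address; the split-DNS approach from post #2 keeps the client's address intact because internal clients then connect to 10.10.12.2 directly.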

and800
wannabe
Posts: 56
Joined: 16 May 2008, 19:43

#5 Post by and800 »

Thank you for the information. I applied the above entries to my config, but unfortunately the commands didn't bring the expected result. It seems to me this is caused by the firewalls I have between each VLAN. Are there commands that can verify what's wrong?

PS I already had these entries, except for the ACL named 'acl-nat' and the 'ip nat enable' commands for each interface. The line where I translate port 25 of the internal IP to the external IP already existed (ip nat source static tcp ...); additionally I have port 143 translated.

pogrom
wannabe
Posts: 154
Joined: 24 Jul 2007, 15:25
Location: Warszawa

#6 Post by pogrom »

On the Cisco ASA there's a feature called DNS rewrite. It fits your problem perfectly. Unfortunately I don't know whether something like that can be done on a router. But you can search along those lines.

and800
wannabe
Posts: 56
Joined: 16 May 2008, 19:43

#7 Post by and800 »

Exactly. I admit I came across that functionality too, but it's intended exclusively for switches.

toczyskik
wannabe
Posts: 312
Joined: 09 May 2006, 14:28
Location: Warszawa

#8 Post by toczyskik »

and800 wrote: Exactly. I admit I came across that functionality too, but it's intended exclusively for switches.
A recipe from the forum:

Code:

Here is the recipe:

1. On the computers, enter your router's gateway (inside) as the DNS server address

2. On the router enter (for example):
- ip domain round-robin
- ip host www.blabla.pl 192.168.1.20 (this is your internal server with static NAT)
- ip name-server NS1_OPERATORA
- ip name-server NS2_OPERATORA

If you want to do more with DNS on routers, look up information about Split DNS.
Regards
Krzysiek Te.
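The split-DNS "view" from enceladus's second suggestion and the `ip host` recipe above, implemented as an added example in Python (not code from the thread and not how IOS implements it): a minimal DNS responder that parses a wire-format A query, answers from the host table when the client sits in an internal network, and hands everything else to an upstream stub. The upstream table, the client addresses and 203.0.113.10 (standing in for a.b.c.d) are constructed. Selecting the view by client source address generalises the recipe, where every client that asks the router is internal anyway.

```python
"""Split-horizon DNS responder over RFC 1035 wire format (added example)."""
import struct
from ipaddress import ip_address, ip_network

A_RECORD, IN_CLASS = 1, 1
RCODE_NXDOMAIN = 3


def build_query(name, txid=0x1234):
    """Encode a standard recursive A/IN query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", A_RECORD, IN_CLASS)


def _read_name(msg, pos):
    """Decode a (possibly compressed) name; return (name, position after it)."""
    labels = []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            return ".".join(labels), pos
        if length & 0xC0 == 0xC0:                       # compression pointer
            target = struct.unpack("!H", msg[pos - 1:pos + 1])[0] & 0x3FFF
            tail, _ = _read_name(msg, target)
            return ".".join(labels + [tail]) if labels else tail, pos + 1
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length


def parse_question(msg):
    txid = struct.unpack("!H", msg[:2])[0]
    name, pos = _read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, name, qtype, qclass, msg[12:pos + 4]


def build_response(txid, question, ip=None):
    """One A record in the answer section, or NXDOMAIN when ip is None."""
    if ip is None:
        return struct.pack("!HHHHHH", txid, 0x8180 | RCODE_NXDOMAIN, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # name = pointer to the question name at offset 12, TTL 60 s, 4-byte rdata
    rr = struct.pack("!HHHIH", 0xC00C, A_RECORD, IN_CLASS, 60, 4) + ip_address(ip).packed
    return header + question + rr


def parse_response(msg):
    """Return (rcode, first A-record address or None)."""
    flags, qdcount, ancount = struct.unpack("!HHH", msg[2:8])
    pos = 12
    for _ in range(qdcount):
        _, pos = _read_name(msg, pos)
        pos += 4
    for _ in range(ancount):
        _, pos = _read_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata, pos = msg[pos:pos + rdlen], pos + rdlen
        if rtype == A_RECORD and rclass == IN_CLASS and rdlen == 4:
            return flags & 0xF, str(ip_address(rdata))
    return flags & 0xF, None


class SplitDns:
    """Internal clients get the host-table view; everyone else gets upstream."""

    def __init__(self, host_entries, internal_nets, upstream):
        self.hosts = {k.lower(): v for k, v in host_entries.items()}
        self.internal = [ip_network(n) for n in internal_nets]
        self.upstream = upstream

    def handle(self, query, client_ip):
        txid, name, qtype, qclass, question = parse_question(query)
        name = name.lower()
        internal = any(ip_address(client_ip) in net for net in self.internal)
        if qtype == A_RECORD and qclass == IN_CLASS and internal and name in self.hosts:
            return build_response(txid, question, self.hosts[name])
        return build_response(txid, question, self.upstream(name))


# Constructed stand-in for the operator's name servers (203.0.113.10 = a.b.c.d).
UPSTREAM_TABLE = {"blabla.pl": "203.0.113.10", "example.test": "198.51.100.7"}


def upstream_stub(name):
    return UPSTREAM_TABLE.get(name)


# ip host blabla.pl 10.10.12.2, served to LAN1 and WLAN2 from the thread
ROUTER = SplitDns({"blabla.pl": "10.10.12.2"},
                  ["10.10.10.0/24", "10.10.11.0/24"], upstream_stub)

if __name__ == "__main__":
    q = build_query("blabla.pl")
    print("from LAN     :", parse_response(ROUTER.handle(q, "10.10.11.7")))
    print("from Internet:", parse_response(ROUTER.handle(q, "198.51.100.20")))
```

The upstream branch is the part that must not be missing: a client whose only DNS server answers just the names in its host table and drops the rest loses every other name, which matches the symptom reported later in the thread (post #9, computers losing Internet access). Pointing clients at the router also only helps if the router answers DNS queries at all; on IOS that is the DNS server function (`ip dns server`), which the recipe does not mention, though whether that was the missing piece in the thread is not established here.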

and800
wannabe
Posts: 56
Joined: 16 May 2008, 19:43

#9 Post by and800 »

Thanks for the reply.

Unfortunately it doesn't work.
The instructions seem simple to me, but just in case I'll write down what I did (two points, matching your recommendations)

1.

Code:

ip dhcp pool WLAN2
   network 10.10.11.0 255.255.255.0
   dns-server 10.10.11.1
   default-router 10.10.11.1
   lease infinite

2.

Code:

ip domain round-robin
 ip host blabla.pl 10.10.12.2 (this is the internal address of my mail server)
 ip name-server 62.233.233.233
 ip name-server 87.204.204.204

The result is that my name (blabla.pl) is still not reachable from the internal network, and the computers have lost Internet access. I tried entering the DNS values "by hand" on the computer, but the result was identical...


\\EDIT: code tags :!:
gryglas
Last edited by and800 on 14 Feb 2012, 13:04, edited 1 time in total.

Kyniu
wannabe
Posts: 3595
Joined: 04 Nov 2006, 16:23

#10 Post by Kyniu »

and800 wrote: Unfortunately it doesn't work.
Say which city you're from, offer a six-pack of beer as an incentive, and maybe one of the guys will be tempted to drop by and see what's going on. For those who are learning, don't have a lab at home and are looking for any chance to practise, this could be an interesting proposition.

and800
wannabe
Posts: 56
Joined: 16 May 2008, 19:43

#11 Post by and800 »

Hi, it's very close to Warszawa.

EDIT: six-pack already bought

and800
wannabe
Posts: 56
Joined: 16 May 2008, 19:43

#12 Post by and800 »

Colleagues, if I paste my config, will you be able to take a look?

dorvin
CCIE
Posts: 1688
Joined: 21 Jan 2008, 13:21
Location: Wrocław

#13 Post by dorvin »

It's always worth posting the config. :) At first glance the solution given by enceladus should work. Maybe disable that firewall of yours, remove the ACLs or whatever you have there, and check whether it works then.

and800
wannabe
Posts: 56
Joined: 16 May 2008, 19:43

#14 Post by and800 »

Damn, when I look at this I myself don't believe that anything can work...
... though I admit everything does work.

Code:
!This is the running config of the router: 10.10.10.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname C877W
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 4096 informational
enable secret 5 xxxx
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.10.10.1 auth-port 1814 acct-port 1815
!
aaa group server radius rad_mac
 server 10.10.10.1 auth-port 1814 acct-port 1815
!
aaa group server radius rad_acct
!
aaa group server tacacs+ tac_admin
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login mac-user local-case group rad_mac
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization ipmobile default group rad_pmip 
aaa authorization network sdm_vpn_group_ml_1 local 
aaa accounting network acct_methods start-stop group rad_acct
!
!
aaa session-id common
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 3:00 last Sun Oct 4:00
!
crypto pki trustpoint tti
 revocation-check crl
 rsakeypair tti
!
crypto pki trustpoint TP-self-signed-333
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-333
 revocation-check none
 rsakeypair TP-self-signed-333
!
!
crypto pki certificate chain tti
crypto pki certificate chain TP-self-signed-333
 certificate self-signed 01

	999  

  	quit

dot11 mbssid
dot11 syslog
dot11 vlan-name GLAN4 vlan 4
dot11 vlan-name WLAN2 vlan 2
dot11 vlan-name WLAN3 vlan 3
!
dot11 ssid xxx
   vlan 4
   authentication open 
   authentication key-management wpa
   wpa-psk ascii 7 999
!
dot11 ssid xxx
   vlan 2
   authentication open eap mac_methods 
   authentication network-eap mac_methods 
   authentication key-management wpa
!
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp excluded-address 10.10.10.131 10.10.10.254
ip dhcp excluded-address 10.10.12.4 10.10.12.254
ip dhcp excluded-address 192.168.1.31 192.168.1.254
ip dhcp excluded-address 10.10.11.15 10.10.11.254
!
ip dhcp pool LAN1
   network 10.10.10.0 255.255.255.0
   dns-server 62.233.233.233 87.204.204.204 
   default-router 10.10.10.1 
   netbios-name-server 10.10.10.115 
   lease infinite
!
ip dhcp pool WLAN4
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1 
   dns-server 62.233.233.233 87.204.204.204 
   netbios-name-server 10.10.10.115 
   domain-name ml-ab.pl
   lease infinite
!
ip dhcp pool WLAN2
   network 10.10.11.0 255.255.255.0
   dns-server 62.233.233.233 87.204.204.204 
   default-router 10.10.11.1 
   netbios-name-server 10.10.10.115 
   lease infinite
!
ip dhcp pool DLAN3
   import all
   network 10.10.12.0 255.255.255.0
   default-router 10.10.12.1 
   dns-server 62.233.233.233 87.204.204.204 
   netbios-name-server 10.10.10.115 
   lease infinite
!
!
no ip bootp server
ip domain name xxx.pl
ip name-server 62.233.233.233
ip name-server 87.204.204.204
ip name-server 10.10.10.1
no ip port-map x11 port tcp from 6000 to 6606  description X Window System
ip inspect audit-trail
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips config location flash:/ips5/ retries 5 timeout 10
ip ips notify SDEE
no ip ips notify log
!
ip ips signature-category
  category all
   retired true
  category ios_ips basic
   retired false
!
!
multilink bundle-name authenticated
parameter-map type regex sdm-regex-nonascii
 pattern [^\x00-\x80]

password encryption aes
!
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any Q209-out-access
 match protocol user-20
 match protocol ftp
 match protocol http
 match protocol https
 match protocol user-1222
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
 match class-map SDM_HTTPS
 match class-map SDM_SSH
 match class-map SDM_SHELL
class-map type inspect match-any X61-WiFi-utorrent
 match protocol user-25692
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
 match class-map X61-WiFi-utorrent
 match access-group name X61-WiFi-utorrent
class-map type inspect match-any DL-in-access
 match protocol user-3389
 match protocol microsoft-ds
 match protocol netbios-dgm
 match protocol netbios-ssn
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any SDM_WEBVPN
 match access-group name SDM_WEBVPN
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
 match class-map SDM_WEBVPN
 match access-group 107
class-map type inspect match-all sdm-cls--9
 match access-group name any
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any printer-9100
 match protocol user-9100
class-map type inspect match-all sdm-cls--8
 match class-map printer-9100
 match access-group name guest-ezvpn-print
class-map type inspect match-any samba
 match protocol netbios-dgm
 match protocol netbios-ssn
 match protocol netbios-ns
 match protocol microsoft-ds
class-map type inspect match-any dmz-samba
 match class-map samba
class-map type inspect match-all sdm-cls--3
 match class-map dmz-samba
 match access-group name dmz-samba
class-map type inspect match-any DL-vpn-access
 match protocol user-3389
 match protocol microsoft-ds
 match protocol netbios-dgm
 match protocol netbios-ssn
class-map type inspect match-all sdm-cls--2
 match class-map DL-vpn-access
 match access-group name DL-vpn-access
class-map type inspect match-all sdm-cls--1
 match class-map DL-vpn-access
 match access-group name DL-vpn-access
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-all sdm-cls--7
 match access-group name all
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any print-9100
 match protocol user-9100
class-map type inspect match-all sdm-cls--6
 match access-group name guests_network_printer
 match class-map print-9100
class-map type inspect match-all sdm-cls--5
 match access-group name internet
class-map type inspect match-all sdm-cls--4
 match access-group name printer
class-map type inspect match-any mail-access
 match protocol imap
 match protocol smtp
 match protocol user-6017
 match protocol user-50110
 match protocol user-50025
class-map type inspect match-any nfs-service
 match protocol nfs
 match protocol sunrpc
class-map type inspect imap match-any imap-mail
 match  login clear-text
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-access
 match class-map sdm-cls-access
 match access-group 101
class-map type inspect match-any sdm-dmz-protocols
 match protocol http
 match protocol user-20
 match protocol ftp
 match protocol user-25691
class-map type inspect match-all sdm-dmz-traffic
 match access-group name dmz-traffic
 match class-map sdm-dmz-protocols
class-map type inspect match-any DL-torrent-access
 match protocol user-25691
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-any Q209-in-access
 match protocol user-8089
 match protocol user-7965
 match protocol user-20
 match protocol ftp
 match protocol netbios-dgm
 match protocol netbios-ssn
class-map type inspect match-any rlogin-q409
 match protocol user-25873
class-map type inspect match-any dns
 match protocol dns
 match protocol wins
class-map type inspect match-all sdm-cls-sdm-permit-dmzservice-8
 match class-map dns
 match access-group name dns
class-map type inspect match-all sdm-protocol-http
 match protocol http
class-map type inspect match-any rlogin-q209
 match protocol user-25873
class-map type inspect match-all sdm-cls-sdm-policy-sdm-cls--3-1
 match class-map rlogin-q409
 match access-group name rlogin-q409
class-map type inspect match-all sdm-cls-sdm-permit-dmzservice-1
 match class-map DL-torrent-access
 match access-group name DL-torrent-access
class-map type inspect match-all sdm-cls-sdm-permit-dmzservice-2
 match class-map DL-in-access
 match access-group name DL-in-access
class-map type inspect match-all sdm-cls-sdm-permit-dmzservice-3
 match class-map Q209-in-access
 match access-group name Q209-in-access
class-map type inspect match-all sdm-cls-sdm-permit-dmzservice-4
 match class-map Q209-out-access
 match access-group name Q209-out-access
class-map type inspect match-all sdm-cls-sdm-permit-dmzservice-5
 match class-map mail-access
 match access-group name mail-access
class-map type inspect match-all sdm-cls-sdm-permit-dmzservice-6
 match class-map nfs-service
 match access-group name nfs-service
class-map type inspect match-all sdm-cls-sdm-permit-dmzservice-7
 match class-map rlogin-q209
 match access-group name rlogin-q209
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
  drop
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  inspect
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class type inspect SDM_WEBVPN_TRAFFIC
  inspect
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class class-default
policy-map type inspect sdm-policy-sdm-cls--3
 class type inspect sdm-cls--3
  inspect
 class type inspect sdm-cls-sdm-policy-sdm-cls--3-1
  inspect
 class class-default
policy-map type inspect sdm-permit-dmzservice
 class type inspect sdm-cls-sdm-permit-dmzservice-7
  inspect
 class type inspect sdm-cls-sdm-permit-dmzservice-3
  inspect
 class type inspect sdm-cls-sdm-permit-dmzservice-2
  inspect
 class type inspect sdm-cls-sdm-permit-dmzservice-5
  inspect
 class type inspect sdm-cls-sdm-permit-dmzservice-4
  inspect
 class type inspect sdm-cls-sdm-permit-dmzservice-1
  inspect
 class class-default
  drop
policy-map type inspect sdm-policy-sdm-cls--2
 class type inspect sdm-cls--2
  inspect
 class class-default
policy-map type inspect sdm-policy-sdm-cls--5
 class type inspect sdm-cls--5
  inspect
 class class-default
policy-map type inspect sdm-policy-sdm-cls--4
 class type inspect sdm-cls--4
  inspect
 class class-default
policy-map type inspect sdm-policy-sdm-cls--7
 class type inspect sdm-cls--7
  inspect
 class class-default
policy-map type inspect sdm-policy-sdm-cls--6
 class type inspect sdm-cls--6
  inspect
 class class-default
policy-map type inspect sdm-policy-sdm-cls--9
 class type inspect sdm-cls--9
  inspect
 class class-default
policy-map type inspect sdm-policy-sdm-cls--8
 class type inspect sdm-cls--8
  inspect
 class class-default
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security ezvpn-zone
zone security out-zone
zone security in-zone
zone security dmz-zone
zone security guest-zone
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-dmz source out-zone destination dmz-zone
 service-policy type inspect sdm-permit-dmzservice
zone-pair security sdm-zp-in-dmz source in-zone destination dmz-zone
 service-policy type inspect sdm-permit-dmzservice
zone-pair security sdm-zp-ezvpn-dmz source ezvpn-zone destination dmz-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-dmz-zone-ezvpn-zone source dmz-zone destination ezvpn-zone
 service-policy type inspect sdm-policy-sdm-cls--2
zone-pair security sdm-zp-dmz-out source dmz-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-dmz-zone-in-zone source dmz-zone destination in-zone
 service-policy type inspect sdm-policy-sdm-cls--3
zone-pair security sdm-zp-in-zone-guest-zone source in-zone destination guest-zone
 service-policy type inspect sdm-policy-sdm-cls--4
zone-pair security sdm-zp-guest-zone-out-zone source guest-zone destination out-zone
 service-policy type inspect sdm-policy-sdm-cls--5
zone-pair security sdm-zp-guest-zone-in-zone source guest-zone destination in-zone
 service-policy type inspect sdm-policy-sdm-cls--6
zone-pair security sdm-zp-dmz-zone-guest-zone source dmz-zone destination guest-zone
 service-policy type inspect sdm-policy-sdm-cls--7
zone-pair security sdm-zp-guest-zone-ezvpn-zone source guest-zone destination ezvpn-zone
 service-policy type inspect sdm-policy-sdm-cls--8
zone-pair security sdm-zp-ezvpn-zone-guest-zone source ezvpn-zone destination guest-zone
 service-policy type inspect sdm-policy-sdm-cls--9
!
bridge irb
!
!
interface ATM0
 bandwidth 1012
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.2 point-to-point
 description $FW_OUTSIDE$$ES_WAN$
 zone-member security out-zone
 pvc 0/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
 !
!
interface FastEthernet0
 description LAN1
!
interface FastEthernet1
 description WLAN2
 switchport access vlan 2
!
interface FastEthernet2
 switchport trunk native vlan 3
 switchport mode trunk
!
interface FastEthernet3
 description GLAN4
 switchport access vlan 4
!
interface Virtual-Template1 type tunnel
 description VTempl1$FW_INSIDE$
 ip unnumbered Dialer1
 ip flow ingress
 ip flow egress
 ip virtual-reassembly
 zone-member security ezvpn-zone
 ip route-cache flow
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
 no ip address
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 !
 encryption vlan 2 mode ciphers aes-ccm 
 !
 encryption vlan 4 mode ciphers tkip 
 !
 encryption mode ciphers tkip 
 !
 encryption vlan 3 mode ciphers aes-ccm 
 !
 ssid xxx
 !
 ssid xxx
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 l2-filter bridge-group-acl
!
interface Dot11Radio0.2
 description WLAN2
 encapsulation dot1Q 2
 no cdp enable
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 input-address-list 700
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 no cdp enable
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 spanning-disabled
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
!
interface Dot11Radio0.4
 description GLAN4
 encapsulation dot1Q 4
 no cdp enable
 bridge-group 4
 bridge-group 4 subscriber-loop-control
 bridge-group 4 spanning-disabled
 bridge-group 4 block-unknown-source
 no bridge-group 4 source-learning
 no bridge-group 4 unicast-flooding
!
interface Vlan1
 description LAN1$FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip flow ingress
 ip route-cache flow
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Vlan4
 description GLAN4
 no ip address
 traffic-shape rate 64000 8000 8000 1000
 bridge-group 4
!
interface Vlan2
 description WLAN2
 no ip address
 bridge-group 2
!
interface Vlan3
 no ip address
 bridge-group 3
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 ip route-cache flow
 dialer pool 2
 dialer-group 2
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname 888@w999.pl
 ppp chap password 7 777
!
interface BVI1
 description LAN1$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 103 in
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface BVI4
 description GLAN4$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 zone-member security guest-zone
!
interface BVI2
 description WLAN2$FW_INSIDE$
 ip address 10.10.11.1 255.255.255.0
 ip access-group 108 in
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
interface BVI3
 description WLAN3$FW_DMZ$
 ip address 10.10.12.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 zone-member security dmz-zone
!
ip local pool VPN_POOL1 10.10.10.150 10.10.10.155 cache-size 2
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip flow-cache timeout active 1
ip flow-export source Dot11Radio0
ip flow-export version 5
ip flow-export destination 10.10.10.114 9996
ip flow-export destination 10.10.1.4 9996
!
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 2 interface Dialer1 overload
ip nat inside source list 3 interface Dialer1 overload
ip nat inside source list 4 interface Dialer1 overload
ip nat inside source static tcp 10.10.12.2 21 interface Dialer1 21
ip nat inside source static tcp 10.10.12.2 20 interface Dialer1 20
ip nat inside source static tcp 10.10.12.3 25691 interface Dialer1 25691
ip nat inside source static tcp 10.10.12.2 50025 interface Dialer1 25
ip nat inside source static tcp 10.10.12.2 110 interface Dialer1 50110
ip nat inside source static tcp 10.10.12.2 6017 interface Dialer1 6017
ip nat inside source static tcp 10.10.12.2 143 interface Dialer1 143
ip nat inside source static tcp 10.10.12.2 25 interface Dialer1 50025
ip nat inside source static tcp 10.10.12.2 80 interface Dialer1 1222
!
ip access-list extended B10
 remark SDM_ACL Category=128
 permit ip any host 10.10.10.106
ip access-list extended DL-in-access
 remark SDM_ACL Category=128
 permit ip host 10.10.10.117 host 10.10.12.3
 permit ip host 10.10.11.7 host 10.10.12.3
ip access-list extended DL-torrent-access
 remark SDM_ACL Category=128
 permit ip any host 10.10.12.3
ip access-list extended DL-vpn-access
 remark SDM_ACL Category=128
 permit ip 10.10.10.0 0.0.0.255 host 10.10.12.3
ip access-list extended Q209-in-access
 remark SDM_ACL Category=128
 permit ip host 10.10.10.117 host 10.10.12.2
 permit ip host 10.10.11.7 host 10.10.12.2
ip access-list extended Q209-out-access
 remark SDM_ACL Category=128
 permit ip any host 10.10.12.2
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
ip access-list extended SDM_HTTPS
 remark SDM_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_IP
 remark SDM_ACL Category=1
 permit ip any any
ip access-list extended SDM_SHELL
 remark SDM_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark SDM_ACL Category=1
 permit tcp any any eq 22
ip access-list extended SDM_WEBVPN
 remark SDM_ACL Category=1
 permit tcp any any eq 443
ip access-list extended X61
 remark X61 privilige
 remark SDM_ACL Category=256
 permit tcp host 10.10.10.110 any
ip access-list extended X61-WiFi-utorrent
 remark SDM_ACL Category=128
 permit ip any host 10.10.11.4
ip access-list extended all
 remark SDM_ACL Category=128
 permit ip any any
ip access-list extended any
 remark SDM_ACL Category=128
 permit ip any any
ip access-list extended dmz-samba
 remark SDM_ACL Category=128
 permit ip 10.10.12.0 0.0.0.255 host 10.10.10.115
ip access-list extended dmz-traffic
 remark SDM_ACL Category=1
 permit ip any host 10.10.12.2
 permit ip any host 10.10.12.3
ip access-list extended dns
 remark SDM_ACL Category=128
 permit ip any host 10.10.12.2
ip access-list extended guest-ezvpn-print
 remark SDM_ACL Category=128
 permit ip host 192.168.1.2 any
 permit ip host 192.168.1.3 any
 permit ip host 192.168.1.4 any
ip access-list extended guests_network_printer
 remark SDM_ACL Category=128
 permit ip host 192.168.1.2 any
 permit ip host 192.168.1.3 any
 permit ip host 192.168.1.4 any
 deny   ip any any
ip access-list extended internet
 remark SDM_ACL Category=128
 permit ip any any
ip access-list extended mail-access
 remark SDM_ACL Category=128
 permit ip any host 10.10.12.2
ip access-list extended nfs-service
 remark SDM_ACL Category=128
 permit ip host 10.10.10.115 10.10.12.0 0.0.0.255
ip access-list extended printer
 remark SDM_ACL Category=128
 permit ip any any
ip access-list extended rlogin-q209
 remark SDM_ACL Category=128
 permit ip host 10.10.10.115 host 10.10.12.2
ip access-list extended rlogin-q409
 remark SDM_ACL Category=128
 permit ip host 10.10.12.2 host 10.10.10.115
!
no logging trap
logging 10.10.10.1
access-list 1 remark inside to Internet
access-list 1 remark SDM_ACL Category=2
access-list 1 remark LAN1
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark WLAN2
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.11.0 0.0.0.255
access-list 3 remark DLAN3
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 10.10.12.0 0.0.0.255
access-list 4 remark WLAN4
access-list 4 remark SDM_ACL Category=2
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 5 remark HTTP Access-class list
access-list 5 remark SDM_ACL Category=1
access-list 5 permit 10.10.10.0 0.0.0.255
access-list 5 deny   any
access-list 6 remark HTTP Access-class list
access-list 6 remark SDM_ACL Category=1
access-list 6 permit 10.10.10.0 0.0.0.255
access-list 6 deny   any
access-list 7 remark Auto generated by SDM Management Access feature
access-list 7 remark SDM_ACL Category=1
access-list 7 permit 10.10.11.4
access-list 7 permit 10.10.10.114
access-list 8 permit 10.10.11.7
access-list 8 remark Auto generated by SDM Management Access feature
access-list 8 remark SDM_ACL Category=1
access-list 8 permit 10.10.10.117
access-list 9 permit 10.10.11.7
access-list 9 remark Auto generated by SDM Management Access feature
access-list 9 remark SDM_ACL Category=1
access-list 9 permit 10.10.10.117
access-list 10 permit 10.10.11.7
access-list 10 remark Auto generated by SDM Management Access feature
access-list 10 remark SDM_ACL Category=1
access-list 10 permit 10.10.10.117
access-list 35 remark 10.10.10.0 NETWORK ACCESS
access-list 35 remark SDM_ACL Category=16
access-list 35 permit 10.10.10.120
access-list 35 deny   10.10.10.0 0.0.0.255
access-list 35 permit any
access-list 37 permit 192.168.1.3
access-list 37 remark printer - guests network
access-list 37 remark SDM_ACL Category=1
access-list 37 permit 192.168.1.2
access-list 37 permit 192.168.1.4
access-list 37 deny   any
access-list 38 remark GLAN4 internet only
access-list 38 remark SDM_ACL Category=1
access-list 38 remark brak dostepu do LAN1
access-list 38 deny   10.10.10.0 0.0.0.255
access-list 38 remark brak dostepu do WLAN2
access-list 38 deny   10.10.11.0 0.0.0.255
access-list 38 permit any
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.10.11.0 0.0.0.255 any
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 10.10.12.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip any any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 deny   ip any any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp host 10.10.10.117 host 10.10.10.1 eq telnet
access-list 103 permit tcp host 10.10.10.117 host 10.10.10.1 eq 22
access-list 103 permit tcp host 10.10.10.117 host 10.10.10.1 eq www
access-list 103 permit tcp host 10.10.10.114 host 10.10.10.1 eq www
access-list 103 permit tcp host 10.10.10.117 host 10.10.10.1 eq 443
access-list 103 permit tcp host 10.10.10.114 host 10.10.10.1 eq 443
access-list 103 permit tcp host 10.10.10.117 host 10.10.10.1 eq cmd
access-list 103 deny   tcp any host 10.10.10.1 eq telnet
access-list 103 deny   tcp any host 10.10.10.1 eq 22
access-list 103 deny   tcp any host 10.10.10.1 eq www
access-list 103 deny   tcp any host 10.10.10.1 eq 443
access-list 103 deny   tcp any host 10.10.10.1 eq cmd
access-list 103 deny   udp any host 10.10.10.1 eq snmp
access-list 103 permit udp host 10.10.10.1 eq domain any
access-list 103 permit udp host 10.10.10.115 eq domain any
access-list 103 permit ip any host 10.10.10.1
access-list 103 permit udp host 10.10.10.1 eq 1645 host 10.10.10.1
access-list 103 permit udp host 10.10.10.1 eq 1646 host 10.10.10.1
access-list 103 permit udp host 10.10.10.1 eq 1812 host 10.10.10.1
access-list 103 permit udp host 10.10.10.1 eq 1813 host 10.10.10.1
access-list 103 permit ip any any
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip host 10.10.10.117 any
access-list 104 permit ip host 10.10.11.7 any
access-list 104 permit ip 10.10.10.0 0.0.0.255 any log
access-list 104 deny   ip any any log
access-list 105 remark Auto generated by SDM Management Access feature
access-list 105 remark SDM_ACL Category=1
access-list 105 permit tcp host 10.10.11.7 host 10.10.11.1 eq telnet
access-list 105 permit tcp host 10.10.11.4 host 10.10.11.1 eq telnet
access-list 105 permit tcp host 10.10.11.7 host 10.10.11.1 eq 22
access-list 105 permit tcp host 10.10.11.4 host 10.10.11.1 eq 22
access-list 105 permit tcp host 10.10.11.7 host 10.10.11.1 eq www
access-list 105 permit tcp host 10.10.11.4 host 10.10.11.1 eq www
access-list 105 permit tcp host 10.10.11.7 host 10.10.11.1 eq 443
access-list 105 permit tcp host 10.10.11.4 host 10.10.11.1 eq 443
access-list 105 permit tcp host 10.10.11.7 host 10.10.11.1 eq cmd
access-list 105 permit tcp host 10.10.11.4 host 10.10.11.1 eq cmd
access-list 105 deny   tcp any host 10.10.11.1 eq telnet
access-list 105 deny   tcp any host 10.10.11.1 eq 22
access-list 105 deny   tcp any host 10.10.11.1 eq www
access-list 105 deny   tcp any host 10.10.11.1 eq 443
access-list 105 deny   tcp any host 10.10.11.1 eq cmd
access-list 105 deny   udp any host 10.10.11.1 eq snmp
access-list 105 permit ip any any
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host 10.10.10.120
access-list 107 remark SDM_ACL Category=128
access-list 107 permit ip any host 77.253.216.9
access-list 108 remark Auto generated by SDM Management Access feature
access-list 108 remark SDM_ACL Category=1
access-list 108 permit tcp host 10.10.11.7 host 10.10.11.1 eq telnet
access-list 108 permit tcp host 10.10.11.7 host 10.10.11.1 eq 22
access-list 108 permit tcp host 10.10.11.7 host 10.10.11.1 eq www
access-list 108 permit tcp host 10.10.11.7 host 10.10.11.1 eq 443
access-list 108 permit tcp host 10.10.11.7 host 10.10.11.1 eq cmd
access-list 108 deny   tcp any host 10.10.11.1 eq telnet
access-list 108 deny   tcp any host 10.10.11.1 eq 22
access-list 108 deny   tcp any host 10.10.11.1 eq www
access-list 108 deny   tcp any host 10.10.11.1 eq 443
access-list 108 deny   tcp any host 10.10.11.1 eq cmd
access-list 108 deny   udp any host 10.10.11.1 eq snmp
access-list 108 permit ip any any
access-list 140 remark speed limit WLAN4
access-list 140 remark SDM_ACL Category=1
access-list 140 permit ip 192.168.1.0 0.0.0.255 any
access-list 140 permit ip any 192.168.1.0 0.0.0.255
access-list 700 permit 999   0000.0000.0000
access-list 700 permit 999   0000.0000.0000
access-list 700 deny   0000.0000.0000   ffff.ffff.ffff
no cdp run
!
!
!
radius-server local
  nas 10.10.10.1 key 7 999
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.10.10.1 auth-port 1814 acct-port 1815 key 7 999
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
bridge 3 protocol ieee
bridge 3 route ip
bridge 4 protocol ieee
bridge 4 route ip
banner exec ^CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
% Password expiration warning.
-----------------------------------------------------------------------
 
nice, huh ?
 
-----------------------------------------------------------------------
^C
banner login ^CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
 speed 115200
line aux 0
 transport output telnet
line vty 0 3
 access-class 104 in
 exec-timeout 0 0
 privilege level 15
 transport input telnet ssh
line vty 4
 access-class 104 in
 exec-timeout 0 0
 privilege level 15
 transport input telnet ssh
parser view SDM_EasyVPN_Remote
 secret 5 999
! Last configuration change at 19:08:29 CET Sun May 6 2012 by admin
! NVRAM config last updated at 19:09:21 CET Sun May 6 2012 by admin
!
 commands interface include all crypto
 commands interface include all no crypto
 commands interface include no
 commands configure include end
 commands configure include all radius-server
 commands configure include all access-list
 commands configure include ip radius source-interface
 commands configure include ip radius
 commands configure include all ip nat
 commands configure include ip dns server
 commands configure include ip dns
 commands configure include all interface
 commands configure include all identity policy
 commands configure include identity profile
 commands configure include identity
 commands configure include all dot1x
 commands configure include all ip domain lookup
 commands configure include ip domain
 commands configure include ip
 commands configure include all crypto
 commands configure include all aaa
 commands configure include default end
 commands configure include all default radius-server
 commands configure include all default access-list
 commands configure include default ip radius source-interface
 commands configure include default ip radius
 commands configure include all default ip nat
 commands configure include default ip dns server
 commands configure include default ip dns
 commands configure include all default interface
 commands configure include all default identity policy
 commands configure include default identity profile
 commands configure include default identity
 commands configure include all default dot1x
 commands configure include all default ip domain lookup
 commands configure include default ip domain
 commands configure include default ip
 commands configure include all default crypto
 commands configure include all default aaa
 commands configure include default
 commands configure include no end
 commands configure include all no radius-server
 commands configure include all no access-list
 commands configure include no ip radius source-interface
 commands configure include no ip radius
 commands configure include all no ip nat
 commands configure include no ip dns server
 commands configure include no ip dns
 commands configure include all no interface
 commands configure include all no identity policy
 commands configure include no identity profile
 commands configure include no identity
 commands configure include all no dot1x
 commands configure include all no ip domain lookup
 commands configure include no ip domain
 commands configure include no ip
 commands configure include all no crypto
 commands configure include all no aaa
 commands configure include no
 commands exec include dir all-filesystems
 commands exec include dir
 commands exec include crypto ipsec client ezvpn connect
 commands exec include crypto ipsec client ezvpn xauth
 commands exec include crypto ipsec client ezvpn
 commands exec include crypto ipsec client
 commands exec include crypto ipsec
 commands exec include crypto
 commands exec include write memory
 commands exec include write
 commands exec include all ping ip
 commands exec include ping
 commands exec include configure terminal
 commands exec include configure
 commands exec include all show
 commands exec include no
 commands exec include all debug appfw
 commands exec include all debug ip inspect
 commands exec include debug ip
 commands exec include debug
 commands exec include all clear
!
!
scheduler max-task-time 5000
ntp clock-period 17175417
ntp server 193.110.137.171 source Dialer1
ntp server 212.244.36.227 source Dialer1
ntp server 150.254.183.15 source Dialer1 prefer
!
end
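Every numbered ACL in the config above is evaluated top-down, first match wins, with an implicit deny after the last entry; the SDM management lists (103, 105, 108) rely on that ordering by placing the host-specific permits before the blanket denies and ending with `permit ip any any`. As an added example that is not part of the thread, here is a small first-match evaluator in Python run over an excerpt of access-list 103 copied from the posted config; it supports only the `any`/`host`/wildcard address forms and `eq` port qualifiers that occur in this config, and the service-name table is my own.

```python
import ipaddress

PORT_NAMES = {"telnet": 23, "www": 80, "cmd": 514, "snmp": 161, "domain": 53}  # IOS keywords
# Excerpt of access-list 103 copied from the posted running-config
ACL_103 = """
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 permit tcp host 10.10.10.117 host 10.10.10.1 eq telnet
access-list 103 deny   tcp any host 10.10.10.1 eq telnet
access-list 103 deny   udp any host 10.10.10.1 eq snmp
access-list 103 permit udp host 10.10.10.1 eq domain any
access-list 103 permit ip any host 10.10.10.1
access-list 103 permit ip any any
""".strip().splitlines()

def _addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD' (IOS wildcard = hostmask)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def _port(tokens):
    """Consume an optional 'eq <port|name>' qualifier; None means any port."""
    if not tokens or tokens[0] != "eq":
        return None, tokens
    return (int(tokens[1]) if tokens[1].isdigit() else PORT_NAMES[tokens[1]]), tokens[2:]

def parse_acl(lines, number):
    """Ordered (action, proto, src, sport, dst, dport) entries of extended ACL <number>; remarks skipped."""
    entries = []
    for t in (line.split() for line in lines):
        if len(t) < 4 or t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        src, rest = _addr(t[4:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, _ = _port(rest)
        entries.append((t[2], t[3], src, sport, dst, dport))
    return entries

def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """First matching entry decides; no match falls through to the implicit deny, as on IOS."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, eproto, esrc, esport, edst, edport in entries:
        if eproto in ("ip", proto) and s in esrc and d in edst \
                and esport in (None, sport) and edport in (None, dport):
            return action  # first match wins
    return "deny"  # implicit deny any any
```

Note that the `deny udp any host 10.10.10.1 eq snmp` line sits before `permit ip any host 10.10.10.1`, so SNMP to the router is refused even from the management host, while any other protocol to the router is let through.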



dorvin
CCIE
CCIE
Posts: 1688
Registered: 21 Jan 2008, 13:21
Location: Wrocław
Contact:

#15

#15 Post by dorvin »

I don't see anything in the config related to the advice you've already been given. And I don't know why you have ACLs assigned to the interfaces when you've configured ZBF. :)
