zaphodb

Cisco 878 Port-Forwarding

Hello community,
I'm new here, and I'm here because I have a problem with a Cisco 878. This router is supplied as part of a G.SHDSL line from O2.
At O2, support for this device runs as "unmanaged", i.e. there is no support. If you order such a line, it is installed and tested, and the router is delivered preconfigured. The Cisco's configuration is designed for use in a small network.

So far so good. Unfortunately I now have the task of adapting this router to the customer's network, including various port forwards. While switching to a fixed IP with the help of the SDM tool worked without problems, I'm now more or less throwing in the towel.

The problem is the port forwards, which could be set up without any problems on the previous system (LANCOM 1821). I suspect, though, that the fault definitely lies with me, or rather with my lack of understanding of Cisco's config.

Here at the customer there is a 192.168.0.0/24 network containing three servers: x.250 (Windows 2k3), x.253 (Linux NFS storage), x.252 (Asterisk VoIP system).

Furthermore, individual clients (all WinXP Pro) must be reachable from outside: x.2 (port 5902), x.1 (port 22), x.3 (port 5903). The Asterisk must be reachable via ports 22 and 80 for maintenance, and thanks to a few field staff there must be a forward of the mail protocols to x.250 (25, 110, 143 or 993, 995).

The Cisco works wonderfully when working in the network here; you get onto the Internet at 2.3 Mbit/s symmetric, and you can also make calls without trouble, which runs over two SIP accounts on the same line. SIP itself can be disregarded, as it is (currently) only set up for outgoing calls; later, though, the field staff should also be able to use softphones to make SIP calls (this already worked in test operation on the LANCOM).

My problem is the forwarding. With the SDM tool (I don't really dare to touch the CLI) I can't get a NAT port forward set up in the sense of:

ATM0(ip.vom.provi.der:5902) -> 192.168.0.2:5902 as TCP
(reachable via DynDNS, so host:5902 should also work)

Attached is the current config of the 878:


Building configuration...

Current configuration : 11896 bytes
!
! Last configuration change at 17:01:03 Berlin Tue Feb 26 2008 by ght_6240
!
version 12.4
service nagle
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname ght_6240
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable secret 5 $1$Na1c$f46tzKXLlePqDk.pVnUgn0
!
aaa new-model
!
!
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
!
aaa session-id common
clock timezone Berlin 1
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
ip cef
no ip dhcp conflict logging
!
!
ip port-map user-protocol--2 port tcp 5901
ip port-map user-protocol--3 port tcp 8001
ip port-map user-protocol--1 port tcp 5902
ip telnet source-interface Dialer3
ip tftp source-interface Dialer3
no ip bootp server
ip domain name dsl.o2online.de
ip ddns update method sdm_ddns1
HTTP
add http://bla:blub@members.dyndns.org/nic/update?system=dyndns&hostnam ...;
remove http://bla:blub@members.dyndns.org/nic/update?system=dyndns&hostnam ...;
!
!
!
crypto pki trustpoint TP-self-signed-1132382139
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1132382139
revocation-check none
rsakeypair TP-self-signed-1132382139
!
!
crypto pki certificate chain TP-self-signed-1132382139
certificate self-signed 01
30820250 308201B9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31313332 33383231 3339301E 170D3038 30313232 31343132
33325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31333233
38323133 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D48C E61E4D5E EE7FF513 8C811ED6 E39B0B32 A5DBD814 B4D7E014 6DD1657A
A2AE7AF8 F56B0F50 35F5DB5F 3E2706B8 4D7A20E0 5F981294 28251E84 F775114F
F894B121 B29A38A5 3EB741FC FE74C470 48F29574 8B87A3A6 CECD5C6F 21CCBCD3
4844C237 9295ED35 E16B6640 1D15E2F6 18429369 5C249977 319FDB87 08300F8A
B56F0203 010001A3 78307630 0F060355 1D130101 FF040530 030101FF 30230603
551D1104 1C301A82 18676874 5F363234 302E6473 6C2E6F32 6F6E6C69 6E652E64
65301F06 03551D23 04183016 8014A10E 15FC9A21 26B26B1B A061F253 02131FCA
FDD9301D 0603551D 0E041604 14A10E15 FC9A2126 B26B1BA0 61F25302 131FCAFD
D9300D06 092A8648 86F70D01 01040500 03818100 49C379D7 BD1B5276 045D5D26
D211792D 4CA026CF 5105F00D 186A31D4 2124A7A5 E0EF0A38 0592B51F 51A65EE4
DA9DADF7 8D2DDE74 C1AD02F7 E224C2B8 177DFE82 4C336B61 D8145B08 AE97064D
2E5F25C7 3C3B0CF4 7A0237AA ACB6D55A 5160F643 4CBF9F21 6F35D4A6 50E71067
827C0F5D 112B779B A2A6E4BA 911091C8 7B8EDFBF
quit
!
!
username ght_6240 privilege 15 secret 5 $1$/Wcc$PgoxDB.f9jfU0W0QhwPPJ/
!
!
controller DSL 0
mode atm
line-term cpe
line-mode auto
dsl-mode shdsl symmetric annex B
!
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-all sdm-nat-user-protocol--3-1
match access-group 101
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-http-1
match access-group 103
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-2
match access-group 111
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 112
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-smtp-1
match access-group 106
match protocol smtp
class-map type inspect match-all sdm-nat-http-3
match access-group 114
match protocol http
class-map type inspect match-all sdm-nat-imap-1
match access-group 108
match protocol imap
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-nat-pop3-1
match access-group 107
match protocol pop3
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 113
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect match-all sdm-nat-ssh-1
match access-group 104
match protocol ssh
class-map type inspect match-all sdm-nat-ssh-2
match access-group 105
match protocol ssh
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-http-1
inspect
class type inspect sdm-nat-ssh-1
inspect
class type inspect sdm-nat-ssh-2
inspect
class type inspect sdm-nat-smtp-1
inspect
class type inspect sdm-nat-pop3-1
inspect
class type inspect sdm-nat-imap-1
inspect
class type inspect sdm-nat-user-protocol--1-2
inspect
class type inspect sdm-nat-user-protocol--2-1
inspect
class type inspect sdm-nat-http-3
inspect
class type inspect sdm-nat-user-protocol--3-1
inspect
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class class-default
policy-map type inspect sdm-permit
class type inspect sdm-access
inspect
class class-default
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group externals
key ghtberlinexternal
dns 192.168.0.250
wins 192.168.0.250
domain ghtbln.net
pool SDM_POOL_1
max-users 10
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
bridge irb
!
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
shutdown
!
interface ATM0
description * SHDSL interface (UR2) Telefonica DSL *$ES_WAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
pvc 1/32
pppoe-client dial-pool-number 3
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description * LAN Verbindung zum Kunden *$FW_INSIDE$
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security in-zone
bridge-group 1
!
interface Dialer3
description * DSL Einwahl *$FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow egress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 3
no cdp enable
ppp pap sent-username dslflat/ght_6240%inet-xdsl password 7 08377E771E0D312202
ppp ipcp dns request
ppp ipcp route default
!
interface BVI1
description * LAN Verbindung zum Kunden *$FW_INSIDE$
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
ip local pool SDM_POOL_1 192.168.0.220 192.168.0.229
ip local pool SDM_POOL_2 192.168.1.10 192.168.1.20
ip flow-top-talkers
top 10
sort-by bytes
!
no ip http server
ip http access-class 20
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list 2 interface Dialer3 overload
ip nat inside source static tcp 192.169.0.252 80 interface Dialer3 8001
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
remark SDM_ACL Category=1
remark SDM_ACL Category=1
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
remark SDM_ACL Category=1
remark SDM_ACL Category=1
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_IP
remark SDM_ACL Category=1
permit ip any any
remark SDM_ACL Category=1
remark SDM_ACL Category=1
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=1
permit tcp any any eq 22
ip access-list extended srv1
remark SDM_ACL Category=2
remark Flow 5901
permit tcp any host 192.168.0.250
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 20 remark SDM_ACL Category=17
access-list 20 permit 192.168.0.0 0.0.0.255
access-list 37 permit 62.54.254.0 0.0.0.3
access-list 37 permit 192.168.0.0 0.0.0.255
access-list 37 remark SDM_ACL Category=17
access-list 37 remark SDM_ACL Category=17
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 remark SDM_ACL Category=128
access-list 100 remark SDM_ACL Category=128
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.0.252
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.0.250
access-list 102 remark SDM_ACL Category=0
access-list 102 remark SDM_ACL Category=0
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.169.0.252
access-list 113 remark SDM_ACL Category=128
access-list 113 permit ip any any
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
password 7 1313252B1C18301F3B
no modem enable
line aux 0
password 7 07191375591D2D3007
line vty 0 4
access-class 37 in
privilege level 15
password 7 10583B201203263E1C
!
scheduler max-task-time 5000
ntp server 131.234.137.23 source ATM0 prefer
end

I'd be glad if someone here could remove the lump from my head and give me a hint.

Thanks in advance :-)

zaphodb

Url: https://administrator.de/contentid/81709

Member: aqui
aqui Feb 26, 2008 at 17:21:20 (UTC)
This is what the port forwarding looks like in the config:

ip nat inside source static tcp 192.168.0.10 5902 <DSL_IP_Adr> 5902 extendable
(example for the host with address .10 and port TCP 5902)

ip nat inside source static tcp 192.168.0.20 22 <DSL_IP_Adr> 22 extendable
ip nat inside source static tcp 192.168.0.20 80 <DSL_IP_Adr> 80 extendable
(example for the Asterisk host with address .20 and ports TCP 22 and 80)

ip nat inside source static tcp 192.168.0.250 25 <DSL_IP_Adr> 25 extendable
ip nat inside source static tcp 192.168.0.250 110 <DSL_IP_Adr> 110 extendable
ip nat inside source static tcp 192.168.0.250 143 <DSL_IP_Adr> 143 extendable
(example for the mail host with address .250 and ports TCP 25, 110 and 143)

etc. The procedure is always the same for the ports.
Member: zaphodb
zaphodb Mar 10, 2008 at 13:00:02 (UTC)
Thanks for the quick answer; unfortunately I was away on a short business trip in the meantime.

I've put the change into the config, with no result, but it may also be in the wrong place.

Here is the changed config once more:


Building configuration...

Current configuration : 14328 bytes
!
! Last configuration change at 13:54:37 Berlin Mon Mar 10 2008 by ght_6240
!
version 12.4
service nagle
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname ght_6240
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable secret 5 $1$Na1c$f46tzKXLlePqDk.pVnUgn0
!
aaa new-model
!
!
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
!
aaa session-id common
clock timezone Berlin 1
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
ip cef
no ip dhcp conflict logging
!
!
ip port-map user-protocol--2 port tcp 5901 list 4 description Server vnc
ip port-map user-protocol--3 port tcp 8001
ip port-map user-protocol--1 port tcp 5902 list 3 description Armin VNC
ip telnet source-interface Dialer3
ip tftp source-interface Dialer3
no ip bootp server
ip domain name dsl.o2online.de
ip ddns update method sdm_ddns1
HTTP
add http://bla:blub@members.dyndns.org/nic/update?system=dyndns&hostnam ...;
remove http://bla:blub@members.dyndns.org/nic/update?system=dyndns&hostnam ...;
!
!
!
crypto pki trustpoint TP-self-signed-1132382139
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1132382139
revocation-check none
rsakeypair TP-self-signed-1132382139
!
!
crypto pki certificate chain TP-self-signed-1132382139
certificate self-signed 01
30820250 308201B9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31313332 33383231 3339301E 170D3038 30313232 31343132
33325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31333233
38323133 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D48C E61E4D5E EE7FF513 8C811ED6 E39B0B32 A5DBD814 B4D7E014 6DD1657A
A2AE7AF8 F56B0F50 35F5DB5F 3E2706B8 4D7A20E0 5F981294 28251E84 F775114F
F894B121 B29A38A5 3EB741FC FE74C470 48F29574 8B87A3A6 CECD5C6F 21CCBCD3
4844C237 9295ED35 E16B6640 1D15E2F6 18429369 5C249977 319FDB87 08300F8A
B56F0203 010001A3 78307630 0F060355 1D130101 FF040530 030101FF 30230603
551D1104 1C301A82 18676874 5F363234 302E6473 6C2E6F32 6F6E6C69 6E652E64
65301F06 03551D23 04183016 8014A10E 15FC9A21 26B26B1B A061F253 02131FCA
FDD9301D 0603551D 0E041604 14A10E15 FC9A2126 B26B1BA0 61F25302 131FCAFD
D9300D06 092A8648 86F70D01 01040500 03818100 49C379D7 BD1B5276 045D5D26
D211792D 4CA026CF 5105F00D 186A31D4 2124A7A5 E0EF0A38 0592B51F 51A65EE4
DA9DADF7 8D2DDE74 C1AD02F7 E224C2B8 177DFE82 4C336B61 D8145B08 AE97064D
2E5F25C7 3C3B0CF4 7A0237AA ACB6D55A 5160F643 4CBF9F21 6F35D4A6 50E71067
827C0F5D 112B779B A2A6E4BA 911091C8 7B8EDFBF
quit
!
!
username bliblablub privilege 15 secret 5 $1$/Wcc$PgoxDB.f9jfU1W0QhwPPJ/
!
!
controller DSL 0
mode atm
line-term cpe
line-mode auto
dsl-mode shdsl symmetric annex B
!
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-all sdm-nat-user-protocol--3-1
match access-group 101
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-http-1
match access-group 103
match protocol http
class-map type inspect match-any VNC
match protocol user-protocol--1
match protocol user-protocol--3
match protocol user-protocol--2
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
match class-map VNC
match access-group name VNCS
class-map type inspect match-all sdm-nat-smtp-1
match access-group 106
match protocol smtp
class-map type inspect match-all sdm-nat-http-3
match access-group 114
match protocol http
class-map type inspect match-all sdm-nat-imap-1
match access-group 108
match protocol imap
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-nat-pop3-1
match access-group 107
match protocol pop3
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 113
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect match-all sdm-nat-ssh-1
match access-group 104
match protocol ssh
class-map type inspect match-all sdm-nat-ssh-2
match access-group 105
match protocol ssh
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
inspect
class type inspect sdm-nat-http-1
inspect
class type inspect sdm-nat-ssh-1
inspect
class type inspect sdm-nat-ssh-2
inspect
class type inspect sdm-nat-smtp-1
inspect
class type inspect sdm-nat-pop3-1
inspect
class type inspect sdm-nat-imap-1
inspect
class type inspect sdm-nat-http-3
inspect
class type inspect sdm-nat-user-protocol--3-1
inspect
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class class-default
policy-map type inspect sdm-permit
class type inspect sdm-access
inspect
class class-default
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group externals
key ghtberlinexternal
dns 192.168.0.250
wins 192.168.0.250
domain bliblibbel.net
pool SDM_POOL_1
max-users 10
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
bridge irb
!
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
shutdown
!
interface ATM0
description * SHDSL interface (UR2) Telefonica DSL *$ES_WAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
pvc 1/32
pppoe-client dial-pool-number 3
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description * LAN Verbindung zum Kunden *$FW_INSIDE$
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security in-zone
bridge-group 1
!
interface Dialer3
description * DSL Einwahl *$FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow egress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 3
no cdp enable
ppp pap sent-username dslflat/blablablub%inet-xdsl password 7 08375E771E0D312202
ppp ipcp dns request
ppp ipcp route default
!
interface BVI1
description * LAN Verbindung zum Kunden *$FW_INSIDE$
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
ip local pool SDM_POOL_1 192.168.0.220 192.168.0.229
ip local pool SDM_POOL_2 192.168.1.10 192.168.1.20
ip flow-top-talkers
top 10
sort-by bytes
!
no ip http server
ip http access-class 20
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list 2 interface Dialer3 overload
ip nat inside source static tcp 192.168.0.20 22 62.54.184.228 22 extendable
ip nat inside source static tcp 192.168.0.250 25 62.54.184.228 25 extendable
ip nat inside source static tcp 192.168.0.20 80 62.54.184.228 80 extendable
ip nat inside source static tcp 192.168.0.250 110 62.54.184.228 110 extendable
ip nat inside source static tcp 192.168.0.250 143 62.54.184.228 143 extendable
ip nat inside source static tcp 192.168.0.250 5901 62.54.184.228 5901 extendable
ip nat inside source static tcp 192.168.0.1 5902 62.54.184.228 5902 extendable
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
remark SDM_ACL Category=1
remark SDM_ACL Category=1
remark SDM_ACL Category=1
remark SDM_ACL Category=1
remark SDM_ACL Category=1
remark SDM_ACL Category=1
remark SDM_ACL Category=1
remark SDM_ACL Category=1
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
remark SDM_ACL Category=1
remark SDM_ACL Category=1
remark SDM_ACL Category=1
remark SDM_ACL Category=1
remark SDM_ACL Category=1
remark SDM_ACL Category=1
remark SDM_ACL Category=1
remark SDM_ACL Category=1
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
remark SDM_ACL Category=1
remark SDM_ACL Category=1
ip access-list extended SDM_IP
remark SDM_ACL Category=1
permit ip any any
remark SDM_ACL Category=1
remark SDM_ACL Category=1
remark SDM_ACL Category=1
remark SDM_ACL Category=1
remark SDM_ACL Category=1
remark SDM_ACL Category=1
remark SDM_ACL Category=1
remark SDM_ACL Category=1
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
remark SDM_ACL Category=1
remark SDM_ACL Category=1
ip access-list extended SDM_SSH
remark SDM_ACL Category=1
permit tcp any any eq 22
remark SDM_ACL Category=1
remark SDM_ACL Category=1
ip access-list extended VNCS
remark SDM_ACL Category=128
permit ip any host 192.168.0.250
ip access-list extended srv1
remark SDM_ACL Category=2
remark Flow 5901
permit tcp any host 192.168.0.250
remark SDM_ACL Category=2
remark Flow 5901
remark SDM_ACL Category=2
remark Flow 5901
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 192.168.0.2
access-list 4 remark SDM_ACL Category=1
access-list 4 permit 192.168.0.250
access-list 20 remark SDM_ACL Category=17
access-list 20 permit 192.168.0.0 0.0.0.255
access-list 37 permit 62.54.254.0 0.0.0.3
access-list 37 permit 192.168.0.0 0.0.0.255
access-list 37 remark SDM_ACL Category=17
access-list 37 remark SDM_ACL Category=17
access-list 37 remark SDM_ACL Category=17
access-list 37 remark SDM_ACL Category=17
access-list 37 remark SDM_ACL Category=17
access-list 37 remark SDM_ACL Category=17
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 remark SDM_ACL Category=128
access-list 100 remark SDM_ACL Category=128
access-list 100 remark SDM_ACL Category=128
access-list 100 remark SDM_ACL Category=128
access-list 100 remark SDM_ACL Category=128
access-list 100 remark SDM_ACL Category=128
access-list 100 remark SDM_ACL Category=128
access-list 100 remark SDM_ACL Category=128
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.0.252
access-list 101 remark SDM_ACL Category=0
access-list 101 remark SDM_ACL Category=0
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.0.250
access-list 102 remark SDM_ACL Category=0
access-list 102 remark SDM_ACL Category=0
access-list 102 remark SDM_ACL Category=0
access-list 102 remark SDM_ACL Category=0
access-list 102 remark SDM_ACL Category=0
access-list 102 remark SDM_ACL Category=0
access-list 102 remark SDM_ACL Category=0
access-list 102 remark SDM_ACL Category=0
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.169.0.252
access-list 103 remark SDM_ACL Category=0
access-list 103 remark SDM_ACL Category=0
access-list 113 remark SDM_ACL Category=128
access-list 113 permit ip any any
access-list 113 remark SDM_ACL Category=128
access-list 113 remark SDM_ACL Category=128
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
password 7 1313252B1C18301F3B
no modem enable
line aux 0
password 7 07191375591D2D3007
line vty 0 4
access-class 37 in
privilege level 15
password 7 10583B201203263E1C
!
scheduler max-task-time 5000
ntp server 131.234.137.23 source ATM0 prefer
end

--end config

Perhaps this config could be thinned down to what is necessary? VPN and QoS are not needed for now. Also, I suddenly have a new interface "BV1" in the config in addition to "Vlan1" .... I'm a bit at a loss.

Thanks again
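Added example (not from the thread, and not a Cisco or SDM tool): a small Python check that reads an IOS running-config and reports why an inbound forward cannot work behind the SDM-built zone-based firewall in the two dumps above. On this config a static `ip nat inside source static tcp` line alone is not enough. The `out-zone` to `in-zone` zone-pair only inspects what one of its class-maps matches, and the SDM class-maps match an ACL (`permit ip any host <inside address>`) together with a protocol (`http`, `ssh`, or a `user-protocol--N` defined by `ip port-map`). The script checks each forward against the LAN subnet of the `ip nat inside` interface, against the host and port pairs the inbound policy inspects, and flags ACLs that class-maps reference but the config never defines. The embedded config is a constructed excerpt modelled on the thread's, indented the way real `show running-config` output is (the forum stripped the indentation); function and variable names are mine; `match class-map` nesting is resolved one level only and other ZBF constructs are ignored.

```python
"""Added example (not from the thread): check static NAT forwards against the IOS zone-based firewall."""
import ipaddress
import re
# Constructed excerpt modelled on the thread's 878 config, indented as real 'show run' output is.
SAMPLE_CONFIG = """\
ip port-map user-protocol--1 port tcp 5902
class-map type inspect match-all sdm-nat-http-1
 match access-group 103
 match protocol http
class-map type inspect match-all sdm-nat-ssh-1
 match access-group 104
 match protocol ssh
class-map type inspect match-all sdm-nat-user-protocol--1-2
 match access-group 111
 match protocol user-protocol--1
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-ssh-1
  inspect
 class type inspect sdm-nat-user-protocol--1-2
  inspect
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
interface BVI1
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 zone-member security in-zone
ip nat inside source static tcp 192.169.0.252 80 interface Dialer3 8001
ip nat inside source static tcp 192.168.0.1 5902 interface Dialer3 5902
ip nat inside source static tcp 192.168.0.252 80 interface Dialer3 80
access-list 103 permit ip any host 192.168.0.252
access-list 111 permit ip any host 192.168.0.2
"""

def parse_config(text):
    """Collect the config objects that decide whether an inbound forward can work."""
    cfg = {"ports": {"http": 80, "https": 443, "ssh": 22, "smtp": 25, "pop3": 110, "imap": 143},
           "acls": {}, "cmaps": {}, "pmaps": {}, "pairs": [], "fwds": [], "lan": None, "in_zone": None}
    kind = ctx = None                          # type of the current block and the object it fills
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("!"): continue
        if not line.startswith(" "):           # unindented line: opens (or is) a top-level statement
            kind = ctx = None
            if m := re.match(r"ip port-map (\S+) port tcp (\d+)", s):
                cfg["ports"][m[1]] = int(m[2])   # user-protocol--N names used by 'match protocol'
            elif m := re.match(r"access-list (\d+) permit ip any host (\S+)", s):
                cfg["acls"].setdefault(m[1], set()).add(m[2])
            elif m := re.match(r"ip access-list extended (\S+)", s):
                kind, ctx = "acl", cfg["acls"].setdefault(m[1], set())
            elif m := re.match(r"class-map type inspect match-\w+ (\S+)", s):
                kind, ctx = "cmap", cfg["cmaps"].setdefault(m[1], {"acls": set(), "protos": set(), "nested": set()})
            elif m := re.match(r"policy-map type inspect (\S+)", s):
                kind, ctx = "pmap", cfg["pmaps"].setdefault(m[1], {"classes": [], "pending": None})
            elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", s):
                kind, ctx = "pair", (m[1], m[2])
            elif s.startswith("interface "):
                kind, ctx = "intf", {}
            elif m := re.match(r"ip nat inside source static tcp (\S+) (\d+) (?:interface \S+|\S+) (\d+)", s):
                cfg["fwds"].append((m[1], int(m[2]), int(m[3])))   # inside host, inside port, outside port
        elif kind == "acl" and (m := re.match(r"permit ip any host (\S+)", s)):
            ctx.add(m[1])
        elif kind == "cmap" and (m := re.match(r"match (access-group(?: name)?|protocol|class-map) (\S+)", s)):
            {"protocol": ctx["protos"], "class-map": ctx["nested"]}.get(m[1], ctx["acls"]).add(m[2])
        elif kind == "pmap":
            if s.startswith("class "):             # 'class class-default' leaves nothing pending
                ctx["pending"] = (re.match(r"class type inspect (\S+)", s) or [None, None])[1]
            elif s in ("inspect", "pass") and ctx["pending"]:
                ctx["classes"].append(ctx["pending"])   # only classes with an allowing action count
        elif kind == "pair" and (m := re.match(r"service-policy type inspect (\S+)", s)):
            cfg["pairs"].append((*ctx, m[1]))
        elif kind == "intf":
            if m := re.match(r"ip address (\d\S*) (\d\S*)", s):
                ctx["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            elif m := re.match(r"zone-member security (\S+)", s):
                ctx["zone"] = m[1]
            ctx["inside"] = ctx.get("inside") or s == "ip nat inside"
            if ctx["inside"] and "net" in ctx:     # addressed 'ip nat inside' interface = the LAN
                cfg["lan"], cfg["in_zone"] = ctx["net"], ctx.get("zone")
    return cfg

def check_forwards(text):
    """One finding per forward the firewall would block, plus dangling ACL references."""
    cfg, findings, allowed = parse_config(text), [], set()   # allowed: (inside host, port) pairs
    inbound = [pol for _src, dst, pol in cfg["pairs"] if dst == cfg["in_zone"]]
    for cname in [c for pol in inbound for c in cfg["pmaps"].get(pol, {"classes": []})["classes"]]:
        cm = cfg["cmaps"].get(cname, {"acls": set(), "protos": set(), "nested": set()})
        protos = cm["protos"].union(*(cfg["cmaps"].get(n, cm)["protos"] for n in cm["nested"]))
        findings += [f"class-map {cname} references undefined ACL {a}" for a in sorted(cm["acls"] - set(cfg["acls"]))]
        hosts = {"any"} if not cm["acls"] else set().union(*(cfg["acls"].get(a, set()) for a in cm["acls"]))
        allowed |= {(h, cfg["ports"].get(p)) for h in hosts for p in protos}
    for host, iport, oport in cfg["fwds"]:
        if cfg["lan"] and ipaddress.ip_address(host) not in cfg["lan"]:
            findings.append(f"forward {oport}->{host}:{iport}: {host} is not in LAN {cfg['lan']}")
        elif (host, iport) not in allowed and ("any", iport) not in allowed:
            findings.append(f"forward {oport}->{host}:{iport}: no inspect class on the outside->inside zone-pair matches it")
    return findings
```

Calling `check_forwards(SAMPLE_CONFIG)` yields three findings: the class-map that points at the undefined ACL 104, the forward to `192.169.0.252` (not in 192.168.0.0/24), and the 5902 forward to .1 while ACL 111 only permits .2; the last forward, port 80 to .252, passes because the NAT line, the ACL host and the `http` class-map all agree, which is the trio every forward on this box needs. Run against the thread's own dumps (after re-indenting them), it would point at the same kinds of problems: the `192.169.0.252` typo in the NAT line and in ACL 103, the class-maps referencing ACLs 104 to 108, 111, 112 and 114 that are defined nowhere, and, in the second config, the 5902 forward to 192.168.0.1 while ACL 3 permits .2 and the VNCS ACL only .250. The second config also forwards 22 and 80 to 192.168.0.20, the placeholder address from the answer, while the Asterisk was said to live at .252.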