For a remote site that connects through a Cisco 836 router over a VPN tunnel to the PIX 515 at our head office, a PC at the remote site must be reachable on ports UDP 5632 and TCP 5631. Management is done by a third party (see the access-list) and must also only be reachable from their public IP.
Remote site details:
PC: 192.168.40.11
Subnet: 255.255.255.0
ISP: Planet Internet
Head office:
IP 10.103.10.X
Subnet: 255.255.255.0
I put the config together using Google, Cisco and Tweakers (port forwarding / VPN connection on Cisco 800 series).
Can someone tell me whether this config should work? I am fairly new to Cisco.
In my opinion the following config should work:
Building configuration...
Current configuration : 4867 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname CISCO836KD
!
logging buffered 51200 warnings
enable secret WWW
!
username cadmin privilege 15 password www
no aaa new-model
ip subnet-zero
no ip domain lookup
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.40.1 192.168.40.11
ip dhcp excluded-address 192.168.40.250 192.168.40.254
!
ip dhcp pool CLIENT
import all
network 192.168.40.0 255.255.255.0
default-router 192.168.40.254
netbios-name-server 10.103.10.10 10.103.10.11
no dns-server 10.103.10.10 10.103.10.11
lease 0 2
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 11
hash md5
authentication pre-share
crypto isakmp key www address EXTERN_IP_PIX
!
!
crypto ipsec transform-set hobaho esp-des esp-md5-hmac
!
crypto map mymap 11 ipsec-isakmp
set peer EXTERN_IP_PIX
! transform-set name must match the one defined above (hobaho), not the placeholder NAAM
set transform-set hobaho
match address 120
!
!
interface Ethernet0
description $FW_INSIDE$
ip address 192.168.40.254 255.255.255.0
ip access-group 100 in
ip nat inside
no keepalive
hold-queue 100 out
!
interface BRI0
no ip address
shutdown
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0 8/48
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
ip nat outside
ip inspect DEFAULT100 out
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username USERNAME password WWW
crypto map mymap
!
ip nat inside source route-map nonat interface Dialer0 overload
! static port forwards for the management PC; "nonat ext" written out as the
! full keywords; route-map nonat (ACL 130) keeps VPN-bound traffic untranslated
ip nat inside source static udp 192.168.40.11 5632 EXTERN_IP_LOCATIE 5632 extendable route-map nonat
ip nat inside source static tcp 192.168.40.11 5631 EXTERN_IP_LOCATIE 5631 extendable route-map nonat
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ahp host EXTERN_IP_PIX any
access-list 101 permit esp host EXTERN_IP_PIX any
access-list 101 permit udp host EXTERN_IP_PIX any eq isakmp
access-list 101 permit udp host EXTERN_IP_PIX any eq non500-isakmp
access-list 101 permit tcp host EXTERN_IP_BEHEERBEDRIJF host EXTERN_IP_LOCATIE eq 5631
access-list 101 permit udp host EXTERN_IP_BEHEERBEDRIJF host EXTERN_IP_LOCATIE eq 5632
access-list 101 permit ip 10.103.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 101 permit ip 192.9.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.40.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 120 permit ip 192.168.40.0 0.0.0.255 10.103.0.0 0.0.255.255
access-list 120 permit ip 192.168.40.0 0.0.0.255 192.9.0.0 0.0.255.255
access-list 130 deny ip 192.168.40.0 0.0.0.255 10.103.0.0 0.0.255.255
access-list 130 deny ip 192.168.40.0 0.0.0.255 192.9.0.0 0.0.255.255
access-list 130 permit ip 192.168.40.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map nonat permit 10
match ip address 130
!
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
! access-list 23 is referenced here but not defined anywhere in this config
access-class 23 in
exec-timeout 120 0
privilege level 15
password WWW
login
transport input telnet ssh
!
scheduler max-task-time 5000
!
!
end
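Added example, not part of the original post: a small first-match simulator for the inbound ACL 101 on Dialer0, so the "only reachable from the management company's public IP" requirement can be checked on a workstation before the config goes on the router. The three public addresses EXTERN_IP_PIX, EXTERN_IP_BEHEERBEDRIJF and EXTERN_IP_LOCATIE are replaced by constructed documentation-range placeholders, and the two typos in the posted ACL ("PIXany", "hosy") are corrected. It models only the ACL (numbered extended syntax with `any`, `host`, wildcard masks, `eq`, and ICMP type names); it does not model NAT order, CBAC (`ip inspect`) return-traffic holes, or the fact that older IOS checks decrypted IPsec packets against the interface ACL a second time, so it is a sanity check on the rule set, not on the router.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed placeholders (RFC 5737 documentation ranges) standing in for the
# post's EXTERN_IP_PIX, EXTERN_IP_BEHEERBEDRIJF and EXTERN_IP_LOCATIE.
PIX = "198.51.100.1"
BEHEER = "203.0.113.10"
LOCATIE = "192.0.2.20"

# ACL 101 as posted, placeholders substituted, typos fixed; remarks are skipped.
ACL_101 = f"""
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 permit ahp host {PIX} any
access-list 101 permit esp host {PIX} any
access-list 101 permit udp host {PIX} any eq isakmp
access-list 101 permit udp host {PIX} any eq non500-isakmp
access-list 101 permit tcp host {BEHEER} host {LOCATIE} eq 5631
access-list 101 permit udp host {BEHEER} host {LOCATIE} eq 5632
access-list 101 permit ip 10.103.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 101 permit ip 192.9.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.40.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
"""

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}
PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ahp": 51}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "time-exceeded": 11}
AddrSpec = Tuple[int, int]  # (address, wildcard mask) as integers


@dataclass
class Rule:
    permit: bool
    proto: Optional[int]   # None means "ip" (any protocol)
    src: AddrSpec
    dst: AddrSpec
    qual: Optional[int]    # TCP/UDP destination port or ICMP type, if given


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # destination port, or ICMP type for proto 1


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(t, i) -> Tuple[AddrSpec, int]:
    """Consume one address spec (any | host X | X wildcard) starting at t[i]."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2


def parse_acl(text: str, number: int):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        qual = None
        if i < len(t):
            if proto in ("tcp", "udp") and t[i] == "eq":
                qual = PORT_NAMES.get(t[i + 1])
                if qual is None:
                    qual = int(t[i + 1])
            elif proto == "icmp":
                qual = ICMP_TYPES[t[i]]
        rules.append(Rule(action == "permit", PROTO_NUM[proto], src, dst, qual))
    return rules


def _addr_match(spec: AddrSpec, ip: str) -> bool:
    addr, wild = spec
    # Bits set in the wildcard are don't-care, so compare only the remaining bits.
    return (addr | wild) == (_ip(ip) | wild)


def evaluate(rules, pkt: Packet) -> str:
    """First-match evaluation with IOS's implicit 'deny ip any any' at the end."""
    for r in rules:
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if not (_addr_match(r.src, pkt.src) and _addr_match(r.dst, pkt.dst)):
            continue
        if r.qual is not None and r.qual != pkt.dport:
            continue
        return "permit" if r.permit else "deny"
    return "deny"


def check_management_access(rules=None):
    """Verdicts for the flows the post cares about, arriving inbound on Dialer0."""
    rules = rules if rules is not None else parse_acl(ACL_101, 101)
    stranger = "203.0.113.99"  # constructed: an unrelated Internet host
    cases = {
        "manager tcp/5631 to site": Packet(BEHEER, LOCATIE, 6, 5631),
        "manager udp/5632 to site": Packet(BEHEER, LOCATIE, 17, 5632),
        "stranger tcp/5631 to site": Packet(stranger, LOCATIE, 6, 5631),
        "manager tcp/23 to site": Packet(BEHEER, LOCATIE, 6, 23),
        "PIX isakmp": Packet(PIX, LOCATIE, 17, 500),
        "stranger isakmp": Packet(stranger, LOCATIE, 17, 500),
        "spoofed inside source": Packet("192.168.40.11", LOCATIE, 6, 80),
        "decrypted HQ to LAN": Packet("10.103.10.10", "192.168.40.11", 6, 445),
        "ping reply from Internet": Packet(stranger, LOCATIE, 1, 0),
    }
    return {name: evaluate(rules, p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in check_management_access().items():
        print(f"{verdict:6} {name}")
```

Running it shows the two management ports permitted only from the manager's address, ISAKMP accepted only from the PIX, and everything else from the Internet falling through to the final deny; if you later add a rule, re-run it with the new ACL text to see which earlier line it is shadowed by.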