CISCO 1841 Zone based firewall CCP

Secure your network!

Moderator: Federico.Lagni

lordnemesi
n00b
Posts: 20
Joined: Tue 30 Jul 2013, 7:40 am

Hi all,
I have a Cisco 1841 with an ADSL HWIC. I configure it partly from the CLI and partly with CCP. I tried to configure the basic firewall, but I noticed that once the configuration is applied I can no longer connect to Microsoft PPTP servers. Specifically, the MS client claims that GRE traffic is not getting through the router.
I think I did enable the damned GRE traffic, but evidently something is escaping me.

Below is my config, can you give me a hand, please? :D

Building configuration...

Current configuration : 9602 bytes
!
! Last configuration change at 14:56:17 PCTime Tue Dec 16 2014 by root
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ****************
!
boot-start-marker
boot system flash c1841-adventerprisek9-mz.151-4.M8.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
enable secret 4 
!
aaa new-model
!
!
aaa group server radius ADAUTH
 server XXX.XXX.XXX.XXX
!
aaa authentication login default group ADAUTH local
aaa authorization exec default group ADAUTH local 
!
!
!
!
!
aaa session-id common
!
clock timezone PCTime 1 0
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
dot11 syslog
no ip source-route
!
!
!
ip dhcp excluded-address 192.168.39.201 192.168.39.254
!
ip dhcp pool ccp-pool1
 network XXX.XXX.XXX.XXX 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4 
 default-router XXX.XXX.XXX.XXX 
!
!
ip cef
no ip bootp server
ip domain name xx.xx
ip name-server XXX.XXX.XXX.XXX
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO1841 sn FCZ104312RR
username root privilege 15 secret 4 kufggvgvghchkdftkftddtyyrjtdjd
!
redundancy
!
!
ip tcp synwait-time 10
!
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-all sdm-nat-isakmp-1
 match access-group 103
 match protocol isakmp
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-all sdm-nat-l2tp-1
 match access-group 103
 match protocol l2tp
class-map type inspect match-all sdm-nat-ipsec-msft-1
 match access-group 103
 match protocol ipsec-msft
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 101
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all sdm-nat-ssh-1
 match access-group 102
 match protocol ssh
class-map type inspect match-all sdm-nat-https-1
 match access-group 102
 match protocol https
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect 
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-ssh-1
  inspect 
 class type inspect sdm-nat-https-1
  inspect 
 class type inspect sdm-nat-isakmp-1
  inspect 
 class type inspect sdm-nat-l2tp-1
  inspect 
 class type inspect sdm-nat-ipsec-msft-1
  inspect 
 class type inspect CCP_PPTP
  pass
 class class-default
  drop log
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect 
 class type inspect ccp-insp-traffic
  inspect 
 class type inspect ccp-sip-inspect
  inspect 
 class type inspect ccp-h323-inspect
  inspect 
 class type inspect ccp-h323annexe-inspect
  inspect 
 class type inspect ccp-h225ras-inspect
  inspect 
 class type inspect ccp-h323nxg-inspect
  inspect 
 class type inspect ccp-skinny-inspect
  inspect 
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
! 
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description $ETH-LAN$$FW_INSIDE$
 ip address XXX.XXX.XXX.XXX 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ETH-LAN$$FW_INSIDE$
 ip address XXX.XXX.XXX.XXX 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
 no mop enabled
!
interface ATM0/1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
!
interface ATM0/1/0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 8/35 
  pppoe-client dial-pool-number 1
 !
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname @alicebiz.routed
 ppp chap password 7 
 ppp pap sent-username @alicebiz.routed password 7 
!
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp XXX.XXX.XXX.XXX 22 interface Dialer0 22
ip nat inside source static tcp XXX.XXX.XXX.XXX 443 interface Dialer0 443
ip nat inside source static udp XXX.XXX.XXX.XXX 500 interface Dialer0 500
ip nat inside source static udp XXX.XXX.XXX.XXX 1701 interface Dialer0 1701
ip nat inside source static udp XXX.XXX.XXX.XXX 4500 interface Dialer0 4500
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
!
ip radius source-interface FastEthernet0/0 
logging XXX.XXX.XXX.XXX
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit XXX.XXX.XXX.0 0.0.0.255
access-list 1 permit XXX.XXX.XXX.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit XXX.XXX.XXX.0 0.0.0.255
access-list 2 permit XXX.XXX.XXX.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark Interface_Isolation
access-list 100 remark CCP_ACL Category=1
access-list 100 remark From_LAB_to_Domain
access-list 100 deny   ip 192.168.39.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 100 remark From_LAB_to_Domain
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.88.251
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.88.228
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
radius-server host XXX.XXX.XXX.XXX key 7 
!
!
control-plane
!

banner login ^C
+----------------------------------------------------------+
|                                                          |     
|                                                          |
|     This device is for authorized personnel only.        |
|    If you have not been provided with permission to      |
|        access this device - disconnect at once.          |
| *** Login Required.  Unauthorized use is prohibited ***  |
|                                                          |
|                                                          |
+----------------------------------------------------------+

^C
!
line con 0
line aux 0
line vty 0 4
 access-class 1 in
 exec-timeout 300 0
 transport preferred ssh
 transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 193.204.114.232 prefer source FastEthernet0/0
ntp server 193.204.114.233 source FastEthernet0/0
end
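An added example (not the poster's configuration, and not CCP-generated output) showing how PPTP is usually carried through an IOS zone-based firewall. Two facts drive it: a ZBF `pass` action is one-directional and creates no return state, so GRE has to be passed on both zone-pairs; and GRE is IP protocol 47, neither TCP nor UDP, so a class that matches only `protocol tcp`/`protocol udp` never covers it and GRE falls through to `class-default`. The zone names `in-zone`/`out-zone` and the ACL/class name `SDM_GRE` are the ones used in the posted config; the policy-map, zone-pair and `PPTP-CONTROL` names are constructed for this example. Because IOS allows only one zone-pair per source/destination combination, in a config that already has an inside-to-outside zone-pair the `SDM_GRE` class would be added to that pair's existing policy-map, ahead of `class-default`, rather than as a second zone-pair.

```cisco
! Added example, not the posted config: bidirectional GRE pass for PPTP
! on a zone-based firewall. in-zone, out-zone and SDM_GRE come from the
! posted config; all other names are constructed for illustration.
!
! 1. GRE (IP protocol 47) carries the PPTP tunnel payload. It is neither
!    TCP nor UDP, so "match protocol tcp/udp" does not match it.
ip access-list extended SDM_GRE
 remark GRE tunnel traffic for PPTP
 permit gre any any
!
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
!
! 2. The PPTP control channel (TCP 1723) is a normal TCP session and can
!    be inspected; the GRE tunnel is passed explicitly instead.
class-map type inspect match-any PPTP-CONTROL
 match protocol pptp
!
! 3. "pass" is one-directional: passing GRE on out-zone -> in-zone does
!    not create return state, so GRE is also passed on in-zone -> out-zone.
policy-map type inspect IN-TO-OUT
 class type inspect PPTP-CONTROL
  inspect
 class type inspect SDM_GRE
  pass
 class class-default
  drop log
!
policy-map type inspect OUT-TO-IN
 class type inspect SDM_GRE
  pass
 class class-default
  drop log
!
zone-pair security zp-in-out source in-zone destination out-zone
 service-policy type inspect IN-TO-OUT
zone-pair security zp-out-in source out-zone destination in-zone
 service-policy type inspect OUT-TO-IN
```

To verify which path GRE actually takes, `show policy-map type inspect zone-pair sessions` lists the sessions each zone-pair has established, and using `drop log` instead of a bare `drop` on `class-default` makes every dropped packet show up in syslog as a `%FW-6-DROP_PKT` message naming the protocol and zone-pair, which tells you immediately whether GRE is being dropped inbound, outbound, or not at all.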
