I have a Cisco 1841 with an ADSL HWIC. I configure it partly from the CLI and partly with CCP. I tried to configure the basic firewall, but I noticed that once the configuration is applied I can no longer connect to Microsoft PPTP servers. Specifically, the MS client claims that GRE traffic is not getting through the router.
I think I did enable the damned GRE traffic, but evidently something is escaping me.
My config is below; can you give me a hand, please?
Building configuration...
Current configuration : 9602 bytes
!
! Last configuration change at 14:56:17 PCTime Tue Dec 16 2014 by root
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ****************
!
boot-start-marker
boot system flash c1841-adventerprisek9-mz.151-4.M8.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
enable secret 4
!
aaa new-model
!
!
aaa group server radius ADAUTH
server XXX.XXX.XXX.XXX
!
aaa authentication login default group ADAUTH local
aaa authorization exec default group ADAUTH local
!
!
!
!
!
aaa session-id common
!
clock timezone PCTime 1 0
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
dot11 syslog
no ip source-route
!
!
!
ip dhcp excluded-address 192.168.39.201 192.168.39.254
!
ip dhcp pool ccp-pool1
network XXX.XXX.XXX.XXX 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router XXX.XXX.XXX.XXX
!
!
ip cef
no ip bootp server
ip domain name xx.xx
ip name-server XXX.XXX.XXX.XXX
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO1841 sn FCZ104312RR
username root privilege 15 secret 4 kufggvgvghchkdftkftddtyyrjtdjd
!
redundancy
!
!
ip tcp synwait-time 10
!
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-all sdm-nat-isakmp-1
match access-group 103
match protocol isakmp
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-all sdm-nat-l2tp-1
match access-group 103
match protocol l2tp
class-map type inspect match-all sdm-nat-ipsec-msft-1
match access-group 103
match protocol ipsec-msft
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 101
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-nat-ssh-1
match access-group 102
match protocol ssh
class-map type inspect match-all sdm-nat-https-1
match access-group 102
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-ssh-1
inspect
class type inspect sdm-nat-https-1
inspect
class type inspect sdm-nat-isakmp-1
inspect
class type inspect sdm-nat-l2tp-1
inspect
class type inspect sdm-nat-ipsec-msft-1
inspect
class type inspect CCP_PPTP
pass
class class-default
drop log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description $ETH-LAN$$FW_INSIDE$
ip address XXX.XXX.XXX.XXX 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1412
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ETH-LAN$$FW_INSIDE$
ip address XXX.XXX.XXX.XXX 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1412
duplex auto
speed auto
no mop enabled
!
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
!
interface ATM0/1/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname @alicebiz.routed
ppp chap password 7
ppp pap sent-username @alicebiz.routed password 7
!
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp XXX.XXX.XXX.XXX 22 interface Dialer0 22
ip nat inside source static tcp XXX.XXX.XXX.XXX 443 interface Dialer0 443
ip nat inside source static udp XXX.XXX.XXX.XXX 500 interface Dialer0 500
ip nat inside source static udp XXX.XXX.XXX.XXX 1701 interface Dialer0 1701
ip nat inside source static udp XXX.XXX.XXX.XXX 4500 interface Dialer0 4500
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
!
ip radius source-interface FastEthernet0/0
logging XXX.XXX.XXX.XXX
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit XXX.XXX.XXX.0 0.0.0.255
access-list 1 permit XXX.XXX.XXX.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit XXX.XXX.XXX.0 0.0.0.255
access-list 2 permit XXX.XXX.XXX.0 0.0.0.255
access-list 2 deny any
access-list 100 remark Interface_Isolation
access-list 100 remark CCP_ACL Category=1
access-list 100 remark From_LAB_to_Domain
access-list 100 deny ip 192.168.39.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 100 remark From_LAB_to_Domain
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.88.251
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.88.228
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
radius-server host XXX.XXX.XXX.XXX key 7
!
!
control-plane
!
banner login ^C
+----------------------------------------------------------+
| |
| |
| This device is for authorized personnel only. |
| If you have not been provided with permission to |
| access this device - disconnect at once. |
| *** Login Required. Unauthorized use is prohibited *** |
| |
| |
+----------------------------------------------------------+
^C
!
line con 0
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 300 0
transport preferred ssh
transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 193.204.114.232 prefer source FastEthernet0/0
ntp server 193.204.114.233 source FastEthernet0/0
end
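As an added illustration (not part of the original post and not the poster's code), the Python script below reads the zone-based firewall pieces of a config like the one above and reports which policy class a GRE packet lands in on each zone-pair. ZBF cannot stateful-inspect GRE, so a tunnel needs a `pass` class on both zone-pairs it crosses. In the posted config the `CCP_PPTP` class (GRE via the `SDM_GRE` ACL) is applied only in `sdm-pol-NATOutsideToInside-1` (out-zone to in-zone), while `ccp-inspect` (in-zone to out-zone) only has `match protocol pptp` under `inspect`, which covers the TCP 1723 control connection and not IP protocol 47; outbound GRE to the Microsoft servers therefore falls through to `class-default` and is dropped. The config excerpt embedded in the script is constructed from the posted one (masked addresses replaced with placeholders, one class-map nesting level flattened, IOS indentation restored); the client address 192.168.88.10 and the PPTP server stand-in 203.0.113.5 are made up, and all function names are the example's own. Standard library only.

```python
"""Added example, not code from the forum post: find the zone-based firewall (ZBF)
action a GRE flow hits on each zone-pair. Models only IP protocol and addresses."""
import ipaddress
# Constructed excerpt of the posted config: addresses replaced by placeholders, GRE-relevant lines only.
SAMPLE_CONFIG = """\
ip access-list extended SDM_GRE
 permit gre any any
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect CCP_PPTP
  pass
 class class-default
  drop log
policy-map type inspect ccp-inspect
 class type inspect ccp-cls-insp-traffic
  inspect
 class class-default
  drop
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
"""

def parse_addr(t):
    """'any' | 'host A' | 'A WILDCARD' -> ((net, wildcard) as ints, remaining tokens)."""
    if t[0] == "any":
        return (0, 0xFFFFFFFF), t[1:]
    net, wild = (t[1], "0.0.0.0") if t[0] == "host" else (t[0], t[1])
    return (int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild))), t[2:]

def parse_ace(t):
    """'permit|deny PROTO SRC DST' -> (action, proto, src, dst)."""
    src, rest = parse_addr(t[2:])
    return t[0], t[1], src, parse_addr(rest)[0]

def parse(text):
    """Collect ACLs, class-maps, policy-maps and zone-pairs (IOS indentation required)."""
    acls, cmaps, pmaps, zpairs, kind, cur = {}, {}, {}, {}, None, None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!" or "remark" in t:
            continue
        if raw[0] != " ":  # unindented: a new top-level command ends the current section
            kind, cur = None, None
            if t[:2] == ["ip", "access-list"]:
                kind, cur = "acl", acls.setdefault(t[3], [])
            elif t[0] == "access-list":  # numbered ACE, no section
                acls.setdefault(t[1], []).append(parse_ace(t[2:]))
            elif t[0] == "class-map":
                kind, cur = "cmap", cmaps.setdefault(t[4], (t[3], []))
            elif t[0] == "policy-map":
                kind, cur = "pmap", pmaps.setdefault(t[3], [])
            elif t[0] == "zone-pair":
                kind, cur = "zp", (t[4], t[6])
        elif kind == "acl":
            cur.append(parse_ace(t))
        elif kind == "cmap" and t[0] == "match":
            cur[1].append(t[1:])
        elif kind == "pmap" and t[0] == "class":  # the action is on the next line
            cur.append([t[-1], None])
        elif kind == "pmap":
            cur[-1][1] = " ".join(t)
        elif kind == "zp" and t[0] == "service-policy":
            zpairs[cur] = t[-1]
    return acls, cmaps, pmaps, zpairs

def acl_permits(acls, name, flow):
    proto, src, dst = flow  # first matching entry decides; implicit deny at the end
    for action, aproto, (snet, swild), (dnet, dwild) in acls.get(name, []):
        if aproto in (proto, "ip") and src | swild == snet | swild and dst | dwild == dnet | dwild:
            return action == "permit"
    return False

def cmap_matches(cmaps, acls, name, flow):
    mode, criteria = cmaps[name]  # match-all needs every criterion, match-any needs one
    hits = []
    for c in criteria:
        if c[0] == "access-group":
            hits.append(acl_permits(acls, c[-1], flow))
        elif c[0] == "class-map":
            hits.append(cmap_matches(cmaps, acls, c[1], flow))
        else:  # match protocol X: tcp/udp/pptp/... never cover IP protocol 47 (GRE)
            hits.append(c[1] == flow[0])
    return all(hits) if mode == "match-all" else any(hits)

def action_for_flow(cfg, src_zone, dst_zone, proto, src, dst):
    """(class, action) the flow hits; no zone-pair or no matching class means drop."""
    acls, cmaps, pmaps, zpairs = cfg
    flow = (proto, int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)))
    for cname, action in pmaps.get(zpairs.get((src_zone, dst_zone)), []):
        if cname == "class-default" or cmap_matches(cmaps, acls, cname, flow):
            return cname, action
    return "class-default", "drop"
```

On the excerpt, `action_for_flow(parse(SAMPLE_CONFIG), "in-zone", "out-zone", "gre", "192.168.88.10", "203.0.113.5")` returns `("class-default", "drop")` while the reverse direction returns `("CCP_PPTP", "pass")`, which is exactly the asymmetry behind the symptom. Feed it a config dump that still has its IOS indentation (the pasted copy above lost it), and rerun it after adding the same `class type inspect CCP_PPTP` / `pass` pair to `ccp-inspect` ahead of its `class-default`: the in-zone to out-zone verdict then becomes `pass` too.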