Cisco 876 + FTP Server (port forward)



mogsub
19-06-08, 11:35
Good morning,

I have a Cisco 876 and I'm trying to publish a few servers (ftp, ssh), but I can't connect to them.

The Cisco's configuration is:



!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxx
!
username xxx privilege 15 secret 5 x
clock timezone PCTime 2
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 group radius local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
!
!
!
!
ip tcp synwait-time 10
ip flow-cache timeout active 1
no ip bootp server
ip domain name ath.yiltd
ip name-server 195.170.0.1
ip name-server 195.170.2.2
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip ips notify SDEE
ip ips po max-events 100
ip ddns update method sdm_ddns1
HTTP
add http:xxx
remove http:xxx
!
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
encr 3des
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group RemoteYI
key Yis1uff.
dns 192.168.0.2
domain xxx
pool SDM_POOL_1
max-users 5
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 1800
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
no cdp enable
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxx password 7 xxx
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.0.70 192.168.0.80
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip flow-export source Vlan1
ip flow-export version 5
ip flow-export destination 192.168.0.5 9996
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source static udp 192.168.0.19 2200 interface Dialer0 2200
ip nat inside source static tcp 192.168.0.19 2200 interface Dialer0 2200
ip nat inside source static tcp 192.168.0.19 21 interface Dialer0 21
ip nat inside source static udp 192.168.0.19 21 interface Dialer0 21
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 192.168.0.2 eq 1645 host 192.168.0.1
access-list 100 permit udp host 192.168.0.2 eq 1646 host 192.168.0.1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 192.168.0.70 any
access-list 101 permit ip host 192.168.0.71 any
access-list 101 permit ip host 192.168.0.72 any
access-list 101 permit ip host 192.168.0.73 any
access-list 101 permit ip host 192.168.0.74 any
access-list 101 permit ip host 192.168.0.75 any
access-list 101 permit ip host 192.168.0.76 any
access-list 101 permit ip host 192.168.0.77 any
access-list 101 permit ip host 192.168.0.78 any
access-list 101 permit ip host 192.168.0.79 any
access-list 101 permit ip host 192.168.0.80 any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp host 195.170.2.2 eq domain any
access-list 101 permit udp host 195.170.0.1 eq domain any
access-list 101 deny ip 192.168.0.0 0.0.0.255 any log
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip any host 192.168.0.70
access-list 102 deny ip any host 192.168.0.71
access-list 102 deny ip any host 192.168.0.72
access-list 102 deny ip any host 192.168.0.73
access-list 102 deny ip any host 192.168.0.74
access-list 102 deny ip any host 192.168.0.75
access-list 102 deny ip any host 192.168.0.76
access-list 102 deny ip any host 192.168.0.77
access-list 102 deny ip any host 192.168.0.78
access-list 102 deny ip any host 192.168.0.79
access-list 102 deny ip any host 192.168.0.80
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
radius-server host 192.168.0.2 auth-port 1645 acct-port 1646
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport preferred all
transport output telnet
line aux 0
transport preferred all
transport output telnet
line vty 0 4
transport preferred all
transport input telnet ssh
transport output all
line vty 5 15
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

I have disabled the access-lists and the inspects on the interfaces while I test this, to be sure they aren't what's blocking it.

Can someone help me?

Thanks!

taxiarxos
19-06-08, 16:27
Good evening friend,

First of all, if you have conn-x, disable the enhanced protection from Otenet's site:

http://my.otenet.gr

Also check whether you have the required ports open with

http://www.utorrent.com/testport.php?port=(the port number you want to check)

so that, as a first step, we know whether the ports are open, because the problem may be something else.

mogsub
19-06-08, 17:00
Thanks for the help,

I disabled the enhanced protection from Otenet's site and reconnected as they say.

I checked the port and it shows as closed.

I changed the port on the ftp server to 21212 and added the same NAT entries on the router, and although it (utorrent) shows the port as open, I still can't connect.

hedgehog
19-06-08, 17:05
If you want, take a look at this thread too ;)

mogsub
19-06-08, 17:42
Thanks guys.

In the end I found what was wrong: I was trying to connect from my internal network to my router's Internet IP.

I used a remote client and was able to get in!

@ ADSLgr.com All rights reserved.