boeotian
26-09-10, 11:33
Λοιπόν νομίζω τα κατάφερα. Τα δύο configs του router και του access point:
!
! Last configuration change at 01:28:30 EEST Sun Sep 26 2010 by root
! NVRAM config last updated at 01:28:34 EEST Sun Sep 26 2010 by root
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime localtime year
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 XXX
!
no aaa new-model
memory-size iomem 10
clock timezone EET 2 0
clock summer-time EEST recurring last Sun Mar 3:00 last Sun Oct 4:00
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.44
ip dhcp excluded-address 192.168.1.51 192.168.1.254
!
ip dhcp pool lanpool
network 192.168.1.0 255.255.255.0
domain-name xxx.gr
dns-server 192.168.1.1 212.70.194.250 212.70.194.244
default-router 192.168.1.200
!
!
ip cef
no ip domain lookup
ip domain name xxx.gr
ip name-server 192.168.1.1
ip name-server 212.70.194.244
ip name-server 212.70.194.250
ip ddns update method DynDNS
HTTP
add http://xxx:xxx@members.dyndns.org/nic/update?hostname=xxx.com&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG&myip=&system=dyndns
interval maximum 28 0 0 0
!
no ipv6 cef
!
!
isdn switch-type basic-net3
license udi pid CISCO886W-GN-E-K9 sn XXX
!
!
username root privilege 15 secret 5 xxx
username panos secret 5 xxx
!
!
!
!
!
track 1 interface Dialer0 ip routing
!
!
!
!
!
!
!
interface BRI0
description ISDN BRI Interface
bandwidth 128
no ip address
encapsulation ppp
dialer pool-member 2
isdn switch-type basic-net3
isdn termination multidrop
isdn point-to-point-setup
!
interface ATM0
description ATM Connection to ISP
backup delay 120 0
backup interface Dialer1
no ip address
no atm ilmi-keepalive
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
description Server Connection
!
interface FastEthernet1
description PC LAN Connection 1
!
interface FastEthernet2
description PC LAN Connection 2
!
interface FastEthernet3
description Spare LAN Connection
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description Virtual LAN 1
ip address 192.168.1.200 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
description ADSL link to ISP
ip ddns update hostname xxx.com
ip ddns update DynDNS host members.dyndns.org
ip address negotiated
ip access-group 100 in
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp pap sent-username xxx@xxx.gr password 7 xxx
!
interface Dialer1
description ISDN backup Dialer Interface
ip ddns update hostname xxx.com
ip ddns update DynDNS host members.dyndns.org
ip address negotiated
ip access-group 100 in
ip nat outside
ip virtual-reassembly in
encapsulation ppp
shutdown
dialer pool 2
dialer idle-timeout 45
dialer fast-idle 15
dialer string 8962511000
dialer-group 2
ppp authentication pap callin
ppp pap sent-username xxx password 7 xxx
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source static tcp 192.168.1.1 22 interface Dialer0 2222
ip nat inside source static tcp 192.168.1.1 80 interface Dialer0 9876
ip nat inside source static tcp 192.168.1.200 22 interface Dialer0 3322
ip nat inside source route-map rmap_dialer0 interface Dialer0 overload
ip nat inside source route-map rmap_dialer1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1
!
logging esm config
logging 192.168.1.1
access-list 1 remark Home LAN addresses
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny any
access-list 100 remark Firewall Configuration
access-list 100 permit udp host 194.177.210.214 eq ntp any
access-list 100 permit udp host 195.251.27.1 eq ntp any
access-list 100 permit udp host 147.102.224.241 eq ntp any
access-list 100 permit udp host 212.70.194.249 eq ntp any
access-list 100 permit tcp host 62.192.67.3 eq 500 any
access-list 100 permit udp host 62.192.67.3 eq isakmp any
access-list 100 permit tcp host 63.208.196.95 any established
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny tcp any any lt 1024 log
access-list 100 deny udp any any lt 1024 log
access-list 100 permit icmp any any
access-list 100 permit ip any any
access-list 102 remark Interesting IP Traffic for ISDN
access-list 102 deny udp any any eq ntp
access-list 102 deny tcp any any eq telnet
access-list 102 permit ip any any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip list 102
!
!
!
!
route-map rmap_dialer0 permit 10
match ip address 1
match interface Dialer0
!
route-map rmap_dialer1 permit 10
match ip address 1
match interface Dialer1
!
snmp-server community public RO
snmp-server location Home
snmp-server contact xxx <xxx@xxx.gr>
!
control-plane
!
alias exec dot11radio service-module wlan-ap 0 session
!
line con 0
exec-timeout 0 0
login local
no modem enable
speed 115200
line aux 0
exec-timeout 0 0
login local
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
exec-timeout 0 0
login local
transport input all
!
ntp server 147.102.224.241
ntp server 212.70.194.249
end
!
! Last configuration change at 11:14:34 EEST Sun Sep 26 2010 by root
! NVRAM config last updated at 11:15:21 EEST Sun Sep 26 2010 by root
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$x2E5$Z6.911aq50GrcgTcRXD0F0
!
no aaa new-model
clock timezone EET 2
clock summer-time EEST recurring last Sun Mar 3:00 last Sun Oct 4:00
no ip domain lookup
ip domain name xxx.gr
ip name-server 212.70.194.244
!
!
dot11 syslog
!
dot11 ssid MorakiNet
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 xxx
!
!
!
username root privilege 15 secret 5 xxx
username panos secret 5 xxx
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm tkip
!
ssid MorakiNet
!
antenna gain 0
no preamble-short
station-role root access-point
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.1.201 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
logging 192.168.1.1
bridge 1 route ip
!
!
banner motd
Welcome to Moraki Corporation
!
line con 0
exec-timeout 0 0
login local
no activation-character
line vty 0 4
exec-timeout 0 0
login local
!
sntp server 147.102.224.241
sntp server 212.70.194.249
end
Οι ερωτήσεις μου είναι:
1. Χρειάζομαι vpdn για το pppoe; Είδα σε μερικά παραδείγματα να έχουν, αλλά αυτά ήταν για fastethernet configuration και όχι atm. Επίσης το pppoe θέλει κανένα encapsulation όπως έβαζα στο pppoa για aal5mux;
2. To ssh key το έφτιαξα 1024bit. Για v2 ssh θέλει τουλάχιστον 768bit. Καλά είναι ή να το ανεβάσω;
3. Το security του access point το έχω με WPA. Είχε ένα σωρό security models, αλλά ήθελα κάποιο απλά να μου δουλέψει. Προτείνετε κάτι καλύτερο να κοιτάξω;
4. Το ISDN backup δεν μου παίζει και θυμάμαι παλιά να μου έπαιζε μια χαρά. Σηκώνει το isdn interface και είχα ping από router αλλά όχι από το LAN. Τίποτα στο nat μου βρομάει.
5. Οποιαδήποτε άλλη παρατήρηση είναι ευπρόσδεκτη.
!
! Last configuration change at 01:28:30 EEST Sun Sep 26 2010 by root
! NVRAM config last updated at 01:28:34 EEST Sun Sep 26 2010 by root
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime localtime year
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 XXX
!
no aaa new-model
memory-size iomem 10
clock timezone EET 2 0
clock summer-time EEST recurring last Sun Mar 3:00 last Sun Oct 4:00
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.44
ip dhcp excluded-address 192.168.1.51 192.168.1.254
!
ip dhcp pool lanpool
network 192.168.1.0 255.255.255.0
domain-name xxx.gr
dns-server 192.168.1.1 212.70.194.250 212.70.194.244
default-router 192.168.1.200
!
!
ip cef
no ip domain lookup
ip domain name xxx.gr
ip name-server 192.168.1.1
ip name-server 212.70.194.244
ip name-server 212.70.194.250
ip ddns update method DynDNS
HTTP
add http://xxx:xxx@members.dyndns.org/nic/update?hostname=xxx.com&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG&myip=&system=dyndns
interval maximum 28 0 0 0
!
no ipv6 cef
!
!
isdn switch-type basic-net3
license udi pid CISCO886W-GN-E-K9 sn XXX
!
!
username root privilege 15 secret 5 xxx
username panos secret 5 xxx
!
!
!
!
!
track 1 interface Dialer0 ip routing
!
!
!
!
!
!
!
interface BRI0
description ISDN BRI Interface
bandwidth 128
no ip address
encapsulation ppp
dialer pool-member 2
isdn switch-type basic-net3
isdn termination multidrop
isdn point-to-point-setup
!
interface ATM0
description ATM Connection to ISP
backup delay 120 0
backup interface Dialer1
no ip address
no atm ilmi-keepalive
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
description Server Connection
!
interface FastEthernet1
description PC LAN Connection 1
!
interface FastEthernet2
description PC LAN Connection 2
!
interface FastEthernet3
description Spare LAN Connection
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description Virtual LAN 1
ip address 192.168.1.200 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
description ADSL link to ISP
ip ddns update hostname xxx.com
ip ddns update DynDNS host members.dyndns.org
ip address negotiated
ip access-group 100 in
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp pap sent-username xxx@xxx.gr password 7 xxx
!
interface Dialer1
description ISDN backup Dialer Interface
ip ddns update hostname xxx.com
ip ddns update DynDNS host members.dyndns.org
ip address negotiated
ip access-group 100 in
ip nat outside
ip virtual-reassembly in
encapsulation ppp
shutdown
dialer pool 2
dialer idle-timeout 45
dialer fast-idle 15
dialer string 8962511000
dialer-group 2
ppp authentication pap callin
ppp pap sent-username xxx password 7 xxx
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source static tcp 192.168.1.1 22 interface Dialer0 2222
ip nat inside source static tcp 192.168.1.1 80 interface Dialer0 9876
ip nat inside source static tcp 192.168.1.200 22 interface Dialer0 3322
ip nat inside source route-map rmap_dialer0 interface Dialer0 overload
ip nat inside source route-map rmap_dialer1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1
!
logging esm config
logging 192.168.1.1
access-list 1 remark Home LAN addresses
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny any
access-list 100 remark Firewall Configuration
access-list 100 permit udp host 194.177.210.214 eq ntp any
access-list 100 permit udp host 195.251.27.1 eq ntp any
access-list 100 permit udp host 147.102.224.241 eq ntp any
access-list 100 permit udp host 212.70.194.249 eq ntp any
access-list 100 permit tcp host 62.192.67.3 eq 500 any
access-list 100 permit udp host 62.192.67.3 eq isakmp any
access-list 100 permit tcp host 63.208.196.95 any established
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny tcp any any lt 1024 log
access-list 100 deny udp any any lt 1024 log
access-list 100 permit icmp any any
access-list 100 permit ip any any
access-list 102 remark Interesting IP Traffic for ISDN
access-list 102 deny udp any any eq ntp
access-list 102 deny tcp any any eq telnet
access-list 102 permit ip any any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip list 102
!
!
!
!
route-map rmap_dialer0 permit 10
match ip address 1
match interface Dialer0
!
route-map rmap_dialer1 permit 10
match ip address 1
match interface Dialer1
!
snmp-server community public RO
snmp-server location Home
snmp-server contact xxx <xxx@xxx.gr>
!
control-plane
!
alias exec dot11radio service-module wlan-ap 0 session
!
line con 0
exec-timeout 0 0
login local
no modem enable
speed 115200
line aux 0
exec-timeout 0 0
login local
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
exec-timeout 0 0
login local
transport input all
!
ntp server 147.102.224.241
ntp server 212.70.194.249
end
!
! Last configuration change at 11:14:34 EEST Sun Sep 26 2010 by root
! NVRAM config last updated at 11:15:21 EEST Sun Sep 26 2010 by root
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$x2E5$Z6.911aq50GrcgTcRXD0F0
!
no aaa new-model
clock timezone EET 2
clock summer-time EEST recurring last Sun Mar 3:00 last Sun Oct 4:00
no ip domain lookup
ip domain name xxx.gr
ip name-server 212.70.194.244
!
!
dot11 syslog
!
dot11 ssid MorakiNet
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 xxx
!
!
!
username root privilege 15 secret 5 xxx
username panos secret 5 xxx
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm tkip
!
ssid MorakiNet
!
antenna gain 0
no preamble-short
station-role root access-point
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.1.201 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
logging 192.168.1.1
bridge 1 route ip
!
!
banner motd
Welcome to Moraki Corporation
!
line con 0
exec-timeout 0 0
login local
no activation-character
line vty 0 4
exec-timeout 0 0
login local
!
sntp server 147.102.224.241
sntp server 212.70.194.249
end
Οι ερωτήσεις μου είναι:
1. Χρειάζομαι vpdn για το pppoe; Είδα σε μερικά παραδείγματα να έχουν, αλλά αυτά ήταν για fastethernet configuration και όχι atm. Επίσης το pppoe θέλει κανένα encapsulation όπως έβαζα στο pppoa για aal5mux;
2. To ssh key το έφτιαξα 1024bit. Για v2 ssh θέλει τουλάχιστον 768bit. Καλά είναι ή να το ανεβάσω;
3. Το security του access point το έχω με WPA. Είχε ένα σωρό security models, αλλά ήθελα κάποιο απλά να μου δουλέψει. Προτείνετε κάτι καλύτερο να κοιτάξω;
4. Το ISDN backup δεν μου παίζει και θυμάμαι παλιά να μου έπαιζε μια χαρά. Σηκώνει το isdn interface και είχα ping από router αλλά όχι από το LAN. Τίποτα στο nat μου βρομάει.
5. Οποιαδήποτε άλλη παρατήρηση είναι ευπρόσδεκτη.