Good morning everyone!
After more than 2 days of searching, my questions come down to the following:
1] Both CRWS and SDM, looking at webflash and flash respectively, have their own .cfg file (ConfigExp.cfg and sdmconfig-83x.cfg respectively). Which one is ultimately loaded at startup when I "tinker" with both CRWS and SDM?
Related to the above, when I enable e.g. the firewall in CRWS, why does it not show up in SDM (and vice versa)?
2] Despite all my many time-consuming attempts I still have not managed to get port forwarding working on my little Cisco! Could someone please help?
First of all, trying to open ports (inbound and outbound, either from ethernet or from dialer1, usually to destination ports) from SDM does not achieve the desired result. Following suggestions from the guys, I made the code below my startup-config.cfg. Have I made mistakes???
The message I keep getting, with hyperterminal open and connected to the router, is
list 103 denied ip_address (6346) -> ... (or the reverse)
or list 103 denied ip_address (4662) -> ... (or the reverse),
which correspond to shareaza and emule.
Here is my startup-config:
Code:
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname **hostname**
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret *************
!
username **hostname** password *********
no aaa new-model
ip subnet-zero
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 lease 0 2
!
ip name-server 195.170.0.1
ip name-server 195.170.2.2
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip inspect name DEFAULT100 cuseeme timeout 3600
ip inspect name DEFAULT100 ftp timeout 3600
ip inspect name DEFAULT100 rcmd timeout 3600
ip inspect name DEFAULT100 realaudio timeout 3600
ip inspect name DEFAULT100 smtp timeout 3600
ip inspect name DEFAULT100 tftp timeout 30
ip inspect name DEFAULT100 udp timeout 15
ip inspect name DEFAULT100 tcp timeout 3600
ip inspect name DEFAULT100 h323 timeout 3600
ip inspect name DEFAULT101 cuseeme
ip inspect name DEFAULT101 ftp
ip inspect name DEFAULT101 h323
ip inspect name DEFAULT101 netshow
ip inspect name DEFAULT101 rcmd
ip inspect name DEFAULT101 realaudio
ip inspect name DEFAULT101 rtsp
ip inspect name DEFAULT101 smtp
ip inspect name DEFAULT101 sqlnet
ip inspect name DEFAULT101 streamworks
ip inspect name DEFAULT101 tftp
ip inspect name DEFAULT101 tcp
ip inspect name DEFAULT101 udp
ip inspect name DEFAULT101 vdolive
ip inspect name DEFAULT101 icmp
ip ips po max-events 100
no ftp-server write-enable
!
interface Ethernet0
 description $FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
!
interface BRI0
 no ip address
 shutdown
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode annexb-ur2
 hold-queue 224 in
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 103 in
 ip nat outside
 ip inspect DEFAULT101 out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ************
 ppp chap password ***********
 ppp pap sent-username ********** password *****************
 ppp ipcp dns request
 ppp ipcp wins request
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
no ip http secure-server
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.2 6346 interface Dialer1 6346
! <<<HERE>>>
ip nat inside source static udp 10.10.10.2 6346 interface Dialer1 6346
ip nat inside source static tcp 10.10.10.2 4662 interface Dialer1 4662
ip nat inside source static udp 10.10.10.2 4672 interface Dialer1 4672
ip nat inside source static tcp 10.10.10.2 6881 interface Dialer1 6881
ip nat inside source static tcp 10.10.10.2 6882 interface Dialer1 6882
ip nat inside source static tcp 10.10.10.2 6883 interface Dialer1 6883
ip nat inside source static tcp 10.10.10.2 6884 interface Dialer1 6884
ip nat inside source static tcp 10.10.10.2 6885 interface Dialer1 6885
ip nat inside source static tcp 10.10.10.2 6886 interface Dialer1 6886
ip nat inside source static tcp 10.10.10.2 6887 interface Dialer1 6887
ip nat inside source static tcp 10.10.10.2 6888 interface Dialer1 6888
ip nat inside source static tcp 10.10.10.2 6889 interface Dialer1 6889
!
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit udp any eq bootps any eq bootps
access-list 101 permit udp any eq domain any
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq 10000
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq 139
access-list 101 permit udp any any eq netbios-ns
access-list 101 permit udp any any eq netbios-dgm
access-list 101 permit gre any any
access-list 101 deny ip any any
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny ip 10.10.10.0 0.0.0.255 any
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
access-list 103 permit tcp any any eq 6346
! <<<HERE>>>
access-list 103 permit udp any any eq 6346
access-list 103 permit tcp any any eq 4662
access-list 103 permit udp any any eq 4672
access-list 103 permit tcp any any eq 6881
access-list 103 permit tcp any any eq 6882
access-list 103 permit tcp any any eq 6883
access-list 103 permit tcp any any eq 6884
access-list 103 permit tcp any any eq 6885
access-list 103 permit tcp any any eq 6886
access-list 103 permit tcp any any eq 6887
access-list 103 permit tcp any any eq 6888
access-list 103 permit tcp any any eq 6889
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit tcp any any eq 6346
! <<<AND HERE>>>
access-list 111 permit udp any any eq 6346
access-list 111 permit tcp any any eq 4662
access-list 111 permit udp any any eq 4672
access-list 111 permit tcp any any eq 6881
access-list 111 permit tcp any any eq 6882
access-list 111 permit tcp any any eq 6883
access-list 111 permit tcp any any eq 6884
access-list 111 permit tcp any any eq 6885
access-list 111 permit tcp any any eq 6886
access-list 111 permit tcp any any eq 6887
access-list 111 permit tcp any any eq 6888
access-list 111 permit tcp any any eq 6889
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any log
dialer-list 1 protocol ip permit
!
control-plane
!
line con 0
 exec-timeout 120 0
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
!
end
-
14-11-04, 06:19 Cisco 836: .cfg files & port forwarding #1
-
14-11-04, 11:41 #2
The line
Code:
access-list 103 deny ip any any log
Also the following lines
Code:
access-list 103 permit tcp any any eq 6881
access-list 103 permit tcp any any eq 6882
access-list 103 permit tcp any any eq 6883
access-list 103 permit tcp any any eq 6884
access-list 103 permit tcp any any eq 6885
access-list 103 permit tcp any any eq 6886
access-list 103 permit tcp any any eq 6887
access-list 103 permit tcp any any eq 6888
access-list 103 permit tcp any any eq 6889
Code:
access-list 103 permit tcp any any range 6881 6889
Code:
access-list 103 deny ip any any log
The same can be done on acl 111.
-
17-11-04, 11:03 #3
Thank you Chataso. I have tried the change you correctly pointed out to me, but I still haven't seen any difference. That is, hours go by with zero downloading.
-
17-11-04, 15:16 #4
So you download normally for a while and then it stops?
Does the router give you any logs?
Post the config again...
-
17-11-04, 16:20 #5
Hi there. I have the following problem. I have lost the CD and in the manuals I don't see how to configure the firewall. How can I download the cfg file to the PC? And then how should I edit it to open ports?
-
19-11-04, 00:44 #6
I am in despair with the wretched thing.
Here, Chataso, is my config! Thank you!
Code:
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname **********
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret **********
!
username ********** password **********
no aaa new-model
ip subnet-zero
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 lease 0 2
!
ip name-server 195.170.0.1
ip name-server 195.170.2.2
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip inspect name DEFAULT100 cuseeme timeout 3600
ip inspect name DEFAULT100 ftp timeout 3600
ip inspect name DEFAULT100 rcmd timeout 3600
ip inspect name DEFAULT100 realaudio timeout 3600
ip inspect name DEFAULT100 smtp timeout 3600
ip inspect name DEFAULT100 tftp timeout 30
ip inspect name DEFAULT100 udp timeout 15
ip inspect name DEFAULT100 tcp timeout 3600
ip inspect name DEFAULT100 h323 timeout 3600
ip inspect name DEFAULT101 cuseeme
ip inspect name DEFAULT101 ftp
ip inspect name DEFAULT101 h323
ip inspect name DEFAULT101 netshow
ip inspect name DEFAULT101 rcmd
ip inspect name DEFAULT101 realaudio
ip inspect name DEFAULT101 rtsp
ip inspect name DEFAULT101 smtp
ip inspect name DEFAULT101 sqlnet
ip inspect name DEFAULT101 streamworks
ip inspect name DEFAULT101 tftp
ip inspect name DEFAULT101 tcp
ip inspect name DEFAULT101 udp
ip inspect name DEFAULT101 vdolive
ip inspect name DEFAULT101 icmp
ip ips po max-events 100
no ftp-server write-enable
!
interface Ethernet0
 description $FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
!
interface BRI0
 no ip address
 shutdown
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode annexb-ur2
 hold-queue 224 in
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 103 in
 ip nat outside
 ip inspect DEFAULT101 out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname **********
 ppp chap password **********
 ppp pap sent-username ********** password **********
 ppp ipcp dns request
 ppp ipcp wins request
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
no ip http secure-server
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.2 6346 interface Dialer1 6346
ip nat inside source static udp 10.10.10.2 6346 interface Dialer1 6346
ip nat inside source static tcp 10.10.10.2 4662 interface Dialer1 4662
ip nat inside source static udp 10.10.10.2 4672 interface Dialer1 4672
ip nat inside source static tcp 10.10.10.2 6881 interface Dialer1 6881
ip nat inside source static tcp 10.10.10.2 6882 interface Dialer1 6882
ip nat inside source static tcp 10.10.10.2 6883 interface Dialer1 6883
ip nat inside source static tcp 10.10.10.2 6884 interface Dialer1 6884
ip nat inside source static tcp 10.10.10.2 6885 interface Dialer1 6885
ip nat inside source static tcp 10.10.10.2 6886 interface Dialer1 6886
ip nat inside source static tcp 10.10.10.2 6887 interface Dialer1 6887
ip nat inside source static tcp 10.10.10.2 6888 interface Dialer1 6888
ip nat inside source static tcp 10.10.10.2 6889 interface Dialer1 6889
!
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit udp any eq bootps any eq bootps
access-list 101 permit udp any eq domain any
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq 10000
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq 139
access-list 101 permit udp any any eq netbios-ns
access-list 101 permit udp any any eq netbios-dgm
access-list 101 permit gre any any
access-list 101 deny ip any any
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny ip 10.10.10.0 0.0.0.255 any
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 permit tcp any any eq 6346
access-list 103 permit udp any any eq 6346
access-list 103 permit tcp any any eq 4662
access-list 103 permit udp any any eq 4672
access-list 103 permit tcp any any eq 6881 6889
access-list 103 deny ip any any log
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit tcp any any eq 6346
access-list 111 permit udp any any eq 6346
access-list 111 permit tcp any any eq 4662
access-list 111 permit udp any any eq 4672
access-list 111 permit tcp any any eq 6881 6889
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any log
dialer-list 1 protocol ip permit
!
control-plane
!
line con 0
 exec-timeout 120 0
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
!
end
-
21-11-04, 22:39 #7
Because I could not create a new topic (it gave me an error), I am posting my question below:
Greetings.
I have the following problem:
We are in Serres and at the internet café where I work we have a jetspeed 500 with firmware version 9xxxx (chaos)
DSL 1024 otenet.
Everything worked perfectly for a long time, but lately, specifically in the game Call of Duty, my ping does not go above 200, with the result that it cannot get into any online game.
Apart from that, the jetspeed hangs at regular intervals and the whole shop cannot open any page, and the problem is solved by resetting the modem.
We thought of buying a new device such as the Cisco 837, which I liked very much.
I would like your opinion on this device, or whether you would suggest another one from this company (since I trust Cisco and always hear good things about them)
Thanks
-
23-11-04, 01:13 #8
lacbil,
The line:
Code:
access-list 103 permit tcp any any eq 6881 6889
Code:
access-list 103 permit tcp any any range 6881 6889
Where do you "pull" the router's configuration from, and how do you change it?
In any case, the configuration you have written out for me cannot possibly be the router's "active" configuration, because there is no way it could contain the wrong command above.
PS: The inspection rules "myfw" & "DEFAULT100" are not needed, since I don't see you using them on any interface.
-
23-11-04, 01:24 #9
Good evening! In order to post it in this thread, I pulled the above with the following command
Code:
copy startup tftp
However, I have not loaded it with
Code:
copy tftp flash
Thanks anyway for the range!
-
23-11-04, 01:43 #10
If you can get into the router with telnet (or console), do a "show run" and paste it here so we can see the "active" config.
Also keep in mind that from the moment you start editing the router's config through the CLI, the GUIs are off-limits, because you will get yourself into a tangle.
PS: I don't see "access-list 111" being used anywhere either.
-
26-11-04, 00:49 #11
Guys, the following is the active one!
Code:
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname *********
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret *********
!
username ********* password *********
no aaa new-model
ip subnet-zero
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 lease 0 2
!
ip name-server 195.170.0.1
ip name-server 195.170.2.2
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip inspect name DEFAULT100 cuseeme timeout 3600
ip inspect name DEFAULT100 ftp timeout 3600
ip inspect name DEFAULT100 rcmd timeout 3600
ip inspect name DEFAULT100 realaudio timeout 3600
ip inspect name DEFAULT100 smtp timeout 3600
ip inspect name DEFAULT100 tftp timeout 30
ip inspect name DEFAULT100 udp timeout 15
ip inspect name DEFAULT100 tcp timeout 3600
ip inspect name DEFAULT100 h323 timeout 3600
ip inspect name DEFAULT101 cuseeme
ip inspect name DEFAULT101 ftp
ip inspect name DEFAULT101 h323
ip inspect name DEFAULT101 netshow
ip inspect name DEFAULT101 rcmd
ip inspect name DEFAULT101 realaudio
ip inspect name DEFAULT101 rtsp
ip inspect name DEFAULT101 smtp
ip inspect name DEFAULT101 sqlnet
ip inspect name DEFAULT101 streamworks
ip inspect name DEFAULT101 tftp
ip inspect name DEFAULT101 tcp
ip inspect name DEFAULT101 udp
ip inspect name DEFAULT101 vdolive
ip inspect name DEFAULT101 icmp
ip ips po max-events 100
no ftp-server write-enable
!
interface Ethernet0
 description $FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
!
interface BRI0
 no ip address
 shutdown
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode annexb-ur2
 hold-queue 224 in
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 103 in
 ip nat outside
 ip inspect DEFAULT101 out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname *********
 ppp chap password *********
 ppp pap sent-username ********* password *********
 ppp ipcp dns request
 ppp ipcp wins request
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
no ip http secure-server
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.2 6889 interface Dialer1 6889
ip nat inside source static tcp 10.10.10.2 6888 interface Dialer1 6888
ip nat inside source static tcp 10.10.10.2 6887 interface Dialer1 6887
ip nat inside source static tcp 10.10.10.2 6886 interface Dialer1 6886
ip nat inside source static tcp 10.10.10.2 6885 interface Dialer1 6885
ip nat inside source static tcp 10.10.10.2 6884 interface Dialer1 6884
ip nat inside source static tcp 10.10.10.2 6883 interface Dialer1 6883
ip nat inside source static tcp 10.10.10.2 6882 interface Dialer1 6882
ip nat inside source static tcp 10.10.10.2 6881 interface Dialer1 6881
ip nat inside source static udp 10.10.10.2 4672 interface Dialer1 4672
ip nat inside source static tcp 10.10.10.2 4662 interface Dialer1 4662
ip nat inside source static udp 10.10.10.2 6346 interface Dialer1 6346
ip nat inside source static tcp 10.10.10.2 6346 interface Dialer1 6346
!
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit udp any eq bootps any eq bootps
access-list 101 permit udp any eq domain any
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq 10000
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq 139
access-list 101 permit udp any any eq netbios-ns
access-list 101 permit udp any any eq netbios-dgm
access-list 101 permit gre any any
access-list 101 deny ip any any
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny ip 10.10.10.0 0.0.0.255 any
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 permit tcp any any eq 6346
access-list 103 permit udp any any eq 6346
access-list 103 permit tcp any any eq 4662
access-list 103 permit udp any any eq 4672
access-list 103 permit tcp any any range 6881 6889
access-list 103 deny ip any any log
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit tcp any any eq 6346
access-list 111 permit udp any any eq 6346
access-list 111 permit tcp any any eq 4662
access-list 111 permit udp any any eq 4672
access-list 111 permit tcp any any range 6881 6889
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any log
dialer-list 1 protocol ip permit
!
control-plane
!
line con 0
 exec-timeout 120 0
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
!
end
PS: I don't see "access-list 111" being used anywhere either.
-
26-11-04, 14:11 #12
From what I can see, some inspection rules and lists are not used, so you can delete them by issuing the following commands from within "conf t":
Code:
no ip inspect name myfw
no ip inspect name DEFAULT100
no access-list 101
no access-list 111
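Two of the replies in this thread are really config-lint findings: reply #2 spots that the "deny ip any any log" in access-list 103 sits above the port permits, so every permit after it is dead and the router logs "list 103 denied" for exactly the ports that were meant to be forwarded; replies #8, #10 and #12 spot inspect rules and ACLs that are defined but bound nowhere. The script below is an added example, not code from the thread or from Cisco. It checks a config for those three things: entries shadowed by an earlier catch-all, static port forwards whose outside interface's inbound ACL never permits the outside port before the catch-all (on classic IOS the inbound ACL is evaluated before the outside-to-inside NAT translation, so it is the global port that must be permitted), and unreferenced ACLs and inspect rules. It assumes the numbered `access-list N ...` syntax the thread uses with `any any` source and destination, and the sample config is a constructed, trimmed copy of the posted one with the original ordering bug left in place.

```python
"""Lint a Cisco IOS-style config for the three problems raised in this thread: ACL
entries shadowed by an earlier catch-all, static port forwards that the outside
interface's inbound ACL never permits, and ACLs or inspect rules bound nowhere.
Added example; numbered 'access-list N ...' syntax only, as used in the thread."""
import re
from itertools import groupby

# Constructed sample trimmed from the thread's config (addresses and ports as
# posted); ACL 103 still has "deny ip any any log" ABOVE the port permits.
SAMPLE_CONFIG = """\
interface Dialer1
 ip access-group 103 in
 ip inspect DEFAULT101 out
ip inspect name myfw tcp timeout 3600
ip inspect name DEFAULT101 tcp
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.2 6346 interface Dialer1 6346
ip nat inside source static udp 10.10.10.2 4672 interface Dialer1 4672
ip nat inside source static tcp 10.10.10.2 6881 interface Dialer1 6881
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip any any log
access-list 103 permit tcp any any eq 6346
access-list 103 permit udp any any eq 4672
access-list 103 permit tcp any any range 6881 6889
access-list 111 permit gre any any
"""

CATCH_ALL = re.compile(r"^(permit|deny) ip any any( log)?$")  # matches every IP packet
STATIC_NAT = re.compile(r"^ip nat inside source static (tcp|udp) \S+ \d+ interface (\S+) (\d+)$")

def parse_acls(cfg):
    """{acl_number: [entry, ...]} in config order; remarks never match traffic."""
    acls = {}
    for line in cfg.splitlines():
        m = re.match(r"^access-list (\d+) (.+)$", line)
        if m and not m.group(2).startswith("remark"):
            acls.setdefault(m.group(1), []).append(m.group(2))
    return acls

def effective_entries(entries):
    """Entries a packet can reach: everything up to the first catch-all, inclusive."""
    for i, e in enumerate(entries):
        if CATCH_ALL.match(e):
            return entries[: i + 1]
    return list(entries)

def shadowed_entries(entries):
    """Dead entries: placed after the catch-all, so the router never consults them."""
    return entries[len(effective_entries(entries)):]

def entry_permits(entry, proto, port):
    """True if an 'any any' ACE permits <proto> to destination <port> (eq or range)."""
    m = re.match(rf"^permit {proto} any any (?:eq (\d+)|range (\d+) (\d+))$", entry)
    if not m:
        return False
    return int(m.group(1)) == port if m.group(1) else int(m.group(2)) <= port <= int(m.group(3))

def inbound_acl(cfg, ifname):
    """Number of the ACL applied 'in' on <ifname>, or None if there is none."""
    blk = re.search(rf"^interface {re.escape(ifname)}\n((?:[ \t].*\n)*)", cfg, re.M)
    m = blk and re.search(r"^[ \t]+ip access-group (\S+) in$", blk.group(1), re.M)
    return m.group(1) if m else None

def unreachable_forwards(cfg):
    """(proto, outside_port, acl) for every static forward the outside interface's
    inbound ACL never permits. IOS evaluates that ACL before the outside-to-inside
    NAT translation, so it must permit the global (outside) port."""
    acls, problems = parse_acls(cfg), []
    for m in filter(None, map(STATIC_NAT.match, cfg.splitlines())):
        proto, port, acl = m.group(1), int(m.group(3)), inbound_acl(cfg, m.group(2))
        if acl and not any(entry_permits(e, proto, port) for e in effective_entries(acls.get(acl, []))):
            problems.append((proto, port, acl))
    return problems

def fix_acl_order(cfg):
    """Config text with each ACL's catch-all moved last within that ACL (reply #2's fix)."""
    def key(line):
        m = re.match(r"^access-list \d+ ", line)
        return m.group(0) if m else None
    out = []
    for prefix, grp in groupby(cfg.splitlines(), key):
        grp = list(grp)
        if prefix:
            catch = [l for l in grp if CATCH_ALL.match(l[len(prefix):])]
            grp = [l for l in grp if l not in catch] + catch
        out.extend(grp)
    return "\n".join(out) + "\n"

def unreferenced_objects(cfg):
    """(unused ACL numbers, unused inspect names): defined but bound to no interface,
    line or NAT statement, i.e. the cleanup candidates from reply #12."""
    used_acls = set(re.findall(r"^[ \t]+(?:ip access-group|access-class) (\S+) ", cfg, re.M))
    used_acls |= set(re.findall(r"^ip nat inside source list (\S+) ", cfg, re.M))
    used_insp = set(re.findall(r"^[ \t]+ip inspect (\S+) (?:in|out)$", cfg, re.M))
    defined_insp = set(re.findall(r"^ip inspect name (\S+)", cfg, re.M))
    return sorted(set(parse_acls(cfg)) - used_acls), sorted(defined_insp - used_insp)

if __name__ == "__main__":  # before/after report for the constructed sample
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("fixed", fix_acl_order(SAMPLE_CONFIG))):
        print(label, shadowed_entries(parse_acls(cfg)["103"]), unreachable_forwards(cfg), unreferenced_objects(cfg))
```

Run against the sample as posted, all three forwards come back as blocked by ACL 103 and the three permits are reported as shadowed; after `fix_acl_order` moves the catch-all to the end of each ACL, both lists are empty, while `myfw` and ACL 111 remain flagged as defined but unused. The checks operate on the text of `show run`, which is the "active" config reply #10 asks for; the posted `copy startup tftp` output may differ from it, as reply #8 points out.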
-
26-11-04, 14:58 #13
Sorry for giving you a hard time, and thank you for the "support".
The problem is that, despite all the "upgrades" in the run above, the little router still "cuts" 4662 or 688x packets, downloads reach at most 3kBps (in total), and the corresponding p2p clients show me "FIREWALL PROBABLY ENABLED" messages. (it appears even with the software firewall disabled!)
-
26-11-04, 15:05 #14
Let me tell you..
Do you want me to send you mine, which runs like a charm with emule, and you'll be OK?
And my opinion.. forget the firewall rules that SDM creates etc..
They are not needed.. or at least not for home use.
If it is so serious that you need a firewall, get a PIX..
<? while (!$success) { $try++; } ?>
-
26-11-04, 15:12 #15
Originally posted by lacbil