14 February 2009 - 14:08
There are 10 comments and 1 solution
Configuration of Cisco Router
I'm having trouble getting my Cisco 861W router to run the way it should...
I get an IP fine on the WAN side (the fa4 interface) and can ping out, but I have no internet on the LAN side?
Here is my current configuration:
Using 3474 out of 262136 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2356917569
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2356917569
 revocation-check none
 rsakeypair TP-self-signed-2356917569
!
!
crypto pki certificate chain TP-self-signed-2356917569
 certificate self-signed 01 nvram:IOS-Self-Sig#A.cer
no ip source-route
!
ip dhcp pool sdm-pool1
 import all
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
!
!
ip cef
no ip bootp server
ip name-server 194.239.134.83
ip name-server 193.162.153.164
!
!
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 mac-address 001b.63bd.58bc
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
!
interface Vlan1
 description $FW_INSIDE$
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
!
ip nat inside source static tcp 10.0.0.5 25 interface FastEthernet4 25
ip nat inside source static tcp 10.0.0.5 80 interface FastEthernet4 80
ip nat inside source static tcp 10.0.0.5 21 interface FastEthernet4 21
ip nat inside source static tcp 10.0.0.5 110 interface FastEthernet4 110
ip nat inside source static tcp 10.0.0.5 3389 interface FastEthernet4 3389
ip nat inside source static tcp 10.0.0.5 995 interface FastEthernet4 995
ip nat inside source static tcp 10.0.0.5 8080 interface FastEthernet4 8080
ip nat inside source static tcp 10.0.0.5 3306 interface FastEthernet4 3306
ip nat inside source static tcp 10.0.0.5 3307 interface FastEthernet4 3307
ip nat inside source static tcp 10.0.0.5 26 interface FastEthernet4 26
ip nat inside source static tcp 10.0.0.5 3390 interface FastEthernet4 3390
ip nat inside source static tcp 10.0.0.5 443 interface FastEthernet4 443
ip nat inside source static tcp 10.0.0.5 20 interface FastEthernet4 20
!
logging trap debugging
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
no cdp run
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
 login local
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0
 login local
line vty 1 4
 login
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Now at least I can get online if I set static DNS servers on the PCs... but if I set them to fetch everything from the DHCP server, it sets the DNS to 10.0.0.1 and then there is no connection?
Here is the configuration as it looks right now, if that was what you meant...
Building configuration...
Current configuration : 4988 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2356917569
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2356917569
 revocation-check none
 rsakeypair TP-self-signed-2356917569
!
!
crypto pki certificate chain TP-self-signed-2356917569
 certificate self-signed 01
  quit
no ip source-route
!
ip dhcp pool sdm-pool1
 import all
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 194.239.134.83 193.162.153.164
!
!
ip cef
no ip bootp server
ip name-server 194.239.134.83
ip name-server 193.162.153.164
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 mac-address 001b.63bd.58bc
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
!
interface Vlan1
 description $FW_INSIDE$
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
!
ip nat inside source static tcp 10.0.0.5 25 interface FastEthernet4 25
ip nat inside source static tcp 10.0.0.5 80 interface FastEthernet4 80
ip nat inside source static tcp 10.0.0.5 21 interface FastEthernet4 21
ip nat inside source static tcp 10.0.0.5 110 interface FastEthernet4 110
ip nat inside source static tcp 10.0.0.5 3389 interface FastEthernet4 3389
ip nat inside source static tcp 10.0.0.5 995 interface FastEthernet4 995
ip nat inside source static tcp 10.0.0.5 8080 interface FastEthernet4 8080
ip nat inside source static tcp 10.0.0.5 3306 interface FastEthernet4 3306
ip nat inside source static tcp 10.0.0.5 3307 interface FastEthernet4 3307
ip nat inside source static tcp 10.0.0.5 26 interface FastEthernet4 26
ip nat inside source static tcp 10.0.0.5 3390 interface FastEthernet4 3390
ip nat inside source static tcp 10.0.0.5 443 interface FastEthernet4 443
ip nat inside source static tcp 10.0.0.5 20 interface FastEthernet4 20
ip nat inside source list nat interface FastEthernet4 overload
!
ip access-list extended nat
 permit ip 10.0.0.0 0.255.255.255 any
!
logging trap debugging
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
no cdp run
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
 login local
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0
 login local
line vty 1 4
 login
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Now I have configured the firewall on the router through Cisco CP and chosen "low" as the security level...
But when I save what it chooses to configure, fa4 first of all doesn't receive any IP - and then I found out that if I remove the line: zone-member security out-zone from fa4, it does receive an IP... but I still can't get online at all...?
Is there some simple standard one can configure the firewall to?
The new configuration with the firewall (which is considerably larger than the old one) looks like this...
Building configuration...
Current configuration : 10723 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2356917569
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2356917569
 revocation-check none
 rsakeypair TP-self-signed-2356917569
!
!
crypto pki certificate chain TP-self-signed-2356917569
 certificate self-signed 01
  quit
no ip source-route
ip port-map user-protocol--2 port tcp 8080
ip port-map user-protocol--3 port tcp 3307
ip port-map user-protocol--1 port tcp 3389
ip port-map user-protocol--6 port tcp 20
ip port-map user-protocol--4 port tcp 26
ip port-map user-protocol--5 port tcp 3390
ip dhcp excluded-address 10.0.0.1 10.0.0.5
!
ip dhcp pool sdm-pool1
 import all
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 194.239.134.83 193.162.153.164
!
!
ip cef
no ip bootp server
ip name-server 194.239.134.83
ip name-server 193.162.153.164
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
!
class-map type inspect match-all sdm-nat-user-protocol--6-1
 match access-group 114
 match protocol user-protocol--6
class-map type inspect match-all sdm-nat-user-protocol--5-1
 match access-group 112
 match protocol user-protocol--5
class-map type inspect match-all sdm-nat-user-protocol--4-1
 match access-group 111
 match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--3-1
 match access-group 110
 match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--2-1
 match access-group 108
 match protocol user-protocol--2
class-map type inspect match-all sdm-nat-http-1
 match access-group 103
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 106
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 102
 match protocol smtp
class-map type inspect match-any CCP-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-nat-pop3s-1
 match access-group 107
 match protocol pop3s
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-nat-pop3-1
 match access-group 105
 match protocol pop3
class-map type inspect match-all ccp-invalid-src
 match access-group 101
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-nat-mysql-1
 match access-group 109
 match protocol mysql
class-map type inspect match-all sdm-nat-https-1
 match access-group 113
 match protocol https
class-map type inspect match-all ccp-protocol-http
 match protocol http
class-map type inspect match-all sdm-nat-ftp-1
 match access-group 104
 match protocol ftp
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-ftp-1
  inspect
 class type inspect sdm-nat-pop3-1
  inspect
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class type inspect sdm-nat-pop3s-1
  inspect
 class type inspect sdm-nat-user-protocol--2-1
  inspect
 class type inspect sdm-nat-mysql-1
  inspect
 class type inspect sdm-nat-user-protocol--3-1
  inspect
 class type inspect sdm-nat-user-protocol--4-1
  inspect
 class type inspect sdm-nat-user-protocol--5-1
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-user-protocol--6-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect CCP-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 mac-address 001b.63bd.58bc
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
!
interface Vlan1
 description $FW_INSIDE$
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
!
ip nat inside source static tcp 10.0.0.5 25 interface FastEthernet4 25
ip nat inside source static tcp 10.0.0.5 80 interface FastEthernet4 80
ip nat inside source static tcp 10.0.0.5 21 interface FastEthernet4 21
ip nat inside source static tcp 10.0.0.5 110 interface FastEthernet4 110
ip nat inside source static tcp 10.0.0.5 3389 interface FastEthernet4 3389
ip nat inside source static tcp 10.0.0.5 995 interface FastEthernet4 995
ip nat inside source static tcp 10.0.0.5 8080 interface FastEthernet4 8080
ip nat inside source static tcp 10.0.0.5 3306 interface FastEthernet4 3306
ip nat inside source static tcp 10.0.0.5 3307 interface FastEthernet4 3307
ip nat inside source static tcp 10.0.0.5 26 interface FastEthernet4 26
ip nat inside source static tcp 10.0.0.5 3390 interface FastEthernet4 3390
ip nat inside source static tcp 10.0.0.5 443 interface FastEthernet4 443
ip nat inside source static tcp 10.0.0.5 20 interface FastEthernet4 20
ip nat inside source list nat interface FastEthernet4 overload
!
ip access-list extended nat
 permit ip 10.0.0.0 0.255.255.255 any
!
logging trap debugging
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 10.0.0.5
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 10.0.0.5
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 10.0.0.5
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 10.0.0.5
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip any host 10.0.0.5
access-list 107 remark CCP_ACL Category=0
access-list 107 permit ip any host 10.0.0.5
access-list 108 remark CCP_ACL Category=0
access-list 108 permit ip any host 10.0.0.5
access-list 109 remark CCP_ACL Category=0
access-list 109 permit ip any host 10.0.0.5
access-list 110 remark CCP_ACL Category=0
access-list 110 permit ip any host 10.0.0.5
access-list 111 remark CCP_ACL Category=0
access-list 111 permit ip any host 10.0.0.5
access-list 112 remark CCP_ACL Category=0
access-list 112 permit ip any host 10.0.0.5
access-list 113 remark CCP_ACL Category=0
access-list 113 permit ip any host 10.0.0.5
access-list 114 remark CCP_ACL Category=0
access-list 114 permit ip any host 10.0.0.5
no cdp run
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
 login local
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0
 login local
line vty 1 4
 login
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
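As an added check (editor's example, not code from the thread or from Cisco), here is a small Python lint over an IOS running-config for the three symptoms reported in the posts above: 'ip nat inside' with no dynamic overload rule (the first config), a DHCP pool with no explicit dns-server (the second post's fix), and, once zone-based firewall zones exist, a NAT interface that belongs to no zone or a DHCP-client interface whose zone-to-self policy only drops, so the lease reply never reaches the router (the third config). The sample config is a constructed excerpt in the shape of the third post, not the poster's full running-config; the flattening helper `blocks` maps each top-level stanza to its indented lines.

```python
import re

# Constructed excerpt in the shape of the thread's third config (a hypothetical sample,
# not the poster's running-config); zone and pool names follow the thread.
SAMPLE_CONFIG = """\
ip dhcp pool sdm-pool1
 import all
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
policy-map type inspect ccp-permit
 class class-default
  drop
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
interface FastEthernet4
 ip address dhcp
 ip nat outside
 zone-member security out-zone
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
"""

def blocks(cfg, prefix):
    # Map each top-level line starting with prefix to its indented child lines (flattened).
    out, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith(" ") and cur is not None:
            out[cur].append(line.strip())
        elif line.startswith(prefix):
            cur = line.strip(); out[cur] = []
        else:
            cur = None
    return out

def lint(cfg):
    issues, ifaces = [], blocks(cfg, "interface ")
    zones, policies = re.findall(r"^zone security (\S+)", cfg, re.M), blocks(cfg, "policy-map type inspect ")
    for name, lines in ifaces.items():
        short = name.split()[1]
        zone = next((l.split()[-1] for l in lines if l.startswith("zone-member security")), None)
        # Zones exist but this NAT interface is in none: zone <-> non-zone traffic is dropped.
        if zones and not zone and any(l.startswith("ip nat ") for l in lines):
            issues.append(f"unzoned-interface:{short}")
        # DHCP client whose zone->self policy only drops: the lease reply never reaches the router.
        if "ip address dhcp" in lines and zone:
            m = re.search(rf"^zone-pair security \S+ source {re.escape(zone)} destination self\n service-policy type inspect (\S+)", cfg, re.M)
            pol = policies.get(f"policy-map type inspect {m.group(1)}", []) if m else []
            if "drop" in pol and not any(l.startswith("class type inspect") for l in pol):
                issues.append(f"self-zone-drops-dhcp:{short}")
    # 'ip nat inside' without a dynamic overload rule: only the static port-forwards get translated.
    if any("ip nat inside" in ls for ls in ifaces.values()) and not re.search(
            r"^ip nat inside source list \S+ interface \S+ overload", cfg, re.M):
        issues.append("no-dynamic-nat")
    # DHCP pool with no explicit resolver (the second post added dns-server to fix this).
    for name, lines in blocks(cfg, "ip dhcp pool ").items():
        if not any(l.startswith("dns-server") for l in lines):
            issues.append(f"pool-without-dns-server:{name.split()[-1]}")
    return issues
```

Run `lint(open("running-config.txt").read())` on a saved `show running-config`; an empty list means none of the four conditions is present.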