URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 10204

Original message
"DNS forwarding > PIX515E"

Posted by Free4uvak, 30-Mar-06 11:46
Respected gurus, please tell me where my mistake is... I am still a beginner at mastering Cisco; the goal is to publish the master DNS server from the DMZ to the outside (220.150.110.30). Criticism and sensible advice are welcome....
There is a 1760 router with an SHDSL module (220.150.53.53) and an Ethernet port (192.153.69.2)
On it I say:
ip nat inside source static 220.150.110.30 192.153.69.100

On the PIX it says:
access-list DNS permit tcp any host 192.153.69.100
access-list DNS permit udp any host 192.153.69.100 log
access-list DNS permit icmp any host 192.153.69.100
access-list DNS permit ip any host 192.153.69.100
access-list DNS permit icmp host 192.153.69.2 host 192.153.69.100 log
ip address outside 192.153.69.10 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.31 255.255.255.255 inside
pdm location nameserver 255.255.255.255 dmz
pdm location 192.153.69.2 255.255.255.255 outside
pdm location 192.168.0.0 255.255.0.0 outside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.153.69.12 255.255.255.255 dmz
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 192.153.69.110
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
static (dmz,outside) 192.153.69.100 nameserver netmask 255.255.255.255 0 0
access-group DNS in interface outside
access-group inside_acl in interface inside
access-group dmz_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 192.153.69.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
Ping from the 1760 to 192.153.69.100 does not go through, although I can ping it from other hosts.... I can't figure out where I messed up....


Messages in this discussion
"DNS forwarding > PIX515E"
Posted by sh_, 30-Mar-06 12:23
As I understand it, you have
internet---C1700---PIX---DMZ

On the router
no ip nat inside source static 220.150.110.30 192.153.69.100
ip nat inside source static 192.153.69.100 220.150.110.30

on the PIX

no static (dmz,outside) 192.153.69.100 nameserver netmask 255.255.255.255 0 0
static (dmz,outside) nameserver 192.153.69.100


"DNS forwarding > PIX515E"
Posted by Free4uvak, 30-Mar-06 12:32
>As I understand it, you have
>internet---C1700---PIX---DMZ
>
>On the router
>no ip nat inside source static 220.150.110.30 192.153.69.100
>ip nat inside source static 192.153.69.100 220.150.110.30
>
>on the PIX
>
>no static (dmz,outside) 192.153.69.100 nameserver netmask 255.255.255.255 0 0
>static (dmz,outside) nameserver 192.153.69.100
Yes, regarding the connection that is absolutely right...
I'll try it now.... thanks for the tip..



"DNS forwarding > PIX515E"
Posted by Free4uvak, 30-Mar-06 13:00
Didn't help :( .... damn, I did it just as it is written on cisco.com; where I went wrong, who knows

"DNS forwarding > PIX515E"
Posted by sh_, 30-Mar-06 13:12
First do clear ip nat tr * on the Cisco and clear xlate on the PIX.

If that doesn't help, show the full configs of both...


"DNS forwarding > PIX515E"
Posted by Free4uvak, 30-Mar-06 13:51
>First do clear ip nat tr * on the Cisco and clear xlate on the PIX.
>
>If that doesn't help, show the full configs of both...
-------1760-------------

version 12.3
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption

hostname Cisco1760

aaa new-model

aaa authentication login default local
aaa authorization exec default local
aaa session-id common
ip subnet-zero

ip dhcp pool crwstest
   origin ipcp

ip audit notify log
ip audit po max-events 100
ip address-pool local
no ftp-server write-enable

interface ATM0/0
no ip address
no atm ilmi-keepalive
dsl equipment-type CPE
dsl operating-mode GSHDSL symmetric annex A
dsl linerate AUTO

interface ATM0/0.1 point-to-point
ip address 192.168.3.2 255.255.255.252
ip nat inside
pvc 1/184
  oam-pvc manage
  encapsulation aal5snap

interface ATM0/0.2 point-to-point
ip address 220.150.53.53 255.255.255.255
ip access-group IDS_atm0/0.2_in_1 in
ip nat outside
pvc 1/134
  oam-pvc manage
  encapsulation aal5snap

interface FastEthernet0/0
ip address 192.153.69.2 255.255.255.0
ip accounting output-packets
ip nat inside
speed auto
half-duplex
no cdp enable
hold-queue 32 in
hold-queue 100 out

ip local pool Dialup 192.168.255.2 192.168.255.254
ip nat inside source list 11 interface ATM0/0.2 overload
ip nat inside source static tcp 192.168.1.5 3455 220.150.53.53 3455 extendable
ip nat inside source static tcp 192.168.1.16 4444 220.150.53.53 4444 extendable
ip nat inside source static 192.153.69.100 220.150.110.30
ip classless
ip route 0.0.0.0 0.0.0.0  220.150.53.52
ip route 10.10.2.0 255.255.255.252 192.168.3.1
ip route 172.16.2.0 255.255.255.252 192.168.3.1
ip route 172.16.10.0 255.255.255.252 172.16.10.1
ip route 172.16.12.0 255.255.255.252 192.168.3.1
ip route 172.16.13.0 255.255.255.252 192.168.3.1
ip route 190.153.0.0 255.255.0.0 192.153.69.15
ip route 190.153.53.0 255.255.255.0 192.168.3.1
ip route 190.153.70.0 255.255.255.0 192.168.3.1
ip route 192.168.0.0 255.255.255.0 192.153.69.10
ip route 192.168.1.0 255.255.255.0 192.153.69.15
ip route 192.168.2.0 255.255.255.0 192.168.3.1
ip route 192.168.3.4 255.255.255.252 192.168.3.1
ip route 192.168.3.8 255.255.255.252 192.168.3.1
ip route 192.168.3.12 255.255.255.252 192.168.3.1
ip route 192.168.3.16 255.255.255.252 192.168.3.1
ip route 192.168.3.20 255.255.255.252 192.168.3.1
ip route 192.168.3.24 255.255.255.252 192.168.3.1
ip route 192.168.3.28 255.255.255.252 192.168.3.1
ip route 192.168.3.32 255.255.255.252 192.168.3.1
ip route 192.168.3.36 255.255.255.252 192.168.3.1
ip route 192.168.5.0 255.255.255.252 192.168.3.1
ip route 192.168.6.0 255.255.255.252 192.168.3.1
ip route 192.168.10.0 255.255.255.0 192.153.69.15
ip route 192.168.12.0 255.255.255.0 192.168.3.1
ip route 192.168.13.0 255.255.255.0 192.168.3.1
ip route 192.168.126.0 255.255.255.0 192.153.69.15
ip route 220.150.110.30 255.255.255.255 192.153.69.10
no ip http server
no ip http secure-server
ip access-list extended IDS_atm0/0.2_in_1
permit ip host 192.168.1.24 any
permit ip any any
access-list 1 permit any
access-list 11 permit any
no cdp run
radius-server authorization permit missing Service-Type
line con 0
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 30 0

-------------PIX----------------
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname gluks
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.2 nameserver
access-list acl_out permit icmp any any log
access-list acl_out permit icmp any host 192.153.69.8 log
access-list inside_acl permit tcp host 192.168.1.31 any log
access-list inside_acl permit udp host 192.168.1.31 any log
access-list inside_acl permit icmp any any log
access-list dmz_acl permit icmp any any log
access-list DNS remark Allow DNS host to WAN
access-list DNS permit tcp any host 192.153.69.100
access-list DNS permit udp any host 192.153.69.100 log
access-list DNS permit icmp any host 192.153.69.100
access-list DNS permit ip any host 192.153.69.100
access-list DNS permit icmp host 192.153.69.2 host 192.153.69.100 log
pager lines 80
logging on
logging timestamp
logging console debugging
logging buffered errors
logging trap debugging
logging facility 23
logging host inside 192.168.1.31
icmp permit any outside
icmp permit any dmz
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 192.153.69.10 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.31 255.255.255.255 inside
pdm location nameserver 255.255.255.255 dmz
pdm location 192.153.69.2 255.255.255.255 outside
pdm location 192.168.0.0 255.255.0.0 outside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.153.69.12 255.255.255.255 dmz
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 192.153.69.110
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
static (dmz,outside) 192.153.69.100 nameserver netmask 255.255.255.255 0 0
access-group DNS in interface outside
access-group inside_acl in interface inside
access-group dmz_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 192.153.69.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
ntp server 192.168.1.6 source inside prefer
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 192.168.1.31 255.255.255.255 inside
ssh timeout 5
console timeout 10


Here are the configs...


"DNS forwarding > PIX515E"
Posted by Alien, 30-Mar-06 14:13
try
static (DMZ,outside) 192.153.69.100 nameserver netmask 255.255.255.255 dns
- rewrite will work

"DNS forwarding > PIX515E"
Posted by Free4uvak, 30-Mar-06 14:19
>try
>static (DMZ,outside) 192.153.69.100 nameserver netmask 255.255.255.255 dns
>- rewrite will work
Thanks, I'll try it...



"DNS forwarding > PIX515E"
Posted by Free4uvak, 30-Mar-06 14:39
>>try
>>static (DMZ,outside) 192.153.69.100 nameserver netmask 255.255.255.255 dns
>>- rewrite will work
>Thanks, I'll try it...
Doesn't work....:), but thanks anyway..
On the log server this stuff shows up periodically - I can't figure out where it is denying; I even explicitly said ALLOWED...
192.168.1.254: <188>Mar 30 2006 16:51:26: %PIX-4-106023: Deny icmp src outside:192.153.69.2 dst inside:192.153.69.110 (type 5, code 1) by access-group "DNS"

192.168.1.254: <187>Mar 30 2006 16:51:26: %PIX-3-106011: Deny inbound (No xlate) udp src outside:192.153.69.110/1035 dst outside:213.135.113.180/53
Never mind, that one is hitting the inside - my head is simply spinning :)....


"DNS forwarding > PIX515E"
Posted by sh_, 30-Mar-06 15:12
And what do deb pac outside dst 192.153.69.100 and deb pac inside dst 192.153.69.100 show

"DNS forwarding > PIX515E"
Posted by Free4uvak, 30-Mar-06 15:41
>And what do deb pac outside dst 192.153.69.100 and deb pac inside
>dst 192.153.69.100 show -
You can see that the packets are going through
192.168.1.254: <190>Mar 30 2006 17:48:26: %PIX-6-302016: Teardown UDP connection 1632 for outside:216.221.160.10/36640 to dmz:192.168.0.2/53 duration 0:02:01 bytes 47
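The PIX 6.3 syslog lines quoted in the last two Free4uvak posts (106023, 106011 and 302016) can be parsed mechanically so that denies, the interfaces involved and the endpoints are available as fields rather than read by eye. The following is an added example, not code from the thread or from Cisco; the sample lines are constructed after the ones quoted above, and the field names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the PIX 6.3 syslog lines quoted in the thread
# (the leading "192.168.1.254:" is the firewall that forwarded them to the log host).
SAMPLE_LOGS = [
    '192.168.1.254: <188>Mar 30 2006 16:51:26: %PIX-4-106023: Deny icmp src outside:192.153.69.2 '
    'dst inside:192.153.69.110 (type 5, code 1) by access-group "DNS"',
    '192.168.1.254: <187>Mar 30 2006 16:51:26: %PIX-3-106011: Deny inbound (No xlate) udp '
    'src outside:192.153.69.110/1035 dst outside:213.135.113.180/53',
    '192.168.1.254: <190>Mar 30 2006 17:48:26: %PIX-6-302016: Teardown UDP connection 1632 '
    'for outside:216.221.160.10/36640 to dmz:192.168.0.2/53 duration 0:02:01 bytes 47',
]

HEADER = re.compile(r'^(?P<reporter>\S+): <(?P<pri>\d+)>(?P<ts>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d): '
                    r'%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$')
# Endpoints are printed as "ifc:addr" or "ifc:addr/port"; the first two in a body are src, dst.
ENDPOINT = re.compile(r'\b(?P<ifc>[a-z0-9_]+):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:/(?P<port>\d+))?')
PROTO = re.compile(r'\b(icmp|udp|tcp)\b', re.IGNORECASE)


def parse_pix_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one forwarded PIX syslog line; return None for lines that do not fit."""
    m = HEADER.match(line)
    if not m:
        return None
    # <PRI> is facility*8 + severity and must agree with the %PIX-<sev> field
    # (the thread's firewall logs with "logging facility 23", so PRI = 184 + severity).
    if int(m['pri']) % 8 != int(m['sev']):
        return None
    ends = ENDPOINT.findall(m['body'])
    if len(ends) < 2:
        return None
    proto = PROTO.search(m['body'])
    (sifc, sip, sport), (difc, dip, dport) = ends[0], ends[1]
    return {
        'msgid': m['msgid'], 'severity': int(m['sev']), 'facility': int(m['pri']) // 8,
        'denied': m['body'].startswith('Deny'),
        'proto': proto.group(1).lower() if proto else None,
        'src_ifc': sifc, 'src': sip + ('/' + sport if sport else ''),
        'dst_ifc': difc, 'dst': dip + ('/' + dport if dport else ''),
        # Source and destination on the same interface: a flow that entered the PIX
        # and would have to leave through the interface it arrived on (the 106011 line).
        'hairpin': sifc == difc,
    }


def denied_events(lines: List[str]) -> List[Dict[str, object]]:
    """Keep only the events the firewall dropped, in log order."""
    parsed = (parse_pix_line(l) for l in lines)
    return [e for e in parsed if e and e['denied']]
```

Feeding the real log host's file through `denied_events` and grouping on `(src_ifc, dst_ifc, dst)` separates the ICMP redirect denied by the "DNS" access-group from the same-interface UDP/53 deny, which the thread's author had to tell apart by hand.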