URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 23905

Original message
"Cisco NAT and Firewall"

Posted by Evgeny, 27-Jun-12 15:30
Greetings all. I wrote earlier about blocking any requests to the router. I sorted out the previous question, but now another problem has come up: I can't forward ports to a grey (private) IP. The Cisco seems to forward the port, but the firewall, it seems, blocks it from getting through to the grey network... Posting the config. Firmware version 15.0.
=====================================================================================


ip source-route
ip gratuitous-arps
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.49
!
ip dhcp pool ccp-pool1
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 8.8.8.8
!
!
ip cef
ip domain name domain.local
ip name-server 8.8.8.8
!
!
license udi pid CISCO861W-GN-E-K9 sn FCZ1545C5YG
!
!
username daltin privilege 15 secret 5 $1$UcDY$lIE4DaKWrVUHFkDCHpDmk1
username rood privilege 15 password 7 105C0F0F030319065C557D727D7F6265
!
!
ip finger
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any SDM_BOOTPC
 match access-group name SDM_BOOTPC
 match protocol tcp
 match protocol http
 match protocol https
 match protocol udp
class-map type inspect match-any SDM_DHCP_CLIENT_PT
 match class-map SDM_BOOTPC
 match protocol tcp
 match protocol http
 match protocol https
 match protocol udp
class-map type inspect match-any sdm-cls-bootps
 match protocol bootps
 match protocol tcp
 match protocol http
 match protocol https
 match protocol udp
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol https
 match protocol tcp
 match protocol udp
 match protocol http
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect sdm-cls-bootps
  pass
 class type inspect ccp-icmp-access
  pass
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  pass
 class type inspect ccp-protocol-http
  pass
 class type inspect ccp-insp-traffic
  pass
 class class-default
  pass
policy-map type inspect ccp-permit
 class type inspect SDM_DHCP_CLIENT_PT
  pass
 class class-default
  pass
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 82.144.205.2 255.255.255.128
 ip mask-reply
 ip directed-broadcast
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security in-zone
 duplex auto
 speed auto
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 ip mask-reply
 ip directed-broadcast
 ip flow ingress
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip mask-reply
 ip directed-broadcast
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool NAT_POOL 10.10.10.1 10.10.10.30 netmask 255.255.255.0
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 82.144.205.2 37777 10.10.10.4 37777 extendable
ip route 0.0.0.0 0.0.0.0 82.144.205.1
!
ip access-list extended SDM_BOOTPC
 remark CCP_ACL Category=0
 permit udp any any eq bootpc
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 permit ip any any
no cdp run

!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image


Replies in this discussion
"Cisco NAT and Firewall"
Posted by Seva, 27-Jun-12 17:18
What firewall?

"Cisco NAT and Firewall"
Posted by Evgeny, 27-Jun-12 18:17
> What firewall?

zone security, I don't know what else to call it... looks like that's why it doesn't work.
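As an added worked example (not part of the thread and not the poster's config), here is how the zone layout implied by the $FW_OUTSIDE$ / $FW_INSIDE$ labels in the posted config and a static port forward to 10.10.10.4:37777 normally fit together on an IOS zone-based firewall. Two things in the posted config are worth checking against it. First, the static NAT line is written as "82.144.205.2 37777 10.10.10.4 37777", but the IOS form is local (inside) address and port first, then the global (outside) address and port, so as posted it maps the wrong way round. Second, FastEthernet4 is a member of in-zone, the same zone as Vlan1; interfaces in one zone forward to each other with no policy at all, so with that placement the zone firewall is not what blocks the forward, and the out-zone -> in-zone pair needed once the WAN interface is moved does not exist yet. The addresses, port and ccp-* zone names are taken from the posted config; ACL_INBOUND_37777, CM_INBOUND_37777, CM_OUTBOUND, PM_OUT_IN and PM_IN_OUT are names I chose for the example.

```cisco
! Added example, not from the thread. Publishes 10.10.10.4:37777 on
! FastEthernet4 (82.144.205.2) through the IOS zone-based firewall.
! Names ACL_INBOUND_37777, CM_INBOUND_37777, CM_OUTBOUND, PM_OUT_IN and
! PM_IN_OUT are assumptions; addresses, port and zone names match the post.

zone security out-zone
zone security in-zone

! Static forward in the order IOS expects: local address/port, then
! global address/port. The posted line has the two addresses swapped.
ip nat inside source static tcp 10.10.10.4 37777 82.144.205.2 37777 extendable

! Inbound policy. For an outside -> inside flow the zone firewall classifies
! the packet after NAT, so the ACL matches the inside address, not the public one.
ip access-list extended ACL_INBOUND_37777
 permit tcp any host 10.10.10.4 eq 37777

class-map type inspect match-all CM_INBOUND_37777
 match access-group name ACL_INBOUND_37777
 match protocol tcp

policy-map type inspect PM_OUT_IN
 class type inspect CM_INBOUND_37777
  inspect
 class class-default
  drop log

! Without an out-zone -> in-zone pair, everything from the outside towards
! the LAN is dropped by default regardless of the NAT entry.
zone-pair security ccp-zp-out-in source out-zone destination in-zone
 service-policy type inspect PM_OUT_IN

! Outbound policy. "inspect" creates a session so replies are let back in;
! "pass" (used in every class of the posted policies) is stateless and one-way.
class-map type inspect match-any CM_OUTBOUND
 match protocol tcp
 match protocol udp
 match protocol icmp

policy-map type inspect PM_IN_OUT
 class type inspect CM_OUTBOUND
  inspect
 class class-default
  drop log

zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect PM_IN_OUT

! The WAN side belongs in out-zone. In the posted config FastEthernet4 sits
! in in-zone next to Vlan1, so no zone-pair is ever consulted between them.
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip nat outside
 zone-member security out-zone

interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip nat inside
 zone-member security in-zone
```

To check the result from the router: "show ip nat translations" should list the static entry with inside local 10.10.10.4:37777 and inside global 82.144.205.2:37777; "show zone-pair security" should show ccp-zp-out-in with PM_OUT_IN attached; and "show policy-map type inspect zone-pair ccp-zp-out-in sessions" should show a session once a client connects from outside. If the counters stay at zero, "debug ip nat" on a test connection tells you whether the packet is being translated at all before the firewall is blamed. Two side notes on the posted config while it is in front of you: the out-zone -> self policy ccp-permit ends in "class class-default / pass" with "ip http server" and SSH enabled, so the router's own management services are reachable from the Internet, and the "password 7" string for user rood is reversible by design and should be replaced with a "secret" like the daltin account.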