Cisco 851 and L2TP Passthrough - Networks - Consumer / SoHo Networks
Marsh Posted on 18-03-2007 at 13:08:05
Hello,
We have a Cisco 851 router behind which we host Web (HTTP and HTTPS), email (SMTP) and VPN (PPTP, L2TP) services.
Not knowing much about the Cisco CLI, I used SDM to open the necessary ports.
I was able to open the Web, Mail and PPTP ports and they work. However, although I think I have done what is needed for the L2TP protocol, the connection is not initiated and the server receiving the L2TP requests does not receive any packets. Could you validate my configuration?
Cisco IP: 192.168.0.254
Web, Mail, VPN server: 192.168.0.253
I opened and forwarded the following ports:
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.0.253 4500 interface Dialer0 4500
ip nat inside source static udp 192.168.0.253 500 interface Dialer0 500
ip nat inside source static udp 192.168.0.253 1701 interface Dialer0 1701
ip nat inside source static tcp 192.168.0.253 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.0.253 25 interface Dialer0 25
ip nat inside source static tcp 192.168.0.253 443 interface Dialer0 443
ip nat inside source static tcp 192.168.0.253 80 interface Dialer0 80
And the firewall has the following rules:
access-list 101 remark HTTP
access-list 101 permit tcp any any eq www
access-list 101 remark HTTPS
access-list 101 permit tcp any any eq 443
access-list 101 remark SMTP
access-list 101 permit tcp any any eq smtp
access-list 101 remark PPTP
access-list 101 permit tcp any any eq 1723
access-list 101 remark L2TP
access-list 101 permit udp any any eq 1701
access-list 101 remark IKE
access-list 101 permit udp any any eq isakmp
access-list 101 remark IPSec NAT-T
access-list 101 permit udp any any eq non500-isakmp
access-list 101 remark GRE
access-list 101 permit gre any any
Thanks
FULL CONFIGURATION FILE
Building configuration...
Current configuration : 7101 bytes
!
! Last configuration change at 13:30:08 PCTime Sun Mar 18 2007 by admin
! NVRAM config last updated at 09:24:00 PCTime Tue Dec 26 2006 by cisco
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname fr-par-wan1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
no ip source-route
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name domaine.local
ip name-server 194.2.0.20
ip name-server 194.2.0.50
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-361402317
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-361402317
revocation-check none
rsakeypair TP-self-signed-361402317
!
!
crypto pki certificate chain TP-self-signed-361402317
certificate self-signed 01
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
quit
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxx
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.254 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.0.253 4500 interface Dialer0 4500
ip nat inside source static udp 192.168.0.253 500 interface Dialer0 500
ip nat inside source static udp 192.168.0.253 1701 interface Dialer0 1701
ip nat inside source static tcp 192.168.0.253 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.0.253 25 interface Dialer0 25
ip nat inside source static tcp 192.168.0.253 443 interface Dialer0 443
ip nat inside source static tcp 192.168.0.253 80 interface Dialer0 80
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 194.2.0.50 eq domain any
access-list 101 permit udp host 194.2.0.20 eq domain any
access-list 101 remark HTTP
access-list 101 permit tcp any any eq www
access-list 101 remark HTTPS
access-list 101 permit tcp any any eq 443
access-list 101 remark SMTP
access-list 101 permit tcp any any eq smtp
access-list 101 remark PPTP
access-list 101 permit tcp any any eq 1723
access-list 101 remark L2TP
access-list 101 permit udp any any eq 1701
access-list 101 remark IKE
access-list 101 permit udp any any eq isakmp
access-list 101 remark IPSec NAT-T
access-list 101 permit udp any any eq non500-isakmp
access-list 101 remark GRE
access-list 101 permit gre any any
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
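Added example (not part of Marsh's post): a small Python check that parses the static NAT and ACL 101 lines quoted above and cross-references them, flagging any port forwarded without a matching inbound permit, any permit with no forward behind it, and whether the three UDP flows an L2TP/IPsec client sends (IKE 500, NAT-T 4500, L2TP 1701) line up in both tables. The ACL number and the port keywords come from the post; the regexes and the L2TP_IPSEC_NEEDS set are my assumptions.

```python
import re

# Constructed sample input: the NAT and ACL lines quoted in the post.
NAT_LINES = """\
ip nat inside source static udp 192.168.0.253 4500 interface Dialer0 4500
ip nat inside source static udp 192.168.0.253 500 interface Dialer0 500
ip nat inside source static udp 192.168.0.253 1701 interface Dialer0 1701
ip nat inside source static tcp 192.168.0.253 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.0.253 25 interface Dialer0 25
ip nat inside source static tcp 192.168.0.253 443 interface Dialer0 443
ip nat inside source static tcp 192.168.0.253 80 interface Dialer0 80
"""
ACL_LINES = """\
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq 1723
access-list 101 permit udp any any eq 1701
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit gre any any
access-list 101 deny ip any any
"""
# IOS port keywords used in the ACL, resolved to port numbers.
PORT_NAMES = {"www": 80, "smtp": 25, "isakmp": 500, "non500-isakmp": 4500}
# Flows an L2TP/IPsec client sends to a server behind NAT: IKE, NAT-T, then L2TP (assumed set).
L2TP_IPSEC_NEEDS = {("udp", 500), ("udp", 4500), ("udp", 1701)}

def parse_static_nat(text):
    """(proto, outside port) for every static port forward."""
    pat = re.compile(r"ip nat inside source static (tcp|udp) \S+ \d+ interface \S+ (\d+)")
    return {(proto, int(port)) for proto, port in pat.findall(text)}

def parse_acl_permits(text, acl="101"):
    """(proto, port) permitted by the ACL; port is None for whole-protocol permits."""
    pat = re.compile(rf"access-list {acl} permit (\S+) any any(?: eq (\S+))?")
    return {(proto, int(PORT_NAMES.get(port, port)) if port else None)
            for proto, port in pat.findall(text)}

def audit(nat_text, acl_text):
    """Cross-check the two tables: a forward needs a permit and a permit needs a forward."""
    nat, acl = parse_static_nat(nat_text), parse_acl_permits(acl_text)
    return {
        "nat_without_permit": sorted(nat - acl),   # forwarded, but the inbound ACL drops it
        "permit_without_nat": sorted(k for k in acl - nat if k[1] is not None),
        "l2tp_ipsec_missing": sorted(L2TP_IPSEC_NEEDS - (nat & acl)),
        # ESP (IP protocol 50) is neither permitted nor forwarded, so the tunnel
        # only works if both peers negotiate NAT-T and carry ESP inside UDP 4500.
        "esp_permitted": ("esp", None) in acl,
    }
```

On the posted lines the audit reports no mismatch between NAT and ACL for the three L2TP/IPsec flows, so the router side of the port plumbing is consistent; what it does surface is that ESP is not permitted, meaning the tunnel depends entirely on NAT-T being negotiated by the client and the server at 192.168.0.253.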