
Posted

And still, they (the rules) really don't work on ICMP.... Here's the config. And from a PC connecting through the VPN, everything behind Virtual-Template 1 can be pinged.

eth 0/0 faces the clients

eth 1/0 faces the NAT at 192.168.1.1, and the NAT faces the Internet.

config:

 

Building configuration...

 

Current configuration : 2366 bytes

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

enable secret 5

enable password

!

aaa new-model

!

!

aaa authentication ppp default group radius

aaa authorization exec default local

aaa authorization network default group radius

aaa accounting network default start-stop group radius

aaa session-id common

ip subnet-zero

no ip rcmd domain-lookup

ip rcmd rsh-enable

ip rcmd remote-host admin 172.16.0.2 admin enable

!

!

ip cef

!

ip audit po max-events 1000

vpdn enable

!

vpdn-group 1

! Default PPTP VPDN group

accept-dialin

protocol pptp

virtual-template 1

!

!

!

!

!

!

!

!

!

!

!

!

!

username admin privilege 8 password 0

!

!

!

!

!

!

interface Ethernet0/0

ip address 172.16.0.1 255.255.0.0

half-duplex

no cdp enable

!

interface Ethernet1/0

ip address 192.168.1.3 255.255.255.0

ip route-cache flow

half-duplex

no cdp enable

!

interface Virtual-Template1

ip address 172.17.0.1 255.255.0.0

ip access-group 109 in

ip access-group 110 out

ip route-cache flow

ip tcp header-compression

ip mroute-cache

no peer default ip address

ppp authentication ms-chap-v2

!

no ip http server

no ip http secure-server

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.1.1

!

!

ip radius source-interface Ethernet0/0

access-list 105 dynamic test1 permit ip any any

access-list 106 dynamic test2 permit ip any any

access-list 107 permit icmp any host 172.16.0.1

access-list 107 permit tcp any any eq domain

access-list 107 permit udp any any eq domain

access-list 107 permit ip host 172.16.0.2 host 172.16.0.1

access-list 107 permit tcp any host 172.16.0.1 eq 1723

access-list 107 permit gre any any

access-list 107 deny ip any any

access-list 108 permit icmp host 172.16.0.1 any

access-list 108 permit tcp any eq domain any

access-list 108 permit tcp any eq domain any

access-list 108 permit ip host 172.16.0.1 host 172.16.0.2

access-list 108 permit tcp host 172.16.0.1 eq 1723 any

access-list 108 permit gre any any

access-list 108 deny ip any any

access-list 109 deny ip any any

access-list 110 deny ip any any

no cdp run

!

radius-server host 172.16.0.2 auth-port 1812 acct-port 1813

radius-server key

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

password

!

!

end

Posted
And still, they (the rules) really don't work on ICMP.... Here's the config. And from a PC connecting through the VPN, everything behind Virtual-Template 1 can be pinged.

What does ICMP have to do with it?

Posted
What does ICMP have to do with it?
It has to do with this:

interface Virtual-Template1

ip address 172.17.0.1 255.255.0.0

ip access-group 109 in

ip access-group 110 out

and

access-list 109 deny ip any any

access-list 110 deny ip any any

i.e. everything is denied, yet pings get through. Apart from pings, nothing gets through: TCP, UDP and all the rest (I hope the rest too, I haven't checked) are blocked.

Posted

cisco(config)#access-list 199 deny ?

<0-255> An IP protocol number

ahp Authentication Header Protocol

eigrp Cisco's EIGRP routing protocol

esp Encapsulation Security Payload

gre Cisco's GRE tunneling

icmp Internet Control Message Protocol

igmp Internet Gateway Message Protocol

igrp Cisco's IGRP routing protocol

ip Any Internet Protocol

ipinip IP in IP tunneling

nos KA9Q NOS compatible IP over IP tunneling

ospf OSPF routing protocol

pcp Payload Compression Protocol

pim Protocol Independent Multicast

tcp Transmission Control Protocol

udp User Datagram Protocol

 

------

 

cat /etc/protocols | grep icmp

icmp 1 ICMP # internet control message protocol

 

cat /etc/protocols | grep ip

ip 0 IP # internet protocol, pseudo protocol number

 

 

----

 

Probably need to add:

access-list 109 deny icmp any any

access-list 110 deny icmp any any
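To make the matching rules under discussion concrete, here is an added example (not code from this thread, from Cisco, or from IOS): a small Python evaluator for IOS extended access-list entries that applies first-match, implicit-deny semantics to the access-list lines from the config above and to a few constructed packets. In IOS the protocol keyword `ip` in an entry matches every IP protocol, ICMP included; the `ip 0` line in /etc/protocols is a pseudo-entry and says nothing about the IOS keyword. The evaluator therefore treats `ip` as a wildcard, and it shows that a `deny icmp any any` placed in front of `deny ip any any` changes no decision. The `Packet` class, the string ACL numbers and the sample addresses are assumptions of this example; ICMP type/code qualifiers, `established` and lock-and-key `dynamic` entries are not modelled (the `dynamic` lines are skipped).

```python
"""Minimal evaluator for Cisco IOS extended access-list syntax (added example,
not code from the thread). Models first-match / implicit-deny and the fact
that the protocol keyword `ip` matches every IP protocol."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS protocol keywords -> IP protocol numbers. `ip` is deliberately absent:
# in IOS it is a wildcard for any protocol, not the pseudo-number 0 that
# /etc/protocols lists for "ip".
PROTO_NUMBERS = {"icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "udp": 17,
                 "gre": 47, "esp": 50, "ahp": 51, "eigrp": 88, "ospf": 89,
                 "pim": 103}
NAMED_PORTS = {"domain": 53, "www": 80, "ftp": 21, "telnet": 23}


@dataclass
class Packet:                      # assumed packet model for the demo
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Ace:
    action: str
    proto: Optional[int]           # None = any IP protocol (`ip` keyword)
    src: ipaddress.IPv4Network
    sport: Optional[int]           # None = any port
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # A Cisco wildcard mask is the bitwise inverse of a subnet mask.
    netmask = 0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1]))
    net = ipaddress.ip_network(f"{tokens[0]}/{ipaddress.ip_address(netmask)}",
                               strict=False)
    return net, tokens[2:]


def _port(tokens):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (int(p) if p.isdigit() else NAMED_PORTS[p]), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Return {acl_number: [Ace, ...]} from 'access-list N ...' lines, in order."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        number, t = t[1], t[2:]
        if t[0] == "dynamic":      # lock-and-key entries are inactive until triggered
            continue
        action, proto_kw, t = t[0], t[1], t[2:]
        proto = None if proto_kw == "ip" else PROTO_NUMBERS[proto_kw]
        src, t = _addr(t)
        sport, t = _port(t)
        dst, t = _addr(t)
        dport, t = _port(t)
        acls.setdefault(number, []).append(Ace(action, proto, src, sport, dst, dport))
    return acls


def evaluate(aces, pkt):
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    for ace in aces:
        if ace.proto is not None and ace.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in ace.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


def decisions(acl_text, number, packets):
    """Verdict ('permit'/'deny') of ACL `number` for each packet."""
    aces = parse_acl(acl_text).get(number, [])
    return [evaluate(aces, p) for p in packets]


# Access-list lines copied from the config posted in the thread.
THREAD_ACL = """
access-list 107 permit icmp any host 172.16.0.1
access-list 107 permit tcp any any eq domain
access-list 107 permit udp any any eq domain
access-list 107 permit ip host 172.16.0.2 host 172.16.0.1
access-list 107 permit tcp any host 172.16.0.1 eq 1723
access-list 107 permit gre any any
access-list 107 deny ip any any
access-list 109 deny ip any any
access-list 110 deny ip any any
"""

# Constructed packet: an ICMP echo from a VPN client address to a LAN host.
ICMP_ECHO = Packet(1, "172.17.0.5", "172.16.0.2")

if __name__ == "__main__":
    print("ACL 109, ICMP echo:", decisions(THREAD_ACL, "109", [ICMP_ECHO]))
    with_icmp = "access-list 109 deny icmp any any\n" + THREAD_ACL
    print("ACL 109 + deny icmp, ICMP echo:", decisions(with_icmp, "109", [ICMP_ECHO]))
```

The evaluator is a model of the matching rules only. When it says `deny` for ACL 109 but the router still forwards the echo, the explanation lies in where the ACL is actually applied rather than in the `ip` keyword excluding ICMP; checking the match counters with `show ip access-lists` and confirming that the access-group is present on the cloned Virtual-Access interface (`show interfaces virtual-access`) is the first thing to verify.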
