[ImoLUG] Client PPTP dietro ad un Cisco877-k9

Riccardo Dal Fiume dalfiume.r@gmail.com
Lun 6 Dic 2010 18:03:52 CET


Ho fatto qualche prova, ho cambiato da pppoe a pppoa e ho tolto alcune
cose che non servivano.
Ho provato a connettermi SENZA il firewall settato tramite il wizard e
CON. Ovviamente CON il firewall settato non va nulla mentre sembra
funzionare senza problemi SENZA firewall settato.

Questa è la configurazione con cui funziona.


Building configuration...

Current configuration : 9180 bytes
!
version 12.4
! Global service and management-plane baseline (CCP/SDM style).
! PAD is a legacy X.25 service; disabling it removes an unneeded listener.
no service pad
! Keepalives let the router tear down half-open inbound and outbound TCP sessions
! instead of leaving them hanging on its own services.
service tcp-keepalives-in
service tcp-keepalives-out
! Millisecond, local-time, timezone-tagged timestamps on debug and log output make
! correlation with other hosts' logs possible during incident response.
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! Encodes otherwise-plaintext passwords in the config as type 7 (see the "password 7"
! lines under Dialer1). Type 7 is a reversible obfuscation, not a hash: it only guards
! against casual viewing, not against anyone who can read the config.
service password-encryption
service sequence-numbers
!
hostname fw-cisco877-sede3
!
boot-start-marker
boot-end-marker
!
! Log (and briefly lock out) after 3 consecutive failed logins; require passwords of
! at least 6 characters.
security authentication failure rate 3 log
security passwords min-length 6
! Logs live only in a 51200-byte local buffer - no "logging host" appears anywhere in
! this config - so they vanish on reload. A syslog destination is needed for durable
! evidence.
logging buffered 51200
logging console critical
! Type 5 (salted MD5) enable secret. NOTE(review): the hash was reproduced verbatim on
! a public list, so the secret should be considered exposed and rotated.
enable secret 5 $1$bjy7$LCEnQC/Un3ZdsR30YscsL.
!
! AAA backed by the local user database only: both the default and the named method
! lists ("local_authen", "local_author") resolve to "local", so console/vty logins and
! exec authorization are decided by the "username" entries further down.
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_authen local
aaa authorization exec default local
aaa authorization exec local_author local
!
!
aaa session-id common
clock timezone PCTime 1
!
! Self-signed certificate, presumably the one auto-generated for the HTTPS management
! server ("ip http secure-server" below). Revocation checking is off, which is the only
! workable setting for a self-signed certificate; browsers will have to accept or pin it
! explicitly.
crypto pki trustpoint TP-self-signed-2504755254
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2504755254
 revocation-check none
 rsakeypair TP-self-signed-2504755254
!
!
crypto pki certificate chain TP-self-signed-2504755254
 certificate self-signed 01
  ...
  	quit
no dot11 syslog
! Drop packets carrying IP source-route options - a classic way to steer traffic
! around source-based filtering.
no ip source-route
! CEF is disabled; the interfaces below use "ip route-cache flow" instead.
! NOTE(review): confirm this is intentional - most hardening baselines assume CEF on.
no ip cef
!
!
! DHCP: one pool per VLAN. The exclusions leave 192.168.10.100-150 and
! 192.168.11.100-150 as the dynamic ranges; on the 10.10.10.0/29 pool only the router's
! own address is excluded.
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.201 192.168.1.254
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.10.151 192.168.10.254
ip dhcp excluded-address 192.168.11.1 192.168.11.99
ip dhcp excluded-address 192.168.11.151 192.168.11.254
!
! Pool for the default/management VLAN (Vlan1, 10.10.10.0/29). "import all" copies
! options learned upstream (presumably DNS from the PPP negotiation on Dialer1) into the
! leases; leases last 0 days 2 hours.
ip dhcp pool ccp-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
! Office VLAN (Vlan2). Clients are pointed at the router itself for DNS, which is
! served by "ip dns server" further down and forwarded to the public resolvers below.
ip dhcp pool ccp-pool2
   import all
   network 192.168.10.0 255.255.255.0
   domain-name dalfiume.local
   dns-server 192.168.10.1
   default-router 192.168.10.1
!
! Customer VLAN (Vlan3): same pattern as the office pool with its own domain name.
ip dhcp pool ccp-pool3
   import all
   network 192.168.11.0 255.255.255.0
   domain-name dalfiumeclienti.it
   dns-server 192.168.11.1
   default-router 192.168.11.1
!
!
no ip bootp server
ip domain name dalfiume.local
! Upstream resolvers, used for the router's own lookups and by the "ip dns server"
! forwarder.
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
multilink bundle-name authenticated
!
!
! Local user database. "admin" is privilege 15 directly; the other two accounts keep
! the default privilege level and rely on exec authorization ("local_author").
! Secrets are type 5 hashes, elided by the poster.
username admin privilege 15 secret 5 ...
username riccardo secret 5 ...
username poggio secret 5 ...
!
!
! Keep a log of configuration changes, with passwords and keys hidden in the entries.
archive
 log config
  hidekeys
!
!
! Shorter SYN wait limits the resources a SYN flood can tie up on the router's own
! services; the SSH timeout bounds the negotiation phase to 60s.
! NOTE(review): no "ip ssh version 2" appears in this config - restricting to SSHv2
! is advisable if the image supports it.
ip tcp synwait-time 10
ip ssh time-out 60
!
!
!
! Traffic routed to Null0 is discarded silently: no ICMP unreachables are generated.
interface Null0
 no ip unreachables
!
! Physical ADSL interface; Layer 3 lives on Dialer1. Redirects, unreachables and
! proxy-ARP are switched off, as on the LAN interfaces.
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
! PPPoA: PPP carried directly in AAL5 MUX on VPI/VCI 8/35 (the pppoe -> pppoa change
! the poster describes), member of dialer pool 1 -> Dialer1.
interface ATM0.1 point-to-point
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
! Switch ports: Fe0 -> VLAN 2 (office), Fe1 -> VLAN 3 (customers), Fe2 stays in the
! default VLAN 1 (management), Fe3 is a trunk.
interface FastEthernet0
 description OFFICINA-SEDE3
 switchport access vlan 2
 ntp disable
!
interface FastEthernet1
 description CLIENTI-SEDE3
 switchport access vlan 3
 ntp disable
!
interface FastEthernet2
 description CONFIGURAZIONE-DEFAULT
 ntp disable
!
! NOTE(review): the trunk carries every VLAN, including management VLAN 1, to whatever
! is attached; consider pruning with "switchport trunk allowed vlan" if the downstream
! switch does not need all three.
interface FastEthernet3
 description TRUNK
 switchport mode trunk
 ntp disable
!
! Management VLAN (CCP "FW_INSIDE" tag), 10.10.10.1/29, ACL 100 inbound. There is no
! "ip nat inside" here and ACL 2 (the NAT source list) does not cover 10.10.10.0/29,
! so hosts on this VLAN are not translated and only reach the router's own services.
! NOTE(review): the description appears to have been wrapped by the mail client; in
! the real config it is one line.
interface Vlan1
 description CONFIGURAZIONE-DEFAULT$ETH-SW-LAUNCH$$INTF-INFO-HWIC
4ESW$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.248
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
!
! Office VLAN, 192.168.10.1/24. ACL 102 inbound does anti-spoofing and management-plane
! filtering; "ip nat inside" plus virtual-reassembly (needed so NAT can handle
! fragments) make this the inside of the overload translation on Dialer1.
interface Vlan2
 description OFFICINA-SEDE3$FW_INSIDE$
 ip address 192.168.10.1 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
! Customer VLAN, 192.168.11.1/24, same NAT-inside setup as Vlan2. ACL 103 inbound only
! does anti-spoofing - it lacks the per-port denies towards the router that ACL 102
! carries for the office VLAN (see the ACL 103 note below).
interface Vlan3
 description CLIENTI-SEDE3$FW_INSIDE$
 ip address 192.168.11.1 255.255.255.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
! WAN side: PPP over the ATM PVC, address negotiated from the ISP, NAT outside.
! NOTE(review): no "ip access-group ... in" is applied here. With the CCP firewall
! removed, as the poster says, nothing filters inbound WAN traffic; the management
! services are protected only by their source-based access-classes (ACL 1 for HTTP,
! ACL 101 for vty), and "ip dns server" may answer queries arriving on this interface.
! An inbound ACL that admits only return traffic would restore that layer.
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 2
 no cdp enable
! "callin": the router demands authentication from the peer only on incoming calls;
! towards the ISP it authenticates with CHAP or PAP using the credentials below.
! NOTE(review): both are type 7 (reversible) and have been posted publicly - rotate them.
 ppp authentication chap pap callin
 ppp chap hostname aliceadsl
 ppp chap password 7 0207085208030E255F42
 ppp pap sent-username aliceadsl password 7 082040470A1C04130107
!
ip forward-protocol nd
! Default route through the PPP dialer.
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
! Web management (CCP). Plain HTTP is enabled alongside HTTPS; ACL 1 limits both to
! the office and management subnets, with local authentication and session limits.
! NOTE(review): consider "no ip http server", keeping only secure-server, so
! credentials never travel in clear text.
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
! The router acts as DNS forwarder for the LAN (pools 2 and 3 hand it out as dns-server).
ip dns server
! PAT: sources matched by ACL 2 (VLANs 2 and 3) are overloaded onto Dialer1's address.
ip nat inside source list 2 interface Dialer1 overload
!
! Trap level is "debugging", but no syslog host is configured in this config, so the
! setting currently has no remote effect.
logging trap debugging
! ACL 1: sources allowed to reach the HTTP(S) server. NOTE(review): the wildcard on
! 10.10.10.0 is 0.0.0.255 although Vlan1 is a /29; ACLs 102 and 103 use 0.0.0.7 for
! the same subnet.
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.10.10.0 0.0.0.255
! ACL 2: NAT inside source list - office and customer VLANs only.
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 permit 192.168.11.0 0.0.0.255
! ACL 6: identical to ACL 2 but not referenced anywhere in the posted config.
access-list 6 remark CCP_ACL Category=2
access-list 6 permit 192.168.10.0 0.0.0.255
access-list 6 permit 192.168.11.0 0.0.0.255
! ACL 100 (inbound on Vlan1). First anti-spoofing: drop packets claiming to come from
! the other internal subnets, the limited-broadcast address or loopback. Then allow
! SSH, HTTPS and "cmd" (TCP 514, rsh) to the router only from 10.10.10.0 (same
! /24-vs-/29 wildcard as ACL 1), deny those plus telnet, HTTP and SNMP to the router
! from any other source, and permit everything else.
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 deny   ip 192.168.11.0 0.0.0.255 any
access-list 100 deny   ip 192.168.10.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 22
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 443
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq cmd
access-list 100 deny   tcp any host 10.10.10.1 eq telnet
access-list 100 deny   tcp any host 10.10.10.1 eq 22
access-list 100 deny   tcp any host 10.10.10.1 eq www
access-list 100 deny   tcp any host 10.10.10.1 eq 443
access-list 100 deny   tcp any host 10.10.10.1 eq cmd
access-list 100 deny   udp any host 10.10.10.1 eq snmp
access-list 100 permit ip any any
! ACL 101: vty access-class - SSH accepted only from the office and management subnets.
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
! ACL 102 (inbound on Vlan2): same anti-spoofing pattern (here with the correct 0.0.0.7
! wildcard for the /29), then management-plane filtering towards 192.168.10.1.
! The "Permetti PPTP" line permits the PPTP control channel (TCP 1723) outbound, but
! the final "permit ip any any" already covers it - and the GRE (IP protocol 47) data
! channel PPTP also needs - so this entry changes nothing in this ACL.
! NOTE(review): when the CCP firewall is re-enabled, the PPTP breakage is more likely
! in the inspect rules / inbound WAN ACL on Dialer1 not letting GRE back in - check there.
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 deny   ip 192.168.11.0 0.0.0.255 any
access-list 102 deny   ip 10.10.10.0 0.0.0.7 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 remark Permetti PPTP
access-list 102 permit tcp 192.168.10.0 0.0.0.255 any eq 1723
access-list 102 permit tcp 192.168.10.0 0.0.0.255 host 192.168.10.1 eq 22
access-list 102 permit tcp 192.168.10.0 0.0.0.255 host 192.168.10.1 eq 443
access-list 102 permit tcp 192.168.10.0 0.0.0.255 host 192.168.10.1 eq cmd
access-list 102 deny   tcp any host 192.168.10.1 eq telnet
access-list 102 deny   tcp any host 192.168.10.1 eq 22
access-list 102 deny   tcp any host 192.168.10.1 eq www
access-list 102 deny   tcp any host 192.168.10.1 eq 443
access-list 102 deny   tcp any host 192.168.10.1 eq cmd
access-list 102 deny   udp any host 192.168.10.1 eq snmp
access-list 102 permit ip any any
! ACL 103 (inbound on Vlan3, the customer VLAN): anti-spoofing only, then permit all.
! NOTE(review): unlike ACL 102 it has no deny lines for telnet/ssh/www/443/cmd/snmp
! towards the router's 192.168.11.1 (vty and HTTP are still gated by access-classes
! 101 and 1, which exclude this subnet), and nothing stops 192.168.11.0/24 from
! reaching the office VLAN 192.168.10.0/24. If customers are meant to be isolated,
! add a deny for 192.168.10.0 0.0.0.255 as destination ahead of the final permit.
access-list 103 remark auto generated by CCP firewall configuration
access-list 103 remark CCP_ACL Category=1
access-list 103 deny   ip 192.168.10.0 0.0.0.255 any
access-list 103 deny   ip 10.10.10.0 0.0.0.7 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
! Any IP packet counts as "interesting" traffic and may bring up Dialer1.
dialer-list 2 protocol ip permit
! CDP disabled globally (and explicitly on Dialer1), so the router does not advertise
! itself to neighbours.
no cdp run
!
!
!
!
control-plane
!
!
! Console: local login via the named method list; telnet is allowed only as an
! outbound transport from the console session.
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
! AUX port: same local login. NOTE(review): no "transport input none" / "no exec"
! here; if nothing is cabled to AUX, disabling it removes an entry point.
line aux 0
 login authentication local_authen
 transport output telnet
! VTYs: SSH only, restricted by ACL 101 to the office/management subnets, with local
! authentication and exec authorization. "length 0" disables output paging. No
! exec-timeout is set, so the platform default applies.
line vty 0 4
 access-class 101 in
 authorization exec local_author
 login authentication local_authen
 length 0
 transport input ssh
 transport output ssh
!
! Scheduler settings (presumably laid down by CCP/SDM) that keep process-level tasks
! responsive under load.
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

