2018-03-25 04:26 PM - Last edited: 2019-03-27 04:51 AM by ciscomoderator
I am using a "C841M-4X-JSEC/K9" and would like to expose some servers in a DMZ.
I have split the zones into Vlan1 on the LAN side and Vlan100 on the DMZ side, and am testing with the attached config.
The problem is that when no device is connected on the DMZ side, PCs connected to Vlan1 on the LAN side cannot get out from the LAN to the WAN.
I assume this is because NAT overload is bound to Vlan100 as shown below, but I don't know the solution and am struggling with it.
ip nat inside source list 23 interface Vlan100 overload
If anyone has any information, I would appreciate your advice.
2018-03-28 09:04 PM
Resolved by creating a Loopback interface and using Loopback0 overload.
For reference, the config is below.
!
! Last configuration change at 20:44:30 GMT Wed Mar 28 2018 by dfjpadm
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HOST-C841M
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login local_access local
!
!
aaa session-id common
ethernet lmi ce
clock timezone GMT 9 0
!
crypto pki trustpoint TP-self-signed-1216916834
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1216916834
revocation-check none
rsakeypair TP-self-signed-1216916834
!
!
crypto pki certificate chain TP-self-signed-1216916834
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
~
D40817ED 2E5B4C60 DDE3FDED A7E1E633 E36275D0 4168A2B5 2CAD1E97 306A95EB
523B332A 94832698 4293F0AC DD6D36
quit
!
!
!
!
!
ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool ccp-pool
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 192.168.10.1
lease 0 2
!
!
!
no ip domain lookup
ip domain name mydomain.local
ip name-server <IPS DNS1>
ip name-server <IPS DNS2>
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
parameter-map type inspect global
max-incomplete low 18000
max-incomplete high 20000
nbar-classify
!
license udi pid C841M-4X-JSEC/K9 sn FGLXXXX
!
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network Others_dst_net
any
!
object-group network Others_src_net
any
!
object-group service Others_svc
ip
!
object-group network Web_dst_net
any
!
object-group network Web_src_net
any
!
object-group service Web_svc
ip
!
object-group network dmz2wan-allow_dst_net
any
!
object-group network dmz2wan-allow_src_net
any
!
object-group service dmz2wan-allow_svc
ip
!
object-group network lan2dmz_dst_net
any
!
object-group network lan2dmz_src_net
192.168.10.0 255.255.255.0
!
object-group service lan2dmz_svc
ip
!
object-group network lan2wan-allallow_dst_net
any
!
object-group network lan2wan-allallow_src_net
192.168.10.0 255.255.255.0
any
!
object-group service lan2wan-allallow_svc
ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
192.168.10.0 255.255.255.0
!
object-group network vpn_remote_subnets
any
!
object-group network wan2dmz-allow_dst_net
XXX.XXX.XXX.104 255.255.255.248
!
object-group network wan2dmz-allow_src_net
any
!
object-group service wan2dmz-allow_svc
ip
!
username <ID> privilege 15 secret 5 <password>
!
redundancy
!
!
!
!
no cdp run
!
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
match protocol msnmsgr
match protocol ymsgr
class-map type inspect match-any Others_app
match protocol https
match protocol smtp
match protocol pop3
match protocol imap
match protocol sip
match protocol ftp
match protocol dns
match protocol icmp
class-map type inspect match-all lan2wan-allallow
match access-group name lan2wan-allallow_acl
class-map type inspect match-all lan2dmz
match access-group name lan2dmz_acl
class-map type inspect match-any wan2dmz-allow_app
match protocol tftp
match protocol secure-ftp
match protocol ssh
match protocol icmp
match protocol http
class-map type inspect match-all dmz2wan-allow
match access-group name dmz2wan-allow_acl
class-map type inspect match-any Web_app
match protocol http
class-map type inspect match-all Others
match class-map Others_app
match access-group name Others_acl
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
class-map type inspect match-all wan2dmz-allow
match access-group name wan2dmz-allow_acl
match class-map wan2dmz-allow_app
!
policy-map type inspect LAN-WAN-POLICY
class type inspect lan2wan-allallow
inspect
class type inspect Web
inspect
class type inspect Others
inspect
class type inspect INTERNAL_DOMAIN_FILTER
inspect
class class-default
drop log
policy-map type inspect LAN-DMZ-POLICY
class type inspect lan2dmz
inspect
class type inspect INTERNAL_DOMAIN_FILTER
inspect
class class-default
drop log
policy-map type inspect DMZ-WAN-POLICY
class type inspect dmz2wan-allow
inspect
class type inspect INTERNAL_DOMAIN_FILTER
inspect
class class-default
drop log
policy-map type inspect WAN-DMZ-POLICY
class type inspect wan2dmz-allow
inspect
class type inspect INTERNAL_DOMAIN_FILTER
inspect
class class-default
drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
service-policy type inspect LAN-WAN-POLICY
zone-pair security WAN-DMZ source WAN destination DMZ
service-policy type inspect WAN-DMZ-POLICY
zone-pair security DMZ-WAN source DMZ destination WAN
service-policy type inspect DMZ-WAN-POLICY
zone-pair security LAN-DMZ source LAN destination DMZ
service-policy type inspect LAN-DMZ-POLICY
!
!
crypto isakmp policy 1
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address XXX.XXX.XXX.106 255.255.255.248
!
interface GigabitEthernet0/0
no ip address
!
interface GigabitEthernet0/1
no ip address
!
interface GigabitEthernet0/2
switchport access vlan 100
no ip address
!
interface GigabitEthernet0/3
switchport access vlan 100
no ip address
!
interface GigabitEthernet0/4
description PrimaryWANDesc_
no ip address
ip tcp adjust-mss 1412
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/5
no ip address
ip tcp adjust-mss 1412
shutdown
duplex auto
speed auto
!
interface Vlan1
description $ETH_LAN$
ip address 192.168.10.1 255.255.255.0
ip mtu 1454
ip nbar protocol-discovery
ip flow monitor application-mon input
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security LAN
ip tcp adjust-mss 1414
load-interval 30
!
interface Vlan100
ip address XXX.XXX.XXX.105 255.255.255.248
ip mtu 1454
zone-member security DMZ
ip tcp adjust-mss 1414
!
interface Dialer1
description PrimaryWANDesc__GigabitEthernet0/4
mtu 1454
ip unnumbered Vlan100
ip mtu 1452
ip nat outside
ip virtual-reassembly in
zone-member security WAN
encapsulation ppp
ip tcp adjust-mss 1412
dialer pool 1
dialer-group 1
ppp mtu adaptive
ppp authentication chap callin
ppp chap hostname <PPPoE Connect ID>
ppp chap password 0 <PPPoE Connect Password>
ppp ipcp dns request
no cdp enable
!
ip forward-protocol nd
ip http server
ip http upload enable path flash:
ip http upload overwrite
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list 23 interface Loopback0 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended Others_acl
permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended dmz2wan-allow_acl
permit object-group dmz2wan-allow_svc object-group dmz2wan-allow_src_net object-group dmz2wan-allow_dst_net
ip access-list extended lan2dmz_acl
permit object-group lan2dmz_svc object-group lan2dmz_src_net object-group lan2dmz_dst_net
ip access-list extended lan2wan-allallow_acl
permit object-group lan2wan-allallow_svc object-group lan2wan-allallow_src_net object-group lan2wan-allallow_dst_net
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
deny ip any any
ip access-list extended wan2dmz-allow_acl
permit object-group wan2dmz-allow_svc object-group wan2dmz-allow_src_net object-group wan2dmz-allow_dst_net
!
dialer-list 1 protocol ip permit
!
!
access-list 23 permit 192.168.10.0 0.0.0.255
!
!
!
banner exec C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
-----------------------------------------------------------------------
banner login C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
!
line con 0
login authentication local_access
no modem enable
line vty 0 4
access-class 23 in
privilege level 15
login authentication local_access
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input ssh
!
scheduler allocate 20000 1000
!
end
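The symptom in this thread comes from binding PAT to an SVI: Vlan100's line protocol goes down when no port in that VLAN is up, so the translation address disappears, while a Loopback never goes down. The following is an added configuration lint check written for this thread, not code from the original posts; the config excerpts and the 203.0.113.x addresses are constructed placeholders for the poster's masked values.

```python
import re

# Constructed "before" excerpt mirroring the poster's original design (PAT bound to Vlan100).
BEFORE = """\
interface Loopback0
 ip address 203.0.113.106 255.255.255.248
!
interface Vlan100
 ip address 203.0.113.105 255.255.255.248
 zone-member security DMZ
!
ip nat inside source list 23 interface Vlan100 overload
"""
# Constructed "after" excerpt: the fix from the thread, PAT bound to Loopback0.
AFTER = BEFORE.replace("interface Vlan100 overload", "interface Loopback0 overload")

NAT_RE = re.compile(r"^ip nat inside source list (\S+) interface (\S+) overload\s*$", re.M)


def parse_interfaces(cfg):
    """Map each 'interface X' block to the list of its indented sub-commands."""
    blocks, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1].strip()
            blocks[cur] = []
        elif cur is not None and line.startswith(" "):
            blocks[cur].append(line.strip())
        else:
            cur = None  # '!' or a global command ends the block
    return blocks


def nat_overload_findings(cfg):
    """Return one finding string per PAT statement whose translation interface is fragile."""
    ifaces = parse_interfaces(cfg)
    findings = []
    for _acl, ifname in NAT_RE.findall(cfg):
        sub = ifaces.get(ifname)
        if sub is None:
            findings.append(f"{ifname}: referenced by NAT overload but not configured")
            continue
        if not any(s.startswith("ip address ") for s in sub):
            findings.append(f"{ifname}: no IP address, so PAT has nothing to translate to")
        if ifname.startswith("Vlan"):
            # An SVI is up only while at least one member port is up: the poster's exact failure.
            findings.append(f"{ifname}: SVI used as PAT address; it goes down when the VLAN "
                            "has no active port, so LAN hosts lose WAN access; use a Loopback")
    return findings
```

Running `nat_overload_findings` over a full `show running-config` flags the Vlan100 binding and is silent for the Loopback0 version.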