238 Views · 0 Helpful · 6 Replies

Basic C1161X-8P configuration without NAT


Hi, I'm stuck and would like some help.

My config is attached. Currently the ACLs are

ip access-list extended InsideToOutside_acl
10 permit ip any any
ip access-list extended OutsideToInside_acl
10 permit ip any any

If I change OutsideToInside_acl to be

10 permit tcp any any eq 3389

I think RDP can be used to connect from the Internet to the LAN computers, but traffic from the LAN to the Internet (or more likely the return traffic) stops.

How can I fix this?

1 Accepted Solution


Hello

Try the following:

no policy-map type inspect avc Web_app_policy
no class-map type inspect match-all InsideToOutside

interface GigabitEthernet0/0/0
no ip access-group OutsideToInside_acl in

interface GigabitEthernet0/0/1
no ip access-group OutsideToInside_acl in

interface GigabitEthernet0/1/0
no ip access-group InsideToOutside_acl in

access-list 110 remark RDP
access-list 110 permit tcp any any eq 3389
access-list 110 permit udp any any eq 3389


class-map type inspect match-any InsideToOutside  < you may have to remove the old class map before adding this
match protocol icmp
match protocol dns
match protocol http
match protocol https
match access-group 110


class-map type inspect match-any OutsideToInside
no match access-group name OutsideToInside_acl
match access-group 110


6 REPLIES

ip access-list extended InsideToOutside_acl
10 permit ip any any
ip access-list extended OutsideToInside_acl
10 permit ip any any

When you have this config, does everything work? (The above still permits port 3389 from any, right?) Are you able to connect on 3389?

Hi @paul driver

Thanks, that is exactly what I needed to get back on track. I think I was mixing two ways of managing packet access.

One small modification is needed. I would like to limit traffic coming in on 3389, but I do not want to limit traffic going out.

Do I understand correctly that this command is limiting which packets can go out?

class-map type inspect match-any InsideToOutside
description InsideToOutside
match protocol icmp
match protocol dns
match protocol http
match protocol https
match access-group 110

How do I allow all traffic out from the user machines?


Hello

I have not read all the other posts, but zone-based firewalls and access lists applied to the zone member interfaces do not work well together.

Make the changes marked in bold (the lines prefixed with --> below); this allows all outbound traffic and only RDP 3389 inbound. That said, you do not have any NAT configured, is that on purpose?

Current configuration : 23172 bytes
!
! Last configuration change at 17:36:35 UTC Thu Jul 1 2021 by admin
!
version 16.12
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname netlab
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login a-eap-authen-local local
aaa authorization exec default local
aaa authorization network a-eap-author-grp local
!
aaa login success-track-conf-time 1
!
aaa session-id common
clock timezone UTC 10 0
clock summer-time UTC recurring 1 Sun Oct 1:00 1 Sun Apr 1:00
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
no ip domain lookup
ip domain name sece.company.com
ip dhcp excluded-address xxx.xxx.68.0 xxx.xxx.68.29
ip dhcp excluded-address xxx.xxx.68.50 xxx.xxx.68.255
!
ip dhcp pool VLAN68Pool
network xxx.xxx.68.0 255.255.255.0
default-router xxx.xxx.68.254
dns-server xxx.xxx.68.254 8.8.8.8
lease 7
!
login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint quovadis.root
enrollment terminal pem
revocation-check none
!
crypto pki trustpoint quovadis.inter
enrollment terminal pem
serial-number none
fqdn netlab.sece.rmit.edu.au
ip-address none
subject-name C=xxxx
subject-alt-name netlab.company.com
chain-validation continue quovadis.inter2
revocation-check none
rsakeypair netlab.company.com 2048
!
crypto pki trustpoint quovadis.inter2
enrollment terminal pem
chain-validation continue quovadis.root
revocation-check none
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
quit
crypto pki certificate chain quovadis.root
certificate ca 445734245B81899B35F2CEB82B3B5BA726F07528
30820560 30820348 A0030201 02021444 5734245B 81899B35 F2CEB82B 3B5BA726
quit
crypto pki certificate chain quovadis.inter
certificate 234A05CD947BCE0C6C755EE05B1447CEA6DD3E68
3082071C 30820504 A0030201 02021423 4A05CD94 7BCE0C6C 755EE05B 1447CEA6
quit
certificate ca 2D2C802018B7907C4D2D79DF7FB1BD872727CC93
308206AB 30820493 A0030201 0202142D 2C802018 B7907C4D 2D79DF7F B1BD8727
quit
crypto pki certificate chain quovadis.inter2
certificate ca 2D2C802018B7907C4D2D79DF7FB1BD872727CC93
308206AB 30820493 A0030201 0202142D 2C802018 B7907C4D 2D79DF7F B1BD8727

quit
!
crypto pki certificate pool
cabundle nvram:ios_core.p7b
!
license feature hseck9
license udi pid C1161X-8P sn F
license boot level securityk9
memory free low-watermark processor 70177
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 password 0 xx
username Wb35lMa26ZzB password 0 xx
!
redundancy
mode none
!
crypto ikev2 proposal netlab.company
encryption aes-cbc-256
integrity sha256
group 14
!
vlan internal allocation policy ascending
!
track 1 ip sla 1 reachability
!
class-map type inspect match-all InsideToOutside
description InsideToOutside
match access-group name InsideToOutside_acl
class-map type inspect match-all OutsideToInside
description OutsideToInside
match access-group name OutsideToInside_acl
!
policy-map type inspect avc Web_app_policy
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect InsideToOutside
inspect
class class-default
drop log
policy-map type inspect OUTSIDE-INSIDE-POLICY
class type inspect OutsideToInside
--> pass
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-INSIDE-POLICY
!
interface GigabitEthernet0/0/0
description WAN GE 0/0/0
ip address xxx.xxx.253.10 255.255.255.240
--> no ip access-group OutsideToInside_acl in
zone-member security OUTSIDE
negotiation auto
!
interface GigabitEthernet0/0/1
description WAN GE 0/0/1
no ip address
--> no ip access-group OutsideToInside_acl in
zone-member security OUTSIDE
negotiation auto
!
interface GigabitEthernet0/1/0
description VLAN68Port0
switchport mode access
--> no ip access-group InsideToOutside_acl in
zone-member security INSIDE
!
interface GigabitEthernet0/1/1
zone-member security INSIDE
!
interface GigabitEthernet0/1/2
zone-member security INSIDE
!
interface GigabitEthernet0/1/3
zone-member security INSIDE
!
interface GigabitEthernet0/1/4
zone-member security INSIDE
!
interface GigabitEthernet0/1/5
zone-member security INSIDE
!
interface GigabitEthernet0/1/6
zone-member security INSIDE
!
interface GigabitEthernet0/1/7
zone-member security INSIDE
!
interface Vlan1
description VLAN68
ip address xxx.xxx.68.254 255.255.255.0
--> no ip access-group InsideToOutside_acl in
zone-member security INSIDE
!
interface Vlan2
no ip address
zone-member security INSIDE
!
ip forward-protocol nd
ip http server
ip http authentication aaa
ip http secure-server
ip http timeout-policy idle 600 life 600 requests 25
ip route 0.0.0.0 0.0.0.0 xxx.xxx.253.13
!
ip access-list extended InsideToOutside_acl
10 permit ip any any
ip access-list extended OutsideToInside_acl
--> permit tcp any any eq 3389
!
control-plane
!
line con 0
stopbits 1
line vty 0 4
exec-timeout 60 0
length 0
!
end
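The point Georg makes above, that an interface ACL and a zone membership on the same interface do not mix, is cheap to catch before a change window. The following linter is an added example for this thread, not code from any of the posters: it parses a config in standard IOS indentation (one space per nesting level, an assumption of the parser) into stanzas, flags interfaces that carry both `ip access-group` and `zone-member security`, and lists inspect-policy classes whose action is `pass` rather than `inspect`. The sample config is constructed to mirror the thread's interface, policy and ACL names.

```python
# Constructed sample shaped like the thread's running-config (names kept, no addresses).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 ip access-group OutsideToInside_acl in
 zone-member security OUTSIDE
!
interface GigabitEthernet0/1/0
 zone-member security INSIDE
!
interface Vlan1
 ip access-group InsideToOutside_acl in
 zone-member security INSIDE
!
policy-map type inspect OUTSIDE-INSIDE-POLICY
 class type inspect OutsideToInside
  pass
"""

def stanzas(config: str, keyword: str) -> dict[str, list[str]]:
    """Map stanza name -> its indented child lines, for top-level lines starting with keyword."""
    out, name = {}, None
    for raw in config.splitlines():
        if raw.startswith(keyword + " "):
            name = raw[len(keyword) + 1:].strip()
            out[name] = []
        elif name is not None and raw.startswith(" "):
            out[name].append(raw.strip())
        else:
            name = None  # '!' or any other top-level line closes the stanza
    return out

def acl_on_zone_member(config: str) -> list[str]:
    """Interfaces with both an interface ACL and a zone membership: the mix the thread warns about."""
    return sorted(
        name for name, lines in stanzas(config, "interface").items()
        if any(l.startswith("zone-member security") for l in lines)
        and any(l.startswith("ip access-group") for l in lines)
    )

def pass_classes(config: str) -> list[str]:
    """'policy/class' entries whose action is 'pass' (stateless: no ZBF session, unlike 'inspect')."""
    found = []
    for policy, lines in stanzas(config, "policy-map type inspect").items():
        cls = None
        for line in lines:
            if line.startswith("class "):
                cls = line.split()[-1]
            elif line == "pass" and cls:
                found.append(f"{policy}/{cls}")
    return found
```

Run it against `show running-config` output saved to a file and review each reported interface and `pass` class before applying the change.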

@Georg Pauwen

Thanks for your reply. I followed your guide and I can no longer connect from outside to inside using RDP. I checked my edits carefully.

I do not use NAT, because I have a public class C behind the device that I use. This is a historical implementation.

I would like to ask a few clarifying points to try to resolve the problem.

1. the line --> pass

I am assuming I simply type pass and hit return

2. the line permit tcp any any eq 3389

should this have a number in front?

for example, the other statement has

10 permit ip any any

Thanks


Mark Gregory

Hello

Indeed, pass is just one line.

For the access list you do not need a sequence number, since it only has one line anyway...