Miscellaneous network problems
CBAC inspection, firewall
People, please give me some idea....
Your CBAC is applied in the out direction, which means that router-originated traffic is not subject to inspection. However, the catch is that precisely because of this (when you use CBAC in the out direction) no dynamic entry for the return traffic is created in the access list (autosec_firewall_acl) that you have in the inbound direction on the interface toward R2, and your router then drops the packet.
You can check whether the access list is blocking the return traffic as follows:
ip access-list extended autosec_firewall_acl
change the last line to:
deny ip any any log
Initiate traffic and then you will see in the log whether that access list really blocks the return traffic.
Solution to the problem:
Since you initiate the traffic from R1 to R2, the lines that match the return traffic from R2 to R1 for ping and telnet are:
permit tcp any eq telnet any
permit icmp any any echo-reply
The second way is to include router-originated traffic in CBAC:
ip inspect name autosec_inspect icmp router-traffic
ip inspect name autosec_inspect tcp router-traffic
Cheers
PS: this is quick and eyeballed, maybe I haven't studied everything properly, it's busy at work. Let me know whether you solved the problem and I'll get back to you when I catch some time.
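Putting the diagnosis and both fixes from the reply above together as one configuration walk-through. This is an added example, not part of any of the original posts. It assumes that R2's address on the 10.1.1.0/30 link is 10.1.1.2 (the page only shows R1's 10.1.1.1) and that autosec_firewall_acl still has its default sequence numbers 10/20/30/40; check with show access-lists autosec_firewall_acl before inserting entries.

```cisco
! Added example (not from the original posts). Assumes R2 = 10.1.1.2 on the
! 10.1.1.0/30 link and default ACL sequence numbers 10/20/30/40.
!
! Starting point (as in the posted R1 config): CBAC inspects only in the OUT
! direction on Fa0/0 and the static ACL filters IN. Traffic that R1 itself
! originates (ping/telnet to R2) is not inspected, so no dynamic return-traffic
! entry is placed ahead of autosec_firewall_acl and the replies hit the final
! 'deny ip any any'.
interface FastEthernet0/0
 ip access-group autosec_firewall_acl in
 ip inspect autosec_inspect out
!
! Step 1 - prove it: make the final deny log (temporary). Removing the old
! entry (seq 40) and re-adding it appends it again as seq 40.
ip access-list extended autosec_firewall_acl
 no deny ip any any
 deny ip any any log
!
! Then from R1 (the posted config has 'logging console critical', so look in
! the buffer, not on the console):
!   R1# ping 10.1.1.2
!   R1# telnet 10.1.1.2
!   R1# show logging | include autosec_firewall_acl
!     -> %SEC-6-IPACCESSLOGDP (icmp) / %SEC-6-IPACCESSLOGP (tcp) lines with
!        source 10.1.1.2, i.e. the replies being denied
!   R1# show ip inspect sessions
!     -> no session for R1's own connection, because it was never inspected
!
! Fix A (preferred, stateful): have CBAC inspect router-originated traffic too.
! The router-traffic keyword exists from IOS 12.3(14)T; the posted router runs 12.4.
ip inspect name autosec_inspect icmp router-traffic
ip inspect name autosec_inspect tcp router-traffic
!
! Fix B (stateless alternative): permit the reply traffic in the ACL itself.
! The entries must land BEFORE the final deny, hence explicit sequence numbers.
ip access-list extended autosec_firewall_acl
 35 permit tcp any eq telnet any established
 36 permit icmp any any echo-reply
```

Fix A is the one to keep: CBAC then creates the return-traffic entry per session, exactly as it already does for traffic from the PC behind Fa0/1. Fix B is static and therefore broader than it looks: a bare `permit tcp any eq telnet any` admits any segment whose source port is 23, so an outside host can reach anything behind R1 simply by sourcing its connections from port 23. The `established` keyword (ACK or RST set) narrows that to segments that look like replies, but it is still not a state check. Once the diagnosis is done, put the final deny back without `log` so the buffer is not flooded by every dropped packet.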
Thanks for the reply, I only saw your post just now, and working hours are just ending. The lab is at work, so when I come in on Monday I'll get to work on it.
I added these two lines
ip inspect name autosec_inspect icmp router-traffic
ip inspect name autosec_inspect tcp router-traffic
and the problem is solved.
This can be locked.
Thanks and cheers
People, please explain. The topology is shown in the picture. The routers have a standard configuration (ip address, eigrp), and everything worked (pings went through, every router had a routing table with all subnets). On R1 I created a CBAC firewall with auto secure.
R1:
Current configuration : 3008 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 $1$Z0kJ$3mNXMP.WyM9LbIIRcv6Lm.
enable password 7 13061E010803557878
!
aaa new-model
!
!
aaa authentication login local_auth local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip bootp server
no ip domain lookup
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip inspect name autosec_inspect telnet timeout 10
ip inspect name autosec_inspect icmp timeout 10
no ip ips deny-action ips-interface
login block-for 60 attempts 2 within 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username tonina password 7 14141B180F0B7B7977
archive
log config
logging enable
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.252
ip access-group autosec_firewall_acl in
ip verify unicast source reachable-via rx allow-default 100
no ip redirects
no ip proxy-arp
ip inspect autosec_inspect out
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip proxy-arp
duplex auto
speed auto
no mop enabled
!
router eigrp 101
network 10.1.1.0 0.0.0.3
network 192.168.1.0
no auto-summary
!
ip classless
!
!
no ip http server
no ip http secure-server
!
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
permit tcp any any eq telnet
permit eigrp any any
deny ip any any
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
no cdp run
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
banner motd ^CUNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.^C
alias exec c copy run start
!
line con 0
exec-timeout 5 0
privilege level 15
logging synchronous
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
exec-timeout 300 0
privilege level 15
logging synchronous
login authentication local_auth
transport input telnet
!
end
On switch 1 there is a PC from which ping and telnet get through to all parts of the network.
Can someone explain to me why neither ping nor telnet from R1 gets through to R2?
As far as I understood, the firewall acts on traffic that passes through the router, and in this case I have ping and telnet generated by R1 itself, which means the firewall should not apply to them, yet neither ping nor telnet gets through. I don't see where the problem is and what exactly restricts this communication?
Thanks