Passing through a PIX into the internal network, kirill_i, 28-Apr-05, 18:28
Gentlemen, help! I have a PIX 501; on outside there is a real IP 195.218.x.x (mask 255.255.255.252), on inside 192.168.0.0 (mask 255.255.255.0). PAT is configured (everyone goes out through one address, each on a different port). The task: punch a hole from outside (only from a single address) to reach the server 192.168.0.10 over ssh. What do I do? I opened an ACL on outside for the external address. I can't figure out whether outside nat needs to be configured and, if so, how... Any hints?
- Passing through a PIX into the internal network, EDSKA, 23:55, 28-Apr-05 (1)
access-list 101 permit tcp any host 192.168.0.10 eq ssh // ACL attached to the outside interface; permits ssh access to 192.168.0.10
static (inside,outside) tcp 195.218.x.x ssh 192.168.0.10 ssh netmask 255.255.255.255 0 0 // Expose the ssh port of the IP 192.168.0.10 (inside interface) to the outside
access-group 101 in interface outside // Apply ACL no. 101 on the OUTSIDE interface
- Passing through a PIX into the internal network, kirill_i, 11:28, 29-Apr-05 (2)
Doesn't help :( , ssh doesn't get through when we connect to 195.218.236.178. Here is the test configuration... Maybe we forgot something?
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix
domain-name local
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
access-list 110 permit ip 192.168.0.0 255.255.255.0 any
access-list outside_access_in permit tcp any host 192.168.0.8 eq ssh
access-list outside_access_in permit ip 195.218.159.0 255.255.255.0 any
pager lines 36
logging on
logging buffered debugging
icmp permit 195.218.159.0 255.255.255.0 outside
icmp permit host 195.218.236.177 outside
icmp deny any outside
icmp permit 192.168.0.0 255.255.255.0 inside
icmp deny any inside
mtu outside 1500
mtu inside 1500
ip address outside 195.218.236.178 255.255.255.252
ip address inside 192.168.0.254 255.255.255.0
ip audit name out_del attack action alarm drop reset
ip audit name out_inf info action alarm
ip audit info action alarm
ip audit attack action alarm drop reset
pdm location 195.218.159.0 255.255.255.0 outside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 195.218.159.4 255.255.255.255 inside
pdm location 195.218.159.4 255.255.255.255 outside
pdm location 192.168.0.8 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) tcp 195.218.236.178 ssh 192.168.0.8 ssh netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 195.218.236.177 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 0:00:00
timeout h323 0:00:00 mgcp 0:00:00 sip 0:00:00 sip_media 0:00:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
ntp server 130.149.17.21 source outside prefer
ntp server 193.67.79.202 source outside
http server enable
http 195.218.159.0 255.255.255.0 outside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
sysopt noproxyarp outside
auth-prompt prompt Login:
auth-prompt accept Passw:
auth-prompt reject The END! Thanks!
telnet timeout 5
ssh timeout 5
console timeout 5
dhcpd address 192.168.0.32-192.168.0.58 inside
dhcpd dns 192.168.0.2 212.44.131.6
dhcpd wins 192.168.0.8
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain local
dhcpd option 150 ip 192.168.0.254
dhcpd enable inside
terminal width 80
- Passing through a PIX into the internal network, sh_, 11:33, 29-Apr-05 (3)
no access-list outside_access_in permit ip 195.218.159.0 255.255.255.0 any
access-list outside_access_in permit ip any 195.218.159.0 255.255.255.0
- Passing through a PIX into the internal network, kirill_i, 11:40, 29-Apr-05 (4)
>no access-list outside_access_in permit ip 195.218.159.0 255.255.255.0 any
>access-list outside_access_in permit ip any 195.218.159.0 255.255.255.0
No, that doesn't work at all. The outside address is 195.218.236.178, and the network 195.218.159.0 is the one from which access to this firewall is allowed. So in my view this rule makes no sense... or am I wrong?
- Passing through a PIX into the internal network, EDSKA, 11:55, 29-Apr-05 (5)
Your task was ssh to 192.168.0.10, but you forwarded to 192.168.0.8 !!!!
static (inside,outside) tcp 195.218.236.178 ssh 192.168.0.8 ssh netmask 255.255.255.255 0 0
Also add
access-list outside_access_in permit tcp any host 195.218.236.178 eq ssh
and check whether the packets are going through your ACL or not ... show access-list, hitcnt should increase ...
- Passing through a PIX into the internal network, kirill_i, 14:05, 29-Apr-05 (6)
Nope, still doesn't work. The counters update on line 3 (when I try to ssh in there), but why on line 3 and not on line 1? In short, I don't understand at all what the catch is.... everything is by the book....
access-list outside_access_in; 4 elements
access-list outside_access_in line 1 permit tcp 195.218.159.0 255.255.255.0 eq ssh host 195.218.236.178 eq ssh (hitcnt=0)
access-list outside_access_in line 2 permit tcp any host 192.168.0.8 eq ssh (hitcnt=0)
access-list outside_access_in line 3 permit ip 195.218.159.0 255.255.255.0 host 195.218.236.178 (hitcnt=2)
access-list outside_access_in line 4 permit ip 195.218.159.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=0)
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix
domain-name local
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
access-list 110 permit ip 192.168.0.0 255.255.255.0 any
access-list outside_access_in permit tcp 195.218.159.0 255.255.255.0 eq ssh host 195.218.236.178 eq ssh
access-list outside_access_in permit tcp any host 192.168.0.8 eq ssh
access-list outside_access_in permit ip 195.218.159.0 255.255.255.0 host 195.218.236.178
access-list outside_access_in permit ip 195.218.159.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 36
logging on
logging buffered debugging
icmp permit 195.218.159.0 255.255.255.0 outside
icmp permit host 195.218.236.177 outside
icmp deny any outside
icmp permit 192.168.0.0 255.255.255.0 inside
icmp deny any inside
mtu outside 1500
mtu inside 1500
ip address outside 195.218.236.178 255.255.255.252
ip address inside 192.168.0.254 255.255.255.0
ip audit name out_del attack action alarm drop reset
ip audit name out_inf info action alarm
ip audit info action alarm
ip audit attack action alarm drop reset
pdm location 195.218.159.0 255.255.255.0 outside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 195.218.159.4 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) tcp 195.218.236.178 ssh 192.168.0.8 ssh netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 195.218.236.177 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 0:00:00
timeout h323 0:00:00 mgcp 0:00:00 sip 0:00:00 sip_media 0:00:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
ntp server 130.149.17.21 source outside prefer
ntp server 193.67.79.202 source outside
http server enable
http 195.218.159.0 255.255.255.0 outside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt noproxyarp outside
auth-prompt prompt Novasoft_Login:
auth-prompt accept Novasoft_Passw:
auth-prompt reject The END! Thanks!
telnet 195.218.159.4 255.255.255.255 outside
telnet timeout 5
ssh 195.218.159.4 255.255.255.255 outside
ssh timeout 5
console timeout 5
dhcpd address 192.168.0.32-192.168.0.58 inside
dhcpd dns 192.168.0.2 212.44.131.6
dhcpd wins 192.168.0.8
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain local
dhcpd option 150 ip 192.168.0.254
dhcpd enable inside
terminal width 80
Cryptochecksum:1b2988213856d21193223ab71a50815d
: end
- Passing through a PIX into the internal network, EDSKA, 14:19, 29-Apr-05 (7)
>In short, I don't understand at all what the catch is.... everything is by the book....
>
>access-list outside_access_in; 4 elements
>access-list outside_access_in line 1 permit tcp 195.218.159.0 255.255.255.0 eq ssh host 195.218.236.178 eq ssh (hitcnt=0)
>access-list outside_access_in line 2 permit tcp any host 192.168.0.8 eq ssh (hitcnt=0)
>access-list outside_access_in line 3 permit ip 195.218.159.0 255.255.255.0 host 195.218.236.178 (hitcnt=2)
>access-list outside_access_in line 4 permit ip 195.218.159.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=0)
I apologize very much, but in my first answer I made a mistake in the access-list ... Access lists have the property that once the first entry matches, the remaining ACEs are not considered ... Do this:
1.
no access-list 110 permit ip 192.168.0.0 255.255.255.0 any
no access-list outside_access_in permit tcp 195.218.159.0 255.255.255.0 eq ssh host 195.218.236.178 eq ssh
no access-list outside_access_in permit tcp any host 192.168.0.8 eq ssh
no access-list outside_access_in permit ip 195.218.159.0 255.255.255.0 host 195.218.236.178
no access-list outside_access_in permit ip 195.218.159.0 255.255.255.0 192.168.0.0 255.255.255.0
no access-group outside_access_in in interface outside
2.
access-list 100 permit tcp 192.168.0.0 255.255.255.0 any // allow the PCs to go out to the internet
access-list 101 permit tcp any host 195.218.236.178 eq 22 // allow connections to the external IP on port 22 (the ssh port)
access-group 101 in interface outside // attach the rule to 195.218.236.178
access-group 100 in interface inside // to 192.168.0.254
Use 100 and 101 as the access-list names ... This definitely works, I tested it at work ...
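As an added illustration (not from any of the posters), a small Python model of the first-match evaluation described in reply (7), run over the outside_access_in from reply (6). It assumes, as on PIX 6.3, that an inbound ACL on outside is checked against the global (mapped) address 195.218.236.178 rather than the inside host 192.168.0.8; the constructed SSH SYN from 195.218.159.4 then falls through line 1 (its "eq ssh" on the source side requires the client's source port to be 22) and line 2 (the destination is the inside address), and is counted on line 3, which is the hitcnt pattern kirill_i saw. The single-line ACL 101 from reply (7) matches on its first line.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
# Hypothetical first-match model of a PIX 6.3 inbound ACL, written for this thread.
# Assumption: the outside ACL is checked against the global (mapped) address,
# i.e. 195.218.236.178, not the inside host 192.168.0.8 behind the static.
N = ipaddress.IPv4Network

@dataclass
class Ace:
    proto: str                    # "ip" or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int] = None   # "eq" on the source port (None = any)
    dport: Optional[int] = None   # "eq" on the destination port (None = any)
    hitcnt: int = 0

    def matches(self, proto, src, dst, sport, dport) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if src not in self.src or dst not in self.dst:
            return False
        if self.sport is not None and self.sport != sport:
            return False
        return self.dport is None or self.dport == dport

def posted_acl() -> List[Ace]:
    """outside_access_in as shown in reply (6), in its original order."""
    return [
        Ace("tcp", N("195.218.159.0/24"), N("195.218.236.178/32"), sport=22, dport=22),
        Ace("tcp", N("0.0.0.0/0"), N("192.168.0.8/32"), dport=22),
        Ace("ip", N("195.218.159.0/24"), N("195.218.236.178/32")),
        Ace("ip", N("195.218.159.0/24"), N("192.168.0.0/24")),
    ]

def fixed_acl() -> List[Ace]:
    """access-list 101 from reply (7): permit tcp any host 195.218.236.178 eq 22."""
    return [Ace("tcp", N("0.0.0.0/0"), N("195.218.236.178/32"), dport=22)]

def evaluate(acl: List[Ace], proto, src, dst, sport, dport) -> Optional[int]:
    """First match wins and takes the hit; return its 1-based line, None = implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for line, ace in enumerate(acl, start=1):
        if ace.matches(proto, s, d, sport, dport):
            ace.hitcnt += 1
            return line
    return None

def ssh_syn(acl: List[Ace]) -> Optional[int]:
    # Constructed packet: admin host 195.218.159.4, ephemeral source port 40123,
    # to the PIX outside address on port 22 (the global address the ACL sees).
    return evaluate(acl, "tcp", "195.218.159.4", "195.218.236.178", 40123, 22)
```

Running ssh_syn over posted_acl() returns 3 and leaves hitcnt at [0, 0, 1, 0]; with only the first two lines present the packet would hit the implicit deny.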
- Connecting to the Pix on outside, bmonk, 14:52, 14-Feb-08 (8)
Please help, I can't set up SSH access to the outside interface. Could you write an example config listing all the commands related to SSH? Many thanks in advance. The scheme given above doesn't work for me.