[ gogi100 @ 30.07.2015. 14:01 ] @
So, I'm configuring a Cisco 1921 router. I need to connect two networks, 192.168.200.0/24 and 192.168.0.0/24. On the external GigabitEthernet0/0 I created an inbound access list so that computers from the 192.168.0.0/24 network access the servers in the 192.168.200.0/24 network without any problem. However, computers from the 192.168.200.0/24 network cannot access the servers in the 192.168.0.0/24 network. When this access list is not applied, everything works in both directions. However, I want to restrict the traffic to certain protocols. The router configuration is:

Building configuration...

Current configuration : 9974 bytes
!
! Last configuration change at 13:53:55 Prague Thu Jul 30 2015 by administrator
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname servers-r
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$zUjL$rAvZbXspCYjotGe/jL48T1
enable password 7 097C4F1A0A1218000F4D557878
!
no aaa new-model
clock timezone Prague 1 0
clock summer-time Prague date Mar 30 2003 2:00 Oct 26 2003 3:00
!
no ipv6 cef
!
!
!
!
!
ip domain name d.l
ip name-server 192.168.0.20
ip name-server 192.168.0.24
ip cef
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-2259530887
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2259530887
 revocation-check none
 rsakeypair TP-self-signed-2259530887
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name [email protected]
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-2259530887
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32323539 35333038 3837301E 170D3135 30373038 31333139
  31385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 32353935
  33303838 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B259 D0C431C4 B525F2EE 1D9BF630 C149CE34 786795EC B6355D65 A8EF7B3D
  C65EEAC8 729155F5 5BC853AE 976AC249 B40FFED6 59CF457F 0F4FA191 2080218C
  4380C255 33DAEF9C E103307A 69477BC6 5A740E2C D944326B 461DC373 2F1F6CE2
  F1B8C22E A5010323 815804D3 7C3BAFB2 62BC7842 C8D0D506 0FB9CA8B 0F49236E
  AE8B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14A5124D 5912F9BC C4109E65 E49489B7 24AC8345 22301D06
  03551D0E 04160414 A5124D59 12F9BCC4 109E65E4 9489B724 AC834522 300D0609
  2A864886 F70D0101 05050003 81810033 1A9BEBA8 0736025C 5740E525 0A45910B
  406A0CFA F2ADE31F 76D92B73 40EBBF98 F2E261C0 247D6BD9 94D3AE79 313D7AE4
  0CA635B3 A62205B4 67F9CD78 6CD47554 F5F184BD C88BB35C C01E44AD E8491DF7
  0A46F0AF 39867593 6F21B2D3 E8B5B787 D430E64B F3F7A7D3 C2D54690 E31E2B35
  E77E55D8 02E035B1 0965616F 00AC1A
        quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO1921/K9 sn FCZ163293TE
!
!
object-group network DC_0.20
 host 192.168.0.20
 host 192.168.0.24
!
object-group service SPSQL_server
 description sql server for sharepoint
 tcp eq 135
 tcp eq 139
 tcp eq 3389
 tcp eq 1433
 tcp eq 445
 tcp eq 2383
 tcp eq www
 tcp eq 5357
!
object-group network SQL_0.34
 host 192.168.0.34
!
object-group network SQL_servers
 host 192.168.200.14
 host 192.168.200.34
 host 192.168.200.16
!
object-group service WDS_server
 tcp eq 135
 tcp eq 139
 tcp eq 3389
 tcp eq 5040
 tcp eq 443
 tcp eq 445
 tcp eq 1032
 tcp eq 1039
 tcp eq 1089
 tcp eq www
 tcp eq 5357
!
object-group network backup_server
 host 192.168.0.152
 host 192.168.0.32
 range 192.168.0.29 192.168.0.30
!
object-group service backup_servers
 tcp eq 135
 tcp eq 139
 tcp eq 3389
 tcp eq 9876
 tcp eq 445
 tcp eq 2301
 tcp eq 2381
 tcp eq 3260
!
object-group service domain_controller
 udp eq ntp
 tcp eq 135
 udp eq netbios-ns
 udp eq netbios-dgm
 tcp eq 139
 tcp eq 636
 tcp-udp eq 389
 tcp-udp eq 445
 tcp-udp eq 464
 tcp eq 5722
 tcp eq smtp
 tcp-udp eq domain
 tcp-udp eq 88
 tcp eq 3268
 tcp eq 3269
 tcp range 49152 56535
 tcp eq 3389
 tcp eq 5357
!
object-group network domain_controllers
 host 192.168.200.20
 host 192.168.200.24
!
object-group service dri-net_server
 tcp eq 135
 tcp eq 139
 tcp eq 3306
 tcp eq 445
 tcp range 1048 1050
 tcp eq domain
 tcp eq 3289
!
object-group service finansije_server
 tcp eq 135
 tcp eq 139
 tcp eq 3389
 tcp eq 445
 tcp eq www
 tcp eq 5357
!
object-group service paragraflex_server
 tcp eq 135
 tcp eq 139
 tcp eq 3389
 tcp eq 445
 tcp eq 5357
 tcp eq 6190
!
object-group service sharepoint_application_service
 tcp eq 135
 tcp eq 139
 tcp eq 3389
 tcp eq 2103
 tcp eq 2105
 tcp eq 2107
 tcp eq 1801
 tcp eq smtp
 tcp eq 4361
 tcp eq 8080
 tcp eq 4860
 tcp eq 445
 tcp eq 1053
 tcp eq 5357
 tcp range www 82
!
object-group service sharepoint_web_application
 tcp eq 135
 tcp eq 139
 tcp eq 3389
 tcp eq 2103
 tcp eq 2105
 tcp eq 2107
 tcp eq 1801
 tcp eq 8080
 tcp eq 445
 tcp eq 1044
 tcp eq 1060
 tcp eq 1074
 tcp range 1025 1028
 tcp eq 1102
 tcp eq www
!
object-group network sharepoint_web_servers
 range 192.168.200.36 192.168.200.37
 host 192.168.200.13
 host 192.168.200.17
!
object-group service terminal_server
 tcp eq 135
 tcp eq 139
 tcp eq 3389
 tcp eq 1947
 tcp eq 445
 tcp eq 5357
!
object-group service virtual_server_services
 tcp eq 135
 tcp eq 139
 tcp eq 3389
 tcp eq 2179
 tcp eq 445
 tcp eq 2301
 tcp eq 2381
 icmp echo
 icmp echo-reply
!
object-group network virtual_servers
 host 192.168.200.11
 host 192.168.200.25
 host 192.168.200.41
!
object-group network wsus_servers
 host 192.168.200.12
 host 192.168.200.27
 host 192.168.200.15
!
object-group service wsus_services
 tcp eq 135
 tcp eq 139
 tcp eq 3389
 tcp eq 445
 tcp eq www
 tcp eq 5357
 tcp eq 8531
 tcp eq 443
 tcp eq 8530
 icmp echo
 icmp echo-reply
!
username administrator privilege 15 password 7 01230717481C091D250D1F5B4A
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-WAN$
 ip address 192.168.0.253 255.255.255.0
 ip access-group domain_controller in
 ip mask-reply
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description $ETH-LAN$
 ip address 192.168.200.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
ip route 192.168.50.0 255.255.255.0 192.168.0.10 permanent
!
ip access-list extended allow_all
 remark CCP_ACL Category=1
 permit tcp any host 192.168.0.26 eq 6190
 permit tcp any host 192.168.0.28 eq 3389 log
 permit tcp any host 192.168.0.33 eq 3389 log
 permit icmp any host 192.168.0.20
 permit ip any any log
ip access-list extended client_domain_controller
 remark CCP_ACL Category=16
 permit tcp 192.168.200.0 0.0.0.255 host 192.168.200.254 eq telnet
 permit tcp 192.168.200.0 0.0.0.255 host 192.168.200.254 eq 22
 permit tcp 192.168.200.0 0.0.0.255 host 192.168.200.254 eq www
 permit tcp 192.168.200.0 0.0.0.255 host 192.168.200.254 eq 443
 permit tcp 192.168.200.0 0.0.0.255 host 192.168.200.254 eq cmd
 deny   tcp any host 192.168.200.254 eq telnet
 deny   tcp any host 192.168.200.254 eq 22
 deny   tcp any host 192.168.200.254 eq www
 deny   tcp any host 192.168.200.254 eq 443
 deny   tcp any host 192.168.200.254 eq cmd
 deny   udp any host 192.168.200.254 eq snmp
 permit tcp host 192.168.200.20 any range 49152 56535 established log
 permit udp host 192.168.200.20 any range 49152 56535 log
 permit tcp host 192.168.200.41 any eq 3389
 permit udp host 192.168.200.20 any eq domain log
 permit tcp host 192.168.200.20 any eq domain established log
 permit ip any any
ip access-list extended domain_controller
 remark CCP_ACL Category=1
 permit tcp host 192.168.0.61 host 192.168.0.253 eq telnet
 permit tcp host 192.168.0.61 host 192.168.0.253 eq www
 permit tcp host 192.168.0.61 host 192.168.0.253 eq 443
 permit udp host 192.168.0.24 eq domain any
 permit udp host 192.168.0.20 eq domain any
 permit object-group terminal_server any host 192.168.200.22 log
 permit object-group dri-net_server any host 192.168.200.31 log
 permit object-group paragraflex_server any host 192.168.200.26 log
 remark SPSQL_server
 permit object-group SPSQL_server any object-group SQL_servers log
 permit object-group backup_servers any object-group backup_server log
 permit object-group virtual_server_services any object-group virtual_servers log
 permit object-group WDS_server any host 192.168.200.28 log
 remark wsus servers
 permit object-group wsus_services any object-group wsus_servers log
 permit object-group sharepoint_web_application any object-group sharepoint_web_servers log
 permit object-group finansije_server any host 192.168.200.23 log
 remark sharepoint_application_server
 permit object-group sharepoint_application_service any host 192.168.200.33 log
 remark active_directory
 permit object-group domain_controller any object-group domain_controllers log
 remark ping na sharepoint
 permit icmp host 192.168.0.33 any log
 permit tcp host 192.168.0.40 eq www any log
 deny   udp any host 192.168.0.253 eq snmp
 deny   tcp any host 192.168.0.253 eq cmd
 deny   tcp any host 192.168.0.253 eq 22
 deny   ip 192.168.0.0 0.0.0.255 192.168.200.0 0.0.0.255 log
ip access-list extended insideinterface_out
 remark CCP_ACL Category=1
 permit ip any host 192.168.200.17
ip access-list extended sql
 remark CCP_ACL Category=1
 permit ip any host 192.168.0.34
 permit tcp any host 192.168.0.34
 permit ip any host 192.168.0.61
 deny   ip any any
!
access-list 1 permit 192.168.0.61
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit ip 192.168.200.0 0.0.0.255 any
access-list 100 permit ip host 192.168.0.61 any
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 100 in
 exec-timeout 40 0
 privilege level 15
 password 7 097C4F1A0A1218000F4D557878
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
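The one-way behaviour the post describes follows from how a plain IOS ACL works: it is stateless, and the entries in domain_controller match on the destination port of each packet. A session opened from 192.168.0.0/24 has its request checked inbound on Gi0/0 and its reply leaves Gi0/0, where no ACL is applied. A session opened from 192.168.200.0/24 has its request leave unchecked, but the reply comes back in on Gi0/0 with the server's port as the source port and an ephemeral destination port, so no destination-port entry matches and it reaches the closing deny between the two networks. The two source-port entries for DNS (eq domain on the source) and the www entry for 192.168.0.40 are hand-made exceptions for exactly this reply traffic. The following Python model is an added example, not part of the original post and not Cisco code: it evaluates a three-entry stand-in for the post's list against constructed packets in both directions, then compares it with a TCP established entry and with reflexive-style session tracking. All hosts, ports and sessions in it are constructed.

```python
"""Stateless inbound ACL vs. established vs. reflexive session tracking.

Constructed model of the router in the post: Gi0/0 (192.168.0.0/24 side)
carries an inbound ACL and no outbound ACL; Gi0/1 (192.168.200.0/24 side)
carries no ACL. The ACL entries, hosts and packets below are stand-ins.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Optional, Tuple

LAN = ip_network("192.168.200.0/24")   # behind Gi0/1
WAN = ip_network("192.168.0.0/24")     # behind Gi0/0, the filtered interface


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK/RST bit: set on replies, clear on the opening SYN


@dataclass(frozen=True)
class Rule:
    action: str                               # "permit" or "deny"
    proto: str                                # "tcp", "udp", "icmp" or "ip" (any)
    src: str                                  # CIDR
    dst: str                                  # CIDR
    sports: Optional[FrozenSet[int]] = None   # None = any source port
    dports: Optional[FrozenSet[int]] = None   # None = any destination port
    established: bool = False                 # TCP 'established': ACK or RST must be set


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.proto in ("ip", pkt.proto)
        and ip_address(pkt.src) in ip_network(rule.src)
        and ip_address(pkt.dst) in ip_network(rule.dst)
        and (rule.sports is None or pkt.sport in rule.sports)
        and (rule.dports is None or pkt.dport in rule.dports)
        and (not rule.established or pkt.ack)
    )


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Stand-ins for the post's list: a destination-port permit to one server, a
# source-port permit for DNS replies (as the post does for .20/.24), and the
# closing deny between the two networks.
BASE_ACL = [
    Rule("permit", "tcp", "0.0.0.0/0", "192.168.200.22/32",
         dports=frozenset({135, 139, 445, 3389})),
    Rule("permit", "udp", "192.168.0.24/32", "0.0.0.0/0", sports=frozenset({53})),
    Rule("deny", "ip", "192.168.0.0/24", "192.168.200.0/24"),
]

# Variant: a TCP 'established' entry ahead of the deny admits reply segments.
ESTABLISHED_ACL = BASE_ACL[:2] + [
    Rule("permit", "tcp", "192.168.0.0/24", "192.168.200.0/24", established=True),
] + BASE_ACL[2:]


class Router:
    """reflexive=True records sessions leaving Gi0/0 and admits only their replies,
    the behaviour of an IOS reflexive ACL or a stateful firewall."""

    def __init__(self, inbound_acl, reflexive: bool = False):
        self.acl = inbound_acl
        self.reflexive = reflexive
        self.sessions = set()

    def lan_to_wan(self, pkt: Packet) -> str:
        # In on Gi0/1 (no ACL), out on Gi0/0 (no outbound ACL): always forwarded.
        if self.reflexive:
            self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return "permit"

    def wan_to_lan(self, pkt: Packet) -> str:
        # In on Gi0/0: the inbound ACL is consulted.
        if self.reflexive and (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions:
            return "permit"
        return evaluate(self.acl, pkt)


def run_session(router: Router, request: Packet) -> Tuple[str, str]:
    """Push a request and its reply through the router; return both verdicts."""
    reply = Packet(request.proto, request.dst, request.dport, request.src, request.sport, ack=True)
    if ip_address(request.src) in LAN:
        return router.lan_to_wan(request), router.wan_to_lan(reply)
    return router.wan_to_lan(request), router.lan_to_wan(reply)


# Constructed sessions: a 0.0/24 client opening RDP to a 200.0/24 server, a
# 200.0/24 server opening SMB towards a 0.0/24 backup host, and a DNS query.
SESSIONS = {
    "rdp_from_wan_client": Packet("tcp", "192.168.0.50", 51000, "192.168.200.22", 3389),
    "smb_from_lan_server": Packet("tcp", "192.168.200.22", 52000, "192.168.0.32", 445),
    "dns_from_lan_dc":     Packet("udp", "192.168.200.20", 61000, "192.168.0.24", 53),
}


def run_all() -> Dict[str, Dict[str, Tuple[str, str]]]:
    routers = {
        "stateless":   Router(BASE_ACL),
        "established": Router(ESTABLISHED_ACL),
        "reflexive":   Router(BASE_ACL, reflexive=True),
    }
    return {mode: {name: run_session(r, pkt) for name, pkt in SESSIONS.items()}
            for mode, r in routers.items()}


if __name__ == "__main__":
    for mode, results in run_all().items():
        for name, (req, rep) in results.items():
            print(f"{mode:11} {name:20} request={req:6} reply={rep}")
```

In the stateless mode the RDP session from the 0.0/24 side succeeds in both directions while the SMB session opened from the 200.0/24 side loses its reply at the closing deny, which is the symptom in the post; the DNS session passes only because of the source-port exception. The established entry repairs the TCP case but is not state: it admits any segment with ACK or RST set from 192.168.0.0/24 towards 192.168.200.0/24, whatever the ports, so it widens what the list allows. Reflexive tracking admits only replies to sessions the router actually saw leave, and does so for UDP as well; on IOS that is the reflexive ACL feature, or the stateful inspection of CBAC and the zone-based firewall.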