Solved

Cisco 2621 Router Configuration Limiting Inbound Connections

Posted on 2003-02-18
Last Modified: 2010-04-17
I have a Cisco 2621 router connected to a T1. I'm trying to achieve the following objectives and can't figure this out. The objectives are:

1. I want to allow incoming SMTP, POP3, WWW, Terminal Server, VNC, pcAnywhere and DNS. There is only one mail server with the same IP address and approximately 30 websites. The terminal server is only on one machine, with VNC running on the web server. I have 3 DNS addresses. All these addresses are real-world IP addresses. The real-world addresses use the subnet mask of 255.255.255.192 (64 IPs total).
2. Everything else inbound I want to block and log to an SNMP Server running on a 10.1.3.250 IP Address.
3. All internal computers are 10.1.3.1 to 10.1.3.255 with the gateway presently 10.1.3.1. I want all traffic allowed from the inbound to the outbound.

Thanks for your help, John

Question by:jcmarx
12 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 7979426
G'day jcmarx

Can you post your existing config? Also output of "show ver" so we know what feature set you have available to you?
It should be pretty simple to meet your objectives.

Cheers!

Author Comment

by:jcmarx
ID: 7980946
Here's a copy of the current configuration. Show version is afterwards.

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname "c2600-05.focusent.com"
!
logging buffered 16384 debugging
enable secret PASSWORDGOESHERE
!
ip subnet-zero
!
no ip domain-lookup
ip domain-name c2600-05.focusent.com
ip dhcp excluded-address 10.1.3.1 10.1.3.10
!
ip dhcp pool fe-corporate
   network 10.1.3.0 255.255.255.0
   dns-server 12.107.167.2 12.107.167.3
   domain-name focusent.com
   default-router 10.1.3.1
   lease 7
!
no ip bootp server
ip audit notify log
ip audit po max-events 100
!
call rsvp-sync
!
interface FastEthernet0/0
 description Connected to Internal Network
 ip address 12.107.167.1 255.255.255.192
 ip directed-broadcast
 speed 100
 full-duplex
!
interface Serial0/0
 description Connection to the Internet
 bandwidth 768
 ip address 12.124.116.122 255.255.255.252
 ip directed-broadcast
 ip nat outside
 encapsulation ppp
 service-module t1 timeslots 1-12
 service-module t1 remote-alarm-enable
!
interface FastEthernet0/1
 description Internal Network with NAT (Network Address Translation)
 ip address 10.1.3.1 255.255.255.0
 ip directed-broadcast
 ip nat inside
 speed 100
 full-duplex
!
ip nat pool ovrld 12.107.167.13 12.107.167.13 prefix-length 24
ip nat inside source list 7 pool ovrld overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
!
logging 12.107.167.50
access-list 7 permit 10.1.3.0 0.0.0.255
access-list 12 permit 12.107.167.0 0.0.0.62
!
snmp-server engineID local 00000009020000019613EA00
snmp-server community fe RO
snmp-server location 05 - Valparaiso, Indiana
snmp-server contact John C. Marx (jmarx@focusent.com)
snmp-server enable traps tty
snmp-server enable traps envmon fan shutdown temperature voltage
!
dial-peer cor custom
!
banner login ^
05 - Focus Enterprises, Inc.
Restricted Access
^
!
line con 0
 exec-timeout 0 0
line aux 0
 exec-timeout 5 0
 password PASSWORDGOESHERE
 login
line vty 0 4
 access-class 12 in
 exec-timeout 5 0
 password PASSWORDGOESHERE
 login
 transport preferred none
!
scheduler allocate 4000 1000
end

---

c2600-05.focusent.com#show ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-JK8O3S-M), Version 12.2(13), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Tue 19-Nov-02 22:48 by pwade
Image text-base: 0x8000808C, data-base: 0x815E0154

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)

c2600-05.focusent.com uptime is 5 minutes
System returned to ROM by power-on
System image file is "flash:c2600-jk8o3s-mz.122-13.bin"

cisco 2621 (MPC860) processor (revision 0x102) with 60416K/5120K bytes of memory.
Processor board ID JAB041305DM (1060631896)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
2 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102
LVL 79

Expert Comment

by:lrmoore
ID: 7983205
1. Set up an inbound ACL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdacls.htm

access-list extended  outside_in
 permit udp any eq 53 any
 permit tcp any eq 80 any
  -or-
 permit tcp <www1> eq 80 any
 permit tcp <www2> eq 80 any

 permit tcp any host <dns> eq 53
 permit tcp any host <www> eq 80
 permit tcp any host <email> eq 25
 permit tcp host <pop3host> eq 110 any
 permit tcp any host <VNChost> eq 5800
 permit tcp any host <TermServhost> eq 3389
 permit ip any any established
 deny ip any any log

2. See last line of acl with "log" keyword.
Set up logging:
service timestamp log datetime
logg buff 4096
logg trap 6

3. Use your firewall feature set for outbound connections from your natt'd network:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/index.htm
Look at the CBAC features with IP INSPECT, and/or the reflexive access-lists
LVL 79

Expert Comment

by:lrmoore
ID: 7983212
Sorry, I hit submit too soon.

>access-list extended  outside_in
should be:
ip access-list extended  outside_in

and apply it to the Serial interface:
 interface serial 0/0
  ip access-group outside_in in

LVL 7

Expert Comment

by:pedrow
ID: 7984301
and please, please, please :

snmp-server community <pick a new community string :)> RO 7

the RO 7 means only hosts from access-list 7 can read your router with snmp.

Right now I can snmpwalk your router from here :(

Maybe acl7 isn't what you want, but use something to restrict who/where you can do this from :)

I also have a couple of questions/comments on lrmoore's acl:

! ?!?
 permit tcp any eq 80 any
dunno why you'd want this if you've got tcp established

permit tcp host <pop3host> eq 110 any
same thing...what you would want is the mailserver that's listening on 110 (pop3) to be able to receive connections from outside. Sourced from 110 would be inside clients popping off outside mailservers. so:

permit tcp any host <pop3host> eq 110

and VNC - instead of this:
permit tcp any host <VNChost> eq 5800

I think this might be more appropriate:
permit tcp any host <VNChost> range 5900 5910

vnc hosts can listen on a range of ports, depending on the 'terminal number' and starts at 5900. So vnchost:0 would be 5900, vnchost:1 would be 5901
The range is dependent on how many vnc terminals you want to listen.

Instead of:
permit ip any any established

it should be:
permit tcp any any established



You might also wanna tune the ACLs in descending order to correspond with your traffic volume.
i.e. if most of the traffic on the routers is generated by internal users/hosts downloading stuff, move the tcp established rule closer to the top. That way, as the router evaluates traffic and goes down the acl line by line, it will quit evaluating and start forwarding sooner :)
LVL 79

Expert Comment

by:lrmoore
ID: 7985221
pedrow, I'm glad that you've got my back. I had this answered once, then lost everything I wrote. Came back later to write it again.
Everything was just for illustration
You are perfectly correct in that the 'established' keyword would make the first line moot.

However, without more specific details in the question regarding which direction pop3 is permitted, I would restrict it to those specified outside hosts only, not assuming that the only POP3 activity would be from the outside to the internal POP3 server, but rather some internal clients may use an external pop3 server, hence this example to limit to specific hosts only:
!
permit tcp host <pop3host> eq 110 any
!
VNC - using a browser interface uses port 5800+ by default. Using VNC viewer uses 5900+, so we're both right on that point.

Of course the acls would need to be refined, more than once.

Here's a good reference for securing your router. Follow the Cisco Router Guides link:
http://nsa1.www.conxion.com/
LVL 7

Expert Comment

by:pedrow
ID: 7985407
thanks lrmoore...i never use the vnc java thingy :)


Author Comment

by:jcmarx
ID: 7986867
I think I'm getting quite close. If I use the command "ip access-list extended outside_in" in the serial interface everything initially appears to work. DNS though isn't. We use external DNS servers if the server isn't found on ours. I've listed those servers as well and also added UDP in addition to the TCP with no success. Any ideas? John

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname "c2600-05.focusent.com"
!
logging buffered 16384 debugging
enable secret 5 PASSWORDGOESHERE
!
ip subnet-zero
!
!
no ip domain-lookup
ip domain-name c2600-05.focusent.com
ip dhcp excluded-address 10.1.3.1 10.1.3.10
!
ip dhcp pool fe-corporate
   network 10.1.3.0 255.255.255.0
   dns-server 12.107.167.2 12.107.167.3
   domain-name focusent.com
   default-router 10.1.3.1
   lease 7
!
no ip bootp server
ip audit notify log
ip audit po max-events 100
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 description Connected to Internal Network
 ip address 12.107.167.1 255.255.255.192
 ip directed-broadcast
 speed 100
 full-duplex
!
interface Serial0/0
 description Connection to the Internet
 bandwidth 768
 ip address 12.124.116.122 255.255.255.252
 ip directed-broadcast
 ip nat outside
 encapsulation ppp
 service-module t1 timeslots 1-12
 service-module t1 remote-alarm-enable
' *************************************************
' If the statement below is used websites appear but a ton of DNS errors show and can't browse if external is using us as the DNS server
' *************************************************
 ip access-list extended outside_in
!
interface FastEthernet0/1
 description Internal Network with NAT (Network Address Translation)
 ip address 10.1.3.1 255.255.255.0
 ip directed-broadcast
 ip nat inside
 speed 100
 full-duplex
!
ip nat pool ovrld 12.107.167.13 12.107.167.13 prefix-length 24
ip nat inside source list 7 pool ovrld overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
!
!
ip access-list extended outside_in
 permit tcp any host 4.2.2.1 eq domain
 permit udp any host 4.2.2.1 eq domain
 permit tcp any host 4.2.2.2 eq domain
 permit udp any host 4.2.2.2 eq domain
 permit tcp any host 4.2.2.3 eq domain
 permit udp any host 4.2.2.3 eq domain
 permit tcp any host 12.107.167.2 eq domain
 permit udp any host 12.107.167.2 eq domain
 permit tcp any host 12.107.167.3 eq domain
 permit udp any host 12.107.167.3 eq domain
 permit tcp any host 12.107.167.4 eq domain
 permit udp any host 12.107.167.4 eq domain
 permit tcp 0.0.0.0 12.107.167.20 eq www any
 permit tcp 0.0.0.0 12.107.167.21 eq www any
 permit tcp 0.0.0.0 12.107.167.22 eq www any
 permit tcp 0.0.0.0 12.107.167.23 eq www any
 permit tcp 0.0.0.0 12.107.167.24 eq www any
 permit tcp 0.0.0.0 12.107.167.25 eq www any
 permit tcp 0.0.0.0 12.107.167.26 eq www any
 permit tcp 0.0.0.0 12.107.167.27 eq www any
 permit tcp 0.0.0.0 12.107.167.28 eq www any
 permit tcp 0.0.0.0 12.107.167.29 eq www any
 permit tcp 0.0.0.0 12.107.167.30 eq www any
 permit tcp 0.0.0.0 12.107.167.31 eq www any
 permit tcp 0.0.0.0 12.107.167.32 eq www any
 permit tcp 0.0.0.0 12.107.167.33 eq www any
 permit tcp 0.0.0.0 12.107.167.34 eq www any
 permit tcp 0.0.0.0 12.107.167.35 eq www any
 permit tcp 0.0.0.0 12.107.167.36 eq www any
 permit tcp 0.0.0.0 12.107.167.37 eq www any
 permit tcp 0.0.0.0 12.107.167.38 eq www any
 permit tcp 0.0.0.0 12.107.167.39 eq www any
 permit tcp 0.0.0.0 12.107.167.40 eq www any
 permit tcp 0.0.0.0 12.107.167.41 eq www any
 permit tcp 0.0.0.0 12.107.167.42 eq www any
 permit tcp 0.0.0.0 12.107.167.43 eq www any
 permit tcp 0.0.0.0 12.107.167.44 eq www any
 permit tcp 0.0.0.0 12.107.167.45 eq www any
 permit tcp 0.0.0.0 12.107.167.46 eq www any
 permit tcp 0.0.0.0 12.107.167.47 eq www any
 permit tcp 0.0.0.0 12.107.167.48 eq www any
 permit tcp 0.0.0.0 12.107.167.49 eq www any
 permit tcp any host 12.107.167.9 eq smtp
 permit tcp host 12.107.167.9 eq pop3 any
 permit tcp any host 12.107.167.2 range 5900 5910
 permit tcp any host 12.107.167.50 range 5900 5910
 permit tcp any host 12.107.167.50 eq 3389
 permit tcp any any established
 deny   ip any any log
logging 12.107.167.50
access-list 7 permit 10.1.3.0 0.0.0.255
access-list 12 permit 12.107.167.0 0.0.0.62
!
snmp-server engineID local 00000009020000019613EA00
snmp-server location 05 - Valparaiso, Indiana
snmp-server contact John C. Marx (jmarx@focusent.com)
no snmp-server community fe RO 7
no snmp-server community fe-private RW 7
snmp-server enable traps tty
snmp-server enable traps envmon fan shutdown temperature voltage
!
dial-peer cor custom
!
!
!
!
banner login ^C
05 - Focus Enterprises, Inc.
Restricted Access
^C
!
line con 0
 exec-timeout 0 0
line aux 0
 exec-timeout 5 0
 password 7 PASSWORDGOESHERE
 login
line vty 0 4
 access-class 12 in
 exec-timeout 5 0
 password 7 PASSWORDGOESHERE
 login
 transport preferred none
!
scheduler allocate 4000 1000
end

LVL 79

Expert Comment

by:lrmoore
ID: 7988108
add this near the top of the acl:
permit udp any any eq 53


Use "show ip access-list" and look at the (hit counts). Watch them for a while, and re-arrange the most-hit lines to the top of the list, and least-hit further down - except of course the last line "deny ip any any log"...
LVL 7

Expert Comment

by:pedrow
ID: 7990291
actually, wouldn't the *source* port for incoming dns replies be 53?

so:
permit udp host <external dns host ip address> eq 53 any

The tcp permit shouldn't be necessary because of tcp established

:)
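As an added example (not code from the thread or from Cisco), here is a small Python model of how IOS evaluates an extended ACL: first match wins, a set wildcard bit is "don't care", `established` only checks the TCP ACK/RST flags, and anything unmatched falls to the implicit deny. Running the resolver's reply through the DNS line as posted above and through pedrow's source-port-53 version shows why the posted line can never match; the function names, `Packet` and the sample packet (port 34567) are constructed for this illustration.

```python
import ipaddress
from collections import namedtuple

PORTS = {"domain": 53, "www": 80, "smtp": 25, "pop3": 110}  # IOS port names seen above
Packet = namedtuple("Packet", "proto src sport dst dport ack", defaults=(False,))  # ack = TCP ACK/RST set

def _ip(s):
    return int(ipaddress.ip_address(s))

def _addr(tok):
    # One address spec: any | host A | A WILDCARD -> ((base, wildcard), remaining tokens)
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def _ports(tok):
    # Optional port spec: eq P | range LO HI; absent means every port
    if tok and tok[0] == "eq":
        p = int(PORTS.get(tok[1], tok[1]))
        return (p, p), tok[2:]
    if tok and tok[0] == "range":
        return (int(tok[1]), int(tok[2])), tok[3:]
    return (0, 65535), tok

def _addr_match(addr, spec):
    base, wild = spec  # a set wildcard bit is "don't care", as on IOS
    return (addr ^ base) & ~wild & 0xFFFFFFFF == 0

def evaluate(acl, pkt):
    """Return 'permit' or 'deny': first matching line wins, else the implicit deny."""
    for line in acl:
        action, proto, *rest = line.split()
        src, rest = _addr(rest)
        sports, rest = _ports(rest)
        dst, rest = _addr(rest)
        dports, rest = _ports(rest)
        if proto not in ("ip", pkt.proto):
            continue
        if "established" in rest and not (pkt.proto == "tcp" and pkt.ack):
            continue
        if (_addr_match(_ip(pkt.src), src) and sports[0] <= pkt.sport <= sports[1]
                and _addr_match(_ip(pkt.dst), dst) and dports[0] <= pkt.dport <= dports[1]):
            return action
    return "deny"
# Constructed sample: resolver 4.2.2.1 answering (source port 53) to the NAT pool address
DNS_REPLY = Packet("udp", "4.2.2.1", 53, "12.107.167.13", 34567)
AS_POSTED = ["permit udp any host 4.2.2.1 eq domain", "deny ip any any log"]
CORRECTED = ["permit udp host 4.2.2.1 eq 53 any", "deny ip any any log"]
```

The same evaluator also shows that the posted `permit tcp 0.0.0.0 12.107.167.20 eq www any` lines match a source port of 80, not a web request to the server, and that `established` passes only TCP segments with ACK/RST set.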
LVL 79

Accepted Solution

by:lrmoore (earned 800 total points)
ID: 7996469
yep. dagnabit. Thanks pedrow. Too much multitasking...

Author Comment

by:jcmarx
ID: 8016009
They were two great answers. Is there a way to give points to each? This greatly helped our network security, and now all I have to do is test the darn thing to see if it really helps. If you can't give points to two people, then this is an option we need to see if it can be added. Thanks!!! John