• Status: Solved
  • Priority: Medium
  • Security: Public

Best possible script needed for Cisco 2621 to work with Watchguard Firebox 1000

Newbie to Cisco Question:
I'm having trouble with computers connected to the eth0/0 interface getting out to the internet.  I would like to reconfigure the router since I'm adding a watchguard firebox 1000 firewall appliance.  I will connect the firebox to the router's eth0/0 port.  The existing configuration of the router interfaces (below), will need to be changed, but I'm not sure how and where.

Currently, here's the config on eth0/0:

interface FastEthernet0/0
 description ARAA LAN
 ip address 66.x.x.x 255.255.255.248 secondary
 ip address 192.168.25.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 duplex auto
 speed auto

_____________________________

Here's the cisco router's serial configs:

interface Serial0/0
 description T1
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay IETF
 service-module t1 timeslots 1-24
 no arp frame-relay
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description Virtual T1
 ip address 66.x.x.x 255.255.255.252
 ip access-group 130 in
 no ip directed-broadcast
 ip nat outside
 no ip mroute-cache
 no arp frame-relay
 frame-relay interface-dlci 212

_____________________________

And the rest of the script that needs to be cleaned up.  I don't see a need for any ACL's since in theory the firewall should take care of it all, however, if there are some safeguards that need to be in this configuration, I'm all ears:

ip nat inside source list 1 interface Serial0/0.1 overload
ip nat inside source static 192.168.25.7 66.x.x.200
ip nat inside source static 192.168.25.32 66.x.x.201
ip classless
ip route 0.0.0.0 0.0.0.0 66.x.x.x
ip route 192.168.16.0 255.255.255.0 192.168.25.2
no ip http server
ip http port 12337
!
access-list 1 permit 192.168.25.0 0.0.0.255
access-list 1 permit 192.168.33.0 0.0.0.255
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 20 deny   192.168.33.0 0.0.0.255
access-list 20 permit 192.168.25.0 0.0.0.255
access-list 20 permit 192.168.16.0 0.0.0.255
access-list 30 deny   192.168.25.0 0.0.0.255
access-list 30 permit 192.168.33.0 0.0.0.255
access-list 30 deny   192.168.16.0 0.0.0.255
banner login ^C

^C
banner motd ^C
------------------------------------------
     UNAUTHORIZED USE IS PROHIBITED
------------------------------------------

^C
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password blahblah
 login
!
no scheduler allocate
end

__________________________

I know this answer could be somewhat time consuming, so I'm making it a high point value to get it right.  Thanks, compinfo
1 Solution
 
lrmooreCommented:
>I don't see a need for any ACL's since in theory the firewall should take care of it
not necessarily. A good security strategy calls for "defense in depth" or multiple layers of security. Setting up a good screening access list keeps the firewall from having to work so hard.

Firewall's outside address should be in the same 66.x.x.x subnet. Let the firewall do all the NAT.

Suggestion: make the secondary the primary and get rid of the secondary:

Interface fast 0/0
 ip address 66.x.x.x 255.255.255.248
 no ip nat inside
Interface Serial 0/0.1
 no ip nat outside
 no ip access-group 130 in
 ip access-group screening_acl in


no ip nat inside source list 1 interface Serial0/0.1 overload
no ip nat inside source static 192.168.25.7 66.x.x.200
no ip nat inside source static 192.168.25.32 66.x.x.201

ip access-list extended screening_acl
 deny   udp any any eq netbios-ns
 deny   udp any any eq netbios-dgm
 deny   udp any any eq 3052
 deny   tcp any any eq 1433
 deny   udp any any eq 1434
 permit icmp any any echo-reply
 permit icmp any any echo
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
 permit icmp any any unreachable
 permit udp any eq domain any
 permit tcp any any established
 permit ip any host <ip address of FW used for NAT>
 deny   ip any any log
!

 
lrmooreCommented:
Good reference, see Cisco Router Guides:
http://www.nsa.gov/snac/index.html
 
compinfoAuthor Commented:
Thanks, I have some follow up questions:

1.  Are your settings above in place of, or in addition to, what is currently there for each interface?

2.  Since you propose taking the  66.x.x.x IP Address off of the Interface Serial 0/0.1, won't that mess with our ISP access?  My assumptions here:  

a.  Interface Serial 0/0.1 is the csu/dsu connection directly to the T1
b.  Our ISP put it there for communications directly to the Interface
c.  Why should I even have a 0/0.1 interface?

3.  I also have an additional interface eth 0/1, that I didn't put on my first post.  It needs to be able to access an external server via http and ftp:

interface FastEthernet 0/1
ip address 66.x.x.134 255.255.255.248 secondary
ip address 192.168.33.254 255.255.255.0
ip access-group 101 in
no ip directed-broadcast
ip nat inside
duplex auto
speed auto

**************************

There you have it!  Thanks in advance.
 
lrmooreCommented:
1. just showing the changes to what you have.
2. Not proposing that at all. Refer to #1
 a. The serial 0/0 is the one directly connected to the CSU/DSU/T1. Serial 0/0.1 is a virtual interface for the frame-relay PVC
 b. Common setup for any frame-relay connection
 c. see above. It is the most common way to setup a frame-relay interface

3. OK, assuming that the firewall will be connected to Fast 0/0, and this Fast 0/1 will not have an external firewall, you should keep the nat inside, but remove the secondary addressing unless you have internal systems that have the public address on them.

If you still have to nat from the Fast 0/1 interface to the outside, keep these lines:
ip nat inside source list 1 interface Serial0/0.1 overload
access-list 1 permit 192.168.33.0 0.0.0.255

Q: where is the 192.168.16.0 subnet? Off of Fast 0/0, or Fast 0/1 ?
You're not giving me the whole picture here...

 
compinfoAuthor Commented:
Thanks.  Sorry for not giving the whole picture, I didn't know how much was too much! ;)

The 192.168.16.0 subnet is being handled by a Windows 2000 Small Business Server acting as the proxy (also directly off the Fast 0/0).  Fast0/0 to the Windows Server's external ethernet (192.169.25.2).

This server has 2 ethernet cards, one for the (internal) 192.168.16.x network and one for the (external) 192.168.25.x network.  I want to disable the proxy business from the windows server and have the firebox run dhcp to the current 192.168.16.x network.

HTH...
 
compinfoAuthor Commented:
And, I forgot to add this, which was at the top of the router config script:

ip subnet-zero
ip name-server 64.x.x.22
ip name-server 64.x.x.14
ip dhcp exclude-address 192.168.25.1 192.168.25.99
ip dhcp exclude-address 192.168.25.200 192.168.25.255
!
ip dhcp pool AdminLAN
network 192.168.25.0 255.255.255.0
default-router 192.168.25.1
dns-server 64.x.x.22 64.x.x.14
lease 3

*************
I don't want the router to handle any DHCP, but I'm not sure what to delete, etc.
 
 
lrmooreCommented:
If you don't want it to do dhcp, delete the pool:

no ip dhcp pool AdminLAN
!
and these are now not needed either:
!
no ip dhcp exclude-address 192.168.25.1 192.168.25.99
no ip dhcp exclude-address 192.168.25.200 192.168.25.255
!

Your firewall should handle all the NAT from the 192.168.16.x and 192.168.25.x networks.
You won't need this route statement, either:

no ip route 192.168.16.0 255.255.255.0 192.168.25.2

That should just about wrap it up.
 
compinfoAuthor Commented:
Things didn't work, I'm upping the points to 1000 because I seriously need this up and going in the next week:

1.  no ip nat inside source list 1 interface Serial0/0.1 overload - gave me:  "dynamic mapping in use, cannot remove"

1.5. no ip dhcp pool AdminLAN - gave me:  "AdminLAN not in the database"
 

2.  no ip dhcp exclude-address 192.168.25.1 192.168.25.99 - gave me: "Invalid input detected at '-' in 'exclude-address'.

3.  I am continually getting bombarded with messages regarding "blocking" attempts and whatnot from implementing the screening_acl.  (but I can deal with that!)

4.  I tested the firewall, and for a split second, I was able to access the internet, then, access to the internet stopped.  I bypassed the firewall by connecting my laptop directly to the router (made sure I was on the same ip scheme, etc.) and sure enough, STILL no access to the internet.  I was able to ping eth0/0, but nothing on the outside.  So, something in the configuration of the router is stopping access....

Here's the configuration as I created it from your suggestions above:

_________________________

Current configuration:
!
version 12.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname blahblah
!
enable secret 5 blahencrypted
enable password blah
!
!
!
!
!
ip subnet-zero
ip name-server 64.x.x.22
ip name-server 64.x.x.14
ip dhcp excluded-address 192.168.25.1 192.168.25.99
ip dhcp excluded-address 192.168.25.200 192.168.25.255
!
ip dhcp pool adminLAN
   network 192.168.25.0 255.255.255.0
   default-router 192.168.25.1
   dns-server 64.x.x.22 64.x.x.14
   lease 3
!
!
!
!
interface FastEthernet0/0
 description adminLAN
 ip address 66.x.x.36 255.255.255.248
 no ip directed-broadcast
 duplex auto
 speed auto
!
interface Serial0/0
 description T1
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay IETF
 service-module t1 timeslots 1-24
 no arp frame-relay
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description Virtual T1
 ip address 66.x.x.142 255.255.255.252
 ip access-group screening_acl in
 no ip directed-broadcast
 no ip mroute-cache
 no arp frame-relay
 frame-relay interface-dlci 212
!
interface FastEthernet0/1
 description The  network
 ip address 66.x.x.134 255.255.255.248 secondary
 ip address 192.168.33.254 255.255.255.0
 ip access-group 101 in
 no ip directed-broadcast
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 1 interface Serial0/0.1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 66.x.x.141
no ip http server
ip http port 12337
!
!
ip access-list extended screening_acl
 deny   udp any any eq netbios-ns
 deny   udp any any eq netbios-dgm
 deny   udp any any eq 3052
 deny   tcp any any eq 1433
 deny   udp any any eq 1434
 permit icmp any any echo-reply
 permit icmp any any echo
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
 permit icmp any any unreachable
 permit udp any eq domain any
 permit tcp any any established
 permit ip any host 66.x.x.37
 deny   ip any any log
access-list 1 permit 192.168.25.0 0.0.0.255
access-list 1 permit 192.168.33.0 0.0.0.255
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 20 deny   192.168.33.0 0.0.0.255
access-list 20 permit 192.168.25.0 0.0.0.255
access-list 20 permit 192.168.16.0 0.0.0.255
access-list 30 deny   192.168.25.0 0.0.0.255
access-list 30 permit 192.168.33.0 0.0.0.255
access-list 30 deny   192.168.16.0 0.0.0.255
banner login ^C


<blah>



^C
banner motd ^C
------------------------------------------
     UNAUTHORIZED USE IS PROHIBITED
------------------------------------------

^C
!
line con 0
 transport input none
line aux 0

__________________
 
compinfoAuthor Commented:
It won't let me up it to 1000 points, but I'll see if the ee folks can help me do it... :)
 
lrmooreCommented:
>AdminLAN not in the database
Case sensitive. Try
!
no ip dhcp pool adminLAN
!

>dynamic mapping in use, cannot remove
Try this command first:
router#clear ip nat trans *

Then go to config mode:
no ip nat inside source list 1 interface Serial0/0.1 overload

What Ip address are you going to assign to the firewall?


Since you don't have an access-list 101, need to remove the acl from the interface:
!
interface FastEthernet0/1
 no ip access-group 101 in
!

Did your ISP assign you two separate subnets? It could be a routing issue.
66.xx.xx.32 / 255.255.255.248
66.xx.xx.128 / 255.255.255.248

>connecting my laptop directly to the router
Did you use a crossover cable to direct-connect?


If you want to nat between fast 0/1 and the Internet, add this back:
!
int ser 0/0.1
 ip nat outside
!
 
 
compinfoAuthor Commented:
Thanks,

1.  What IP Address for the firewall:  66.xxx.xxx.37/29) (And the IP Address for eth0/0 is 66.xxx.xxx.36/29)

2.  Did your ISP assign you two separate subnets?  Yes, I have:  66.xxx.9.x, and 66.xxx.117.x, and 66.xxx.113.x.  

3.  Did you use a crossover cable to direct-connect?  Yes

____
 
compinfoAuthor Commented:
Also, how/when do I need to add the exclamation points?
 
lrmooreCommented:
Exclamation points are just dividers/spacers, you don't actually add them. If you do a "show config" you'll see them, but in a config it just means Ignore what follows, i.e.
! this is a comment
!
 
compinfoAuthor Commented:
For some reason, eth fa0/1 isn't able to get out to the internet anymore!  Here's what it looks like:

interface FastEthernet0/1
 description The FIDS network
 ip address 66.147.9.134 255.255.255.248 secondary
 ip address 192.168.33.254 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 duplex auto
 speed auto

_____________

Plus, I have the following in the script:

ip nat inside source list 1 interface Serial0/0.1 overload
ip classless

(even after doing this:  clear ip nat trans * at the router# prompt, I'm still getting the error and it won't let me get rid of the ip nat inside source...)

access-list 1 permit 192.168.33.0 0.0.0.255 is still there too.

_____________

Everything else is working fine with the firewall so far!

 
lrmooreCommented:
Progress, then--that's good!
Did you add "ip nat outside" back on the Serial 0/0.1 interface?

 
compinfoAuthor Commented:
Yes, here's the scripts:

interface Serial0/0
 description T1
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay IETF
 service-module t1 timeslots 1-24
 no arp frame-relay
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description Virtual T1
 ip address 66.xxx.xxx.142 255.255.255.252
 ip access-group screening_acl in
 no ip directed-broadcast
 ip nat outside
 no ip mroute-cache
 no arp frame-relay
 frame-relay interface-dlci 212
____________________

What should I do next?
 
lrmooreCommented:
These are still there?
ip nat inside source list 1 interface Serial0/0.1 overload
access-list 1 permit 192.168.33.0 0.0.0.255

How about posting your complete config as it is now.
 
compinfoAuthor Commented:
OK, current configuration:
____________________________

Current configuration:
!
version 12.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname blahman
!
enable secret 5 blah encrypted
enable password blah
!
!
!
!
!
ip subnet-zero
ip name-server 64.xx.x.22
ip name-server 64.xx.x.14
ip dhcp excluded-address 192.168.25.1 192.168.25.99
ip dhcp excluded-address 192.168.25.200 192.168.25.255
!
!
!
!
interface FastEthernet0/0
 description ARAA LAN
 ip address 66.xxx.xxx.36 255.255.255.248
 no ip directed-broadcast
 duplex auto
 speed auto
!
interface Serial0/0
 description T1
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay IETF
 service-module t1 timeslots 1-24
 no arp frame-relay
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description Virtual T1
 ip address 66.xxx.xxx.142 255.255.255.252
 ip access-group screening_acl in
 ip nat outside
 no ip mroute-cache
 no arp frame-relay
 frame-relay interface-dlci 212
!
interface FastEthernet0/1
 description The FIDS network
 ip address 66.xxx.xxx.134 255.255.255.248 secondary
 ip address 192.168.33.254 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 1 interface Serial0/0.1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 66.xxx.xxx.141
no ip http server
ip http port 12337
!
!
ip access-list extended screening_acl
 deny   udp any any eq netbios-ns
 deny   udp any any eq netbios-dgm
 deny   udp any any eq 3052
 deny   tcp any any eq 1433
 deny   udp any any eq 1434
 permit icmp any any echo-reply
 permit icmp any any echo
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
 permit icmp any any unreachable
 permit udp any eq domain any
 permit tcp any any established
 permit ip any host 66.xxx.xxx.37
 deny   ip any any log
access-list 1 permit 192.168.25.0 0.0.0.255
access-list 1 permit 192.168.33.0 0.0.0.255
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 20 deny   192.168.33.0 0.0.0.255
access-list 20 permit 192.168.25.0 0.0.0.255
access-list 20 permit 192.168.16.0 0.0.0.255
access-list 30 deny   192.168.25.0 0.0.0.255
access-list 30 permit 192.168.33.0 0.0.0.255
access-list 30 deny   192.168.16.0 0.0.0.255
banner login ^C


<blah>



^C
banner motd ^C
------------------------------------------
     UNAUTHORIZED USE IS PROHIBITED
------------------------------------------

^C
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password blahblah
 login
!
end
____________________________
 
lrmooreCommented:
So, everything off FA 0/0 and the firewall is working?
Clients behind Fast 0/1 on subnet 192.168.33.x are not working?

Do you have any clients with a 66.x.x.x ip address attached to int fast 0/1? If not, I'd like to try removing the secondary address:

interface FastEthernet0/1
no ip address 66.xxx.xxx.134 255.255.255.248 secondary
ip address 192.168.33.254 255.255.255.0
!
no ip nat inside source list 1 interface Serial0/0.1 overload
!
ip nat pool net-128 66.x.x.129 66.x.x.133 prefix-length 29
ip nat inside source list 101 pool net-128 overload

access-list 101 permit ip 192.168.33.0 0.0.0.255 any

This will give you a way to see the effect to make sure you're hitting the acl with "sho ip access-list 101" and you can see the hit count. This is a good troubleshooting tool.
 
compinfoAuthor Commented:
1.  Yes everything behind fa0/0 is working.
2.  The only thing that one client/server on fa0/1 does is send an html file via ftp to an external webhost/site, so it just needs direct access out.  No other clients on this network need the internet.
3.  I'm not sure if any clients or the server need this 66.x.x.x ip address, let me try this suggestion...
 
compinfoAuthor Commented:
Well, no dice.  I have added the above mentioned items.  I do know that I will need that secondary ip address on fa0/1.  

I haven't seen any indications from the troubleshooting tool, what am I looking for and where?  I am seeing this sort of stuff a lot:

*Mar  2 21:42:37.424: %SEC-6-IPACCESSLOGP: list screening_acl denied udp 192.35.82.50(123) -> 66.xxx.xxx.129(123), 5 packets
 
lrmooreCommented:
udp port 123 is network time protocol. Any XP clients?
Do you have a system on the LAN that is assigned the 66.x.x.129 IP address?

You can add a line to the inbound acl:
permit udp any any eq 123

192.35.82.50 = dns.cit.cornell.edu

If you do a router#show ip access-list 101
do you see any (hits)

Look at the results of:
router#sho ip nat trans

You can remove the inbound acl and see if everything works. If so, then we know it's an acl issue, not a NAT issue.

Q: Check the default gateway of the PC on the Fast 0/1 LAN that is having problems. Is the gateway the router's IP address, or something else? Is the subnet mask correct?

Some NAT troubleshooting help:
http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Internetworking:NAT&s=Verification_and_Troubleshooting#Troubleshooting_Steps





 
compinfoAuthor Commented:
I get this:

Extended IP access list 101
    permit ip 192.168.33.0 0.0.0.255 any (290 matches)

when I type:  show ip access-list 101

****

 
compinfoAuthor Commented:
I think I see the problem, here's where the screening_acl is denying what I need to go through:

*Mar  3 16:04:30.164: %SEC-6-IPACCESSLOGP: list screening_acl denied tcp 217.162.196.86(3770) -> 66.xxx.xxx.128(445), 2 packets
*Mar  3 16:04:59.872: %SEC-6-IPACCESSLOGP: list screening_acl denied tcp 217.162.196.86(3784) -> 66.xxx.xxx.135(445), 2 packets
*Mar  3 16:05:21.220: %SEC-6-IPACCESSLOGP: list screening_acl denied tcp 216.210.237.218(3661) -> 66.xxx.xxx.32(445), 1 packet

*********************

This is actually my computer (192.168.33.210) using FTP to get to an external website.  Funny thing is, I'm able to login to the ftp site, but it won't process any commands (like 'ls' or 'mkdir').  I get the ftp error:  425 Can't build data connection: No route to host.  Looks like ftp is trying to send information back and it's being caught by one of the screening_acl filters, but which one?
 
compinfoAuthor Commented:
I was able to verify by taking the screening_acl off of the s0/0.1 interface, and it works perfectly.  All that is left is to identify which line in that acl is doing the blocking...

Thanks, once this is done, we'll call this great ticket COMPLETE! :)
 
lrmooreCommented:
Are you using active or passive mode FTP? Try using passive mode with the existing acl..
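The screening_acl lrmoore proposed earlier and the "which line is doing the blocking" question above, worked through as an added example (not code from the thread, Cisco, or either participant): a small first-match evaluator that replays the ACL against constructed packets, including an active-mode FTP data connection. The 66.x.x.x addresses are placeholders for the thread's redacted space, the external FTP server is a constructed documentation address, and the only connection state modelled is the TCP ACK bit that the IOS "established" keyword tests.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp", "udp" or "icmp"
    src: str
    sport: int         # for icmp packets this field carries the ICMP type number
    dst: str
    dport: int
    ack: bool = False  # TCP ACK (or RST) set -> matches the IOS "established" keyword

FW_NAT_ADDR = "66.0.0.37"   # placeholder for "<ip address of FW used for NAT>"
NAT_POOL = "66.0.0.129"     # placeholder for the 66.x.x.129 address seen in the log
EXT_FTP = "203.0.113.10"    # constructed external FTP server address

# (action, proto, src_port, dst_port, icmp_type, dst_host, established); None = any.
# Same order as the thread's ACL; IOS walks it top-down and stops at the first match.
SCREENING_ACL = [
    ("deny",   "udp",  None, 137,  None, None,        False),  # netbios-ns
    ("deny",   "udp",  None, 138,  None, None,        False),  # netbios-dgm
    ("deny",   "udp",  None, 3052, None, None,        False),
    ("deny",   "tcp",  None, 1433, None, None,        False),
    ("deny",   "udp",  None, 1434, None, None,        False),
    ("permit", "icmp", None, None, 0,    None,        False),  # echo-reply
    ("permit", "icmp", None, None, 8,    None,        False),  # echo
    ("permit", "icmp", None, None, 11,   None,        False),  # ttl-exceeded
    ("permit", "icmp", None, None, 3,    None,        False),  # packet-too-big (type 3 code 4; code not modelled)
    ("permit", "icmp", None, None, 3,    None,        False),  # unreachable (shadowed by the line above here)
    ("permit", "udp",  53,   None, None, None,        False),  # udp any eq domain any
    ("permit", "tcp",  None, None, None, None,        True),   # tcp any any established
    ("permit", "ip",   None, None, None, FW_NAT_ADDR, False),  # ip any host <FW>
    ("deny",   "ip",   None, None, None, None,        False),  # deny ip any any log
]

# Constructed samples modelled on the thread's log lines and the FTP symptom.
NTP_PROBE = Packet("udp", "192.35.82.50", 123, NAT_POOL, 123)
SMB_PROBE = Packet("tcp", "217.162.196.86", 3770, "66.0.0.128", 445)
FTP_CONTROL_REPLY = Packet("tcp", EXT_FTP, 21, NAT_POOL, 3770, ack=True)  # reply on the control channel
FTP_DATA_SYN = Packet("tcp", EXT_FTP, 20, NAT_POOL, 3771)  # active mode: the server opens the data channel
DNS_REPLY = Packet("udp", "64.0.0.22", 53, "66.0.0.36", 1025)
SAMPLE_PACKETS = [NTP_PROBE, SMB_PROBE, FTP_CONTROL_REPLY, FTP_DATA_SYN, DNS_REPLY]

def matches(rule, pkt):
    """True if one ACL entry matches the packet (IOS semantics, simplified)."""
    _, proto, sport, dport, itype, dhost, est = rule
    return ((proto == "ip" or proto == pkt.proto)
            and (sport is None or pkt.sport == sport)
            and (dport is None or pkt.dport == dport)
            and (itype is None or pkt.sport == itype)   # icmp rules: sport holds the type
            and (dhost is None or pkt.dst == dhost)
            and (not est or (pkt.proto == "tcp" and pkt.ack)))

def evaluate(acl, pkt):
    """First matching line (1-based, as 'show ip access-list' numbers them) and its action."""
    for line, rule in enumerate(acl, 1):
        if matches(rule, pkt):
            return line, rule[0]
    return len(acl) + 1, "deny"   # IOS implicit deny at the end of every ACL

def hit_counts(acl, packets):
    """Per-line match counters, the '(n matches)' figures 'show ip access-list' prints."""
    counts = [0] * len(acl)
    for pkt in packets:
        counts[evaluate(acl, pkt)[0] - 1] += 1
    return counts
```

Replaying the samples shows the control-channel reply passing on the "established" line while the server-initiated data-channel SYN, like the logged port-445 probes from the internet, reaches nothing but the final "deny ip any any log": no single filter line singles FTP out, the ACL simply has no entry for a new inbound TCP connection to a NAT pool address, which is why removing the ACL from Serial0/0.1 made active FTP work.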
 
compinfoAuthor Commented:
Sorry so long to comment, been out for awhile.  Passive mode isn't an option on this server, unfortunately, it's a proprietary system.  Any other way?  
 
lrmooreCommented:
G'day, compinfo
It has been 36 days since you posted this question.
Do you still need help? Have you received enough information?
Can you close out this question?
Ways to close questions: http://www.apollois.com/EE/Help/Closing_Questions.htm
 
compinfoAuthor Commented:
lrmoore,  thanks again for your help, sorry it took SO long.  I have one more question I hope you can help me with:

http://www.experts-exchange.com/Hardware/Routers/Q_20635617.html