Solved

Cisco 1721 Router Access

Posted on 2004-09-13
398 Views
Last Modified: 2012-08-13
Hi,
  I am not a Cisco guru, and as such I have a problem with forwarding outside access to an internal network behind a firewall. I am happy to allow all traffic and then stop it using the firewall. In particular, I am interested in hosting a game server (Day of Defeat), mail, FTP and web.

Below is my current show run config:

sh ru
Building configuration...

Current configuration : 2425 bytes
!
! Last configuration change at 15:34:58 UTC Sat Sep 4 2004
! NVRAM config last updated at 15:36:06 UTC Sat Sep 4 2004
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_001
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$KAdG$81efhP0y4mo/5Hp4LhAbj0
enable password
!
username  secret 5 $1$XCxP$/cj3e9t0rUypKmS28dWJh0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default enable
aaa authentication login mal local none
aaa session-id common
ip subnet-zero
!
!
ip name-server 213.208.106.212
ip name-server 213.208.106.213
!
ip cef
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/38
 encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM1
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 speed auto
!
interface Dialer0
 ip address negotiated
 ip accounting output-packets
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname gotadsl.co.uk/login-ml
 ppp chap password 0
 ppp multilink
 ppp multilink fragment disable
!
ip nat inside source list 7 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
!
access-list 7 permit 192.168.0.0 0.0.0.255
access-list 101 permit tcp any host 192.168.0.254 eq www
access-list 101 permit tcp any host 192.168.0.254 eq telnet
access-list 101 permit tcp any host 192.168.0.254 eq smtp
access-list 101 permit tcp any host 192.168.0.254 eq pop3
access-list 101 permit tcp any host 192.168.0.254 gt 1023
access-list 101 permit udp any host 192.168.0.254 gt 1023
access-list 101 deny   tcp host 127.0.0.1 any
access-list 102 permit tcp any host 192.168.0.254 eq www
access-list 102 permit tcp any host 192.168.0.254 eq telnet
access-list 102 permit tcp any host 192.168.0.254 eq smtp
access-list 102 permit tcp any host 192.168.0.254 eq pop3
access-list 102 permit tcp any host 192.168.0.254 gt 1023
access-list 102 permit udp any host 192.168.0.254 gt 1023
dialer-list 1 protocol ip permit
!
!
line con 0
 password
line aux 0
line vty 0 4
!
!
end

Any help would be appreciated (I know I have ACLs but don't know how or where to apply them).

Thanks

Mal
Question by: Mal_H

9 Comments

Accepted Solution by: JFrederick29 (earned 500 total points)
ID: 12043054
You need to set up NAT statements to forward the outside traffic to your internal servers based on port.

ip nat inside source static tcp 192.168.0.254 80 interface dialer0 80 <---for web server
ip nat inside source static tcp 192.168.0.254 25 interface dialer0 25 <---for mail server
ip nat inside source static tcp 192.168.0.254 21 interface dialer0 21 <---for FTP server
ip nat inside source static tcp 192.168.0.254 20 interface dialer0 20 <---for FTP server

Set up the other statements for Day of Defeat; you'll need to know the port numbers the game uses to forward correctly, but use the same format. You cannot forward a range, so you'll need one statement per port.

You cannot use the inside address (192.168.0.254) in your access-list statements. You'll need to use the outside address, or use the keyword any instead.

Once modified, you can apply inbound on your dialer0 interface:

interface dialer0
ip access-group 101 in
Author Comment by: Mal_H
ID: 12043562
Hi,
  Thanks for the quick reply; as I said, Cisco is above me as far as I am concerned. In the above, do I replace or remove the ACLs? Where exactly do the above statements go in the list: is it after "ip nat inside source list 7 interface Dialer0 overload"? Does the access-group 101 in go immediately after "interface Dialer0"? And finally, does the "192.168.0.254" get replaced by my external address in the ACL lists?

Thanks again, and sorry for being so thick!!

I did work the rest out but got lost after that.

Thanks

Mal

Expert Comment by: JFrederick29
ID: 12043662
You need to remove the access-list ("no access-list 101") and re-add the statements using the any keyword. I would just use the any keyword, since you have a dynamically assigned IP address.

The above statements are added in configuration terminal mode; the prompt should be router(config)#

router>en
Password:
router#conf term
router(config)#ip nat inside source...

ip access-group 101 in is applied on interface dialer0.

router>en
Password:
router#conf term
router(config)#interface dialer0
router(config-if)#ip access-group 101 in

Expert Comment by: JFrederick29
ID: 12043680
By the way, applying your access-list as is will break your internet access. You also need to add the following lines to permit return traffic from the inside.

access-list 101 permit udp any eq 53 any          <--- Allow return DNS replies
access-list 101 permit tcp any any established   <--- Allow established TCP sessions from the inside network
access-list 101 permit icmp any any echo-reply  <--- Allow icmp replies back into your network

Author Comment by: Mal_H
ID: 12049533
Hi,
  Some of that seems to have worked. I have put in the Day of Defeat settings, but it isn't quite right as it does not go online. My new config is below; can you see anything wrong?

Thanks again

Mal
!
hostname Router_001
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$KAdG$81efhP0y4mo/5Hp4LhAbj0
enable password
!
username mal secret 5 $1$XCxP$/cj3e9t0rUypKmS28dWJh0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default enable
aaa authentication login mal local none
aaa session-id common
ip subnet-zero
!
!
ip name-server 213.208.106.212
ip name-server 213.208.106.213
!
ip cef
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/38
 encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM1
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 speed auto
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 ip accounting output-packets
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname gotadsl.co.uk/login-ml
 ppp chap password 0
 ppp multilink
 ppp multilink fragment disable
!
ip nat inside source list 7 interface Dialer0 overload
ip nat inside source static udp 192.168.0.254 27015 interface Dialer0 27015
ip nat inside source static udp 192.168.0.254 27014 interface Dialer0 27014
ip nat inside source static udp 192.168.0.254 27013 interface Dialer0 27013
ip nat inside source static udp 192.168.0.254 27012 interface Dialer0 27012
ip nat inside source static udp 192.168.0.254 27011 interface Dialer0 27011
ip nat inside source static udp 192.168.0.254 27010 interface Dialer0 27010
ip nat inside source static udp 192.168.0.254 27009 interface Dialer0 27009
ip nat inside source static udp 192.168.0.254 27008 interface Dialer0 27008
ip nat inside source static udp 192.168.0.254 27007 interface Dialer0 27007
ip nat inside source static udp 192.168.0.254 27006 interface Dialer0 27006
ip nat inside source static udp 192.168.0.254 27005 interface Dialer0 27005
ip nat inside source static udp 192.168.0.254 27004 interface Dialer0 27004
ip nat inside source static udp 192.168.0.254 27003 interface Dialer0 27003
ip nat inside source static udp 192.168.0.254 27002 interface Dialer0 27002
ip nat inside source static udp 192.168.0.254 27001 interface Dialer0 27001
ip nat inside source static udp 192.168.0.254 27000 interface Dialer0 27000
ip nat inside source static udp 192.168.0.254 1200 interface Dialer0 1200
ip nat inside source static tcp 192.168.0.254 27039 interface Dialer0 27039
ip nat inside source static tcp 192.168.0.254 27038 interface Dialer0 27038
ip nat inside source static tcp 192.168.0.254 27037 interface Dialer0 27037
ip nat inside source static tcp 192.168.0.254 27036 interface Dialer0 27036
ip nat inside source static tcp 192.168.0.254 27035 interface Dialer0 27035
ip nat inside source static tcp 192.168.0.254 27034 interface Dialer0 27034
ip nat inside source static tcp 192.168.0.254 27033 interface Dialer0 27033
ip nat inside source static tcp 192.168.0.254 27032 interface Dialer0 27032
ip nat inside source static tcp 192.168.0.254 27031 interface Dialer0 27031
ip nat inside source static tcp 192.168.0.254 27030 interface Dialer0 27030
ip nat inside source static tcp 192.168.0.254 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.254 25 interface Dialer0 25
ip nat inside source static tcp 192.168.0.254 21 interface Dialer0 21
ip nat inside source static tcp 192.168.0.254 20 interface Dialer0 20
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
!
access-list 7 permit 192.168.0.0 0.0.0.255
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any established
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any host 62.3.222.59 eq www
access-list 101 permit tcp any host 62.3.222.59 eq telnet
access-list 101 permit tcp any host 62.3.222.59 eq smtp
access-list 101 permit tcp any host 62.3.222.59 eq pop3
access-list 101 permit tcp any host 62.3.222.59 eq 27039
access-list 101 permit tcp any host 62.3.222.59 eq 27038
access-list 101 permit tcp any host 62.3.222.59 eq 27037
access-list 101 permit tcp any host 62.3.222.59 eq 27036
access-list 101 permit tcp any host 62.3.222.59 eq 27035
access-list 101 permit tcp any host 62.3.222.59 eq 27034
access-list 101 permit tcp any host 62.3.222.59 eq 27033
access-list 101 permit tcp any host 62.3.222.59 eq 27032
access-list 101 permit tcp any host 62.3.222.59 eq 27031
access-list 101 permit tcp any host 62.3.222.59 eq 27030
access-list 101 permit udp any host 62.3.222.59 eq 1200
access-list 101 permit udp any host 62.3.222.59 eq 27000
access-list 101 permit udp any host 62.3.222.59 eq 27001
access-list 101 permit udp any host 62.3.222.59 eq 27002
access-list 101 permit udp any host 62.3.222.59 eq 27003
access-list 101 permit udp any host 62.3.222.59 eq 27004
access-list 101 permit udp any host 62.3.222.59 eq 27005
access-list 101 permit udp any host 62.3.222.59 eq 27006
access-list 101 permit udp any host 62.3.222.59 eq 27007
access-list 101 permit udp any host 62.3.222.59 eq 27008
access-list 101 permit udp any host 62.3.222.59 eq 27009
access-list 101 permit udp any host 62.3.222.59 eq 27010
access-list 101 permit udp any host 62.3.222.59 eq 27011
access-list 101 permit udp any host 62.3.222.59 eq 27012
access-list 101 permit udp any host 62.3.222.59 eq 27013
access-list 101 permit udp any host 62.3.222.59 eq 27014
access-list 101 permit udp any host 62.3.222.59 eq 27015
access-list 101 permit udp any eq 1200 any
access-list 101 permit udp any eq 27000 any
access-list 101 permit udp any eq 27001 any
access-list 101 permit udp any eq 27002 any
access-list 101 permit udp any eq 27003 any
access-list 101 permit udp any eq 27004 any
access-list 101 permit udp any eq 27005 any
access-list 101 permit udp any eq 27006 any
access-list 101 permit udp any eq 27007 any
access-list 101 permit udp any eq 27008 any
access-list 101 permit udp any eq 27009 any
access-list 101 permit udp any eq 27010 any
access-list 101 permit udp any eq 27011 any
access-list 101 permit udp any eq 2701 any
access-list 101 permit udp any eq 27012 any
access-list 101 permit udp any eq 27013 any
access-list 101 permit udp any eq 27014 any
access-list 101 permit udp any eq 27015 any
access-list 101 permit tcp any eq 27030 any
access-list 101 permit tcp any eq 27031 any
access-list 101 permit tcp any eq 27032 any
access-list 101 permit tcp any eq 27033 any
access-list 101 permit tcp any eq 27034 any
access-list 101 permit tcp any eq 27035 any
access-list 101 permit tcp any eq 27036 any
access-list 101 permit tcp any eq 27037 any
access-list 101 permit tcp any eq 27038 any
access-list 101 permit tcp any eq 27039 any
dialer-list 1 protocol ip permit
!
!
line con 0
 password brittany
line aux 0
line vty 0 4
!
!
end

It's big now as well.

Expert Comment by: JFrederick29
ID: 12053310
These lines are unnecessary:

access-list 101 permit tcp any eq 27030 any
access-list 101 permit tcp any eq 27031 any
access-list 101 permit tcp any eq 27032 any
access-list 101 permit tcp any eq 27033 any
access-list 101 permit tcp any eq 27034 any
access-list 101 permit tcp any eq 27035 any
access-list 101 permit tcp any eq 27036 any
access-list 101 permit tcp any eq 27037 any
access-list 101 permit tcp any eq 27038 any
access-list 101 permit tcp any eq 27039 any

The line "access-list 101 permit tcp any any established" takes care of the return TCP traffic.

You are probably having problems going online with Day of Defeat because it may use any number of dynamic ports. You may want to open a large range of ports in your access-list, or invest in a firewall product to take care of packet filtering.
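As an added illustration (not code from this thread), a small Python model of how IOS walks an inbound extended ACL: it shows why the first access-list 101, written against 192.168.0.254, dropped the DNS and TCP replies that the three lines in the earlier reply let back in, and why the per-port "eq 2703x any" entries are never reached by return traffic once "permit tcp any any established" sits above them. Assumed: the outside address 62.3.222.59 from the posted translation table, constructed sample packets, and 203.0.113.10 as a stand-in remote host.

```python
"""Toy evaluator for numbered IOS extended ACLs (first match wins, implicit deny).
Added example, not from the thread; NAT is ignored, only the ACL walk is modelled."""
import ipaddress

PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "pop3": 110, "domain": 53}
def _addr(tok, i):  # 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard-mask'
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network((tok[i], tok[i + 1]), strict=False), i + 2

def _port(tok, i):  # optional 'eq|gt|lt <port-or-name>' after an address
    if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
        return (tok[i], PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])), i + 2
    return None, i
def parse_ace(line):
    tok = line.split()
    src, i = _addr(tok, 4)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    return {"line": line, "action": tok[2], "proto": tok[3], "src": src,
            "sport": sport, "dst": dst, "dport": dport, "flags": set(tok[i:])}

def matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if (ipaddress.ip_address(pkt["src"]) not in ace["src"]
            or ipaddress.ip_address(pkt["dst"]) not in ace["dst"]):
        return False
    for spec, port in ((ace["sport"], pkt.get("sport")), (ace["dport"], pkt.get("dport"))):
        if spec and not {"eq": port == spec[1], "gt": port > spec[1], "lt": port < spec[1]}[spec[0]]:
            return False
    if "established" in ace["flags"] and not pkt.get("ack"):  # ACK (or RST) must be set
        return False
    return "echo-reply" not in ace["flags"] or pkt.get("icmp_type") == 0

def evaluate(acl_lines, pkt):
    """Walk the list as IOS does; return (action, entry that decided it)."""
    for ace in map(parse_ace, acl_lines):
        if matches(ace, pkt):
            return ace["action"], ace["line"]
    return "deny", "implicit deny"

# Inbound on Dialer0 the ACL is evaluated before NAT, so the destination is the
# outside address and an entry naming 192.168.0.254 can never match.
ORIGINAL_ACL = [  # the first access-list 101 as posted (subset)
    "access-list 101 permit tcp any host 192.168.0.254 eq www",
    "access-list 101 permit udp any host 192.168.0.254 gt 1023"]
FIXED_ACL = [  # the corrected list from the second config (subset)
    "access-list 101 permit udp any eq domain any",
    "access-list 101 permit tcp any any established",
    "access-list 101 permit tcp any host 62.3.222.59 eq www",
    "access-list 101 permit tcp any eq 27030 any"]  # never reached by return traffic
# Constructed packets as they arrive on Dialer0; outside address taken from the thread
DNS_REPLY = dict(proto="udp", src="213.208.106.212", sport=53, dst="62.3.222.59", dport=29466)
WEB_RETURN = dict(proto="tcp", src="64.14.122.242", sport=80, dst="62.3.222.59", dport=29017, ack=True)
NEW_CONN = dict(proto="tcp", src="203.0.113.10", sport=40000, dst="62.3.222.59", dport=80, ack=False)
GAME_RETURN = dict(proto="tcp", src="203.0.113.10", sport=27030, dst="62.3.222.59", dport=50000, ack=True)
```

Run evaluate(ORIGINAL_ACL, DNS_REPLY) and evaluate(FIXED_ACL, GAME_RETURN) to see the implicit deny and the established entry deciding the outcome respectively; dropping the last FIXED_ACL entry changes nothing for return traffic.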
Author Comment by: Mal_H
ID: 12055019
Hi,
  I have a WatchGuard firewall and I have opened it up, so all should go through. The ports for DoD are the ones advised by Steam, as it doesn't use dynamic ones. Do I need an ACL for the outgoing as well as the incoming?

When I do a sh ip nat translation, the DoD ports have --- --- in the outside local and outside global columns, and when I call up my web page (www.howarth-home.couk) it is not accessed.

The table is below:

Router_001#sh ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
tcp 62.3.222.59:35639  192.168.0.1:35639  207.46.106.67:1863 207.46.106.67:1863
tcp 62.3.222.59:29466  192.168.0.1:29466  213.208.106.212:53 213.208.106.212:53
tcp 62.3.222.59:29467  192.168.0.1:29467  213.208.106.212:53 213.208.106.212:53
tcp 62.3.222.59:29474  192.168.0.1:29474  213.208.106.212:53 213.208.106.212:53
tcp 62.3.222.59:29475  192.168.0.1:29475  213.208.106.212:53 213.208.106.212:53
tcp 62.3.222.59:29017  192.168.0.1:29017  64.14.122.242:80   64.14.122.242:80
udp 62.3.222.59:1200   192.168.0.254:1200 ---                ---
udp 62.3.222.59:29472  192.168.0.1:29472  207.173.177.11:27010 207.173.177.11:27010
udp 62.3.222.59:29472  192.168.0.1:29472  207.173.177.12:27010 207.173.177.12:27010
tcp 62.3.222.59:35763  192.168.0.1:35763  64.14.122.242:80   64.14.122.242:80
tcp 62.3.222.59:25     192.168.0.254:25   130.94.6.246:13887 130.94.6.246:13887
tcp 62.3.222.59:20     192.168.0.254:20   ---                ---
tcp 62.3.222.59:21     192.168.0.254:21   ---                ---
tcp 62.3.222.59:25     192.168.0.254:25   ---                ---
tcp 62.3.222.59:80     192.168.0.254:80   ---                ---
udp 62.3.222.59:27000  192.168.0.254:27000 ---               ---
udp 62.3.222.59:27001  192.168.0.254:27001 ---               ---
udp 62.3.222.59:27002  192.168.0.254:27002 ---               ---
udp 62.3.222.59:27003  192.168.0.254:27003 ---               ---
udp 62.3.222.59:27004  192.168.0.254:27004 ---               ---
 Inside global      Inside local       Outside local      Outside global
udp 62.3.222.59:27005  192.168.0.254:27005 ---               ---
udp 62.3.222.59:27006  192.168.0.254:27006 ---               ---
udp 62.3.222.59:27007  192.168.0.254:27007 ---               ---
udp 62.3.222.59:27008  192.168.0.254:27008 ---               ---
udp 62.3.222.59:27009  192.168.0.254:27009 ---               ---
udp 62.3.222.59:27010  192.168.0.254:27010 ---               ---
udp 62.3.222.59:27011  192.168.0.254:27011 ---               ---
udp 62.3.222.59:27012  192.168.0.254:27012 ---               ---
udp 62.3.222.59:27013  192.168.0.254:27013 ---               ---
udp 62.3.222.59:27014  192.168.0.254:27014 ---               ---
udp 62.3.222.59:27015  192.168.0.254:27015 ---               ---
tcp 62.3.222.59:27030  192.168.0.254:27030 ---               ---
tcp 62.3.222.59:27031  192.168.0.254:27031 ---               ---
tcp 62.3.222.59:27032  192.168.0.254:27032 ---               ---
tcp 62.3.222.59:27033  192.168.0.254:27033 ---               ---
tcp 62.3.222.59:27034  192.168.0.254:27034 ---               ---
tcp 62.3.222.59:27035  192.168.0.254:27035 ---               ---
tcp 62.3.222.59:27036  192.168.0.254:27036 ---               ---
tcp 62.3.222.59:27037  192.168.0.254:27037 ---               ---
tcp 62.3.222.59:27038  192.168.0.254:27038 ---               ---
tcp 62.3.222.59:27039  192.168.0.254:27039 ---               ---
tcp 62.3.222.59:25     192.168.0.254:25   64.28.8.130:22858  64.28.8.130:22858
Pro Inside global      Inside local       Outside local      Outside global
tcp 62.3.222.59:29013  192.168.0.1:29013  212.42.10.133:6668 212.42.10.133:6668
tcp 62.3.222.59:29001  192.168.0.1:29001  207.46.107.162:1863 207.46.107.162:1863

If we crack this and you are local I need to buy you several beers.

Thanks again

Mal

Expert Comment by: JFrederick29
ID: 12055114
Your NAT translations are correct. You won't see anything in outside local and outside global unless a translation has been performed (someone accesses from the outside). If you have a firewall, I would remove the access-list, as the router does not need to be performing packet filtering; the firewall will handle that function.

interface dialer0
no ip access-group 101 in

Can you connect to your web server internally? http://192.168.0.254
Author Comment by: Mal_H
ID: 12100563
Hi,
  Thanks for all your help. Once I understood that certain commands had to be in order, things fell into place. I just have the web server to suss; once that is done I will save the config and all should be OK.

Thanks again

Mal