Proper ACL config on edge router to improve performance

>$FW_OUTSIDE$
This entry appears to be from SDM GUI interface that comes with security/Firewall features. Do you have the firewall feature set? Do you have the inspect rules set up?

It doesn't support SSH it was just suppose to come as a router with no bundles.  Just lot's of memory (128mbyte and a 240mhz processor) don't have any inspect rules.  my config will be in the next opened question.  I'll open up another question subject "Proper ACL config on edge router to improve performance"  

My config and it currently is configured to utilize the cable side.  I have had so much problems with my t-1 side and I think you are filling me in on why!  I will post the changes below in the next post that I use to send traffic out my T-1
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2005.07.04 14:57:28 =~=~=~=~=~=~=~=~=~=~=~=
Authorized access only
This system is the property of Brian K. Adams & Assoc. Inc.        
Disconnect IMMEDIATELY as you are not an authorized user!

User Access Verification

Username: jbaker
Password:
NY_3725#term len 0
NY_3725#sh run
Building configuration...

Current configuration : 6851 bytes
!
! Last configuration change at 17:24:19 EST Thu Jun 30 2005 by jbaker
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime year
service password-encryption
service sequence-numbers
!
hostname NY_3725
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging count
logging buffered 4096 debugging
no logging console
no logging monitor
enable secret *********************
!
username ********* privilege 15 password ********************
clock timezone EST -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
!
!
!
ip cef
no ip bootp server
no ip domain lookup
no ftp-server write-enable
!
!
!
!
interface Loopback0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description $FW_OUTSIDE$$ETH-WAN$Outside to TW Cable
 ip address 155.155.155.1 255.255.255.248
 ip access-group 103 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface Serial0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation frame-relay
 ip route-cache flow
!
interface Serial0/0.1 point-to-point
 description $FW_OUTSIDE$Outside to T1 Interface
 ip address 12.12.12.1 255.255.255.224
 ip access-group 105 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
 frame-relay interface-dlci 500 IETF  
!
interface FastEthernet0/1
 description $FW_INSIDE$$ETH-LAN$Stub LAN to PIX515E
 ip address 192.168.254.237 255.255.255.240
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
ip nat pool HideNAT_T1 12.12.12.10 12.12.12.127 netmask 255.255.255.224
ip nat pool HideNAT_CABLE 155.155.155.2 155.155.155.2 netmask 255.255.255.248
ip nat inside source list 1 pool HideNAT_CABLE overload
ip nat inside source static 192.168.254.238 24.97.211.93
ip nat inside source static tcp 192.168.254.225 80 24.97.211.90 80 extendable
ip nat inside source static tcp 192.168.254.225 25 24.97.211.90 25 extendable
ip nat inside source static tcp 192.168.254.235 443 24.97.211.90 443 extendable
ip nat inside source static tcp 192.168.254.228 515 24.97.211.90 515 extendable
ip nat inside source static 192.168.254.226 24.97.211.92
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip http server
ip http access-class 2
ip http authentication local
!
logging history informational
logging origin-id ip
logging source-interface FastEthernet0/0
logging server-arp
logging 192.168.254.226
access-list 1 remark SDM_ACL Category=18
access-list 1 remark IP NAT inside source list "Hide_NAT ACL"
access-list 1 remark IP Pool NAT (Hide) Stub network
access-list 1 permit 192.168.254.224 0.0.0.15
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 1 remark HTTP Server Management
access-list 2 permit 192.168.254.224 0.0.0.15
access-list 12 remark SDM_ACL Category=16
access-list 12 permit 13.13.13.1
access-list 12 permit 14.14.14.1
access-list 12 remark Elmira-LAN
access-list 12 permit 10.10.1.0 0.0.0.255
access-list 12 deny   any log
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark The following pointing to the stub network at this time.  Havent implemented the ip unnumbered yet.
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 192.168.254.224 0.0.0.15 host 192.168.254.237 eq telnet
access-list 100 permit tcp 192.168.254.224 0.0.0.15 host 192.168.254.237 eq 22
access-list 100 permit tcp 192.168.254.224 0.0.0.15 host 192.168.254.237 eq www
access-list 100 permit tcp 192.168.254.224 0.0.0.15 host 192.168.254.237 eq cmd
access-list 100 deny   tcp any host 192.168.254.237 eq telnet
access-list 100 deny   tcp any host 192.168.254.237 eq 22
access-list 100 deny   tcp any host 192.168.254.237 eq www
access-list 100 deny   tcp any host 192.168.254.237 eq 443
access-list 100 deny   tcp any host 192.168.254.237 eq cmd
access-list 100 deny   udp any host 192.168.254.237 eq snmp
access-list 100 permit ip any any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 1 remark VTY 0 4 ACL
access-list 102 permit ip 192.168.254.224 0.0.0.15 any
access-list 103 remark SDM_ACL Category=17
access-list 103 remark Cable outside in ACL
access-list 103 deny   tcp any host 155.155.155.1 eq www log
access-list 103 deny   tcp any host 155.155.155.1 eq 443 log
access-list 103 deny   tcp any host 155.155.155.1 eq cmd log
access-list 103 deny   udp any host 155.155.155.1 eq snmp log
access-list 103 permit icmp 16.16.16.0 0.0.0.255 any log
access-list 103 permit icmp host 13.13.13.1 any
access-list 103 permit icmp host 14.14.14.1 any
access-list 103 permit tcp host 15.15,15.1 any eq lpd log
access-list 103 deny   icmp any any log
access-list 103 deny   udp any any eq ntp log
access-list 103 permit ip any any
access-list 105 remark T1 Outside In
access-list 105 remark SDM_ACL Category=17
access-list 105 remark Permit MCI ICMP
access-list 105 permit icmp host 153.39.50.6 any
access-list 105 permit icmp host 153.39.57.136 any
access-list 105 permit icmp host 153.39.57.196 any
access-list 105 permit icmp host 153.39.129.196 any
access-list 105 permit icmp host 153.39.129.230 any
access-list 105 permit icmp host 153.39.129.30 any
access-list 105 permit icmp host 153.39.201.154 any
access-list 105 permit icmp host 153.39.201.213 any
access-list 105 permit icmp 199.171.54.0 0.0.0.255 any
access-list 105 remark The next IP is the MCI loopback
access-list 105 permit icmp host 137.39.7.198 any
access-list 105 remark Permit Remote Sites ICMP
access-list 105 permit icmp host 13.13.13.1 any
access-list 105 permit icmp host 14.14.14.1 any
access-list 105 deny   icmp any any log
access-list 105 remark T1 outside in
access-list 105 deny   tcp any host 12.12.12.1 eq www log
access-list 105 deny   tcp any host 12.12.12.1 eq 443 log
access-list 105 deny   tcp any host 12.12.12.1 eq cmd log
access-list 105 remark Deny NTP request outside
access-list 105 deny   udp any any eq ntp log
access-list 105 permit ip any any
no cdp run
banner login ^CAuthorized access only
       
Disconnect IMMEDIATELY as you are not an authorized user! ^C
!
line con 0
 password 7 05184B2E2F4D1A0C09
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 session-timeout 30
 access-class 102 in
 privilege level 15
 login local
 transport input telnet
 transport output telnet
!
scheduler allocate 4000 1000
ntp clock-period 17180446
!
end

NY_3725#exit
apscnjohnnieAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

lrmooreCommented:
I don't see "ip nat outside" on your T1 subif...

What is your goal with the additional ISP link? Redundency? Failover? Load-sharing?

Let's take one acl at a time....


>interface Serial0/0.1 point-to-point
   ip access-group 105 in

 access-list 105 permit icmp any host <new serial ip> echo  <== nothing dangerous about this
 access-list 105 permit icmp any any unreachable      <== for PMTUD
 access-list 105 permit icmp any any echo-reply        <== for ping replies
 access-list 105 permit icmp any any time-exceeded  <== for traceroute
 access-list 105 permit tcp any any established         <== allow return traffic from outgoing requests
 access-list 105 permit udp any eq 53 any               <== allow DNS name service
 access-list 105 permit tcp host <your ip> host <new serial ip> telnet <== give yourself remote access
 access-list 105 permit tcp host <your ip> host <new serial ip> ssh   <== prefered over telnet
 access-list 105 deny ip any any log                       <== deny everything else and log all attempts

>interface FastEthernet0/0
 ip access-group 103 in <== change to be identical to acl 105.

 access-list 103 permit icmp any host <new serial ip> echo  
 access-list 103 permit icmp any any unreachable      
 access-list 103 permit icmp any any echo-reply        
 access-list 103 permit icmp any any time-exceeded  
 access-list 103 permit tcp any any established        
 access-list 103 permit udp any eq 53 any              
 access-list 103 permit tcp host <your ip> host <new serial ip> telnet
 access-list 103 permit tcp host <your ip> host <new serial ip> ssh  
 access-list 103 deny ip any any log    

I prefer to use multiple identical acls because it is easier to troubleshoot .

>interface FastEthernet0/1
  ip access-group 100 in

Your ACL 100 doesn't make much sense to me.
>access-list 100 permit tcp 192.168.254.224 0.0.0.15 host 192.168.254.237 eq telnet
There is no reason to permit a connected subnet to a connected host on the same interface. Unless the packet actually has to go through one interface and out another, it does nothing.
I would not assign any acl to the local lan interface unless there are specific hosts and services that you want to block your users from using..

Couple more items to look at for efficiency...
>ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
Default route should point to the next hop IP rather than the interface, especially if it is an Ethernet interface. Change to:
 ip route 0.0.0.0 0.0.0.0 155.155.155.x

If you want the T1 to work also:

 interface serial 0/0.1
  ip nat outside
 ip route 0.0.0.0 0.0.0.0 12.12.12.x

access-list 3 permit ip 192.168.254.224 0.0.0.25
ip nat inside source list 3 pool HideNAT_T1 overload

//-- these hosts have static NAT xlates for TW cable IP's and must use TW egress
access-list 110 permit ip host 192.168.254.238 any
access-list 110 permit ip host 192.168.254.235 any
access-list 110 permit ip host 192.168.254.236 any
route-map UseTW permit 10
 match ip-address 110
 set ip next-hop 155.155.155.x

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
lrmooreCommented:
Forgot to apply the route-map to the local lan interface

interface Fast0/1
 ip policy route-map UseTW
apscnjohnnieAuthor Commented:
>>I don't see "ip nat outside" on your T1 subif...
Currently I am pointing traffic out of my Cable interface.

<<What is your goal with the additional ISP link? Redundency? Failover? Load-sharing?
I want to make the T-1 my primary and the cable as a backup.  I have read a lot of information that you have posted regarding utilizing both inputs to do a semi failover.  Still find it easy just to copy and paste some tested config change files to make the swap over happen.

depending on which interface I am routing too I will use the appropriate access-group 103 or 105
I use ACL 103 and apply it to the cable interface
I use ACL 105 and apply it to the serial interface

I am going to make the changes you suggest on the acl's still keeping the cable connected then do an no access-group 103 in and a access-group 103 in to apply to the Fa0/0 interface.

The vendor who I hired put that in there.  I thought it was needed for the stubnet traffic to go out as it was applied to the inside interface in.  I also have a problem where rdns return the ip of the gobal outside IP instead of it's static nat.  But I want to make one change at a time.  Get rid of the double nat using ip ununumbered then change my pix translation rules.

Can I use the ip unnumbered on cable interface as well.  That will make my switchover from t-1 to cable or vise versa much easier  I may not have enough ip's to accomplish that but I will see.
Build an E-Commerce Site with Angular 5

Learn how to build an E-Commerce site with Angular 5, a JavaScript framework used by developers to build web, desktop, and mobile applications.

lrmooreCommented:
>Can I use the ip unnumbered on cable interface as well.
Unfortunately, not. The upstream router must route your subnet through a specified interface in order for you to use unnumberd. No problem with T1 because it is a direct non-broadcast sub-interface. Cable doesn't work that way.
You have little choice but to double-nat for the Cable interface

Since you have the PIX behind it and will be changing it all soon, let's just stick to the outside-->in acls that will be applied to the two ISP interfaces.

If you want the cable as the failover, we can do that easily enough with floating static. Since the PIX will be doing the bulk of the NAT and handle most statics....

interface Serial 0/0.1
 ip address 153.27.11.2 255.255.255.252

interface FastEthernet 0/0
 ip address 155.155.155.61 255.255.255.0
 ip nat outside

interface FastEthernet 0/1
 ip address 12.12.12.1 255.255.255.0
 ip nat inside

//-- this nat config will not come into play unless the routing pushes the packets out the ip nat outside interface
//-- which it will not do unless/until the T1 is down

access-list 10 permit 12.12.12.0 0.0.0.255
ip nat inside source list 10 pool HideNAT_CABLE overload

//-- floating static with extra cost of "100" means this route is only a failover and will only work when the T1
//-- is down
ip route 0.0.0.0 0.0.0.0 153.27.11.1
ip route 0.0.0.0 0.0.0.0 155.155.155.1 100  

Done. Now everything is automagic... Only issue is inbound static xlates for alternate IP's for email...
email is easy, www is another story....


apscnjohnnieAuthor Commented:
I also have a br900 cable modem in the mix on the cable side.  It occupies an ip out of my cable public subnet.  I do not have control over that item.
apscnjohnnieAuthor Commented:
I haven't received the 30 bit subnet from my isp, what happens if i apply the  serial0/0.1 interface instead of going the ip unnumbered route.  I can still use that on the serial0/0.1 in the config you suggested and not cause any reprecussions to the cable side?  It looks like that is the case studying your configs except how does that change the default route?

Would this be correct?
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip route 0.0.0.0 0.0.0.0 155.155.155.1 100
lrmooreCommented:
By jove, I think you're getting the hang of this!
There's nothing wrong with doing that. A serial interface does not behave the same as an Ethernet interface, so using the interface ID as the route is OK.
apscnjohnnieAuthor Commented:
Never mind I just got my 30 subnet

We have assigned you x.x.x.188/30.  Please use x.x.x.190/30 to number your interface. Our side will be x.x.x.189/30.  
lrmooreCommented:
Woo hooo!

apscnjohnnieAuthor Commented:
So given my new parameters would this be a correct interface config?

interface FastEthernet0/0
 description Cable Outside
 ip address 155.155.155.1 255.255.255.248
 ip access-group 103 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface Serial0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation frame-relay
 ip route-cache flow
!
interface Serial0/0.1 point-to-point
 description T-1 Interface
 ip address x.x.x.190 255.255.255.252
 ip access-group 105 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
 frame-relay interface-dlci 500 IETF  
!
interface FastEthernet 0/1
 ip policy route-map UseTW <==========Would I use this
 ip address 12.12.12.1 255.255.255.0 <======or this based on the acl below?
 ip nat inside
 ip route-cache flow
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
ip nat pool HideNAT_CABLE 155.155.155.2 155.155.155.2 netmask 255.255.255.248
ip nat inside source list 10 pool HideNAT_CABLE overload
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.190
ip route 0.0.0.0 0.0.0.0 155.155.155.1 100
!
 access-list 103 remark applied to the cable traffic IN interface Fa0/0
 access-list 103 permit icmp any host 155.155.155.1 echo  <== nothing dangerous about this
 access-list 103 permit icmp any any unreachable      <== for PMTUD
 access-list 103 permit icmp any any echo-reply        <== for ping replies
 access-list 103 permit icmp any any time-exceeded  <== for traceroute
 access-list 103 permit tcp any any established         <== allow return traffic from outgoing requests
 access-list 103 permit udp any eq 53 any               <== allow DNS name service
 access-list 103 remark Access from remote host for management to Cable interface Fa0/0
 access-list 103 permit tcp host 13.13.13.1 host 155.155.155.1 telnet <== give yourself remote access
 access-list 103 permit tcp host 14.14.14.1 host 155.155.155.1 ssh   <== prefered over telnet
 access-list 103 deny ip any any log                       <== deny everything else and log all attempts
!
 access-list 105 permit icmp any host x.x.x.190 echo  <== nothing dangerous about this
 access-list 105 permit icmp any any unreachable      <== for PMTUD
 access-list 105 permit icmp any any echo-reply        <== for ping replies
 access-list 105 permit icmp any any time-exceeded  <== for traceroute
 access-list 105 permit tcp any any established         <== allow return traffic from outgoing requests
 access-list 105 permit udp any eq 53 any               <== allow DNS name service
 access-list 105 permit tcp host 13.13.13.1 host x.x.x.190 telnet <== give yourself remote access
 access-list 105 permit tcp host 14.14.14.1 host x.x.x.190 ssh   <== prefered over telnet
 access-list 105 deny ip any any log                       <== deny everything else and log all attempts
!
access-list 110 permit ip host 192.168.254.238 any
access-list 110 permit ip host 192.168.254.235 any
access-list 110 permit ip host 192.168.254.236 any
!
route-map UseTW permit 10
 match ip-address 110
 set ip next-hop 155.155.155.14 <===This would be the cable modem IP??  It's bR900 Cisco cable modem and it does have an ip in the outside interface (Fa0/0) subnet  so for example this is .14
apscnjohnnieAuthor Commented:
Just going to dismiss with all the fake ip's and use the real last octet, since I have already screwed up in my posting.

Here is what I have to work with in my Net documentation that I have created.

I will submit a config file for just the router utilizing this info.

NY WAN/LAN IP Information
Cable Public IP Configuration x.x.x.88/29
Network ID x.x.x.88
Mask 255.255.255.248
Inverse Mask x.x.x.7
Broadcast x.x.x.95
Usable Range x.x.x.89-x.x.x.94
IP address assignment
x.x.x.89 – Cable Modem External
x.x.x.90 – public domain name which uses PAT
PAT
80 – x.x.x.101
25 – x.x.x.101
443 – x.x.x.98
515 – x.x.x.99
x.x.x.91 – Outside Global NAT Pool (overload)
x.x.x.92 – ssh
x.x.x.93 – vpn (client and site to site)
x.x.x.94 – Cisco 3725 FastEthernet0/0 (Outside)

MCI T-1 Corp Edge Router to MCI Edge Router IP Configuration x.x.x.188/30
Network ID x.x.x.188
Mask 255.255.255.252
Inverse Mask 0.0.0.3
Broadcast x.x.x.91
Usable Range x.x.x.89 – x.x.x.90

Stub Network IP Configuration x.x.x.96/27 (This is the publicly assigned ip range from MCI T-1) and will be used on the stubnet between the pix and the edge router.
Network ID x.x.x.96
Mask 255.255.255.240
Inverse Mask 0.0.0.15
Broadcast x.x.x.127
Usable Range x.x.x.-x.x.x.230
Usable Range x.x.x.233 – x.x.x.238
IP address assignment
x.x.x.97 – Edge Router Inside interface IP
x.x.x.98 – https to PIX Inside Host
x.x.x.99 – lpd to PIX Inside Host
x.x.x.100 – SSH to PIX Inside Host (This is an SFTP server) (This inside host also is the syslog server)
x.x.x.101 – http/smtp to PIX DMZ Host &#61671;====I could split these up
x.x.x.102 – reserved
x.x.x.103 – x.x.x.125 Outside Global NAT Pool for the PIX Outside Interface
x.x.x.126 – Outside Global NAT Pool (PAT) (overload if the first16 IP’s fill up)

DMZ Network IP Configuration 192.168.10.0/24
Network ID 192.168.10.0
Mask 255.255.255.0
Inverse Mask 0.0.0.255
Broadcast 192.168.10.254
Usable Range 192.168.10.1 – 192.168.10.254
IP address assignment
192.168.10.2 – DMZWEB
192.168.10.254 – Pix 515E Ethernet2 (DMZ)

Internal Network IP Configuration 10.10.1.0/24
Network ID 10.10.1.0
Mask 255.255.255.0
Inverse Mask 0.0.0.255
Broadcast 10.10.1.255
Usable Range 10.10.1.1 – 10.10.1.254
10.10.1.254 – Pix 515E Ethernet1 (Inside)
apscnjohnnieAuthor Commented:
>Can I use the ip unnumbered on cable interface as well.
Unfortunately, not. The upstream router must route your subnet through a specified interface in order for you to use unnumberd. No problem with T1 because it is a direct non-broadcast sub-interface. Cable doesn't work that way.
You have little choice but to double-nat for the Cable interface

OK you already answered that.  I will build 2 configurations for the PIX so this will be complicated for a failover I suppose.  But if I build my config modification lines in a text pad I can easily apply them.  I have console level access to all interfaces on my WAN via a Raritan Dominion KX solution.

still working on the configs but I am almost finished.
apscnjohnnieAuthor Commented:
With this access-group applied to the outside interface I could not get out or get in to any servers inside.  In my old config I had a line prior to the deny ip any any log that stated permit ip any any I always thought those an add pair since the permit would pretty much negate the usefullness of the deny even if it wasn't implied (or is that only on PIX 6.3 that an automatic deny is applied)

 access-list 105 permit icmp any host <new serial ip> echo  <== nothing dangerous about this
 access-list 105 permit icmp any any unreachable      <== for PMTUD
 access-list 105 permit icmp any any echo-reply        <== for ping replies
 access-list 105 permit icmp any any time-exceeded  <== for traceroute
 access-list 105 permit tcp any any established         <== allow return traffic from outgoing requests
 access-list 105 permit udp any eq 53 any               <== allow DNS name service
 access-list 105 permit tcp host <your ip> host <new serial ip> telnet <== give yourself remote access
 access-list 105 permit tcp host <your ip> host <new serial ip> ssh   <== prefered over telnet
 access-list 105 deny ip any any log                       <== deny everything else and log all attempts

My old acces-group 105
access-list 105 remark T1 outside in
access-list 105 remark Permit MCI ICMP
access-list 105 permit icmp host 153.39.50.6 any
access-list 105 permit icmp host 153.39.57.136 any
access-list 105 permit icmp host 153.39.57.196 any
access-list 105 permit icmp host 153.39.129.196 any
access-list 105 permit icmp host 153.39.129.230 any
access-list 105 permit icmp host 153.39.129.30 any
access-list 105 permit icmp host 153.39.201.154 any
access-list 105 permit icmp host 153.39.201.213 any
access-list 105 permit icmp 199.171.54.0 0.0.0.255 any
access-list 105 remark The next IP is the MCI loopback
access-list 105 permit icmp host 137.39.7.198 any
access-list 105 remark Permit Remote Sites ICMP
access-list 105 permit icmp host 13.13.13.1 any
access-list 105 permit icmp host 14.14.14.1 any
access-list 105 deny   icmp any any log
access-list 105 remark block the following ports on the external interface Fa0/0
access-list 105 deny   tcp any host 12.12.12.1 eq www log
access-list 105 deny   tcp any host 12.12.12.1 eq 443 log
access-list 105 deny   tcp any host 12.12.12.1 eq cmd log
access-list 105 remark Deny NTP request outside
access-list 105 deny   udp any any eq ntp log
access-list 105 permit ip any any


lrmooreCommented:
>I could not get out or get in to any servers inside.
Sorry about that. Yes, you need explicit acl entries for inbound
Your permit ip any any at the end did take care of that for inbound, but it's not a good thing.
Yes, there is an implicit deny all at the end of every acl, even on pix.
The "established" line should have allowed return traffic.

Given your static statements:
ip nat inside source static 192.168.254.238 24.97.211.93
ip nat inside source static tcp 192.168.254.225 80 24.97.211.90 80 extendable
ip nat inside source static tcp 192.168.254.225 25 24.97.211.90 25 extendable
ip nat inside source static tcp 192.168.254.235 443 24.97.211.90 443 extendable
ip nat inside source static tcp 192.168.254.228 515 24.97.211.90 515 extendable
ip nat inside source static 192.168.254.226 24.97.211.92

Which ports inbound do you need for .92 and .93?

New ACL 105 example (removed all <== comment lines)

access-list 105 permit icmp any host <new serial ip> echo  
 access-list 105 permit icmp any any unreachable      
 access-list 105 permit icmp any any echo-reply        
 access-list 105 permit icmp any any time-exceeded  
 access-list 105 permit tcp any any established        
 access-list 105 permit udp any eq 53 any              
 access-list 105 permit tcp host <your ip> host <new serial ip> telnet
 access-list 105 permit tcp host <your ip> host <new serial ip> ssh  
 access-list 105 permit tcp any host 24.97.211.90 eq www
 access-list 105 permit tcp any host 24.97.211.90 eq 443
 access-list 105 permit tcp any host 24.97.211.90 eq smtp
 access-list 105 permit tcp any host 24.97.211.90 eq 515
 access-list 105 deny ip any any log

You can use the log "show log" to see what ports/IP's are being denied for troubleshooting..
                       
apscnjohnnieAuthor Commented:
I had to do a console line by line entry of the acl's.  the ones above would not be applicable to how it was set up.  One thing I did do is save the config as I had it.  let me work it over and post both the edge router and the pix config files to see how I had it set up.  Just so you know I could pass icmp/smtp traffic between the inside and the dmz no problem.  I could ping out from the inside and dmz via ip with no poblem.  It is when I wanted to resolve host names from inside or dmz or gain access from outside to the network.

I may have messed up with the stub network config.  I could ping MCI's side of the network with no problem so I know I could get to the next hop from the dmz or inside.

thanks for your help with this I will get my configs posted up shortly
apscnjohnnieAuthor Commented:
OK here is my routers config file.  I am using acl 105 since it is applied to the serial0/0.1 int

!----------------------------------------------------------------------------
!version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime year
service password-encryption
service sequence-numbers
!
hostname PIX
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging count
logging buffered 4096 debugging
no logging console
no logging monitor
enable secret ********************
!
username ***** privilege 15 password ************
clock timezone EST -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
!
!
!
ip cef
no ip bootp server
no ip domain lookup
no ftp-server write-enable
!
!
!
!
interface Loopback0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description Outside Interface TW Cable
 ip address x.x.x.94 255.255.255.248
 ip access-group 103 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface Serial0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation frame-relay
 ip route-cache flow
!
interface Serial0/0.1 point-to-point(/30 subnet provided by MCI for edge networks. My side .190 MCI's .189)
 description Outside Interface MCI T-1 Point-to-point
 ip address x.x.x.190 255.255.255.252
 ip access-group 105 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
 frame-relay interface-dlci 500 IETF  
!
interface FastEthernet0/1
 description Inside Interface NY3725
 ip address x.x.x.97 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
no ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.189 <==== MCI's side of the stub outer network.
ip route 0.0.0.0 0.0.0.0 x.x.x.89 100 <=== cisco cable modem br900
ip http server
ip http access-class 2
ip http authentication local
!
access-list 1 remark Cable NAT pool
access-list 1 permit x.x.x..96 0.0.0.15
access-list 2 remark http access to SDM
access-list 2 permit x.x.x..96 0.0.0.15
access-list 10 remark Cable NAT Source list
access-list 10 permit x.x.x..96 0.0.0.15
access-list 102 remark vty 04 access in
access-list 103 remark applied to the cable traffic IN interface Fa0/0
access-list 103 permit icmp any x.x.x.88 0.0.0.7 echo
access-list 103 permit icmp any any unreachable
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit tcp any any established
access-list 103 permit udp any eq domain any
access-list 103 deny   ip any any log
access-list 105 remark applied to the T-1 traffic in Interface Serial0/0.1
access-list 105 permit icmp any x.x.x.188 0.0.0.3 echo
access-list 105 permit icmp any any unreachable
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit tcp any any established
access-list 105 permit udp any eq domain any
access-list 105 deny   ip any any log
access-list 110 remark double NAT Scenario for cable Connection
access-list 110 permit ip host x.x.x.225 any
access-list 110 permit ip host x.x.x.226 any
access-list 110 permit ip host x.x.x.227 any
access-list 110 permit ip host x.x.x.228 any
no cdp run
banner login ^CAuthorized access only
!    
Disconnect IMMEDIATELY as you are not an authorized user! ^C
!
line con 0
 password **********
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 session-timeout 30
 privilege level 15
 login local
 transport input telnet
 transport output telnet
!
scheduler allocate 4000 1000
ntp clock-period 17180446
!
end
apscnjohnnieAuthor Commented:
Here is my Config on the PIX.  Thanks for any assistance.

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password ********* encrypted
passwd ********** encrypted
hostname Pix
domain-name domain.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list outside_cryptomap_20 permit ip x.x.1.0 255.255.255.0 x.x.2.0 255.255.255.0
access-list outside_access_in permit icmp any any echo
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in remark next 2 lines are for web access to dmz web/mail relay server host .101 is translated on pix outside
access-list outside_access_in permit tcp any host x.x.x.101 eq www
access-list outside_access_in permit tcp any host x.x.x.101 eq smtp
access-list outside_access_in remark access from home network to ssh server
access-list outside_access_in permit tcp host x.x.x.97 host x.x.x.100 eq ssh
access-list inside_access_in remark allow exchange to send smtp to dmz relay server traffic
access-list inside_access_in permit tcp host x.x.1.2 host x.x.10.2 eq smtp
access-list inside_access_in remark deny all other inside hosts from sending smtp traffic out
access-list inside_access_in deny tcp any any eq smtp log
access-list inside_access_in permit ip any any
access-list DMZ_access_in remark allow all dmz hosts to query dns
access-list DMZ_access_in permit tcp x.x.10.0 255.255.255.0 any eq domain
access-list DMZ_access_in remark allow dmz mail relay server to send mail to inside exchange
access-list DMZ_access_in permit tcp host x.x.10.2 host x.x.1.2 eq smtp
access-list DMZ_access_in remark not sure why this line is here must have been a double finger entry
access-list DMZ_access_in permit tcp host x.x.10.2 host x.x.1.2
access-list DMZ_access_in permit ip any any
access-list inside_outbound_nat0_acl remark no nat on ipsec site to site traffic across the wan
access-list inside_outbound_nat0_acl permit ip x.x.1.0 255.255.255.0 x.x.2.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap informational
logging facility 23
logging device-id hostname
logging host inside x.x.1.3
icmp permit any unreachable outside <========since I am applying icmp rules via acls do I need these globals?
icmp permit any echo-reply outside <========ditto
icmp permit any timestamp-request outside <======ditto
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside x.x.x.126 255.255.255.224
ip address inside x.x.1.254 255.255.255.0
ip address DMZ x.x.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN x.x.x.10-x.x.x.19
pdm location x.x.x.0 255.255.255.0 inside
pdm location x.x.x.2 255.255.255.255 inside
pdm location x.x.x.0 255.255.255.0 inside
pdm location x.x.x.97 255.255.255.255 outside
pdm location x.x.x.197 255.255.255.255 outside
pdm location x.x.x.0 255.255.255.0 outside
pdm location x.x.x.3 255.255.255.255 inside
pdm location x.x.x.24 255.255.255.255 inside
pdm location x.x.x.2 255.255.255.255 DMZ
pdm location x.x.x.0 255.255.255.0 outside
pdm location x.x.x.0 255.255.255.0 outside
pdm location x.x.x.237 255.255.255.255 outside
pdm location x.x.x.13 255.255.255.255 outside
pdm location x.x.x.0 255.255.255.0 outside
pdm location x.x.x.94 255.255.255.255 outside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 100 x.x.x.103-x.x.x.124 netmask 255.255.255.224
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 100 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.98 x.x.1.2 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.99 x.x.1.24 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.100 x.x.1.3 netmask 255.255.255.255 0 0
static (DMZ,outside) x.x.x.101 x.x.10.2 netmask 255.255.255.255 0 0
static (inside,DMZ) x.x.1.2 x.x.1.2 netmask 255.255.255.255 0 0
static (inside,DMZ) x.x.1.3 x.x.1.3 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 157.130.10.189 1
timeout xlate 0:30:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authorization command LOCAL
http server enable
http x.x.1.0 255.255.255.0 inside
http x.x.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.197
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.197 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpngroupname address-pool VPN
vpngroup vpngroupname dns-server x.x.1.1
vpngroup vpngroupname default-domain bka.local
vpngroup vpngroupname pfs
vpngroup vpngroupname idle-time 1800
vpngroup vpngroupname password ********
telnet x.x.1.0 255.255.255.0 inside
telnet x.x.2.0 255.255.255.0 inside
telnet timeout 5
ssh x.x.x.97 255.255.255.255 outside
ssh x.x.x.197 255.255.255.255 outside
ssh x.x.1.0 255.255.255.0 inside
ssh x.x.2.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 15
username ******* password ******** encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:***********************
: end
[OK]
lrmooreCommented:
Interface Fast 0/1 still has to be identified as nat inside for the cable connection to work.
With acl 105 applied as it is, you won't have any access to any server services from outside..

What you really want to be careful of is setting too extensive of an acl on the router, and then having the same acl applied on the PIX. Makes troubleshooting very difficult.

Let the router do it's thing - pass packets as quickly as possible.
Let the PIX do it's thing - block all unwanted traffic to internal hosts

The ACL on the router should do nothing more than protect the router itself..
Since you protect the router internal http server with an access-class, and you protect the telnet vty with an access-class, there is virtually no real reason to run "any" access-list on the external interface.

apscnjohnnieAuthor Commented:
I am following you.  So since my PIX config is managing access via this config:

PIX

ip address outside x.x.x.126 255.255.255.224
ip address inside x.x.1.254 255.255.255.0
ip address DMZ x.x.10.254 255.255.255.0

access-group outside_access_in in interface outside

static (inside,outside) x.x.x.98 x.x.1.2 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.99 x.x.1.24 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.100 x.x.1.3 netmask 255.255.255.255 0 0
static (DMZ,outside) x.x.x.101 x.x.10.2 netmask 255.255.255.255 0 0

access-list outside_access_in permit icmp any any echo
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in remark next 2 lines are for web access to dmz web/mail relay server host .101 is translated on pix outside
access-list outside_access_in permit tcp any host x.x.x.101 eq www
access-list outside_access_in permit tcp any host x.x.x.101 eq smtp
access-list outside_access_in remark access from home network to ssh server
access-list outside_access_in permit tcp host x.x.x.97 host x.x.x.100 eq ssh

Edge Router
interface Serial0/0.1 point-to-point(/30 subnet provided by MCI for edge networks. My side .190 MCI's .189)
 description Outside Interface MCI T-1 Point-to-point
 ip address x.x.x.190 255.255.255.252
 ip access-group 105 in

then I can do a no access-group 105 on the serial0/0.1 interface
access-list 105 remark applied to the T-1 traffic in Interface Serial0/0.1
access-list 105 permit icmp any x.x.x.188 0.0.0.3 echo
access-list 105 permit icmp any any unreachable
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit tcp any any established
access-list 105 permit udp any eq domain any
access-list 105 deny   ip any any log
lrmooreCommented:
>then I can do a no access-group 105 on the serial0/0.1 interface

Exactly. Looks like you're on the right track.

apscnjohnnieAuthor Commented:
Ok I will give that a try this eve and post my results when finished.  Can't interrupt business flow man do I need to get my tftp server back up and running.  Line by line is for the birds!!!!!!
lrmooreCommented:
I like Pumpkin tftp server
http://www.klever.net

Else SolarWinds tftp server  (I like ALL of their stuff!)
http://www.solarwinds.net/Download-Tools.htm
apscnjohnnieAuthor Commented:
I have used solarwinds but I will check into pumpkin thanks.
apscnjohnnieAuthor Commented:
OK much has happened since I last commented.  I guess I had to learn the hard way ole trial and error.  Thankfully to lrmoore suggestions on tftp and my re-familiarization of the protocol allowed me to save all my config and flash images.  even when I erased the flash by accident I was able to go through ronmon and use tftpdnld (once again per lrmoores post in another article) and restore my router back to the newest config.

Thanks lrmoore.  I have increased my throughput 88%.  (by removing all the unnecessarty acls on my edge router and just let it route allowing my pix to take up the load.  Packet time through the tunnel used to take 72ms but now only takes 12 - 15ms!!!!!  My replications are going to be real happy now.
lrmooreCommented:
Glad to hear it, grasshopper!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Languages and Standards

From novice to tech pro — start learning today.