apscnjohnnie
asked on
Proper ACL config on edge router to improve performance
>$FW_OUTSIDE$
This entry appears to be from the SDM GUI interface that comes with the security/firewall feature set. Do you have the firewall feature set? Do you have the inspect rules set up?
It doesn't support SSH; it was just supposed to come as a router with no bundles, just lots of memory (128 MB and a 240 MHz processor). I don't have any inspect rules. My config will be in the next opened question. I'll open up another question with the subject "Proper ACL config on edge router to improve performance".
Here is my config; it is currently configured to utilize the cable side. I have had so many problems with my T-1 side and I think you are filling me in on why! In the next post I will post the changes that I use to send traffic out my T-1.
NY_3725#term len 0
NY_3725#sh run
Building configuration...
Current configuration : 6851 bytes
!
! Last configuration change at 17:24:19 EST Thu Jun 30 2005 by jbaker
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime year
service password-encryption
service sequence-numbers
!
hostname NY_3725
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging count
logging buffered 4096 debugging
no logging console
no logging monitor
enable secret *********************
!
username ********* privilege 15 password ********************
clock timezone EST -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
!
!
!
ip cef
no ip bootp server
no ip domain lookup
no ftp-server write-enable
!
!
!
!
interface Loopback0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description $FW_OUTSIDE$$ETH-WAN$Outside to TW Cable
ip address 155.155.155.1 255.255.255.248
ip access-group 103 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface Serial0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation frame-relay
ip route-cache flow
!
interface Serial0/0.1 point-to-point
description $FW_OUTSIDE$Outside to T1 Interface
ip address 12.12.12.1 255.255.255.224
ip access-group 105 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
no cdp enable
frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/1
description $FW_INSIDE$$ETH-LAN$Stub LAN to PIX515E
ip address 192.168.254.237 255.255.255.240
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
!
ip nat pool HideNAT_T1 12.12.12.10 12.12.12.127 netmask 255.255.255.224
ip nat pool HideNAT_CABLE 155.155.155.2 155.155.155.2 netmask 255.255.255.248
ip nat inside source list 1 pool HideNAT_CABLE overload
ip nat inside source static 192.168.254.238 24.97.211.93
ip nat inside source static tcp 192.168.254.225 80 24.97.211.90 80 extendable
ip nat inside source static tcp 192.168.254.225 25 24.97.211.90 25 extendable
ip nat inside source static tcp 192.168.254.235 443 24.97.211.90 443 extendable
ip nat inside source static tcp 192.168.254.228 515 24.97.211.90 515 extendable
ip nat inside source static 192.168.254.226 24.97.211.92
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip http server
ip http access-class 2
ip http authentication local
!
logging history informational
logging origin-id ip
logging source-interface FastEthernet0/0
logging server-arp
logging 192.168.254.226
access-list 1 remark SDM_ACL Category=18
access-list 1 remark IP NAT inside source list "Hide_NAT ACL"
access-list 1 remark IP Pool NAT (Hide) Stub network
access-list 1 permit 192.168.254.224 0.0.0.15
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 1 remark HTTP Server Management
access-list 2 permit 192.168.254.224 0.0.0.15
access-list 12 remark SDM_ACL Category=16
access-list 12 permit 13.13.13.1
access-list 12 permit 14.14.14.1
access-list 12 remark Elmira-LAN
access-list 12 permit 10.10.1.0 0.0.0.255
access-list 12 deny any log
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark The following pointing to the stub network at this time. Havent implemented the ip unnumbered yet.
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 192.168.254.224 0.0.0.15 host 192.168.254.237 eq telnet
access-list 100 permit tcp 192.168.254.224 0.0.0.15 host 192.168.254.237 eq 22
access-list 100 permit tcp 192.168.254.224 0.0.0.15 host 192.168.254.237 eq www
access-list 100 permit tcp 192.168.254.224 0.0.0.15 host 192.168.254.237 eq cmd
access-list 100 deny tcp any host 192.168.254.237 eq telnet
access-list 100 deny tcp any host 192.168.254.237 eq 22
access-list 100 deny tcp any host 192.168.254.237 eq www
access-list 100 deny tcp any host 192.168.254.237 eq 443
access-list 100 deny tcp any host 192.168.254.237 eq cmd
access-list 100 deny udp any host 192.168.254.237 eq snmp
access-list 100 permit ip any any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 1 remark VTY 0 4 ACL
access-list 102 permit ip 192.168.254.224 0.0.0.15 any
access-list 103 remark SDM_ACL Category=17
access-list 103 remark Cable outside in ACL
access-list 103 deny tcp any host 155.155.155.1 eq www log
access-list 103 deny tcp any host 155.155.155.1 eq 443 log
access-list 103 deny tcp any host 155.155.155.1 eq cmd log
access-list 103 deny udp any host 155.155.155.1 eq snmp log
access-list 103 permit icmp 16.16.16.0 0.0.0.255 any log
access-list 103 permit icmp host 13.13.13.1 any
access-list 103 permit icmp host 14.14.14.1 any
access-list 103 permit tcp host 15.15.15.1 any eq lpd log
access-list 103 deny icmp any any log
access-list 103 deny udp any any eq ntp log
access-list 103 permit ip any any
access-list 105 remark T1 Outside In
access-list 105 remark SDM_ACL Category=17
access-list 105 remark Permit MCI ICMP
access-list 105 permit icmp host 153.39.50.6 any
access-list 105 permit icmp host 153.39.57.136 any
access-list 105 permit icmp host 153.39.57.196 any
access-list 105 permit icmp host 153.39.129.196 any
access-list 105 permit icmp host 153.39.129.230 any
access-list 105 permit icmp host 153.39.129.30 any
access-list 105 permit icmp host 153.39.201.154 any
access-list 105 permit icmp host 153.39.201.213 any
access-list 105 permit icmp 199.171.54.0 0.0.0.255 any
access-list 105 remark The next IP is the MCI loopback
access-list 105 permit icmp host 137.39.7.198 any
access-list 105 remark Permit Remote Sites ICMP
access-list 105 permit icmp host 13.13.13.1 any
access-list 105 permit icmp host 14.14.14.1 any
access-list 105 deny icmp any any log
access-list 105 remark T1 outside in
access-list 105 deny tcp any host 12.12.12.1 eq www log
access-list 105 deny tcp any host 12.12.12.1 eq 443 log
access-list 105 deny tcp any host 12.12.12.1 eq cmd log
access-list 105 remark Deny NTP request outside
access-list 105 deny udp any any eq ntp log
access-list 105 permit ip any any
no cdp run
banner login ^CAuthorized access only
Disconnect IMMEDIATELY as you are not an authorized user! ^C
!
line con 0
password 7 05184B2E2F4D1A0C09
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
session-timeout 30
access-class 102 in
privilege level 15
login local
transport input telnet
transport output telnet
!
scheduler allocate 4000 1000
ntp clock-period 17180446
!
end
NY_3725#exit
ASKER
>>I don't see "ip nat outside" on your T1 subif...
Currently I am pointing traffic out of my Cable interface.
<<What is your goal with the additional ISP link? Redundancy? Failover? Load-sharing?
I want to make the T-1 my primary and the cable as a backup. I have read a lot of information that you have posted regarding utilizing both inputs to do a semi failover. Still find it easy just to copy and paste some tested config change files to make the swap over happen.
Depending on which interface I am routing to, I will use the appropriate access-group, 103 or 105:
I use ACL 103 and apply it to the cable interface
I use ACL 105 and apply it to the serial interface
I am going to make the changes you suggest on the ACLs while still keeping the cable connected, then do a no access-group 103 in and an access-group 103 in to apply it to the Fa0/0 interface.
The vendor I hired put that in there. I thought it was needed for the stubnet traffic to go out, as it was applied to the inside interface inbound. I also have a problem where rDNS returns the IP of the global outside IP instead of its static NAT. But I want to make one change at a time: get rid of the double NAT using ip unnumbered, then change my PIX translation rules.
Can I use ip unnumbered on the cable interface as well? That would make my switchover from T-1 to cable or vice versa much easier. I may not have enough IPs to accomplish that, but I will see.
>Can I use the ip unnumbered on cable interface as well.
Unfortunately not. The upstream router must route your subnet through a specified interface in order for you to use unnumbered. No problem with the T1 because it is a direct non-broadcast sub-interface. Cable doesn't work that way.
You have little choice but to double-NAT for the cable interface.
Since you have the PIX behind it and will be changing it all soon, let's just stick to the outside-->in acls that will be applied to the two ISP interfaces.
If you want the cable as the failover, we can do that easily enough with floating static. Since the PIX will be doing the bulk of the NAT and handle most statics....
interface Serial 0/0.1
ip address 153.27.11.2 255.255.255.252
interface FastEthernet 0/0
ip address 155.155.155.61 255.255.255.0
ip nat outside
interface FastEthernet 0/1
ip address 12.12.12.1 255.255.255.0
ip nat inside
//-- this nat config will not come into play unless the routing pushes the packets out the ip nat outside interface
//-- which it will not do unless/until the T1 is down
access-list 10 permit 12.12.12.0 0.0.0.255
ip nat inside source list 10 pool HideNAT_CABLE overload
//-- floating static with extra cost of "100" means this route is only a failover and will only work when the T1
//-- is down
ip route 0.0.0.0 0.0.0.0 153.27.11.1
ip route 0.0.0.0 0.0.0.0 155.155.155.1 100
Done. Now everything is automagic... Only issue is inbound static xlates for alternate IP's for email...
email is easy, www is another story....
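The failover and NAT behaviour described in the answer above, as an added example that is not part of the thread: a small Python model of the RIB holding both default routes and of the inside-to-outside NAT decision, using the placeholder addresses from the answer (153.27.11.x for the T1 /30, 155.155.155.x for the cable side, 12.12.12.0/24 on the inside) and the HideNAT_CABLE pool address from the original config. The Interface, StaticRoute and Router classes are my own abstractions, not IOS objects.

```python
# Added example (not from the thread): a model of the failover in the answer above.
# Two default routes sit in the RIB; the floating static (distance 100) is only
# chosen while the T1 route's next hop is unreachable, and hide-NAT through
# HideNAT_CABLE applies only when the chosen egress interface is 'ip nat outside'.
# Interface, StaticRoute and Router are my own classes, not IOS objects.
from dataclasses import dataclass
import ipaddress


@dataclass
class Interface:
    name: str
    network: ipaddress.IPv4Network   # directly connected subnet
    up: bool = True
    nat_outside: bool = False        # 'ip nat outside' configured


@dataclass
class StaticRoute:
    next_hop: str
    distance: int = 1                # IOS default administrative distance for a static


@dataclass
class Router:
    interfaces: list
    defaults: list                   # candidate 0.0.0.0/0 routes
    # 'access-list 10 permit 12.12.12.0 0.0.0.255' and the single-address pool
    nat_inside_list: ipaddress.IPv4Network = ipaddress.ip_network("12.12.12.0/24")
    nat_pool: str = "155.155.155.2"

    def _egress_for(self, next_hop):
        """Up interface whose connected subnet contains the next hop, else None."""
        nh = ipaddress.ip_address(next_hop)
        for intf in self.interfaces:
            if intf.up and nh in intf.network:
                return intf
        return None

    def best_default(self):
        """(route, egress) with the lowest distance among resolvable defaults."""
        usable = [(r, self._egress_for(r.next_hop)) for r in self.defaults]
        usable = [(r, i) for r, i in usable if i is not None]
        return min(usable, key=lambda ri: ri[0].distance) if usable else None

    def forward(self, src):
        """Return (egress interface name, source address as seen upstream)."""
        choice = self.best_default()
        if choice is None:
            return None
        _route, intf = choice
        # NAT only rewrites packets that leave an 'ip nat outside' interface and
        # whose source matches list 10; out the T1 the stub addresses go as-is.
        if intf.nat_outside and ipaddress.ip_address(src) in self.nat_inside_list:
            return intf.name, self.nat_pool
        return intf.name, src


def build_router(t1_up=True):
    """Topology from the answer: T1 on Serial0/0.1 (/30), cable on FastEthernet0/0."""
    return Router(
        interfaces=[
            Interface("Serial0/0.1", ipaddress.ip_network("153.27.11.0/30"), up=t1_up),
            Interface("FastEthernet0/0", ipaddress.ip_network("155.155.155.0/24"),
                      nat_outside=True),
            Interface("FastEthernet0/1", ipaddress.ip_network("12.12.12.0/24")),
        ],
        defaults=[StaticRoute("153.27.11.1"), StaticRoute("155.155.155.1", distance=100)],
    )
```

With the T1 up, `build_router().forward("12.12.12.50")` leaves Serial0/0.1 untranslated; with `t1_up=False` the same packet leaves FastEthernet0/0 as 155.155.155.2.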
ASKER
I also have a BR900 cable modem in the mix on the cable side. It occupies an IP out of my cable public subnet. I do not have control over that item.
ASKER
I haven't received the /30 subnet from my ISP. What happens if I use the Serial0/0.1 interface instead of going the ip unnumbered route? Can I still use that on Serial0/0.1 in the config you suggested and not cause any repercussions on the cable side? Studying your configs it looks like that is the case, except how does that change the default route?
Would this be correct?
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip route 0.0.0.0 0.0.0.0 155.155.155.1 100
By jove, I think you're getting the hang of this!
There's nothing wrong with doing that. A serial interface does not behave the same as an Ethernet interface, so using the interface ID as the route is OK.
ASKER
Never mind, I just got my /30 subnet:
We have assigned you x.x.x.188/30. Please use x.x.x.190/30 to number your interface. Our side will be x.x.x.189/30.
Woo hooo!
ASKER
So given my new parameters would this be a correct interface config?
interface FastEthernet0/0
description Cable Outside
ip address 155.155.155.1 255.255.255.248
ip access-group 103 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface Serial0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation frame-relay
ip route-cache flow
!
interface Serial0/0.1 point-to-point
description T-1 Interface
ip address x.x.x.190 255.255.255.252
ip access-group 105 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
no cdp enable
frame-relay interface-dlci 500 IETF
!
interface FastEthernet 0/1
ip policy route-map UseTW <==========Would I use this
ip address 12.12.12.1 255.255.255.0 <======or this based on the acl below?
ip nat inside
ip route-cache flow
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no cdp enable
no mop enabled
!
ip nat pool HideNAT_CABLE 155.155.155.2 155.155.155.2 netmask 255.255.255.248
access-list 10 permit 12.12.12.0 0.0.0.255 <== list 10 has to exist for the next line to translate anything
ip nat inside source list 10 pool HideNAT_CABLE overload
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.189 <== next hop is the MCI side of the /30 (x.x.x.189), not this router's own x.x.x.190
ip route 0.0.0.0 0.0.0.0 155.155.155.1 100
!
access-list 103 remark applied to the cable traffic IN interface Fa0/0
access-list 103 permit icmp any host 155.155.155.1 echo <== nothing dangerous about this
access-list 103 permit icmp any any unreachable <== for PMTUD
access-list 103 permit icmp any any echo-reply <== for ping replies
access-list 103 permit icmp any any time-exceeded <== for traceroute
access-list 103 permit tcp any any established <== allow return traffic from outgoing requests
access-list 103 permit udp any eq 53 any <== allow DNS name service
access-list 103 remark Access from remote host for management to Cable interface Fa0/0
access-list 103 permit tcp host 13.13.13.1 host 155.155.155.1 eq telnet <== give yourself remote access
access-list 103 permit tcp host 14.14.14.1 host 155.155.155.1 eq 22 <== preferred over telnet
access-list 103 deny ip any any log <== deny everything else and log all attempts
!
access-list 105 permit icmp any host x.x.x.190 echo <== nothing dangerous about this
access-list 105 permit icmp any any unreachable <== for PMTUD
access-list 105 permit icmp any any echo-reply <== for ping replies
access-list 105 permit icmp any any time-exceeded <== for traceroute
access-list 105 permit tcp any any established <== allow return traffic from outgoing requests
access-list 105 permit udp any eq 53 any <== allow DNS name service
access-list 105 permit tcp host 13.13.13.1 host x.x.x.190 eq telnet <== give yourself remote access
access-list 105 permit tcp host 14.14.14.1 host x.x.x.190 eq 22 <== preferred over telnet
access-list 105 deny ip any any log <== deny everything else and log all attempts
!
access-list 110 permit ip host 192.168.254.238 any
access-list 110 permit ip host 192.168.254.235 any
access-list 110 permit ip host 192.168.254.236 any
!
route-map UseTW permit 10
match ip address 110
set ip next-hop 155.155.155.14 <===This would be the cable modem IP?? It's bR900 Cisco cable modem and it does have an ip in the outside interface (Fa0/0) subnet so for example this is .14
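To check what the two outside-in ACLs in this post actually admit, here is an added Python evaluator (not code from the thread or from Cisco) for the subset of IOS extended ACL syntax used above, run against constructed packets. It assumes ACL 105 as proposed, written with the eq keyword IOS requires before a port (eq telnet, eq 22), and uses the documentation address 192.0.2.190 in place of x.x.x.190 and 192.0.2.101 for a host behind it.

```python
# Added example (not code from the thread or from Cisco): parser and first-match
# evaluator for the subset of IOS extended ACL syntax used above: ip/tcp/udp/icmp,
# any | host A | A WILDCARD, 'eq <port>', 'established', an ICMP type keyword and
# a trailing 'log'. No match means the implicit deny at the end of every ACL.
from dataclasses import dataclass
import ipaddress

PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "domain": 53,
              "snmp": 161, "ntp": 123, "lpd": 515, "cmd": 514}
ICMP_TYPES = {"echo", "echo-reply", "unreachable", "time-exceeded"}


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK or RST bit set: all that 'established' checks
    icmp_type: str = ""   # one of ICMP_TYPES when proto == "icmp"


def _addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' (contiguous wildcard assumed)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(t[i + 1]))
    prefixlen = 32 - wildcard.bit_length()          # 0.0.0.15 -> /28
    return ipaddress.IPv4Network((t[i], prefixlen), strict=False), i + 2


def _port(t, i):
    """Optional 'eq <port>' after an address; returns (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_ace(line):
    """One 'access-list N permit|deny ...' line as a dict; None for remarks."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
        return None
    ace = {"acl": t[1], "action": t[2], "proto": t[3]}
    ace["src"], i = _addr(t, 4)
    ace["sport"], i = _port(t, i)
    ace["dst"], i = _addr(t, i)
    ace["dport"], i = _port(t, i)
    tail = set(t[i:])
    ace["established"] = "established" in tail
    ace["log"] = "log" in tail
    ace["icmp_type"] = next((k for k in tail if k in ICMP_TYPES), None)
    return ace


def matches(ace, pkt):
    """Does one ACE match the packet? Protocol 'ip' matches every protocol."""
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in ace["src"]:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in ace["dst"]:
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.sport:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.dport:
        return False
    if ace["established"] and not pkt.ack:
        return False
    if ace["icmp_type"] and ace["icmp_type"] != pkt.icmp_type:
        return False
    return True


def evaluate(acl_text, pkt):
    """First matching ACE decides; fall through to the implicit deny."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace and matches(ace, pkt):
            return ace["action"]
    return "deny"


# ACL 105 as proposed above, with 'eq' before the ports (IOS rejects a bare
# 'telnet' there) and 192.0.2.190 standing in for x.x.x.190.
ACL_105 = """
access-list 105 permit icmp any host 192.0.2.190 echo
access-list 105 permit icmp any any unreachable
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit tcp any any established
access-list 105 permit udp any eq 53 any
access-list 105 permit tcp host 13.13.13.1 host 192.0.2.190 eq telnet
access-list 105 permit tcp host 14.14.14.1 host 192.0.2.190 eq 22
access-list 105 deny ip any any log
"""


def acl105(pkt):
    """Decision of the proposed T1 inbound ACL for a constructed packet."""
    return evaluate(ACL_105, pkt)
```

The model also shows the stateless gaps a practitioner should keep in mind: "established" passes any TCP segment with ACK or RST set regardless of whether a session exists, and "permit udp any eq 53 any" passes any UDP datagram whose source port happens to be 53, which is what the inspect rules asked about earlier in the thread would close.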
ASKER
Just going to dispense with all the fake IPs and use the real last octet, since I have already screwed up in my posting.
Here is what I have to work with in my Net documentation that I have created.
I will submit a config file for just the router utilizing this info.
NY WAN/LAN IP Information
Cable Public IP Configuration x.x.x.88/29
Network ID x.x.x.88
Mask 255.255.255.248
Inverse Mask x.x.x.7
Broadcast x.x.x.95
Usable Range x.x.x.89-x.x.x.94
IP address assignment
x.x.x.89 – Cable Modem External
x.x.x.90 – public domain name which uses PAT
PAT
80 – x.x.x.101
25 – x.x.x.101
443 – x.x.x.98
515 – x.x.x.99
x.x.x.91 – Outside Global NAT Pool (overload)
x.x.x.92 – ssh
x.x.x.93 – vpn (client and site to site)
x.x.x.94 – Cisco 3725 FastEthernet0/0 (Outside)
MCI T-1 Corp Edge Router to MCI Edge Router IP Configuration x.x.x.188/30
Network ID x.x.x.188
Mask 255.255.255.252
Inverse Mask 0.0.0.3
Broadcast x.x.x.91
Usable Range x.x.x.89 – x.x.x.90
Stub Network IP Configuration x.x.x.96/27 (This is the publicly assigned ip range from MCI T-1) and will be used on the stubnet between the pix and the edge router.
Network ID x.x.x.96
Mask 255.255.255.240
Inverse Mask 0.0.0.15
Broadcast x.x.x.127
Usable Range x.x.x.-x.x.x.230
Usable Range x.x.x.233 – x.x.x.238
IP address assignment
x.x.x.97 – Edge Router Inside interface IP
x.x.x.98 – https to PIX Inside Host
x.x.x.99 – lpd to PIX Inside Host
x.x.x.100 – SSH to PIX Inside Host (This is an SFTP server) (This inside host also is the syslog server)
x.x.x.101 – http/smtp to PIX DMZ Host ====I could split these up
x.x.x.102 – reserved
x.x.x.103 – x.x.x.125 Outside Global NAT Pool for the PIX Outside Interface
x.x.x.126 – Outside Global NAT Pool (PAT) (overload if the first 16 IPs fill up)
DMZ Network IP Configuration 192.168.10.0/24
Network ID 192.168.10.0
Mask 255.255.255.0
Inverse Mask 0.0.0.255
Broadcast 192.168.10.254
Usable Range 192.168.10.1 – 192.168.10.254
IP address assignment
192.168.10.2 – DMZWEB
192.168.10.254 – Pix 515E Ethernet2 (DMZ)
Internal Network IP Configuration 10.10.1.0/24
Network ID 10.10.1.0
Mask 255.255.255.0
Inverse Mask 0.0.0.255
Broadcast 10.10.1.255
Usable Range 10.10.1.1 – 10.10.1.254
10.10.1.254 – Pix 515E Ethernet1 (Inside)
ASKER
>Can I use the ip unnumbered on cable interface as well.
Unfortunately, not. The upstream router must route your subnet through a specified interface in order for you to use unnumbered. No problem with T1 because it is a direct non-broadcast sub-interface. Cable doesn't work that way.
You have little choice but to double-nat for the Cable interface
OK you already answered that. I will build 2 configurations for the PIX so this will be complicated for a failover I suppose. But if I build my config modification lines in a text pad I can easily apply them. I have console level access to all interfaces on my WAN via a Raritan Dominion KX solution.
still working on the configs but I am almost finished.
ASKER
With this access-group applied to the outside interface I could not get out or get in to any servers inside. In my old config I had a line prior to the deny ip any any log that stated permit ip any any. I always thought those were an odd pair since the permit would pretty much negate the usefulness of the deny even if it wasn't implied (or is that only on PIX 6.3 that an automatic deny is applied?)
access-list 105 permit icmp any host <new serial ip> echo <== nothing dangerous about this
access-list 105 permit icmp any any unreachable <== for PMTUD
access-list 105 permit icmp any any echo-reply <== for ping replies
access-list 105 permit icmp any any time-exceeded <== for traceroute
access-list 105 permit tcp any any established <== allow return traffic from outgoing requests
access-list 105 permit udp any eq 53 any <== allow DNS name service
access-list 105 permit tcp host <your ip> host <new serial ip> telnet <== give yourself remote access
access-list 105 permit tcp host <your ip> host <new serial ip> ssh <== preferred over telnet
access-list 105 deny ip any any log <== deny everything else and log all attempts
My old access-group 105
access-list 105 remark T1 outside in
access-list 105 remark Permit MCI ICMP
access-list 105 permit icmp host 153.39.50.6 any
access-list 105 permit icmp host 153.39.57.136 any
access-list 105 permit icmp host 153.39.57.196 any
access-list 105 permit icmp host 153.39.129.196 any
access-list 105 permit icmp host 153.39.129.230 any
access-list 105 permit icmp host 153.39.129.30 any
access-list 105 permit icmp host 153.39.201.154 any
access-list 105 permit icmp host 153.39.201.213 any
access-list 105 permit icmp 199.171.54.0 0.0.0.255 any
access-list 105 remark The next IP is the MCI loopback
access-list 105 permit icmp host 137.39.7.198 any
access-list 105 remark Permit Remote Sites ICMP
access-list 105 permit icmp host 13.13.13.1 any
access-list 105 permit icmp host 14.14.14.1 any
access-list 105 deny icmp any any log
access-list 105 remark block the following ports on the external interface Fa0/0
access-list 105 deny tcp any host 12.12.12.1 eq www log
access-list 105 deny tcp any host 12.12.12.1 eq 443 log
access-list 105 deny tcp any host 12.12.12.1 eq cmd log
access-list 105 remark Deny NTP request outside
access-list 105 deny udp any any eq ntp log
access-list 105 permit ip any any
>I could not get out or get in to any servers inside.
Sorry about that. Yes, you need explicit acl entries for inbound
Your permit ip any any at the end did take care of that for inbound, but it's not a good thing.
Yes, there is an implicit deny all at the end of every acl, even on pix.
The "established" line should have allowed return traffic.
Given your static statements:
ip nat inside source static 192.168.254.238 24.97.211.93
ip nat inside source static tcp 192.168.254.225 80 24.97.211.90 80 extendable
ip nat inside source static tcp 192.168.254.225 25 24.97.211.90 25 extendable
ip nat inside source static tcp 192.168.254.235 443 24.97.211.90 443 extendable
ip nat inside source static tcp 192.168.254.228 515 24.97.211.90 515 extendable
ip nat inside source static 192.168.254.226 24.97.211.92
Which ports inbound do you need for .92 and .93?
New ACL 105 example (removed all <== comment lines)
access-list 105 permit icmp any host <new serial ip> echo
access-list 105 permit icmp any any unreachable
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit tcp any any established
access-list 105 permit udp any eq 53 any
access-list 105 permit tcp host <your ip> host <new serial ip> telnet
access-list 105 permit tcp host <your ip> host <new serial ip> ssh
access-list 105 permit tcp any host 24.97.211.90 eq www
access-list 105 permit tcp any host 24.97.211.90 eq 443
access-list 105 permit tcp any host 24.97.211.90 eq smtp
access-list 105 permit tcp any host 24.97.211.90 eq 515
access-list 105 deny ip any any log
You can use the log ("show log") to see what ports/IPs are being denied for troubleshooting.
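An added example, not code from this thread or from Cisco: a small Python evaluator that applies the first-match rule and the implicit deny discussed above to the old ACL 105 and to the replacement, and then checks each of the NAT statics against the list. It assumes constructed RFC 5737 addresses (198.51.100.7 as an outside host, 203.0.113.10 for <your ip>, 192.0.2.190 for <new serial ip>), writes the ssh entry as "eq ssh", the form IOS expects, and handles only the "eq" port operator.

```python
"""Added example, not code from the thread: a first-match evaluator for Cisco IOS
extended ACLs, applied to the old and the replacement ACL 105 and to the NAT statics."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53, "telnet": 23, "ssh": 22, "ntp": 123}


@dataclass
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False    # ACK/RST bit set: all that the "established" keyword checks
    icmp_type: str = ""  # "echo", "echo-reply", ...


def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i + 1] == "0.0.0.0":  # wildcard 0.0.0.0 is the old spelling of 'host'
        return ipaddress.ip_network(tok[i] + "/32"), i + 2
    # ipaddress accepts a dotted hostmask, i.e. a Cisco wildcard, after the slash
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _port(tok, i):
    """Parse an optional 'eq PORT' at tok[i] (the only port operator used here)."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] ...' lines."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list" or tok[2] == "remark":
            continue
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        flags = set(tok[i:]) - {"log"}           # 'log' never affects matching
        icmp = "".join(flags - {"established"})  # at most one ICMP type name remains
        aces.append((tok[2], tok[3], src, sport, dst, dport, "established" in flags, icmp))
    return aces


def evaluate(aces, pkt):
    """Top-down, first match wins; running off the end is the (unlogged) implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src, sport, dst, dport, estab, icmp in aces:
        if proto not in ("ip", pkt.proto) or s not in src or d not in dst:
            continue
        if sport not in (None, pkt.sport) or dport not in (None, pkt.dport):
            continue
        if (estab and not pkt.ack) or (icmp and icmp != pkt.icmp_type):
            continue
        return action
    return "implicit-deny"


def probe_statics(aces, nat_text, outside_host="198.51.100.7"):
    """Would a brand-new inbound connection to each static's global address pass the ACL?
    A port-less static is probed on dport 0, which only a permit without a port can match."""
    verdicts = {}
    for line in nat_text.strip().splitlines():
        tok = line.split()
        if tok[5] in ("tcp", "udp"):   # ... static tcp LOCAL LPORT GLOBAL GPORT
            proto, gip, gport = tok[5], tok[8], int(tok[9])
        else:                          # ... static LOCAL GLOBAL
            proto, gip, gport = "tcp", tok[6], 0
        verdicts[f"{gip}/{proto}/{gport}"] = evaluate(
            aces, Packet(proto, outside_host, gip, sport=40000, dport=gport))
    return verdicts


# Statics and ACL entries below are copied from the thread (abridged).
NAT_STATICS = """
ip nat inside source static 192.168.254.238 24.97.211.93
ip nat inside source static tcp 192.168.254.225 80 24.97.211.90 80 extendable
ip nat inside source static 192.168.254.226 24.97.211.92
"""
OLD_ACL = """
access-list 105 permit icmp 199.171.54.0 0.0.0.255 any
access-list 105 deny icmp any any log
access-list 105 permit ip any any
"""
# 192.0.2.190 stands in for <new serial ip>, 203.0.113.10 for <your ip> (constructed).
NEW_ACL = """
access-list 105 permit icmp any host 192.0.2.190 echo
access-list 105 permit tcp any any established
access-list 105 permit udp any eq 53 any
access-list 105 permit tcp host 203.0.113.10 host 192.0.2.190 eq ssh
access-list 105 permit tcp any host 24.97.211.90 eq www
access-list 105 deny ip any any log
"""
```

Dropping the final "deny ip any any log" entry changes nothing but the logging: the evaluator then reports the implicit deny instead of the explicit one.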
ASKER
I had to do a console line-by-line entry of the ACLs. The ones above would not be applicable to how it was set up. One thing I did do is save the config as I had it. Let me work it over and post both the edge router and the PIX config files to see how I had it set up. Just so you know, I could pass icmp/smtp traffic between the inside and the DMZ no problem. I could ping out from the inside and DMZ via IP with no problem. It is when I wanted to resolve host names from inside or DMZ, or gain access from outside to the network.
I may have messed up with the stub network config. I could ping MCI's side of the network with no problem so I know I could get to the next hop from the dmz or inside.
thanks for your help with this I will get my configs posted up shortly
ASKER
OK here is my routers config file. I am using acl 105 since it is applied to the serial0/0.1 int
!------------------------- ---------- ---------- ---------- ---------- ---------- -
!version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime year
service password-encryption
service sequence-numbers
!
hostname PIX
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging count
logging buffered 4096 debugging
no logging console
no logging monitor
enable secret ********************
!
username ***** privilege 15 password ************
clock timezone EST -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
!
!
!
ip cef
no ip bootp server
no ip domain lookup
no ftp-server write-enable
!
!
!
!
interface Loopback0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description Outside Interface TW Cable
ip address x.x.x.94 255.255.255.248
ip access-group 103 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface Serial0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation frame-relay
ip route-cache flow
!
interface Serial0/0.1 point-to-point(/30 subnet provided by MCI for edge networks. My side .190 MCI's .189)
description Outside Interface MCI T-1 Point-to-point
ip address x.x.x.190 255.255.255.252
ip access-group 105 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
no cdp enable
frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/1
description Inside Interface NY3725
ip address x.x.x.97 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
!
no ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.189 <==== MCI's side of the stub outer network.
ip route 0.0.0.0 0.0.0.0 x.x.x.89 100 <=== cisco cable modem br900
ip http server
ip http access-class 2
ip http authentication local
!
access-list 1 remark Cable NAT pool
access-list 1 permit x.x.x..96 0.0.0.15
access-list 2 remark http access to SDM
access-list 2 permit x.x.x..96 0.0.0.15
access-list 10 remark Cable NAT Source list
access-list 10 permit x.x.x..96 0.0.0.15
access-list 102 remark vty 04 access in
access-list 103 remark applied to the cable traffic IN interface Fa0/0
access-list 103 permit icmp any x.x.x.88 0.0.0.7 echo
access-list 103 permit icmp any any unreachable
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit tcp any any established
access-list 103 permit udp any eq domain any
access-list 103 deny ip any any log
access-list 105 remark applied to the T-1 traffic in Interface Serial0/0.1
access-list 105 permit icmp any x.x.x.188 0.0.0.3 echo
access-list 105 permit icmp any any unreachable
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit tcp any any established
access-list 105 permit udp any eq domain any
access-list 105 deny ip any any log
access-list 110 remark double NAT Scenario for cable Connection
access-list 110 permit ip host x.x.x.225 any
access-list 110 permit ip host x.x.x.226 any
access-list 110 permit ip host x.x.x.227 any
access-list 110 permit ip host x.x.x.228 any
no cdp run
banner login ^CAuthorized access only
!
Disconnect IMMEDIATELY as you are not an authorized user! ^C
!
line con 0
password **********
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
session-timeout 30
privilege level 15
login local
transport input telnet
transport output telnet
!
scheduler allocate 4000 1000
ntp clock-period 17180446
!
end
ASKER
Here is my Config on the PIX. Thanks for any assistance.
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password ********* encrypted
passwd ********** encrypted
hostname Pix
domain-name domain.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list outside_cryptomap_20 permit ip x.x.1.0 255.255.255.0 x.x.2.0 255.255.255.0
access-list outside_access_in permit icmp any any echo
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in remark next 2 lines are for web access to dmz web/mail relay server host .101 is translated on pix outside
access-list outside_access_in permit tcp any host x.x.x.101 eq www
access-list outside_access_in permit tcp any host x.x.x.101 eq smtp
access-list outside_access_in remark access from home network to ssh server
access-list outside_access_in permit tcp host x.x.x.97 host x.x.x.100 eq ssh
access-list inside_access_in remark allow exchange to send smtp to dmz relay server traffic
access-list inside_access_in permit tcp host x.x.1.2 host x.x.10.2 eq smtp
access-list inside_access_in remark deny all other inside hosts from sending smtp traffic out
access-list inside_access_in deny tcp any any eq smtp log
access-list inside_access_in permit ip any any
access-list DMZ_access_in remark allow all dmz hosts to query dns
access-list DMZ_access_in permit tcp x.x.10.0 255.255.255.0 any eq domain
access-list DMZ_access_in remark allow dmz mail relay server to send mail to inside exchange
access-list DMZ_access_in permit tcp host x.x.10.2 host x.x.1.2 eq smtp
access-list DMZ_access_in remark not sure why this line is here must have been a double finger entry
access-list DMZ_access_in permit tcp host x.x.10.2 host x.x.1.2
access-list DMZ_access_in permit ip any any
access-list inside_outbound_nat0_acl remark no nat on ipsec site to site traffic across the wan
access-list inside_outbound_nat0_acl permit ip x.x.1.0 255.255.255.0 x.x.2.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap informational
logging facility 23
logging device-id hostname
logging host inside x.x.1.3
icmp permit any unreachable outside <========since I am applying icmp rules via acls do I need these globals?
icmp permit any echo-reply outside <========ditto
icmp permit any timestamp-request outside <======ditto
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside x.x.x.126 255.255.255.224
ip address inside x.x.1.254 255.255.255.0
ip address DMZ x.x.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN x.x.x.10-x.x.x.19
pdm location x.x.x.0 255.255.255.0 inside
pdm location x.x.x.2 255.255.255.255 inside
pdm location x.x.x.0 255.255.255.0 inside
pdm location x.x.x.97 255.255.255.255 outside
pdm location x.x.x.197 255.255.255.255 outside
pdm location x.x.x.0 255.255.255.0 outside
pdm location x.x.x.3 255.255.255.255 inside
pdm location x.x.x.24 255.255.255.255 inside
pdm location x.x.x.2 255.255.255.255 DMZ
pdm location x.x.x.0 255.255.255.0 outside
pdm location x.x.x.0 255.255.255.0 outside
pdm location x.x.x.237 255.255.255.255 outside
pdm location x.x.x.13 255.255.255.255 outside
pdm location x.x.x.0 255.255.255.0 outside
pdm location x.x.x.94 255.255.255.255 outside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 100 x.x.x.103-x.x.x.124 netmask 255.255.255.224
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 100 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.98 x.x.1.2 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.99 x.x.1.24 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.100 x.x.1.3 netmask 255.255.255.255 0 0
static (DMZ,outside) x.x.x.101 x.x.10.2 netmask 255.255.255.255 0 0
static (inside,DMZ) x.x.1.2 x.x.1.2 netmask 255.255.255.255 0 0
static (inside,DMZ) x.x.1.3 x.x.1.3 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 157.130.10.189 1
timeout xlate 0:30:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authorization command LOCAL
http server enable
http x.x.1.0 255.255.255.0 inside
http x.x.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.197
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.197 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpngroupname address-pool VPN
vpngroup vpngroupname dns-server x.x.1.1
vpngroup vpngroupname default-domain bka.local
vpngroup vpngroupname pfs
vpngroup vpngroupname idle-time 1800
vpngroup vpngroupname password ********
telnet x.x.1.0 255.255.255.0 inside
telnet x.x.2.0 255.255.255.0 inside
telnet timeout 5
ssh x.x.x.97 255.255.255.255 outside
ssh x.x.x.197 255.255.255.255 outside
ssh x.x.1.0 255.255.255.0 inside
ssh x.x.2.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 15
username ******* password ******** encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:*********** ********** **
: end
[OK]
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpngroupname address-pool VPN
vpngroup vpngroupname dns-server x.x.1.1
vpngroup vpngroupname default-domain bka.local
vpngroup vpngroupname pfs
vpngroup vpngroupname idle-time 1800
vpngroup vpngroupname password ********
telnet x.x.1.0 255.255.255.0 inside
telnet x.x.2.0 255.255.255.0 inside
telnet timeout 5
ssh x.x.x.97 255.255.255.255 outside
ssh x.x.x.197 255.255.255.255 outside
ssh x.x.1.0 255.255.255.0 inside
ssh x.x.2.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 15
username ******* password ******** encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:***********
: end
[OK]
Interface Fast 0/1 still has to be identified as nat inside for the cable connection to work.
With acl 105 applied as it is, you won't have any access to any server services from outside.
What you really want to be careful of is setting too extensive of an acl on the router, and then having the same acl applied on the PIX. Makes troubleshooting very difficult.
Let the router do its thing - pass packets as quickly as possible.
Let the PIX do its thing - block all unwanted traffic to internal hosts.
The ACL on the router should do nothing more than protect the router itself.
Since you protect the router internal http server with an access-class, and you protect the telnet vty with an access-class, there is virtually no real reason to run "any" access-list on the external interface.
ASKER
I am following you. So since my PIX config is managing access via this config:
PIX
ip address outside x.x.x.126 255.255.255.224
ip address inside x.x.1.254 255.255.255.0
ip address DMZ x.x.10.254 255.255.255.0
access-group outside_access_in in interface outside
static (inside,outside) x.x.x.98 x.x.1.2 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.99 x.x.1.24 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.100 x.x.1.3 netmask 255.255.255.255 0 0
static (DMZ,outside) x.x.x.101 x.x.10.2 netmask 255.255.255.255 0 0
access-list outside_access_in permit icmp any any echo
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in remark next 2 lines are for web access to dmz web/mail relay server host .101 is translated on pix outside
access-list outside_access_in permit tcp any host x.x.x.101 eq www
access-list outside_access_in permit tcp any host x.x.x.101 eq smtp
access-list outside_access_in remark access from home network to ssh server
access-list outside_access_in permit tcp host x.x.x.97 host x.x.x.100 eq ssh
Edge Router
interface Serial0/0.1 point-to-point (/30 subnet provided by MCI for edge networks. My side .190, MCI's .189)
description Outside Interface MCI T-1 Point-to-point
ip address x.x.x.190 255.255.255.252
ip access-group 105 in
then I can do a no access-group 105 on the serial0/0.1 interface
access-list 105 remark applied to the T-1 traffic in Interface Serial0/0.1
access-list 105 permit icmp any x.x.x.188 0.0.0.3 echo
access-list 105 permit icmp any any unreachable
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit tcp any any established
access-list 105 permit udp any eq domain any
access-list 105 deny ip any any log
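As an added illustration (not config or code from the thread), the small Python evaluator below models the two ACLs quoted above and shows why new inbound connections to the published web server die at the router's ACL 105 (a SYN never matches `established`) while the PIX outside_access_in would have permitted them. The masked x.x.x addresses are replaced by constructed 203.0.113.x values, and the ICMP lines are left out because they do not affect the point.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
# Constructed stand-in for the masked x.x.x.101 (PIX static for the DMZ web/mail relay).
WEB_RELAY = ipaddress.ip_network("203.0.113.101/32")

# Rule: (proto, src_net, src_port, dst_net, dst_port, established_only, action)
# None matches any port. Lines are kept in the order the thread shows them.
ROUTER_ACL_105 = [
    ("tcp", ANY, None, ANY, None, True,  "permit"),  # permit tcp any any established
    ("udp", ANY, 53,   ANY, None, False, "permit"),  # permit udp any eq domain any
    ("ip",  ANY, None, ANY, None, False, "deny"),    # deny ip any any log
]
PIX_OUTSIDE_ACCESS_IN = [
    ("tcp", ANY, None, WEB_RELAY, 80, False, "permit"),  # permit tcp any host x.x.x.101 eq www
    ("tcp", ANY, None, WEB_RELAY, 25, False, "permit"),  # permit tcp any host x.x.x.101 eq smtp
    ("ip",  ANY, None, ANY, None, False, "deny"),        # the implicit deny at the end of an ACL
]

def evaluate(acl, proto, src, sport, dst, dport, ack=False):
    """First matching line decides, as on IOS and PIX; 'established' needs ACK (or RST) set."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p, snet, sp, dnet, dp, est_only, action in acl:
        if p != "ip" and p != proto:
            continue
        if src not in snet or dst not in dnet:
            continue
        if sp is not None and sp != sport:
            continue
        if dp is not None and dp != dport:
            continue
        if est_only and not ack:   # a fresh SYN has no ACK, so it never matches 'established'
            continue
        return action
    return "deny"  # implicit deny when nothing matched

def inbound_syn_to_web_relay(src="198.51.100.7"):
    """A new client SYN to the published web server, checked against both devices."""
    args = ("tcp", src, 51000, "203.0.113.101", 80)
    return {"router_acl_105": evaluate(ROUTER_ACL_105, *args, ack=False),
            "pix_outside_in": evaluate(PIX_OUTSIDE_ACCESS_IN, *args, ack=False)}

if __name__ == "__main__":
    print(inbound_syn_to_web_relay())  # router denies, PIX permits
    # Return traffic for an inside-initiated session carries ACK, so ACL 105 lets it through
    # (203.0.113.110 is a constructed address from the PIX global PAT pool range).
    print(evaluate(ROUTER_ACL_105, "tcp", "198.51.100.7", 80, "203.0.113.110", 40000, ack=True))
```

Running it shows the router ACL returning "deny" and the PIX ACL returning "permit" for the same SYN, which is exactly why removing 105 from Serial0/0.1 and leaving the filtering to the PIX restores access to the published services.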
>then I can do a no access-group 105 on the serial0/0.1 interface
Exactly. Looks like you're on the right track.
ASKER
Ok, I will give that a try this eve and post my results when finished. Can't interrupt business flow. Man, do I need to get my tftp server back up and running. Line by line is for the birds!!!!!!
I like Pumpkin tftp server
http://www.klever.net
Else SolarWinds tftp server (I like ALL of their stuff!)
http://www.solarwinds.net/Download-Tools.htm
ASKER
I have used solarwinds but I will check into pumpkin thanks.
ASKER
OK, much has happened since I last commented. I guess I had to learn the hard way, ole trial and error. Thanks to lrmoore's suggestions on tftp and my re-familiarization with the protocol, I was able to save all my config and flash images. Even when I erased the flash by accident I was able to go through ROMMON and use tftpdnld (once again per lrmoore's post in another article) and restore my router back to the newest config.
Thanks lrmoore. I have increased my throughput 88% (by removing all the unnecessary acls on my edge router and just letting it route, allowing my pix to take up the load). Packet time through the tunnel used to take 72ms but now only takes 12 - 15ms!!!!! My replications are going to be real happy now.
Glad to hear it, grasshopper!
interface Fast0/1
ip policy route-map UseTW