Cisco 8xx VPN + Firewall

Posted on 2006-04-17
Last Modified: 2013-11-16
The internal network (192.168.254.x) gets outside via NAT.
I need port forwarding to the internal server (192.168.254.11) for email, etc.
VPN clients come in on IP range 192.168.253.11 to 15.

Everything basically works, but the server (192.168.254.11) cannot perform DNS lookups. I don't understand why. I can access port 80, 25 etc. on outside systems, but using nslookup to outside servers yields nothing.

The configuration looks like this:

gateway#  sh run
Building configuration...

Current configuration : 9722 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gateway
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$e9g.$lRTPAodO4zz2PFK4/NxKl0
!
username admin privilege 15 secret 5 $1xxxxxxxxxxxxxxxxxxx
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef    
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name integrated-lam.com
ip name-server 192.168.254.11
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 fragment maximum 256 timeout 1
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group ciscovpn
 key my$ecret$
 dns 192.168.254.11
 wins 192.168.254.11
 domain iss.l
 pool SDM_POOL_1
 acl 103
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!        
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 70.1.238.98 255.255.255.224
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.254.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.253.11 192.168.253.15
ip classless
ip route 0.0.0.0 0.0.0.0 70.1.238.97
!        
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static 192.168.254.11 70.1.238.125 route-map SDM_RMAP_2
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.254.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.0.0 0.0.255.255
access-list 2 permit 208.0.0.0 0.255.255.255
access-list 2 permit 69.0.0.0 0.255.255.255
access-list 2 permit 68.0.0.0 0.255.255.255
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 70.1.238.96 0.0.0.31 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto-generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 192.168.253.11 192.168.254.0 0.0.0.255
access-list 101 permit ip host 192.168.253.12 192.168.254.0 0.0.0.255
access-list 101 permit ip host 192.168.253.13 192.168.254.0 0.0.0.255
access-list 101 permit ip host 192.168.253.14 192.168.254.0 0.0.0.255
access-list 101 permit ip host 192.168.253.15 192.168.254.0 0.0.0.255
access-list 101 permit udp any host 70.1.238.98 eq non500-isakmp
access-list 101 permit udp any host 70.1.238.98 eq isakmp
access-list 101 permit esp any host 70.1.238.98
access-list 101 permit ahp any host 70.1.238.98
access-list 101 permit tcp 192.168.0.0 0.0.255.255 host 70.1.238.98 eq telnet
access-list 101 permit tcp 208.0.0.0 0.255.255.255 host 70.1.238.98 eq telnet
access-list 101 permit tcp 69.0.0.0 0.255.255.255 host 70.1.238.98 eq telnet
access-list 101 permit tcp 68.0.0.0 0.255.255.255 host 70.1.238.98 eq telnet
access-list 101 permit tcp 192.168.0.0 0.0.255.255 host 70.1.238.98 eq 22
access-list 101 permit tcp 208.0.0.0 0.255.255.255 host 70.1.238.98 eq 22
access-list 101 permit tcp 69.0.0.0 0.255.255.255 host 70.1.238.98 eq 22
access-list 101 permit tcp 68.0.0.0 0.255.255.255 host 70.1.238.98 eq 22
access-list 101 permit tcp 192.168.0.0 0.0.255.255 host 70.1.238.98 eq www
access-list 101 permit tcp 208.0.0.0 0.255.255.255 host 70.1.238.98 eq www
access-list 101 permit tcp 69.0.0.0 0.255.255.255 host 70.1.238.98 eq www
access-list 101 permit tcp 68.0.0.0 0.255.255.255 host 70.1.238.98 eq www
access-list 101 permit tcp 192.168.0.0 0.0.255.255 host 70.1.238.98 eq 443
access-list 101 permit tcp 208.0.0.0 0.255.255.255 host 70.1.238.98 eq 443
access-list 101 permit tcp 69.0.0.0 0.255.255.255 host 70.1.238.98 eq 443
access-list 101 permit tcp 68.0.0.0 0.255.255.255 host 70.1.238.98 eq 443
access-list 101 permit tcp 192.168.0.0 0.0.255.255 host 70.1.238.98 eq cmd
access-list 101 permit tcp 208.0.0.0 0.255.255.255 host 70.1.238.98 eq cmd
access-list 101 permit tcp 69.0.0.0 0.255.255.255 host 70.1.238.98 eq cmd
access-list 101 permit tcp 68.0.0.0 0.255.255.255 host 70.1.238.98 eq cmd
access-list 101 permit udp any host 70.1.238.98 eq snmp
access-list 101 deny   tcp any host 70.1.238.98 eq telnet
access-list 101 deny   tcp any host 70.1.238.98 eq cmd
access-list 101 permit tcp any host 70.1.238.125 eq 443
access-list 101 permit tcp any host 70.1.238.125 eq www
access-list 101 permit tcp any host 70.1.238.125 eq smtp
access-list 101 permit tcp any host 70.1.238.125 eq 3389
access-list 101 permit udp host 192.168.254.11 eq domain host 70.1.238.98
access-list 101 deny   ip 192.168.254.0 0.0.0.255 any
access-list 101 permit icmp any host 70.1.238.98 traceroute
access-list 101 permit icmp any host 70.1.238.98 echo
access-list 101 permit icmp any host 70.1.238.98 echo-reply
access-list 101 permit icmp any host 70.1.238.98 time-exceeded
access-list 101 permit icmp any host 70.1.238.98 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 208.0.0.0 0.255.255.255 any
access-list 102 permit ip 68.0.0.0 0.255.255.255 any
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 192.168.254.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=2
access-list 104 deny   ip 192.168.254.0 0.0.0.255 host 192.168.253.11
access-list 104 deny   ip 192.168.254.0 0.0.0.255 host 192.168.253.12
access-list 104 deny   ip 192.168.254.0 0.0.0.255 host 192.168.253.13
access-list 104 deny   ip 192.168.254.0 0.0.0.255 host 192.168.253.14
access-list 104 deny   ip 192.168.254.0 0.0.0.255 host 192.168.253.15
access-list 104 deny   ip host 192.168.254.11 any
access-list 104 permit ip 192.168.254.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=2
access-list 105 deny   ip host 192.168.254.11 host 192.168.253.15
access-list 105 deny   ip host 192.168.254.11 host 192.168.253.14
access-list 105 deny   ip host 192.168.254.11 host 192.168.253.13
access-list 105 deny   ip host 192.168.254.11 host 192.168.253.12
access-list 105 deny   ip host 192.168.254.11 host 192.168.253.11
access-list 105 permit ip host 192.168.254.11 any
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
route-map SDM_RMAP_2 permit 1
 match ip address 105
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport preferred all
 transport output telnet
line aux 0
 transport preferred all
 transport output telnet
line vty 0 4
 access-class 102 in
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

gateway#
Question by: bbrendon

Accepted Solution by: stressedout2004 (earned 2000 total points)
ID: 16472236
By default, nslookup uses UDP instead of TCP. Looking at your configuration, you are using IP inspect and you have an inbound access-list on int fe0/4. Add the following IP inspect rule:

ip inspect name DEFAULT100 udp


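Why the accepted answer works, as an added example that is not part of the original thread: a small model of the router's inbound decision on FastEthernet4. Inbound ACL 101 ends in "deny ip any any", so return traffic for a flow the NATed server started only gets in through a dynamic entry that CBAC ("ip inspect DEFAULT100 out") creates for protocols it inspects. The posted DEFAULT100 list inspects tcp but not udp, so DNS replies are dropped while SMTP and HTTP work; the external resolver address and the ephemeral port are constructed values.

```python
from dataclasses import dataclass

OUTSIDE_IP = "70.1.238.98"   # FastEthernet4 address, from the posted config
SERVER_NAT = "70.1.238.125"  # static NAT address of 192.168.254.11


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def acl101_permits(p: Packet) -> bool:
    """Static ACL 101 lines relevant to DNS. The only DNS-related permit uses the
    server's *private* address and source port 53 toward the router's own address,
    so a real reply (external resolver -> 70.1.238.125) never matches it and falls
    through to the final 'deny ip any any'."""
    return (p.proto == "udp" and p.src == "192.168.254.11"
            and p.sport == 53 and p.dst == OUTSIDE_IP)


class Router:
    def __init__(self, inspect_protocols):
        self.inspect = set(inspect_protocols)   # "ip inspect name DEFAULT100 <proto>"
        self.sessions = set()                   # dynamic CBAC entries for expected replies

    def send_out(self, p: Packet) -> None:
        """Outbound on Fa4 after NAT: CBAC records the session only for inspected protocols."""
        if p.proto in self.inspect:
            self.sessions.add(Packet(p.proto, p.dst, p.dport, p.src, p.sport))

    def accept_in(self, p: Packet) -> bool:
        """Inbound on Fa4: dynamic inspect entries are checked before the static ACL."""
        return p in self.sessions or acl101_permits(p)


def reply_gets_in(proto: str, dport: int, inspect_protocols) -> bool:
    """The server (seen outside as 70.1.238.125) contacts a constructed external host;
    return whether that host's reply passes inbound on FastEthernet4."""
    r = Router(inspect_protocols)
    peer = "203.0.113.53"   # constructed external resolver/server address
    r.send_out(Packet(proto, SERVER_NAT, 40000, peer, dport))
    return r.accept_in(Packet(proto, peer, dport, SERVER_NAT, 40000))


if __name__ == "__main__":
    print("SMTP reply, posted config:", reply_gets_in("tcp", 25, ["tcp"]))
    print("DNS reply, posted config:", reply_gets_in("udp", 53, ["tcp"]))
    print("DNS reply with 'ip inspect name DEFAULT100 udp':", reply_gets_in("udp", 53, ["tcp", "udp"]))
```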