Solved

Need help getting Cisco Router Configuration finished

Posted on 2006-06-10
588 Views
Last Modified: 2010-04-17
I used the Cisco ConfigMaker and a bunch of internet reading to get me this far in configuring my Cisco 3620 Router.  I used the NAT option in the ConfigMaker, and then added the additional access-list items shown below.

From the way I read it - this should work.  When I put it into a live environment - I get no traffic out, and no traffic in (at least - the web server is not accessible).

This is going into a COLO space - so I want to get config right before having to run back in there.

Please let me know what I am missing - it must be something simple...
Question by:bwasyliuk
Author Comment

by:bwasyliuk
ID: 16878873
Cisco3620#sho run
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Cisco3620
!
enable password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
ip subnet-zero
no ip domain-lookup
!
!
!
interface Ethernet0/0
 description connected to Internet
 ip address xxx.xxx.xx2.66 255.255.255.240
 ip access-group 101 in
 no ip directed-broadcast
 ip nat outside
!
interface Ethernet0/1
 description connected to EthernetLAN
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in
 no ip directed-broadcast
 ip nat inside
!
router rip
 version 2
 passive-interface Ethernet0/0
 network 192.168.0.0
 no auto-summary
!
ip nat inside source list 1 interface Ethernet0/0 overload
ip nat inside source static tcp 192.168.0.25 1433 xxx.xxx.xx2.66 1433 extendable
ip nat inside source static tcp 192.168.0.24 80 xxx.xxx.xx2.66 80 extendable
ip nat inside source static tcp 192.168.0.27 21 xxx.xxx.xx2.66 21 extendable
ip nat inside source static tcp 192.168.0.27 20 xxx.xxx.xx2.66 20 extendable
ip nat inside source static tcp 192.168.0.27 25 xxx.xxx.xx2.66 25 extendable
ip nat inside source static tcp 192.168.0.27 110 xxx.xxx.xx2.66 110 extendable
ip nat inside source static tcp 192.168.0.26 80 xxx.xxx.xx2.66 8081 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xx2.65
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit tcp any any established
access-list 101 permit tcp any host xxx.xxx.xx2.66 eq www
access-list 101 permit tcp any host xxx.xxx.xx2.66 eq 8081
access-list 101 permit tcp host 111.222.224.174 host xxx.xxx.xx2.66 eq 1433
access-list 101 permit tcp host 222.111.163.228 host xxx.xxx.xx2.66 eq 1433
access-list 101 permit tcp host 212.121.32.242 host xxx.xxx.xx2.66 eq 1433
access-list 101 permit tcp any host xxx.xxx.xx2.66 range ftp-data ftp
access-list 101 permit tcp any host xxx.xxx.xx2.66 eq pop3
access-list 101 permit tcp any host xxx.xxx.xx2.66 eq smtp
access-list 101 deny   ip any host xxx.xxx.xx2.66
snmp-server community public RO
!
line con 0
 exec-timeout 0 0
 password 7 xxxxxxxxxxxxxxxxxxx
 login
 transport input none
line aux 0
line vty 0 4
 password 7 xxxxxxxxxxxxxxxxxxx
 login
!
end
Expert Comment

by:grsteed
ID: 16879610
You have your access lists applied in the wrong direction. They should be set as outbound instead of inbound. (ip access-group 100 out, ip access-group 101 out)

The direction is from the perspective of the interface/router.  So in would be into the interface from the attached network and out to the attached network.

Hope this helps

Gary


Author Comment

by:bwasyliuk
ID: 16879860
I'm not saying you are wrong... but switching the in's to out's really seems backwards to me. Here is how I currently read it:

ACL100 is applied to E0/1 (connected to the "inside network")
ACL101 is applied to E0/0 (connected to the internet)

ACL100 says permit ANY IP traffic IN to the router on interface E0/1 (which to me says any inside server can connect to the internet)

ACL101 has multiple rules saying which traffic can come IN from "the internet" (such as, certain traffic will be accepted, ex. HTTP port 80)

This seems right to me, can you explain where I am misunderstanding?
Expert Comment

by:grsteed
ID: 16879932
Well, for ACL100 it doesn't really matter since it is permitting any any.

For ACL101, this line "access-list 101 permit tcp any host xxx.xxx.xx2.66 eq www" is saying to permit any Source address coming IN on that interface access to port 80 on xxx.xxx.xx2.66.

Now that I look at that, I've never seen an access-list filtering on the IP of the router interface. Normally it's filtering an IP of a server that exists on that network.  

Since I've never tried to apply ACLs on a NAT interface, I'm going to have to withdraw my comment above and let the other Experts chime in.

I'll be interested in what they have to say.

Gary
Accepted Solution

by:
lrmoore earned 500 total points
ID: 16880535
It looks like you are simply missing allowing udp in on acl 101 for DNS name resolution

add this line to acl 101
  access-list 101 permit udp any eq 53 any

Change the last line of acl 101 from:
 >access-list 101 deny   ip any host xxx.xxx.xx2.66

To this:
 access-list 101 deny ip any any log

The "log" keyword makes troubleshooting easier. Remember that you have to take these steps to change an acl:
1 - remove from interface
2 - delete the acl
3 - re-create the acl in new order
4 - re-apply acl to the interface

Suggest also removing acl 100 from the inside interface. Allow any any is default and requires no acl. The only time you want to put an acl is if you want to change that and restrict something. Inbound from Public you certainly want to keep the acl.
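As an added illustration of the accepted answer (example code written for this page, not from the thread or from lrmoore): a small first-match evaluator for the acl 101 syntax used above, run against constructed packets. 203.0.113.66 stands in for the masked public address xxx.xxx.xx2.66 and 198.51.100.0/24 plays the Internet side; the packets are constructed samples, not captures.

```python
# Added example (not from the thread): a first-match evaluator for the subset of
# Cisco extended-ACL syntax used in acl 101, run against constructed packets.
# 203.0.113.66 stands in for the masked xxx.xxx.xx2.66; 198.51.100.0/24 is the
# constructed Internet side.
PORTS = {"www": 80, "ftp": 21, "ftp-data": 20, "pop3": 110, "smtp": 25, "domain": 53}

def _addr(t):  # consume 'any' | 'host X' -> (matcher, remaining tokens)
    if t[0] == "any":
        return (lambda ip: True), t[1:]
    if t[0] == "host":
        return (lambda ip, h=t[1]: ip == h), t[2:]
    raise ValueError("wildcard masks are outside this example's scope")

def _ports(t):  # consume optional 'eq N' -> (matcher, remaining tokens)
    if t and t[0] == "eq":
        n = PORTS.get(t[1]) or int(t[1])
        return (lambda x: x == n), t[2:]
    return (lambda x: True), t

def parse_acl(text):
    rules = []
    for line in filter(str.strip, text.splitlines()):
        t = line.split()  # access-list 101 <action> <proto> <src> [eq N] <dst> [eq N] [established|log]
        action, proto, rest = t[2], t[3], t[4:]
        src, rest = _addr(rest); sport, rest = _ports(rest)
        dst, rest = _addr(rest); dport, rest = _ports(rest)
        rules.append((action, proto, src, sport, dst, dport, "established" in rest))
    return rules

def evaluate(rules, pkt):
    """First match wins; unmatched packets hit the implicit 'deny ip any any'. 'ack' = TCP ACK/RST."""
    for action, proto, src, sport, dst, dport, est in rules:
        if proto not in ("ip", pkt["proto"]):
            continue
        if est and not (pkt["proto"] == "tcp" and pkt["ack"]):
            continue
        if src(pkt["src"]) and sport(pkt["sport"]) and dst(pkt["dst"]) and dport(pkt["dport"]):
            return action
    return "deny"

ORIGINAL_ACL = """
access-list 101 permit tcp any any established
access-list 101 permit tcp any host 203.0.113.66 eq www
access-list 101 deny ip any host 203.0.113.66
"""
# lrmoore's fix: DNS answers arrive over UDP from source port 53, which the
# TCP-only 'established' rule can never match, so they need their own permit.
FIXED_ACL = "access-list 101 permit udp any eq 53 any\n" + ORIGINAL_ACL.replace(
    "deny ip any host 203.0.113.66", "deny ip any any log")
DNS_REPLY = dict(proto="udp", src="198.51.100.53", sport=53, dst="203.0.113.66", dport=40000, ack=False)
HTTP_SYN = dict(proto="tcp", src="198.51.100.9", sport=51000, dst="203.0.113.66", dport=80, ack=False)
WEB_RETURN = dict(proto="tcp", src="198.51.100.80", sport=80, dst="203.0.113.66", dport=50000, ack=True)
```

Running `evaluate(parse_acl(ORIGINAL_ACL), DNS_REPLY)` returns "deny" while the fixed list returns "permit", which is exactly the symptom the thread describes: outbound TCP works via `established`, but every DNS answer is dropped.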
Expert Comment

by:lrmoore
ID: 16880541
Also, can you look at the result of "show ip int brief" and see that both interfaces are up / up? Neither one is "Administratively down"?
Author Comment

by:bwasyliuk
ID: 16881108
So if I understand correctly, the line
access-list 101 permit udp any eq 53 any

will be when an "inside" server does a DNS request, the returning traffic from the request is on UDP 53?

That would explain why I could not seem to browse the internet from an inside computer.

Is there anything obvious why I could not bring up the website (port 80) from an outside connection?

Is that why you are suggesting to use the "log" keyword?  Where does it log to, do I have to have the console connected to watch the log output?

Also, I checked the "show ip int brief" and both interfaces are up.
Expert Comment

by:lrmoore
ID: 16881242
Yes, this lets return traffic from an external DNS server responding to your inside host in.
Depends on where you set logging. You can log to a buffer and see it from telnet session "sho log", or you can log to an external syslog server (http://www.kiwisyslog.com)
Add these commands to the router:
 logg buff debug 4096

If you set up a syslog host, add this too:
 logg host z.b.c.d

Your website might not respond if it can't do reverse dns resolution because you're blocking the dns
Author Comment

by:bwasyliuk
ID: 16882556
Thanks for the help, turns out the problems were caused by not having this line:

access-list 101 permit udp any eq 53 any

I am experiencing something weird - but it's not critical so I am going to close this question.  It seems that "inside" hosts cannot resolve the domains pointing back to the xxx.xxx.xx2.66 (outside internet address on E0/0).  They can find other domains no problem (i.e. google.com).

Weird "side-effect" that I thought would cause mail issues, but seems like it is only when I try to use the web browser.

Anyways - I may raise another question just for that one.  Thanks for the help lrmoore.

Ben
Expert Comment

by:lrmoore
ID: 16882961
Simple answer to that one. Your inside hosts simply cannot reach your own web servers by their public IP address. Internal hosts have to resolve to the private IP address. No way around it.