chuck_v
asked on
Cisco 1700 series router firewall config .. working toooo well
Hi guys, maybe someone here can assist.
Trying to get NATting on my Cisco 1700 series router to work but it's not.
Been 4 days at this and still nothing. All I want to do is host my own personal website. Online remote scans are saying that port 80 (and all ports I am allowing in), well, is not open for some reason. I know it's not the server because I can see the site internally. Externally, though, the router for some reason just will not open the ports. When I view the logs of the router, I can see
Sep 2 16:39:16.309: %SEC-6-IPACCESSLOGP: list 101 denied tcp 216.239.113.146(80) -> 150.101.163.87(2184), 1 packet
Sep 2 16:39:20.601: %SEC-6-IPACCESSLOGP: list 101 denied tcp 209.85.139.99(80) -> 150.101.163.87(2185), 1 packet
I just don't understand what is wrong or what can be modified to make this all work.
Config below:
interface ATM0/0
description +++ CONNECTION TO ISP +++
no ip address
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0/0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0/0
description +++ LAN +++$ETH-LAN$$FW_INSIDE$
ip address 192.168.0.2 255.255.0.0
ip broadcast-address 192.168.255.255
ip access-group 100 in
no ip unreachables
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface Dialer1
description +++ Virtual Connection to ATM0/0 +++$FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname xxxxxx@xxxxxxxx.net
ppp chap password xxxxxxxxxxxxxxxxxxxxx
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.11 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.11 25 interface Dialer1 25
ip nat inside source static tcp 192.168.0.11 20 interface Dialer1 20
ip nat inside source static tcp 192.168.0.11 21 interface Dialer1 21
ip nat inside source static tcp 192.168.0.11 443 interface Dialer1 443
ip nat inside source static tcp 192.168.0.11 3200 interface Dialer1 3200
ip nat inside source static tcp 192.168.0.11 53 interface Dialer1 53
ip nat inside source static tcp 192.168.0.11 110 interface Dialer1 110
ip nat inside source static tcp 192.168.0.11 6080 interface Dialer1 6080
ip nat inside source static tcp 192.168.0.11 3389 interface Dialer1 3389
ip nat inside source static udp 192.168.0.11 53 interface Dialer1 53
ip nat outside source static tcp 150.101.163.87 25 192.168.0.11 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http secure-server
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.83.231.0 0.0.0.255
access-list 1 permit 192.168.33.0 0.0.0.255
access-list 100 remark ************************** ********** ********** *
access-list 100 remark *** FOR FE0/0 - INTERNAL TO INTERNET ***
access-list 100 remark ************************** ********** ********** *
access-list 100 permit ip any any
access-list 101 remark ************************** ********** ********** *
access-list 101 remark *** DIALER1 FROM THE INTERNET TO WEB SERVER ***
access-list 101 remark ************************** ********** ********** *
access-list 101 remark RDP:3389, FTP-DATA:20, FTP:21, EMAIL SERVER APP:3200
access-list 101 remark POP3:110, SMTP:25, HTTP Other:6080, HTTPS:443
access-list 101 remark HTTP:80, DNS UDP/TCP:53
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq ftp-data
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq 3200
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq 6080
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
access-list 101 remark PROVIDER DNS SERVER / FORWARD
access-list 101 permit udp host 192.231.203.3 eq domain any
access-list 101 permit udp host 192.231.203.2 eq domain any
access-list 101 remark NETWORK TIME PROTOCOL
access-list 101 permit udp host 216.27.190.202 eq ntp any eq ntp
access-list 101 remark ICMP REPLY AND MESSAGEING
access-list 101 permit icmp any any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
Have I misinterpreted the config?
Any help on this would be GREAT.
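A way to check what the posted list actually does with the two logged packets, as an added example (not code from the original post): a small evaluator for the extended-ACL subset that access-list 101 uses (any/host/wildcard addresses, eq ports, ip/tcp/udp/icmp, established, implicit deny). The ACL text is copied from the config above. The two logged packets are reconstructed from the %SEC-6-IPACCESSLOGP lines; the ACK flag on them is an assumption, since IOS does not log TCP flags, but a segment from port 80 of a remote host to a high port on the Dialer1 address is what a reply to an outbound web request looks like. The inbound HTTP client (203.0.113.9) and the extra `established` rule are constructed for the example, not something the poster configured.

```python
# Added example, not from the original post: trace Cisco extended-ACL
# decisions for the packets that %SEC-6-IPACCESSLOGP reported as denied.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port names as IOS prints them in the running config.
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "smtp": 25,
              "pop3": 110, "domain": 53, "ntp": 123}


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # ACK/RST set, i.e. a mid-stream TCP segment


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _addr(t: List[str]) -> Tuple[int, int]:
    """Consume 'any' | 'host A' | 'A wildcard'; return (network, wildcard)."""
    tok = t.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _ip(t.pop(0)), 0
    return _ip(tok), _ip(t.pop(0))


def _port(t: List[str]) -> Optional[int]:
    """Consume an optional 'eq <port>' operator (named or numeric)."""
    if t and t[0] == "eq":
        t.pop(0)
        name = t.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None


def parse_acl(text: str) -> List[dict]:
    """Parse 'access-list N permit|deny ...' lines; remark lines are skipped."""
    rules = []
    for raw in text.strip().splitlines():
        t = raw.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        r = {"text": raw.strip(), "action": t[2], "proto": t[3]}
        rest = t[4:]
        r["src"], r["src_wc"] = _addr(rest)
        r["sport"] = _port(rest)
        r["dst"], r["dst_wc"] = _addr(rest)
        r["dport"] = _port(rest)
        # Trailing ICMP type keywords and 'log' are left in 'rest' unmatched:
        # the posted list permits all ICMP before any typed rule appears.
        r["established"] = "established" in rest
        rules.append(r)
    return rules


def _match(net: int, wc: int, ip: str) -> bool:
    # Cisco wildcard: 0 bits must match, 1 bits are "don't care".
    care = ~wc & 0xFFFFFFFF
    return (_ip(ip) & care) == (net & care)


def evaluate(rules: List[dict], p: Packet) -> Tuple[str, str]:
    """First matching rule wins; IOS ends every ACL with an implicit deny."""
    for r in rules:
        if r["proto"] not in ("ip", p.proto):
            continue
        if not (_match(r["src"], r["src_wc"], p.src) and _match(r["dst"], r["dst_wc"], p.dst)):
            continue
        if r["sport"] not in (None, p.sport) or r["dport"] not in (None, p.dport):
            continue
        if r["established"] and not p.ack:
            continue
        return r["action"], r["text"]
    return "deny", "implicit deny ip any any"


# access-list 101 exactly as posted (remarks omitted).
ACL_101 = """
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq ftp-data
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq 3200
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq 6080
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
access-list 101 permit udp host 192.231.203.3 eq domain any
access-list 101 permit udp host 192.231.203.2 eq domain any
access-list 101 permit udp host 216.27.190.202 eq ntp any eq ntp
access-list 101 permit icmp any any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
"""

# Reconstructed from the two logged denials: web servers answering from
# port 80 to high ports on the Dialer1 address (ACK flag assumed).
LOGGED_DENIALS = [
    Packet("tcp", "216.239.113.146", "150.101.163.87", 80, 2184, ack=True),
    Packet("tcp", "209.85.139.99", "150.101.163.87", 80, 2185, ack=True),
]
# Constructed: an Internet client opening a connection to the web server's port 80.
INBOUND_HTTP_SYN = Packet("tcp", "203.0.113.9", "150.101.163.87", 51000, 80)
# Constructed variant: the classic IOS rule that admits replies to outbound TCP.
ESTABLISHED_RULE = "access-list 101 permit tcp any any established\n"


def trace(acl_text: str, pkt: Packet) -> Tuple[str, str]:
    return evaluate(parse_acl(acl_text), pkt)
```

Running `trace(ACL_101, LOGGED_DENIALS[0])` lands on `deny ip any any log`, which is exactly the line the router logged: every tcp permit in the list keys on a destination port, so replies to the router's own outbound connections (source port 80, destination 2184) match nothing above the final deny. Prepending `ESTABLISHED_RULE` lets those replies through while leaving the inbound rules untouched. `trace(ACL_101, INBOUND_HTTP_SYN)` is permitted by `permit tcp any any eq www`, so whatever keeps the external scan from seeing port 80, it is not this access list; the static NAT entry and the ISP path are the next things to check.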
ASKER
Hi atyar,
I have a static (or DHCP reserved) IP from my ISP, so that's not an issue.
And I'm unsure how to do PAT .. I'll see if I can set up the nat inside source to be my internal IP .. but don't think that will change anything.
Most of the port forwards are going to a dedicated IP though, so unsure what you mean.
PAT involves an 'overload' statement on an ip source statement, but I wouldn't go there if you have the ip address to spare. If you only have 1 static address, though, you'll need to use pat, so you can tie the web server internal ip address to that 1 static ip on port 80, while the other ports are still tied to the router interface. See this webpage for an example of how to configure pat:
http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a0080093e51.shtml
If you can make the changes and clean up your access lists, then test, I can help further from there with troubleshooting. I do know that this works - I've done the same thing for an ftp server behind a 1720 router in a remote office using pat with a cable modem.
ASKER
I'll attempt this tonight (hopefully) and provide an update. Though I thought the ACLs were used as a control point. Removing them would open my router up, would it not?
ASKER
Oh, maybe off topic, but hence my config change. As you are aware, I am trying to host websites internally for a few of my friends (so not traffic heavy).
I have realized that a basic *.asp file which just sends email as a web-based form would not find the SMTP server which was hard coded.
So, on my Win2k3 box, I have an email server (3rd party) & DNS w/IIS.
All is working fine EXCEPT the webmail form. When I tell the form to submit to my SMTP server (which is internal), it says it cannot find it. I have tried the following:
external IP of my router (smtp = 101.132.42.xxx)
name of my server (mail.i-design.cc)
Neither of the two above works. I think it's because the config above is preventing my internal websites from seeing the DNS internally.
Is the config above something to do with this?
Cheers
ACLs do control which traffic passes when one is applied to an interface in a given direction. When one is applied, all traffic is implicitly denied, except that which is explicitly permitted.
Any chance the Win2K3 box has the Windows Internet Connection Firewall turned on on the network interface and it's blocking the SMTP traffic?
ASKER
No chance at all in respect to the Internet Connection Firewall on my Windows box.
The reason for this is that I can send external email (e.g. Hotmail) to an MX record I have on my DNS and I can receive it via my 3rd party email server software.
I am getting email from externally just fine, and I can send from internal to external just fine. I just can't submit a webmail form from the inside to the outside as it cannot find the server.
I am thinking that my config above is somehow preventing me from doing so.
Thanks for the points :)
One thought when I was looking at your last post - Hotmail won't use the DNS settings on your box, as it is hosted on their server and the inbound/outbound functionality of Hotmail is on their end. Maybe something to look at again...
ASKER
As in use Hotmail for my main email server? E.g. http://domains.live.com? I have thought of using the domains thing but it offers no groups and/or lists management and no centralized account management. So I rule that out completely.
As for previous, Hotmail can send to my internal mail server.. just my pages can't send to itself.
1) Get a static address assigned to you by your ISP (they'd probably give you 2 - 1 for your router, and 1 for your web server). You can do with just 1 static address and then use Port Address Translation, but NAT is simpler and you've got most of the config already.
2) Set up your ip nat inside source static statements to use the static address for your web server, rather than the interface. If your ISP dynamic address changes, how will you know what it is to connect to it?
3) There is an implicit deny any any at the end of every access list, so you don't need the deny statements at the end of your access-list 101.