  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 457

Cisco 1700 series router firewall config .. working too well

Hi guys, maybe someone here can assist.

Trying to get NAT on my Cisco 1700 series router to work, but it's not.

I've been 4 days at this and still nothing. All I want to do is host my own personal website. Online remote scans are saying that port 80 (and all the ports I am allowing in) is not open for some reason. I know it's not the server because I can see the site internally. Externally, though, the router for some reason just will not open the ports. When I view the logs of the router, I can see

Sep  2 16:39:16.309: %SEC-6-IPACCESSLOGP: list 101 denied tcp 216.239.113.146(80) -> 150.101.163.87(2184), 1 packet
Sep  2 16:39:20.601: %SEC-6-IPACCESSLOGP: list 101 denied tcp 209.85.139.99(80) -> 150.101.163.87(2185), 1 packet

I just don't understand what is wrong or what can be modified to make this all work.

Config below:

interface ATM0/0
 description +++ CONNECTION TO ISP +++
 no ip address
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0/0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0/0
 description +++ LAN +++$ETH-LAN$$FW_INSIDE$
 ip address 192.168.0.2 255.255.0.0
 ip broadcast-address 192.168.255.255
 ip access-group 100 in
 no ip unreachables
 ip nat inside
 speed auto
 full-duplex
 no cdp enable
!
interface Dialer1
 description +++ Virtual Connection to ATM0/0 +++$FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname xxxxxx@xxxxxxxx.net
 ppp chap password xxxxxxxxxxxxxxxxxxxxx
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.11 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.11 25 interface Dialer1 25
ip nat inside source static tcp 192.168.0.11 20 interface Dialer1 20
ip nat inside source static tcp 192.168.0.11 21 interface Dialer1 21
ip nat inside source static tcp 192.168.0.11 443 interface Dialer1 443
ip nat inside source static tcp 192.168.0.11 3200 interface Dialer1 3200
ip nat inside source static tcp 192.168.0.11 53 interface Dialer1 53
ip nat inside source static tcp 192.168.0.11 110 interface Dialer1 110
ip nat inside source static tcp 192.168.0.11 6080 interface Dialer1 6080
ip nat inside source static tcp 192.168.0.11 3389 interface Dialer1 3389
ip nat inside source static udp 192.168.0.11 53 interface Dialer1 53
ip nat outside source static tcp 150.101.163.87 25 192.168.0.11 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http secure-server
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.83.231.0 0.0.0.255
access-list 1 permit 192.168.33.0 0.0.0.255
access-list 100 remark ***********************************************
access-list 100 remark ***  FOR FE0/0 - INTERNAL TO INTERNET ***
access-list 100 remark ***********************************************
access-list 100 permit ip any any
access-list 101 remark ***********************************************
access-list 101 remark *** DIALER1 FROM THE INTERNET TO WEB SERVER ***
access-list 101 remark ***********************************************
access-list 101 remark RDP:3389, FTP-DATA:20, FTP:21, EMAIL SERVER APP:3200
access-list 101 remark POP3:110, SMTP:25, HTTP Other:6080, HTTPS:443
access-list 101 remark HTTP:80, DNS UDP/TCP:53
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq ftp-data
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq 3200
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq 6080
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
access-list 101 remark PROVIDER DNS SERVER / FORWARD
access-list 101 permit udp host 192.231.203.3 eq domain any
access-list 101 permit udp host 192.231.203.2 eq domain any
access-list 101 remark NETWORK TIME PROTOCOL
access-list 101 permit udp host 216.27.190.202 eq ntp any eq ntp
access-list 101 remark ICMP REPLY AND MESSAGEING
access-list 101 permit icmp any any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
dialer-list 1 protocol ip permit

Have I misinterpreted the config?

Any help on this would be GREAT.
0
Asked by: chuck_v
1 Solution
 
atyar commented:
If you want to host a webpage to the 'outside world', I would do the following:
1) Get a static address assigned to you by your ISP (they'd probably give you 2: 1 for your router, and 1 for your web server). You can do with just 1 static address and then use Port Address Translation, but NAT is simpler and you've got most of the config already.
2) Set up your ip nat inside source static statements to use the static address for your web server, rather than the interface. If your ISP dynamic address changes, how will you know what it is to connect to it?
3) There is an implicit deny any any at the end of every access list, so you don't need the deny statements at the end of your access-list 101.

0
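As an added illustration of two points above (the denies in the poster's log, and the implicit deny at the end of every access list that atyar mentions), here is a small Python model of first-match extended-ACL evaluation, run against the poster's list 101. It is not code from this thread. It makes visible what the thread does not spell out: the two logged packets are not inbound connections to port 80 at all but replies from remote web servers (source port 80) to ephemeral ports on the WAN address, and list 101 has no entry for such return traffic, so they fall through to the final deny. An `established` entry ahead of the port permits (a candidate fix assumed here; it only tests TCP flag bits, but it is what a plain numbered ACL can express) would admit them. The model also reports entries that can never match (the three ICMP type lines are shadowed by `permit icmp any any`) and shows that the RFC 1918 anti-spoofing denies sit below the per-port permits, so a packet with a spoofed 192.168.x.x source aimed at port 80 is permitted before they are reached. Addresses and ports come from the log lines in the question; the ACK flag on the replies and the spoofed packet are constructed assumptions.

```python
"""Added example (not from the thread): a first-match model of a Cisco extended ACL, run against list 101."""
import ipaddress
from collections import namedtuple

PORT = {"ftp-data": 20, "ftp": 21, "smtp": 25, "domain": 53, "www": 80, "pop3": 110, "ntp": 123}
# The poster's list 101 with the remark lines dropped; entries in their original order.
ACL_101 = """\
permit tcp any any eq 3389
permit tcp any any eq ftp-data
permit tcp any any eq ftp
permit tcp any any eq 3200
permit tcp any any eq pop3
permit tcp any any eq smtp
permit tcp any any eq 6080
permit tcp any any eq 443
permit tcp any any eq www
permit tcp any any eq domain
permit udp any any eq domain
permit udp host 192.231.203.3 eq domain any
permit udp host 192.231.203.2 eq domain any
permit udp host 216.27.190.202 eq ntp any eq ntp
permit icmp any any
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any log
"""
# Candidate fix (assumption): admit replies to the LAN's own TCP connections ahead of
# the port permits. `established` matches TCP segments with ACK or RST set, nothing more.
ACL_101_FIXED = "permit tcp any any established\n" + ACL_101
Rule = namedtuple("Rule", "action proto src sport dst dport established extra text")


def _addr(tok, i):
    """Parse `any` | `host A` | `A wildcard` at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tok[i + 1])))  # wildcard -> netmask
    return ipaddress.ip_network(f"{tok[i]}/{mask}", strict=False), i + 2


def _port(tok, i):
    if i < len(tok) and tok[i] == "eq":
        return int(PORT.get(tok[i + 1], tok[i + 1])), i + 2
    return None, i


def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        rest = tok[i:]  # trailing qualifiers: ICMP type names, `established`, `log`
        extra = tuple(t for t in rest if t not in ("established", "log"))
        rules.append(Rule(tok[0], tok[1], src, sport, dst, dport, "established" in rest, extra, line))
    return rules


def pkt(proto, src, sport, dst, dport, ack=False):
    return dict(proto=proto, src=ipaddress.ip_address(src), sport=sport,
                dst=ipaddress.ip_address(dst), dport=dport, ack=ack)


def matches(rule, p):
    return (rule.proto in ("ip", p["proto"]) and p["src"] in rule.src and p["dst"] in rule.dst
            and rule.sport in (None, p["sport"]) and rule.dport in (None, p["dport"])
            and (not rule.established or p["ack"]))


def evaluate(rules, p):
    """First match wins; (-1, 'deny') is the implicit deny that ends every ACL."""
    for i, r in enumerate(rules):
        if matches(r, p):
            return i, r.action
    return -1, "deny"


def covers(a, b):
    """True if every packet matching entry b also matches entry a."""
    return (a.proto in ("ip", b.proto) and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.sport in (None, b.sport) and a.dport in (None, b.dport)
            and (not a.established or b.established) and set(a.extra) <= set(b.extra))


def shadowed(rules):
    """Pairs (dead entry, earlier entry that already decides all of its traffic)."""
    return [(j, i) for j in range(len(rules)) for i in range(j) if covers(rules[i], rules[j])]


# The two packets from the poster's %SEC-6-IPACCESSLOGP lines: replies from remote web
# servers (source port 80) to ephemeral ports on the WAN address. Assumption: ACK is set.
LOGGED = [pkt("tcp", "216.239.113.146", 80, "150.101.163.87", 2184, ack=True),
          pkt("tcp", "209.85.139.99", 80, "150.101.163.87", 2185, ack=True)]
# Constructed: a spoofed RFC 1918 source aimed at the forwarded web port.
SPOOFED = pkt("tcp", "192.168.1.1", 40000, "150.101.163.87", 80)

if __name__ == "__main__":
    rules, fixed = parse_acl(ACL_101), parse_acl(ACL_101_FIXED)
    for p in LOGGED:
        print(p["src"], "->", p["dst"], p["dport"], "as posted:", evaluate(rules, p), "fixed:", evaluate(fixed, p))
    print("dead entries:", shadowed(rules), "spoofed src ->:80:", evaluate(rules, SPOOFED))
```

Running it prints the two logged replies landing on entry 24 (`deny ip any any log`) as posted and on entry 0 once the `established` line is in front, the three shadowed ICMP lines, and the spoofed packet matching `permit tcp any any eq www` before any of the bogon denies. An `established` entry is still stateless; reflexive ACLs or IOS firewall inspection, where the router's feature set provides them, are the stateful alternatives, and anti-spoofing denies belong above the permits they are meant to constrain.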
 
chuck_v (author) commented:
Hi atyar,

I have a static (or DHCP reserved) IP from my ISP, so that's not an issue.

And I'm unsure how to do PAT. I'll see if I can set up the nat inside source to be my internal IP, but I don't think that will change anything.

Most of the port forwarding is going to a dedicated IP though, so I'm unsure what you mean.
0
 
atyar commented:
PAT involves an 'overload' statement on an ip source statement, but I wouldn't go there if you have the IP address to spare. If you only have 1 static address, though, you'll need to use PAT, so you can tie the web server internal IP address to that 1 static IP on port 80, while the other ports are still tied to the router interface. See this webpage for an example of how to configure PAT:
http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a0080093e51.shtml

If you can make the changes and clean up your access lists, then test, I can help further from there with troubleshooting. I do know that this works: I've done the same thing for an FTP server behind a 1720 router in a remote office using PAT with a cable modem.
0
 
chuck_v (author) commented:
I'll attempt this tonight (hopefully) and provide an update. Though I thought the ACLs were used as a control point; removing them would open my router up, would it not?
0
 
chuck_v (author) commented:
Oh, maybe off topic, but hence my config change. As you are aware, I am trying to host websites internally for a few of my friends (so not traffic heavy).

I have realised that a basic *.asp file, which just sends email as a web-based form, would not find the SMTP server which was hard coded.

So, on my Win2k3 box, I have an email server (3rd party) & DNS w/ IIS.

All is working fine EXCEPT the webmail form. When I tell the form to submit to my SMTP server (which is internal), it says it cannot find it. I have tried the following:

external IP of my router (smtp = 101.132.42.xxx)
name of my server (mail.i-design.cc)

Neither of the two above works. I think it's because the config above is preventing my internal websites from seeing the DNS internally.

Is the config above something to do with this?

Cheers
0
 
atyar commented:
ACLs do control which traffic passes when one is applied to an interface in a given direction. When one is applied, all traffic is implicitly denied, except that which is explicitly permitted.

Any chance the Win2K3 box has the Windows Internet Connection Firewall turned on on the network interface and it's blocking the SMTP traffic?
0
 
chuck_v (author) commented:
No chance at all in respect to the Internet Connection Firewall on my Windows box.

The reason for this is that I can send external email (e.g. Hotmail) to an MX record I have on my DNS, and I can receive it via my 3rd party email server software.

I am getting email from externally just fine, and I can send from internal to external just fine. I just can't submit a webmail form from the inside to the outside, as it cannot find the server.

I am thinking that my config above is somehow preventing me from doing so.
0
 
atyar commented:
Well, I'm sorry, but I don't think I can help you from here, then. I have no experience with webmail setups to be able to offer a constructive suggestion. If email is working internal to external just fine, I wouldn't necessarily think it's your router, as MX record traffic is being passed successfully, if the traffic is coming from the same IP address (internal to external, webmail). If it's a different address, examine the traffic you're allowing on the working IP vs. the non-working. If it's the same address, unless the webmail is somehow using port 80 to channel its MX record lookup (I doubt it), or some other proprietary port (check the software specs), I'd suspect the webmail configuration, not the router.

Good luck, though! :)
0
 
atyar commented:
Thanks for the points :)
One thought when I was looking at your last post: Hotmail won't use the DNS settings on your box, as it is hosted on their server and the inbound/outbound functionality of Hotmail is on their end. Maybe something to look at again...
0
 
chuck_v (author) commented:
As in use Hotmail for my main email server? E.g. http://domains.live.com? I have thought of using the domains thing, but it offers no groups and/or lists management and no centralised account management, so I rule that out completely.

As for the previous, Hotmail can send to my internal mail server; it's just that my pages can't send to it.
0
