
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 944

Cisco 2821 causing heck, or maybe it's just me!

Hi all,

First post ever, so I'll try to make it to the point and give you the whole layout instead of jumping around; that way you have the full picture.

Company has the following network setup.
Dell Server which handles our DNS & Exchange, and also hosts a website that is served both inside and outside the network, using IIS 6 with SSL; 2 switches (both working just fine); 1 VoIP server connected to a PRI and then via Ethernet back to one of the switches (works like a charm); and then we come to my personal nemesis, a Cisco 2821 router. It has 2 x T1 ports (not being used yet) and 2 Ethernet ports.
We use 2 bonded T1's via Ethernet to connect to the internet, giving us 3 meg up and 3 meg down.


Just to add to this to really set the stage, this is the first attempt with a Cisco anything and I've had it about a week.

We have 5 public IP's of which we are using just one right now, not including the gateway.
Gig0/1=untrusted outside 69.xx.xx.242
Gig0/0=trusted inside 192.168.16.1
Gateway=69.xx.xx.241
Public IP's=69.xx.xx.242-247

Cisco Router=192.168.16.1
Voip server 192.168.16.200
Managed Switch 1 and 2 192.168.250&251
Dell Server (DNS & IIS 6 & Exchange & Website) 192.168.16.3

Here's my issue(s): since putting this new router into our network, all heck has broken loose. DNS not resolving, SSL not passing through the firewall, etc. People are even having a hard time browsing through our own network. I personally think I goofed up somewhere and clicked one too many things, and I'm not afraid to admit it!

Here's the show run:
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate wic 0
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip inspect alert-off
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 imap3
ip inspect name DEFAULT100 pop3
ip inspect name DEFAULT100 pop3s
ip inspect name DEFAULT100 qmtp-tcp
ip inspect name DEFAULT100 fragment maximum 256 timeout 1
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW dns alert off audit-trail off
ip inspect name SDM_LOW ftp alert off audit-trail off
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.199
ip dhcp excluded-address 192.168.16.1
ip dhcp excluded-address 192.168.16.253 192.168.16.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.16.0 255.255.255.0
   dns-server 216.xx.xx.157 192.168.16.3
   default-router 192.168.16.1
   lease 5
!
ip dhcp pool voip
   host 192.168.16.200 255.255.255.0
   hardware-address 001c.c411.ce54
!
ip dhcp pool kyocera
   host 192.168.16.88 255.255.255.0
   hardware-address 00c0.ee5c.2074
!
ip dhcp pool bwcopier
   host 192.168.16.18 255.255.255.0
   hardware-address 00c0.eed0.c2c7
!
ip dhcp pool dell server
   host 192.168.16.3 255.255.255.0
   hardware-address 0014.2277.df3f
!
ip dhcp pool linux process server (just 1 app, nothing fancy)
   host 192.168.16.240 255.255.255.0
   hardware-address 000e.0cb7.1f61
!
ip dhcp pool 24port switch
   host 192.168.16.250 255.255.255.0
   hardware-address 0015.c52f.a2a3
!
ip dhcp pool 48port switch
   host 192.168.16.251 255.255.255.0
   hardware-address 0015.c5d3.0058

!
!
no ip bootp server
ip domain name fxxxx.xxx.xxx.net
ip name-server 216.xx.xx.157
ip name-server 216.xx.xx.146
ip name-server 192.168.16.3
ip name-server 192.168.16.200
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
crypto pki trustpoint TP-self-signed-xxxxxxxxx
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-xxxxxxxx
 revocation-check none
 rsakeypair TP-self-signed-xxxxxxx
!
!
crypto pki certificate chain TP-self-signed-883605245
 certificate self-signed 01
  CERTIFICATE CODE LEFT OUT ON PURPOSE
  quit
username XXX privilege 15 secret 5 XXXXXXXXX
username cxxxxx privilege 15 view root secret 5 xxxxxx
!
!
controller T1 0/0/0
 framing esf
 linecode b8zs
!
controller T1 0/0/1
 framing esf
 linecode b8zs
!
policy-map SDM-QoS-Policy-1
!
!
!
!
!
interface GigabitEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
 ip address 192.168.16.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_LOW in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 69.xx.xx.242 255.255.255.248
 ip access-group 120 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 service-policy output SDM-QoS-Policy-1
!
ip classless
ip route 0.0.0.0 0.0.0.0 69.xx.xx.241 permanent
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool insidepool 192.168.16.0 192.168.16.254 netmask 255.255.255.0
ip nat pool tdspool 69.xx.xx.242 69.xx.xx.246 netmask 255.255.255.248
ip nat inside source list 110 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.16.1 21 interface GigabitEthernet0/1 21
ip nat inside source static tcp 192.168.16.200 5060 interface GigabitEthernet0/1 5060
ip nat inside source static udp 192.168.16.3 53 interface GigabitEthernet0/1 53
ip nat inside source static udp 192.168.16.3 123 interface GigabitEthernet0/1 123
ip nat inside source static tcp 192.168.16.200 9000 interface GigabitEthernet0/1 9000
ip nat inside source static tcp 192.168.16.3 80 interface GigabitEthernet0/1 80
ip nat inside source static tcp 192.168.16.200 8000 interface GigabitEthernet0/1 8000
ip nat inside source static tcp 192.168.16.3 3306 interface GigabitEthernet0/1 3306
ip nat inside source static tcp 192.168.16.3 25 interface GigabitEthernet0/1 25
ip nat inside source static tcp 192.168.16.3 443 interface GigabitEthernet0/1 443
ip nat inside source static tcp 192.168.16.3 4125 interface GigabitEthernet0/1 4125
ip nat inside source static tcp 192.168.16.3 3389 interface GigabitEthernet0/1 3389
ip nat inside source static tcp 192.168.16.3 1701 interface GigabitEthernet0/1 1701
ip nat inside source static tcp 192.168.16.3 1723 interface GigabitEthernet0/1 1723
ip nat inside source static tcp 192.168.16.3 110 interface GigabitEthernet0/1 110
ip nat inside source static tcp 192.168.16.3 366 interface GigabitEthernet0/1 366
ip nat inside source static tcp 192.168.16.3 118 interface GigabitEthernet0/1 118
ip nat inside source static tcp 192.168.16.3 444 interface GigabitEthernet0/1 444
!
ip access-list extended sdm_gigabitethernet0/0_in
 permit ip 0.0.0.0 255.255.255.0 any
ip access-list extended sdm_gigabitethernet0/1_in
 permit udp host 216.xx.xx.146 eq domain any
 permit udp host 216.xx.xx.157 eq domain any
 permit ip host 192.168.10.0 host 69.xx.xx.242
ip access-list extended sdm_gigabitethernet0/1_in_100
 permit ip any any
ip access-list extended sdm_gigabitethernet0/1_out
 permit ip 0.0.0.0 255.255.255.0 host 69.xx.xx.242
logging trap debugging
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.10.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 permit udp host 192.168.16.200 eq domain any
access-list 100 permit udp host 192.168.16.3 eq domain any
access-list 100 permit ip 69.xx.xx.240 0.0.0.7 any
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit tcp any any eq www
access-list 100 permit ip any any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 permit udp host 192.168.16.3 eq domain host 69.xx.xx.243
access-list 101 permit udp host 216.xx.xx.157 eq domain host 69.xx.xx.243
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 permit icmp any host 69.xx.xx.243 echo-reply
access-list 101 permit icmp any host 69.xx.xx.243 time-exceeded
access-list 101 permit icmp any host 69.xx.xx.243 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 permit tcp any host 69.xx.xx.242 eq 444
access-list 102 permit tcp any host 69.xx.xx.242 eq 118
access-list 102 permit tcp any host 69.xx.xx.242 eq 366
access-list 102 permit tcp any host 69.xx.xx.242 eq pop3
access-list 102 permit udp any host 69.xx.xx.242 eq 1434
access-list 102 permit tcp any host 69.xx.xx.242 eq 1723
access-list 102 permit tcp any host 69.xx.xx.242 eq 1701
access-list 102 permit tcp any host 69.xx.xx.242 eq 3389
access-list 102 permit tcp any host 69.xx.xx.242 eq 4125
access-list 102 permit tcp any host 69.xx.xx.242 eq 443
access-list 102 permit tcp any host 69.xx.xx.242 eq smtp
access-list 102 permit tcp any host 69.xx.xx.242 eq 3306
access-list 102 permit tcp any host 69.xx.xx.242 eq 8000
access-list 102 permit tcp any host 69.xx.xx.242 eq www
access-list 102 permit tcp any host 69.xx.xx.242 eq 9000
access-list 102 permit udp any host 69.xx.xx.242 eq ntp
access-list 102 permit udp any host 69.xx.xx.242 eq domain
access-list 102 permit tcp any host 69.xx.xx.242 eq 5060
access-list 102 permit tcp any host 69.xx.xx.242 eq ftp
access-list 102 permit udp host 216.xx.xx.146 eq domain host 69.xx.xx.242
access-list 102 permit udp host 216.xx.xx.157 eq domain host 69.xx.xx.242
access-list 102 remark Auto generated by SDM for NTP (123) 66.36.239.104
access-list 102 permit udp host 66.36.239.104 eq ntp host 69.xx.xx.242 eq ntp
access-list 102 deny   ip 192.168.16.0 0.0.0.255 any
access-list 102 permit icmp any host 69.xx.xx.242 echo-reply
access-list 102 permit icmp any host 69.xx.xx.242 time-exceeded
access-list 102 permit icmp any host 69.xx.xx.242 unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 110 permit ip 192.168.16.0 0.0.0.255 any
access-list 120 permit tcp any host 69.xx.xx.242 eq www
access-list 120 permit tcp any host 69.xx.xx.242 eq 3306
access-list 120 permit udp any host 69.xx.xx.242 eq ntp
access-list 120 permit tcp any host 69.xx.xx.242 eq 8000
access-list 120 permit udp any host 69.xx.xx.242 eq 1434
access-list 120 permit tcp any host 69.xx.xx.242 eq 9000
access-list 120 permit tcp any host 69.xx.xx.242 eq smtp
access-list 120 permit tcp any host 69.xx.xx.242 eq ftp
access-list 120 permit tcp any host 69.xx.xx.242 eq 443
access-list 120 permit tcp any host 69.xx.xx.242 eq 444
access-list 120 permit tcp any host 69.xx.xx.242 eq 4125
access-list 120 permit tcp any host 69.xx.xx.242 eq 3389
access-list 120 permit tcp any host 69.xx.xx.242 eq 1701
access-list 120 permit tcp any host 69.xx.xx.242 eq 1723
access-list 120 permit tcp any host 69.xx.xx.242 eq pop3
access-list 120 permit udp any eq domain any
access-list 120 permit tcp any host 69.xx.xx.242 eq 366
access-list 120 permit tcp any host 69.xx.xx.242 eq 118
access-list 120 permit tcp any any eq telnet
access-list 120 permit icmp any any
access-list 120 permit tcp any any established
access-list 120 deny   ip any any log
access-list 120 permit tcp any host 69.xx.xx.242 eq 5060
access-list 130 remark Outside access
access-list 130 permit udp any eq domain any
no cdp run
!
!
control-plane

You can take a breath now LOL
Like I said, I know networking, but this Cisco is giving me one helluva headache. But I know once it's fully configured, it'll run forever.
Thanks for taking the time to read this
Asked by: MarkMaloney

1 Solution
 
Jan Springer commented:
It sounds like you are not allowing outside traffic to reach your DNS servers in your access-list.  

Try changing this:

access-list 120 permit udp any eq domain any

to this:

access-list 120 permit udp any eq domain any
access-list 120 permit udp any any eq domain
access-list 120 permit tcp any eq domain any
access-list 120 permit tcp any any eq domain
MarkMaloney (Author) commented:
Jesper, thanks for your suggestion; it was a combo of both your suggestion and my goof-up. I had the outside DNS server listed first in the DNS settings and not the internal one. Once I changed that plus your suggestion, all works :-)
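A worked check of the point in the accepted answer, run against the show run in the question. This is an added example, not code from the thread, its author or Cisco: a small Python first-match simulator for the subset of IOS numbered extended ACL syntax that appears in the posted config (permit/deny; ip/tcp/udp/icmp; any, host, address-plus-wildcard; an optional "eq PORT"; "established"; a trailing "log"). It shows why inbound DNS was failing: access-list 120 as posted only admits UDP whose source port is 53 ("permit udp any eq domain any", i.e. replies to the router's own lookups), so a query from the Internet to the published DNS server, which has destination port 53, falls through to "deny ip any any log". The answer's "permit udp any any eq domain" line is the one that admits it, and the TCP 53 lines cover the same for large responses. The same parser is then used for two checks a practitioner would want before trusting an SDM-generated list: which static port forwards the inbound ACL does not actually admit, and which entries sit after an unconditional "ip any any" line and are therefore never evaluated (in the posted list the TCP 5060 entry comes after the deny). Assumptions: the redacted 69.xx.xx.242 is replaced by the documentation address 203.0.113.242, the outside client 198.51.100.7 is made up, and the ACL and NAT text are abridged copies of the posted lines with that substitution.

```python
"""Added example (not code from the thread, its author or Cisco): first-match
simulator for the IOS numbered extended ACL syntax that appears on this page."""
import ipaddress
from collections import namedtuple

OUTSIDE_IP = "203.0.113.242"   # assumed stand-in for the post's redacted 69.xx.xx.242
PROBE_SRC = "198.51.100.7"     # constructed Internet client, not from the post
PORT_NAMES = {"domain": 53, "www": 80, "ntp": 123, "smtp": 25, "pop3": 110, "ftp": 21}
ANY = (0, 0xFFFFFFFF)          # (address, wildcard) pair meaning 'any'

# access-list 120 as posted, abridged to the entries that matter here, in the
# original order (note the 5060 entry after the deny).
ACL_POSTED = f"""
access-list 120 permit tcp any host {OUTSIDE_IP} eq www
access-list 120 permit udp any host {OUTSIDE_IP} eq ntp
access-list 120 permit udp any eq domain any
access-list 120 permit icmp any any
access-list 120 permit tcp any any established
access-list 120 deny   ip any any log
access-list 120 permit tcp any host {OUTSIDE_IP} eq 5060
"""
# The same list with the answer's four DNS lines in place of the single one.
ACL_ANSWER = ACL_POSTED.replace(
    "access-list 120 permit udp any eq domain any\n",
    "access-list 120 permit udp any eq domain any\n"
    "access-list 120 permit udp any any eq domain\n"
    "access-list 120 permit tcp any eq domain any\n"
    "access-list 120 permit tcp any any eq domain\n")
# Static port forwards from the posted config (subset).
NAT_STATIC = """
ip nat inside source static udp 192.168.16.3 53 interface GigabitEthernet0/1 53
ip nat inside source static udp 192.168.16.3 123 interface GigabitEthernet0/1 123
ip nat inside source static tcp 192.168.16.3 80 interface GigabitEthernet0/1 80
ip nat inside source static tcp 192.168.16.200 5060 interface GigabitEthernet0/1 5060
"""

# ack=True means TCP ACK/RST set, which is what 'established' matches.
Packet = namedtuple("Packet", "proto src dst sport dport ack", defaults=(0, 0, False))
# proto "ip" matches every protocol; sport/dport None means no 'eq' qualifier.
Entry = namedtuple("Entry", "action proto src sport dst dport established text")

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(t, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at t[i]; return ((addr, wild), next)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def _port(t, i):
    """Consume an optional 'eq PORT' qualifier (name or number)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        entries.append(Entry(t[2], t[3], src, sport, dst, dport,
                             "established" in t[i:], line.strip()))
    return entries

def _in(spec, ip):
    return (ip | spec[1]) == (spec[0] | spec[1])   # wildcard bits are ignored

def matches(e, p):
    return (e.proto in ("ip", p.proto)
            and _in(e.src, _ip(p.src)) and _in(e.dst, _ip(p.dst))
            and e.sport in (None, p.sport) and e.dport in (None, p.dport)
            and (p.ack or not e.established))

def evaluate(entries, p):
    """First match wins; an IOS ACL ends with an implicit deny."""
    for e in entries:
        if matches(e, p):
            return e.action, e.text
    return "deny", None

def dead_entries(entries):
    """Entries written after an unconditional 'ip any any' line: never evaluated."""
    for i, e in enumerate(entries):
        if e.proto == "ip" and e.src == ANY and e.dst == ANY:
            return [x.text for x in entries[i + 1:]]
    return []

def unreachable_forwards(entries, nat_text):
    """Static forwards whose outside port the inbound ACL does not admit."""
    bad = []
    for line in nat_text.strip().splitlines():
        t = line.split()   # ... static PROTO IN_IP IN_PORT interface IF OUT_PORT
        probe = Packet(t[5], PROBE_SRC, OUTSIDE_IP, 40000, int(t[-1]))
        if evaluate(entries, probe)[0] != "permit":
            bad.append((t[5], int(t[-1])))
    return bad

if __name__ == "__main__":
    for text in (ACL_POSTED, ACL_ANSWER):
        acl = parse_acl(text)
        print(evaluate(acl, Packet("udp", PROBE_SRC, OUTSIDE_IP, 40000, 53)),
              unreachable_forwards(acl, NAT_STATIC), dead_entries(acl))
```

Run as a script it prints, for the posted list and then the answer's version, the verdict on an inbound DNS query, the forwards the ACL does not admit, and the dead entries. With the posted list the query is denied and both the UDP 53 and TCP 5060 forwards are unreachable; with the answer's lines the query is permitted and only 5060 remains, because that entry still sits after the "deny ip any any log" line. Moving it above the deny (or deleting it, if SIP from the Internet is not wanted) is the remaining change this check points at. The other half of the author's fix, listing 192.168.16.3 before the ISP resolver in the DHCP dns-server line, is a client resolver-order matter that an ACL check does not cover.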
