Solved


Posted on 2008-06-21
28
7,877 Views
Last Modified: 2013-11-16
Basic Router Config / Cisco 800 Series
Router can ping internet, LAN computers can not browse web or ping internet

For example, from the CLI on the Cisco box, if I ping google, all is good - however if I try to ping from a LAN computer, nothing - also can't browse internet from LAN computers (aka not ICMP issues).

Really in a bit over my head with this router configuration - but trying to pan it out.  Could be as simple as NAT not being configured?

My current configuration below.
Current configuration : 7213 bytes

!

! Last configuration change at 15:29:38 PCTime Sat Jun 21 2008 by valuelogic

! NVRAM config last updated at 15:29:54 PCTime Sat Jun 21 2008 by valuelogic

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname SpectrumCisco

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200 debugging

logging console critical

enable secret 5 $1$NGPp$GmViZ0RBkTrlJJLZhLkvC/

!

no aaa new-model

!

resource policy

!

clock timezone PCTime -8

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

ip subnet-zero

no ip source-route

ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1

!

ip dhcp pool sdm-pool1

   import all

   network 192.168.1.0 255.255.255.0

   dns-server 4.2.2.2 4.2.2.1 

   default-router 192.168.1.1 

!

!

ip tcp synwait-time 10

no ip bootp server

ip domain name cisco.SpectrumMarketing.net

ip name-server 4.2.2.2

ip name-server 4.2.2.1

ip ssh time-out 60

ip ssh authentication-retries 2

ip inspect name SDM_LOW cuseeme

ip inspect name SDM_LOW dns

ip inspect name SDM_LOW ftp

ip inspect name SDM_LOW h323

ip inspect name SDM_LOW https

ip inspect name SDM_LOW icmp

ip inspect name SDM_LOW imap

ip inspect name SDM_LOW pop3

ip inspect name SDM_LOW netshow

ip inspect name SDM_LOW rcmd

ip inspect name SDM_LOW realaudio

ip inspect name SDM_LOW rtsp

ip inspect name SDM_LOW esmtp

ip inspect name SDM_LOW sqlnet

ip inspect name SDM_LOW streamworks

ip inspect name SDM_LOW tftp

ip inspect name SDM_LOW tcp

ip inspect name SDM_LOW udp

ip inspect name SDM_LOW vdolive

!

!

crypto pki trustpoint TP-self-signed-3431502892

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-3431502892

 revocation-check none

 rsakeypair TP-self-signed-3431502892

!

!

crypto pki certificate chain TP-self-signed-3431502892

 certificate self-signed 01

  quit

username valuelogic privilege 15 secret 5 $1$SJpa$PaCLCHR3ab419jOZacZ3I0

!

! 

!

!

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

 description $ES_WAN$$FW_OUTSIDE$

 ip address 207.158.24.230 255.255.255.0

 ip access-group 102 in

 ip access-group sdm_fastethernet4_out out

 ip verify unicast reverse-path

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 ip nat outside

 ip inspect SDM_LOW out

 ip virtual-reassembly

 ip route-cache flow

 duplex auto

 speed auto

!

interface Vlan1

 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

 ip address 192.168.1.1 255.255.255.0

 ip access-group 100 in

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 ip nat inside

 ip virtual-reassembly

 ip route-cache flow

 ip tcp adjust-mss 1452

!

ip classless

ip route 0.0.0.0 0.0.0.0 207.158.24.225

!

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list 1 interface FastEthernet4 overload

!

ip access-list extended sdm_fastethernet4_out

 remark SDM_ACL Category=1

 permit icmp any any

!

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 100 remark auto generated by Cisco SDM Express firewall configuration

access-list 100 remark SDM_ACL Category=1

access-list 100 deny   ip 207.158.24.0 0.0.0.255 any

access-list 100 deny   ip host 255.255.255.255 any

access-list 100 deny   ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip any any

access-list 101 remark auto generated by Cisco SDM Express firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 permit udp host 4.2.2.1 eq domain host 207.158.24.230

access-list 101 permit udp host 4.2.2.2 eq domain host 207.158.24.230

access-list 101 deny   ip 192.168.1.0 0.0.0.255 any

access-list 101 permit icmp any host 207.158.24.230 echo-reply

access-list 101 permit icmp any host 207.158.24.230 time-exceeded

access-list 101 permit icmp any host 207.158.24.230 unreachable

access-list 101 deny   ip 10.0.0.0 0.255.255.255 any

access-list 101 deny   ip 172.16.0.0 0.15.255.255 any

access-list 101 deny   ip 192.168.0.0 0.0.255.255 any

access-list 101 deny   ip 127.0.0.0 0.255.255.255 any

access-list 101 deny   ip host 255.255.255.255 any

access-list 101 deny   ip host 0.0.0.0 any

access-list 101 deny   ip any any

access-list 102 remark auto generated by SDM firewall configuration

access-list 102 remark SDM_ACL Category=1

access-list 102 permit udp host 4.2.2.1 eq domain host 207.158.24.230

access-list 102 permit udp host 4.2.2.2 eq domain host 207.158.24.230

access-list 102 deny   ip 192.168.1.0 0.0.0.255 any

access-list 102 permit icmp any host 207.158.24.230 echo-reply

access-list 102 permit icmp any host 207.158.24.230 time-exceeded

access-list 102 permit icmp any host 207.158.24.230 unreachable

access-list 102 deny   ip 10.0.0.0 0.255.255.255 any

access-list 102 deny   ip 172.16.0.0 0.15.255.255 any

access-list 102 deny   ip 192.168.0.0 0.0.255.255 any

access-list 102 deny   ip 127.0.0.0 0.255.255.255 any

access-list 102 deny   ip host 255.255.255.255 any

access-list 102 deny   ip host 0.0.0.0 any

access-list 102 deny   ip any any log

no cdp run

!

!

control-plane

!

banner login ^CAuthorized access only!

 Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

 login local

 no modem enable

 transport output telnet

line aux 0

 login local

 transport output telnet

line vty 0 4

 privilege level 15

 login local

 transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

Question by:Crazy_Penguins
28 Comments
 
LVL 11

Assisted Solution

by:rowansmith
rowansmith earned 465 total points
I assume that you are accessing your Router via the Console port?

Which Fast Ethernet Interface is connected to your Internal LAN?  fastEthernet4 is connected to the Internet - yes?

-Rowan
 

Author Comment

by:Crazy_Penguins
I have been using the SDM to manage the box, however I do have console CLI interface as well.

Currently just one PC on the LAN 0 port

Connected to T1 on fastEthernet4, with static IP address

Hope this helps.
 
LVL 11

Assisted Solution

by:rowansmith
rowansmith earned 465 total points
Notwithstanding the fact that I actually can not determine what interface you have VLAN1 configured on - this might not be a big deal...

But your CBAC firewall rules will not work with standard access lists, they only work with extended access lists.  So in the case Access-List 102 is seriously going to be causing you grief and access-list sdm_fastethernet4_out is not very healthy looking either....

First of all make sure you can ping your router from your internal hosts.  Stop any firewalls such as Windows Firewall or Anti-Virus Software and execute ping 192.168.1.1 from one of these boxes.

There is nothing in your router config stopping this from being able to work.  If this doesn't work then you have a connectivity problem.

After you have tried to do the ping, whether it has worked or not, execute an "arp -a" on your windows box.... is there an entry for 192.168.1.1 ?  If there is no entry, e.g., it is showing as incomplete then you have a layer 2 problem, need to isolate that first.

ARP is the poor man's ping, even with all the access-lists in the world you will still get an ARP address if Layer 2 is functional.

-Rowan
 
LVL 11

Accepted Solution

by:
rowansmith earned 465 total points
Ok, so you are telling me that you are able to get to the box to manage it via SDM, but you can not ping it from the same host that you are able to manage it from?

It is almost certainly a local firewall (such as windows firewall) preventing a ping from operating.

Right your access lists are up the bawooza (that's a technical term :-)

Execute the following:

interface FastEthernet4
 no ip access-group 102 in
 no ip access-group sdm_fastethernet4_out out
 no ip inspect SDM_LOW out
 exit

That will remove your outbound and inbound access-lists on your T1 interface.

Now you should be able to access the Internet from your internal hosts, everything should work a breeze.... but of course now you are "insecure" as in anything on your internal network can access anything on your external network.  Perhaps not ideal....

Nothing on the outside world can reach your internal network because you do not have any address translations set up so NAT is protecting you to some extent.

Let's get this working and then we can move to building a decent firewall ruleset.

-Rowan
 

Author Comment

by:Crazy_Penguins
Okay,

What I intended on saying is this:

PC can ping cisco
cisco can ping PC

PC can NOT ping our ISP DNS server
cisco can ping our ISP DNS server

PC can NOT resolve DNS for www.google.com
cisco can resolve DNS for www.google.com

I am going to go execute those commands, back in a few!
 

Author Comment

by:Crazy_Penguins
So those commands sure did work - but as I understand it, I now have no firewall, correct?

At this point I only want to achieve two things:
1. Enable a firewall - users need to be able to do normal things - web, mail, POP, FTP, ping, etc.
2. Configure a port-forwarding rule - I need basic how-to (commands) for sending - lets say www traffic to 192.168.1.2 - and of course, how to delete the rule if needed.

Thanks for the quick response :)
 
LVL 11

Assisted Solution

by:rowansmith
rowansmith earned 465 total points
Ok below is my Cisco 1721 config that I have.  Our networks are very similar.

You will be able to take out of this what you want to do....

My Internet facing interface is Dialer0 (yours is FastEthernet 4)

My internal interface is FastEthernet 0 - Yours is Vlan1

I allow SSH inbound to my router and I allow HTTP (80) inbound to my internal windows server located at 192.168.1.7 (well actually I don't but I have added this as an example for you :-)


!-- Setup CBAC Inspection Rules

!-- There are a whole lot of other things that you can enable - you have them all, it doesn't hurt to have them all

!-- I don't bother - TCP and UDP get everything and I only need to worry about layer 7 for FTP.

!-- Note this is about how the box deals with dynamic protocols, the only ones I let out are FTP.

!--

ip cef

ip inspect name myfw tcp

ip inspect name myfw udp

ip inspect name myfw ftp
 

interface FastEthernet0

 ip address 192.168.1.1 255.255.255.0

 ip access-group INT-In in

 ip nat inside

 ip inspect myfw in

 speed auto

!

interface Dialer0

 ip address negotiated <- My ISP give me an IP Address dynamically - you have a static IP address assigned.

 ip access-group EXT-In in

 no ip redirects

 no ip unreachables

 ip nat outside

 encapsulation ppp

 dialer pool 1

 dialer-group 1

 no cdp enable

 ppp pap sent-username XXXXXXXXX@dsl.clear.net.nz password 0 XXXXXXXXXXXXXXX

 ppp ipcp dns request

!
 

!-- This makes every internal connection from inside interface get translated using PAT

!-- for access to an external box.  This is a global translation.

!-- Anything that matches access-list 1 will be NAT'd, anything that does not match access-list 1 will not be NAT'd.

!-- Really you have to NAT everything because you have private IP addresses inside.

ip nat inside source list 1 interface Dialer0 overload
 

!-- this one NAT's my external Dynamically allocated IP address to port 22 on the inside of my router

!-- This allows me to manage my router via SSH from the Internet once I know it's public IP address

ip nat inside source static tcp 192.168.1.1 22 interface Dialer0 22
 

!-- this one would allow port 80 access to a server on my inside network

!-- when someone connects to the outside interface they get translated through to the inside address

ip nat inside source static tcp 192.168.1.7 80 interface dialer0 80
 

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer0

!

!

!-- This is the access-list that goes on the outside interface and lets packets into my network

!-- I only let in port 80 and port 22 if I had no inbound NAT rules then I would have nothing in this list

!-- except deny ip any any.  This Access-List is added to dynamically by the IOS each time a packet is let out of the firewall.

!-- e.g., if you made a connection to microsoft.com, this access list would have added to by the IOS permit any packets BACK from microsoft.com

!-- the dynamically added access-list entries can be seen by doing show ip access-list when the box is running.  They get dynamically deleted when

!-- the communications are finished.

ip access-list extended EXT-In

 permit tcp any any eq 22 log

 deny   ip any any log
 

!-- This accesslist defines what boxes on my internal network are allowed to access the Internet (or the routers interface)

ip access-list extended INT-In

!-- I allow anything on my internal network to telnet http or ssh to the router for management purposes...

 permit ip any host 192.168.1.1

!-- I also allow broadcast because my router is also my DHCP server

 permit ip any host 255.255.255.255

!-- I deny local subnet broadcast - because I just do - this is not necessarily bad or good, but I have nothing on my router that requires 

!-- it to know about the crap that Microsoft Windows sends out.

 deny   ip any host 192.168.1.255

!-- It is good practice to not let out private networks

 deny   ip any 10.0.0.0 0.255.255.255 log

 deny   ip any 172.16.0.0 0.15.255.255 log

 deny   ip any 192.168.0.0 0.0.255.255 log

 deny   ip any 169.254.0.0 0.0.255.255 log

!-- I let out any ICMP - not necessarily best practice but that is what I do..

 permit icmp any any

!-- I let DNS requests go anywhere I damn well please - again should probably be locked down to my upstream DNS Servers

 permit udp any any eq domain

 permit tcp any any eq domain

!-- I allow anything on my internal networks to SSH anywhere in the world

 permit tcp any any eq 22

!-- and FTP and www and https and ntp

 permit tcp any any eq www

 permit tcp any any eq 443

 permit tcp any any eq ftp

 permit udp any any eq ntp

! I have some special stuff here for my VPN to Work (Checkpoint FW-1 VPN)

!-- i just let everything through to the work Firewalls because I could not be bothered defining rules for

!-- ISAKMP, IPSEC etc etc, at the end of the day I trust work given I run the firewalls

 permit ip any host XXX.XXX.35.129

 permit ip any host XXX.XXX.32.4

 permit ip any host XXX.XXX.32.10
 

!-- you also would need something like this to allow HTTP traffic to go back to the Internet for your webserver...

!-- there is probably a better way to do this but I have not experimented with allowing traffic back out.

!-- It would be better to set up another inspection rule in the reverse direction

 permit tcp host 192.168.1.7 eq 80 any gt 1024 established
 

!-- everything else trying to get out I log!

!-- I can check the logs and make sure that I am not stopping legitimate traffic.

 deny   ip any any log
 

access-list 1 permit any

dialer-list 1 protocol ip permit
 

!- I hate CDP well I love it, but when you have two cisco products it is a pretty pointless waste of time and network space...

no cdp run

 
LVL 11

Assisted Solution

by:rowansmith
rowansmith earned 465 total points
oops, EXT-In should look like this:

ip access-list extended EXT-In
 permit tcp any any eq 22 log
 permit tcp any any eq 80 log
 deny   ip any any log

For you the second any should be your fixed Internet IP address.  Because mine is allocated dynamically I have to just allow connections to anything because I have no idea what IP Address my provider is going to dish out.  For the deny, just use any any.

There is a "deny ip any any" at the bottom of every access list anyway, but I like to include it and make it visible as it is easy to forget about it.... also by default it does not log.
 
LVL 11

Assisted Solution

by:rowansmith
rowansmith earned 465 total points
You could also put these at the top of your EXT-In

deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 169.254.0.0 0.0.255.255 any log

That will stop your ISP or other people sending you crap, but they should not be sending you this anyway....  I just included these in my EXT-In it is good practice.

-Rowan
 

Author Comment

by:Crazy_Penguins
Some Questions :)

I'm in over my head, and know it.

I am having a hard time determining what parts are firewall, and what parts are port-forwarding in your configuration example.

As I understand it, I have to
(1) Make a route, to make traffic on a port go from interface to interface - for example port 80  from Fe4 to VLan1
(2) Make an Access list, saying what port can go from where to where - for example myExtIP to myIntIP for port 80
(3) Somehow apply said list in step 2 to the firewall

I may be way off - not sure.

so I see we would allow outgoing traffic like this:
!-- Outgoing traffic, SSH, WWW, HTTPS, FTP, NTP
 permit tcp any any eq 22
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq ftp
 permit udp any any eq ntp
- so what does eq mean here?  and the 'any any'?

and here is that list I was thinking of - if so, how is it different than the next thing in my list?:
!-- Port Forwarding?  or Firewall?
ip access-list extended EXT-In
 permit tcp any any eq 22 log
 permit tcp any any eq 80 log
 deny   ip any any log
Any chance you could break down the 'access-list extended EXT-In' part for me, is half that a list name?

Now this looks like port forwarding, there is an internal IP!:
!- Port Forwarding?
ip nat inside source static tcp 192.168.1.7 80 interface dialer0 80
(I need to change it like so, correct?):
ip nat inside source static tcp 192.168.1.2 80 interface fastEthernet4 80

Last, if we are making changes to a list for firewall - how do we enable/bind it to an interface?  Is it always 'on'?

I assume saving the configuration and write mem will make everything good, correct?

Sorry to be a pain - but I have been using the SonicWALL product for so long - and this is just all so different - in the end I may like it better - but just so different.

Thanks,

Andrew
 

Assisted Solution

by:PerfectPCFix
PerfectPCFix earned 35 total points
Is your DHCP configured? Are your clients set for Auto in Connection Settings?
 

Author Comment

by:Crazy_Penguins
yep - everything is good - just working on the last few questions in the post above yours.
 

Author Comment

by:Crazy_Penguins
I keep screwing with it - look at the config below and see if you can help me determine why 3389 is STILL being blocked to 192.168.1.2

Thanks for helping - my next step is to look for a cliff to jump off of.


Building configuration...
 

Current configuration : 8083 bytes

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname SpectrumCisco

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200 debugging

logging console critical

enable secret 5 $1$NGPp$GmViZ0RBkTrlJJLZhLkvC/

!

no aaa new-model

!

resource policy

!

clock timezone PCTime -8

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

ip subnet-zero

no ip source-route

ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1

!

ip dhcp pool sdm-pool1

   import all

   network 192.168.1.0 255.255.255.0

   dns-server 4.2.2.2 4.2.2.1 

   default-router 192.168.1.1 

!

!

ip tcp synwait-time 10

no ip bootp server

ip domain name cisco.SpectrumMarketing.net

ip name-server 4.2.2.2

ip name-server 4.2.2.1

ip ssh time-out 60

ip ssh authentication-retries 2

ip inspect name SDM_LOW cuseeme

ip inspect name SDM_LOW dns

ip inspect name SDM_LOW ftp

ip inspect name SDM_LOW h323

ip inspect name SDM_LOW https

ip inspect name SDM_LOW icmp

ip inspect name SDM_LOW imap

ip inspect name SDM_LOW pop3

ip inspect name SDM_LOW netshow

ip inspect name SDM_LOW rcmd

ip inspect name SDM_LOW realaudio

ip inspect name SDM_LOW rtsp

ip inspect name SDM_LOW esmtp

ip inspect name SDM_LOW sqlnet

ip inspect name SDM_LOW streamworks

ip inspect name SDM_LOW tftp

ip inspect name SDM_LOW tcp

ip inspect name SDM_LOW udp

ip inspect name SDM_LOW vdolive

!

!

crypto pki trustpoint TP-self-signed-3431502892

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-3431502892

 revocation-check none

 rsakeypair TP-self-signed-3431502892

!

!

crypto pki certificate chain TP-self-signed-3431502892

 certificate self-signed 01

  quit

username valuelogic privilege 15 secret 5 $1$SJpa$PaCLCHR3ab419jOZacZ3I0

!

! 

!

!

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

 description $ES_WAN$$FW_OUTSIDE$

 ip address 207.158.24.230 255.255.255.0

 ip access-group 103 in

 ip verify unicast reverse-path

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 ip nat outside

 ip inspect SDM_LOW out

 ip virtual-reassembly

 ip route-cache flow

 duplex auto

 speed auto

!

interface Vlan1

 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

 ip address 192.168.1.1 255.255.255.0

 ip access-group 100 in

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 ip nat inside

 ip virtual-reassembly

 ip route-cache flow

 ip tcp adjust-mss 1452

!

ip classless

ip route 0.0.0.0 0.0.0.0 207.158.24.225

!

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list 1 interface FastEthernet4 overload

ip nat inside source static tcp 192.168.1.2 3389 interface FastEthernet4 3389

!

ip access-list extended sdm_fastethernet4_out

 remark SDM_ACL Category=1

 permit icmp any any

!

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 100 remark auto generated by SDM firewall configuration

access-list 100 remark SDM_ACL Category=1

access-list 100 deny   ip 207.158.24.0 0.0.0.255 any

access-list 100 deny   ip host 255.255.255.255 any

access-list 100 deny   ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip any any

access-list 101 remark auto generated by Cisco SDM Express firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 permit udp host 4.2.2.1 eq domain host 207.158.24.230

access-list 101 permit udp host 4.2.2.2 eq domain host 207.158.24.230

access-list 101 deny   ip 192.168.1.0 0.0.0.255 any

access-list 101 permit icmp any host 207.158.24.230 echo-reply

access-list 101 permit icmp any host 207.158.24.230 time-exceeded

access-list 101 permit icmp any host 207.158.24.230 unreachable

access-list 101 deny   ip 10.0.0.0 0.255.255.255 any

access-list 101 deny   ip 172.16.0.0 0.15.255.255 any

access-list 101 deny   ip 192.168.0.0 0.0.255.255 any

access-list 101 deny   ip 127.0.0.0 0.255.255.255 any

access-list 101 deny   ip host 255.255.255.255 any

access-list 101 deny   ip host 0.0.0.0 any

access-list 101 deny   ip any any

access-list 102 remark auto generated by SDM firewall configuration

access-list 102 remark SDM_ACL Category=1

access-list 102 permit udp host 4.2.2.1 eq domain host 207.158.24.230

access-list 102 permit udp host 4.2.2.2 eq domain host 207.158.24.230

access-list 102 deny   ip 192.168.1.0 0.0.0.255 any

access-list 102 permit icmp any host 207.158.24.230 echo-reply

access-list 102 permit icmp any host 207.158.24.230 time-exceeded

access-list 102 permit icmp any host 207.158.24.230 unreachable

access-list 102 deny   ip 10.0.0.0 0.255.255.255 any

access-list 102 deny   ip 172.16.0.0 0.15.255.255 any

access-list 102 deny   ip 192.168.0.0 0.0.255.255 any

access-list 102 deny   ip 127.0.0.0 0.255.255.255 any

access-list 102 deny   ip host 255.255.255.255 any

access-list 102 deny   ip host 0.0.0.0 any

access-list 102 deny   ip any any log

access-list 103 remark auto generated by SDM firewall configuration

access-list 103 remark SDM_ACL Category=1

access-list 103 permit udp host 4.2.2.1 eq domain host 207.158.24.230

access-list 103 remark RDP Connection/Firewall

access-list 103 permit tcp any eq 3389 host 192.168.1.2 eq 3389 log

access-list 103 permit udp host 4.2.2.2 eq domain host 207.158.24.230

access-list 103 deny   ip 192.168.1.0 0.0.0.255 any

access-list 103 permit icmp any host 207.158.24.230 echo-reply

access-list 103 permit icmp any host 207.158.24.230 time-exceeded

access-list 103 permit icmp any host 207.158.24.230 unreachable

access-list 103 deny   ip 10.0.0.0 0.255.255.255 any

access-list 103 deny   ip 172.16.0.0 0.15.255.255 any

access-list 103 deny   ip 192.168.0.0 0.0.255.255 any

access-list 103 deny   ip 127.0.0.0 0.255.255.255 any

access-list 103 deny   ip host 255.255.255.255 any

access-list 103 deny   ip host 0.0.0.0 any

access-list 103 deny   ip any any log

no cdp run

!

!

control-plane

!

banner login ^CAuthorized access only!

 Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

 login local

 no modem enable

 transport output telnet

line aux 0

 login local

 transport output telnet

line vty 0 4

 privilege level 15

 login local

 transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

 

Author Comment

by:Crazy_Penguins
side note - I know I now have many access-lists (101, 102, 203) how can I tell what it's really using?

I assume you tell it to use one, or does it automatically use all of them?

 
LVL 11

Assisted Solution

by:rowansmith
rowansmith earned 465 total points
It only uses the ones the you apply to a command or an interface.  You can have as many access-lists as you want and only be using two of them...
 
LVL 11

Assisted Solution

by:rowansmith
rowansmith earned 465 total points
access-list 103 remark RDP Connection/Firewall
access-list 103 permit tcp any eq 3389 host 192.168.1.2 eq 3389 log

Wow.. Ok I just saw all your questions above, I am not going to get to them all for at least the next four hours.  but I will answer them tonight...

Just quickly

ip access-list extended EXT-In
 permit tcp any any eq 22 log
 permit tcp any any eq 80 log
 deny   ip any any log

the first any is the source address, the next any is the destination address the eq means equal.

So this means: allow any source ip address (and therefore any port) to send packets to any destination address on port 22

eq can be gt (greater than) and range (for a range of ports) and I think you can use lt (less than).



 
LVL 11

Assisted Solution

by:rowansmith
rowansmith earned 465 total points
Yes EXT-In is the name of the list.  You could call this My-Access-list

extended lists are required by CBAC (the ip inspect feature).

 

Author Comment

by:Crazy_Penguins
So, then, how do you enable/disable the usage of specific lists?  Say I wanted ListA and ListB active, but not ListC or ListD?

And as a side note, my 3389 is still not working in the above configuration.

I will be at the router again in 12 hours or so.  Time to get some shut-eye.

Thanks for all the help.
0
 
LVL 11

Assisted Solution

by:rowansmith
rowansmith earned 465 total points

interface fastethernet 4
  ip access-group 101 in
  ip access-group 201 out

Now access list 101 is applied to all packets that enter the router in this interface.

Access list 201 is applied to all packets that leave the router on this interface

interface fastethernet 4
no ip access-group 101 in

The access list is now removed from interface FE4.  In the above example we now would only have an "out" access-list still applied to the interface.

Access-lists can also be used to match packets for other purposes such as NATing rules etc...

e.g., in the following example from your config you have:

ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255

Remember that EVERY access list always has a deny any any on the end of it.

So in the above example access-list 1 is being used to decide which IP addresses should be NAT'd. In your case it is EVERYTHING on the internal network. But now imagine the scenario where you had the setup below.

Now your router has an IP address, but you also have real-world IP addresses inside your network and you do not want these NAT'd...

Let's say that you do not want to NAT traffic that is destined for the 192.168.2.0 network; then your access-list 1 would not work and you would have to use an access list 100. Access lists 1-99 only allow a source address to be specified.

access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

So now anything from 192.168.1.0/24 destined to anywhere except 192.168.2.0/24 will match this access list. Everything else will be denied.

Denied in this instance means that it will NOT be NAT'd, because this ACL is applied to a NAT rule.

And the REMARK fields are just comments, you can put whatever you want in here, they are designed to make your access-list readable.

-Rowan





                                    |- 202.14.100.0/24
   Internet --Router -- Router -----|
                |                   |- 192.168.1.0/24
            192.168.2.0/24

0
 
LVL 11

Assisted Solution

by:rowansmith
rowansmith earned 465 total points
Your 3389 rule needs to look like this:

access-list 103 permit tcp any host 207.158.24.230 eq 3389

This allows packets into the router from any host destined for your external interface on port 3389.

Your NAT rule looks good.

Remember that access-list 100 is effectively
permit ip any any
so you are wide open for anything on your internal network to connect to the outside world.

Access-list 100 is applied to vlan1 (your internal network).

Let's have a look at access-list 100 in detail:

access-list 100 deny   ip 207.158.24.0 0.0.0.255 any
!-- Anything FROM a machine with the IP 207.158.24.0 - 255 will be DENIED from entering the router on VLAN1
access-list 100 deny   ip host 255.255.255.255 any
!-- Anything FROM a machine with the IP 255.255.255.255 will be DENIED from entering the router on VLAN1
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
!-- Anything from localhost will be denied from entering the router
access-list 100 permit ip any any
!-- Everything else will be permitted.....
e.g., some trojan running wild on your internal network will be able to connect to any web server in the world, or any email server in the world, or any IRC server, etc. etc. etc.

This line:
access-list 100 deny   ip 207.158.24.0 0.0.0.255 any

is quite pointless; you should never have this stuff on your internal network anyway.....

So your access-list could be better written by just saying:

deny ip 192.168.1.0 0.0.0.255 host 255.255.255.255
permit ip 192.168.1.0 0.0.0.255 any
deny ip any any

Although this is still not a good outbound access list. You should really consider applying a list similar to the one I have shown you above in the INT-In example.

-Rowan


0
 
LVL 11

Assisted Solution

by:rowansmith
rowansmith earned 465 total points
And yes a "write mem" saves everything.

In my example INT-In means:

Internal INterface - Inbound to Router

and EXT-In means:

External INterface - Inbound to Router

You could possibly also have EXT-Out and INT-Out

In fact you probably should if you are doing 3389 traffic and want it to go back dynamically, for this you would need another inspection rule for inbound traffic, I will do you up an example.

-Rowan
0
 
LVL 11

Assisted Solution

by:rowansmith
rowansmith earned 465 total points
OK, I tested the RDP to my computer today and you only need to add an ip inspect <firewallname> in the reverse direction for each interface.

So my config looks like the one below.
Building configuration...

Current configuration : 3865 bytes
!
! Last configuration change at 00:28:52 UTC Wed Nov 21 2007 by admin
! NVRAM config last updated at 18:44:13 UTC Mon Nov 19 2007 by admin
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname c1720
!
boot-start-marker
boot-end-marker
!
no logging buffered
logging rate-limit console 100
logging console errors
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local
aaa session-id common
ip subnet-zero
!
!
ip domain name home.smith.gen.nz
ip name-server 203.97.33.1
ip name-server 203.97.37.1
ip dhcp excluded-address 192.168.1.1 192.168.1.63
ip dhcp excluded-address 192.168.1.250 192.168.1.255
!
ip dhcp pool Home-Pool
   network 192.168.1.0 255.255.255.0
   domain-name home.smith.gen.nz
   default-router 192.168.1.1
   dns-server 203.97.33.1 203.97.37.1
   update arp
!
no ip bootp server
ip cef
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw ftp
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
!
username admin password 0 rowan99
!
!
ip ssh authentication-retries 2
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Ethernet0
 no ip address
 shutdown
 full-duplex
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip access-group INT-In in
 ip nat inside
 ip inspect myfw in
 ip inspect myfw out
 speed auto
!
interface Virtual-Template1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 peer default ip address pool vpnpool
 ppp authentication pap
!
interface Dialer0
 ip address negotiated
 ip access-group EXT-In in
 no ip redirects
 no ip unreachables
 ip nat outside
 ip inspect myfw out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username XXXXXXXXXXXXXXX@dsl.clear.net.nz password 0 XXXXXXXXXXXX
 ppp ipcp dns request
!
ip local pool vpnpool 192.168.2.10 192.168.2.20
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.68 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.1.1 22 interface Dialer0 22
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.2.0 255.255.255.0 192.168.1.74
ip http server
no ip http secure-server
!
!
!
ip access-list extended EXT-In
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 permit tcp any any eq 22 log
 permit tcp any any eq 3389 log
 deny   ip any any log
ip access-list extended INT-In
 permit ip any host 192.168.1.1
 permit ip any host 255.255.255.255
 deny   ip any host 192.168.1.255
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 deny   ip any 169.254.0.0 0.0.255.255 log
 permit icmp any any
 permit udp any any eq domain
 permit tcp any any eq domain
 permit tcp any any eq 22
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq ftp
 permit udp any any eq ntp
 permit ip any host 203.144.35.129
 permit ip any host 203.144.32.4
 permit ip any host 203.144.32.10
 deny   ip any any log
logging 192.168.1.68
access-list 1 permit any
dialer-list 1 protocol ip permit
no cdp run
!
snmp-server community XXXXXXXXXXXXXXXXXXXXX RO
snmp-server enable traps tty
!
!
line con 0
line aux 0
line vty 0 4
 password XXXXXXXXXXXXXXX
 transport input all
!
end

0
 

Author Comment

by:Crazy_Penguins
So this is where I am at now; I think it's down to something simple. RDP is still not working.
1- How to fix RDP?
2- I should have my firewall configured now, correct?
3- How do I get rid of access lists 101 and 102, as I don't use them now?

Current configuration below.

Again, thanks for the help / crash course in Cisco.


Building configuration...

Current configuration : 7687 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SpectrumCisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$NGPp$GmViZ0RBkTrlJJLZhLkvC/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 4.2.2.2 4.2.2.1
   default-router 192.168.1.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name cisco.SpectrumMarketing.net
ip name-server 4.2.2.2
ip name-server 4.2.2.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
crypto pki trustpoint TP-self-signed-3431502892
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3431502892
 revocation-check none
 rsakeypair TP-self-signed-3431502892
!
!
crypto pki certificate chain TP-self-signed-3431502892
 certificate self-signed 01
  30820263 308201CC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33343331 35303238 3932301E 170D3032 30333031 30303037
  31305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34333135
  30323839 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100BCED 38D2F9EE 4E394FB5 6CF78F5A AB09A7E1 D6377F88 3E3D2C0A 9F3D6332
  CC9F1F30 81188AE1 0EB376CE 8F6B8715 3172A3AD 2FFE4BFB 4C011559 2663B095
  FB654517 2F490697 3A21791D 4C94903D 5F91AB54 48BF1A39 FAC35DDB E68D1F85
  05881BB8 0E9FE478 0E08341F F28F4B45 883ADB99 61C7D6C3 64EAEEDA C72764C8
  79990203 010001A3 818A3081 87300F06 03551D13 0101FF04 05300301 01FF3034
  0603551D 11042D30 2B822953 70656374 72756D43 6973636F 2E636973 636F2E53
  70656374 72756D4D 61726B65 74696E67 2E6E6574 301F0603 551D2304 18301680
  14301FF9 84C5A8F8 F3BCF7D0 3FCB480F 58AE10FB 93301D06 03551D0E 04160414
  301FF984 C5A8F8F3 BCF7D03F CB480F58 AE10FB93 300D0609 2A864886 F70D0101
  04050003 818100A3 5CFB9C38 621BD01C 017DAB83 9B88E72E 074CE467 5598BA34
  8B46631E 3BADD90A E3E8BFF7 25948537 34E451CD 6E4A2292 A6AF5AAB C63FF99D
  65E0D4F6 8619D13C 72610DB1 21FBCEE3 B0DF9A1F 83604317 5F3B41E2 A6965921
  359151DA CC0A3097 0F7D977E 09C3D41B 08171E66 0A583C80 0ED3DC1D 155EEAF8
  51B042FE 9E6E33
  quit
username valuelogic privilege 15 secret 5 $1$SJpa$PaCLCHR3ab419jOZacZ3I0
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 207.158.24.230 255.255.255.0
 ip access-group EXT-In in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group INT-In in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 207.158.24.225
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.2 3389 interface FastEthernet4 3389
!
ip access-list extended EXT-In
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 permit tcp any any eq 22 log
 permit tcp any any eq 3389 log
 deny   ip any any log
ip access-list extended INT-In
 permit ip any host 192.168.1.1
 permit ip any host 255.255.255.255
 deny   ip any host 192.168.1.255
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 deny   ip any 169.254.0.0 0.0.255.255 log
 permit icmp any any
 permit udp any any eq domain
 permit tcp any any eq domain
 permit tcp any any eq 3389
 permit tcp any any eq 22
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq ftp
 permit udp any any eq ntp
 deny   ip any any log
ip access-list extended sdm_fastethernet4_out
 remark SDM_ACL Category=1
 permit icmp any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 4.2.2.1 eq domain host 207.158.24.230
access-list 101 permit udp host 4.2.2.2 eq domain host 207.158.24.230
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 207.158.24.230 echo-reply
access-list 101 permit icmp any host 207.158.24.230 time-exceeded
access-list 101 permit icmp any host 207.158.24.230 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp host 4.2.2.1 eq domain host 207.158.24.230
access-list 102 permit udp host 4.2.2.2 eq domain host 207.158.24.230
access-list 102 deny   ip 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp any host 207.158.24.230 echo-reply
access-list 102 permit icmp any host 207.158.24.230 time-exceeded
access-list 102 permit icmp any host 207.158.24.230 unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

0
 

Author Comment

by:Crazy_Penguins
On a side note, when I look in the firewall log, I don't see anything blocked on 3389, where as before I did...
0
 

Author Comment

by:Crazy_Penguins
I have also tried setting up a telnet server on the host, thinking the RDP was whack; same results.

Modified configuration below for telnet/ssh.


Building configuration...

Current configuration : 7981 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SpectrumCisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$NGPp$GmViZ0RBkTrlJJLZhLkvC/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 4.2.2.2 4.2.2.1
   default-router 192.168.1.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name cisco.SpectrumMarketing.net
ip name-server 4.2.2.2
ip name-server 4.2.2.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
crypto pki trustpoint TP-self-signed-3431502892
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3431502892
 revocation-check none
 rsakeypair TP-self-signed-3431502892
!
!
crypto pki certificate chain TP-self-signed-3431502892
 certificate self-signed 01
  30820263 308201CC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33343331 35303238 3932301E 170D3032 30333031 30303037
  31305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34333135
  30323839 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100BCED 38D2F9EE 4E394FB5 6CF78F5A AB09A7E1 D6377F88 3E3D2C0A 9F3D6332
  CC9F1F30 81188AE1 0EB376CE 8F6B8715 3172A3AD 2FFE4BFB 4C011559 2663B095
  FB654517 2F490697 3A21791D 4C94903D 5F91AB54 48BF1A39 FAC35DDB E68D1F85
  05881BB8 0E9FE478 0E08341F F28F4B45 883ADB99 61C7D6C3 64EAEEDA C72764C8
  79990203 010001A3 818A3081 87300F06 03551D13 0101FF04 05300301 01FF3034
  0603551D 11042D30 2B822953 70656374 72756D43 6973636F 2E636973 636F2E53
  70656374 72756D4D 61726B65 74696E67 2E6E6574 301F0603 551D2304 18301680
  14301FF9 84C5A8F8 F3BCF7D0 3FCB480F 58AE10FB 93301D06 03551D0E 04160414
  301FF984 C5A8F8F3 BCF7D03F CB480F58 AE10FB93 300D0609 2A864886 F70D0101
  04050003 818100A3 5CFB9C38 621BD01C 017DAB83 9B88E72E 074CE467 5598BA34
  8B46631E 3BADD90A E3E8BFF7 25948537 34E451CD 6E4A2292 A6AF5AAB C63FF99D
  65E0D4F6 8619D13C 72610DB1 21FBCEE3 B0DF9A1F 83604317 5F3B41E2 A6965921
  359151DA CC0A3097 0F7D977E 09C3D41B 08171E66 0A583C80 0ED3DC1D 155EEAF8
  51B042FE 9E6E33
  quit
username valuelogic privilege 15 secret 5 $1$SJpa$PaCLCHR3ab419jOZacZ3I0
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 207.158.24.230 255.255.255.0
 ip access-group EXT-In in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group INT-In in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 207.158.24.225
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.2 23 interface FastEthernet4 23
ip nat inside source static tcp 192.168.1.2 22 interface FastEthernet4 22
ip nat inside source static tcp 192.168.1.2 3389 interface FastEthernet4 3389
ip nat inside source static udp 192.168.1.2 3389 interface FastEthernet4 3389
!
ip access-list extended EXT-In
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 permit tcp any any eq 22 log
 permit tcp any any eq 3389 log
 deny   ip any any log
 permit tcp any any eq telnet log
ip access-list extended INT-In
 permit ip any host 192.168.1.1
 permit ip any host 255.255.255.255
 deny   ip any host 192.168.1.255
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 deny   ip any 169.254.0.0 0.0.255.255 log
 permit icmp any any
 permit udp any any eq domain
 permit tcp any any eq domain
 permit tcp any any eq 3389
 permit tcp any any eq 22
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq ftp
 permit udp any any eq ntp
 deny   ip any any log
 permit tcp any any eq telnet log
ip access-list extended sdm_fastethernet4_out
 remark SDM_ACL Category=1
 permit icmp any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 4.2.2.1 eq domain host 207.158.24.230
access-list 101 permit udp host 4.2.2.2 eq domain host 207.158.24.230
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 207.158.24.230 echo-reply
access-list 101 permit icmp any host 207.158.24.230 time-exceeded
access-list 101 permit icmp any host 207.158.24.230 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp host 4.2.2.1 eq domain host 207.158.24.230
access-list 102 permit udp host 4.2.2.2 eq domain host 207.158.24.230
access-list 102 deny   ip 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp any host 207.158.24.230 echo-reply
access-list 102 permit icmp any host 207.158.24.230 time-exceeded
access-list 102 permit icmp any host 207.158.24.230 unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

0
 

Author Comment

by:Crazy_Penguins
Another side-note, when on the pc at 192.168.1.1 I CAN ssh to 207.158.24.230 fine, but not from another location on the internet.
0
 
LVL 11

Assisted Solution

by:rowansmith
rowansmith earned 465 total points
See the deny ip any any in your EXT-In access list at line 7?

This will deny everything except what is permitted above it. So all the entries underneath it will not be getting used; e.g., your telnet entry will never be hit. The order of entries in the access list is critical.

To remove an access-list you just say:

no access-list 102

In an extended access-list you can edit lines directly in the access-list; however, to do this you need to give each access-list entry a number. This is what my access-list looks like on paper (notepad); I can just cut-n-paste this to the router...

! -----------------------------------------------------
! Allows traffic into the router from the External Network
no ip access-list extended EXT-In
ip access-list extended EXT-In
  !-- Deny inbound packets sourced from private (RFC 1918) and link-local address space

  10 deny ip 10.0.0.0 0.255.255.255 any log
  20 deny ip 172.16.0.0 0.15.255.255 any log
  30 deny ip 192.168.0.0 0.0.255.255 any log
  40 deny ip 169.254.0.0 0.0.255.255 any log

  !-- Permits - For inbound Management to the Router
  !-- Also needs a NAT Translation - Why!?!?!
  400 permit tcp any any eq 22 log

  500 permit tcp any any eq 3389 log
 
  ! We do not allow anything inbound by default and we log attempts
  10000 deny ip any any log
  exit

When you blow away an access-list all existing connections set up by the firewall inspection rule are blown away so this can cause outages.  Not only that when you remove the access list you are potentially open to attack from the Internet....

By numbering your entries in the extended access list you can remove specific entries as follows:

ip access-list extended EXT-In
 no 10 <cr>
 no 20 <cr>

and you can add entries where ever you want in the access-list such as:

ip access-list extended EXT-In
 9999 permit ip any any log

Will insert a permit statement BEFORE the deny statement.

This allows you to modify your accesslist on the fly in real-time.

I usually just do a no access-list and replace the entire access-list in one go.  But sometimes I do use the line feature.

I suspect that your RDP is stopping because you do not have an inspect statement on your external interface.  So there is nothing to reflect your RDP flow onto the INT-In interface.

interface vlan1
  ip inspect <fire_wall_name> out

Do a sh ip access-lists and you will see the added commands... have a look at this example....

c1720#sh ip access-lists
Standard IP access list 1
    10 permit any (629013 matches)
Extended IP access list EXT-In
     permit tcp host 203.167.223.235 eq www host 121.72.160.51 eq 53052 (8 matches)
     permit tcp host 209.85.173.18 eq www host 121.72.160.51 eq 53355 (3 matches)
     permit tcp host 209.85.173.18 eq www host 121.72.160.51 eq 53354 (3 matches)
     permit tcp host 209.85.173.18 eq www host 121.72.160.51 eq 53352 (9 matches)
     permit tcp host 209.85.173.18 eq www host 121.72.160.51 eq 53345 (9 matches)
    10 deny ip 10.0.0.0 0.255.255.255 any log
    20 deny ip 172.16.0.0 0.15.255.255 any log
    30 deny ip 192.168.0.0 0.0.255.255 any log
    40 deny ip 169.254.0.0 0.0.255.255 any log
    400 permit tcp any any eq 22 log (21 matches)
    500 permit tcp any any eq 3389 log (17 matches)
    10000 deny ip any any log (504 matches)
Extended IP access list INT-In
    500 permit ip any host 192.168.1.1 (219834 matches)
    600 permit ip any host 255.255.255.255 (1773 matches)
    1000 deny ip any host 192.168.1.255 (113402 matches)
    1100 deny ip any 10.0.0.0 0.255.255.255 log (3 matches)
    1200 deny ip any 172.16.0.0 0.15.255.255 log
    1300 deny ip any 192.168.0.0 0.0.255.255 log
    1400 deny ip any 169.254.0.0 0.0.255.255 log (76 matches)
    2000 permit icmp any any (111 matches)
    2100 permit udp any any eq domain (390129 matches)
    2200 permit tcp any any eq domain (1369 matches)
    2300 permit tcp any any eq 22 (1178 matches)
    2400 permit tcp any any eq www (4291193 matches)
    2500 permit tcp any any eq 443 (126683 matches)
    2600 permit tcp any any eq ftp
    2700 permit udp any any eq ntp (61 matches)
    2800 permit ip any host 203.144.35.129
    2900 permit ip any host 203.144.32.4
    3000 permit ip any host 203.144.32.10
    90000 deny ip any any log (1537 matches)
c1720#

See the entries at the top of ACL EXT-In - those were added dynamically by the CBAC and exist because a computer on my inside network has connected to the internet (web browsing).

Now I will connect to my computer from a remote host using RDP....

Extended IP access list EXT-In
     permit tcp host 210.18.204.2 eq 22 host 121.72.160.51 eq 53367 (47 matches)
     permit tcp host 209.85.173.19 eq www host 121.72.160.51 eq 53370 (9 matches)
     permit tcp host 209.85.173.19 eq www host 121.72.160.51 eq 53369 (3 matches)
     permit tcp host 209.85.173.19 eq www host 121.72.160.51 eq 53368 (3 matches)
     permit tcp host 63.245.209.21 eq www host 121.72.160.51 eq 4705 (8 matches)
     permit tcp host 63.245.209.21 eq www host 121.72.160.51 eq 4700 (8 matches)
     permit tcp host 203.167.223.235 eq www host 121.72.160.51 eq 53052 (8 matches)
     permit udp host 203.97.37.1 eq domain host 121.72.160.51 eq 1114
     permit udp host 203.97.33.1 eq domain host 121.72.160.51 eq 1114 (18 matches)
    10 deny ip 10.0.0.0 0.255.255.255 any log
    20 deny ip 172.16.0.0 0.15.255.255 any log
    30 deny ip 192.168.0.0 0.0.255.255 any log
    40 deny ip 169.254.0.0 0.0.255.255 any log
    400 permit tcp any any eq 22 log (21 matches)
    500 permit tcp any any eq 3389 log (19 matches)
    10000 deny ip any any log (504 matches)
Extended IP access list INT-In
     permit tcp host 192.168.1.68 eq 3389 host 210.18.204.2 eq 39493
    500 permit ip any host 192.168.1.1 (222813 matches)
    600 permit ip any host 255.255.255.255 (1773 matches)
    1000 deny ip any host 192.168.1.255 (113429 matches)
    1100 deny ip any 10.0.0.0 0.255.255.255 log (3 matches)
    1200 deny ip any 172.16.0.0 0.15.255.255 log
    1300 deny ip any 192.168.0.0 0.0.255.255 log
    1400 deny ip any 169.254.0.0 0.0.255.255 log (76 matches)
    2000 permit icmp any any (111 matches)
    2100 permit udp any any eq domain (390210 matches)
    2200 permit tcp any any eq domain (1369 matches)
    2300 permit tcp any any eq 22 (1238 matches)
    2400 permit tcp any any eq www (4291386 matches)
    2500 permit tcp any any eq 443 (126683 matches)
    2600 permit tcp any any eq ftp
    2700 permit udp any any eq ntp (61 matches)
    2800 permit ip any host 203.144.35.129
    2900 permit ip any host 203.144.32.4
    3000 permit ip any host 203.144.32.10
    90000 deny ip any any log (1537 matches)


Now I ssh'd to a machine in Australia - so you can see the dynamic addition of my outbound ssh session at the top of EXT-In - this is to make sure that the packets can get back in.  CBAC (ip inspect) takes care of this.

When I got to my box in Australia via ssh, I did a telnet to port 3389.... Now you can see at the top of access-list INT-In that a dynamic entry has been made to let connections back out of my internal network for the 3389 service.

Also of interest, although I have enabled RDP on my Vista box, this actually doesn't work because Vista is blocking it... so be aware that you might also have a personal firewall stopping connections.  I ran Wireshark on the Vista box with RDP enabled and I could see the SYNs arriving on the box for port 3389 but not doing anything with them.  I have not investigated what I need to do to get Vista to accept connections from off-LAN - I can RDP to it just fine from a box on 192.168.1.0/24...

Yes, you can ssh from the internal network to the outside address; this is intercepted at a different level in the stack on the Cisco.  To protect the Cisco directly you have to apply different rules because the box's primary function is a router, not an ssh host.

-Rowan

Hope that helps....
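A small model of the behaviour Rowan describes, added here as an example and not code from the post: it parses a constructed excerpt of the EXT-In listing above (the sequence-less CBAC entry plus a few static entries) and evaluates packets top-down, so you can see which entry a returning SSH packet, an unsolicited RDP connection and a spoofed RFC 1918 source each hit. The port-name table and the packet tuples are assumptions of the example.

```python
# Added example, not from the original post; EXT_IN is a constructed excerpt.
import ipaddress
import re

ADDR = r"(any|host \S+|\S+ \S+)"
ACE_RE = re.compile(rf"^\s*(?:(\d+)\s+)?(permit|deny)\s+(\w+)\s+{ADDR}"
                    rf"(?:\s+eq\s+(\S+))?\s+{ADDR}(?:\s+eq\s+(\S+))?")
PORTS = {"www": 80, "domain": 53, "ftp": 21, "ntp": 123}  # names IOS prints

# First line has no sequence number because CBAC inserted it for the SSH session.
EXT_IN = """\
     permit tcp host 210.18.204.2 eq 22 host 121.72.160.51 eq 53367 (47 matches)
    30 deny ip 192.168.0.0 0.0.255.255 any log
    400 permit tcp any any eq 22 log (21 matches)
    500 permit tcp any any eq 3389 log (19 matches)
    10000 deny ip any any log (504 matches)
"""

def _net(token):
    """'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' -> ip_network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token[5:])
    addr, wildcard = token.split()  # contiguous wildcard mask assumed
    prefixlen = 32 - bin(int(ipaddress.ip_address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)

def _port(token):
    return None if token is None else PORTS.get(token) or int(token)

def parse_acl(text):
    """ACEs in listing order as (dynamic, action, proto, src, sport, dst, dport)."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            seq, action, proto, src, sport, dst, dport = m.groups()
            aces.append((seq is None, action, proto, _net(src), _port(sport),
                         _net(dst), _port(dport)))
    return aces

def evaluate(aces, proto, src, sport, dst, dport):
    """First match wins; returns (action, matched_a_dynamic_entry)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for dynamic, action, aproto, snet, sp, dnet, dp in aces:
        if (aproto in ("ip", proto) and src in snet and dst in dnet
                and sp in (None, sport) and dp in (None, dport)):
            return action, dynamic
    return "deny", False  # IOS implicit deny at the end of every ACL
```

Remove the first line of EXT_IN (as happens when the SSH session times out) and the same reply packet falls through to the final deny, which is why CBAC is needed at all.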
Author Comment

by:Crazy_Penguins
Wound up not using this box.  Used a SonicWALL instead - not because the help here was not good, but because I am more familiar with the product.

Thanks for the help