Crazy_Penguins
asked on
Basic Router Config / Cisco 800 Series
Router can ping internet, LAN computers can not browse web or ping internet
For example, from the CLI on the Cisco box, if I ping google, all is good - however if I try to ping from a LAN computer, nothing - also can't browse internet from LAN computers (aka not ICMP issues).
Really in a bit over my head with this router configuration - but trying to pan it out. Could it be as simple as NAT not being configured?
My current configuration below.
Current configuration : 7213 bytes
!
! Last configuration change at 15:29:38 PCTime Sat Jun 21 2008 by valuelogic
! NVRAM config last updated at 15:29:54 PCTime Sat Jun 21 2008 by valuelogic
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SpectrumCisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$NGPp$GmViZ0RBkTrlJJLZhLkvC/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool sdm-pool1
import all
network 192.168.1.0 255.255.255.0
dns-server 4.2.2.2 4.2.2.1
default-router 192.168.1.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name cisco.SpectrumMarketing.net
ip name-server 4.2.2.2
ip name-server 4.2.2.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
crypto pki trustpoint TP-self-signed-3431502892
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3431502892
revocation-check none
rsakeypair TP-self-signed-3431502892
!
!
crypto pki certificate chain TP-self-signed-3431502892
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343331 35303238 3932301E 170D3032 30333031 30303037
31355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34333135
30323839 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BCED 38D2F9EE 4E394FB5 6CF78F5A AB09A7E1 D6377F88 3E3D2C0A 9F3D6332
CC9F1F30 81188AE1 0EB376CE 8F6B8715 3172A3AD 2FFE4BFB 4C011559 2663B095
FB654517 2F490697 3A21791D 4C94903D 5F91AB54 48BF1A39 FAC35DDB E68D1F85
05881BB8 0E9FE478 0E08341F F28F4B45 883ADB99 61C7D6C3 64EAEEDA C72764C8
79990203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
301F0603 551D2304 18301680 14301FF9 84C5A8F8 F3BCF7D0 3FCB480F 58AE10FB
93301D06 03551D0E 04160414 301FF984 C5A8F8F3 BCF7D03F CB480F58 AE10FB93
300D0609 2A864886 F70D0101 04050003 81810043 F431E81C 40F87FE4 6DDC3390
FC30B840 70FF77E8 FD3DA633 808ACDF7 8575DA90 D180EA6B E7340CF1 31435038
E5EDA463 27C15C8B 843FE5E6 4B0346BF 7AC87152 34FB531F 0788E35A 67B2A8A1
50097D17 8643F8CC BC657B3C 0CCD3B62 7E057E60 18D60AA8 37A44B9B 87707E2D
ABC469F6 FAC7A854 460B95C9 6FA23C51 D31E84
quit
username valuelogic privilege 15 secret 5 $1$SJpa$PaCLCHR3ab419jOZacZ3I0
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address 207.158.24.230 255.255.255.0
ip access-group 102 in
ip access-group sdm_fastethernet4_out out
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 207.158.24.225
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended sdm_fastethernet4_out
remark SDM_ACL Category=1
permit icmp any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 207.158.24.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 4.2.2.1 eq domain host 207.158.24.230
access-list 101 permit udp host 4.2.2.2 eq domain host 207.158.24.230
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 207.158.24.230 echo-reply
access-list 101 permit icmp any host 207.158.24.230 time-exceeded
access-list 101 permit icmp any host 207.158.24.230 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp host 4.2.2.1 eq domain host 207.158.24.230
access-list 102 permit udp host 4.2.2.2 eq domain host 207.158.24.230
access-list 102 deny ip 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp any host 207.158.24.230 echo-reply
access-list 102 permit icmp any host 207.158.24.230 time-exceeded
access-list 102 permit icmp any host 207.158.24.230 unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
SOLUTION
This solution is only available to members.
SOLUTION
This solution is only available to members.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Okay,
What I intended on saying is this:
PC can ping cisco
cisco can ping PC
PC can NOT ping our ISP DNS server
cisco can ping our ISP DNS server
PC can NOT resolve DNS for www.google.com
cisco can resolve DNS for www.google.com
I am going to go execute those commands, back in a few!
ASKER
So those commands sure did work - but as I understand it, I now have no firewall, correct?
At this point I only want to achieve two things:
1. Enable a firewall - users need to be able to do normal things - web, mail, POP, FTP, ping, etc.
2. Configure a port-forwarding rule - I need a basic how-to (commands) for sending - let's say www traffic to 192.168.1.2 - and of course, how to delete the rule if needed.
Thanks for the quick response :)
SOLUTION
This solution is only available to members.
SOLUTION
This solution is only available to members.
SOLUTION
This solution is only available to members.
ASKER
Some Questions :)
I'm in over my head, and know it.
I am having a hard time determining what parts are firewall, and what parts are port-forwarding in your configuration example.
As I understand it, I have to
(1) Make a route, to make traffic on a port go from interface to interface - for example port 80 from Fe4 to VLan1
(2) Make an access list, saying what port can go from where to where - for example myExtIP to myIntIP for port 80
(3) Somehow apply said list in step 2 to the firewall
I may be way off - not sure.
So I see we would allow outgoing traffic like this:
!-- Outgoing traffic, SSH, WWW, HTTPS, FTP, NTP
permit tcp any any eq 22
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq ftp
permit udp any any eq ntp
So what does eq mean here? And the 'any any'?
and here is that list I was thinking of - if so, how is it different than the next thing in my list?:
!-- Port Forwarding? or Firewall?
ip access-list extended EXT-In
permit tcp any any eq 22 log
permit tcp any any eq 80 log
deny ip any any log
Any chance you could break down the 'access-list extended EXT-In' part for me, is half that a list name?
Now this looks like port forwarding, there is an internal IP!:
!- Port Forwarding?
ip nat inside source static tcp 192.168.1.7 80 interface dialer0 80
(I need to change it like so, correct?):
ip nat inside source static tcp 192.168.1.2 80 interface fastEthernet4 80
Last, if we are making changes to a list for firewall - how do we enable/bind it to an interface? Is it always 'on'?
I assume saving the configuration and write mem will make everything good, correct?
Sorry to be a pain - but I have been using the SonicWALL product for so long - and this is just all so different - in the end I may like it better - but just so different.
Thanks,
Andrew
SOLUTION
This solution is only available to members.
ASKER
Yep - everything is good - just working on the last few questions in the post above yours.
ASKER
I keep screwing with it - look at the config below and see if you can help me determine why 3389 is STILL being blocked to 192.168.1.2.
Thanks for helping - my next step is to look for a cliff to jump off of.
Building configuration...
Current configuration : 8083 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SpectrumCisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$NGPp$GmViZ0RBkTrlJJLZhLkvC/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool sdm-pool1
import all
network 192.168.1.0 255.255.255.0
dns-server 4.2.2.2 4.2.2.1
default-router 192.168.1.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name cisco.SpectrumMarketing.net
ip name-server 4.2.2.2
ip name-server 4.2.2.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
crypto pki trustpoint TP-self-signed-3431502892
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3431502892
revocation-check none
rsakeypair TP-self-signed-3431502892
!
!
crypto pki certificate chain TP-self-signed-3431502892
certificate self-signed 01
30820263 308201CC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343331 35303238 3932301E 170D3032 30333031 30303037
31305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34333135
30323839 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BCED 38D2F9EE 4E394FB5 6CF78F5A AB09A7E1 D6377F88 3E3D2C0A 9F3D6332
CC9F1F30 81188AE1 0EB376CE 8F6B8715 3172A3AD 2FFE4BFB 4C011559 2663B095
FB654517 2F490697 3A21791D 4C94903D 5F91AB54 48BF1A39 FAC35DDB E68D1F85
05881BB8 0E9FE478 0E08341F F28F4B45 883ADB99 61C7D6C3 64EAEEDA C72764C8
79990203 010001A3 818A3081 87300F06 03551D13 0101FF04 05300301 01FF3034
0603551D 11042D30 2B822953 70656374 72756D43 6973636F 2E636973 636F2E53
70656374 72756D4D 61726B65 74696E67 2E6E6574 301F0603 551D2304 18301680
14301FF9 84C5A8F8 F3BCF7D0 3FCB480F 58AE10FB 93301D06 03551D0E 04160414
301FF984 C5A8F8F3 BCF7D03F CB480F58 AE10FB93 300D0609 2A864886 F70D0101
04050003 818100A3 5CFB9C38 621BD01C 017DAB83 9B88E72E 074CE467 5598BA34
8B46631E 3BADD90A E3E8BFF7 25948537 34E451CD 6E4A2292 A6AF5AAB C63FF99D
65E0D4F6 8619D13C 72610DB1 21FBCEE3 B0DF9A1F 83604317 5F3B41E2 A6965921
359151DA CC0A3097 0F7D977E 09C3D41B 08171E66 0A583C80 0ED3DC1D 155EEAF8
51B042FE 9E6E33
quit
username valuelogic privilege 15 secret 5 $1$SJpa$PaCLCHR3ab419jOZacZ3I0
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address 207.158.24.230 255.255.255.0
ip access-group 103 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 207.158.24.225
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.2 3389 interface FastEthernet4 3389
!
ip access-list extended sdm_fastethernet4_out
remark SDM_ACL Category=1
permit icmp any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 207.158.24.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 4.2.2.1 eq domain host 207.158.24.230
access-list 101 permit udp host 4.2.2.2 eq domain host 207.158.24.230
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 207.158.24.230 echo-reply
access-list 101 permit icmp any host 207.158.24.230 time-exceeded
access-list 101 permit icmp any host 207.158.24.230 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp host 4.2.2.1 eq domain host 207.158.24.230
access-list 102 permit udp host 4.2.2.2 eq domain host 207.158.24.230
access-list 102 deny ip 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp any host 207.158.24.230 echo-reply
access-list 102 permit icmp any host 207.158.24.230 time-exceeded
access-list 102 permit icmp any host 207.158.24.230 unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit udp host 4.2.2.1 eq domain host 207.158.24.230
access-list 103 remark RDP Connection/Firewall
access-list 103 permit tcp any eq 3389 host 192.168.1.2 eq 3389 log
access-list 103 permit udp host 4.2.2.2 eq domain host 207.158.24.230
access-list 103 deny ip 192.168.1.0 0.0.0.255 any
access-list 103 permit icmp any host 207.158.24.230 echo-reply
access-list 103 permit icmp any host 207.158.24.230 time-exceeded
access-list 103 permit icmp any host 207.158.24.230 unreachable
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
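The questions in this thread ("what does eq mean", "and the 'any any'?", why the 3389 line in access-list 103 is never hit) all come down to how IOS walks an access list: top to bottom, first matching entry wins, and anything that matches nothing is dropped by the implicit deny. The following is an added example, not code from the thread or from Cisco, that implements exactly that matching for the subset of access-list syntax used on this page (any / host / address-plus-wildcard, optional eq PORT, a trailing log keyword that only affects logging) and runs it over excerpts of the page's own lists: access-list 103 and EXT-In from the later config, and sdm_fastethernet4_out from the first config. The packets are constructed; 198.51.100.10 is a documentation address standing in for an RDP client. Two assumptions are built in and are standard IOS behaviour: an inbound ACL on the outside interface is evaluated before the static NAT rewrite, so the packet's destination is still the public address 207.158.24.230 when the list is checked, and an outbound ACL on that interface sees LAN traffic after inside-to-outside NAT.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"domain": 53, "www": 80, "ftp": 21, "ntp": 123}   # names seen on this page

def ip_int(text: str) -> int:
    return int(ipaddress.ip_address(text))

@dataclass
class Packet:
    proto: str          # tcp / udp / icmp
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

# src/dst are (address, wildcard) pairs exactly as IOS writes them; a None port = any port;
# proto "ip" matches every protocol.
Rule = namedtuple("Rule", "action proto src sport dst dport text")

def _addr(tok: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    # 'any', 'host A' or 'A WILDCARD'; returns the spec and the next token index
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (ip_int(tok[i + 1]), 0), i + 2
    return (ip_int(tok[i]), ip_int(tok[i + 1])), i + 2

def _port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    # optional 'eq PORT' ('eq' = exactly this port); absent means any port
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i

def parse_acl(lines: List[str]) -> List[Rule]:
    rules = []
    for line in lines:
        tok = line.split()
        if tok and tok[0] == "access-list":    # numbered form: drop "access-list N"
            tok = tok[2:]
        if not tok or tok[0] == "remark":
            continue
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)               # a trailing 'log' changes logging only
        rules.append(Rule(tok[0], tok[1], src, sport, dst, dport, line.strip()))
    return rules

def _addr_match(spec: Tuple[int, int], addr: str) -> bool:
    base, wild = spec
    keep = ~wild & 0xFFFFFFFF                  # 1-bits in the wildcard are "don't care"
    return (ip_int(addr) & keep) == (base & keep)

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and (rule.sport is None or rule.sport == pkt.sport)
            and (rule.dport is None or rule.dport == pkt.dport))

def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, str]:
    """Top-down, first match wins; anything unmatched hits the implicit deny."""
    for rule in parse_acl(acl):
        if matches(rule, pkt):
            return rule.action, rule.text
    return "deny", "<implicit deny ip any any>"

# Excerpts of lists from this thread (ICMP lines omitted to keep the matcher small).
ACL_103 = [
    "access-list 103 permit udp host 4.2.2.1 eq domain host 207.158.24.230",
    "access-list 103 remark RDP Connection/Firewall",
    "access-list 103 permit tcp any eq 3389 host 192.168.1.2 eq 3389 log",
    "access-list 103 deny ip 192.168.1.0 0.0.0.255 any",
    "access-list 103 deny ip any any log",
]
EXT_IN = [
    "deny ip 192.168.0.0 0.0.255.255 any log",
    "permit tcp any any eq 22 log",
    "permit tcp any any eq 3389 log",
    "deny ip any any log",
]
SDM_FA4_OUT = ["permit icmp any any"]          # outbound list on Fa4 in the first config

# Constructed packets. 198.51.100.10 is a documentation address standing in for an
# RDP client; its source port is ephemeral, and an inbound ACL on the outside
# interface is evaluated before NAT, so the destination is still 207.158.24.230.
RDP_SYN = Packet("tcp", "198.51.100.10", "207.158.24.230", sport=50000, dport=3389)
# LAN traffic as the outbound list sees it, i.e. after inside-to-outside NAT.
LAN_DNS = Packet("udp", "207.158.24.230", "4.2.2.2", sport=40000, dport=53)
LAN_PING = Packet("icmp", "207.158.24.230", "4.2.2.2")

def demo() -> dict:
    return {
        "rdp_vs_acl103": evaluate(ACL_103, RDP_SYN)[0],
        "rdp_vs_ext_in": evaluate(EXT_IN, RDP_SYN)[0],
        "dns_vs_sdm_out": evaluate(SDM_FA4_OUT, LAN_DNS)[0],
        "ping_vs_sdm_out": evaluate(SDM_FA4_OUT, LAN_PING)[0],
    }
```

Running demo() shows the RDP SYN falling through access-list 103 to "deny ip any any log": the permit entry requires source port 3389 (clients use an ephemeral port) and destination 192.168.1.2 (the inbound list sees the public address, because the `ip nat inside source static tcp 192.168.1.2 3389 interface FastEthernet4 3389` rewrite happens after the inbound ACL). The same packet is accepted by EXT-In's "permit tcp any any eq 3389 log". Against the first config's outbound list, which permits only ICMP, a LAN ping passes but a LAN DNS query hits the implicit deny. On the router itself, `show access-lists` prints per-entry match counters, which is the quickest way to see which line a packet actually hit.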
ASKER
Side note - I know I now have many access-lists (101, 102, 203) how can I tell what it's really using?
I assume you tell it to use one, or does it automatically use all of them?
SOLUTION
This solution is only available to members.
SOLUTION
This solution is only available to members.
SOLUTION
This solution is only available to members.
ASKER
So, then, how do you enable/disable the usage of specific lists? Say I wanted ListA and ListB active, but not ListC or ListD?
And as a side note, my 3389 is still not working in the above configuration.
I will be at the router again in 12 hours or so. Time to get some shut-eye.
Thanks for all the help.
SOLUTION
This solution is only available to members.
SOLUTION
This solution is only available to members.
SOLUTION
This solution is only available to members.
SOLUTION
This solution is only available to members.
ASKER
So this is where I am at now, I think it's down to something simple - RDP is still not working.
1- How to fix RDP
2- I should have my firewall configured now, correct?
4- how do I get rid of access lists 101 and 102, as I don't use them now?
Current Configuration below.
Again, thanks for the help / crash course in Cisco.
Building configuration...
Current configuration : 7687 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SpectrumCisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$NGPp$GmViZ0RBkTrlJJLZhLkvC/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool sdm-pool1
import all
network 192.168.1.0 255.255.255.0
dns-server 4.2.2.2 4.2.2.1
default-router 192.168.1.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name cisco.SpectrumMarketing.net
ip name-server 4.2.2.2
ip name-server 4.2.2.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
crypto pki trustpoint TP-self-signed-3431502892
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3431502892
revocation-check none
rsakeypair TP-self-signed-3431502892
!
!
crypto pki certificate chain TP-self-signed-3431502892
certificate self-signed 01
30820263 308201CC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343331 35303238 3932301E 170D3032 30333031 30303037
31305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34333135
30323839 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BCED 38D2F9EE 4E394FB5 6CF78F5A AB09A7E1 D6377F88 3E3D2C0A 9F3D6332
CC9F1F30 81188AE1 0EB376CE 8F6B8715 3172A3AD 2FFE4BFB 4C011559 2663B095
FB654517 2F490697 3A21791D 4C94903D 5F91AB54 48BF1A39 FAC35DDB E68D1F85
05881BB8 0E9FE478 0E08341F F28F4B45 883ADB99 61C7D6C3 64EAEEDA C72764C8
79990203 010001A3 818A3081 87300F06 03551D13 0101FF04 05300301 01FF3034
0603551D 11042D30 2B822953 70656374 72756D43 6973636F 2E636973 636F2E53
70656374 72756D4D 61726B65 74696E67 2E6E6574 301F0603 551D2304 18301680
14301FF9 84C5A8F8 F3BCF7D0 3FCB480F 58AE10FB 93301D06 03551D0E 04160414
301FF984 C5A8F8F3 BCF7D03F CB480F58 AE10FB93 300D0609 2A864886 F70D0101
04050003 818100A3 5CFB9C38 621BD01C 017DAB83 9B88E72E 074CE467 5598BA34
8B46631E 3BADD90A E3E8BFF7 25948537 34E451CD 6E4A2292 A6AF5AAB C63FF99D
65E0D4F6 8619D13C 72610DB1 21FBCEE3 B0DF9A1F 83604317 5F3B41E2 A6965921
359151DA CC0A3097 0F7D977E 09C3D41B 08171E66 0A583C80 0ED3DC1D 155EEAF8
51B042FE 9E6E33
quit
username valuelogic privilege 15 secret 5 $1$SJpa$PaCLCHR3ab419jOZacZ3I0
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address 207.158.24.230 255.255.255.0
ip access-group EXT-In in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group INT-In in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 207.158.24.225
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.2 3389 interface FastEthernet4 3389
!
ip access-list extended EXT-In
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
permit tcp any any eq 22 log
permit tcp any any eq 3389 log
deny ip any any log
ip access-list extended INT-In
permit ip any host 192.168.1.1
permit ip any host 255.255.255.255
deny ip any host 192.168.1.255
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
deny ip any 169.254.0.0 0.0.255.255 log
permit icmp any any
permit udp any any eq domain
permit tcp any any eq domain
permit tcp any any eq 3389
permit tcp any any eq 22
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq ftp
permit udp any any eq ntp
deny ip any any log
ip access-list extended sdm_fastethernet4_out
remark SDM_ACL Category=1
permit icmp any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 4.2.2.1 eq domain host 207.158.24.230
access-list 101 permit udp host 4.2.2.2 eq domain host 207.158.24.230
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 207.158.24.230 echo-reply
access-list 101 permit icmp any host 207.158.24.230 time-exceeded
access-list 101 permit icmp any host 207.158.24.230 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp host 4.2.2.1 eq domain host 207.158.24.230
access-list 102 permit udp host 4.2.2.2 eq domain host 207.158.24.230
access-list 102 deny ip 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp any host 207.158.24.230 echo-reply
access-list 102 permit icmp any host 207.158.24.230 time-exceeded
access-list 102 permit icmp any host 207.158.24.230 unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
ASKER
On a side note, when I look in the firewall log, I don't see anything blocked on 3389, whereas before I did...
ASKER
I have also tried setting up a telnet server on the host, in the thought that RDP was whack - same results.
Modified configuration below for telnet/ssh
Building configuration...
Current configuration : 7981 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SpectrumCisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$NGPp$GmViZ0RBkTrlJJLZhLkvC/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool sdm-pool1
import all
network 192.168.1.0 255.255.255.0
dns-server 4.2.2.2 4.2.2.1
default-router 192.168.1.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name cisco.SpectrumMarketing.net
ip name-server 4.2.2.2
ip name-server 4.2.2.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
crypto pki trustpoint TP-self-signed-3431502892
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3431502892
revocation-check none
rsakeypair TP-self-signed-3431502892
!
!
crypto pki certificate chain TP-self-signed-3431502892
certificate self-signed 01
30820263 308201CC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343331 35303238 3932301E 170D3032 30333031 30303037
31305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34333135
30323839 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BCED 38D2F9EE 4E394FB5 6CF78F5A AB09A7E1 D6377F88 3E3D2C0A 9F3D6332
CC9F1F30 81188AE1 0EB376CE 8F6B8715 3172A3AD 2FFE4BFB 4C011559 2663B095
FB654517 2F490697 3A21791D 4C94903D 5F91AB54 48BF1A39 FAC35DDB E68D1F85
05881BB8 0E9FE478 0E08341F F28F4B45 883ADB99 61C7D6C3 64EAEEDA C72764C8
79990203 010001A3 818A3081 87300F06 03551D13 0101FF04 05300301 01FF3034
0603551D 11042D30 2B822953 70656374 72756D43 6973636F 2E636973 636F2E53
70656374 72756D4D 61726B65 74696E67 2E6E6574 301F0603 551D2304 18301680
14301FF9 84C5A8F8 F3BCF7D0 3FCB480F 58AE10FB 93301D06 03551D0E 04160414
301FF984 C5A8F8F3 BCF7D03F CB480F58 AE10FB93 300D0609 2A864886 F70D0101
04050003 818100A3 5CFB9C38 621BD01C 017DAB83 9B88E72E 074CE467 5598BA34
8B46631E 3BADD90A E3E8BFF7 25948537 34E451CD 6E4A2292 A6AF5AAB C63FF99D
65E0D4F6 8619D13C 72610DB1 21FBCEE3 B0DF9A1F 83604317 5F3B41E2 A6965921
359151DA CC0A3097 0F7D977E 09C3D41B 08171E66 0A583C80 0ED3DC1D 155EEAF8
51B042FE 9E6E33
quit
username valuelogic privilege 15 secret 5 $1$SJpa$PaCLCHR3ab419jOZacZ3I0
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address 207.158.24.230 255.255.255.0
ip access-group EXT-In in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group INT-In in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 207.158.24.225
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.2 23 interface FastEthernet4 23
ip nat inside source static tcp 192.168.1.2 22 interface FastEthernet4 22
ip nat inside source static tcp 192.168.1.2 3389 interface FastEthernet4 3389
ip nat inside source static udp 192.168.1.2 3389 interface FastEthernet4 3389
!
ip access-list extended EXT-In
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
permit tcp any any eq 22 log
permit tcp any any eq 3389 log
deny ip any any log
permit tcp any any eq telnet log
ip access-list extended INT-In
permit ip any host 192.168.1.1
permit ip any host 255.255.255.255
deny ip any host 192.168.1.255
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
deny ip any 169.254.0.0 0.0.255.255 log
permit icmp any any
permit udp any any eq domain
permit tcp any any eq domain
permit tcp any any eq 3389
permit tcp any any eq 22
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq ftp
permit udp any any eq ntp
deny ip any any log
permit tcp any any eq telnet log
ip access-list extended sdm_fastethernet4_out
remark SDM_ACL Category=1
permit icmp any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 4.2.2.1 eq domain host 207.158.24.230
access-list 101 permit udp host 4.2.2.2 eq domain host 207.158.24.230
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 207.158.24.230 echo-reply
access-list 101 permit icmp any host 207.158.24.230 time-exceeded
access-list 101 permit icmp any host 207.158.24.230 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp host 4.2.2.1 eq domain host 207.158.24.230
access-list 102 permit udp host 4.2.2.2 eq domain host 207.158.24.230
access-list 102 deny ip 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp any host 207.158.24.230 echo-reply
access-list 102 permit icmp any host 207.158.24.230 time-exceeded
access-list 102 permit icmp any host 207.158.24.230 unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
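Two things in the running-config above can be checked mechanically rather than by eye: in both EXT-In and INT-In the entry "permit tcp any any eq telnet log" comes after "deny ip any any log", so it can never match, and access-list 101, access-list 102 and sdm_fastethernet4_out are defined but never applied with ip access-group, access-class or ip nat inside source list anywhere in the posted config. The script below is an added example for this thread, not code from the original post or from Cisco: a small Python linter that flags both cases, run over an excerpt of the posted config that is embedded inline (trimmed to the relevant lines). The function names are my own, and it assumes named-ACL entries without sequence numbers, as in the config shown.

```python
"""Static lint for Cisco IOS access lists in a running-config.

Added example for this thread, not code from the original post. It reads
config text and reports two things visible in the posted config:
  * ACL entries that sit after an unconditional 'permit/deny ip any any'
    in the same list, so they can never match;
  * ACLs that are defined but never bound with 'ip access-group',
    'access-class' or 'ip nat inside source list'.
"""
import re
from dataclasses import dataclass, field

# A catch-all entry; everything after it in the same ACL is dead.
UNCONDITIONAL = re.compile(r"^(?:permit|deny) ip any any(?: log)?$")
NAMED_ACL = re.compile(r"^ip access-list (?:standard|extended) (\S+)$")
NUMBERED_ACL = re.compile(r"^access-list (\d+) (.+)$")
# Places an ACL can be applied; group 1 or group 2 carries the name.
REFERENCE = re.compile(
    r"^(?:ip access-group|access-class) (\S+) (?:in|out)$"
    r"|^ip nat inside source list (\S+) "
)


@dataclass
class Acl:
    name: str
    entries: list = field(default_factory=list)  # (config line no, entry text)


def parse_acls(config: str) -> dict:
    """Collect ACL entries by name, in config order, ignoring indentation.

    Assumes named-ACL entries carry no leading sequence number (true of the
    config in the thread); a line that is not permit/deny/remark closes the
    named block, which is how '!' and the next top-level command behave.
    """
    acls: dict = {}
    current = None
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if m := NAMED_ACL.match(line):
            current = acls.setdefault(m.group(1), Acl(m.group(1)))
        elif m := NUMBERED_ACL.match(line):
            acls.setdefault(m.group(1), Acl(m.group(1))).entries.append((no, m.group(2)))
            current = None
        elif current is not None and line.startswith(("permit", "deny", "remark")):
            current.entries.append((no, line))
        else:
            current = None
    return acls


def shadowed_entries(acl: Acl) -> list:
    """Entries that follow a catch-all in the same ACL; remarks are ignored."""
    dead, blocker = [], None
    for no, text in acl.entries:
        if text.startswith("remark"):
            continue
        if blocker is not None:
            dead.append((no, text, blocker))
        elif UNCONDITIONAL.match(text):
            blocker = text
    return dead


def unreferenced_acls(config: str, acls: dict) -> list:
    """Names of ACLs that are defined but nothing in the config applies."""
    refs = set()
    for raw in config.splitlines():
        if m := REFERENCE.match(raw.strip()):
            refs.add(m.group(1) or m.group(2))
    return sorted(name for name in acls if name not in refs)


def lint(config: str) -> dict:
    """Run both checks and return {'shadowed': {acl: [entry, ...]}, 'unreferenced': [acl, ...]}."""
    acls = parse_acls(config)
    shadowed = {}
    for name, acl in acls.items():
        if dead := shadowed_entries(acl):
            shadowed[name] = [text for _, text, _ in dead]
    return {"shadowed": shadowed, "unreferenced": unreferenced_acls(config, acls)}


# Excerpt of the running-config posted in the thread, trimmed to the lines
# the checks look at (interface bindings, NAT rule, and the ACLs).
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip access-group EXT-In in
 ip nat outside
!
interface Vlan1
 ip access-group INT-In in
 ip nat inside
!
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended EXT-In
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 permit tcp any any eq 22 log
 permit tcp any any eq 3389 log
 deny ip any any log
 permit tcp any any eq telnet log
ip access-list extended INT-In
 permit ip any host 192.168.1.1
 permit icmp any any
 permit udp any any eq domain
 permit tcp any any eq www
 deny ip any any log
 permit tcp any any eq telnet log
ip access-list extended sdm_fastethernet4_out
 remark SDM_ACL Category=1
 permit icmp any any
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 permit udp host 4.2.2.1 eq domain host 207.158.24.230
access-list 101 deny ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 deny ip any any log
"""

if __name__ == "__main__":
    for name, acl in parse_acls(SAMPLE_CONFIG).items():
        for no, text, blocker in shadowed_entries(acl):
            print(f"{name}: line {no} '{text}' is unreachable after '{blocker}'")
    for name in lint(SAMPLE_CONFIG)["unreferenced"]:
        print(f"{name}: defined but never applied")
```

Run it against the full config text ("show running-config" saved to a file and passed to lint) and it reports the two unreachable telnet permits and the three unapplied ACLs. It is a static check only: on FastEthernet4 the "ip inspect SDM_LOW out" line (CBAC) dynamically opens return traffic for sessions started from the inside ahead of EXT-In, so the inbound ACL as written is not the whole picture for established flows; the linter only sees what is in the text.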
ASKER
Another side-note, when on the pc at 192.168.1.1 I CAN ssh to 207.158.24.230 fine, but not from another location on the internet.
ASKER
Wound up not using this box. Used a SonicWALL instead - not because the help here was not good, but because I am more familiar with the product.
Thanks for the help
ASKER
Currently just one PC on the LAN 0 port
Connected to T1 on fastEthernet4, with static IP address
Hope this helps.