JAMason1182
asked on
Cisco 1841 - Multiple Public IPs with some static NATs and a dynamic NAT
OK, I have another thread open for this but it is in the wrong place and will be disposed of shortly (I presume).
So, I have several public IPs. We will call them XXX.XX.XX.78, .81, .82, .83, .84, and I believe .85 (I'm not using 85 so it doesn't matter). The 78 address is the main address for my router AND ALL desktops that exist in the LAN. My LAN is on a 10.20.20.0 subnet.
Also, the 81 address, 82, 83, 84 and eventually 85 (if it is mine) will be statically NATted to an individual server.
The question is... why isn't it working!? I thought I had it working but this week our email ceased altogether. I tracked it down and sure enough the mail server has NO access through the router. I have been piddling with it and now I can't get through the static NATs in either direction. The desktops have no trouble, so the main 78 address is still NATted just fine.
What am I doing wrong? And how can I best debug this issue to get the most out of my time in seeing NATs, etc.?
I won't be able to log on until Monday. So, I offer a full 500 points to anyone who can help me with this either over the weekend or first thing Monday.
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description Secondary interface - External
ip address 10.20.21.2 255.255.255.0 secondary
ip address 10.20.21.3 255.255.255.0 secondary
ip address 10.20.21.1 255.255.255.0
ip access-group 102 in
ip nat outside
ip virtual-reassembly
shutdown
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ES_LAN$$ETH-LAN$$FW_INSIDE$
ip address 192.168.1.8 255.255.255.0 secondary
ip address 192.168.2.8 255.255.255.0 secondary
ip address 10.20.20.1 255.255.255.0
ip access-group 100 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface Serial0/0/0
description External - T1$FW_OUTSIDE$$ES_WAN$
ip address XXX.XX.XX.81 255.255.255.248 secondary
ip address XXX.XX.XX.82 255.255.255.248 secondary
ip address XXX.XX.XX.83 255.255.255.248 secondary
ip address XXX.XX.XX.84 255.255.255.248 secondary
ip address XXX.XX.XX.85 255.255.255.248 secondary
ip address XXX.XX.XX.78 255.255.255.248
ip access-group 101 in
ip nat outside
ip virtual-reassembly
encapsulation ppp
crypto map CMAP
!
ip local pool vpn1 192.168.3.1 192.168.3.254
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 106 interface Serial0/0/0 overload
ip nat inside source static 10.20.20.48 XXX.XX.XX.81
ip nat inside source static 10.20.20.49 XXX.XX.XX.82
ip nat inside source static 10.20.20.52 XXX.XX.XX.83
ip nat inside source static 10.20.20.50 XXX.XX.XX.84
!
logging trap warnings
access-list 2 remark ########### Router Configuration Access (local only)##########
access-list 2 permit 10.20.20.0 0.0.0.255
access-list 2 deny any
access-list 100 remark ########### FastEthernet 0/1 Outgoing Firewall #############
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq 22
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq cmd
access-list 100 deny tcp any host 10.20.20.1 eq telnet log
access-list 100 deny tcp any host 10.20.20.1 eq 22 log
access-list 100 deny tcp any host 10.20.20.1 eq www log
access-list 100 deny tcp any host 10.20.20.1 eq 443 log
access-list 100 deny tcp any host 10.20.20.1 eq cmd log
access-list 100 deny udp any host 10.20.20.1 eq snmp log
access-list 100 remark --Don't want to be email blocked! so only our server can send...
access-list 100 permit tcp host 10.20.20.52 any eq smtp
access-list 100 remark --I trust myself, so I can send...
access-list 100 permit tcp host 10.20.20.114 any eq smtp
access-list 100 deny tcp any any eq smtp log
access-list 100 permit ip any any
access-list 101 remark ----==== Serial0/0/0 Incoming Firewall ====----
access-list 101 remark ---- BLACKLIST ----
access-list 101 deny ip host 66.199.187.181 any log
access-list 101 deny udp any any range 1025 1028 log
access-list 101 remark ---- Allow Established ----
access-list 101 permit tcp any any established
access-list 101 remark ---- Allow NTP ----
access-list 101 permit udp host 128.194.254.7 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.8 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.9 eq ntp any eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.7 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.8 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.9 eq ntp
access-list 101 remark ---- Allow PING ----
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any log
access-list 101 remark ---- Allow VPN connection Access ----
access-list 101 permit esp any host XXX.XX.XX.78
access-list 101 permit ahp any host XXX.XX.XX.78
access-list 101 permit udp any eq isakmp host XXX.XX.XX.78 eq isakmp
access-list 101 remark ---- Block local on external and broadcasts ----
access-list 101 deny ip any 0.0.0.255 255.255.255.0 log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 remark ---- Block Erroneous Service Ports ----
access-list 101 deny tcp any any range 6000 6003 log
access-list 101 deny tcp any any range 2000 2003 log
access-list 101 remark ---- Block NFS Service ----
access-list 101 deny tcp any any eq 2049 log
access-list 101 deny udp any any eq 2049 log
access-list 101 remark ---- Block NETBIOS/SMB Service ----
access-list 101 deny tcp any any eq 138 log
access-list 101 deny tcp any any eq 445 log
access-list 101 deny udp any any eq netbios-ns log
access-list 101 deny udp any any eq netbios-dgm log
access-list 101 permit tcp any host XXX.XX.XX.84 eq www
access-list 101 permit tcp any host XXX.XX.XX.84 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq www
access-list 101 permit tcp any host XXX.XX.XX.83 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq pop3
access-list 101 permit tcp any host XXX.XX.XX.83 eq 143
access-list 101 permit tcp any host XXX.XX.XX.83 eq smtp
access-list 101 permit tcp any host XXX.XX.XX.81 eq domain
access-list 101 permit udp any host XXX.XX.XX.81 eq domain
access-list 101 permit tcp any host XXX.XX.XX.82 eq domain
access-list 101 permit udp any host XXX.XX.XX.82 eq domain
access-list 101 remark ---- Allow UDP DESKTOPS ONLY ----
access-list 101 permit udp any host XXX.XX.XX.78
access-list 101 deny udp any any log
access-list 101 deny ip any any log
access-list 106 remark ----==== Serial0/0/0 NAT ACL ====----
access-list 106 deny ip 10.20.20.0 0.0.0.255 192.168.3.0 0.0.0.255 log
access-list 106 permit ip 10.20.20.0 0.0.0.255 any
access-list 150 permit ip 10.20.20.0 0.0.0.255 any
no cdp run
!
Please post the output of show ip nat translation
ASKER
Here you go:
midnr001#sh ip nat translation
Pro Inside global Inside local Outside local Outside global
--- XXX.XX.XX.81 10.20.20.48 --- ---
udp XXX.XX.XX.82:123 10.20.20.49:123 128.194.254.7:123 128.194.254.7:123
udp XXX.XX.XX.82:123 10.20.20.49:123 128.194.254.8:123 128.194.254.8:123
udp XXX.XX.XX.82:123 10.20.20.49:123 128.194.254.9:123 128.194.254.9:123
--- XXX.XX.XX.82 10.20.20.49 --- ---
udp XXX.XX.XX.84:123 10.20.20.50:123 128.194.254.8:123 128.194.254.8:123
tcp XXX.XX.XX.84:40732 10.20.20.50:40732 12.120.18.110:80 12.120.18.110:80
tcp XXX.XX.XX.84:55181 10.20.20.50:55181 12.120.17.110:80 12.120.17.110:80
--- XXX.XX.XX.84 10.20.20.50 --- ---
tcp XXX.XX.XX.83:45941 10.20.20.52:45941 65.54.244.72:25 65.54.244.72:25
--- XXX.XX.XX.83 10.20.20.52 --- ---
udp XXX.XX.XX.78:49447 10.20.20.55:49447 XXX.XX.XX.10:53 XXX.XX.XX.10:53
udp XXX.XX.XX.78:50726 10.20.20.55:50726 XXX.XX.XX.10:53 XXX.XX.XX.10:53
udp XXX.XX.XX.78:52336 10.20.20.55:52336 XXX.XX.XX.10:53 XXX.XX.XX.10:53
udp XXX.XX.XX.78:55315 10.20.20.55:55315 XXX.XX.XX.10:53 XXX.XX.XX.10:53
udp XXX.XX.XX.78:60212 10.20.20.55:60212 XXX.XX.XX.10:53 XXX.XX.XX.10:53
udp XXX.XX.XX.78:62417 10.20.20.55:62417 XXX.XX.XX.10:53 XXX.XX.XX.10:53
udp XXX.XX.XX.78:63220 10.20.20.55:63220 XXX.XX.XX.10:53 XXX.XX.XX.10:53
udp XXX.XX.XX.78:123 10.20.20.57:123 128.194.254.9:123 128.194.254.9:123
SOLUTION
I also don't see access-list 102 in your config you pasted
Also can you post your NAT and ACL config, ideally I would suggest you post your entire config and change public IPs and passwords etc.
ASKER
Ok, I tried a few things, but no change in usability. I also tried to remove some of the plain-static entries and add just ports (testing using the 83 address)
But, to no avail. Here's my latter-half config. I don't think the VPN info and crypto info are relevant. I figure everything from interfaces through NAT and the ACLs should give you what you need.
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description Secondary interface - External
ip address 10.20.21.2 255.255.255.0 secondary
ip address 10.20.21.3 255.255.255.0 secondary
ip address 10.20.21.1 255.255.255.0
ip access-group 102 in
ip nat outside
ip virtual-reassembly
shutdown
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ES_LAN$$ETH-LAN$$FW_INSIDE$
ip address 192.168.1.8 255.255.255.0 secondary
ip address 192.168.2.8 255.255.255.0 secondary
ip address 10.20.20.1 255.255.255.0
ip access-group 100 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface Serial0/0/0
description External - T1$FW_OUTSIDE$$ES_WAN$
ip address XXX.XX.XX.81 255.255.255.248 secondary
ip address XXX.XX.XX.78 255.255.255.248
ip access-group 101 in
ip nat outside
ip virtual-reassembly
encapsulation ppp
crypto map CMAP
!
ip local pool vpn1 192.168.3.1 192.168.3.254
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
!
no ip http server
no ip http secure-server
ip nat pool pool01 XXX.XX.XX.78 XXX.XX.XX.78 prefix-length 24
ip nat inside source list 106 pool pool01 overload
ip nat inside source static 10.20.20.48 XXX.XX.XX.81
ip nat inside source static 10.20.20.49 XXX.XX.XX.82
ip nat inside source static tcp 10.20.20.52 25 XXX.XX.XX.83 25 extendable
ip nat inside source static tcp 10.20.20.52 80 XXX.XX.XX.83 80 extendable
ip nat inside source static tcp 10.20.20.52 110 XXX.XX.XX.83 110 extendable
ip nat inside source static tcp 10.20.20.52 143 XXX.XX.XX.83 143 extendable
ip nat inside source static tcp 10.20.20.52 443 XXX.XX.XX.83 443 extendable
ip nat inside source static 10.20.20.50 XXX.XX.XX.84
!
logging trap debugging
access-list 2 remark ########### Router Configuration Access (local only)##########
access-list 2 permit 10.20.20.0 0.0.0.255
access-list 2 deny any
access-list 100 remark ########### FastEthernet 0/1 Outgoing Firewall #############
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq 22
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq cmd
access-list 100 deny tcp any host 10.20.20.1 eq telnet log
access-list 100 deny tcp any host 10.20.20.1 eq 22 log
access-list 100 deny tcp any host 10.20.20.1 eq www log
access-list 100 deny tcp any host 10.20.20.1 eq 443 log
access-list 100 deny tcp any host 10.20.20.1 eq cmd log
access-list 100 deny udp any host 10.20.20.1 eq snmp log
access-list 100 remark --Don't want to be email blocked! so only our server can send...
access-list 100 permit tcp host 10.20.20.52 any eq smtp
access-list 100 remark --I trust myself, so I can send...
access-list 100 permit tcp host 10.20.20.114 any eq smtp
access-list 100 deny tcp any any eq smtp log
access-list 100 permit ip any any
access-list 101 remark ----==== Serial0/0/0 Incoming Firewall ====----
access-list 101 remark ---- BLACKLIST ----
access-list 101 deny ip host 66.199.187.181 any log
access-list 101 deny udp any any range 1025 1028 log
access-list 101 remark ---- Allow Established ----
access-list 101 permit tcp any any established
access-list 101 remark ---- Allow NTP ----
access-list 101 permit udp host 128.194.254.7 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.8 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.9 eq ntp any eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.7 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.8 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.9 eq ntp
access-list 101 remark ---- Allow PING ----
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any log
access-list 101 remark ---- Allow VPN connection Access ----
access-list 101 permit esp any host XXX.XX.XX.78
access-list 101 permit ahp any host XXX.XX.XX.78
access-list 101 permit udp any eq isakmp host XXX.XX.XX.78 eq isakmp
access-list 101 remark ---- Block local on external and broadcasts ----
access-list 101 deny ip any 0.0.0.255 255.255.255.0 log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 remark ---- Block Erroneous Service Ports ----
access-list 101 deny tcp any any range 6000 6003 log
access-list 101 deny tcp any any range 2000 2003 log
access-list 101 remark ---- Block NFS Service ----
access-list 101 deny tcp any any eq 2049 log
access-list 101 deny udp any any eq 2049 log
access-list 101 remark ---- Block NETBIOS/SMB Service ----
access-list 101 deny tcp any any eq 138 log
access-list 101 deny tcp any any eq 445 log
access-list 101 deny udp any any eq netbios-ns log
access-list 101 deny udp any any eq netbios-dgm log
access-list 101 permit tcp any host XXX.XX.XX.84 eq www
access-list 101 permit tcp any host XXX.XX.XX.84 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq www
access-list 101 permit tcp any host XXX.XX.XX.83 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq pop3
access-list 101 permit tcp any host XXX.XX.XX.83 eq 143
access-list 101 permit tcp any host XXX.XX.XX.83 eq smtp
access-list 101 permit tcp any host XXX.XX.XX.81 eq domain
access-list 101 permit udp any host XXX.XX.XX.81 eq domain
access-list 101 permit tcp any host XXX.XX.XX.82 eq domain
access-list 101 permit udp any host XXX.XX.XX.82 eq domain
access-list 101 remark ---- Allow UDP DESKTOPS ONLY ----
access-list 101 permit udp any host XXX.XX.XX.78
access-list 101 deny udp any any log
access-list 101 deny ip any any log
access-list 106 remark ----==== Serial0/0/0 NAT ACL ====----
access-list 106 deny ip 10.20.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 106 permit ip 10.20.20.0 0.0.0.255 any
access-list 150 permit ip 10.20.20.0 0.0.0.255 any
no cdp run
!
!
!
!
control-plane
!
!
!
ASKER
OK, I did some changes. I took out some of my IPs from the external Serial interface. I also hooked up the old laptop to work on my secondary external interface, fe0/0. This interface I use for testing. Usually it isn't even hooked up.
I've attached the configuration as it now stands.
I can now reach the outside world from the servers. BUT I can't access the servers from the outside. (Can't get email, etc., despite the ACLs and NAT configuration as shown below)
Question: Do I need to do anything since my public IPs XXX.XX.XX.81 through 85 are not in the same subnet as my main public IP 78?
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description Secondary interface - External
ip address 10.20.21.1 255.255.255.0
ip access-group 101 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ES_LAN$$ETH-LAN$$FW_INSIDE$
ip address 192.168.1.8 255.255.255.0 secondary
ip address 192.168.2.8 255.255.255.0 secondary
ip address 10.20.20.1 255.255.255.0
ip access-group 100 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface Serial0/0/0
description External - T1$FW_OUTSIDE$$ES_WAN$
ip address XXX.XX.XX.78 255.255.255.248
ip access-group 101 in
ip nat outside
ip virtual-reassembly
encapsulation ppp
crypto map CMAP
!
ip local pool vpn1 192.168.3.1 192.168.3.254
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 10.20.21.0 255.255.255.0 FastEthernet0/0
!
!
no ip http server
no ip http secure-server
ip nat pool NATPOOL XXX.XX.XX.78 XXX.XX.XX.78 prefix-length 24
ip nat inside source list 106 pool NATPOOL overload
ip nat inside source static tcp 10.20.20.48 53 XXX.XX.XX.81 53 extendable
ip nat inside source static udp 10.20.20.48 53 XXX.XX.XX.81 53 extendable
ip nat inside source static tcp 10.20.20.49 53 XXX.XX.XX.82 53 extendable
ip nat inside source static udp 10.20.20.49 53 XXX.XX.XX.82 53 extendable
ip nat inside source static tcp 10.20.20.52 25 XXX.XX.XX.83 25 extendable
ip nat inside source static tcp 10.20.20.52 80 XXX.XX.XX.83 80 extendable
ip nat inside source static tcp 10.20.20.52 110 XXX.XX.XX.83 110 extendable
ip nat inside source static tcp 10.20.20.52 143 XXX.XX.XX.83 143 extendable
ip nat inside source static tcp 10.20.20.50 80 XXX.XX.XX.84 80 extendable
ip nat inside source static tcp 10.20.20.50 443 XXX.XX.XX.84 443 extendable
!
logging trap warnings
access-list 2 remark ########### Router Configuration Access (local only)##########
access-list 2 permit 10.20.20.0 0.0.0.255
access-list 2 deny any
access-list 100 remark ########### FastEthernet 0/1 Outgoing Firewall #############
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq 22
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq cmd
access-list 100 deny tcp any host 10.20.20.1 eq telnet
access-list 100 deny tcp any host 10.20.20.1 eq 22
access-list 100 deny tcp any host 10.20.20.1 eq www
access-list 100 deny tcp any host 10.20.20.1 eq 443
access-list 100 deny tcp any host 10.20.20.1 eq cmd
access-list 100 deny udp any host 10.20.20.1 eq snmp
access-list 100 remark --Don't want to be email blocked! so only our server can send...
access-list 100 permit tcp host 10.20.20.52 any eq smtp
access-list 100 remark --I trust myself, so I can send...
access-list 100 permit tcp host 10.20.20.114 any eq smtp
access-list 100 deny tcp any any eq smtp
access-list 100 permit ip any any
access-list 101 remark ########### Serial0/0/0 Incoming Firewall ##############
access-list 101 remark ---- BLACKLIST ----
access-list 101 deny ip host 66.199.187.181 any log
access-list 101 deny udp any any range 1025 1028 log
access-list 101 remark ---- Allow Established ----
access-list 101 permit tcp any any established
access-list 101 remark ---- Allow NTP ----
access-list 101 permit udp host 128.194.254.7 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.8 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.9 eq ntp any eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.7 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.8 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.9 eq ntp
access-list 101 remark ---- Allow PING ----
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any
access-list 101 remark ---- Allow VPN connection Access ----
access-list 101 permit esp any host XXX.XX.XX.78
access-list 101 permit ahp any host XXX.XX.XX.78
access-list 101 permit udp any eq isakmp host XXX.XX.XX.78 eq isakmp
access-list 101 remark ---- Block local on external and broadcasts ----
access-list 101 deny ip any 0.0.0.255 255.255.255.0
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 remark ---- Block Erroneous Service Ports ----
access-list 101 deny tcp any any range 6000 6003
access-list 101 deny tcp any any range 2000 2003
access-list 101 remark ---- Block NFS Service ----
access-list 101 deny tcp any any eq 2049
access-list 101 deny udp any any eq 2049
access-list 101 remark ---- Block NETBIOS/SMB Service ----
access-list 101 deny tcp any any eq 138
access-list 101 deny tcp any any eq 445
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 101 permit tcp any host XXX.XX.XX.84 eq www
access-list 101 permit tcp any host XXX.XX.XX.84 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq www
access-list 101 permit tcp any host XXX.XX.XX.83 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq pop3
access-list 101 permit tcp any host XXX.XX.XX.83 eq 143
access-list 101 permit tcp any host XXX.XX.XX.83 eq smtp log
access-list 101 permit tcp any host XXX.XX.XX.81 eq domain
access-list 101 permit udp any host XXX.XX.XX.81 eq domain
access-list 101 permit tcp any host XXX.XX.XX.82 eq domain
access-list 101 permit udp any host XXX.XX.XX.82 eq domain
access-list 101 remark ---- Allow UDP DESKTOPS ONLY ----
access-list 101 permit udp any host XXX.XX.XX.78
access-list 101 deny udp any any log
access-list 101 deny ip any any log
access-list 106 remark ----==== Serial0/0/0 NAT ACL ====----
access-list 106 deny ip 10.20.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 106 permit ip 10.20.20.0 0.0.0.255 any
access-list 150 permit ip 10.20.20.0 0.0.0.255 any
no cdp run
!
!
!
!
control-plane
ASKER
Another quick note:
Doing a traceroute from my house to my ips ends in a loop for the 81-85 addresses... but the 78 address resolves just fine.... is the issue with my NAT or ACL configuration or do I need to contact my ISP to see if anything changed?
ASKER CERTIFIED SOLUTION
ASKER
First off, thank you for your reply. I need some info on some things you said, and would like to work towards other things you said.
"... look at configuring the IOS firewall (CBAC) as you can configure an inspection rule that will take care of your UDP traffic flows and pretty much any protocol you can think of..."
Can you help me with this? This sounds fantastic and if it can help me with the UDP traffic as well as the tcp traffic then it is the way to go. So far in the past, I couldn't get the tcp established to allow the traffic from my servers to return back (such as for yum update, etc.)
"...With regards to the static NATs, if you are using a single IP for each server, there is no need to do a port specific nat..."
If you read my original configuration, you'll see that I did use the straight static NATs (not PAT). It worked... with the exception noted above. I couldn't update my servers or even ping out from a server because the UDP and TCP traffic was blocked... UDP since the ACL didn't allow UDP traffic back to anything but the 78 public IP (i.e. XXX.XX.XX.81 couldn't ping out or do an HTTP request) and the TCP didn't handle the established TCP traffic... the reply for even a simple HTTP request wouldn't get back through the ACL.... and I didn't know how to get it to allow it without opening up additional ports.
"...You mentioned mail before, but there is no static nat on port 25 in our config..."
How about the following line from the post above (the posts earlier NATted the entire IP, not just port 25.)
ip nat inside source static tcp 10.20.20.52 25 XXX.XX.XX.83 25 extendable
I believe you just didn't see that line... you sound too intelligent in your response to have seen that and dismissed it.
"...You can also use an inspect rule in the opposite direction to let this through...."
Again I would like your help in getting these "inspect rules" setup so I can better control the traffic without such extravagant ACLs.
(to be continued on next comment...)
ASKER
(continued from before...)
----the following will be another question after I get this question answered.... but just in case it fits with the current question I'll put it here for now...-----
So how are you on routing as well? Reason why I ask is because I have never been able to get my LAN to be able to access the servers via their public IP... it's as though the router sends out the packets and doesn't get them back. I'm not sure what to do with this... whether it is a loopback interface requirement or something. Also, I'd like to get my FastEthernet 0/0 interface routed in a way that I can finally get some of my systems separated off.... but still remain fully accessible via the existing private network. For example... ideally, I want to eventually get the servers all on the 10.20.21.0 subnet and leave the 10.20.20.0 subnet as the desktop subnet. BUT I need to make sure that the routing is complete so I don't lose any functionality or connectivity. I know this affects the NATs, but that is OK because once I get this original NAT situation resolved, I just NAT the "new" IP instead of the "old" IP for each server and then the routing/ACLs/"inspect rules" will ensure the traffic goes where it is supposed to.
----Back to my original question... -----
So if I put all my NAT rules as the straight static NATs, can you help me get the kinks worked out and the inspection rules setup?
ASKER
I did some reading and got the ip inspect rules added, then cleaned up my ACLs.
In about 10 minutes, I'll be calling my ISP to find out if they changed something... it's the only thing I can think of that would explain what is happening since nobody has said anything about my configuration being the definite culprit.
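An added illustration of the CBAC (IOS firewall) inspection approach discussed in this thread; it is not the asker's posted configuration and not text from the hidden solution. The rule name OUTBOUND is an assumption; the masked XXX.XX.XX.nn addresses, the interface and ACL 101 are taken from the configs posted above.

```cisco
! Added example (not from the thread): CBAC inspection for this topology.
! OUTBOUND is an assumed rule name; addresses are as masked on the page.
!
! 1. Define an inspection rule. CBAC tracks sessions that start in the
!    direction the rule is applied and inserts temporary entries at the
!    top of the inbound ACL for that session's return traffic only.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
! 2. Apply it outbound on the WAN interface. Sessions initiated from the
!    LAN (desktops behind .78, servers behind .81-.84 via static NAT) are
!    tracked here, so DNS, NTP, HTTP and ping replies to any of the public
!    addresses get back through ACL 101 without a per-address "permit udp
!    any host XXX.XX.XX.nn" rule.
interface Serial0/0/0
 ip inspect OUTBOUND out
!
! 3. ACL 101 now only has to admit what the outside world is meant to
!    initiate: the published services on the static NATs, the VPN
!    control/data plane to the router itself, and ICMP diagnostics.
!    The NTP, "established" and broad UDP permits from the posted ACL
!    are no longer needed; the inspect rule covers those replies.
no access-list 101
access-list 101 remark ---- VPN terminating on the router ----
access-list 101 permit esp any host XXX.XX.XX.78
access-list 101 permit ahp any host XXX.XX.XX.78
access-list 101 permit udp any eq isakmp host XXX.XX.XX.78 eq isakmp
access-list 101 remark ---- Published services on the static NATs ----
access-list 101 permit tcp any host XXX.XX.XX.81 eq domain
access-list 101 permit udp any host XXX.XX.XX.81 eq domain
access-list 101 permit tcp any host XXX.XX.XX.82 eq domain
access-list 101 permit udp any host XXX.XX.XX.82 eq domain
access-list 101 permit tcp any host XXX.XX.XX.83 eq smtp
access-list 101 permit tcp any host XXX.XX.XX.83 eq pop3
access-list 101 permit tcp any host XXX.XX.XX.83 eq 143
access-list 101 permit tcp any host XXX.XX.XX.83 eq www
access-list 101 permit tcp any host XXX.XX.XX.83 eq 443
access-list 101 permit tcp any host XXX.XX.XX.84 eq www
access-list 101 permit tcp any host XXX.XX.XX.84 eq 443
access-list 101 remark ---- Diagnostics from outside ----
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 remark ---- Everything else is logged and dropped ----
access-list 101 deny ip any any log
!
! 4. Verification commands: active inspected sessions, and the dynamic
!    entries CBAC has added to the top of ACL 101.
! show ip inspect sessions
! show ip access-lists 101
```

Static NAT translates the destination before the inbound ACL is evaluated on the outside interface, so the permits above refer to the public addresses, matching the posted ACL; traffic a server initiates is tracked by the outbound inspect rule regardless of whether its NAT is a full static or a port-specific entry.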
ASKER
Well, since a few of you helped me work out some kinks in my firewall, I'll be awarding some points to you according to how much help I got out of it.
Turns out my ISP was adding "new customers" and made a mistake and the guy had to reload the configuration... which happened to not be the current configuration so my extra IPs in question (which I added in the last 8 months) were dropped. Doofus.
Note to self... ALWAYS WRITE THE RUNNING CONFIG TO THE STARTUP CONFIG!
Anyhow, once he added the routes back in it began to work. One good thing to think about is I got the ip inspect rules simplifying my ACLs tremendously... not to mention I'm much more familiar with my own setup!....
ASKER
While it can be considered purely opinion, separating my static NATs into PATs was a bad idea. However, tweeter514 did convince me to relook how my IPs are assigned to the interface. cstosgale raised some questions that ultimately convinced me that my ISPs were at fault, thus I took much from his answers. Also, it appears he spent more time with my question.