Solved

Cisco 1841 - Multiple Public IPs with some static NATs and a dynamic NAT

Posted on 2008-10-10
Last Modified: 2010-04-21
OK, I have another thread open for this but it is in the wrong place and will be disposed of shortly ( I presume).

So, I have several public IPs. We will call them XXX.XX.XX.78, .81, .82, .83, .84, and I believe .85 (I'm not using 85 so it doesn't matter). The 78 address is the main address for my router AND ALL desktops that exist in the LAN. My LAN is on a 10.20.20.0 subnet.

Also, the 81 address, 82, 83, 84 and eventually 85 (if it is mine) will be statically NATted to an individual server.

The question is... why isn't it working!? I thought I had it working but this week our email ceased altogether. I tracked it down and sure enough the mail server has NO access through the router. I have been piddling with it and now I can't get through the static NATs in either direction. The desktops have no trouble, so the main 78 address is still NATted just fine.

What am I doing wrong? And how can I best debug this issue to get the most out of my time in seeing NATS, etc?

I won't be able to log on until Monday. So, I offer a full 500 points to anyone who can help me with this either over the weekend or first thing Monday.
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description Secondary interface - External
 ip address 10.20.21.2 255.255.255.0 secondary
 ip address 10.20.21.3 255.255.255.0 secondary
 ip address 10.20.21.1 255.255.255.0
 ip access-group 102 in
 ip nat outside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_LAN$$ETH-LAN$$FW_INSIDE$
 ip address 192.168.1.8 255.255.255.0 secondary
 ip address 192.168.2.8 255.255.255.0 secondary
 ip address 10.20.20.1 255.255.255.0
 ip access-group 100 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 description External - T1$FW_OUTSIDE$$ES_WAN$
 ip address XXX.XX.XX.81 255.255.255.248 secondary
 ip address XXX.XX.XX.82 255.255.255.248 secondary
 ip address XXX.XX.XX.83 255.255.255.248 secondary
 ip address XXX.XX.XX.84 255.255.255.248 secondary
 ip address XXX.XX.XX.85 255.255.255.248 secondary
 ip address XXX.XX.XX.78 255.255.255.248
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 crypto map CMAP
!
ip local pool vpn1 192.168.3.1 192.168.3.254
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 106 interface Serial0/0/0 overload
ip nat inside source static 10.20.20.48 XXX.XX.XX.81
ip nat inside source static 10.20.20.49 XXX.XX.XX.82
ip nat inside source static 10.20.20.52 XXX.XX.XX.83
ip nat inside source static 10.20.20.50 XXX.XX.XX.84
!
logging trap warnings
access-list 2 remark ########### Router Configuration Access (local only)##########
access-list 2 permit 10.20.20.0 0.0.0.255
access-list 2 deny   any

access-list 100 remark ########### FastEthernet 0/1 Outgoing Firewall #############
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq 22
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq cmd
access-list 100 deny   tcp any host 10.20.20.1 eq telnet log
access-list 100 deny   tcp any host 10.20.20.1 eq 22 log
access-list 100 deny   tcp any host 10.20.20.1 eq www log
access-list 100 deny   tcp any host 10.20.20.1 eq 443 log
access-list 100 deny   tcp any host 10.20.20.1 eq cmd log
access-list 100 deny   udp any host 10.20.20.1 eq snmp log

access-list 100 remark --Don't want to be email blocked! so only our server can send...
access-list 100 permit tcp host 10.20.20.52 any eq smtp
access-list 100 remark --I trust myself, so I can send...
access-list 100 permit tcp host 10.20.20.114 any eq smtp
access-list 100 deny   tcp any any eq smtp log
access-list 100 permit ip any any

access-list 101 remark ----==== Serial0/0/0 Incoming Firewall ====----
access-list 101 remark ---- BLACKLIST ----
access-list 101 deny   ip host 66.199.187.181 any log
access-list 101 deny   udp any any range 1025 1028 log
access-list 101 remark ---- Allow Established ----
access-list 101 permit tcp any any established
access-list 101 remark ---- Allow NTP ----
access-list 101 permit udp host 128.194.254.7 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.8 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.9 eq ntp any eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.7 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.8 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.9 eq ntp
access-list 101 remark ---- Allow PING ----
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   icmp any any log
access-list 101 remark ---- Allow VPN connection Access ----
access-list 101 permit esp any host XXX.XX.XX.78
access-list 101 permit ahp any host XXX.XX.XX.78
access-list 101 permit udp any eq isakmp host XXX.XX.XX.78 eq isakmp
access-list 101 remark ---- Block local on external and broadcasts ----
access-list 101 deny   ip any 0.0.0.255 255.255.255.0 log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 remark ---- Block Erroneous Service Ports ----
access-list 101 deny   tcp any any range 6000 6003 log
access-list 101 deny   tcp any any range 2000 2003 log
access-list 101 remark ---- Block NFS Service ----
access-list 101 deny   tcp any any eq 2049 log
access-list 101 deny   udp any any eq 2049 log
access-list 101 remark ---- Block NETBIOS/SMB Service ----
access-list 101 deny   tcp any any eq 138 log
access-list 101 deny   tcp any any eq 445 log
access-list 101 deny   udp any any eq netbios-ns log
access-list 101 deny   udp any any eq netbios-dgm log
access-list 101 permit tcp any host XXX.XX.XX.84 eq www
access-list 101 permit tcp any host XXX.XX.XX.84 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq www
access-list 101 permit tcp any host XXX.XX.XX.83 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq pop3
access-list 101 permit tcp any host XXX.XX.XX.83 eq 143
access-list 101 permit tcp any host XXX.XX.XX.83 eq smtp
access-list 101 permit tcp any host XXX.XX.XX.81 eq domain
access-list 101 permit udp any host XXX.XX.XX.81 eq domain
access-list 101 permit tcp any host XXX.XX.XX.82 eq domain
access-list 101 permit udp any host XXX.XX.XX.82 eq domain
access-list 101 remark ---- Allow UDP DESKTOPS ONLY ----
access-list 101 permit udp any host XXX.XX.XX.78
access-list 101 deny   udp any any log
access-list 101 deny   ip any any log

access-list 106 remark ----==== Serial0/0/0 NAT ACL ====----
access-list 106 deny   ip 10.20.20.0 0.0.0.255 192.168.3.0 0.0.0.255 log
access-list 106 permit ip 10.20.20.0 0.0.0.255 any
access-list 150 permit ip 10.20.20.0 0.0.0.255 any
no cdp run
!

Question by:JAMason1182

Expert Comment

by:donmanrobb
Please post the output of show ip nat translation

Author Comment

by:JAMason1182
Here you go:

midnr001#sh ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
--- XXX.XX.XX.81       10.20.20.48        ---                ---
udp XXX.XX.XX.82:123   10.20.20.49:123    128.194.254.7:123  128.194.254.7:123
udp XXX.XX.XX.82:123   10.20.20.49:123    128.194.254.8:123  128.194.254.8:123
udp XXX.XX.XX.82:123   10.20.20.49:123    128.194.254.9:123  128.194.254.9:123
--- XXX.XX.XX.82       10.20.20.49        ---                ---
udp XXX.XX.XX.84:123   10.20.20.50:123    128.194.254.8:123  128.194.254.8:123
tcp XXX.XX.XX.84:40732 10.20.20.50:40732  12.120.18.110:80   12.120.18.110:80
tcp XXX.XX.XX.84:55181 10.20.20.50:55181  12.120.17.110:80   12.120.17.110:80
--- XXX.XX.XX.84       10.20.20.50        ---                ---
tcp XXX.XX.XX.83:45941 10.20.20.52:45941  65.54.244.72:25    65.54.244.72:25
--- XXX.XX.XX.83       10.20.20.52        ---                ---
udp XXX.XX.XX.78:49447 10.20.20.55:49447  XXX.XX.XX.10:53    XXX.XX.XX.10:53
udp XXX.XX.XX.78:50726 10.20.20.55:50726  XXX.XX.XX.10:53    XXX.XX.XX.10:53
udp XXX.XX.XX.78:52336 10.20.20.55:52336  XXX.XX.XX.10:53    XXX.XX.XX.10:53
udp XXX.XX.XX.78:55315 10.20.20.55:55315  XXX.XX.XX.10:53    XXX.XX.XX.10:53
udp XXX.XX.XX.78:60212 10.20.20.55:60212  XXX.XX.XX.10:53    XXX.XX.XX.10:53
udp XXX.XX.XX.78:62417 10.20.20.55:62417  XXX.XX.XX.10:53    XXX.XX.XX.10:53
udp XXX.XX.XX.78:63220 10.20.20.55:63220  XXX.XX.XX.10:53    XXX.XX.XX.10:53
udp XXX.XX.XX.78:123   10.20.20.57:123    128.194.254.9:123  128.194.254.9:123


Assisted Solution

by:tweeter514
tweeter514 earned 50 total points
JAMason,

First you don't need to have all those IPs on your outside interface, I personally would remove them. How I would push your External IPs to your clients is something like:

ip nat inside source static 10.20.20.X X.X.X.84 extendable

that will map the address for you, I would suggest only pointing in the ports you want so if they are hosting a webpage maybe:

ip nat inside source static tcp 10.20.20.X 80 X.X.X.84 80 extendable

Expert Comment

by:tweeter514
I also don't see access-list 102 in the config you pasted.

Expert Comment

by:donmanrobb
Also can you post your NAT and ACL config, ideally I would suggest you post your entire config and change public IPs and passwords etc.

Author Comment

by:JAMason1182
OK, I tried a few things, but no change in usability. I also tried to remove some of the plain static entries and add just ports (testing using the 83 address).

But, to no avail. Here's my latter-half config. I don't think the VPN info and crypto info is relevant. I figure everything from interfaces through NAT and the ACLs should give you what you need.

interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description Secondary interface - External
 ip address 10.20.21.2 255.255.255.0 secondary
 ip address 10.20.21.3 255.255.255.0 secondary
 ip address 10.20.21.1 255.255.255.0
 ip access-group 102 in
 ip nat outside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_LAN$$ETH-LAN$$FW_INSIDE$
 ip address 192.168.1.8 255.255.255.0 secondary
 ip address 192.168.2.8 255.255.255.0 secondary
 ip address 10.20.20.1 255.255.255.0
 ip access-group 100 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 description External - T1$FW_OUTSIDE$$ES_WAN$
 ip address XXX.XX.XX.81 255.255.255.248 secondary
 ip address XXX.XX.XX.78 255.255.255.248
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 crypto map CMAP
!
ip local pool vpn1 192.168.3.1 192.168.3.254
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
!
no ip http server
no ip http secure-server
ip nat pool pool01 XXX.XX.XX.78 XXX.XX.XX.78 prefix-length 24
ip nat inside source list 106 pool pool01 overload
ip nat inside source static 10.20.20.48 XXX.XX.XX.81
ip nat inside source static 10.20.20.49 XXX.XX.XX.82
ip nat inside source static tcp 10.20.20.52 25 XXX.XX.XX.83 25 extendable
ip nat inside source static tcp 10.20.20.52 80 XXX.XX.XX.83 80 extendable
ip nat inside source static tcp 10.20.20.52 110 XXX.XX.XX.83 110 extendable
ip nat inside source static tcp 10.20.20.52 143 XXX.XX.XX.83 143 extendable
ip nat inside source static tcp 10.20.20.52 443 XXX.XX.XX.83 443 extendable
ip nat inside source static 10.20.20.50 XXX.XX.XX.84
!
logging trap debugging
access-list 2 remark ########### Router Configuration Access (local only)##########
access-list 2 permit 10.20.20.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark ########### FastEthernet 0/1 Outgoing Firewall #############
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq 22
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq cmd
access-list 100 deny   tcp any host 10.20.20.1 eq telnet log
access-list 100 deny   tcp any host 10.20.20.1 eq 22 log
access-list 100 deny   tcp any host 10.20.20.1 eq www log
access-list 100 deny   tcp any host 10.20.20.1 eq 443 log
access-list 100 deny   tcp any host 10.20.20.1 eq cmd log
access-list 100 deny   udp any host 10.20.20.1 eq snmp log
access-list 100 remark --Don't want to be email blocked! so only our server can send...
access-list 100 permit tcp host 10.20.20.52 any eq smtp
access-list 100 remark --I trust myself, so I can send...
access-list 100 permit tcp host 10.20.20.114 any eq smtp
access-list 100 deny   tcp any any eq smtp log
access-list 100 permit ip any any
access-list 101 remark ----==== Serial0/0/0 Incoming Firewall ====----
access-list 101 remark ---- BLACKLIST ----
access-list 101 deny   ip host 66.199.187.181 any log
access-list 101 deny   udp any any range 1025 1028 log
access-list 101 remark ---- Allow Established ----
access-list 101 permit tcp any any established
access-list 101 remark ---- Allow NTP ----
access-list 101 permit udp host 128.194.254.7 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.8 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.9 eq ntp any eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.7 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.8 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.9 eq ntp
access-list 101 remark ---- Allow PING ----
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   icmp any any log
access-list 101 remark ---- Allow VPN connection Access ----
access-list 101 permit esp any host XXX.XX.XX.78
access-list 101 permit ahp any host XXX.XX.XX.78
access-list 101 permit udp any eq isakmp host XXX.XX.XX.78 eq isakmp
access-list 101 remark ---- Block local on external and broadcasts ----
access-list 101 deny   ip any 0.0.0.255 255.255.255.0 log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 remark ---- Block Erroneous Service Ports ----
access-list 101 deny   tcp any any range 6000 6003 log
access-list 101 deny   tcp any any range 2000 2003 log
access-list 101 remark ---- Block NFS Service ----
access-list 101 deny   tcp any any eq 2049 log
access-list 101 deny   udp any any eq 2049 log
access-list 101 remark ---- Block NETBIOS/SMB Service ----
access-list 101 deny   tcp any any eq 138 log
access-list 101 deny   tcp any any eq 445 log
access-list 101 deny   udp any any eq netbios-ns log
access-list 101 deny   udp any any eq netbios-dgm log
access-list 101 permit tcp any host XXX.XX.XX.84 eq www
access-list 101 permit tcp any host XXX.XX.XX.84 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq www
access-list 101 permit tcp any host XXX.XX.XX.83 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq pop3
access-list 101 permit tcp any host XXX.XX.XX.83 eq 143
access-list 101 permit tcp any host XXX.XX.XX.83 eq smtp
access-list 101 permit tcp any host XXX.XX.XX.81 eq domain
access-list 101 permit udp any host XXX.XX.XX.81 eq domain
access-list 101 permit tcp any host XXX.XX.XX.82 eq domain
access-list 101 permit udp any host XXX.XX.XX.82 eq domain
access-list 101 remark ---- Allow UDP DESKTOPS ONLY ----
access-list 101 permit udp any host XXX.XX.XX.78
access-list 101 deny   udp any any log
access-list 101 deny   ip any any log
access-list 106 remark ----==== Serial0/0/0 NAT ACL ====----
access-list 106 deny   ip 10.20.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 106 permit ip 10.20.20.0 0.0.0.255 any
access-list 150 permit ip 10.20.20.0 0.0.0.255 any
no cdp run
!
!
!
!
control-plane
!
!
!


Author Comment

by:JAMason1182
OK, I did some changes. I took out some of my IPs from the external Serial interface. I also hooked up the old laptop to work on my secondary external interface, fe0/0. This interface I use for testing. Usually it isn't even hooked up.

I've attached the configuration as it now stands.

I can now reach the outside world from the servers. BUT I can't access the servers from the outside. (Can't get email, etc., despite the ACLs and NAT configuration as shown below)

Question: Do I need to do anything since my public IPs XXX.XX.XX.81 through 85 are not in the same subnet as my main public IP 78?

!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description Secondary interface - External
 ip address 10.20.21.1 255.255.255.0
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_LAN$$ETH-LAN$$FW_INSIDE$
 ip address 192.168.1.8 255.255.255.0 secondary
 ip address 192.168.2.8 255.255.255.0 secondary
 ip address 10.20.20.1 255.255.255.0
 ip access-group 100 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 description External - T1$FW_OUTSIDE$$ES_WAN$
 ip address XXX.XX.XX.78 255.255.255.248
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 crypto map CMAP
!
ip local pool vpn1 192.168.3.1 192.168.3.254
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 10.20.21.0 255.255.255.0 FastEthernet0/0
!
!
no ip http server
no ip http secure-server
ip nat pool NATPOOL XXX.XX.XX.78 XXX.XX.XX.78 prefix-length 24
ip nat inside source list 106 pool NATPOOL overload
ip nat inside source static tcp 10.20.20.48 53 XXX.XX.XX.81 53 extendable
ip nat inside source static udp 10.20.20.48 53 XXX.XX.XX.81 53 extendable
ip nat inside source static tcp 10.20.20.49 53 XXX.XX.XX.82 53 extendable
ip nat inside source static udp 10.20.20.49 53 XXX.XX.XX.82 53 extendable
ip nat inside source static tcp 10.20.20.52 25 XXX.XX.XX.83 25 extendable
ip nat inside source static tcp 10.20.20.52 80 XXX.XX.XX.83 80 extendable
ip nat inside source static tcp 10.20.20.52 110 XXX.XX.XX.83 110 extendable
ip nat inside source static tcp 10.20.20.52 143 XXX.XX.XX.83 143 extendable
ip nat inside source static tcp 10.20.20.50 80 XXX.XX.XX.84 80 extendable
ip nat inside source static tcp 10.20.20.50 443 XXX.XX.XX.84 443 extendable
!
logging trap warnings
access-list 2 remark ########### Router Configuration Access (local only)##########
access-list 2 permit 10.20.20.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark ########### FastEthernet 0/1 Outgoing Firewall #############
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq 22
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq cmd
access-list 100 deny   tcp any host 10.20.20.1 eq telnet
access-list 100 deny   tcp any host 10.20.20.1 eq 22
access-list 100 deny   tcp any host 10.20.20.1 eq www
access-list 100 deny   tcp any host 10.20.20.1 eq 443
access-list 100 deny   tcp any host 10.20.20.1 eq cmd
access-list 100 deny   udp any host 10.20.20.1 eq snmp
access-list 100 remark --Don't want to be email blocked! so only our server can send...
access-list 100 permit tcp host 10.20.20.52 any eq smtp
access-list 100 remark --I trust myself, so I can send...
access-list 100 permit tcp host 10.20.20.114 any eq smtp
access-list 100 deny   tcp any any eq smtp
access-list 100 permit ip any any
access-list 101 remark ########### Serial0/0/0 Incoming Firewall  ##############
access-list 101 remark ---- BLACKLIST ----
access-list 101 deny   ip host 66.199.187.181 any log
access-list 101 deny   udp any any range 1025 1028 log
access-list 101 remark ---- Allow Established ----
access-list 101 permit tcp any any established
access-list 101 remark ---- Allow NTP ----
access-list 101 permit udp host 128.194.254.7 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.8 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.9 eq ntp any eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.7 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.8 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.9 eq ntp
access-list 101 remark ---- Allow PING ----
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   icmp any any
access-list 101 remark ---- Allow VPN connection Access ----
access-list 101 permit esp any host XXX.XX.XX.78
access-list 101 permit ahp any host XXX.XX.XX.78
access-list 101 permit udp any eq isakmp host XXX.XX.XX.78 eq isakmp
access-list 101 remark ---- Block local on external and broadcasts ----
access-list 101 deny   ip any 0.0.0.255 255.255.255.0
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 remark ---- Block Erroneous Service Ports ----
access-list 101 deny   tcp any any range 6000 6003
access-list 101 deny   tcp any any range 2000 2003
access-list 101 remark ---- Block NFS Service ----
access-list 101 deny   tcp any any eq 2049
access-list 101 deny   udp any any eq 2049
access-list 101 remark ---- Block NETBIOS/SMB Service ----
access-list 101 deny   tcp any any eq 138
access-list 101 deny   tcp any any eq 445
access-list 101 deny   udp any any eq netbios-ns
access-list 101 deny   udp any any eq netbios-dgm
access-list 101 permit tcp any host XXX.XX.XX.84 eq www
access-list 101 permit tcp any host XXX.XX.XX.84 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq www
access-list 101 permit tcp any host XXX.XX.XX.83 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq pop3
access-list 101 permit tcp any host XXX.XX.XX.83 eq 143
access-list 101 permit tcp any host XXX.XX.XX.83 eq smtp log
access-list 101 permit tcp any host XXX.XX.XX.81 eq domain
access-list 101 permit udp any host XXX.XX.XX.81 eq domain
access-list 101 permit tcp any host XXX.XX.XX.82 eq domain
access-list 101 permit udp any host XXX.XX.XX.82 eq domain
access-list 101 remark ---- Allow UDP DESKTOPS ONLY ----
access-list 101 permit udp any host XXX.XX.XX.78
access-list 101 deny   udp any any log
access-list 101 deny   ip any any log
access-list 106 remark ----==== Serial0/0/0 NAT ACL ====----
access-list 106 deny   ip 10.20.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 106 permit ip 10.20.20.0 0.0.0.255 any
access-list 150 permit ip 10.20.20.0 0.0.0.255 any
no cdp run
!
!
!
!
control-plane


Author Comment

by:JAMason1182
Another quick note:
Doing a traceroute from my house to my IPs ends in a loop for the 81-85 addresses... but the 78 address resolves just fine.... Is the issue with my NAT or ACL configuration, or do I need to contact my ISP to see if anything changed?

Accepted Solution

by:cstosgale
cstosgale earned 450 total points
Hi,

There are a few things you've done in this config that will simply make your life a lot harder. I would strongly recommend taking a look at configuring the IOS firewall (CBAC), as you can configure an inspection rule that will take care of your UDP traffic flows and pretty much any protocol you can think of. It is much more advanced than the permit with the established keyword.

With regards to the static NATs, if you are using a single IP for each server, there is no need to do a port specific nat. This will just make things more complicated. You can just do:-

ip nat inside source static 10.20.20.48 XXX.XX.XX.81

and use the access list to control which ports are open for that IP address. This will also mean that outgoing traffic from that server will come from this address instead of your 78 address.

The more convoluted your config, the harder it is to troubleshoot!

You mentioned mail before, but there is no static nat on port 25 in our config, which would explain why that is not working.

Also, something to bear in mind about static nats is you need to allow the reply packets through the inside access list. In this case you are as you have a permit ip any any, but it's worth bearing in mind. You can also use an inspect rule in the opposite direction to let this through.

If you set up the nats as above, you should be able to ping / trace route to the servers IPs as the icmp packets will get to the servers. If you still have a loop, I would check with your ISP.

In the example a
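A consolidated version of the approach cstosgale describes, added here as an illustration and not taken from any post in the thread: one plain static NAT per server, the per-port control moved into the inbound access list, and a CBAC inspection rule on the outside interface so that replies to outbound TCP/UDP/ICMP from the servers come back without `permit tcp any any established`. Addresses, interface names and ACL numbers are the ones posted above; the inspect rule name FWRULE is an assumption.

```cisco
! Added example (not the thread's own config). Same addressing as the posts above;
! the inspect rule name FWRULE is assumed.
!
! --- Static NATs: one entry per server, no port-specific (PAT) entries ---
! The .81-.84 addresses do not need to be secondaries on Serial0/0/0: the ISP
! routes the block to the router over the PPP link and the static entries
! translate the packets on arrival (tweeter514's point).
ip nat inside source static 10.20.20.48 XXX.XX.XX.81
ip nat inside source static 10.20.20.49 XXX.XX.XX.82
ip nat inside source static 10.20.20.52 XXX.XX.XX.83
ip nat inside source static 10.20.20.50 XXX.XX.XX.84
! Desktops (ACL 106) still overload onto the primary interface address (.78)
ip nat inside source list 106 interface Serial0/0/0 overload
!
! --- CBAC: track sessions leaving the outside interface and open the return path ---
! udp covers DNS lookups and the NTP queries to 128.194.254.x, so the static
! per-server NTP permits in the old ACL 101 are no longer needed.
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
ip inspect name FWRULE icmp
!
interface Serial0/0/0
 ip inspect FWRULE out
 ip access-group 101 in
!
! --- Inbound ACL: only the published services reach each static NAT address ---
! Replies to connections the servers initiate are admitted by the inspect
! sessions, not by a blanket "established" line.
access-list 101 remark ---- Private / loopback sources never arrive from the T1 ----
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 remark ---- VPN terminating on the router itself ----
access-list 101 permit esp any host XXX.XX.XX.78
access-list 101 permit ahp any host XXX.XX.XX.78
access-list 101 permit udp any eq isakmp host XXX.XX.XX.78 eq isakmp
access-list 101 remark ---- Published services, one group per server ----
access-list 101 permit tcp any host XXX.XX.XX.81 eq domain
access-list 101 permit udp any host XXX.XX.XX.81 eq domain
access-list 101 permit tcp any host XXX.XX.XX.82 eq domain
access-list 101 permit udp any host XXX.XX.XX.82 eq domain
access-list 101 permit tcp any host XXX.XX.XX.83 eq smtp
access-list 101 permit tcp any host XXX.XX.XX.83 eq pop3
access-list 101 permit tcp any host XXX.XX.XX.83 eq 143
access-list 101 permit tcp any host XXX.XX.XX.83 eq www
access-list 101 permit tcp any host XXX.XX.XX.83 eq 443
access-list 101 permit tcp any host XXX.XX.XX.84 eq www
access-list 101 permit tcp any host XXX.XX.XX.84 eq 443
access-list 101 remark ---- Diagnostics: inbound ping/traceroute to the servers ----
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   ip any any log
!
! ACL 100 on FastEthernet0/1 already ends in "permit ip any any", so the servers'
! replies to these inbound sessions are not blocked on the way out (cstosgale's
! note about the inside access list).
```

To check the result, `show ip nat translations` should list one `---` static row per server plus its live sessions, `show ip inspect sessions` shows the outbound flows CBAC is tracking, and `show access-lists 101` gives per-entry hit counts so a service that still fails can be traced to the line that dropped it.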

Author Comment

by:JAMason1182
First off, thank you for your reply.  I need some info on some things you said, and would like to work towards other things you said.

"... look at configuring the IOS firewall (CBAC) as you can configure an inspection rule that will take care of your UDP traffic flows and pretty much any protocol you can think of..."
Can you help me with this? This sounds fantastic and if it can help me with the UDP traffic as well as the tcp traffic then it is the way to go. So far in the past, I couldn't get the tcp established to allow the traffic from my servers to return back (such as for yum update, etc.)

"...With regards to the static NATs, if you are using a single IP for each server, there is no need to do a port specific nat..."
If you read my original configuration, you'll see that I did use the straight static NATs (not PAT). It worked... with the exception noted above. I couldn't update my servers or even ping out from a server because the UDP and TCP traffic was blocked... UDP since the ACL didn't allow UDP traffic back to anything but the 78 public IP (i.e. XXX.XX.XX.81 couldn't ping out or do an HTTP request) and the TCP didn't handle the established TCP traffic... the reply for even a simple HTTP request wouldn't get back through the ACL.... and I didn't know how to get it to allow it without opening up additional ports.

"...You mentioned mail before, but there is no static nat on port 25 in our config..."
How about the following line from the post above (the posts earlier NATted the entire IP, not just port 25.)

ip nat inside source static tcp 10.20.20.52 25 XXX.XX.XX.83 25 extendable

I believe you just didn't see that line... you sound too intelligent in your response to have seen that and dismissed it.

"...You can also use an inspect rule in the opposite direction to let this through...."
Again I would like your help in getting these "inspect rules" setup so I can better control the traffic without such extravagant ACLs.


(to be continued on next comment...)

Author Comment

by:JAMason1182
(continued from before...)

----the following will be another question after I get this question answered.... but just in case it fits with the current question I'll put it here for now...-----

So how are you on routing as well? The reason I ask is because I have never been able to get my LAN to access the servers via their public IPs... it's as though the router sends out the packets and doesn't get them back. I'm not sure what to do with this... whether it is a loopback interface requirement or something. Also, I'd like to get my FastEthernet 0/0 interface routed in a way that I can finally get some of my systems separated off.... but still remain fully accessible via the existing private network. For example... ideally, I want to eventually get the servers all on the 10.20.21.0 subnet and leave the 10.20.20.0 subnet as the desktop subnet. BUT I need to make sure that the routing is complete so I don't lose any functionality or connectivity. I know this affects the NATs, but that is OK because once I get this original NAT situation resolved, I just NAT the "new" IP instead of the "old" IP for each server and then the routing/ACLs/"inspect rules" will ensure the traffic goes where it is supposed to.

----Back to my original question... -----

So if I put all my NAT rules as the straight static NATs, can you help me get the kinks worked out and the inspection rules setup?

Author Comment

by:JAMason1182
I did some reading and got the ip inspect rules added, then cleaned up my ACLs.

In about 10 minutes, I'll be calling my ISP to find out if they changed something... it's the only thing I can think of that would explain what is happening since nobody has said anything about my configuration being the definite culprit.

Author Comment

by:JAMason1182
Well, since a few of you helped me work out some kinks in my firewall, I'll be awarding some points to you according to how much help I got out of it.

Turns out my ISP was adding "new customers" and made a mistake and the guy had to reload the configuration... which happened to not be the current configuration so my extra IPs in question (which I added in the last 8 months) were dropped.  Doofus.

Note to self... ALWAYS WRITE THE RUNNING CONFIG TO THE STARTUP CONFIG!

Anyhow, once he added the routes back in it began to work. One good thing to think about is I got the ip inspect rules simplifying my ACLs tremendously... not to mention I'm much more familiar with my own setup!....

Author Closing Comment

by:JAMason1182
While it can be considered purely opinion, separating my static NATs into PATs was a bad idea. However, tweeter514 did convince me to re-examine how my IPs are assigned to the interface. cstosgale raised some questions that ultimately convinced me that my ISP was at fault, so I took much from his answers. Also, it appears he spent more time with my question.