Solved

Cisco 1841 - Multiple Public IPs with some static NATs and a dynamic NAT

Posted on 2008-10-10
Last Modified: 2010-04-21
OK, I have another thread open for this but it is in the wrong place and will be disposed of shortly (I presume).

So, I have several public IPs. We will call them XXX.XX.XX.78, .81, .82, .83, .84, and I believe .85 (I'm not using 85 so it doesn't matter). The 78 address is the main address for my router AND ALL desktops that exist in the LAN. My LAN is on a 10.20.20.0 subnet.

Also, the 81 address, 82, 83, 84 and eventually 85 (if it is mine) will be statically NATted to an individual server.

The question is... why isn't it working!? I thought I had it working but this week our email ceased altogether. I tracked it down and sure enough the mail server has NO access through the router. I have been piddling with it and now I can't get through the static NATs in either direction. The desktops have no trouble, so the main 78 address is still NATted just fine.

What am I doing wrong? And how can I best debug this issue to get the most out of my time in seeing NATs, etc.?

I won't be able to log on until Monday. So, I offer a full 500 points to anyone who can help me with this either over the weekend or first thing Monday.
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description Secondary interface - External
 ip address 10.20.21.2 255.255.255.0 secondary
 ip address 10.20.21.3 255.255.255.0 secondary
 ip address 10.20.21.1 255.255.255.0
 ip access-group 102 in
 ip nat outside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_LAN$$ETH-LAN$$FW_INSIDE$
 ip address 192.168.1.8 255.255.255.0 secondary
 ip address 192.168.2.8 255.255.255.0 secondary
 ip address 10.20.20.1 255.255.255.0
 ip access-group 100 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 description External - T1$FW_OUTSIDE$$ES_WAN$
 ip address XXX.XX.XX.81 255.255.255.248 secondary
 ip address XXX.XX.XX.82 255.255.255.248 secondary
 ip address XXX.XX.XX.83 255.255.255.248 secondary
 ip address XXX.XX.XX.84 255.255.255.248 secondary
 ip address XXX.XX.XX.85 255.255.255.248 secondary
 ip address XXX.XX.XX.78 255.255.255.248
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 crypto map CMAP
!
ip local pool vpn1 192.168.3.1 192.168.3.254
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 106 interface Serial0/0/0 overload
ip nat inside source static 10.20.20.48 XXX.XX.XX.81
ip nat inside source static 10.20.20.49 XXX.XX.XX.82
ip nat inside source static 10.20.20.52 XXX.XX.XX.83
ip nat inside source static 10.20.20.50 XXX.XX.XX.84
!
logging trap warnings
access-list 2 remark ########### Router Configuration Access (local only)##########
access-list 2 permit 10.20.20.0 0.0.0.255
access-list 2 deny   any
 
access-list 100 remark ########### FastEthernet 0/1 Outgoing Firewall #############
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq 22
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq cmd
access-list 100 deny   tcp any host 10.20.20.1 eq telnet log
access-list 100 deny   tcp any host 10.20.20.1 eq 22 log
access-list 100 deny   tcp any host 10.20.20.1 eq www log
access-list 100 deny   tcp any host 10.20.20.1 eq 443 log
access-list 100 deny   tcp any host 10.20.20.1 eq cmd log
access-list 100 deny   udp any host 10.20.20.1 eq snmp log
 
access-list 100 remark --Don't want to be email blocked! so only our server can send...
access-list 100 permit tcp host 10.20.20.52 any eq smtp
access-list 100 remark --I trust myself, so I can send...
access-list 100 permit tcp host 10.20.20.114 any eq smtp
access-list 100 deny   tcp any any eq smtp log
access-list 100 permit ip any any
 
access-list 101 remark ----==== Serial0/0/0 Incoming Firewall ====----
access-list 101 remark ---- BLACKLIST ----
access-list 101 deny   ip host 66.199.187.181 any log
access-list 101 deny   udp any any range 1025 1028 log
access-list 101 remark ---- Allow Established ----
access-list 101 permit tcp any any established
access-list 101 remark ---- Allow NTP ----
access-list 101 permit udp host 128.194.254.7 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.8 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.9 eq ntp any eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.7 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.8 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.9 eq ntp
access-list 101 remark ---- Allow PING ----
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   icmp any any log
access-list 101 remark ---- Allow VPN connection Access ----
access-list 101 permit esp any host XXX.XX.XX.78
access-list 101 permit ahp any host XXX.XX.XX.78
access-list 101 permit udp any eq isakmp host XXX.XX.XX.78 eq isakmp
access-list 101 remark ---- Block local on external and broadcasts ----
access-list 101 deny   ip any 0.0.0.255 255.255.255.0 log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 remark ---- Block Erroneous Service Ports ----
access-list 101 deny   tcp any any range 6000 6003 log
access-list 101 deny   tcp any any range 2000 2003 log
access-list 101 remark ---- Block NFS Service ----
access-list 101 deny   tcp any any eq 2049 log
access-list 101 deny   udp any any eq 2049 log
access-list 101 remark ---- Block NETBIOS/SMB Service ----
access-list 101 deny   tcp any any eq 138 log
access-list 101 deny   tcp any any eq 445 log
access-list 101 deny   udp any any eq netbios-ns log
access-list 101 deny   udp any any eq netbios-dgm log
access-list 101 permit tcp any host XXX.XX.XX.84 eq www
access-list 101 permit tcp any host XXX.XX.XX.84 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq www
access-list 101 permit tcp any host XXX.XX.XX.83 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq pop3
access-list 101 permit tcp any host XXX.XX.XX.83 eq 143
access-list 101 permit tcp any host XXX.XX.XX.83 eq smtp
access-list 101 permit tcp any host XXX.XX.XX.81 eq domain
access-list 101 permit udp any host XXX.XX.XX.81 eq domain
access-list 101 permit tcp any host XXX.XX.XX.82 eq domain
access-list 101 permit udp any host XXX.XX.XX.82 eq domain
access-list 101 remark ---- Allow UDP DESKTOPS ONLY ----
access-list 101 permit udp any host XXX.XX.XX.78
access-list 101 deny   udp any any log
access-list 101 deny   ip any any log
 
access-list 106 remark ----==== Serial0/0/0 NAT ACL ====----
access-list 106 deny   ip 10.20.20.0 0.0.0.255 192.168.3.0 0.0.0.255 log
access-list 106 permit ip 10.20.20.0 0.0.0.255 any
access-list 150 permit ip 10.20.20.0 0.0.0.255 any
no cdp run
!

Question by:JAMason1182
14 Comments
 
LVL 11

Expert Comment

by:donmanrobb
ID: 22692410
Please post the output of show ip nat translation
 

Author Comment

by:JAMason1182
ID: 22692620
Here you go:

midnr001#sh ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
--- XXX.XX.XX.81       10.20.20.48        ---                ---
udp XXX.XX.XX.82:123   10.20.20.49:123    128.194.254.7:123  128.194.254.7:123
udp XXX.XX.XX.82:123   10.20.20.49:123    128.194.254.8:123  128.194.254.8:123
udp XXX.XX.XX.82:123   10.20.20.49:123    128.194.254.9:123  128.194.254.9:123
--- XXX.XX.XX.82       10.20.20.49        ---                ---
udp XXX.XX.XX.84:123   10.20.20.50:123    128.194.254.8:123  128.194.254.8:123
tcp XXX.XX.XX.84:40732 10.20.20.50:40732  12.120.18.110:80   12.120.18.110:80
tcp XXX.XX.XX.84:55181 10.20.20.50:55181  12.120.17.110:80   12.120.17.110:80
--- XXX.XX.XX.84       10.20.20.50        ---                ---
tcp XXX.XX.XX.83:45941 10.20.20.52:45941  65.54.244.72:25    65.54.244.72:25
--- XXX.XX.XX.83       10.20.20.52        ---                ---
udp XXX.XX.XX.78:49447 10.20.20.55:49447  XXX.XX.XX.10:53    XXX.XX.XX.10:53
udp XXX.XX.XX.78:50726 10.20.20.55:50726  XXX.XX.XX.10:53    XXX.XX.XX.10:53
udp XXX.XX.XX.78:52336 10.20.20.55:52336  XXX.XX.XX.10:53    XXX.XX.XX.10:53
udp XXX.XX.XX.78:55315 10.20.20.55:55315  XXX.XX.XX.10:53    XXX.XX.XX.10:53
udp XXX.XX.XX.78:60212 10.20.20.55:60212  XXX.XX.XX.10:53    XXX.XX.XX.10:53
udp XXX.XX.XX.78:62417 10.20.20.55:62417  XXX.XX.XX.10:53    XXX.XX.XX.10:53
udp XXX.XX.XX.78:63220 10.20.20.55:63220  XXX.XX.XX.10:53    XXX.XX.XX.10:53
udp XXX.XX.XX.78:123   10.20.20.57:123    128.194.254.9:123  128.194.254.9:123

 
LVL 1

Assisted Solution

by:tweeter514
tweeter514 earned 50 total points
ID: 22695268
JAMason,

First, you don't need to have all those IPs on your outside interface; I personally would remove them. How I would push your external IPs to your clients is something like:

ip nat inside source static 10.20.20.X X.X.X.84 extendable

that will map the address for you, I would suggest only pointing in the ports you want so if they are hosting a webpage maybe:

ip nat inside source static tcp 10.20.20.X 80 X.X.X.84 80 extendable
 
LVL 1

Expert Comment

by:tweeter514
ID: 22695283
I also don't see access-list 102 in your config you pasted
 
LVL 11

Expert Comment

by:donmanrobb
ID: 22696034
Also can you post your NAT and ACL config, ideally I would suggest you post your entire config and change public IPs and passwords etc.
 

Author Comment

by:JAMason1182
ID: 22698220
Ok, I tried a few things, but no change in usability. I also tried to remove some of the plain-static entries and add just ports (testing using the 83 address)

But, no avail. Here's my latter-half config. I don't think the VPN info and crypt info is relevant. I figure everything from interfaces through NAT and the ACLs should give you what you need.

interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description Secondary interface - External
 ip address 10.20.21.2 255.255.255.0 secondary
 ip address 10.20.21.3 255.255.255.0 secondary
 ip address 10.20.21.1 255.255.255.0
 ip access-group 102 in
 ip nat outside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_LAN$$ETH-LAN$$FW_INSIDE$
 ip address 192.168.1.8 255.255.255.0 secondary
 ip address 192.168.2.8 255.255.255.0 secondary
 ip address 10.20.20.1 255.255.255.0
 ip access-group 100 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 description External - T1$FW_OUTSIDE$$ES_WAN$
 ip address XXX.XX.XX.81 255.255.255.248 secondary
 ip address XXX.XX.XX.78 255.255.255.248
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 crypto map CMAP
!
ip local pool vpn1 192.168.3.1 192.168.3.254
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
!
no ip http server
no ip http secure-server
ip nat pool pool01 XXX.XX.XX.78 XXX.XX.XX.78 prefix-length 24
ip nat inside source list 106 pool pool01 overload
ip nat inside source static 10.20.20.48 XXX.XX.XX.81
ip nat inside source static 10.20.20.49 XXX.XX.XX.82
ip nat inside source static tcp 10.20.20.52 25 XXX.XX.XX.83 25 extendable
ip nat inside source static tcp 10.20.20.52 80 XXX.XX.XX.83 80 extendable
ip nat inside source static tcp 10.20.20.52 110 XXX.XX.XX.83 110 extendable
ip nat inside source static tcp 10.20.20.52 143 XXX.XX.XX.83 143 extendable
ip nat inside source static tcp 10.20.20.52 443 XXX.XX.XX.83 443 extendable
ip nat inside source static 10.20.20.50 XXX.XX.XX.84
!
logging trap debugging
access-list 2 remark ########### Router Configuration Access (local only)##########
access-list 2 permit 10.20.20.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark ########### FastEthernet 0/1 Outgoing Firewall #############
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq 22
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq cmd
access-list 100 deny   tcp any host 10.20.20.1 eq telnet log
access-list 100 deny   tcp any host 10.20.20.1 eq 22 log
access-list 100 deny   tcp any host 10.20.20.1 eq www log
access-list 100 deny   tcp any host 10.20.20.1 eq 443 log
access-list 100 deny   tcp any host 10.20.20.1 eq cmd log
access-list 100 deny   udp any host 10.20.20.1 eq snmp log
access-list 100 remark --Don't want to be email blocked! so only our server can send...
access-list 100 permit tcp host 10.20.20.52 any eq smtp
access-list 100 remark --I trust myself, so I can send...
access-list 100 permit tcp host 10.20.20.114 any eq smtp
access-list 100 deny   tcp any any eq smtp log
access-list 100 permit ip any any
access-list 101 remark ----==== Serial0/0/0 Incoming Firewall ====----
access-list 101 remark ---- BLACKLIST ----
access-list 101 deny   ip host 66.199.187.181 any log
access-list 101 deny   udp any any range 1025 1028 log
access-list 101 remark ---- Allow Established ----
access-list 101 permit tcp any any established
access-list 101 remark ---- Allow NTP ----
access-list 101 permit udp host 128.194.254.7 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.8 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.9 eq ntp any eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.7 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.8 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.9 eq ntp
access-list 101 remark ---- Allow PING ----
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   icmp any any log
access-list 101 remark ---- Allow VPN connection Access ----
access-list 101 permit esp any host XXX.XX.XX.78
access-list 101 permit ahp any host XXX.XX.XX.78
access-list 101 permit udp any eq isakmp host XXX.XX.XX.78 eq isakmp
access-list 101 remark ---- Block local on external and broadcasts ----
access-list 101 deny   ip any 0.0.0.255 255.255.255.0 log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 remark ---- Block Erroneous Service Ports ----
access-list 101 deny   tcp any any range 6000 6003 log
access-list 101 deny   tcp any any range 2000 2003 log
access-list 101 remark ---- Block NFS Service ----
access-list 101 deny   tcp any any eq 2049 log
access-list 101 deny   udp any any eq 2049 log
access-list 101 remark ---- Block NETBIOS/SMB Service ----
access-list 101 deny   tcp any any eq 138 log
access-list 101 deny   tcp any any eq 445 log
access-list 101 deny   udp any any eq netbios-ns log
access-list 101 deny   udp any any eq netbios-dgm log
access-list 101 permit tcp any host XXX.XX.XX.84 eq www
access-list 101 permit tcp any host XXX.XX.XX.84 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq www
access-list 101 permit tcp any host XXX.XX.XX.83 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq pop3
access-list 101 permit tcp any host XXX.XX.XX.83 eq 143
access-list 101 permit tcp any host XXX.XX.XX.83 eq smtp
access-list 101 permit tcp any host XXX.XX.XX.81 eq domain
access-list 101 permit udp any host XXX.XX.XX.81 eq domain
access-list 101 permit tcp any host XXX.XX.XX.82 eq domain
access-list 101 permit udp any host XXX.XX.XX.82 eq domain
access-list 101 remark ---- Allow UDP DESKTOPS ONLY ----
access-list 101 permit udp any host XXX.XX.XX.78
access-list 101 deny   udp any any log
access-list 101 deny   ip any any log
access-list 106 remark ----==== Serial0/0/0 NAT ACL ====----
access-list 106 deny   ip 10.20.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 106 permit ip 10.20.20.0 0.0.0.255 any
access-list 150 permit ip 10.20.20.0 0.0.0.255 any
no cdp run
!
!
!
!
control-plane
!
!
!

 

Author Comment

by:JAMason1182
ID: 22698821
OK, I did some changes. I took out some of my IPs from the external Serial interface. I also hooked up the old laptop to work on my secondary external interface, fe0/0. This interface I use for testing. Usually it isn't even hooked up.

I've attached the configuration as it now stands.

I can now reach the outside world from the servers. BUT I can't access the servers from the outside. (Can't get email, etc., despite the ACLs and NAT configuration as shown below)

Question: Do I need to do anything since my public IPs XXX.XX.XX.81 through 85 are not in the same subnet as my main public IP 78?

!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description Secondary interface - External
 ip address 10.20.21.1 255.255.255.0
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_LAN$$ETH-LAN$$FW_INSIDE$
 ip address 192.168.1.8 255.255.255.0 secondary
 ip address 192.168.2.8 255.255.255.0 secondary
 ip address 10.20.20.1 255.255.255.0
 ip access-group 100 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 description External - T1$FW_OUTSIDE$$ES_WAN$
 ip address XXX.XX.XX.78 255.255.255.248
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 crypto map CMAP
!
ip local pool vpn1 192.168.3.1 192.168.3.254
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 10.20.21.0 255.255.255.0 FastEthernet0/0
!
!
no ip http server
no ip http secure-server
ip nat pool NATPOOL XXX.XX.XX.78 XXX.XX.XX.78 prefix-length 24
ip nat inside source list 106 pool NATPOOL overload
ip nat inside source static tcp 10.20.20.48 53 XXX.XX.XX.81 53 extendable
ip nat inside source static udp 10.20.20.48 53 XXX.XX.XX.81 53 extendable
ip nat inside source static tcp 10.20.20.49 53 XXX.XX.XX.82 53 extendable
ip nat inside source static udp 10.20.20.49 53 XXX.XX.XX.82 53 extendable
ip nat inside source static tcp 10.20.20.52 25 XXX.XX.XX.83 25 extendable
ip nat inside source static tcp 10.20.20.52 80 XXX.XX.XX.83 80 extendable
ip nat inside source static tcp 10.20.20.52 110 XXX.XX.XX.83 110 extendable
ip nat inside source static tcp 10.20.20.52 143 XXX.XX.XX.83 143 extendable
ip nat inside source static tcp 10.20.20.50 80 XXX.XX.XX.84 80 extendable
ip nat inside source static tcp 10.20.20.50 443 XXX.XX.XX.84 443 extendable
!
logging trap warnings
access-list 2 remark ########### Router Configuration Access (local only)##########
access-list 2 permit 10.20.20.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark ########### FastEthernet 0/1 Outgoing Firewall #############
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq 22
access-list 100 permit tcp 10.20.20.0 0.0.0.255 host 10.20.20.1 eq cmd
access-list 100 deny   tcp any host 10.20.20.1 eq telnet
access-list 100 deny   tcp any host 10.20.20.1 eq 22
access-list 100 deny   tcp any host 10.20.20.1 eq www
access-list 100 deny   tcp any host 10.20.20.1 eq 443
access-list 100 deny   tcp any host 10.20.20.1 eq cmd
access-list 100 deny   udp any host 10.20.20.1 eq snmp
access-list 100 remark --Don't want to be email blocked! so only our server can send...
access-list 100 permit tcp host 10.20.20.52 any eq smtp
access-list 100 remark --I trust myself, so I can send...
access-list 100 permit tcp host 10.20.20.114 any eq smtp
access-list 100 deny   tcp any any eq smtp
access-list 100 permit ip any any
access-list 101 remark ########### Serial0/0/0 Incoming Firewall  ##############
access-list 101 remark ---- BLACKLIST ----
access-list 101 deny   ip host 66.199.187.181 any log
access-list 101 deny   udp any any range 1025 1028 log
access-list 101 remark ---- Allow Established ----
access-list 101 permit tcp any any established
access-list 101 remark ---- Allow NTP ----
access-list 101 permit udp host 128.194.254.7 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.8 eq ntp any eq ntp
access-list 101 permit udp host 128.194.254.9 eq ntp any eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.7 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.8 eq ntp
access-list 101 permit udp any eq ntp host 128.194.254.9 eq ntp
access-list 101 remark ---- Allow PING ----
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   icmp any any
access-list 101 remark ---- Allow VPN connection Access ----
access-list 101 permit esp any host XXX.XX.XX.78
access-list 101 permit ahp any host XXX.XX.XX.78
access-list 101 permit udp any eq isakmp host XXX.XX.XX.78 eq isakmp
access-list 101 remark ---- Block local on external and broadcasts ----
access-list 101 deny   ip any 0.0.0.255 255.255.255.0
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 remark ---- Block Erroneous Service Ports ----
access-list 101 deny   tcp any any range 6000 6003
access-list 101 deny   tcp any any range 2000 2003
access-list 101 remark ---- Block NFS Service ----
access-list 101 deny   tcp any any eq 2049
access-list 101 deny   udp any any eq 2049
access-list 101 remark ---- Block NETBIOS/SMB Service ----
access-list 101 deny   tcp any any eq 138
access-list 101 deny   tcp any any eq 445
access-list 101 deny   udp any any eq netbios-ns
access-list 101 deny   udp any any eq netbios-dgm
access-list 101 permit tcp any host XXX.XX.XX.84 eq www
access-list 101 permit tcp any host XXX.XX.XX.84 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq www
access-list 101 permit tcp any host XXX.XX.XX.83 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq pop3
access-list 101 permit tcp any host XXX.XX.XX.83 eq 143
access-list 101 permit tcp any host XXX.XX.XX.83 eq smtp log
access-list 101 permit tcp any host XXX.XX.XX.81 eq domain
access-list 101 permit udp any host XXX.XX.XX.81 eq domain
access-list 101 permit tcp any host XXX.XX.XX.82 eq domain
access-list 101 permit udp any host XXX.XX.XX.82 eq domain
access-list 101 remark ---- Allow UDP DESKTOPS ONLY ----
access-list 101 permit udp any host XXX.XX.XX.78
access-list 101 deny   udp any any log
access-list 101 deny   ip any any log
access-list 106 remark ----==== Serial0/0/0 NAT ACL ====----
access-list 106 deny   ip 10.20.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 106 permit ip 10.20.20.0 0.0.0.255 any
access-list 150 permit ip 10.20.20.0 0.0.0.255 any
no cdp run
!
!
!
!
control-plane

 

Author Comment

by:JAMason1182
ID: 22698831
Another quick note:
Doing a traceroute from my house to my IPs ends in a loop for the 81-85 addresses... but the 78 address resolves just fine.... Is the issue with my NAT or ACL configuration, or do I need to contact my ISP to see if anything changed?
 
LVL 10

Accepted Solution

by:cstosgale
cstosgale earned 450 total points
ID: 22698904
Hi,

There are a few things you've done in this config that will simply make your life a lot harder. I would strongly recommend taking a look at configuring the IOS firewall (CBAC), as you can configure an inspection rule that will take care of your UDP traffic flows and pretty much any protocol you can think of. It is much more advanced than the permit with the established keyword.

With regards to the static NATs, if you are using a single IP for each server, there is no need to do a port specific nat. This will just make things more complicated. You can just do:-

ip nat inside source static 10.20.20.48 XXX.XX.XX.81

and use the access list to control which ports are open for that IP address. This will also mean that outgoing traffic from that server will come from this address instead of your 78 address.

The more convoluted your config, the harder it is to troubleshoot!

You mentioned mail before, but there is no static NAT on port 25 in your config, which would explain why that is not working.

Also, something to bear in mind about static nats is you need to allow the reply packets through the inside access list. In this case you are as you have a permit ip any any, but it's worth bearing in mind. You can also use an inspect rule in the opposite direction to let this through.

If you set up the NATs as above, you should be able to ping / traceroute to the servers' IPs as the ICMP packets will get to the servers. If you still have a loop, I would check with your ISP.

In the example a
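The model in this answer is that a whole-address static NAT delivers every port to the server and the inbound ACL on the outside interface decides which ports are actually reachable, whereas per-port statics make the NAT statements and the ACL two lists that must agree line by line. IOS evaluates the inbound ACL on the outside interface before it translates an outside-to-inside packet, so that ACL must match on the public address, which is what ACL 101 in the thread does. The following is an added example, not code from the thread or from Cisco: a Python cross-check that reads static NAT statements and the host-specific permits of a numbered inbound ACL out of a config text, then reports (1) ports forwarded by a per-port static but never permitted by the ACL, so the packet is dropped before NAT, (2) ports the ACL permits to a public address that has neither a per-port static for that port nor a whole-address static, so the permitted packet has nowhere to go, and (3) for whole-address statics, the set of ports the ACL exposes. The sample config is constructed from lines posted in this thread (public addresses masked as in the posts); the port 993 line is constructed and was not in any posted config, added only so that finding (1) has something to report.

```python
import re

# Added example (not code from the thread): cross-check static NAT
# statements against the inbound ACL on the outside interface.

# Constructed sample modelled on the NAT and access-list 101 lines posted in
# this thread (public addresses masked as in the posts). The 993 line is
# constructed and was not in any posted config: it shows a forward that the
# ACL never permits.
CONFIG = """\
ip nat inside source static tcp 10.20.20.48 53 XXX.XX.XX.81 53 extendable
ip nat inside source static udp 10.20.20.48 53 XXX.XX.XX.81 53 extendable
ip nat inside source static tcp 10.20.20.52 25 XXX.XX.XX.83 25 extendable
ip nat inside source static tcp 10.20.20.52 80 XXX.XX.XX.83 80 extendable
ip nat inside source static tcp 10.20.20.52 110 XXX.XX.XX.83 110 extendable
ip nat inside source static tcp 10.20.20.52 143 XXX.XX.XX.83 143 extendable
ip nat inside source static tcp 10.20.20.52 993 XXX.XX.XX.83 993 extendable
ip nat inside source static 10.20.20.50 XXX.XX.XX.84
access-list 101 permit tcp any any established
access-list 101 permit tcp any host XXX.XX.XX.84 eq www
access-list 101 permit tcp any host XXX.XX.XX.84 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq www
access-list 101 permit tcp any host XXX.XX.XX.83 eq 443
access-list 101 permit tcp any host XXX.XX.XX.83 eq pop3
access-list 101 permit tcp any host XXX.XX.XX.83 eq 143
access-list 101 permit tcp any host XXX.XX.XX.83 eq smtp log
access-list 101 permit tcp any host XXX.XX.XX.81 eq domain
access-list 101 permit udp any host XXX.XX.XX.81 eq domain
access-list 101 permit tcp any host XXX.XX.XX.82 eq domain
access-list 101 permit udp any host XXX.XX.XX.82 eq domain
access-list 101 deny   ip any any log
"""

# "show run" prints well-known ports by name; map the ones used in the thread.
PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "domain": 53, "telnet": 23, "ntp": 123}

STATIC_FULL = re.compile(r"^ip nat inside source static (\S+) (\S+)$")
STATIC_PORT = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ACL_PERMIT = re.compile(r"^access-list (\d+) permit (tcp|udp) any host (\S+) eq (\S+)(?: log)?$")


def port_number(token):
    """Map a port name or digit string to its number."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_nat(config):
    """Split static NATs into whole-address maps and per-port maps.
    full     = {inside_global_ip: inside_local_ip}
    portmaps = {(proto, inside_global_ip, global_port): (inside_local_ip, local_port)}"""
    full, portmaps = {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = STATIC_PORT.match(line)
        if m:
            proto, local_ip, lport, global_ip, gport = m.groups()
            portmaps[(proto, global_ip, int(gport))] = (local_ip, int(lport))
            continue
        m = STATIC_FULL.match(line)
        if m:
            local_ip, global_ip = m.groups()
            full[global_ip] = local_ip
    return full, portmaps


def parse_acl_permits(config, acl_id):
    """Collect (proto, public_host, port) triples the ACL opens to a single host."""
    permits = set()
    for line in config.splitlines():
        m = ACL_PERMIT.match(line.strip())
        if m and m.group(1) == acl_id:
            _, proto, host, port = m.groups()
            permits.add((proto, host, port_number(port)))
    return permits


def cross_check(config, acl_id="101"):
    """Return (nat_but_no_acl, acl_but_no_nat, exposed_ports_of_full_statics)."""
    full, portmaps = parse_nat(config)
    permits = parse_acl_permits(config, acl_id)
    # Per-port static exists, but the inbound ACL never lets the packet reach NAT.
    nat_but_no_acl = sorted(k for k in portmaps if k not in permits)
    # ACL lets the packet in, but no translation exists for that address/port.
    acl_but_no_nat = sorted(k for k in permits
                            if k not in portmaps and k[1] not in full)
    # Whole-address statics: the ACL alone decides which ports are reachable.
    exposed = {ip: sorted((proto, port) for (proto, host, port) in permits if host == ip)
               for ip in full}
    return nat_but_no_acl, acl_but_no_nat, exposed


if __name__ == "__main__":
    nat_no_acl, acl_no_nat, exposed = cross_check(CONFIG)
    print("forwarded but not permitted:", nat_no_acl)
    print("permitted but not translated:", acl_no_nat)
    print("ports exposed on whole-address statics:", exposed)
```

On the constructed sample the checker reports tcp/993 to .83 as forwarded but filtered, and tcp/443 to .83 plus both DNS permits to .82 as permitted but untranslated. It only understands the `permit <proto> any host <ip> eq <port>` shape used in this thread; ranges, source restrictions and named ACLs would need more patterns, and it says nothing about routing, which is where this particular thread ended up.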
 

Author Comment

by:JAMason1182
ID: 22700080
First off, thank you for your reply.  I need some info on some things you said, and would like to work towards other things you said.

"... look at configuring the IOS firewall (CBAC) as you can configure an inspection rule that will take care of your UDP traffic flows and pretty much any protocol you can think of..."
Can you help me with this? This sounds fantastic and if it can help me with the UDP traffic as well as the tcp traffic then it is the way to go. So far in the past, I couldn't get the tcp established to allow the traffic from my servers to return back (such as for yum update, etc.)

"...With regards to the static NATs, if you are using a single IP for each server, there is no need to do a port specific nat..."
If you read my original configuration, you'll see that I did use the straight static NATs (not PAT). It worked... with the exception noted above. I couldn't update my servers or even ping out from a server because the UDP and TCP traffic was blocked... UDP since the ACL didn't allow UDP traffic back to anything but the 78 public IP (i.e. XXX.XX.XX.81 couldn't ping out or do an HTTP request), and the TCP didn't handle the established TCP traffic... the reply for even a simple HTTP request wouldn't get back through the ACL.... and I didn't know how to get it to allow it without opening up additional ports.

"...You mentioned mail before, but there is no static nat on port 25 in our config..."
How about the following line from the post above (the earlier posts NATted the entire IP, not just port 25):

ip nat inside source static tcp 10.20.20.52 25 XXX.XX.XX.83 25 extendable

I believe you just didn't see that line... you sound too intelligent in your response to have seen that and dismissed it.

"...You can also use an inspect rule in the opposite direction to let this through...."
Again I would like your help in getting these "inspect rules" setup so I can better control the traffic without such extravagant ACLs.


(to be continued on next comment...)
 

Author Comment

by:JAMason1182
ID: 22700100
(continued from before...)

----the following will be another question after I get this question answered.... but just in case it fits with the current question I'll put it here for now...-----

So how are you on routing as well? The reason I ask is because I have never been able to get my LAN to access the servers via their public IP... it's as though the router sends out the packets and doesn't get them back. I'm not sure what to do with this... whether it is a loopback interface requirement or something. Also, I'd like to get my FastEthernet 0/0 interface routed in a way that I can finally get some of my systems separated off.... but still remain fully accessible via the existing private network. For example... ideally, I want to eventually get the servers all on the 10.20.21.0 subnet and leave the 10.20.20.0 subnet as the desktop subnet. BUT I need to make sure that the routing is complete so I don't lose any functionality or connectivity. I know this affects the NATs, but that is OK because once I get this original NAT situation resolved, I just NAT the "new" IP instead of the "old" IP for each server and then the routing/ACLs/"inspect rules" will ensure the traffic goes where it is supposed to.

----Back to my original question... -----

So if I put all my NAT rules as the straight static NATs, can you help me get the kinks worked out and the inspection rules setup?
 

Author Comment

by:JAMason1182
ID: 22701929
I did some reading and got the ip inspect rules added, then cleaned up my ACLs.

In about 10 minutes, I'll be calling my ISP to find out if they changed something... it's the only thing I can think of that would explain what is happening since nobody has said anything about my configuration being the definite culprit.
 

Author Comment

by:JAMason1182
ID: 22702361
Well, since a few of you helped me work out some kinks in my firewall, I'll be awarding some points to you according to how much help I got out of it.

Turns out my ISP was adding "new customers" and made a mistake and the guy had to reload the configuration... which happened to not be the current configuration so my extra IPs in question (which I added in the last 8 months) were dropped.  Doofus.

Note to self... ALWAYS WRITE THE RUNNING CONFIG TO THE STARTUP CONFIG!

Anyhow, once he added the routes back in it began to work. One good thing to think about is I got the ip inspect rules simplifying my ACLs tremendously... not to mention I'm much more familiar with my own setup!....
 

Author Closing Comment

by:JAMason1182
ID: 31505229
While it can be considered purely opinion, separating my static NATs into PATs was a bad idea. However, tweeter514 did convince me to relook how my IPs are assigned to the interface. cstosgale raised some questions that ultimately convinced me that my ISPs were at fault, thus I took much from his answers. Also, it appears he spent more time with my question.