Solved

Config of an 1841 router to act as a firewall

Posted on 2008-11-19
Last Modified: 2012-05-05
Hi,
We're trying to configure an 1841 series Cisco router to replace a Cisco PIX firewall...

Internal network is 10.50.0.0 /22, and the router's inside address is 10.50.0.1

I'm attaching its running config.
The VPN config info isn't in the attached file, although some of the access lists might be.  

The problem we're having is that, on this config, traffic on ports 80 and 25 isn't flowing to the Exchange server (10.50.1.7) as it should be.

What are we doing wrong?

Thanks in advance.
!This is the running config of the router: 10.50.0.1
!----------------------------------------------------------------------------
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname hou-fw1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$B1.k$Ncc70u8nURA5/VGUlWtso.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 group radius
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 http
ip tcp synwait-time 10
!
!
no ip bootp server
ip domain name txdrc.org
ip name-server 68.87.85.98
ip name-server 68.87.69.146
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
crypto pki trustpoint TP-self-signed-368753990
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-368753990
 revocation-check none
 rsakeypair TP-self-signed-368753990
!
!
crypto pki certificate chain TP-self-signed-368753990
 certificate self-signed 01
  30820247 308201B0 A0030201 02021101 300D0609 2A864886 F70D0101 04050030 
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 
  69166963 6174652D 33363837 35333939 30301E17 0D303831 31313930 30333835 
  345A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F 
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3336 38373533 
  39393030 819F300D 06192A86 4886F70D 01010105 0003818D 01308189 02818100 
  D912EB0E 59214C67 7D431512 1B532765 023E7060 62BDFD2D 35BBE222 CD8040E2 
  CF6CE3FC EC02FAFF 31143206 ABC9E1C4 BD2CBCD6 7D7B7DBA E9E3EF09 E06B79F0 
  03AE0A7B 214A8657 370549CB CBB33E2A 4AFCD8E6 21F7B44D FFA3CA8F 4F19A11E 
  26C81430 EA55F55F 02222910 E31DBA13 6F0D0E8D F2D9AAD4 D4F9EC19 69F25F9B 
  02030100 01A37130 6F300F06 03551D13 0101FF04 05300301 01FF301C 0603551D 
  11041530 13821168 6F752D66 77312E74 78647263 2E6F7267 301F0603 551D2304 
  18301680 14B416B2 CCBC4241 8D07401A 54D5DEB6 6AEF7CEC 31301D06 03551D0E 
  04160414 B416B2CC BC42418D 07401A54 D5DEB66A EF7CEC31 300D0609 2A864886 
  F70D0101 04050003 8181002C 7DFBA072 535D32DF 99FB7F6E 67DA94EB 9AA20946 
  AAB8A4E5 6E7C859F 8176C9C5 64BB629C D7C32991 42A16AD1 779AA1AD 87414462 
  CDBAE8E4 764CCC5B 8EB511D5 6904CB46 4352BE74 8C091A63 0671BAB2 7898EE00 
  63E38131 DE8B8A94 DDF78C57 26D0F13B 510BD294 185B2370 628ACE7A 46D22A0B 
  7F41B969 F8561637 8AB02C
  quit
username admin privilege 15 secret 5 UTcwxRF.1h/
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15
 
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 75.148.231.177 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_LAN$$FW_INSIDE$
 ip address 10.50.0.1 255.255.252.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
ip local pool SDM_POOL_1 10.50.3.200 10.50.3.250
ip classless
ip route 0.0.0.0 0.0.0.0 75.148.231.178
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.50.1.7 110 interface FastEthernet0/0 110
ip nat inside source static tcp 10.50.0.7 80 interface FastEthernet0/0 80
ip nat inside source static tcp 10.50.1.7 443 interface FastEthernet0/0 443
ip nat inside source static tcp 10.50.1.7 25 75.148.231.177 25 extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.50.0.0 0.0.3.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 10.50.1.1 eq 1645 host 10.50.0.1
access-list 100 permit udp host 10.50.1.1 eq 1646 host 10.50.0.1
access-list 100 deny   ip 75.148.231.176 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any host 75.148.231.177 eq 443
access-list 101 permit tcp any host 75.148.231.177 eq www
access-list 101 permit tcp any host 75.148.231.177 eq pop3
access-list 101 permit tcp any host 75.148.231.177 eq smtp
access-list 101 permit ip host 10.50.3.200 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.201 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.202 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.203 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.204 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.205 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.206 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.207 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.208 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.209 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.210 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.211 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.212 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.213 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.214 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.215 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.216 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.217 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.218 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.219 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.220 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.221 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.222 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.223 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.224 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.225 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.226 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.227 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.228 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.229 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.230 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.231 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.232 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.233 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.234 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.235 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.236 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.237 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.238 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.239 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.240 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.241 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.242 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.243 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.244 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.245 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.246 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.247 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.248 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.249 10.50.0.0 0.0.3.255
access-list 101 permit ip host 10.50.3.250 10.50.0.0 0.0.3.255
access-list 101 permit udp any host 75.148.231.177 eq non500-isakmp
access-list 101 permit udp any host 75.148.231.177 eq isakmp
access-list 101 permit esp any host 75.148.231.177
access-list 101 permit ahp any host 75.148.231.177
access-list 101 permit udp host 68.87.69.146 eq domain host 75.148.231.177
access-list 101 permit udp host 68.87.85.98 eq domain host 75.148.231.177
access-list 101 deny   ip 10.50.0.0 0.0.3.255 any
access-list 101 permit icmp any host 75.148.231.177 echo-reply
access-list 101 permit icmp any host 75.148.231.177 time-exceeded
access-list 101 permit icmp any host 75.148.231.177 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 0.0.0.72 255.255.255.128 any
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.200
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.201
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.202
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.203
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.204
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.205
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.206
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.207
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.208
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.209
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.210
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.211
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.212
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.213
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.214
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.215
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.216
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.217
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.218
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.219
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.220
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.221
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.222
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.223
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.224
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.225
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.226
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.227
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.228
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.229
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.230
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.231
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.232
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.233
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.234
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.235
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.236
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.237
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.238
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.239
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.240
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.241
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.242
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.243
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.244
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.245
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.246
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.247
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.248
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.249
access-list 103 deny   ip 10.50.0.0 0.0.3.255 host 10.50.3.250
access-list 103 permit ip 10.50.0.0 0.0.3.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
radius-server host 10.50.1.1 auth-port 1645 acct-port 1646 timeout 15 key 7 097C5C37101644185F04
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and 
it provides the default username "cisco" for  one-time use. If you have already 
used the username "cisco" to login to the router and your IOS image supports the 
"one-time" user option, then this username has already expired. You will not be 
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level 
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to 
use.
 
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
end


Question by: Mystical_Ice

5 Comments
 
Assisted Solution by bkepford (LVL 15, earned 200 total points), ID: 22999740

Your problem is hard to find because your router was configured using the SDM; the logic is there, it is just done the hard way. It could be either your ACL or NAT. To test NAT, remove the following lines and test.
interface FastEthernet0/0
ip access-group 101 in
!
interface FastEthernet0/1
ip access-group 100 in

If this works after you do this, the problem is not in NAT but in the ACL setup. If it still doesn't work, then it is a NAT issue.
After you test this, let me know.
 
Accepted Solution by wingatesl (LVL 15, earned 1800 total points), ID: 23010923

Please change these lines

ip nat inside source static tcp 10.50.0.7 80 interface FastEthernet0/0 80
to >
ip nat inside source static tcp 10.50.1.7 80 interface FastEthernet0/0 80
as the IP address was wrong,

and
ip nat inside source static tcp 10.50.1.7 25 75.148.231.177 25 extendable
to > 
ip nat inside source static tcp 10.50.1.7 25 interface fastethernet0/0 25

You can also paste this into a telnet session:

conf t
no ip nat inside source static tcp 10.50.0.7 80 interface FastEthernet0/0 80
ip nat inside source static tcp 10.50.1.7 80 interface FastEthernet0/0 80
no ip nat inside source static tcp 10.50.1.7 25 75.148.231.177 25 extendable
ip nat inside source static tcp 10.50.1.7 25 interface fastethernet0/0 25

However, I must say that the SMTP connection is working fine from the outside:
"220 hou-exc1.jwrhouston.org"

You will not be able to check it from inside the network, just in case that is where you are trying.

 
Expert Comment by bkepford (LVL 15), ID: 23013457
The IP address isn't wrong; look at his subnet mask.
 
 
Expert Comment by wingatesl (LVL 15), ID: 23013519
While that IP address is within the subnet, it is not the IP of the Exchange server:
"THE PROBLEM we're having, is, on this config, traffic on port 80 and 25 aren't flowing to the exchange server (10.50.1.7) as it should be"

The one listed in the NAT statement is 10.50.0.7.
 
Expert Comment by bkepford (LVL 15), ID: 23013573
Oh, never mind, you're right. I saw that, but I saw the subnet mask and just figured they were separate.
If they are running Outlook Web Access they will most likely need to forward port 443 as well.
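As an added example, not code from the thread, from Cisco or from SDM: a small Python checker that does mechanically what the experts above did by hand. It parses the static NAT entries and the inbound TCP permits of the outside-interface ACL out of a config excerpt (the lines in POSTED_CONFIG are copied from the running config posted in the question) and compares both against what the question says should be published, namely all four services on the Exchange server 10.50.1.7. A port permitted by the ACL with no translation, or translated but not permitted, is the ACL-versus-NAT split that bkepford's bisection isolates; a translation that points at the wrong inside host is the typo wingatesl found; and because a wrong host that still lies inside 10.50.0.0/22 looks valid at a glance (the subnet-mask point bkepford raised), the finding says whether the bad address is in the LAN or not. The function names, the finding strings, the EXPECTED map and the LAN constant are assumptions made for the example; IOS_PORT_NAMES lists only the port keywords that appear in this config.

```python
"""Cross-check static NAT entries against the outside-interface ACL of an IOS config.

Added example for this thread, not Cisco's code and not from any of the posts.
The config lines in POSTED_CONFIG are copied from the running config in the
question; everything else (function names, finding strings, EXPECTED, LAN) is
an assumption made for the example.
"""
import re
from ipaddress import ip_address, ip_network

# Port keywords IOS substitutes for numbers in ACLs; only those present in
# the posted config are listed here.
IOS_PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "domain": 53}

# ip nat inside source static tcp <inside> <iport> (interface <if> | <global-ip>) <oport> [extendable]
NAT_RE = re.compile(
    r"^ip nat inside source static tcp (?P<inside>\d+\.\d+\.\d+\.\d+) (?P<iport>\d+) "
    r"(?:interface \S+|\d+\.\d+\.\d+\.\d+) (?P<oport>\d+)"
)
# access-list <n> permit tcp any host <outside-ip> eq <port>
ACL_RE = re.compile(
    r"^access-list (?P<acl>\d+) permit tcp any host \d+\.\d+\.\d+\.\d+ eq (?P<port>\S+)$"
)

# Excerpt of the running config posted in the question: the static NAT lines
# and the inbound TCP permits of ACL 101, which is applied "in" on FastEthernet0/0.
POSTED_CONFIG = """\
ip nat inside source static tcp 10.50.1.7 110 interface FastEthernet0/0 110
ip nat inside source static tcp 10.50.0.7 80 interface FastEthernet0/0 80
ip nat inside source static tcp 10.50.1.7 443 interface FastEthernet0/0 443
ip nat inside source static tcp 10.50.1.7 25 75.148.231.177 25 extendable
access-list 101 permit tcp any host 75.148.231.177 eq 443
access-list 101 permit tcp any host 75.148.231.177 eq www
access-list 101 permit tcp any host 75.148.231.177 eq pop3
access-list 101 permit tcp any host 75.148.231.177 eq smtp
"""

# Same excerpt with wingatesl's correction of the port-80 entry applied.
CORRECTED_CONFIG = POSTED_CONFIG.replace(
    "static tcp 10.50.0.7 80", "static tcp 10.50.1.7 80"
)

# What the question says should be published: all four services on Exchange.
EXCHANGE = "10.50.1.7"
LAN = ip_network("10.50.0.0/22")
EXPECTED = {25: EXCHANGE, 80: EXCHANGE, 110: EXCHANGE, 443: EXCHANGE}


def port_number(token):
    """Turn an ACL port token ('www' or '443') into an integer."""
    if token in IOS_PORT_NAMES:
        return IOS_PORT_NAMES[token]
    return int(token)


def parse_static_nat(config):
    """Map outside TCP port -> inside host for every static PAT entry."""
    nat = {}
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            nat[int(m.group("oport"))] = m.group("inside")
    return nat


def parse_inbound_permits(config, acl):
    """Set of TCP ports that ACL <acl> permits from any source to the outside address."""
    ports = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group("acl") == acl:
            ports.add(port_number(m.group("port")))
    return ports


def audit(config, acl, expected, lan=LAN):
    """Compare NAT and ACL against the intended publications.

    Returns a list of findings; an empty list means NAT and ACL agree with
    `expected`. A wrong inside host is reported together with whether it at
    least lies inside `lan`, since such an address looks valid at a glance.
    """
    nat = parse_static_nat(config)
    permitted = parse_inbound_permits(config, acl)
    findings = []
    for port, host in sorted(expected.items()):
        if port not in nat:
            findings.append(f"port {port}: no static NAT entry")
        elif nat[port] != host:
            where = "in" if ip_address(nat[port]) in lan else "outside"
            findings.append(
                f"port {port}: NAT points at {nat[port]} ({where} {lan}), expected {host}"
            )
        if port not in permitted:
            findings.append(f"port {port}: not permitted inbound by ACL {acl}")
    for port in sorted(permitted - set(expected)):
        findings.append(f"port {port}: ACL {acl} permits it but nothing is published there")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(f"{label}: {audit(cfg, '101', EXPECTED) or 'NAT and ACL consistent'}")
```

Run as a script it reports one finding for the posted lines (port 80 translated to 10.50.0.7, which is inside 10.50.0.0/22 but is not the Exchange server) and none for the corrected lines. The port-25 entry is treated the same whether it names the global address 75.148.231.177 or `interface FastEthernet0/0`, since both resolve to the same outside address here; the checker only looks at which inside host each outside port lands on.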