CBAC, ACL's, Watchguard to Cisco Nightmare

Posted on 2010-11-24
Last Modified: 2012-08-13
I purchased a cisco router for the company I am working for about two weeks back.  I have been working to learn the router as best I can but am having a real hard time, especially since I am under pressure to get it up and going sooner rather than later.  My situation is this:

Originally we owned a watchguard firewall.  I purchased a cisco router and set it up. My goal is to remove the cisco firewall and use the router for Firewall and VPN.  The first step though is setting up the acl's, which I am having a very hard time doing.  I took them from my watchguard device.  To give you an idea, here are some of the rules from the watchguard:


Protocol (Port)    From    To
FTP                Any     10.0.0.30 (FTP Server)
3389               Any     10.0.0.10 (SBS 2003 server)
3101               Any     10.0.0.10
...

I thought this was pretty straightforward on the cisco, so I created an extended ACL and applied it to the external interface.  Strangely it failed miserably.  Now the few unique things we have are that we have multiple public IP's in use and technically have a DMZ setup (for video conference units).  Below is an example outline of our setup:

x.x.x.1 /27  - Is the public IP (not really
10.0.0.1 /24 is LAN
10.0.10.1 /29 is DMZ

so here is my NAT setup:
10.0.10.3 -> x.x.x.3 = Video conference unit 1
10.0.10.4 -> x.x.x.4 = Video conference unit 1
10.0.10.5 -> x.x.x.5 = Public web server
10.0.0.10 -> x.x.x.22 = Internal SBS server needed for VPN and exchange
10.0.0.1 /24 -> x.x.x.23 = PAT overload

So for my access list I did the following:

access-list 191 permit ip any host x.x.x.3
access-list 191 permit ip any host x.x.x.4
access-list 191 permit ip any host x.x.x.5
access-list 191 permit ip any host x.x.x.23
access-list 191 permit tcp any host x.x.x.22 eq ftp
access-list 191 permit tcp any host x.x.x.22 eq ftp-data
access-list 191 permit tcp any host x.x.x.22 eq 3389
access-list 191 permit tcp any host x.x.x.22 eq 3101
access-list 191 permit tcp any host x.x.x.22 eq 8083
access-list 191 permit tcp any host x.x.x.22 eq 4125
access-list 191 permit tcp any host x.x.x.22 eq 6001
access-list 191 permit tcp any host x.x.x.22 eq 6002
access-list 191 permit tcp any host x.x.x.22 eq 6004
access-list 191 permit tcp any host x.x.x.22 eq 1723
access-list 191 permit gre any host x.x.x.22
access-list 191 permit tcp any host x.x.x.22 eq 443
access-list 191 permit tcp object-group SMTPFilter host x.x.x.22 eq 25

object-group smtpfilter is a list of hosts that do spam filtering for us.

Anyhow, I applied this to the external interface in the "in" direction.  No dice.  The access-list did not allow smtp in, no vpn in, nothing useful.  On top of that it did not allow DNS to work about 1/2 the time.

What I am essentially looking for is some explanation of how I can convert these simple rules from my watchguard and apply them to the cisco.  For some reason I am having a very hard time getting these to work.  Even a tutorial that gave examples of multiple public IP addresses with static nat and nat overload combined would be ideal.  For some reason I cannot seem to put these individual components together.

Any help is greatly appreciated.  

Thanks


Question by: Prolumina

Accepted Solution by: jfrizzell (ID: 34210714)

NAT Configuration:
-----------------------------------------------
(x.x.x.# being public)

ip nat inside source static 10.0.10.3 x.x.x.3
ip nat inside source static 10.0.10.4 x.x.x.4
ip nat inside source static 10.0.10.5 x.x.x.5
! the SBS server is 10.0.0.10 in the question (LAN), not 10.0.10.10 (DMZ)
ip nat inside source static 10.0.0.10 x.x.x.22
! substitute atm0 with your outside interface; this overloads the interface
! address (x.x.x.1). The question's design PATs to x.x.x.23 instead, which
! would use a pool: ip nat pool PATPOOL x.x.x.23 x.x.x.23 netmask 255.255.255.224
! and: ip nat inside source list PAT-TRANSLATION pool PATPOOL overload
ip nat inside source list PAT-TRANSLATION interface atm0 overload

ip access-list extended PAT-TRANSLATION
 permit ip 10.0.0.0 0.0.0.255 any

! whatever your inside interface is; the LAN is 10.0.0.1/24 per the question
int fa0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside

! the DMZ (10.0.10.1/29) must also be marked ip nat inside for the static
! translations above to apply; fa0/1 is a placeholder interface name
int fa0/1
 ip address 10.0.10.1 255.255.255.248
 ip nat inside

! whatever your outside interface is; the question gives a /27 public block
int atm0
 ip address x.x.x.1 255.255.255.224
 ip nat outside

show ip nat translations (show command)


ACL Configuration:
-----------------------------------------------

! used as the destination of the smtp entry below: the mail server's public address
object-group network SMTPFilter
 description SMTP Filter
 host x.x.x.22

! an inbound ACL on the outside interface is checked before NAT, so it must
! name the public (translated) addresses
ip access-list extended OUTSIDE-IN
 permit ip any host x.x.x.3
 permit ip any host x.x.x.4
 permit ip any host x.x.x.5
 permit ip any host x.x.x.23
 permit tcp any host x.x.x.22 eq ftp
 permit tcp any host x.x.x.22 eq ftp-data
 permit tcp any host x.x.x.22 eq 3389
 permit tcp any host x.x.x.22 eq 3101
 permit tcp any host x.x.x.22 eq 8083
 permit tcp any host x.x.x.22 eq 4125
 permit tcp any host x.x.x.22 eq 6001
 permit tcp any host x.x.x.22 eq 6002
 permit tcp any host x.x.x.22 eq 6003
 permit tcp any host x.x.x.22 eq 443
 ! static hole for DNS replies (source port 53) coming back in
 permit udp any eq domain any
 ! IPsec: ESP, IKE (500), NAT-T (4500) and 10000
 permit esp any any
 permit udp any eq 500 any eq 500
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit udp any any eq 10000
 ! PPTP control channel and GRE tunnel
 permit tcp any any eq 1723
 permit gre any any
 permit tcp any object-group SMTPFilter eq smtp
 deny ip any any

You can switch the second any to your gateway external address

int atm0 (whatever your outside interface is)
 ip access-group OUTSIDE-IN in


References:
-----------------------------
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml
http://www.cisco.com/en/US/tech/tk648/tk361/tk438/tsd_technology_support_sub-protocol_home.html

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/command/reference/objecgrp.pdf

Hope this helps,

Jeremy
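The difference between the asker's list and the accepted answer is largely a matter of return traffic: an ACL applied inbound on the outside interface is stateless, so replies to sessions that left the network only get in if some entry happens to cover them (here `permit ip any host x.x.x.23` for the PAT address and `permit udp any eq domain any` for DNS), while CBAC-style inspection admits a reply because the matching request was seen going out. The following is an added example, not code from the thread or from Cisco: a small Python model of a first-match extended ACL evaluator next to a toy inspection session table. The 203.0.113.0/27 public block, the 198.51.100.0/24 remote hosts, the `SMTPFilter` group membership and the sample packets are all constructed.

```python
# Added example, not from the original thread: a first-match model of a Cisco-style
# extended ACL applied inbound on the outside interface, next to a toy CBAC-style
# session table that admits the replies to sessions it saw leave. Addresses
# (203.0.113.0/27 public, 198.51.100.0/24 remote) and the packets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PORT_NAMES = {"ftp": 21, "ftp-data": 20, "smtp": 25, "domain": 53,
              "isakmp": 500, "non500-isakmp": 4500}
ANY = [ip_network("0.0.0.0/0")]

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp", "gre", "esp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_ace(line, groups=None):
    """Parse '[seq] permit|deny PROTO SRC [eq PORT] DST [eq PORT]' into a tuple.
    SRC/DST is 'any', 'host A.B.C.D', 'A.B.C.D WILDCARD' or 'object-group NAME'."""
    groups = groups or {}
    toks = line.split()
    if toks[0].isdigit():                    # optional IOS sequence number
        toks = toks[1:]
    action, proto, rest = toks[0], toks[1], toks[2:]

    def take_addr(ts):
        if ts[0] == "any":
            return ANY, ts[1:]
        if ts[0] == "host":
            return [ip_network(ts[1] + "/32")], ts[2:]
        if ts[0] == "object-group":
            return [ip_network(h) for h in groups[ts[1]]], ts[2:]
        # IOS wildcard mask is an inverted netmask; contiguous masks only here
        prefix = 32 - int(ip_address(ts[1])).bit_length()
        return [ip_network((ts[0], prefix), strict=False)], ts[2:]

    def take_port(ts):
        if ts and ts[0] == "eq":
            return _port(ts[1]), ts[2:]
        return None, ts

    src, rest = take_addr(rest)
    sport, rest = take_port(rest)
    dst, rest = take_addr(rest)
    dport, rest = take_port(rest)
    return action, proto, src, sport, dst, dport

def ace_matches(ace, pkt):
    action, proto, src, sport, dst, dport = ace
    return ((proto == "ip" or proto == pkt.proto)
            and any(ip_address(pkt.src) in n for n in src)
            and any(ip_address(pkt.dst) in n for n in dst)
            and (sport is None or sport == pkt.sport)
            and (dport is None or dport == pkt.dport))

def evaluate_acl(acl_lines, pkt, groups=None):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line, groups)
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"

class Inspector:
    """Toy stateful inspection: an outbound packet records its session so the
    matching reply is admitted without a static hole in the inbound ACL."""
    def __init__(self):
        self.sessions = set()

    def outbound(self, pkt):
        # store the 5-tuple in the reply's orientation
        self.sessions.add((pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport))

    def inbound(self, acl_lines, pkt, groups=None):
        if (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport) in self.sessions:
            return "permit"                  # return traffic of a known session
        return evaluate_acl(acl_lines, pkt, groups)

# The asker's outside-in entries, x.x.x replaced by the constructed 203.0.113 prefix
ASKER_ACL = [
    "permit ip any host 203.0.113.3",
    "permit ip any host 203.0.113.4",
    "permit ip any host 203.0.113.5",
    "permit ip any host 203.0.113.23",
    "permit tcp any host 203.0.113.22 eq 3389",
    "permit tcp any host 203.0.113.22 eq 1723",
    "permit gre any host 203.0.113.22",
    "permit tcp object-group SMTPFilter host 203.0.113.22 eq 25",
]
GROUPS = {"SMTPFilter": ["198.51.100.10/32"]}   # constructed spam-filter host

def demo():
    rdp = Packet("tcp", "198.51.100.7", "203.0.113.22", 51000, 3389)
    # DNS reply to a query the router itself sent from its outside address
    reply_to_router = Packet("udp", "198.51.100.53", "203.0.113.1", 53, 40000)
    # DNS reply to a PAT'd LAN client: it lands on the overload address
    reply_to_pat = Packet("udp", "198.51.100.53", "203.0.113.23", 53, 40001)
    insp = Inspector()
    insp.outbound(Packet("udp", "203.0.113.1", "198.51.100.53", 40000, 53))
    with_hole = ASKER_ACL + ["permit udp any eq domain any"]   # the answer's entry
    return {
        "rdp": evaluate_acl(ASKER_ACL, rdp, GROUPS),
        "router_dns_stateless": evaluate_acl(ASKER_ACL, reply_to_router, GROUPS),
        "router_dns_inspected": insp.inbound(ASKER_ACL, reply_to_router, GROUPS),
        "pat_dns_stateless": evaluate_acl(ASKER_ACL, reply_to_pat, GROUPS),
        "router_dns_with_hole": evaluate_acl(with_hole, reply_to_router, GROUPS),
        "smtp_from_stranger": evaluate_acl(
            ASKER_ACL, Packet("tcp", "198.51.100.99", "203.0.113.22", 5000, 25), GROUPS),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The run shows the mechanism rather than diagnosing the asker's DNS problem: a reply addressed to the PAT address passes only because `permit ip any host 203.0.113.23` admits all traffic to it, a reply to the router's own address hits the implicit deny under the stateless list and passes under inspection, and the answer's `permit udp any eq domain any` admits any UDP datagram whose source port is 53 regardless of whether anyone asked. On IOS the stateful equivalent is `ip inspect` (CBAC) applied to the outside interface, which is what the title of the thread refers to.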

Author Comment by: Prolumina (ID: 34210805)
I appreciate that.  It has made an incredible difference; literally just copying most of what you wrote in the access-list worked beautifully.  Still having issues with VPN, but I have the feeling that it is a Windows issue, not an ACL issue.

I am going to read through the material you posted.  Thank you for the help!