Solved

CBAC, ACL's, Watchguard to Cisco Nightmare

Posted on 2010-11-24
959 Views
Last Modified: 2012-08-13
I purchased a Cisco router for the company I am working for about two weeks back.  I have been working to learn the router as best I can but am having a real hard time, especially since I am under pressure to get it up and going sooner rather than later.  My situation is this:

Originally we owned a Watchguard firewall.  I purchased a Cisco router and set it up. My goal is to remove the Cisco firewall and use the router for firewall and VPN.  The first step though is setting up the ACLs, which I am having a very hard time doing.  I took them from my Watchguard device.  To give you an idea, here are some of the rules from the Watchguard:


Protocol (Port)    From    To
FTP                Any     10.0.0.30 (FTP Server)
3389               Any     10.0.0.10 (SBS 2003 server)
3101               Any     10.0.0.10
...

I thought this was pretty straightforward on the Cisco, so I created an extended ACL and applied it to the external interface.  Strangely, it failed miserably.  Now, the few unique things we have are that we have multiple public IPs in use and technically have a DMZ set up (for video conference units).  Below is an example outline of our setup:

x.x.x.1 /27  - Is the public IP (not really
10.0.0.1 /24 is LAN
10.0.10.1 /29 is DMZ

so here is my NAT setup:
10.0.10.3 -> x.x.x.3 = Video conference unit 1
10.0.10.4 -> x.x.x.4 = Video conference unit 1
10.0.10.5 -> x.x.x.5 = Public web server
10.0.0.10 -> x.x.x.22 = Internal SBS server needed for VPN and exchange
10.0.0.1 /24 -> x.x.x.23 = PAT overload

So for my access list I did the following:

access-list 191 permit ip any host x.x.x.3
access-list 191 permit ip any host x.x.x.4
access-list 191 permit ip any host x.x.x.5
access-list 191 permit ip any host x.x.x.23
access-list 191 permit tcp any host x.x.x.22 eq ftp
access-list 191 permit tcp any host x.x.x.22 eq ftp-data
access-list 191 permit tcp any host x.x.x.22 eq 3389
access-list 191 permit tcp any host x.x.x.22 eq 3101
access-list 191 permit tcp any host x.x.x.22 eq 8083
access-list 191 permit tcp any host x.x.x.22 eq 4125
access-list 191 permit tcp any host x.x.x.22 eq 6001
access-list 191 permit tcp any host x.x.x.22 eq 6002
access-list 191 permit tcp any host x.x.x.22 eq 6004
access-list 191 permit tcp any host x.x.x.22 eq 1723
access-list 191 permit gre any host x.x.x.22
access-list 191 permit tcp any host x.x.x.22 eq 443
access-list 191 permit tcp object-group SMTPFilter host x.x.x.22 eq 25

object-group SMTPFilter is a list of hosts that do spam filtering for us.

Anyhow, I applied this to the external interface in the "in" direction.  No dice.  The access-list did not allow SMTP in, nor VPN in, nothing useful.  On top of that, it did not allow DNS to work about 1/2 the time.

What I am essentially looking for is some explanation of how I can convert these simple rules from my Watchguard and apply them to the Cisco.  For some reason I am having a very hard time getting these to work.  Even a tutorial that gave examples of multiple public IP addresses with static NAT and NAT overload combined would be ideal.  For some reason I cannot seem to put these individual components together.

Any help is greatly appreciated.  

Thanks


Question by: Prolumina

Accepted Solution

by: jfrizzell (earned 500 total points)
ID: 34210714
Nat Configuration:
-----------------------------------------------
(x.x.x.# being public; lines starting with "!" are comments)

ip nat inside source static 10.0.10.3 x.x.x.3
ip nat inside source static 10.0.10.4 x.x.x.4
ip nat inside source static 10.0.10.5 x.x.x.5
! the SBS server is 10.0.0.10 in the question's NAT table
ip nat inside source static 10.0.0.10 x.x.x.22
! the question PATs the LAN behind x.x.x.23, and OUTSIDE-IN below permits
! return traffic to that address, so overload to a one-address pool rather
! than to the outside interface address
ip nat pool PAT-POOL x.x.x.23 x.x.x.23 netmask 255.255.255.224
ip nat inside source list PAT-TRANSLATION pool PAT-POOL overload

ip access-list extended PAT-TRANSLATION
 permit ip 10.0.0.0 0.0.0.255 any

! whatever your inside (LAN) interface is; 10.0.0.1 /24 in the question
int fa0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside

! the DMZ (10.0.10.1 /29 in the question) holds the statically translated
! hosts, so it must be "ip nat inside" as well; fa0/1 is a placeholder name
int fa0/1
 ip address 10.0.10.1 255.255.255.248
 ip nat inside

! whatever your outside interface is; the question's public block is a /27
int atm0
 ip address x.x.x.1 255.255.255.224
 ip nat outside

show ip nat translations (show command)


ACL Configuration:
-----------------------------------------------

object-group network SMTPFilter
 description SMTP Filter
 host x.x.x.22

ip access-list extended OUTSIDE-IN
 permit ip any host x.x.x.3
 permit ip any host x.x.x.4
 permit ip any host x.x.x.5
 permit ip any host x.x.x.23
 permit tcp any host x.x.x.22 eq ftp
 permit tcp any host x.x.x.22 eq ftp-data
 permit tcp any host x.x.x.22 eq 3389
 permit tcp any host x.x.x.22 eq 3101
 permit tcp any host x.x.x.22 eq 8083
 permit tcp any host x.x.x.22 eq 4125
 permit tcp any host x.x.x.22 eq 6001
 permit tcp any host x.x.x.22 eq 6002
 ! 6004, as in the question's port list
 permit tcp any host x.x.x.22 eq 6004
 permit tcp any host x.x.x.22 eq 443
 permit udp any eq domain any
 permit esp any any
 permit udp any eq 500 any eq 500
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit udp any any eq 10000
 permit tcp any any eq 1723
 permit gre any any
 permit tcp any object-group SMTPFilter eq smtp
 deny ip any any

You can switch the second any to your gateway external address

! whatever your outside interface is; on an IOS router the interface
! command is "ip access-group", not "access-group"
int atm0
 ip access-group OUTSIDE-IN in


References:
-----------------------------
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml
http://www.cisco.com/en/US/tech/tk648/tk361/tk438/tsd_technology_support_sub-protocol_home.html

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/command/reference/objecgrp.pdf

Hope this helps,

Jeremy
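The conversion the question asks for, as an added example written for this page (it is not code from the question, from the accepted answer, or from Cisco): a small script that turns the Watchguard-style "Protocol (Port) / From / To" table into IOS extended ACL lines for the outside interface, inbound direction, driven by the NAT table from the question. It assumes a constructed 203.0.113.0/27 block standing in for x.x.x.0/27, the object-group name SMTPFilter from the question, and Watchguard service names FTP, PPTP and SMTP as they appear in the sample table. The point it encodes is that an ACL applied inbound on the outside interface is evaluated before NAT rewrites the destination, so every destination must be the public (static NAT) address; a host with no static mapping (10.0.0.30 in the question's FTP rule does not appear in its NAT table) cannot be exposed by an ACL line at all, and the script reports it instead of emitting a line that can never match. It also keeps the question's original SMTP source restriction via the object-group, and private_addresses() is the check to run over any hand-written outside-in ACL.

```python
"""Convert Watchguard-style rules into Cisco IOS outside-in ACL lines.

Added example for this page, not code from the question or the answer.
All addresses are constructed: 203.0.113.0/27 stands in for x.x.x.0/27.
"""
import ipaddress
import re

PUBLIC_NET = ipaddress.ip_network("203.0.113.0/27")

# Static NAT, private -> public, mirroring the question's table (public side
# substituted).  A host that is not listed here is not reachable from outside.
STATIC_NAT = {
    "10.0.10.3": "203.0.113.3",   # video conference unit
    "10.0.10.4": "203.0.113.4",   # video conference unit
    "10.0.10.5": "203.0.113.5",   # public web server
    "10.0.0.10": "203.0.113.22",  # SBS 2003 server
}
PAT_PUBLIC = "203.0.113.23"       # overload address for the 10.0.0.0/24 LAN

# Watchguard service names expanded to (ip-protocol, port) pairs; port None
# means a protocol without ports (GRE).  A bare number is treated as TCP.
SERVICES = {
    "FTP": [("tcp", "ftp"), ("tcp", "ftp-data")],
    "PPTP": [("tcp", "1723"), ("gre", None)],
    "SMTP": [("tcp", "smtp")],
}


def expand_service(spec):
    spec = spec.strip()
    if spec.upper() in SERVICES:
        return SERVICES[spec.upper()]
    if spec.isdigit():
        return [("tcp", spec)]
    raise ValueError(f"unknown service {spec!r}")


def source_token(src):
    # 'Any' becomes the ACL keyword; any other value is assumed to be the name
    # of an IOS object-group holding the permitted source hosts.
    return "any" if src.strip().lower() == "any" else f"object-group {src.strip()}"


def public_for(private_ip):
    # An inbound ACL on the outside interface sees packets before NAT, so the
    # rule must name the public address of the static translation, never 10.x.
    if private_ip not in STATIC_NAT:
        raise ValueError(f"{private_ip} has no static NAT entry")
    return STATIC_NAT[private_ip]


def rule_to_acl(rule):
    spec, src, dst = rule
    pub = public_for(dst)
    lines = []
    for proto, port in expand_service(spec):
        line = f" permit {proto} {source_token(src)} host {pub}"
        if port is not None:
            line += f" eq {port}"
        lines.append(line)
    return lines


def build_outside_in_acl(rules, name="OUTSIDE-IN"):
    """Return (acl_lines, skipped); skipped holds rules whose destination has
    no public address and therefore cannot be expressed in this ACL."""
    lines = [f"ip access-list extended {name}"]
    skipped = []
    for rule in rules:
        try:
            lines.extend(rule_to_acl(rule))
        except ValueError as exc:
            skipped.append((rule, str(exc)))
    # Replies to sessions opened by the PAT'd LAN arrive addressed to the
    # overload address; both the question and the answer permit it wholesale.
    lines.append(f" permit ip any host {PAT_PUBLIC}")
    lines.append(" deny ip any any")
    return lines, skipped


def private_addresses(acl_lines):
    """Lines of an outside-in ACL that name a host outside the public block:
    the usual sign that a LAN address was copied straight from the firewall."""
    hits = []
    for line in acl_lines:
        for addr in re.findall(r"host (\d+\.\d+\.\d+\.\d+)", line):
            if ipaddress.ip_address(addr) not in PUBLIC_NET:
                hits.append(line)
                break
    return hits


# Constructed rule table mirroring the question's Watchguard excerpt.
RULES = [
    ("FTP", "Any", "10.0.0.30"),           # not in the question's NAT table
    ("3389", "Any", "10.0.0.10"),
    ("3101", "Any", "10.0.0.10"),
    ("443", "Any", "10.0.0.10"),
    ("PPTP", "Any", "10.0.0.10"),
    ("SMTP", "SMTPFilter", "10.0.0.10"),   # keep the spam-filter source restriction
]

if __name__ == "__main__":
    acl, skipped = build_outside_in_acl(RULES)
    print("\n".join(acl))
    for rule, why in skipped:
        print(f"! skipped {rule}: {why}")
    print("! private addresses in ACL:", private_addresses(acl))
```

Running it prints the OUTSIDE-IN list with every destination rewritten to the 203.0.113.x address, reports the FTP rule as skipped because 10.0.0.30 has no static mapping, and shows an empty result from private_addresses(); feeding that check a line such as " permit tcp any host 10.0.0.10 eq 3389" flags it.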
Author Comment

by:Prolumina
ID: 34210805
I appreciate that.  It has made an incredible difference; literally just copying most of what you wrote in the access-list worked beautifully.  Still having issues with VPN, but I have the feeling that it is a Windows issue, not an ACL issue.

I am going to read through the material you posted.  Thank you for the help!