Still having issues with my new Cisco router setup. Here is the scenario: prior to the Cisco router we were using a WatchGuard firewall for our network security. After we got our Cisco router I decided to set up our network properly. This entailed creating a DMZ for our publicly available servers and video conference units. I have attached an image comparing our old network to our new network.
Here is our setup on the Cisco router. Basically we have two interfaces on the router: GigabitEthernet0/0 (G0/0) and GigabitEthernet0/1 (G0/1). Now interface G0/0 is our public interface. It has the following IP addresses associated with it:
x.x.x.3 - Secondary
x.x.x.4 - Secondary
x.x.x.5 - Secondary
x.x.x.23 - Secondary
Now on the second interface I created two sub interfaces. One for the LAN (VLAN ID 1) and the other for the DMZ (VLAN ID 2). The subinterfaces are configured like so:
ip address 10.0.0.1 255.255.255.0
ip address 10.0.10.1 255.255.255.248
My NAT rules are as follows:
ip nat inside source static 10.0.10.3 x.x.x.3
ip nat inside source static 10.0.10.4 x.x.x.4
ip nat inside source static 10.0.10.5 x.x.x.5
ip nat inside source static 10.0.0.10 x.x.x.22 - THIS IS SUPPOSED TO BE 10.0.0.10
ip nat pool ovrldIP x.x.x.23 x.x.x.23 netmask 255.255.255.224
ip nat inside source list 1 pool ovrldIP overload
access-list 1 permit 10.0.0.0 0.0.0.255
Just to explain: I have one NAT rule for a server on my LAN (10.0.0.10) so that when I access the public IP x.x.x.22 it reaches the server on the LAN. However, I also have NAT/PAT set up for the public IP x.x.x.23. Not sure if that is bad or not. I think it is the right thing to do but am not 100% sure.
Now finally for my question. After some help I created this access-list:
ip access-list extended externalIN
permit ip any host x.x.x.3
permit ip any host x.x.x.4
permit ip any host x.x.x.5
permit ip any host x.x.x.23
permit tcp any host x.x.x.22 eq telnet
permit tcp any host x.x.x.22 eq ftp
permit tcp any host x.x.x.22 eq ftp-data
permit tcp any host x.x.x.22 eq 3389
permit tcp any host x.x.x.22 eq 3101
permit tcp any host x.x.x.22 eq 8083
permit tcp any host x.x.x.22 eq 4125
permit tcp any host x.x.x.22 eq 444
permit tcp any host x.x.x.22 eq 6001
permit tcp any host x.x.x.22 eq 6002
permit tcp any host x.x.x.22 eq 6004
permit tcp any host x.x.x.22 eq 443
permit tcp any host x.x.x.22 eq 389
permit tcp any host x.x.x.22 eq 636
permit udp any any eq domain
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq 10000
permit tcp any any eq 1723
permit gre any any
permit tcp object-group SMTPFilter host x.x.x.22 eq smtp
The object group SMTPFilter is a list of hosts and networks that act as our spam filter. Therefore we can only receive SMTP traffic from specific hosts/networks. Now I applied this ACL like so:
ip access-group externalIN in
Now this worked, partially. I was elated that I was able to receive email, which in the past my ACLs prevented. However, strangely, I was unable to send email. Since I was not sure why, I created an ACL like the one below:
ip access-list extended externalOUT
permit ip any any
and applied it to int g0/0 in the outbound direction. This did not help. What is also annoying is that I can't use VPN either. I am wondering what is going on. I have little experience with Cisco routers. In fact this is my first time with one and I have literally only been working with it for 1.5 weeks as of now. The ACLs are a bit hard for me to grasp.
Currently I have removed the access-group externalIN from int g0/0 and it works fine. But now we are not protected, so I re-added the Firebox until I resolve this Cisco issue. Any help with what to do would be greatly appreciated. Any idea as to why I would not be able to send email out if I applied the ACL going in? When I removed the ACL I received two system emails stating that my test emails had been delayed. I sent two test emails after applying the ACL. Once I removed the ACL I was notified that they had been delayed for exactly the amount of time the ACL was applied.
Is it possible that since I have a different IP as my PAT/NAT overload ip and then I have a static IP on the same network there is a problem there? i.e.
10.0.0.1 /24 outbound uses PAT with pub ip of x.x.x.23
10.0.0.10 has static NAT of x.x.x.22
Could this be the issue?
Any help is greatly appreciated.
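The following is an added worked example, not part of the original post, that models how IOS evaluates a stateless inbound ACL like externalIN against the packets involved in sending and receiving mail. It assumes 203.0.113.22 and 203.0.113.23 (RFC 5737 documentation addresses) as stand-ins for x.x.x.22 and x.x.x.23, a constructed 198.51.100.0/24 as the SMTPFilter object-group, and only the entries relevant to the mail server (the other host/port entries behave identically). The point it shows: an inbound ACL on the outside interface is applied to the public addresses before NAT un-translation, and since externalIN only permits specific destination ports on x.x.x.22, the reply segments for connections the mail server itself opens (source port 25, destination an ephemeral port on x.x.x.22) fall through to the implicit deny. Hosts behind the PAT address are unaffected because `permit ip any host x.x.x.23` matches their replies.

```python
"""Stateless ACL evaluation model (added example; IOS semantics: first match
wins, implicit deny at the end). Addresses and the SMTPFilter range below are
constructed stand-ins for the x.x.x values in the post."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

PUB_MAIL = "203.0.113.22"   # stand-in for x.x.x.22: static NAT to LAN mail server 10.0.0.10
PUB_PAT = "203.0.113.23"    # stand-in for x.x.x.23: PAT/overload address for 10.0.0.0/24
SMTP_FILTER = [ip_network("198.51.100.0/24")]   # constructed stand-in for object-group SMTPFilter
ANY = [ip_network("0.0.0.0/0")]


def host(addr: str):
    """Equivalent of the IOS 'host a.b.c.d' keyword."""
    return [ip_network(f"{addr}/32")]


@dataclass
class Packet:
    proto: str            # "tcp", "udp", "esp", "gre"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK (or RST) bit set; this is all 'established' checks


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: List                    # networks the source must fall in
    dst: List
    dport: Optional[int] = None  # None means any destination port
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not any(ip_address(p.src) in n for n in self.src):
            return False
        if not any(ip_address(p.dst) in n for n in self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not p.ack:
            return False
        return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """Walk the list top-down; the first matching entry decides, else deny."""
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"


# Mail-relevant subset of the externalIN list from the post
EXTERNAL_IN = [
    Entry("permit", "ip", ANY, host(PUB_PAT)),
    Entry("permit", "tcp", ANY, host(PUB_MAIL), 443),
    Entry("permit", "tcp", SMTP_FILTER, host(PUB_MAIL), 25),
]

# Same list plus one stateless fix: replies to connections the mail server
# opened itself (ACK/RST set) are permitted regardless of destination port.
EXTERNAL_IN_FIXED = EXTERNAL_IN + [
    Entry("permit", "tcp", ANY, host(PUB_MAIL), None, established=True),
]

# Constructed packets as seen on the outside interface (public addresses)
INBOUND_FROM_FILTER = Packet("tcp", "198.51.100.7", PUB_MAIL, 40001, 25)             # spam filter delivering mail
INBOUND_FROM_STRANGER = Packet("tcp", "192.0.2.99", PUB_MAIL, 40002, 25)             # direct SMTP, not via filter
REPLY_TO_OUTBOUND_SMTP = Packet("tcp", "192.0.2.25", PUB_MAIL, 25, 51234, ack=True)  # remote MX answering us
REPLY_TO_PAT_HOST = Packet("tcp", "192.0.2.80", PUB_PAT, 443, 52000, ack=True)       # web reply to a LAN PC

if __name__ == "__main__":
    for name, pkt in [("inbound from filter", INBOUND_FROM_FILTER),
                      ("inbound from stranger", INBOUND_FROM_STRANGER),
                      ("reply to our outbound SMTP", REPLY_TO_OUTBOUND_SMTP),
                      ("reply to PAT host", REPLY_TO_PAT_HOST)]:
        print(f"{name:28s} original={evaluate(EXTERNAL_IN, pkt):6s} fixed={evaluate(EXTERNAL_IN_FIXED, pkt)}")
```

The `established` entry only checks TCP flags, so it does not make the router stateful; on IOS the proper fix is to let the router track outbound sessions (CBAC `ip inspect` or the zone-based firewall) so that only genuine return traffic for the static-NAT host is opened, while unsolicited SYNs to port 25 from hosts outside SMTPFilter remain denied, as the model shows for both lists.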