Configuration Error Cisco 2911 Basic Setup - Access Lists and Default Routes

Posted on 2013-06-10
Last Modified: 2013-06-11
Group,
I have been tasked with configuring a 2911 router, which I am not familiar with. I am attempting a basic setup but have hit a wall, I believe with the access lists not permitting any traffic out from the LAN to the WAN. Relevant information:
Outside IP block is 97.76.78.218-222
Gateway 97.76.78.217
Inside 192.168.10.1 /27
Gi0/0 outside interface
Gi0/1 inside interface
I have the outside IP of .218 programmed on Gi0/0. How would I add the rest of the block (.219-.222) so I can assign servers using the same ports, i.e.
192.168.10.2  80 & 443 --> 97.76.78.218 80 & 443
192.168.10.3  80 & 443 --> 97.76.78.219 80 & 443

Current config:
Jun 11 00:04:02.651: %SYS-5-CONFIG_I: Configured from console by console[OK]
pl-gw1-tpa#show config
Using 4288 out of 262136 bytes
!
! Last configuration change at 00:04:02 UTC Tue Jun 11 2013
! NVRAM config last updated at 00:04:03 UTC Tue Jun 11 2013
! NVRAM config last updated at 00:04:03 UTC Tue Jun 11 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname pl-gw1-tpa
!
boot-start-marker
boot-end-marker
!
!
logging buffered 12800
enable secret 4 M4/83XEPziebLWoqPYvSFIxAIqClhSEn0bBV5dla8nU
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
ip dhcp pool LAN_Pool
 network 192.168.10.0 255.255.255.224
 default-router 192.168.10.1
 domain-name platautofinance.com
 dns-server 208.67.220.220 208.67.222.222
 lease 0 8
!
!
no ip domain lookup
ip inspect alert-off
ip inspect max-incomplete low 500
ip inspect max-incomplete high 3000
ip inspect one-minute high 2000
ip inspect one-minute low 800
ip inspect tcp max-incomplete host 800 block-time 0
ip inspect tcp reassembly queue length 1024
ip inspect name INET_STATE-FW icmp
ip inspect name INET_STATE-FW dns
ip inspect name INET_STATE-FW ftp
ip inspect name INET_STATE-FW ntp
ip inspect name INET_STATE-FW tftp
ip inspect name INET_STATE-FW pptp
ip inspect name INET_STATE-FW echo
ip inspect name INET_STATE-FW udp
ip inspect name INET_STATE-FW tcp
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3265635853
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3265635853
 revocation-check none
 rsakeypair TP-self-signed-3265635853
!
!
crypto pki certificate chain TP-self-signed-3265635853
 certificate self-signed 01 nvram:IOS-Self-Sig#4.cer
license udi pid CISCO2911/K9 sn FGL162410ZE
license boot module c2900 technology-package securityk9
!
!
username cisco password 7 062B0C225942051610054B585E54
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description INTERNET_UPLINK
 ip address 97.76.78.218 255.255.255.248
 ip access-group INTERNET_IN in
 ip access-group BLOCK_PRIV_ADDRS out
 ip nat outside
 ip inspect INET_STATE-FW out
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.10.1 255.255.255.224
 ip nat inside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 load-interval 30
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source route-map RMAP-NAT interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 97.76.78.217 name DEFAULT_ROUTE
ip route 10.0.0.0 255.0.0.0 Null0 name DENY_RFC1918
ip route 172.16.0.0 255.240.0.0 Null0 name DENY_RFC1918
ip route 192.168.0.0 255.255.0.0 Null0 name DENY_RFC1918
!
ip access-list extended BLOCK_PRIV_ADDRS
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
ip access-list extended INTERNET_IN
 remark *** Allowed Traffic ***
 remark *** Deny Traffic Not Permited By IOS Stateful-Firewall ***
 deny   ip any any
ip access-list extended MGMT
 permit ip 0.0.0.24 255.255.255.224 any
 deny   ip any any
ip access-list extended NAT_ACL
 deny   ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
 deny   ip any any
!
!
!
!
!
route-map RMAP-NAT permit 10
 match ip address NAT_ACL
!
!
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 60 0
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class MGMT in
 exec-timeout 30 0
 privilege level 15
 logging synchronous
 transport input telnet ssh
 transport output telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
 transport output telnet ssh
!
scheduler allocate 20000 1000
end
Question by:Ross Mccullough
Expert Comment

by:Sandeep Gupta
There is a problem in your NAT ACL.
Do it like this; this will allow your LAN block out to the internet. Remember an ACL is explicit deny, so there is no need to put so many deny statements.

ip access-list extended NAT_ACL
 permit ip 192.168.0.0 0.0.0.255 any

Since you want to open some specific ports, you can do it like this:

ip access-list extended NAT_ACL
 permit tcp host 192.168.10.2 eq www 443 host 97.76.78.218 eq www 443
 permit tcp host 192.168.10.3 eq www 443 host 97.76.78.219 eq www 443
 permit ip 192.168.0.0 0.0.0.255 any
Author Comment

by:Ross Mccullough
Guptasan,
Thanks so much for the post and your feedback. I have made the following modification to the ACL, but I still cannot get clients to access the Internet. What I have found is this:

ip access-list extended NAT_ACL now reads:
permit ip host 192.168.10.0 any

Clients receive an IP address OK inside the correct netmask.
Clients can ping the LAN gateway at 192.168.10.1.
Clients can ping the outside router interface at 97.76.78.218.
Clients CANNOT ping the gateway at 97.76.78.217.

I suspect perhaps the access-list BLOCK_PRIV_ADDRS being applied to Gi0/0 out is to blame? Thank you again for your input!
Assisted Solution

by:Sandeep Gupta
Sandeep Gupta earned 400 total points
Very truly, I will not agree with your ACL configs...

So do this:

Remove

ip access-list extended BLOCK_PRIV_ADDRS
ip access-list extended INTERNET_IN

Where are you using the MGMT one?


Since you are doing 'ip nat inside', you are already filtering IPs via NAT_ACL, thus there is no need to put multiple ACLs on the same interface.

Author Comment

by:Ross Mccullough
Guptasan,
We are making progress: from the Internet I can ping the router's outside interface at .218.
Clients can ping the outside IP at .218 and the gateway at .217.
Clients cannot ping anything past the gateway. I think maybe it could be the following:
DEFAULT_ROUTE is .217, which is the gateway; should it be .218, the outside Gi0/0 address?
Overload on Gi0/0 not configured with a pool?
ip route 192.168.0.0 255.255.0.0 Null0 name DENY_RFC1918 routing traffic to the null interface?
Accepted Solution

by:Sandeep Gupta
Sandeep Gupta earned 400 total points
Yes. Please remove any static routes for now and put only the default:

ip route 0.0.0.0 0.0.0.0 <<internet gateway IP>>

Check that you are reaching the internet:

ping 8.8.8.8

ping 8.8.8.8 so <<LAN interface>>

If there is still a problem, then check whether your internet link is activated for internet.

Connect the link directly to a laptop and try www.google.com.

Author Comment

by:Ross Mccullough
Guptasan,
I removed the lists and was able to get the interface working by isolating one further mistake. In my NAT_ACL list I had the action of permitting the network 192.168.10.0 but had wildcard mask bits of 0 (must match); after changing them to mask bits of 1 (don't care) it worked fine. So...

permit NAT_ACL 192.168.10.0/255.255.255.255  any instead of 192.168.10.0/0.0.0.0

THANK YOU!!
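The thread turns on Cisco wildcard-mask semantics in the NAT ACL, so here is an added example (not from the original thread or from Cisco) that evaluates the NAT_ACL variants posted above against sample LAN hosts: the running config's 192.168.0.0 0.0.0.255, the "host 192.168.10.0" variant, the final all-ones wildcard, and, as my own assumption of the intended fix, 192.168.10.0 0.0.0.31 for the /27 LAN.

```python
import ipaddress


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(address, network, wildcard):
    """Cisco wildcard semantics: a 0 bit means 'must match', a 1 bit means
    'don't care' (the inverse of a subnet mask)."""
    care_mask = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(address) & care_mask) == (_to_int(network) & care_mask)


def evaluate_acl(acl, src, dst):
    """Walk extended-ACL entries in order; first match wins.
    Each entry is (action, src_net, src_wildcard, dst_net, dst_wildcard).
    Returns (action, index), or ('deny', None) for the implicit deny."""
    for i, (action, snet, swc, dnet, dwc) in enumerate(acl):
        if wildcard_matches(src, snet, swc) and wildcard_matches(dst, dnet, dwc):
            return action, i
    return "deny", None


ANY = ("0.0.0.0", "255.255.255.255")

# ACL variants constructed from the lines posted in the thread.
ORIGINAL_NAT_ACL = [  # running config: covers 192.168.0.0-192.168.0.255 only
    ("deny", "192.168.0.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
    ("permit", "192.168.0.0", "0.0.0.255", *ANY),
]
HOST_VARIANT = [("permit", "192.168.10.0", "0.0.0.0", *ANY)]  # one host only
ANY_VARIANT = [("permit", "192.168.10.0", "255.255.255.255", *ANY)]  # every source
# Assumption: the mask that matches the /27 LAN and nothing else.
CORRECT_LAN_ACL = [("permit", "192.168.10.0", "0.0.0.31", *ANY)]


def lan_client_is_natted(acl, client="192.168.10.5", dst="8.8.8.8"):
    """True if the route-map's NAT_ACL would select this client for NAT."""
    return evaluate_acl(acl, client, dst)[0] == "permit"


if __name__ == "__main__":
    for name, acl in [("original", ORIGINAL_NAT_ACL), ("host", HOST_VARIANT),
                      ("any", ANY_VARIANT), ("/27", CORRECT_LAN_ACL)]:
        print(name, lan_client_is_natted(acl), lan_client_is_natted(acl, "10.1.2.3"))
```

The all-ones wildcard the thread settled on also NATs sources outside the LAN, which the /27 mask avoids.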