
1601 router with new intrusion device 1


darenw

Sep 5, 2002
I have a 1601R router that I need to pass all traffic to a new firewall/intrusion prevention device. The new firewall will be handling all internal NAT to my servers. My current setup is coming from the TSU to the router, then I am using the router to NAT any request for the mail server to the firewall and have set up the firewall to go to my mail server. I now need to be able to access the remaining servers and enable the VPN through the router. I am able to set up the NAT on the firewall to do the public IP to private IP NAT; however, I need help with the configuration of the Cisco router just to pass the information to the firewall while still protecting the router from hostile attacks.
 
What is the new firewall device you are using?
 
Secure Computing Sidewinder G2 with the latest version
 
I would first of all recommend getting rid of the 1601R and replacing it with at least a 1721. The 1600 series is end of life, and with its 10BASE-T half duplex Ethernet port it is not a very good router. The 1721 has two WIC slots and one Fast Ethernet port as well as updated IOS images and more feature sets available for it.
 
While I would love to upgrade the router unfortunately that is not going to happen anytime soon. So I am stuck using the 1601 with IOS 12. Is there any way to write a config that will allow me to pass all the traffic through to the firewall?
 
What type of internet connection do you have and how many public IP addresses do you have available?
 
Can you post the current config on the 1601?
 
We have a T1 connection with 5 public addresses.


Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router1
!
boot system flash:c1600-oy-mz.120-25.bin
enable
enable password

ip subnet-zero
ip inspect name outbound tcp
ip inspect name outbound udp
ip inspect name outbound ftp
!
!
!
interface Ethernet0
ip address XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX secondary
ip address 172.1.1.1 255.255.255.0
ip access-group 101 in
no ip unreachables
no ip directed-broadcast
ip nat inside
no cdp enable
!
interface Serial0
ip address XXX.XXX.XXX.XXX 255.255.255.248
ip access-group 110 in
no ip unreachables
no ip directed-broadcast
ip nat outside
ip inspect outbound out
no cdp enable
!
ip nat pool GLOBAL XXX.XXX.XX.XX XXX.XXX.XX.XX netmask 255.255.255
ip nat inside source list 1 pool GLOBAL overload
ip nat inside source static 172.1.1.2 XXX.XXX.XXX.187
ip nat outside source static 172.1.1.2 XXX.XXX.XXX.187 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
!
access-list 1 permit 172.1.1.0 0.0.0.255
access-list 100 permit tcp any gt 1023 host XXX.XXX.XXX.187 eq smtp
access-list 100 permit tcp any gt 1023 any eq www
access-list 100 permit tcp any gt 1023 host XXX.XXX.XXX.187 eq pop3
access-list 100 permit tcp any gt 1023 host XXX.XXX.XXX.187 eq 143
access-list 100 permit tcp any gt 1023 host XXX.XXX.XXX.187 eq 443
access-list 100 permit tcp any gt 1023 host XXX.XXX.XXX.187 eq nntp
access-list 100 permit tcp any gt 1023 any eq 7777
access-list 100 permit tcp any gt 1023 any eq 8888
access-list 100 permit tcp any gt 1023 any eq 6667
access-list 100 permit tcp any gt 1023 any eq 7000
access-list 100 deny ip any any
access-list 100 permit tcp any gt 1023 host XXX.XXX.XXX.188 eq ftp
access-list 100 permit tcp any gt 1023 host XXX.XXX.XXX.188 eq ftp-
access-list 100 permit tcp any eq ftp-data host XXX.XXX.XXX.188 gt
access-list 101 permit ip any any
access-list 101 deny ip 58.0.0.0 0.0.0.255 any
access-list 101 deny ip 60.0.0.0 0.0.0.255 any
access-list 101 deny ip 124.0.0.0 0.0.0.255 any
access-list 101 deny ip 126.0.0.0 0.0.0.255 any
access-list 101 deny ip 202.0.0.0 0.0.0.255 any
access-list 101 deny ip 210.0.0.0 0.0.0.255 any
access-list 101 deny ip 218.0.0.0 0.0.0.255 any
access-list 101 deny ip 220.0.0.0 0.0.0.255 any
access-list 101 deny ip 222.0.0.0 0.0.0.255 any
access-list 101 deny ip 169.208.0.0 0.0.0.255 any
access-list 101 deny ip 196.192.0.0 0.0.0.255 any
access-list 101 deny ip 196.23.0.0 0.0.0.255 any
access-list 101 deny ip 196.24.0.0 0.0.0.255 any
access-list 101 deny ip 196.25.0.0 0.0.0.255 any
access-list 101 deny ip 196.26.0.0 0.0.0.255 any
access-list 110 permit ip any any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 58.0.0.0 0.0.0.255 any
access-list 110 deny ip 60.0.0.0 0.0.0.255 any
access-list 110 deny ip 124.0.0.0 0.0.0.255 any
access-list 110 deny ip 126.0.0.0 0.0.0.255 any
access-list 110 deny ip 169.208.0.0 0.0.0.255 any
access-list 110 deny ip 196.23.0.0 0.0.0.255 any
access-list 110 deny ip 196.24.0.0 0.0.0.255 any
access-list 110 deny ip 196.25.0.0 0.0.0.255 any
access-list 110 deny ip 196.26.0.0 0.0.0.255 any
access-list 110 deny ip 196.192.0.0 0.0.0.255 any
access-list 110 deny ip 202.0.0.0 0.0.0.255 any
access-list 110 deny ip 210.0.0.0 0.0.0.255 any
access-list 110 deny ip 218.0.0.0 0.0.0.255 any
access-list 110 deny ip 220.0.0.0 0.0.0.255 any
access-list 110 deny ip 222.0.0.0 0.0.0.255 any
access-list 110 permit tcp 65.166.202.0 0.0.0.240 any
access-list 110 permit tcp host 216.144.7.82 any
access-list 110 deny tcp any any eq telnet
access-list 120 permit tcp any gt 1023 any eq ftp
access-list 120 permit tcp any gt 1023 any eq ftp-data
access-list 120 permit tcp any eq ftp-data any gt 1023
access-list 120 permit tcp any gt 1023 any eq telnet
access-list 120 permit tcp any gt 1023 any eq smtp
access-list 120 permit tcp any gt 1023 any eq www
access-list 120 permit tcp any gt 1023 any eq pop3
access-list 120 permit tcp any gt 1023 any eq 143
access-list 120 permit tcp any gt 1023 any eq 443
access-list 120 permit tcp any gt 1023 any eq nntp
access-list 120 permit tcp any gt 1023 any eq 7777
access-list 120 permit tcp any gt 1023 any eq 8888
access-list 120 permit tcp any gt 1023 any eq 6667
access-list 120 permit tcp any gt 1023 any eq 7000
access-list 120 permit udp any gt 1023 any eq domain
no cdp run
!
line con 0
exec-timeout 0 0
password
login
transport input none
line vty 0 4
password
login
!
end
 
As your serial is a /29, I assume there is an ISP device onsite that the serial connects to which is using the first available routable IP, and the 1601 is using the second available routable IP. Is this correct?
 
The 1601 has the first public IP, the 185 address; the serial device has a serial IP, and the router has the second serial IP. I did mistype: we do have 6 public addresses, 185-190. I just did not count the first public address since it is being used by the router.
 
I am not quite understanding this. I must not be seeing this right, because what you are saying and what I am seeing don't match. Does your serial port have your first public IP? It is listed with a .248 mask, and ISP serial addresses are typically a .252 mask. Is the X'd out address on the Ethernet port an internal network address?
 
Here is the X'd out portion of the serial port and the Ethernet port:

interface Ethernet0
ip address 205.244.13.185 255.255.255.248 secondary
ip address 172.1.1.1 255.255.255.0
ip access-group 101 in
no ip unreachables
no ip directed-broadcast
ip nat inside
no cdp enable

interface Serial0
ip address 144.223.36.50 255.255.255.252
ip access-group 110 in
no ip unreachables
no ip directed-broadcast
ip nat outside
ip inspect outbound out
no cdp enable
 
Here is what I would recommend. Configure the 1601 as a pass-through device only. See example config:

Example config:

interface Serial0
ip address 144.223.36.50 255.255.255.252
no cdp enable
!
interface Ethernet0
ip address 205.244.13.185 255.255.255.248
no cdp enable
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 144.223.36.49
!
access-list 12 permit 205.244.13.186
no cdp run
!
line con 0
line aux 0
line vty 0 4
access-class 12 in
password 7 XXXXXXXXXXXXXXX
login

You would then assign the .186 address to the sidewinder and use the .185 as the default route.
Access-list 12 will only allow telnet sessions into the 1601 router that come through the sidewinder .186 address.

Something else to consider is that you can probably eliminate the TSU by adding a WIC-1DSU-T1, connecting it to the NIU and assigning the .252 address to it.
 
You should be able to then configure the sidewinder to extend the mail server and any other server needed to the internet and also setup vpn connections to it.
 
Note:
Remember that the Ethernet port on the 1601 is 10BASE-T half duplex and may have issues with the Ethernet port on the Sidewinder. You may need to set the Sidewinder interface to speed 10 and half duplex so the ports are matched. Do a show interface ethernet0 on the Cisco to check for errors. Collisions are to be expected. There may be initial errors when setting this up. If there are errors, do a clear counters and see if they are persistent.
 
Not a problem I have the Cisco router and the Sidewinder plugged into a self adjusting switch to avoid any problems with the speed differences.
 
You should try to budget in some time to get rid of the 1601R and the TSU. You can get a used 1721 with WIC-1DSU-T1 on eBay for less than $500. On the other hand, what you have will work and it ain't broke, so why fix it. If you ever do have problems with either device, then would be the time to upgrade.
 