
Cisco 1841 nat and firewall rules 1

Status
Not open for further replies.

Cyberknox (Technical User, US), Apr 29, 2009
I have a Cisco 1841 with 12.4 IOS with the advanced IP services. I am passing traffic from internal to external without issues. I have searched for a while without a solid solution to my issue. I am sure that those who know Cisco well will spot my mistake right away, but I clearly do not know enough yet to pinpoint my error. Here is my current config...

Current configuration : 4963 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname wormwall
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable password 7 xxxxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.65.10.1 10.65.10.99
ip dhcp excluded-address 10.65.10.111 10.65.10.254
!
ip dhcp pool client1
   import all
   network 10.65.10.0 255.255.255.0
   dns-server 1.2.3.4 11.22.33.44
   default-router 10.65.10.10
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip ips deny-action ips-interface
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2718619645
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2718619645
 revocation-check none
 rsakeypair TP-self-signed-2718619645
!
!
crypto pki certificate chain TP-self-signed-2718619645
 certificate self-signed 01
  long string of #'s ....
  quit
!
!
!
!
!
!
interface FastEthernet0/0
 description WAN$ETH-WAN$$FW_OUTSIDE$
 ip address 128.2.1.4 255.255.252.0
 ip access-group 101 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description LAN$ETH-LAN$$FW_INSIDE$
 ip address 10.65.10.10 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.5
!
!
ip http server
ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static udp 10.65.10.1 8767 128.2.1.4 8767 extendable
!
ip access-list extended sdm_fastethernet0/0_in
 remark SDM_ACL Category=1
 permit icmp any host 128.2.1.4 echo-reply
!
logging trap critical
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.65.10.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 128.2.0.0 0.0.3.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any host 10.65.10.1 eq 8767 log
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.65.10.0 0.0.0.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password 7 095B1F13181713
 login
!
end

What I want to do is pass UDP traffic on port 8767 from my outside interface to internal IP 10.65.10.1 port 8767.

I have other services I would like to allow, but I will tackle them once I get this one working. If I should start over and not use SDM I am fine with using the CLI if that will be better, but since I am still learning I figured SDM would be ok as I use both CLI and it. Any insight would be greatly appreciated!
 
How do you know you are not? What does this point to? ip route 0.0.0.0 0.0.0.0 xx.xx.xx.5
 
That points to our gateway to the internet (which is another internal router to the outside world) which is working. That port is for teamspeak and if I try to connect to my 1841's outside IP it fails to connect stating it cannot see the server.
 
So there is no route statement from the outside interface to the internal IP?
 
Correct, I do not have any route other than ip route 0.0.0.0 0.0.0.0 xx.xx.xx.5 going outside. What would I need to add then, without opening up more than I need to?
 
This is a catch-all: ip route 0.0.0.0 0.0.0.0 xx.xx.xx.5. You would have to do some type of route-based policy.
 
So could I remove that line and add

ip route 10.65.10.0 0.0.0.0 xx.xx.xx.5

to get my traffic from internal out and then add another line to route what I need incoming into the 10.65.10.0 network?

e.g. 128.2.0.0 255.255.0.0 10.65.10.10?
 
Yes, but then you won't have a gateway of last resort, which would be bad. Best to do route-based policy, and no, you can't have two gateways of last resort (unless you are load balancing).
 
You make a valid point. Thanks for pointing me in the right direction! Checking out docs on it now.
 
I would like to understand this more. I started from scratch and it works without any ACLs at the moment or the IOS firewall enabled. Is the reason you are stating I need the route-based policy due to the firewall, or because of both the firewall and the ACLs?
 
This statement

access-list 100 deny ip 128.2.0.0 0.0.3.255 any

stops the static translation from happening. If you put the config back in, and do a sh access-list and look for matches on line 10 of ACL 100 and 101, you would find a match on 100 (the deny) but not 101 (the permit). You could also have done a sh ip nat trans static and found that the translation was not happening.

I will double check all of this, as I am half asleep, but that's what I see right off the top...

Burt
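Burt's suggestion to read the match counters in sh access-list can be reasoned through offline with a small simulator; this is an added example, not code from the thread. It models the order Cisco documents for outside-to-inside traffic, in which the inbound ACL on the outside interface is evaluated before the static translation, so an entry for the forwarded port has to name the global address (128.2.1.4 here); the ACL is transcribed from the posted config and the client address 203.0.113.9 is constructed.

```python
import ipaddress
# ACL entry: (action, proto, src, dst, dport or None). "ip" matches every protocol;
# addresses are "any", "host A.B.C.D" or "A.B.C.D W.X.Y.Z" (IOS wildcard, 1 bits = don't care).
def in_wildcard(addr, spec):
    if spec == "any":
        return True
    net, wild = (spec.split()[1], "0.0.0.0") if spec.startswith("host ") else spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a & ~w) == (n & ~w)

def apply_acl(acl, pkt):
    """First matching entry wins, implicit deny at the end; returns (action, line index)."""
    for i, (action, proto, src, dst, dport) in enumerate(acl):
        if proto in ("ip", pkt["proto"]) and in_wildcard(pkt["src"], src) \
                and in_wildcard(pkt["dst"], dst) and dport in (None, pkt["dport"]):
            return action, i
    return "deny", None

def acl_101(global_addr):
    """ACL 101 from the posted config (remarks dropped, the three icmp lines collapsed).
    With global_addr=True the first entry names the outside address of the static NAT."""
    return [
        ("permit", "udp", "any", "host 128.2.1.4" if global_addr else "host 10.65.10.1", 8767),
        ("permit", "icmp", "any", "any", None),
        ("deny", "ip", "10.65.10.0 0.0.0.255", "any", None),
        ("deny", "ip", "172.16.0.0 0.15.255.255", "any", None),
        ("deny", "ip", "192.168.0.0 0.0.255.255", "any", None),
        ("deny", "ip", "127.0.0.0 0.255.255.255", "any", None),
        ("deny", "ip", "host 255.255.255.255", "any", None),
        ("deny", "ip", "host 0.0.0.0", "any", None),
        ("deny", "ip", "any", "any", None),   # the "deny ip any any log" line
    ]

# ip nat inside source static udp 10.65.10.1 8767 128.2.1.4 8767, keyed by the global side
STATIC_NAT = {("udp", "128.2.1.4", 8767): ("10.65.10.1", 8767)}

def outside_to_inside(acl, pkt):
    """Cisco's documented outside->inside order: inbound ACL first, then global->local NAT."""
    action, line = apply_acl(acl, pkt)
    if action == "deny":
        return {"result": "dropped", "line": line}
    local = STATIC_NAT.get((pkt["proto"], pkt["dst"], pkt["dport"]))
    return {"result": "forwarded", "line": line, "dst": local[0] if local else pkt["dst"]}

# Constructed TeamSpeak client packet arriving on Fa0/0 (203.0.113.9 is a documentation address)
TEAMSPEAK = {"proto": "udp", "src": "203.0.113.9", "dst": "128.2.1.4", "dport": 8767}

def simulate(global_addr):
    # False: ACL 101 as posted -> dropped at line 8; True: global address -> forwarded to 10.65.10.1
    return outside_to_inside(acl_101(global_addr), TEAMSPEAK)
```

With the posted ACL the only counter that increments is the final deny line, which is exactly what sh access-list would show; with the global address in the permit entry the packet is permitted and then translated to 10.65.10.1.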
 
In other words, ACL 100 (or at least that line) should be applied inbound on the WAN interface, not the LAN interface.

Burt
 
Sadly, I should have caught that, but thank you very much. One of these days I'll get it figured out. I have added that to the ACL for my WAN interface, and now I just have to get a good working outbound ACL. I truly appreciate the help!
 
Well, the statement definitely is a good anti-spoofing idea.

Burt
 
I initially used the SDM, and that is what assigned the ACL to the internal interface. I have the config back, but I removed the ACL from my LAN interface and added what was in 100 to the WAN ACL. So if I assigned an inbound ACL to my LAN interface, would I have to mimic the inbound for it also, as in create the rules for internal access the same as I would for the WAN?
 
If you want to filter traffic going through the router, i.e. if you had different networks/VLANs, then you would put an ACL in/out on the LAN interface. If there is only one LAN, then no traffic goes through the router; all traffic on the single LAN is switched only. To filter traffic that goes to a single LAN in this case, an ACL would be placed inbound on the WAN only.
 
Alright, slowly but surely I'll get it. That makes sense and would only be logical. Anyway, thank you very much again!
 