
Cisco 3640 Router 2

Status
Not open for further replies.

3t0n1c

ISP
Aug 12, 2010
67
US
Hi,

Can please someone help me with the following:

I have a 3640 router with 4 fast eth ports on the rear.
I will be using just 2 of them for now to do routing and maybe NAT-ing.
I have a /29 block from my upstream provider and I have several servers sitting behind this. Several of them need to run services to the outside world.
In other words I need to open ports to certain machines that are being NAT-ed.
The other thing I need to do is specify which machine gets access to which external IP address (out to the Internet) that is.

For example, let's say I have 192.168.1.1 as the internal IP on the router, and then 192.168.1.2 - 192.168.1.10 are my servers.
My external subnet is 1.2.3.233 - 1.2.3.237 with default route 1.2.3.238.
Let's say I need 192.168.1.3 to go out via 1.2.3.233 and have incoming ports open on that same route and then 192.168.1.5 to go out via 1.2.3.234, etc.
Now, if I need to NAT the entire 192.168.1/24 and poke holes and do port forwarding to some of my internal servers, what's the config? Examples would be awesome, I can easily take it from there.

Also, is there a specific IOS I need to load or just use the latest one I could get my hands on? What's the best one out there for what I need to do?

What kind of throughput should I expect assuming I will be on 100Mbps full duplex?

What are the benefits of adding a flash card of say 128MB to the router? Will it improve anything for my needs?

Any help is greatly appreciated.
 
With that config, and *with* ip routing enabled, what are the results of "show ip route" and "show ip nat translation"?

Also, are you running these ping tests from your workstations, or from the router?

CCNP, CCDP
 
Quadratic,

I had resolved that issue. Now I have other more delicate ones...

I have to admit, I have learned a lot about Cisco routers this past week.

Can you please explain this to me if you could so that I can get a grasp on what is going on? Examples are always great!

What's happening now is this:

I want to be able to export just specified services and ports to specific external IPs and also allow servers to offer these services out on specific external IPs also.
Moreover, I want each server to get out to the internet on specified external IPs.

I got most of it running correctly as far as specifying ports, etc. The problem I am seeing is that when I use
"ip nat inside source static 192.168.1.2 1.2.3.234" to bind that internal server to that external ip, what happens is all my server ports are exposed to the outside world on that 1.2.3.234 ip. How can I prevent that?
All the functionality is there except I don't want it to expose all my "internal server ports" via the external IP.
I just want the server (if you were to browse the internet from the server itself) to be seen as connecting from 1.2.3.234. Can that be done? I assume it can.

Also, what's the simplest, safest way to disable telnet on the external IP?

What's an easy way to block ports/services on a per-IP or per-interface basis?
How would you block, say, port 25 (preventing spam) on all or some IPs?

Thanks Q!
 
That problem can be solved by access lists, similar to the other examples, but in this case you'll also need to apply them as access groups to interfaces.

For example, if you only want the outside world to be able to talk to your web server (let's say it's a web server) with an IP of 1.2.3.234, you could do something like this, where Fa0/0 is the "outside" NAT interface:

---
Router(config)#access-list 100 permit tcp any host 1.2.3.234 eq 80
Router(config)#access-list 100 deny ip any host 1.2.3.234
Router(config)#access-list 100 permit ip any any
Router(config)#int fa0/0
Router(config-if)#ip access-group 100 in
---

And the simplest way to disable telnet is to make a tweak to that same access list. It's applied to the interface facing the outside world, so you could change the above config to something like this:

---
access-list 100 permit tcp any host 1.2.3.234 eq 80
access-list 100 deny ip any host 1.2.3.234 eq 80
access-list 100 deny tcp any any eq 23
access-list 100 permit ip any any
---

That will stop any telnet traffic on the interface it's applied to, and it will block all but port 80 for the web server access.

I should note, though, that while that is the easiest way, the more modern way would be via stateful inspection rules. The idea would be to have an access list deny almost all traffic types from the WAN interface, and create inspection rules on the inside interfaces to look for specific traffic types and permit them by adding dynamic entries to the access list facing the WAN. The idea is to allow only traffic that originates from inside the network, except in cases where externally-originated traffic is needed (which you'd add as static "permit" statements in that same WAN-side access list).

If your router does support stateful firewall inspection, that would be the recommended way to do it, but the access list method does work for this too.

CCNP, CCDP
 
Great input!

Let me work this into my config and see what happens.

Thanks so much Q !
 
In conjunction with these lines:

access-list 100 permit tcp any host 1.2.3.234 eq 80
access-list 100 deny ip any host 1.2.3.234 eq 80
access-list 100 deny tcp any any eq 23
access-list 100 permit ip any any

Where will the following line go? Should I use the same list number (100)? I know the order is very important...
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Thanks Quadratic!!!
 
That list should be its own unique number, separate from the one that controls NAT itself. You'll need to make it an extended ACL, so choose a unique number in the 100s and you'll be fine. The order I listed it in should work.

The order is important because the router checks them in order, and stops as soon as it has a match. In this case, line 2 will deny *any* traffic going to the web server, so it's important for real web traffic to be matched against the first permit line before getting denied by that second one. The order changes the meaning.

Oh, and that second line should read "deny ip any host 1.2.3.234" without the "eq" statement. I wrote that line properly in the first example. Terrible typo on my part there the second time. :/

CCNP, CCDP
 
Quadratic,

Please have a look at my ACL. It's driving me nuts.
I get no connection at all, can't ping anything on the outside :(

access-list 111 permit tcp any host 1.2.3.233 eq 25
access-list 111 permit tcp any host 1.2.3.233 eq 80
access-list 111 permit tcp any host 1.2.3.233 eq 443
access-list 111 permit tcp any host 1.2.3.233 eq 53
access-list 111 permit udp any host 1.2.3.233 eq 53
access-list 111 permit tcp any host 1.2.3.233 eq 110
access-list 111 permit tcp any host 1.2.3.233 eq 11111
access-list 111 permit tcp any host 1.2.3.234 eq 25
access-list 111 permit tcp any host 1.2.3.234 eq 53
access-list 111 permit udp any host 1.2.3.234 eq 53
access-list 111 permit tcp any host 1.2.3.234 eq 11111
access-list 111 permit tcp any host 1.2.3.235 eq 80
access-list 111 permit tcp any host 1.2.3.235 eq 443
access-list 111 permit tcp any host 1.2.3.235 eq 11111
access-list 111 permit tcp any host 1.2.3.235 eq 45555
access-list 111 permit tcp any host 1.2.3.235 eq 47777
access-list 111 deny ip any host 1.2.3.233
access-list 111 deny ip any host 1.2.3.234
access-list 111 deny ip any host 1.2.3.235
access-list 111 deny tcp any any eq 23
access-list 111 permit ip any any
 
You can't ping anything because you're denying ICMP traffic. Something like "permit icmp any any" is needed before the denials if you want WAN-side ping, or add an "eq" to just allow echoes and echo replies.

CCNP, CCDP
 
Quadratic,

I did that and now I can ping. You were correct; however, still none of my internal machines can access the internet (other than ping).

Any thoughts?

Do I still need to specifically allow something?

Thanks!
 
Code:
no ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list 1 1.1.1.236 overload
This ACE
Code:
access-list 111 deny ip any host 1.2.3.233
is denying all traffic into 1.2.3.233 other than what you are explicitly permitting in the ACEs above. You can add a "permit tcp any 1.2.3.233 established", but this will only work for TCP-based flows. The best thing to do is either what I specified above, which will use 1.2.3.236 as the source IP for all traffic not assigned in a static NAT rule, or do as Quadratic says and use the ZBF to enable stateful filtering.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
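As an added example (not code from the thread or from Cisco), the following Python evaluator applies IOS first-match ACL semantics to an excerpt of the posted list 111. It shows Quadratic's ordering point, why the ping failed until "permit icmp any any" was added, and unclerico's observation that the inbound host denies also drop the return traffic of outbound NAT sessions because a plain ACL keeps no state. The 203.0.113.x sources and the scenario labels are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# proto is "tcp", "udp" or "icmp"; dport is the destination port (0 for icmp)
Packet = namedtuple("Packet", "proto src dst dport", defaults=(0,))

def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))

def _parse_addr(tokens):
    """'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' -> (base, wildcard, tokens used)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, 1
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, 2
    return _ip(tokens[0]), _ip(tokens[1]), 2

def parse_ace(line):
    """'access-list N permit|deny PROTO SRC DST [eq PORT]' -> (action, proto, src, dst, port)."""
    t = line.split()
    s_base, s_wild, n = _parse_addr(t[4:])
    d_base, d_wild, m = _parse_addr(t[4 + n:])
    rest = t[4 + n + m:]
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return t[2], t[3], (s_base, s_wild), (d_base, d_wild), dport

def _match_addr(dotted, spec):
    base, wild = spec          # wildcard bits set to 1 are "don't care", as on IOS
    return (_ip(dotted) | wild) == (base | wild)

def evaluate(acl_lines, pkt):
    """First matching ACE decides; no match means the implicit deny at the end of the list."""
    for line in acl_lines:
        if line.startswith("!") or " remark " in line:
            continue
        action, proto, src, dst, dport = parse_ace(line)
        if proto in ("ip", pkt.proto) and _match_addr(pkt.src, src) \
           and _match_addr(pkt.dst, dst) and dport in (None, pkt.dport):
            return action, line
    return "deny", None

# Excerpt of the thread's ACL 111: one service permit, the host denies, the telnet deny, permit any.
ACL_111 = [
    "access-list 111 permit tcp any host 1.2.3.234 eq 25",
    "access-list 111 deny ip any host 1.2.3.233",
    "access-list 111 deny ip any host 1.2.3.234",
    "access-list 111 deny tcp any any eq 23",
    "access-list 111 permit ip any any",
]

def thread_scenarios(acl=ACL_111):
    """Constructed sample packets (203.0.113.0/24 is documentation space) -> {label: action}."""
    cases = {
        "smtp to .234 server": Packet("tcp", "203.0.113.9", "1.2.3.234", 25),
        "rdp probe to .234 server": Packet("tcp", "203.0.113.9", "1.2.3.234", 3389),
        "ping to router .233": Packet("icmp", "203.0.113.9", "1.2.3.233"),
        "web reply to outbound NAT session": Packet("tcp", "203.0.113.80", "1.2.3.233", 54321),
        "telnet to .237": Packet("tcp", "203.0.113.9", "1.2.3.237", 23),
    }
    return {label: evaluate(acl, pkt)[0] for label, pkt in cases.items()}
```

Prepending "access-list 111 permit icmp any any" to ACL_111 flips the ping scenario to permit, while the web reply stays denied, which is exactly why stateful inspection (or the `established` keyword, for TCP only) is needed when the outside interface carries host-wide denies.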
 
unclerico, it did not make a difference.

I removed the line
ip nat inside source list 1 interface FastEthernet0/0 overload
and then added
ip nat inside source list 1 1.1.1.236 overload
Still no dice.

Let me ask you guys this:

Given my current ACL and without explicitly allowing traffic,
the line deny ip host 1.2.3.233 would block all traffic to that IP. How do I allow outbound traffic though?

What I really want is to have, say, IP 192.168.1.70 bind to 1.2.3.233, yet only export ports 25, 53, 80, etc.
Same thing with 192.168.1.112 bind to 1.2.3.234 and export only ports 25, 53, etc.
If I do a port scan I want to only be able to see the ports that I am allowing to be exported, not all the ports that are currently open on the 192.168.1.70/192.168.1.112 server for instance.

On top of that if I am on host 192.168.1.112 and I surf the web, I want it to go out through 1.2.3.234.

Like I said, I got these working partially. When one thing works, the other dies, etc.

Here's my current config and again, thank you all for your input:

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable secret 5 XXXXXXXXXXXXXXXXXXXXXX
enable password XXXXXXXXX
!
ip subnet-zero
!
!
no ip domain-lookup
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 1.2.3.233 255.255.255.248
ip access-group 111 in
ip nat outside
no ip mroute-cache
speed auto
full-duplex
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
no ip mroute-cache
speed auto
full-duplex
!
interface FastEthernet1/0
no ip address
no ip mroute-cache
shutdown
duplex auto
speed auto
!
interface FastEthernet1/1
no ip address
no ip mroute-cache
shutdown
duplex auto
speed auto
!
ip default-gateway 1.2.3.238
!
ip nat inside source list 101 interface FastEthernet0/0 overload
!ip nat inside source list 101 1.2.3.237 overload
ip nat inside source static tcp 192.168.1.70 80 1.2.3.233 80 extendable
ip nat inside source static tcp 192.168.1.70 443 1.2.3.233 443 extendable
ip nat inside source static tcp 192.168.1.70 25 1.2.3.233 25 extendable
ip nat inside source static tcp 192.168.1.70 22 1.2.3.233 11111 extendable
ip nat inside source static tcp 192.168.1.70 110 1.2.3.233 110 extendable
ip nat inside source static tcp 192.168.1.70 53 1.2.3.233 53 extendable
ip nat inside source static udp 192.168.1.70 53 1.2.3.233 53 extendable
!
ip nat inside source static tcp 192.168.1.112 22 1.2.3.234 11111 extendable
ip nat inside source static udp 192.168.1.112 53 1.2.3.234 53 extendable
ip nat inside source static tcp 192.168.1.112 53 1.2.3.234 53 extendable
ip nat inside source static tcp 192.168.1.112 25 1.2.3.234 25 extendable
!
ip nat inside source static tcp 192.168.1.113 80 1.2.3.235 80 extendable
ip nat inside source static tcp 192.168.1.113 443 1.2.3.235 443 extendable
ip nat inside source static tcp 192.168.1.113 45555 1.2.3.235 45555 extendable
ip nat inside source static tcp 192.168.1.113 47777 1.2.3.235 47777 extendable
ip nat inside source static tcp 192.168.1.113 22 1.2.3.235 11111 extendable
!
!ip nat inside source static 192.168.1.70 1.2.3.233
!ip nat inside source static 192.168.1.112 1.2.3.234
!ip nat inside source static 192.168.1.113 1.2.3.235
ip classless
ip route 0.0.0.0 0.0.0.0 1.2.3.238
no ip http server
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit tcp any host 1.2.3.233 eq 25
access-list 111 permit tcp any host 1.2.3.233 eq 80
access-list 111 permit tcp any host 1.2.3.233 eq 443
access-list 111 permit tcp any host 1.2.3.233 eq 53
access-list 111 permit udp any host 1.2.3.233 eq 53
access-list 111 permit tcp any host 1.2.3.233 eq 110
access-list 111 permit tcp any host 1.2.3.233 eq 11111
access-list 111 permit tcp any host 1.2.3.234 eq 25
access-list 111 permit tcp any host 1.2.3.234 eq 53
access-list 111 permit udp any host 1.2.3.234 eq 53
access-list 111 permit tcp any host 1.2.3.234 eq 11111
access-list 111 permit tcp any host 1.2.3.235 eq 80
access-list 111 permit tcp any host 1.2.3.235 eq 443
access-list 111 permit tcp any host 1.2.3.235 eq 11111
access-list 111 permit tcp any host 1.2.3.235 eq 45555
access-list 111 permit tcp any host 1.2.3.235 eq 47777
access-list 111 permit icmp any any
!access-list 111 deny ip any host 1.2.3.233
!access-list 111 deny ip any host 1.2.3.234
!access-list 111 deny ip any host 1.2.3.235
!access-list 111 deny ip any host 1.2.3.236
!access-list 111 deny ip any host 1.2.3.237
access-list 111 deny tcp any any eq 23
! BLOCK ILLEGAL BROADCASTS - START
access-list 111 deny ip 0.0.0.0 0.255.255.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 169.254.0.0 0.0.255.255 any
access-list 111 deny ip 172.16.0.0 15.0.255.255 any
access-list 111 deny ip 192.0.2.0 0.0.0.255 any
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 deny ip 224.0.0.0 15.255.255.255 any
access-list 111 deny ip 240.0.0.0 7.255.255.255 any
access-list 111 deny ip 248.0.0.0 7.255.255.255 any
access-list 111 deny ip 255.255.255.255 0.0.0.0 any
! BLOCK ILLEGAL BROADCASTS - END
access-list 111 permit ip any any
snmp-server community public RO
snmp-server enable traps tty
!
dial-peer cor custom
!
!
!
!
line con 0
line aux 0
line vty 0 4
password XXXXXXXXXXXXXXXXX
login
!
end
 
Do these actually exist in your ACL and you've just commented them out in the output??
Code:
!access-list 111 deny ip any host 1.2.3.233
!access-list 111 deny ip any host 1.2.3.234
!access-list 111 deny ip any host 1.2.3.235
!access-list 111 deny ip any host 1.2.3.236
!access-list 111 deny ip any host 1.2.3.237

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Correct, they are commented because otherwise I can't reach the Internet.

Thanks
 
And that makes sense, because your permit ip any any comes after those five ACEs above, which are denying all inbound traffic.
Make a backup of your current config, erase start, reload, and then cut/paste this into your router (after you substitute proper credentials for the xxxxxx in the config):
Code:
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable secret 5 XXXXXXXXXXXXXXXXXXXXXX
enable password XXXXXXXXX
!
ip subnet-zero
!
!
no ip domain-lookup
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 1.2.3.233 255.255.255.248
ip access-group 111 in
ip nat outside
no ip mroute-cache
speed auto
full-duplex
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
no ip mroute-cache
speed auto
full-duplex
!
interface FastEthernet1/0
no ip address
no ip mroute-cache
shutdown
duplex auto
speed auto
!
interface FastEthernet1/1
no ip address
no ip mroute-cache
shutdown
duplex auto
speed auto
!
ip nat inside source list 101 1.2.3.236 overload
!
ip nat inside source static 192.168.1.70 1.2.3.233
ip nat inside source static 192.168.1.112 1.2.3.234
ip nat inside source static 192.168.1.113 1.2.3.235
ip classless
ip route 0.0.0.0 0.0.0.0 1.2.3.238
no ip http server
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit tcp any host 1.2.3.233 eq 25
access-list 111 permit tcp any host 1.2.3.233 eq 80
access-list 111 permit tcp any host 1.2.3.233 eq 443
access-list 111 permit tcp any host 1.2.3.233 eq 53
access-list 111 permit udp any host 1.2.3.233 eq 53
access-list 111 permit tcp any host 1.2.3.233 eq 110
access-list 111 permit tcp any host 1.2.3.233 eq 11111
access-list 111 permit tcp any host 1.2.3.234 eq 25
access-list 111 permit tcp any host 1.2.3.234 eq 53
access-list 111 permit udp any host 1.2.3.234 eq 53
access-list 111 permit tcp any host 1.2.3.234 eq 11111
access-list 111 permit tcp any host 1.2.3.235 eq 80
access-list 111 permit tcp any host 1.2.3.235 eq 443
access-list 111 permit tcp any host 1.2.3.235 eq 11111
access-list 111 permit tcp any host 1.2.3.235 eq 45555
access-list 111 permit tcp any host 1.2.3.235 eq 47777
access-list 111 permit icmp any any
access-list 111 deny ip any host 1.2.3.233
access-list 111 deny ip any host 1.2.3.234
access-list 111 deny ip any host 1.2.3.235
access-list 111 deny tcp any any eq 23
access-list 111 remark BLOCK ILLEGAL BROADCASTS - START
access-list 111 deny ip 0.0.0.0 0.255.255.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 169.254.0.0 0.0.255.255 any
access-list 111 deny ip 172.16.0.0 15.0.255.255 any
access-list 111 deny ip 192.0.2.0 0.0.0.255 any
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 deny ip 224.0.0.0 15.255.255.255 any
access-list 111 deny ip 240.0.0.0 7.255.255.255 any
access-list 111 deny ip 248.0.0.0 7.255.255.255 any
access-list 111 deny ip 255.255.255.255 0.0.0.0 any
access-list 111 remark BLOCK ILLEGAL BROADCASTS - END
access-list 111 permit ip any any
!
snmp-server community public RO
snmp-server enable traps tty
!
dial-peer cor custom
!
!
!
!
line con 0
line aux 0
line vty 0 4
password XXXXXXXXXXXXXXXXX
login
!
end

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
unclerico, guess what?

No dice. I loaded the exact config you posted, edited my passwords in. The router rebooted and had no internet connectivity whatsoever - not even ping to the outside gateway.

All your help is much appreciated!
 
No way!!!! This should work. The IPs in the config are correct??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
It didn't work. I replaced 1.2.3 with the real octets of course. The router reloaded correctly, checked the running-config, looked good. No outbound internet access whatsoever.

Thanks though.
 
Post your nat translation table like I asked so we can get this thing fixed.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
unclerico,

I will post the translation table later on today. I don't have access to the router right now.

One thing I found odd yesterday was this line:

ip nat inside source list 101 1.2.3.236 overload
^
The router won't accept it, so no wonder it didn't work. Could it be the culprit? I believe it says the issue is at (and points to) the first octet of the IP address.

I hope this may be the issue until I can post the translation table.

Thanks for all your help.
 