
Cisco 3640 Router 2

Status
Not open for further replies.

3t0n1c (ISP, US), Aug 12, 2010
Hi,

Can please someone help me with the following:

I have a 3640 router with 4 fast eth ports on the rear.
I will be using just 2 of them for now to do routing and maybe NAT-ing.
I have a /29 block from my upstream provider and I have several servers sitting behind this. Several of them need to run services to the outside world.
In other words I need to open ports to certain machines that are being NAT-ed.
The other thing I need to do is specify which machine gets access to which external IP address (out to the Internet) that is.

For example, let's say I have 192.168.1.1 as the internal IP on the router, and then 192.168.1.2 - 192.168.1.10 are my servers.
My external subnet is 1.2.3.233 - 1.2.3.237 with default route 1.2.3.238.
Let's say I need 192.168.1.3 to go out via 1.2.3.233 and have incoming ports open on that same route, and then 192.168.1.5 to go out via 1.2.3.234, etc.
Now, if I need to NAT the entire 192.168.1/24 and poke holes and do port forwarding to some of my internal servers, what's the config? Examples would be awesome, I can easily take it from there.

Also, is there a specific IOS I need to load or just use the latest one I could get my hands on? What's the best one out there for what I need to do?

What kind of throughput should I expect assuming I will be on 100Mbps full duplex?

What are the benefits of adding a flash card of say 128MB to the router? Will it improve anything for my needs?

Any help is greatly appreciated.
 
doh!! i f-ed up. add this instead:
Code:
ip nat pool nat_pool 1.2.3.236 1.2.3.236 prefix-length 29

ip nat inside source list 1 pool nat_pool overload

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
you're going to find that getting out from 1.70, 1.112, and 1.113 won't work because the return traffic will be denied by the deny ip any 1.2.3.233/234/235 ACEs in the ACL. you could get tcp-based flows to work by adding permit tcp any 1.2.3.233/234/235 established, but udp-based flows will not work. honestly, the best thing to do would be to load a version of IOS that includes the zone-based firewall and get it set up. this will give you a fully functioning stateful firewall and will give you more flexibility in configuration. just my .02

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Great input unclerico!

I can't wait to try this out later on today.

Is there a way to find out what IOS I need in order to run zone-based firewall?

The router is currently running c3640-is-mz.122-46a
I can't upgrade to newer(larger) IOS because of flash size limitations, so if my current IOS won't cut it, I may need to upgrade my flash. Not so sure how and if I can just add an external flash card to add extra storage.
I'm not very sure how this works.

Thanks
 
i would most definitely upgrade the firmware if possible. at a minimum you'll need 64MB DRAM/16MB Flash.

One of these three IOSs is what I would recommend. The first two are in the 12.4 train and the last one is in the 12.2 train. I would definitely aim for one of the 12.4s, preferably the first one:

c3640-ik9o3s-mz.124-25c.bin/IP/FW/IDS PLUS IPSEC 3DES = 128MB DRAM/32MB Flash
c3640-io3-mz.124-25c.bin/IP/FW/IDS = 64MB DRAM/16MB Flash
c3640-ik9o3s-mz.122-46a.bin/IP/FW/IDS PLUS IPSEC 3DES = 64MB DRAM/16MB Flash

Here's a guide for upgrading the system memory and flash memory for the 3600 series routers:

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I currently have 48MB DRAM, 16MB flash internal.

Will have to upgrade, however I am not sure if an additional 20MB flash card (external) will do the trick or if I just need to have 32MB flash internally. Will it count like 16MB internal + 20MB external on slot0? I doubt it...

Either way my DRAM is also insufficient, and if I go ahead and upgrade I figured might as well go to 128/32 and max it out.

I shall take the cover off and see what I need to upgrade it.

Thanks a lot!
 
Anyone want to take a shot at what my config would look like if I were using an IOS with zone-based firewall features?

Meanwhile I am looking into upgrading the ram and flash on this unit.

Thanks

The more you learn, the more you realize how much you don't know.
 
let me ask you this; did you try the current configuration to see if it will allow you access to the internet (aside from 1.70, 1.112, 1.113)? we'll want to make sure that it works without the firewall enabled first.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I'll try to get back to this later on today and post the outcome.

Thanks

The more you learn, the more you realize how much you don't know.
 
unclerico, here's what I did:

I tried the current config as you suggested and the only machines getting access to the Internet (or rather, getting bound to the .233, .234, and .235 IP addresses) are my .70, .112, and .113 machines.
ICMP, TCP, and UDP are denied to all other hosts, both in and out from the Internet.

Let me know if you have any thoughts.

I had also looked at ip nat translations and it shows how traffic is allowed to the .70, .112, and .113 on specific ports (of course, no firewalling)... but no other Internet traffic. I can't even ping anything from the router itself either.

Any help is much appreciated.

Thanks

The more you learn, the more you realize how much you don't know.
 
Furthermore, I can access my servers .70, .112, and .113 from a different Internet connection, so things do work, just not outbound.

Thanks

The more you learn, the more you realize how much you don't know.
 
hmmm. it should work. i'll test this in my lab tonight.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks!

If you want me to I can post the exact config I used so that we're on the same page.

Nonetheless I really appreciate all your help!



The more you learn, the more you realize how much you don't know.
 
yes, please post what you've got.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Here it is. I hope this will shed some light on what is happening.

Thanks
Code:
!
! Last configuration change at 15:02:55 UTC Tue Aug 24 2010
! NVRAM config last updated at 15:09:04 UTC Tue Aug 24 2010
!
version 12.2
service timestamps debug uptime
service timestamps log datetime localtime
no service password-encryption
!
hostname Router
!
no logging console
no logging monitor
enable secret 5 XXXXX
enable password XXXXX
!
ip subnet-zero
!
!
no ip domain-lookup
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 1.2.3.233 255.255.255.248
ip access-group 111 in
ip nat outside
no ip mroute-cache
speed auto
full-duplex
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
no ip mroute-cache
speed auto
full-duplex
!
interface FastEthernet1/0
no ip address
no ip mroute-cache
shutdown
duplex auto
speed auto
!
interface FastEthernet1/1
no ip address
no ip mroute-cache
shutdown
duplex auto
speed auto
!
ip default-gateway 1.2.3.238
ip nat pool nat_pool 1.2.3.236 1.2.3.236 prefix-length 29
ip nat inside source list 1 pool nat_pool overload
ip nat inside source static 192.168.1.70 1.2.3.233
ip nat inside source static 192.168.1.112 1.2.3.234
ip nat inside source static 192.168.1.113 1.2.3.235
ip nat inside source static tcp 192.168.1.70 80 1.2.3.233 80 extendable
ip nat inside source static tcp 192.168.1.70 443 1.2.3.233 443 extendable
ip nat inside source static tcp 192.168.1.70 25 1.2.3.233 25 extendable
ip nat inside source static tcp 192.168.1.70 22 1.2.3.233 11111 extendable
ip nat inside source static tcp 192.168.1.70 110 1.2.3.233 110 extendable
ip nat inside source static tcp 192.168.1.70 53 1.2.3.233 53 extendable
ip nat inside source static udp 192.168.1.70 53 1.2.3.233 53 extendable
ip nat inside source static tcp 192.168.1.112 22 1.2.3.234 11111 extendable
ip nat inside source static udp 192.168.1.112 53 1.2.3.234 53 extendable
ip nat inside source static tcp 192.168.1.112 53 1.2.3.234 53 extendable
ip nat inside source static tcp 192.168.1.112 25 1.2.3.234 25 extendable
ip nat inside source static tcp 192.168.1.113 80 1.2.3.235 80 extendable
ip nat inside source static tcp 192.168.1.113 443 1.2.3.235 443 extendable
ip nat inside source static tcp 192.168.1.113 45555 1.2.3.235 45555 extendable
ip nat inside source static tcp 192.168.1.113 47777 1.2.3.235 47777 extendable
ip nat inside source static tcp 192.168.1.113 22 1.2.3.235 11111 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 1.2.3.238
no ip http server
!
logging trap debugging
logging 192.168.1.70
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit tcp any host 1.2.3.233 eq smtp
access-list 111 permit tcp any host 1.2.3.233 eq www
access-list 111 permit tcp any host 1.2.3.233 eq 443
access-list 111 permit tcp any host 1.2.3.233 eq domain
access-list 111 permit udp any host 1.2.3.233 eq domain
access-list 111 permit tcp any host 1.2.3.233 eq pop3
access-list 111 permit tcp any host 1.2.3.233 eq 11111
access-list 111 permit tcp any host 1.2.3.234 eq smtp
access-list 111 permit tcp any host 1.2.3.234 eq domain
access-list 111 permit udp any host 1.2.3.234 eq domain
access-list 111 permit tcp any host 1.2.3.234 eq 11111
access-list 111 permit tcp any host 1.2.3.235 eq www
access-list 111 permit tcp any host 1.2.3.235 eq 443
access-list 111 permit tcp any host 1.2.3.235 eq 11111
access-list 111 permit tcp any host 1.2.3.235 eq 45555
access-list 111 permit tcp any host 1.2.3.235 eq 47777
access-list 111 permit icmp any any log
!access-list 111 permit tcp any 1.2.3.233 established
!access-list 111 permit tcp any 1.2.3.234 established
!access-list 111 permit tcp any 1.2.3.235 established
!access-list 111 deny ip any host 1.2.3.233
!access-list 111 deny ip any host 1.2.3.234
!access-list 111 deny ip any host 1.2.3.235
access-list 111 deny tcp any any eq telnet log
access-list 111 deny ip 0.0.0.0 0.255.255.255 any log
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny ip 127.0.0.0 0.255.255.255 any log
access-list 111 deny ip 169.254.0.0 0.0.255.255 any log
access-list 111 deny ip 160.16.0.0 15.0.255.255 any log
access-list 111 deny ip 192.0.2.0 0.0.0.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny ip 224.0.0.0 15.255.255.255 any log
access-list 111 deny ip 240.0.0.0 7.255.255.255 any log
access-list 111 deny ip 248.0.0.0 7.255.255.255 any log
access-list 111 deny ip host 255.255.255.255 any log
access-list 111 permit ip any any log
snmp-server community public RO
snmp-server community CISCO-3640-01 RO
snmp-server enable traps tty
!
dial-peer cor custom
!
!
!
!
line con 0
line aux 0
line vty 0 4
password XXXXX
login
!
ntp clock-period 17180028
ntp server 4.2.2.2
end


The more you learn, the more you realize how much you don't know.
 
ok, so here's my config. you'll notice that i only have a single static nat entry (1.70) and it's because I just didn't have enough extra computers at my disposal to configure all three (1.212 and 1.213); however, the outcome would still be the same in the end.
Code:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2610-1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no network-clock-participate slot 1 
no network-clock-participate wic 0 
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool dhcp_pool
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254 
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface Serial0/1
 ip address 1.2.3.233 255.255.255.248
 ip access-group 111 in
 ip nat outside
 ip virtual-reassembly
 clock rate 128000
!
interface Serial0/2
 no ip address
 shutdown
!
interface Serial0/3
 no ip address
 shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.2.3.238
!
!
no ip http server
no ip http secure-server
ip nat pool nat_pool 1.2.3.236 1.2.3.236 prefix-length 29
ip nat inside source list 101 pool nat_pool overload
ip nat inside source static 192.168.1.70 1.2.3.233
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit tcp any host 1.2.3.233 eq www
access-list 111 permit tcp any host 1.2.3.233 eq ftp
access-list 111 permit tcp any host 1.2.3.233 eq ftp-data
access-list 111 permit icmp any any
access-list 111 deny   ip any host 1.2.3.233
access-list 111 permit ip any any
!
!
!
control-plane
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end
i was able to successfully connect from the outside to 1.2.3.233 via http and ftp. i was unable to connect from the outside to 1.2.3.233 on any other port due to the acl. i was able to access a web server on the outside from a host on the inside, but i was not able to access anything other than icmp on the outside from 1.70. here's output from my xlate table:
Code:
Pro Inside global      Inside local       Outside local      Outside global
tcp 1.2.3.236:52351    192.168.1.1:52351  13.13.13.5:80      13.13.13.5:80
tcp 1.2.3.233:21       192.168.1.70:21    13.13.13.5:3661    13.13.13.5:3661
tcp 1.2.3.233:80       192.168.1.70:80    13.13.13.5:3601    13.13.13.5:3601
icmp 1.2.3.233:512    192.168.1.70:512   13.13.13.5:512     13.13.13.5:512
--- 1.2.3.233          192.168.1.70       ---                ---

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Ok, let me run with this and see if I can reproduce the results. The only obvious difference is the IOS, which is not the same. I'm running 12.2 and you're running 12.4. It may not matter for what we're doing, but it is just something I noticed.

Thanks a lot! I will return with my findings.

The more you learn, the more you realize how much you don't know.
 
Guys,

Sorry about the absence. Been very busy.

Now, I have flash and ram on order for this unit, and will be loading new IOS once I am able to.

Sorry, did not get a chance to try that config as of yet.
I just wanted to let everyone know this is still ongoing.

Thanks for the patience and understanding.




The more you learn, the more you realize how much you don't know.
 
@unclerico: I tried your config and got similar results to yours. I guess we could try to continue to the next step if you would.

Right now the router has 96MB RAM and 24MB flash.
It will get 128/32 soon though.

What else can we do/try meanwhile?

What would that zone-based firewall config look like?
Short examples are always a great start.

Considering that I am currently running c3640-ik9o3s-mz.123-26, can I assume that zone-based firewalling should work?

Thank you

The more you learn, the more you realize how much you don't know.
 
we'll actually need to configure the ios firewall/cbac. it doesn't look like any version of ios for the 3640 supports zbf which is the newer version of the ios firewall.

taking the sample config that i posted earlier, your cbac config would look similar to this:
Code:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2610-1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no network-clock-participate slot 1 
no network-clock-participate wic 0 
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool dhcp_pool
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254
!
!
! added for CBAC: the inspection rule set
ip inspect name cbac tcp
ip inspect name cbac udp
ip inspect name cbac http
ip inspect name cbac https
ip inspect name cbac smtp
ip inspect name cbac ftp
ip inspect name cbac dns
ip inspect name cbac ntp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface Serial0/1
 ip address 1.2.3.233 255.255.255.248
 ip access-group 111 in
 ip nat outside
 ! added for CBAC: inspect outbound flows on the outside interface
 ip inspect cbac out
 ip virtual-reassembly
 clock rate 128000
!
interface Serial0/2
 no ip address
 shutdown
!
interface Serial0/3
 no ip address
 shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.2.3.238
!
!
no ip http server
no ip http secure-server
ip nat pool nat_pool 1.2.3.236 1.2.3.236 prefix-length 29
ip nat inside source list 101 pool nat_pool overload
ip nat inside source static 192.168.1.70 1.2.3.233
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit tcp any host 1.2.3.233 eq www
access-list 111 permit tcp any host 1.2.3.233 eq ftp
access-list 111 permit tcp any host 1.2.3.233 eq ftp-data
access-list 111 permit icmp any any
! added for CBAC: a final explicit deny replaces the two lines below
access-list 111 deny ip any any log
! removed: access-list 111 deny ip any host 1.2.3.233
! removed: access-list 111 permit ip any any
!
!
!
control-plane
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
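As an added example (not from the thread and not Cisco's code), the following Python model reproduces the two points unclerico makes above: with the stateless ACL 111 the replies for the static-NAT host die on the deny-host ACE, `established` rescues only TCP, and once the CBAC config ends in `deny ip any any log` it is the inspection pinholes that let any reply back in. The addresses are the thread's; the packets are constructed, and the 5-tuple session table is a simplification of what CBAC tracks.

```python
# Added example (not from the thread, not Cisco code): a toy first-match ACL
# evaluator plus a CBAC-style session table. Addresses are the thread's.
from collections import namedtuple

# ack = TCP ACK/RST bit set, which is what an "established" ACE matches.
Pkt = namedtuple("Pkt", "proto src sport dst dport ack", defaults=(False,))
# ACE = (action, proto, dst host, dst port, established); "any"/None = wildcard.
# Subset of the thread's stateless ACL 111: services on .233 permitted,
# everything else to .233 denied, all other destinations permitted.
ACL_STATELESS = [
    ("permit", "tcp", "1.2.3.233", 80, False),
    ("permit", "tcp", "1.2.3.233", 21, False),
    ("permit", "icmp", "any", None, False),
    ("deny", "any", "1.2.3.233", None, False),
    ("permit", "any", "any", None, False),
]
# "permit tcp any host 1.2.3.233 established" inserted in front of the deny.
ACL_ESTABLISHED = ACL_STATELESS[:3] + [("permit", "tcp", "1.2.3.233", None, True)] + ACL_STATELESS[3:]
# CBAC variant: the deny-host/permit-any pair replaced by "deny ip any any log".
ACL_CBAC = ACL_STATELESS[:3] + [("deny", "any", "any", None, False)]

def acl_decision(acl, pkt):
    """IOS semantics: the first matching ACE wins, implicit deny at the end."""
    for action, proto, dst, dport, established in acl:
        if proto != "any" and proto != pkt.proto:
            continue
        if dst != "any" and dst != pkt.dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        if established and not (pkt.proto == "tcp" and pkt.ack):
            continue  # "established" never matches a UDP reply
        return action
    return "deny"

class Inspector:
    """Stand-in for 'ip inspect cbac out' applied on the outside interface."""
    def __init__(self, acl):
        self.acl, self.sessions = acl, set()
    def outbound(self, pkt):
        # Inspecting an outbound packet opens a pinhole for the reply 5-tuple.
        self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
    def inbound(self, pkt):
        # A reply to an inspected session is allowed before the inbound ACL runs.
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions:
            return "permit"
        return acl_decision(self.acl, pkt)

# Constructed replies to 192.168.1.70 (static NAT to .233) and to the pool IP .236.
WEB_REPLY = Pkt("tcp", "13.13.13.5", 80, "1.2.3.233", 52351, ack=True)
DNS_REPLY = Pkt("udp", "13.13.13.5", 53, "1.2.3.233", 40000)
POOL_REPLY = Pkt("tcp", "13.13.13.5", 80, "1.2.3.236", 52351, ack=True)

def cbac_inspector():
    """Outbound web and DNS from .233 were inspected; nothing from .236 was."""
    insp = Inspector(ACL_CBAC)
    insp.outbound(Pkt("tcp", "1.2.3.233", 52351, "13.13.13.5", 80))
    insp.outbound(Pkt("udp", "1.2.3.233", 40000, "13.13.13.5", 53))
    return insp
```

With the CBAC-style ACL, a reply to the pool address is dropped unless its outbound flow was inspected too, which is why the inspection has to sit on the outside interface for all inside hosts, not just the static-NAT ones.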
Assuming that this config would indeed work on my hardware (if it's compatible with my IOS), how would I implement the use of .233, .234, and .235 for traffic both inbound and outbound?
Is it enough if I just add proper lines to do static nat and permit them in the access lists?

Basically I need machine 192.168.1.70 to go out via 1.2.3.233 both inbound and outbound.
Then, same with 192.168.1.112 via 1.2.3.234 and 192.168.1.113 via 1.2.3.235, everything else on the 192.168.1.0/24 should use let's say 1.2.3.236 for web browsing, etc.
Even simpler, if I were to group, say, 192.168.1.254 0.0.0.26 and allow them to use 1.2.3.236, that would work too.

I can get this working; however, what I hate about the 1-to-1 NAT (the way Cisco does it) is that it automatically exposes all the internal ports via the external IP that you're bound to, and you can't really filter... at least not without a zone-based firewall, it seems.
Even when you specifically say "deny" in your access-list, if you do a port scan for that specific port from the outside it still shows as "filtered" instead of really closed - hence what I would like to have happen.

Any help is always greatly appreciated!

Thank you so much!

The more you learn, the more you realize how much you don't know.
 