
Cisco 3640 Router 2

Status
Not open for further replies.

3t0n1c

ISP
Aug 12, 2010
67
US
Hi,

Can please someone help me with the following:

I have a 3640 router with 4 fast eth ports on the rear.
I will be using just 2 of them for now to do routing and maybe NAT-ing.
I have a /29 block from my upstream provider and I have several servers sitting behind this. Several of them need to run services to the outside world.
In other words I need to open ports to certain machines that are being NAT-ed.
The other thing I need to do is specify which machine gets access to which external IP address (out to the Internet) that is.

For example, let's say I have 192.168.1.1 as the internal IP on the router, and then 192.168.1.2 - 192.168.1.10 are my servers.
My external subnet is 1.2.3.233 - 1.2.3.237 with default route 1.2.3.238.
Let's say I need 192.168.1.3 to go out via 1.2.3.233 and have incoming ports open on that same route, and then 192.168.1.5 to go out via 1.2.3.234, etc.
Now, if I need to NAT the entire 192.168.1/24 and poke holes and do port forwarding to some of my internal servers, what's the config? Examples would be awesome, I can easily take it from there.

Also, is there a specific IOS I need to load or just use the latest one I could get my hands on? What's the best one out there for what I need to do?

What kind of throughput should I expect assuming I will be on 100Mbps full duplex?

What are the benefits of adding a flash card of say 128MB to the router? Will it improve anything for my needs?

Any help is greatly appreciated.
 
Is it enough if I just add proper lines to do static nat and permit them in the access lists?
yep. that should be pretty much it.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Can you please help me understand what these lines do?
Code:
ip inspect name cbac

Are these the ones that prevent my internal ports from being exposed via the external IPs unless specifically "allowed" ?

I need to grasp what everything does, then I can take it to the next step on my own...I hope :p

Thanks

The more you learn, the more you realize how much you don't know.
 
Those are stateful inspection rules. For example, "ip inspect name cbac tcp" will watch for TCP traffic on the port the inspection rule is applied to (in this case, it's watching for outbound traffic on the port facing the public network). If it sees such traffic, the router will track that session and add a dynamic "permit" statement to the inbound ACL that would otherwise deny the return traffic from the public network.

That way, traffic is denied if the outside world tries to get in, unless your inside network originated the connection. "cbac" in this case is the name of the inspection rule, but it also stands for "context-based access control". Basically you're turning the router into a stateful firewall.

CCNP, CCDP
 
Ok, I understand what cbac does, but I would have to first implement it later on tonight and see it in action. It's all a little confusing at this time.

I still don't know if there is a way to prevent my external IP from exposing internal IP's ports that it has been bonded to.
For instance, if I have 4-5 lines like this:
Code:
ip nat inside source static 192.168.1.70 1.2.3.233
do static NAT to specific machines, and let's say machine 192.168.1.70 runs www, smtp, and mysql services but I only want to allow port 80 and port 25 to be accessible via 1.2.3.233. The above line exposes ALL the ports on my machine including mysql (which I don't want to be accessible via 1.2.3.233). I know I could use ACL to deny access to each specific port, BUT there has got to be a better way that would take care of my problem yet still allow me to (if using machine 192.168.1.70 to surf the web) be seen as connecting from 1.2.3.233.
Not to mention if I have 1000 ports that I need to close for each external IP, that would be a nightmare.

I still don't know how to really "close" a port rather than filtering it.

Is it possible that cbac would do exactly what I want?

Sorry to be repetitive...

Thanks for all your help!

The more you learn, the more you realize how much you don't know.
 
so an acl for cisco implicitly denies traffic. for example, if you say:
Code:
access-list 111 permit tcp any host 1.2.3.233 eq 80
access-list 111 permit tcp any host 1.2.3.233 eq smtp
then only http and smtp traffic will be permitted inbound to 1.2.3.233 <-> 192.168.1.70. if someone tries to get to tcp 1433 or tcp 443 then it will be denied (for example). you don't need to explicitly deny traffic. this is of course assuming that you don't have ACEs further down the ACL that will permit the traffic.

does this answer your question??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
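Putting the three pieces of advice in this thread together (static NAT for the servers in the opening question, the inbound ACL with its implicit deny from the post above, and the CBAC inspection rule explained earlier), here is an added IOS configuration example. It is not from any poster in the thread; the addresses follow the original poster's scenario (LAN 192.168.1.0/24, public /29 with gateway 1.2.3.238), while the outside interface address 1.2.3.237, the interface names FastEthernet0/0 and 0/1, and the service on 192.168.1.5 are assumptions.

```cisco
! Added example, not the poster's running config.
! Assumed: Fa0/0 faces the LAN, Fa0/1 faces the upstream provider and
! carries 1.2.3.237/29 as the router's own outside address.
!
! --- One-to-one static NAT for servers that must accept inbound connections.
! A full static mapping also makes outbound traffic from that host appear
! as its public address (192.168.1.3 surfs the web as 1.2.3.233).
ip nat inside source static 192.168.1.3 1.2.3.233
ip nat inside source static 192.168.1.5 1.2.3.234
!
! --- Every other LAN host shares the outside interface address (PAT).
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface FastEthernet0/1 overload
!
! --- Inbound ACL on the outside interface. Only the listed services are
! permitted; the implicit "deny ip any any" at the end drops everything
! else, so a MySQL listener on 192.168.1.3 is never reachable through
! 1.2.3.233 even though the static NAT maps every port.
access-list 111 permit tcp any host 1.2.3.233 eq 80
access-list 111 permit tcp any host 1.2.3.233 eq smtp
! (assumed: 192.168.1.5 runs SSH)
access-list 111 permit tcp any host 1.2.3.234 eq 22
! no explicit deny line is required
!
! --- CBAC: inspect sessions leaving via Fa0/1 so their return traffic is
! let back through ACL 111 dynamically; unsolicited inbound stays blocked.
ip inspect name cbac tcp
ip inspect name cbac udp
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description Upstream
 ip address 1.2.3.237 255.255.255.248
 ip nat outside
 ip access-group 111 in
 ip inspect cbac out
!
ip route 0.0.0.0 0.0.0.0 1.2.3.238
!
! --- Checks after applying: translations, tracked sessions, ACL hit counts.
! show ip nat translations
! show ip inspect sessions
! show access-lists 111
```

The `show access-lists 111` counters are the quickest way to confirm the implicit deny is doing the work: only the permit lines accumulate matches, and a test connection to a port that is not listed produces no new translation in `show ip nat translations`.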
 
Sort of...

It doesn't seem to be a matter of denying or permitting traffic. It is just a matter of exposing ports, even though they are "filtered" or denied if you will.
I would much rather have the "denied" ports appear "closed", as opposed to "filtered" - thus still listed as potentially passing traffic.

Even port 23 (inbound) telnet to the router itself, of course has been denied on the external interface, still shows up as filtered on the outbound interface. Why is that? The fact that the ports are being denied logically is one thing, yet the ports being exposed is another.

I hope this helps.

Thanks

The more you learn, the more you realize how much you don't know.
 
I don't think I'm understanding what you mean by "exposed". If traffic destined for those ports gets blocked immediately when it tries to enter the network, how is the port exposed? Is it just the wording that's creating the worry?

CCNP, CCDP
 
By exposed I mean "listed" as an active port. By that I don't mean "open", just active.
When you do a portscan on a specific IP it lists 3 states for every port scanned: open, filtered, or closed.
If the port is open, then it accepts the packets, filtered means that there may be something potentially running on that port, and then closed is when the port is dead.
When a port is really closed, as in "no service" available on that port, then it lists it as closed (which is what it should do) I think.

Let me give you an example. If I were hypothetically speaking able to completely turn off the telnet service on the router and then remotely do a port scan on its external IP, port 23 would be listed as closed.
Given the fact that I can't completely disable telnet, if I do the port scan on port 23 (after denying it via acl) it lists the port as filtered - aka there is still something running, but can't get to it.

To a potential attacker from the outside, this could be something you may not want him/her to know about. The less they know, the better. That's all.

The more you learn, the more you realize how much you don't know.
 
Just a quick follow-up, I am in the midst of finalizing this config and locking it down.

During tests, I realized that lines such as
Code:
ip inspect name cbac https
fail to load, with the ^ marker pointing at "https".
Obviously the syntax is correct, but this may not be accepted because of my IOS version. Is that possible?

I have yet to receive the flash I ordered, but ram is in. So now it's sporting 128M ram and 24M flash.

Any replies are always welcome.

Thanks to all who responded!

The more you learn, the more you realize how much you don't know.
 
Ok, to all who replied I just wanted to say thank you.
I have upgraded the router to 128/32 and now it's running great.

Finally got it down to where it does exactly what I wanted it to do.

Thanks.

The more you learn, the more you realize how much you don't know.
 
sweetness my man!! feels great doesn't it??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
It sure does my friend!

Let me ask one more question though. What do you guys recommend as the better tool to manage and update the IOS on a router. Is there even a free one out there that has a built in editor and tftp server?
What about for monitoring the router?
I have seen some but they're pretty crappy.
Any Cisco products you recommend?

Thanks

The more you learn, the more you realize how much you don't know.
 
Most people will use TeraTerm as their terminal emulation software. As for tftp you can get tftpd or SolarWinds. As for monitoring the router, the best thing is to use NetFlow, but you need a receiver to get the stats. NBAR is pretty good, but it's limited in the number of flows it can track. SDM will give you graphical output of certain vitals such as CPU usage, memory usage, etc.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thank you so much!

The more you learn, the more you realize how much you don't know.
 