CISCO 871 Problems to configure LAN+DMZ with official IPs

longdrink (Technical User), Jul 22, 2009
I've been fighting with my router configuration for several weeks now without much success.
Now I really hope I can find a clever person here to help me out.

I'm trying to configure:
- A DMZ with 8 (6 usable) official IPs; full traffic should be routed to and from the WAN (no port forwarding; dedicated servers)
- A LAN which should be NATed; no WAN->LAN access should be allowed
- LAN->DMZ should be possible; the other direction doesn't matter
- do this with a single router

My current configuration is based on a sample configuration found in the dslreports FAQ.

Everything works fine, but the DMZ servers' response packets to packets from the WAN do not arrive at the initial sender.
LAN can access WAN, LAN can access DMZ without problems.

When I ping a server in the DMZ from the WAN or try to open a telnet session to port 80, I can see in the server's firewall logs the incoming packet and the responding outgoing packet.
But at the sending machine I do not receive the ping response and cannot establish a TCP connection.

PLEASE PLEASE PLEASE, if you have an idea, please help me!

My Configuration follows:
A.B.213.73/29: official DMZ IPs, routed to C.D.246.8 (= WAN port IP)
Default Gateway: C.D.246.1
Vlan1=LAN
Vlan2=DMZ
Eth4=WAN

Code:
#show running-config
Building configuration...

Current configuration : 5574 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret <snip>
!
no aaa new-model
clock timezone Berlin 1
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-720454128
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-720454128
 revocation-check none
 rsakeypair TP-self-signed-720454128
!
!
crypto pki certificate chain TP-self-signed-720454128
 certificate self-signed 01
<snip>
  quit
no ip source-route
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
ip domain name yourdomain.com
ip name-server 195.34.133.21
ip name-server 195.34.133.22
!
!
!
username <snip>
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 switchport access vlan 2
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address C.D.246.8 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 111 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Vlan2
 description DMZ Interface
 ip address A.B.213.73 255.255.255.248
 ip access-group 110 in
 ip nat inside
 no ip virtual-reassembly
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 C.D.246.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 10 interface FastEthernet4 overload
!
logging trap debugging
access-list 10 remark Permit subnets to go out to the internet
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit A.B.213.72 0.0.0.7
access-list 10 permit C.D.246.0 0.0.0.15
access-list 110 remark restricted inside network Access
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip A.B.213.72 0.0.0.7 any
access-list 110 permit ip C.D.246.0 0.0.0.15 any
access-list 111 remark restricted DMZ Access
access-list 111 permit ip A.B.213.72 0.0.0.7 any
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for  one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

I also add some more information which could be useful:

Code:
#show version
Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(15)T4, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 13-Mar-08 13:50 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

yourname uptime is 7 weeks, 21 minutes
System returned to ROM by power-on
System image file is "flash:c870-advsecurityk9-mz.124-15.T4.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 871 (MPC8272) processor (revision 0x200) with 118784K/12288K bytes of memory.
Processor board ID FCZ121362QQ
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
5 FastEthernet interfaces
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102

Code:
#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp C.D.246.8:1101  192.168.1.105:1101 193.170.75.13:22   193.170.75.13:22
tcp C.D.246.8:1     A.B.213.74:445  79.172.92.39:3916  79.172.92.39:3916
tcp C.D.246.8:1024  A.B.213.74:1521 60.210.179.198:6000 60.210.179.198:6000
icmp C.D.246.8:4699 A.B.213.74:4699 193.170.75.21:4699 193.170.75.21:4699
icmp C.D.246.8:27663 A.B.213.74:27663 74.125.45.100:27663 74.125.45.100:27663
udp C.D.246.8:33250 A.B.213.74:33250 195.34.133.21:53  195.34.133.21:53
udp C.D.246.8:47824 A.B.213.74:47824 195.34.133.21:53  195.34.133.21:53
udp C.D.246.8:50814 A.B.213.74:50814 195.34.133.21:53  195.34.133.21:53

Code:
001484: *Apr 19 01:29:04.168 Berlin: NAT*: s=A.B.213.74->C.D.246.8, d=193.170.75.21 [25513]
001485: *Apr 19 01:29:05.168 Berlin: NAT*: s=A.B.213.74->C.D.246.8, d=193.170.75.21 [25514]
001486: *Apr 19 01:29:06.168 Berlin: NAT*: s=A.B.213.74->C.D.246.8, d=193.170.75.21 [25515]
001487: *Apr 19 01:29:07.168 Berlin: NAT*: s=A.B.213.74->C.D.246.8, d=193.170.75.21 [25516]
001488: *Apr 19 01:29:08.168 Berlin: NAT*: s=A.B.213.74->C.D.246.8, d=193.170.75.21 [25517]
001489: *Apr 19 01:29:09.168 Berlin: NAT*: s=A.B.213.74->C.D.246.8, d=193.170.75.21 [25518]
001490: *Apr 19 01:29:10.168 Berlin: NAT*: s=A.B.213.74->C.D.246.8, d=193.170.75.21 [25519]
001491: *Apr 19 01:29:11.168 Berlin: NAT*: s=A.B.213.74->C.D.246.8, d=193.170.75.21 [25520]
001492: *Apr 19 01:29:12.172 Berlin: NAT*: s=A.B.213.74->C.D.246.8, d=193.170.75.21 [25521]
001493: *Apr 19 01:29:13.172 Berlin: NAT*: s=A.B.213.74->C.D.246.8, d=193.170.75.21 [25522]

001553: *Apr 19 01:32:59.228 Berlin: NAT*: i: icmp (A.B.213.74, 4699) -> (193.170.75.21, 4699) [25748]
001554: *Apr 19 01:32:59.228 Berlin: NAT*: s=A.B.213.74->C.D.246.8, d=193.170.75.21 [25748]
001555: *Apr 19 01:33:00.228 Berlin: NAT*: i: icmp (A.B.213.74, 4699) -> (193.170.75.21, 4699) [25749]
001556: *Apr 19 01:33:00.228 Berlin: NAT*: s=A.B.213.74->C.D.246.8, d=193.170.75.21 [25749]
001557: *Apr 19 01:33:01.228 Berlin: NAT*: i: icmp (A.B.213.74, 4699) -> (193.170.75.21, 4699) [25750]
001558: *Apr 19 01:33:01.228 Berlin: NAT*: s=A.B.213.74->C.D.246.8, d=193.170.75.21 [25750]
#no debug ip nat detailed

Any ideas? Thank you very much!
Best regards,
longdrink
 
The return traffic is NATed to the WAN interface IP (f0/4). You should exclude C.D.213.72/29 from ACL 10.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Oh, and remove ip nat inside from Vlan2.

On a completely unrelated note, why the hell hasn't this site evolved to the point that a simple Edit Post link/button would allow us to simply edit our posts, as opposed to having to create a whole new one??

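Putting the two replies together, the corrected NAT section below is an added example; it is not the configuration posted in the thread and the replies did not spell it out line by line. It assumes the addressing from the original post (Vlan1 192.168.1.0/24 as the PATed LAN, Vlan2 A.B.213.72/29 as the routed public DMZ, FastEthernet4 C.D.246.8 as the NAT outside interface) and reads the reply's "C.D.213.72/29" as that DMZ subnet, since A.B.213.72/29 is the only /29 in the post. The mechanism behind both replies: IOS applies an "ip nat inside source list" translation to a packet that enters an "ip nat inside" interface, leaves an "ip nat outside" interface and has a source address permitted by the list. In the posted config Vlan2 is "ip nat inside" and list 10 permits A.B.213.72 0.0.0.7, so every reply a DMZ server sends towards the Internet is PATed to C.D.246.8. That is exactly what the "NAT*: s=A.B.213.74->C.D.246.8" lines in the debug output show, and the remote host discards a reply from an address it never talked to.

```cisco
! Added example: corrected NAT section for the 871 in this thread.
! Not the poster's running-config. Addressing assumed from the original post:
!   Vlan1        192.168.1.0/24   LAN, private, to be PATed
!   Vlan2        A.B.213.72/29    DMZ, public, routed by the ISP to C.D.246.8
!   FastEthernet4 C.D.246.8/24    WAN, ip nat outside
!
! --- Before (as posted): these two statements together cause the symptom ---
!   interface Vlan2
!    ip nat inside
!   access-list 10 permit A.B.213.72 0.0.0.7
! A DMZ reply enters an inside interface, leaves the outside interface and
! matches list 10, so its source becomes C.D.246.8 and the remote host drops it.
!
! --- After: the DMZ is neither NAT inside nor NAT outside, and only the
! --- private LAN is in the translation list. Vlan2 keeps its address and
! --- access-group 110 as posted; only the NAT role changes.
configure terminal
!
interface Vlan2
 no ip nat inside
exit
!
! Rebuild list 10 with the LAN only. The third line of the posted list
! (the WAN /28, C.D.246.0 0.0.0.15) is dropped as well; a WAN subnet has no
! place in an inside source list. Removing the list briefly leaves the overload
! rule without a source list, so do this from the console or in a quiet window.
no access-list 10
access-list 10 remark Only the private LAN is translated behind the WAN address
access-list 10 permit 192.168.1.0 0.0.0.255
!
! The overload rule itself is unchanged.
ip nat inside source list 10 interface FastEthernet4 overload
!
end
!
! Drop the stale entries that still map A.B.213.74 to C.D.246.8.
! This also resets current LAN sessions.
clear ip nat translation *
!
! Verify: no "Inside local" column entry should carry an A.B.213.x address
! any more, and "debug ip nat detailed" should stay silent for DMZ traffic.
show ip nat translations
show access-lists 10
```

After this change LAN->DMZ traffic is still forwarded, just untranslated: the DMZ hosts see 192.168.1.x sources and the router routes the replies back to Vlan1, which satisfies the third requirement in the post. On images that accept numbered lists in named mode, "ip access-list standard 10" followed by "no permit A.B.213.72 0.0.0.7" removes the single line without tearing the list down; check that on 12.4(15)T4 before relying on it. Two things a practitioner would want to tighten next, both visible in the posted config rather than assumed here: "no WAN->LAN access" is currently enforced only by the absence of a matching PAT entry for unsolicited packets, with no inbound access-list on FastEthernet4 (the ADVSECURITYK9 image also offers "ip inspect" for stateful return-traffic handling); and the ingress lists permit source addresses that do not belong to their interface (110 on Vlan2 permits 192.168.1.0/24 and the WAN /28, 111 on Vlan1 permits the DMZ /29), so restricting each list to its own subnet gives basic anti-spoofing on the switch ports.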
 