Cisco Fun

[br0ck]

I have a cisco 1700 series router with a eth1 interface and a serial0 interface that is doing nat to the internet. I am trying to create an access-list set to control traffic inbound and I have 2 static statements ot put servers on the internet
Now here is the tricky part I tested some access-lists on the inbound traffic
access-list 103 permit icmp any any
Access-list 103 permit 53 any any
access-list 103 deny tcp any host PUBIP eq smtp
access-list 103 deny tcp any host PUBIP eq 135
access-list 103 deny tcp any host PUBIP eq 139
access-list 103 deny tcp any host PUBIP eq 445
access-list 103 deny tcp any host PUBIP eq 2301
access-list 103 deny tcp any host PUBIP eq 8080
access-list 103 permit tcp any host SER0IP eq telnet
access-list 103 permit tcp any host PUBIP2 eq 1352
access-list 103 permit udp any host PUBIP2 eq 1352
access-list 103 permit tcp any host PUBIP2 eq smtp
access-list 103 permit tcp any host PUBIP eq 1494
access-list 103 permit udp any host PUBIP eq 1604
access-list 103 permit tcp any host PUBIP eq 3389

ip access-group 103 in

I could not get a response form PUBIP or PUBIP2 so I removed the access group from ser0 interface
I had no problems with the router but it was wide open to the internet (not good)
So I tested some basic access list with access to my services needed

Access-list 103 permit icmp any any
access-list 103 permit tcp any host SER0IP eq telnet
access-list 103 permit tcp any host PUBIP2 eq 1352
access-list 103 permit udp any host PUBIP2 eq 1352
access-list 103 permit tcp any host PUBIP2 eq smtp
access-list 103 permit tcp any host PUBIP eq 1494
access-list 103 permit udp any host PUBIP eq 1604
access-list 103 permit tcp any host PUBIP eq 3389

ip access-group 103 in

still no response
so I ping from the internet ser0 ip got replies
ping PIBIP no response
ping PUBIP2 no response

I then remove access-group 103 form the interface and this should leave it open to the internet

I then ping and port scan the public ip’s and the ser0 interface. i get response from the interface and one public ip but not the other
So I then telnet in to the router and ping the interface good then the PUBIP nope then the PUBIP2 good
What could stop the one nated public ip address from responding ?

Here is osme of the config
interface Ethernet0
ip address 192.168.60.254 255.255.255.0
ip nat inside
no ip route-cache
!
interface Serial0
description Lease Line
ip address 64.80.60.14 255.255.255.XXX
ip access-group 103 in
ip nat outside
no ip route-cache

ip nat inside source list 1 interface Serial0 overload
ip nat inside source static 192.168.200.2 PUBIP1
ip nat inside source static 192.168.200.1 PUBIP2
ip nat inside source static 192.168.60.3 PUBIP
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 192.168.2.0 255.255.255.0 192.168.60.253

Any ideas ?
btw i'm using ver 12.1

 

[ChrisAC]

You need to test basic connectivity from PUBIP to the router and then out to the internet before you worry about router security. If you can't ping it from the router then you have a problem.

From PUBIP, how far can you get? Can you ping the router?

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************

 

[adam108]

Does access-list 1 explicitly deny the addresses of your servers before allowing any host to use the overload? Also, you need a route 192.168.200.0/24 via e0/0 because your router does not know how to get to these two servers and uses the default gateway which is the internet.

 

[br0ck]

access-list 1 is that route
i don't have the config infront of me right now butit's like
access-l 1 ip any 192.168.200 0.0.0.255

don't quote me on that but i'll post it later when i have it in front of me

 

[adam108]

Realizing that you are working off the top of your head. Access-list 1 is a standard access list which only accounts for source address and not destination. I imagine the statement is:

access-list 1 permit 192.168.200.0 0.0.0.255

With this assumption in mind, you need to remove this list with no access-list 1 and create a new access-list 1 which is:

access-list 1 deny 192.168.200.1 0.0.0.0
access-list 1 deny 192.168.200.1 0.0.0.0
access-list 1 permit 192.168.200.0 0.0.0.255

and also add a route
route add 192.168.200.0/24 via ethernet 0.

This will tell the router what to do with this traffic as well as ensure that any outbound traffic from the servers uses the static translation instead of the overload.

Try debug ip icmp and watch the pings pass through to verify.

 

[adam108]

Oops, the second line of that access-list should be 192.168.200.2 to account for the second server.

 

[br0ck]

tell you what i'll post the full config as soon as i can get access to it


by the end of the day


thanks for you help

 

[br0ck]

Building configuration...

Current configuration : 1146 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname 1600
!
boot system flash c1600-y-l.121-5.t10.bin
boot system flash
logging rate-limit console 10 except errors
no logging console
enable secret
!
username exit
ip subnet-zero
no ip finger
no ip domain-lookup
!
!
!
!
interface Ethernet0
ip address 192.168.200.254 255.255.255.0
ip nat inside
no ip route-cache
!
interface Serial0
description 128K Lease Line to isp
ip address PUBIP 255.255.255.252
ip nat outside
no ip route-cache
!
ip nat inside source list 1 interface Serial0 overload
ip nat inside source static 192.168.200.3 CITRIXPUBIP
ip nat inside source static 192.168.200.1 LOTUSPUBIP
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 192.168.12.0 255.255.255.0 192.168.200.253
ip http server
!
access-list 1 permit 192.168.200.0 0.0.0.255
!
line con 0
exec-timeout 0 0
password xxx
login
transport input none
line vty 0 4
password xxx
login
!
end

here is the current running config this is now wide open and i need to shut all of the ports except DNS for the full network 1494,1604 to CITRIXPUBIP
and smtp,1352 for LOTUSPUBIP

 

[ChrisAC]

So what IP's are you trying to NAT to? You've only got a /30 IP range, two available IP addresses and I bet that one of those is on the other end of the serial link. So, what is CITRIXPUBIP and LOTUSPUBIP?

Chris.



**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************

 

[br0ck]

i got the ping issues worked out (i don't know how but i did) the citrixpubip is registered to a domain name
the lotuspubip is the ip for the mx record


ip nat inside source static 192.168.200.3 CITRIXPUBIP
ip nat inside source static 192.168.200.1 LOTUSPUBIP


these are the statics that put the mail and citrix server on the public ip's but there are wide open

i need to block all ports except lotus, citrix and DNS in bound from the internet (serial0)

 

[ChrisAC]

No, I meant how is the CITRIXIP and LOTUSIP routed? Are they different from PUBIP, being that you only have a /30 range on your external interface.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************