
CISCO SOHO 91 - OPENING PORTS FOR WEBHOSTING AND EMAIL 2

Status
Not open for further replies.

hugstable

Programmer
Feb 20, 2006
65
US
All,

I currently have a soho 91 router/firewall... I would like to open up the following ports so i can host my company site from the office:

25/TCP,UDP - smtp
80/TCP - http
110/TCP - pop3
143/TCP,UDP - imap

on my box with an ip of 10.10.10.2
subnet 255.255.255.0

i have a cable connection with a static IP.
there are 5 more machines on that subnet connected to the router that i DON'T want on the web...

i am pretty new to ios so please be gentle!

all help is welcome...

 
Hi hugstable

Static NAT required here:

syntax (from global config)
ip nat inside source static <tcp/udp> <inside ip address of web server> <port number> interface <internet interface> <port number>

eg
ip nat inside source static tcp 10.10.10.2 80 interface serial 0 80

will forward incoming http traffic to 10.10.10.2 on the s0 interface

Repeat as necessary for all required TCP/ UDP ports

Inside interface ie fastethernet0/0 - (config-if)#ip nat inside
Outside interface ie serial 0 - (config-if)#ip nat outside

Don't forget to permit the traffic through any inbound ACLs you have on the serial interface

ie
access-list 101 permit tcp any host 10.10.10.2 eq 80

!!!HOWEVER!!!
If you are permitting hosts on the Internet into a web server on your network but don't want access to other PCs on the same subnet, you may want to think about purchasing a WIC-1ENET, installing into a spare slot on your router and using this to set up a DMZ (DeMilitarized Zone) which is a separate network on the same router with a firewall between this network and your local LAN

Hope this helps

Jim :eek:)
CCNA
 
Spurious comment...!!

"you may want to think about purchasing a WIC-1ENET, installing into a spare slot on your router"

... the SOHO 91 does not have a WIC slot!!

Sorry about that!

Still you may want to think about maybe purchasing another router which will handle DMZ capabilities....

Jim

:eek:P
 
when i start making more cash i want to get a new router... thanks for the help... i will try and get this running...

here is my config:

CONFIG ==============================
========
Current configuration : 1246 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname root
!
no logging buffered
enable secret xxx
!
username xxx privilege 15 password xxx
25053050A010003
username xxx password xxx
no aaa new-model
ip subnet-zero
ip name-server 65.x.241.181
ip name-server 67.x.118.46
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
lease 0 2
!
!
!
!
!
!
partition flash 2 6 2
!
!
!
!
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip nat inside
no cdp enable
hold-queue 32 in
!
interface Ethernet1
ip address dhcp client-id Ethernet1
ip nat outside
duplex auto
no cdp enable
!
ip nat inside source list 102 interface Ethernet1 overload
ip classless
ip http server
no ip http secure-server
!
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
no cdp run
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
!
end
==============
 
Jim's advice is spot on - just follow that and substitute the references to serial0 with ethernet1 and you should be fine, i.e.:


ip nat inside source static tcp 10.10.10.2 25 interface ethernet1 25
ip nat inside source static udp 10.10.10.2 25 interface ethernet1 25
ip nat inside source static tcp 10.10.10.2 80 interface ethernet1 80
ip nat inside source static tcp 10.10.10.2 110 interface ethernet1 110
ip nat inside source static tcp 10.10.10.2 143 interface ethernet1 143
ip nat inside source static udp 10.10.10.2 143 interface ethernet1 143

And as already stated apply an inbound ACL on ethernet1 as follows:

access-list 101 permit tcp any host 10.10.10.2 eq 80
access-list 101 permit udp any host 10.10.10.2 eq 25
access-list 101 permit tcp any host 10.10.10.2 eq 25
access-list 101 permit tcp any host 10.10.10.2 eq 110
access-list 101 permit tcp any host 10.10.10.2 eq 143
access-list 101 permit udp any host 10.10.10.2 eq 143

interface ethernet1
ip access-group 101 in


There is one caveat to bear in mind with this access list as it stands. It will block most of your return traffic from the internet to your internal LAN hosts. You can apply additional statements to open up TCP established ports or any TCP/UDP ports greater than 1023 which typically constitute reply traffic from an external destination.

The best solution however is to either use a firewall for access control or, failing that, enable a function called CBAC (if your cisco IOS supports it - you need a firewall IOS feature set) which opens these ports dynamically and ensures the LAN hosts continue to function normally.


Take a look at the following for an idea of how to setup CBAC:

 
where should i put the ip nat inside code? does it get its own section... is there a specific command i should use?

how can i back up my current config in case i blow it up?
 
You need a tftp server programme running on a PC local to the router

Command is #copy start tftp

You then specify the local IP address and the filename. This will back up your router

Alternatively, you can capture a copy of the current config by using Hyperterminal to connect, running the capture option and doing a #show running-config command

If it goes wrong then you can simply delete the startup config, reload the router to start with a blank config and copy and paste the config back into the router :eek:)

The ip nat statements are programmed from global config ie Router(config)#

Hope this helps

Jim
CCNA :eek:)

 
new running config has my ip pointing at my router... not my webpage... I SCREWED IT UP...


Current configuration : 3027 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname root
!
logging buffered informational
enable secret 5 $1$WTgl$4ivUMx0texkQGmj5j1SAA/
!
username CRWS_Jaidil privilege 15 password 7 125D5453255A0A256E24752700103212544
25053050A010003
username root password 7 075F37495C05491713
no aaa new-model
ip subnet-zero
ip name-server 65.83.241.181
ip name-server 67.32.118.46
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.21
!
ip dhcp pool CLIENT
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
lease 0 2
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
!
!
!
!
partition flash 2 6 2
!
!
!
!
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip nat inside
no cdp enable
hold-queue 32 in
!
interface Ethernet1
ip address dhcp client-id Ethernet1
ip access-group 111 in
ip nat outside
ip inspect myfw out
duplex auto
no cdp enable
!
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static tcp 10.10.10.21 80 interface Ethernet1 80
ip nat inside source static tcp 10.10.10.21 21 interface Ethernet1 21
ip nat inside source static tcp 10.10.10.21 110 interface Ethernet1 110
ip nat inside source static tcp 10.10.10.21 25 interface Ethernet1 25
ip classless
ip http server
no ip http secure-server
!
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any any eq pop3
access-list 111 permit tcp any any eq smtp
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any log
no cdp run
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
!
end

any advice?
 
Hi hugstable

Yes, use the "no" form of the command to remove your static NAT statements

eg (config)#no ip nat inside source static tcp 10.10.10.21 80 interface Ethernet1 80

If you get an error similar to "static entry in use, cannot modify or remove" after you have pressed return, you need to exit back to Priv Exec and type the following:

#clear ip nat translation *

This will clear all current entries in the NAT table and allow you to remove the static NAT lines

Hope this helps

Jim :eek:)
CCNA

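An added example, not code from any poster in this thread: a small Python audit that pulls the static NAT lines and the inbound ACL on the outside interface out of pasted `show running-config` text and reports the mismatches the replies above are concerned with: forwarded ports the ACL never permits, requested ports with no static NAT entry behind them, ACL permits with nothing forwarded behind them (pure exposure), and ACL entries written against the inside host address, which an inbound ACL on the outside interface cannot match because IOS evaluates that ACL before the outside-to-inside translation, so it sees the public address. The sample config is constructed, modelled on the second config posted; `REQUESTED`, `PORT_NAMES` and the function names are mine; interface sub-commands are assumed to run until the next `!` line, as in the pasted configs, and only `permit tcp|udp ... eq <port>` entries are parsed.

```python
"""Cross-check static NAT port forwards against the inbound ACL on the
outside interface of a Cisco IOS config (added example for this thread)."""
import re
from collections import namedtuple

# Constructed sample, modelled on the second config posted in the thread.
SAMPLE_CONFIG = """\
interface Ethernet1
 ip address dhcp client-id Ethernet1
 ip access-group 111 in
 ip nat outside
!
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static tcp 10.10.10.21 80 interface Ethernet1 80
ip nat inside source static tcp 10.10.10.21 21 interface Ethernet1 21
ip nat inside source static tcp 10.10.10.21 110 interface Ethernet1 110
ip nat inside source static tcp 10.10.10.21 25 interface Ethernet1 25
!
access-list 111 permit tcp any host 10.10.10.21 eq www
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any any eq pop3
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq 139
access-list 111 deny ip any any log
"""

# Ports the original poster asked to expose (taken from the first post).
REQUESTED = {("tcp", 25), ("udp", 25), ("tcp", 80), ("tcp", 110), ("tcp", 143), ("udp", 143)}
# IOS accepts service names in ACLs; these are the ones seen in the thread.
PORT_NAMES = {"www": 80, "ftp": 21, "pop3": 110, "smtp": 25, "imap": 143, "domain": 53}

STATIC_NAT = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")
ACL_PERMIT = re.compile(r"^access-list (\d+) permit (tcp|udp) (any|host \S+) (any|host \S+) eq (\S+)$")
Forward = namedtuple("Forward", "proto inside_ip inside_port iface outside_port")
Permit = namedtuple("Permit", "proto dst port")   # dst is 'any' or 'host a.b.c.d'


def port_number(token):
    """Map a service name or numeric token to a port; None if unknown."""
    return PORT_NAMES.get(token, int(token) if token.isdigit() else None)


def parse_config(text):
    """Return (forwards, acls, inbound_acl_by_iface, nat_outside_ifaces)."""
    forwards, acls, inbound_acl, outside = [], {}, {}, set()
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":                      # '!' ends an interface block
            iface = None
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            iface = m.group(1).lower()
            continue
        if iface:                            # interface sub-commands
            m = re.match(r"^ip access-group (\d+) in$", line)
            if m:
                inbound_acl[iface] = m.group(1)
            elif line == "ip nat outside":
                outside.add(iface)
            continue
        m = STATIC_NAT.match(line)
        if m:
            proto, ip, iport, ifname, oport = m.groups()
            forwards.append(Forward(proto, ip, int(iport), ifname.lower(), int(oport)))
            continue
        m = ACL_PERMIT.match(line)
        if m:
            num, proto, _src, dst, port = m.groups()
            acls.setdefault(num, []).append(Permit(proto, dst, port_number(port)))
    return forwards, acls, inbound_acl, outside


def audit(text, requested=REQUESTED):
    """Return a list of human-readable findings for the config text."""
    forwards, acls, inbound_acl, outside = parse_config(text)
    findings = []
    for iface in sorted(outside - set(inbound_acl)):
        findings.append(f"{iface}: ip nat outside but no inbound ACL applied")
    forwarded = {(f.proto, f.outside_port) for f in forwards}
    for f in forwards:
        acl = inbound_acl.get(f.iface)
        if acl is None:
            continue                         # already reported above
        hits = [p for p in acls.get(acl, []) if p.proto == f.proto and p.port == f.outside_port]
        if not hits:
            findings.append(f"{f.proto}/{f.outside_port} -> {f.inside_ip}: forwarded but ACL {acl} never permits it, so it is dropped")
        for p in hits:
            # The inbound ACL runs before outside-to-inside NAT, so the packet
            # still carries the public address; 'host <inside ip>' cannot match.
            if p.dst == f"host {f.inside_ip}":
                findings.append(f"{f.proto}/{f.outside_port}: ACL {acl} matches on inside address {f.inside_ip}; use the public address (or any), NAT happens after the ACL")
    for proto, port in sorted(requested - forwarded):
        findings.append(f"{proto}/{port}: requested but no static NAT entry forwards it")
    for iface, acl in sorted(inbound_acl.items()):
        for p in acls.get(acl, []):
            if p.port is not None and (p.proto, p.port) not in forwarded:
                findings.append(f"{p.proto}/{p.port}: ACL {acl} on {iface} permits it inbound but nothing forwards it; remove the entry")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the constructed sample this reports the `host 10.10.10.21` entry for port 80 as unmatchable, the three requested ports (tcp/143, udp/25, udp/143) that have no static NAT entry, and the tcp/139 permit that exposes a port nothing forwards. Feeding it a full pasted config works the same way; the `lease`, `line vty` and `ip inspect` lines are simply ignored.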
 