Hi Everyone,
We have a mess and we're sure it's with our router script. One of our problems is that so many people have worked on it over the past months.
We now have intermittent problems like some of our PCs on our internal network (which is connected to E0 - the school) can get Real Media content and ping external addresses (e.g. while other systems can't. We also have issues with FTP (e.g. WS_FTP doesn't work) while some of my colleagues get read-only access when FTPing through Internet Explorer.
I believe the problem has something to do with the access-lists and the IP Inspect commands. Can somebody please elaborate for me what their function is? Are they an alternative to ACLs or should they be used in conjunction? Also, I'm a little confused about inbound and outbound direction when it comes to ACLs.
Current configuration:
!
version 12.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname GH1
!
enable password <***PASSWORD***>
!
!
ip subnet-zero
no ip finger
no ip domain-lookup
!
ip inspect audit-trail
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Internet tcp
ip inspect name Internet udp
ip inspect name Internet ftp
ip inspect name Internet http java-list 99 timeout 300
ip inspect name Internet smtp
ip inspect name Internet realaudio
ip inspect name internet http java-list 99 timeout 300
ip audit notify log
ip audit po max-events 100
!
!
process-max-time 200
!
interface FastEthernet0/0
description connected to school
ip address <IP_ADDRESS> 255.255.255.0
ip access-group 106 out
no ip directed-broadcast
ip accounting output-packets
ip accounting access-violations
ip nat inside
ip inspect Internet in
no cdp enable
!
interface FastEthernet0/1
description connected to art college
ip address <IP_ADDRESS> 255.255.255.0
ip access-group 104 in
no ip directed-broadcast
ip accounting output-packets
ip accounting access-violations
ip nat outside
no ip split-horizon
no cdp enable
!
router ospf 100
network <IP_ADDRESS> 0.0.255.255 area 0
!
ip default-gateway <IP_ADDRESS>
ip nat pool Internet <FIRST_IP_ADDRESS> <LAST_IP_ADDRESS> netmask 255.255.255.0
ip nat inside source list 100 pool Internet
ip nat inside source static <IP_ADDRESS> <IP_ADDRESS>
ip nat inside source static <IP_ADDRESS> <IP_ADDRESS>
ip nat inside source static <IP_ADDRESS> <IP_ADDRESS>
ip nat inside source static <IP_ADDRESS> <IP_ADDRESS>
ip nat inside source static tcp <IP_ADDRESS> 25 <IP_ADDRESS> 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
no ip http server
!
access-list 99 permit any
access-list 100 permit tcp host <IP_ADDRESS> host <IP_ADDRESS>
access-list 100 permit tcp <IP_ADDRESS> 0.255.255.255 any eq www
access-list 100 permit tcp <IP_ADDRESS> 0.255.255.255 any range ftp-data ftp
access-list 100 permit udp <IP_ADDRESS> 0.255.255.255 host <IP_ADDRESS>
access-list 100 permit udp <IP_ADDRESS> 0.255.255.255 host <IP_ADDRESS>
access-list 100 permit tcp host <IP_ADDRESS> host <IP_ADDRESS>
access-list 104 deny ip <IP_ADDRESS> 0.255.255.255 any
access-list 104 permit icmp any any echo-reply
access-list 104 deny tcp any any eq telnet
access-list 104 permit ip any any
access-list 106 permit tcp any any eq smtp
access-list 106 permit icmp any any echo-reply
access-list 106 permit tcp any host <IP_ADDRESS> eq www
no cdp run
!
line con 0
exec-timeout 0 0
password <***PASSWORD***>
login
transport input none
line aux 0
exec-timeout 2 0
password <***PASSWORD***>
login
line vty 0 4
exec-timeout 2 0
password <***PASSWORD***>
login
transport input telnet
!
scheduler interval 500
end
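As an added illustration (not part of the original post and not Cisco code), here is a small Python model of how an extended ACL is evaluated and how the inspect entries open return-traffic holes through ACL 106 on FastEthernet0/0. The addresses are constructed placeholders, since the post's own addresses are redacted.

```python
import ipaddress

# Constructed copy of the post's ACL 106 with a made-up web-server address.
ACL_106 = [
    "access-list 106 permit tcp any any eq smtp",
    "access-list 106 permit icmp any any echo-reply",
    "access-list 106 permit tcp any host 192.0.2.80 eq www",
]
PORTS = {"smtp": 25, "www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23}

def _addr(tok, i):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tok[i + 1])))
    return ipaddress.ip_network(f"{tok[i]}/{netmask}", strict=False), i + 2

def parse(line):
    """Return (action, proto, src, dst, match); match is a port set, an ICMP type or None."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    rest, match = tok[i:], None
    if rest[:1] == ["eq"]:
        match = {PORTS.get(rest[1]) or int(rest[1])}
    elif rest[:1] == ["range"]:
        lo, hi = (PORTS.get(p) or int(p) for p in rest[1:3])
        match = set(range(lo, hi + 1))
    elif rest:
        match = rest[0]  # ICMP message type such as echo-reply
    return action, proto, src, dst, match

def acl_decision(rules, pkt):
    """First matching entry decides; no match falls through to the implicit deny."""
    for action, proto, src, dst, match in rules:
        if proto not in ("ip", pkt["proto"]):
            continue
        if ipaddress.ip_address(pkt["src"]) not in src or ipaddress.ip_address(pkt["dst"]) not in dst:
            continue
        wanted = match if isinstance(match, set) else {match}
        if match is not None and pkt.get("dport", pkt.get("icmp")) not in wanted:
            continue
        return action
    return "deny (implicit)"

def inspect_in(sessions, pkt):
    """'ip inspect Internet in' on Fa0/0: remember a session started by an inside host."""
    sessions.add((pkt["proto"], pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"]))

def cbac_out(rules, sessions, pkt):
    """Traffic leaving Fa0/0 toward the school: a reply to an inspected session passes
    before ACL 106 is consulted; anything else is judged by the ACL alone."""
    key = (pkt["proto"], pkt["dst"], pkt["src"], pkt.get("dport"), pkt.get("sport"))
    return "permit (inspect session)" if key in sessions else acl_decision(rules, pkt)

def demo():
    """Web reply from an outside server: dropped by ACL 106 alone, allowed once inspected."""
    rules = [parse(l) for l in ACL_106]
    out = {"proto": "tcp", "src": "10.0.0.5", "dst": "198.51.100.7", "sport": 40000, "dport": 80}
    reply = {"proto": "tcp", "src": "198.51.100.7", "dst": "10.0.0.5", "sport": 80, "dport": 40000}
    before = cbac_out(rules, set(), reply)
    sessions = set()
    inspect_in(sessions, out)
    return before, cbac_out(rules, sessions, reply)
```

Run `demo()` to see the same reply packet go from the implicit deny to a permit once the outbound session has been inspected; the ACL supplies the static policy and inspect supplies the per-session openings, so the two work together rather than as alternatives.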