IOS Firewall with static and dynamic NAT


xevious2k (IS-IT--Management), Nov 14, 2002
Greetings All,

I need a little expert help. I have a Cisco 26x0 and a Cisco 2514 and am trying to set up the following system. The 2600 is connected to the Internet directly and then to a hub. This hub is the DMZ. The 2514 sits between the DMZ and the internal network LAN. e0 connects to the DMZ and e1 connects to my LAN. Below is the configuration of the 2514. I need to have NAT enabled for outbound traffic to the Internet as well as have some holes open for servers that need to be behind the firewall. The outbound portion of the configuration is working fine, but you can't see the servers on the inside from the Internet. Here's the config...

===========================================================
!
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname Firewall
!
! "enable password" is stored reversibly (type 7 under service password-encryption);
! "enable secret" stores a hash and is the usual choice
enable password xxxx
!
! source-routed packets let the sender dictate the path; "no ip source-route" is the usual hardening setting
ip source-route
no ip name-server
!
ip subnet-zero
no ip domain-lookup
ip routing
!
! Context-Based Access Control
!
no ip inspect audit-trail
ip inspect tcp synwait-time 30
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect dns-timeout 5
ip inspect one-minute low 900
ip inspect one-minute high 1100
ip inspect max-incomplete low 900
ip inspect max-incomplete high 1100
ip inspect tcp max-incomplete host 50 block-time 0
!
! IP inspect Ethernet_1
!
no ip inspect name Ethernet_1
ip inspect name Ethernet_1 tcp
ip inspect name Ethernet_1 udp
ip inspect name Ethernet_1 cuseeme
ip inspect name Ethernet_1 ftp
ip inspect name Ethernet_1 h323
ip inspect name Ethernet_1 rcmd
ip inspect name Ethernet_1 realaudio
ip inspect name Ethernet_1 smtp
ip inspect name Ethernet_1 streamworks
ip inspect name Ethernet_1 vdolive
ip inspect name Ethernet_1 sqlnet
ip inspect name Ethernet_1 tftp
!
! IP inspect Ethernet_0
!
no ip inspect name Ethernet_0
ip inspect name Ethernet_0 udp
ip inspect name Ethernet_0 tcp
ip inspect name Ethernet_0 smtp
ip inspect name Ethernet_0 cuseeme
ip inspect name Ethernet_0 ftp
ip inspect name Ethernet_0 h323
ip inspect name Ethernet_0 rcmd
ip inspect name Ethernet_0 realaudio
ip inspect name Ethernet_0 streamworks
ip inspect name Ethernet_0 vdolive
ip inspect name Ethernet_0 sqlnet
ip inspect name Ethernet_0 tftp
!
interface Ethernet 0
no shutdown
description connected to Internet
ip address 205.xxx.xxx.5 255.255.255.0
ip nat outside
ip inspect Ethernet_0 in
ip access-group 101 in
keepalive 10
!
interface Ethernet 1
no shutdown
description connected to EthernetLAN
ip address 200.200.200.5 255.255.255.0
ip nat inside
ip inspect Ethernet_1 in
ip access-group 100 in
keepalive 10
!
interface Serial 0
no description
no ip address
shutdown
!
interface Serial 1
no description
no ip address
shutdown
!
! Access Control List 1
!
no access-list 1
access-list 1 permit 200.200.200.0 0.0.0.255
!
! Access Control List 100
!
no access-list 100
! Anything from the LAN is allowed out; the CBAC inspection on Ethernet 1 then
! opens the return path through access-list 101 for those sessions.
access-list 100 permit ip any any
!
! Access Control List 101
!
no access-list 101
! Anti-spoofing: packets arriving from the Internet must never carry a
! published server address (and its service port) as their source.
access-list 101 deny udp host 205.xxx.xxx.3 eq domain any
access-list 101 deny tcp host 205.xxx.xxx.51 eq smtp any
access-list 101 deny tcp host 205.xxx.xxx.10 eq smtp any
access-list 101 deny udp host 205.xxx.xxx.2 eq domain any
access-list 101 deny tcp host 205.xxx.xxx.26 eq
access-list 101 deny tcp host 205.xxx.xxx.58 eq
access-list 101 deny tcp host 205.xxx.xxx.59 eq
access-list 101 deny tcp host 205.xxx.xxx.64 eq
access-list 101 deny tcp host 205.xxx.xxx.65 eq
access-list 101 deny tcp host 205.xxx.xxx.66 eq
! The six lines above are cut short in the original post (port and destination
! are missing). The static NAT entries expose only port 80 on these hosts, so
! they were presumably "eq www any", but that is an inference.
access-list 101 permit udp any host 205.xxx.xxx.2 eq domain
access-list 101 deny ip any host 205.xxx.xxx.2
access-list 101 permit udp any host 205.xxx.xxx.3 eq domain
access-list 101 deny ip any host 205.xxx.xxx.3
access-list 101 permit tcp any host 205.xxx.xxx.51 eq pop3
access-list 101 permit tcp any host 205.xxx.xxx.51 eq www
access-list 101 permit tcp any host 205.xxx.xxx.51 eq smtp
access-list 101 deny ip any host 205.xxx.xxx.51
access-list 101 deny ip any host 205.xxx.xxx.10
access-list 101 permit tcp any host 205.xxx.xxx.10 eq www
access-list 101 permit tcp any host 205.xxx.xxx.10 eq smtp
access-list 101 permit tcp any host 205.xxx.xxx.26 eq www
access-list 101 deny ip any host 205.xxx.xxx.26
access-list 101 permit tcp any host 205.xxx.xxx.58 eq www
access-list 101 deny ip any host 205.xxx.xxx.58
access-list 101 permit tcp any host 205.xxx.xxx.59 eq www
access-list 101 deny ip any host 205.xxx.xxx.59
! Reordered for the same reason: the deny for .64 was listed ahead of its permit.
access-list 101 permit tcp any host 205.xxx.xxx.64 eq www
access-list 101 deny ip any host 205.xxx.xxx.64
access-list 101 permit tcp any host 205.xxx.xxx.65 eq www
access-list 101 deny ip any host 205.xxx.xxx.65
access-list 101 permit tcp any host 205.xxx.xxx.66 eq www
!
! Static NAT
!
ip nat inside source static tcp 200.200.200.51 25 205.xxx.xxx.51 25 extendable
ip nat inside source static tcp 200.200.200.51 110 205.xxx.xxx.51 110 extendable
ip nat inside source static tcp 200.200.200.51 80 205.xxx.xxx.51 80 extendable
ip nat inside source static tcp 200.200.200.58 80 205.xxx.xxx.58 80 extendable
ip nat inside source static tcp 200.200.200.64 80 205.xxx.xxx.64 80 extendable
ip nat inside source static tcp 200.200.200.65 80 205.xxx.xxx.65 80 extendable
ip nat inside source static tcp 200.200.200.26 80 205.xxx.xxx.26 80 extendable
ip nat inside source static tcp 200.200.200.59 80 205.xxx.xxx.59 80 extendable
ip nat inside source static udp 200.200.200.3 53 205.xxx.xxx.3 53 extendable
ip nat inside source static udp 200.200.200.2 53 205.xxx.xxx.2 53 extendable
ip nat inside source static tcp 200.200.200.10 25 205.xxx.xxx.10 25 extendable
ip nat inside source static tcp 200.200.200.10 80 205.xxx.xxx.10 80 extendable
ip nat inside source static tcp 200.200.200.66 80 205.xxx.xxx.66 80 extendable
!
! Dynamic NAT
!
ip nat translation timeout 86400
ip nat translation tcp-timeout 86400
ip nat translation udp-timeout 300
ip nat translation dns-timeout 60
ip nat translation finrst-timeout 60
ip nat pool Firewall-natpool-0 205.xxx.xxx.250 205.xxx.xxx.254 netmask 255.255.255.0
ip nat inside source list 1 pool Firewall-natpool-0 overload
!
router rip
version 2
network 200.200.200.0
passive-interface Ethernet 0
no auto-summary
!
!
ip classless
!
! IP Static Routes
! A default route to an Ethernet interface with no next hop makes the router ARP
! for every Internet destination (it depends on the 2600 proxy-ARPing);
! pointing it at the 2600's DMZ address is the usual form.
ip route 0.0.0.0 0.0.0.0 Ethernet 0
no ip http server
! "public" is the well-known default community; anyone who can reach UDP 161 on
! the outside address can read interface and NAT state. Use a non-default string
! and restrict it with an access-list: snmp-server community <string> RO <acl>
snmp-server community public RO
no snmp-server location
no snmp-server contact
!
line console 0
exec-timeout 0 0
password xxxx
login
!
line vty 0 4
password xxxx
login
!
end
===========================================================

This config was generated with configmaker. I'm new to the cisco world, so please forgive me if this is something obvious or stupid, but I'm trying to learn here.

Thanks
x2k
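As an added example (not from the original poster or from Tek-Tips), here is a small Python check for the ordering problem visible in access-list 101 above: IOS stops at the first matching entry, so a "deny ip any host X" listed ahead of "permit tcp any host X eq www" makes that permit dead. The sample ACL is constructed from the posted entries with 203.0.113.0/24 standing in for the masked 205.xxx.xxx.0/24 and the truncated lines left out; the parser only handles the syntax this config uses.

```python
"""Find permit entries in a Cisco IOS extended ACL that an earlier deny shadows.

IOS evaluates an access-list top to bottom and stops at the first match, so
"deny ip any host X" placed ahead of "permit tcp any host X eq www" silently
kills the permit.  The parser covers only the syntax the posted config uses
(permit/deny, ip/tcp/udp, any / host A.B.C.D / A.B.C.D WILDCARD, eq PORT).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "domain": 53}

# Constructed from the posted access-list 101, with 203.0.113.0/24 standing in
# for the masked 205.xxx.xxx.0/24 and the truncated lines left out.
SAMPLE_ACL = """
access-list 101 deny udp host 203.0.113.3 eq domain any
access-list 101 permit udp any host 203.0.113.2 eq domain
access-list 101 deny ip any host 203.0.113.2
access-list 101 permit tcp any host 203.0.113.51 eq pop3
access-list 101 permit tcp any host 203.0.113.51 eq www
access-list 101 permit tcp any host 203.0.113.51 eq smtp
access-list 101 deny ip any host 203.0.113.51
access-list 101 deny ip any host 203.0.113.10
access-list 101 permit tcp any host 203.0.113.10 eq www
access-list 101 permit tcp any host 203.0.113.10 eq smtp
access-list 101 deny ip any host 203.0.113.64
access-list 101 permit tcp any host 203.0.113.64 eq www
access-list 101 permit tcp any host 203.0.113.65 eq www
access-list 101 deny ip any host 203.0.113.65
"""


@dataclass(frozen=True)
class Ace:
    line: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


def _addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network((tok, tokens.pop(0)), strict=False)  # wildcard = hostmask


def _port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq PORT' qualifier (name or number)."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return int(name) if name.isdigit() else PORT_NAMES[name]
    return None


def parse_acl(text: str) -> List[Ace]:
    """Parse extended ACL lines; '!' comments and 'no access-list' lines are skipped."""
    aces = []
    for n, raw in enumerate(text.strip().splitlines(), 1):
        tokens = raw.split()
        if tokens[:1] != ["access-list"]:
            continue
        _, _, action, proto, *rest = tokens
        src, sport = _addr(rest), _port(rest)
        dst, dport = _addr(rest), _port(rest)
        aces.append(Ace(n, action, proto, src, sport, dst, dport))
    return aces


def _covers(a: Ace, b: Ace) -> bool:
    """True if every packet that matches b also matches a."""
    return (a.proto in ("ip", b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.src_port in (None, b.src_port)
            and a.dst_port in (None, b.dst_port))


def shadowed(aces: List[Ace]) -> List[Tuple[Ace, Ace]]:
    """(victim, blocker) pairs: an earlier ACE of the opposite action fully covers a later one."""
    found = []
    for i, later in enumerate(aces):
        for earlier in aces[:i]:
            if earlier.action != later.action and _covers(earlier, later):
                found.append((later, earlier))
                break
    return found


def reorder(aces: List[Ace]) -> List[Ace]:
    """Move each shadowed ACE directly ahead of the ACE that blocks it."""
    order = list(aces)
    for victim, blocker in shadowed(aces):
        order.remove(victim)
        order.insert(order.index(blocker), victim)
    return order


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for victim, blocker in shadowed(acl):
        print(f"line {victim.line} never matches: shadowed by line {blocker.line}")
    assert not shadowed(reorder(acl))
```

Run against the sample it reports the two permits for .10 and the permit for .64 as shadowed by the deny immediately above them, which matches the .51 and .65 blocks (permits first, then the catch-all deny) being the intended pattern. Same-action shadowing is only redundancy, so the check reports opposite-action pairs only.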
 
Hello Again All,

OK, after some more testing, I can see that the web sites behind the firewall are now working. When you go to the web site from the outside world (Internet), the web site comes up, but when you go to the site from the inside (NAT), it can't find the server. Is there any way to tell the Cisco to go outside and come back in?

Thanks,
x2k
 
You won't be able to hit the external NAT address from an inside NAT interface. I am doing something similar, and the way we got around it was to use a separate internal DNS server with zones that point to the internal server IP addresses.

Another option would be to put the servers in the DMZ instead of on the same network as the internal client machines.
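As an added example (not from the replier or from Tek-Tips), the internal-view records the reply describes can be derived from the router's own "ip nat inside source static" lines so the internal DNS and the NAT table cannot drift apart. The NAT lines are constructed from the posted config with 203.0.113.0/24 standing in for the masked 205.xxx.xxx.0/24, plus one extra split-port line; the hostnames are assumed, since the thread names none. It also flags the two cases DNS cannot fix: a published name with no static NAT behind it, and an outside address whose ports go to different inside hosts (an A record carries no port).

```python
"""Generate the internal DNS view from the firewall's static NAT table.

Internal clients cannot hairpin through the outside NAT address, so the
workaround is a second, internal DNS server whose zones answer with the
inside addresses.  Deriving those records from "ip nat inside source static"
lines keeps the two views in step and flags what DNS cannot paper over.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed from the posted static NAT entries (203.0.113.0/24 stands in for
# the masked 205.xxx.xxx.0/24); the last line is an added split-port case.
NAT_LINES = """
ip nat inside source static tcp 200.200.200.51 25 203.0.113.51 25 extendable
ip nat inside source static tcp 200.200.200.51 110 203.0.113.51 110 extendable
ip nat inside source static tcp 200.200.200.51 80 203.0.113.51 80 extendable
ip nat inside source static udp 200.200.200.2 53 203.0.113.2 53 extendable
ip nat inside source static tcp 200.200.200.10 25 203.0.113.10 25 extendable
ip nat inside source static tcp 200.200.200.66 80 203.0.113.10 80 extendable
"""

# The external (Internet-facing) zone. The names are assumed; the post gives none.
EXTERNAL_ZONE = {
    "mail.example.com": "203.0.113.51",
    "www.example.com": "203.0.113.51",
    "ns1.example.com": "203.0.113.2",
    "www2.example.com": "203.0.113.10",      # ports split across two inside hosts
    "intranet.example.com": "203.0.113.99",  # no static NAT behind it
}

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")


def parse_static_nat(text: str) -> Dict[str, Set[str]]:
    """Map each outside address to the set of inside hosts it is translated to."""
    table: Dict[str, Set[str]] = {}
    for line in text.strip().splitlines():
        m = STATIC_RE.match(line)
        if m:
            _proto, inside, _iport, outside, _oport = m.groups()
            table.setdefault(outside, set()).add(inside)
    return table


def internal_view(zone: Dict[str, str],
                  nat: Dict[str, Set[str]]) -> Tuple[Dict[str, str], List[str], List[str]]:
    """Return (internal A records, names with no NAT, names whose NAT is split by port)."""
    records: Dict[str, str] = {}
    unmapped: List[str] = []
    split: List[str] = []
    for name, outside in zone.items():
        insides = nat.get(outside, set())
        if not insides:
            unmapped.append(name)       # likely a DMZ host; keep the outside address
        elif len(insides) > 1:
            split.append(name)          # one name cannot point at two inside hosts
        else:
            records[name] = next(iter(insides))
    return records, unmapped, split


def render_zone(records: Dict[str, str]) -> str:
    """Render the records as BIND-style A records for the internal view."""
    return "\n".join(f"{name}.\tIN\tA\t{ip}" for name, ip in sorted(records.items()))


if __name__ == "__main__":
    records, unmapped, split = internal_view(EXTERNAL_ZONE, parse_static_nat(NAT_LINES))
    print(render_zone(records))
    for name in unmapped:
        print(f"; {name}: no static NAT behind it, keep the outside address")
    for name in split:
        print(f"; {name}: outside address serves several inside hosts, use per-service names")
```

For the split case the fix is on the naming side, not in DNS: give each service its own name (or its own outside address) so that a single A record can be correct in both views.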
 