I couldn't find the words "port forwarding" in the SDM, so after reading online I used the NAT section and added all the ports I wanted to open to the internal Win2000 server, which handles VPN and Exchange email. The people who have helped me before on this forum have been great. Could someone look at my config and tell me whether I configured the ports correctly, and whether the firewall will override the NAT entries and block everything?
Here is my config file:
!This is the running config of the router: 10.0.0.225
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname hostname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
! Logging goes to the local 51200-byte buffer only: no "logging host" appears
! anywhere in this config, so ACL "log" hits are lost on reload.
logging buffered 51200 debugging
logging console critical
! NOTE(review): this type-5 (MD5) hash has been posted publicly; treat the
! enable secret as disclosed and change it (same for the "admin" user below).
enable secret 5 $1$.ib.$1E3fDsvhDpltndc12K7gu0
!
aaa new-model
!
!
! Named AAA method lists; the con/aux/vty lines reference them by name.
! No "default" login list is defined, so a line that names none uses the
! aaa default behaviour for its line type.
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
! NOTE(review): summer-time is pinned to the 2003 dates, so log timestamps are
! off by an hour outside that window; "clock summer-time PCTime recurring" is
! the usual form. Accurate timestamps matter when reading the ACL 101 log hits.
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
! Server range (.1-.50) and upper range (.151-.254, includes the router at
! .225) are kept out of the DHCP pool.
ip dhcp excluded-address 10.0.0.1 10.0.0.50
ip dhcp excluded-address 10.0.0.151 10.0.0.254
!
ip dhcp pool sdm-pool1
import all
network 10.0.0.0 255.255.255.0
! 68.230.242.20 is the same resolver that access-list 101 permits as a UDP/53
! source to the router; SDM adds that permit because CBAC does not track
! traffic the router itself originates.
dns-server 10.0.0.1 68.230.242.20
default-router 10.0.0.225
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name hostname.com
ip name-server 10.0.0.1
ip name-server 68.230.242.20
ip ssh time-out 60
ip ssh authentication-retries 2
! CBAC inspection set, applied outbound on FastEthernet0. It opens temporary
! return-path entries through access-list 101 for sessions started from the
! LAN; it does nothing for connections initiated from the Internet, which
! still need explicit permits in access-list 101 (see the NAT section).
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
! Self-signed certificate backing "ip http secure-server" (SDM over HTTPS).
! Browsers will warn on it; "revocation-check none" is the only sensible
! setting for a self-signed trustpoint.
crypto pki trustpoint TP-self-signed-550081892
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-550081892
revocation-check none
rsakeypair TP-self-signed-550081892
!
!
crypto pki certificate chain TP-self-signed-550081892
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35353030 38313839 32301E17 0D303830 39303331 39353430
345A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3535 30303831
38393230 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B058110C 87475CD1 334913C2 BEA115ED 6838930F 42AFA469 61236207 537808F7
CAA7698D 37D95271 BAC3E175 51D7C2CF 73BF52CF 31B214DC D87E09E4 5E4930C1
6F71F4E3 2363381C C3656538 C52684AF 8393FC3E 9045A471 A9CBB875 48E75F63
1C2C1A9F 80A7E974 08D5E25B 44F9039A 8610128A EA474291 8455C83F 09995223
02030100 01A37730 75300F06 03551D13 0101FF04 05300301 01FF3022 0603551D
11041B30 19821761 6C746465 7369676E 2E616C74 64657369 676E2E63 6F6D301F
0603551D 23041830 168014DF FEBBC362 B34A2423 A1275B9F 263B0874 52898E30
1D060355 1D0E0416 0414DFFE BBC362B3 4A2423A1 275B9F26 3B087452 898E300D
06092A86 4886F70D 01010405 00038181 00074C3E 0E5D3537 D1FD77D2 284A3702
D66140A3 89EF2F2E 36B707B4 0147AF84 D7F477E3 881999B4 A7EBF6CF 79F82128
BE1DAAF8 C362806A 4ECC92B2 B28DAC94 2AFDEA0B CEA3F007 8A1DE105 241D7FCE
00A27F99 10BFF5EA 8BD832E4 B756D267 A0D78F20 EC5D723F A7823933 E6E728FB
43D194AB EB3ADAD7 70E0DC8B 1EFBCD9D 65
quit
! NOTE(review): the only local account, privilege 15. Its hash is now public;
! rotate the password.
username admin privilege 15 secret 5 $1$olX5$1s0iUglEd4qMmkkWsIbTM1
!
!
!
!
!
!
interface Null0
no ip unreachables
!
! WAN side (SDM "outside"). Inbound packets are matched against access-list
! 101 before NAT is applied, so any permit for a published service must name
! the public address X.X.X.X, not the 10.0.0.x target.
interface FastEthernet0
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address X.X.X.X 255.255.255.0
ip access-group 101 in
! uRPF: source-address check against the routing table for inbound packets.
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
! CBAC: tracks sessions leaving this interface and opens the matching return
! path through access-list 101; it does not admit connections from outside.
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
! Second routed port, unused and administratively down.
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
!
! Switch ports belonging to Vlan1; no per-port configuration.
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
! LAN side (SDM "inside"); access-list 100 is the LAN anti-spoof filter.
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 10.0.0.225 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
! 1452 matches a 1492-byte (PPPoE-sized) path MTU -- presumably chosen by SDM
! for the upstream link; confirm against the actual WAN MTU.
ip tcp adjust-mss 1452
!
! Modem/SLIP interface tied to "line 1". It has no address, so it cannot
! carry IP as configured.
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 X.X.X.1 permanent
!
!
! Router management over HTTP/HTTPS, limited to the LAN by access-list 3.
! The plain-HTTP listener can be dropped ("no ip http server") once SDM is
! only used over HTTPS.
ip http server
ip http access-class 3
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
! PAT for LAN clients (access-list 1) behind the FastEthernet0 address.
ip nat inside source list 1 interface FastEthernet0 overload
! NOTE(review): the eleven lines below are the port-forwarding attempt, but
! "ip nat outside source static" is the wrong direction: it rewrites the
! address of an *outside* host as seen from the LAN, so each line says "make
! Internet host X.X.X.X:<port> appear to LAN clients as 10.0.0.x:<port>".
! Publishing an inside server on the WAN address is "ip nat inside source
! static", one line per port, e.g.
!   ip nat inside source static tcp 10.0.0.1 25 interface FastEthernet0 25
! Two further gaps remain after that change:
!  - access-list 101 on FastEthernet0 only permits 443, 22 and cmd (514) to
!    the public address, so 25/26/47/80/81/110/143/1723/3389/50000 are still
!    dropped by its final "deny ip any any log". Each forwarded port needs a
!    matching "permit tcp any host X.X.X.X eq <port>" there, because the
!    inbound ACL is evaluated before NAT.
!  - "tcp ... 47" is TCP port 47, not IP protocol 47 (GRE). PPTP (1723) also
!    needs GRE to reach 10.0.0.1; GRE has no port to translate, so whether it
!    can pass behind a single public address depends on this image's PPTP ALG
!    support (confirm), and access-list 101 would need
!    "permit gre any host X.X.X.X" either way.
! 3389 (RDP) and 1723 (PPTP) open to any source are the widest of these
! exposures; if they must stay reachable, restrict their access-list 101
! permits to known source addresses.
ip nat outside source static tcp X.X.X.X 25 10.0.0.1 25 extendable
ip nat outside source static tcp X.X.X.X 26 10.0.0.1 26 extendable
ip nat outside source static tcp X.X.X.X 47 10.0.0.1 47 extendable
ip nat outside source static tcp X.X.X.X 80 10.0.0.1 80 extendable
ip nat outside source static tcp X.X.X.X 81 10.0.0.79 80 extendable
ip nat outside source static tcp X.X.X.X 110 10.0.0.1 110 extendable
ip nat outside source static tcp X.X.X.X 143 10.0.0.1 143 extendable
ip nat outside source static tcp X.X.X.X 443 10.0.0.79 443 extendable
ip nat outside source static tcp X.X.X.X 1723 10.0.0.1 1723 extendable
ip nat outside source static tcp X.X.X.X 3389 10.0.0.1 3389 extendable
ip nat outside source static tcp X.X.X.X 50000 10.0.0.252 50000 extendable
!
! Trap level is set but no "logging host" exists in this config, so nothing
! is actually sent to a syslog collector.
logging trap debugging
! ACL 1: LAN addresses eligible for PAT (referenced by "ip nat inside source").
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
! ACL 2 is not applied anywhere in this config (leftover).
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.0.0.51
! ACL 3: HTTP/HTTPS management restricted to the LAN.
access-list 3 remark HTTP Access-class list
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 10.0.0.0 0.0.0.255
access-list 3 deny any
! ACL 100, inbound on Vlan1: drops LAN packets spoofing the WAN subnet,
! broadcast or loopback sources, then permits everything else out.
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip X.X.X.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
! ACL 101, inbound on FastEthernet0 -- the Internet-facing filter. This is
! what currently answers the poster's question: only the services permitted
! here reach the router or the LAN; every forwarded port not listed is dropped
! by the final "deny ip any any log", regardless of the NAT statements.
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
! DNS replies to the router's own lookups (CBAC does not track those).
access-list 101 permit udp host 68.230.242.20 eq domain host X.X.X.X
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit icmp any host X.X.X.X echo-reply
access-list 101 permit icmp any host X.X.X.X time-exceeded
access-list 101 permit icmp any host X.X.X.X unreachable
! 443 serves the router's HTTPS management (further limited by access-list 3)
! and, once the NAT direction is fixed, the forward to 10.0.0.79:443.
access-list 101 permit tcp any host X.X.X.X eq 443
! NOTE(review): SSH is reachable from any source. The vty access-class (102)
! refuses non-LAN sessions, but restricting the source here as well keeps
! the connection from reaching the vty at all.
access-list 101 permit tcp any host X.X.X.X eq 22
! NOTE(review): "cmd" is TCP 514 (rsh). Nothing in this config enables rsh on
! the router (no "ip rcmd" lines), so this permit looks unneeded.
access-list 101 permit tcp any host X.X.X.X eq cmd
! Bogon / RFC1918 source filtering. 10.0.0.0/8 below already covers the
! 10.0.0.0/24 deny higher up.
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
! ACL 102: vty (telnet/ssh) sessions restricted to the LAN.
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 deny ip any any
no cdp run
!
!
!
!
!
!
control-plane
!
! Stock SDM exec banner, displayed after a successful login. The "cisco"
! one-time account it refers to is not present in this config; the banner can
! be removed now that the "admin" user exists.
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login authentication local_authen
transport output telnet
! Modem line backing interface Async1. It names no login authentication list,
! so it falls to the aaa default for this line type, which the config never
! defines -- confirm what a dial-in caller is prompted for, or add
! "login authentication local_authen" here as on the other lines.
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
login authentication local_authen
transport output telnet
! vty lines: LAN-only via access-list 102, local AAA for login and exec
! authorization.
line vty 0 4
access-class 102 in
authorization exec local_author
login authentication local_authen
! NOTE(review): telnet is still accepted here and on vty 5 15. SSH is already
! configured ("ip ssh ..." above), so "transport input ssh" removes the
! cleartext management path without losing access.
transport input telnet ssh
line vty 5 15
access-class 102 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
! WebVPN context defined but "no inservice": it is not active.
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
Thank you for any helpful response.
Here is my config file:
!This is the running config of the router: 10.0.0.225
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname hostname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
! Logging goes to the local 51200-byte buffer only: no "logging host" appears
! anywhere in this config, so ACL "log" hits are lost on reload.
logging buffered 51200 debugging
logging console critical
! NOTE(review): this type-5 (MD5) hash has been posted publicly; treat the
! enable secret as disclosed and change it (same for the "admin" user below).
enable secret 5 $1$.ib.$1E3fDsvhDpltndc12K7gu0
!
aaa new-model
!
!
! Named AAA method lists; the con/aux/vty lines reference them by name.
! No "default" login list is defined, so a line that names none uses the
! aaa default behaviour for its line type.
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
! NOTE(review): summer-time is pinned to the 2003 dates, so log timestamps are
! off by an hour outside that window; "clock summer-time PCTime recurring" is
! the usual form. Accurate timestamps matter when reading the ACL 101 log hits.
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
! Server range (.1-.50) and upper range (.151-.254, includes the router at
! .225) are kept out of the DHCP pool.
ip dhcp excluded-address 10.0.0.1 10.0.0.50
ip dhcp excluded-address 10.0.0.151 10.0.0.254
!
ip dhcp pool sdm-pool1
import all
network 10.0.0.0 255.255.255.0
! 68.230.242.20 is the same resolver that access-list 101 permits as a UDP/53
! source to the router; SDM adds that permit because CBAC does not track
! traffic the router itself originates.
dns-server 10.0.0.1 68.230.242.20
default-router 10.0.0.225
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name hostname.com
ip name-server 10.0.0.1
ip name-server 68.230.242.20
ip ssh time-out 60
ip ssh authentication-retries 2
! CBAC inspection set, applied outbound on FastEthernet0. It opens temporary
! return-path entries through access-list 101 for sessions started from the
! LAN; it does nothing for connections initiated from the Internet, which
! still need explicit permits in access-list 101 (see the NAT section).
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
! Self-signed certificate backing "ip http secure-server" (SDM over HTTPS).
! Browsers will warn on it; "revocation-check none" is the only sensible
! setting for a self-signed trustpoint.
crypto pki trustpoint TP-self-signed-550081892
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-550081892
revocation-check none
rsakeypair TP-self-signed-550081892
!
!
crypto pki certificate chain TP-self-signed-550081892
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35353030 38313839 32301E17 0D303830 39303331 39353430
345A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3535 30303831
38393230 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B058110C 87475CD1 334913C2 BEA115ED 6838930F 42AFA469 61236207 537808F7
CAA7698D 37D95271 BAC3E175 51D7C2CF 73BF52CF 31B214DC D87E09E4 5E4930C1
6F71F4E3 2363381C C3656538 C52684AF 8393FC3E 9045A471 A9CBB875 48E75F63
1C2C1A9F 80A7E974 08D5E25B 44F9039A 8610128A EA474291 8455C83F 09995223
02030100 01A37730 75300F06 03551D13 0101FF04 05300301 01FF3022 0603551D
11041B30 19821761 6C746465 7369676E 2E616C74 64657369 676E2E63 6F6D301F
0603551D 23041830 168014DF FEBBC362 B34A2423 A1275B9F 263B0874 52898E30
1D060355 1D0E0416 0414DFFE BBC362B3 4A2423A1 275B9F26 3B087452 898E300D
06092A86 4886F70D 01010405 00038181 00074C3E 0E5D3537 D1FD77D2 284A3702
D66140A3 89EF2F2E 36B707B4 0147AF84 D7F477E3 881999B4 A7EBF6CF 79F82128
BE1DAAF8 C362806A 4ECC92B2 B28DAC94 2AFDEA0B CEA3F007 8A1DE105 241D7FCE
00A27F99 10BFF5EA 8BD832E4 B756D267 A0D78F20 EC5D723F A7823933 E6E728FB
43D194AB EB3ADAD7 70E0DC8B 1EFBCD9D 65
quit
! NOTE(review): the only local account, privilege 15. Its hash is now public;
! rotate the password.
username admin privilege 15 secret 5 $1$olX5$1s0iUglEd4qMmkkWsIbTM1
!
!
!
!
!
!
interface Null0
no ip unreachables
!
! WAN side (SDM "outside"). Inbound packets are matched against access-list
! 101 before NAT is applied, so any permit for a published service must name
! the public address X.X.X.X, not the 10.0.0.x target.
interface FastEthernet0
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address X.X.X.X 255.255.255.0
ip access-group 101 in
! uRPF: source-address check against the routing table for inbound packets.
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
! CBAC: tracks sessions leaving this interface and opens the matching return
! path through access-list 101; it does not admit connections from outside.
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
! Second routed port, unused and administratively down.
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
!
! Switch ports belonging to Vlan1; no per-port configuration.
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
! LAN side (SDM "inside"); access-list 100 is the LAN anti-spoof filter.
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 10.0.0.225 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
! 1452 matches a 1492-byte (PPPoE-sized) path MTU -- presumably chosen by SDM
! for the upstream link; confirm against the actual WAN MTU.
ip tcp adjust-mss 1452
!
! Modem/SLIP interface tied to "line 1". It has no address, so it cannot
! carry IP as configured.
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 X.X.X.1 permanent
!
!
! Router management over HTTP/HTTPS, limited to the LAN by access-list 3.
! The plain-HTTP listener can be dropped ("no ip http server") once SDM is
! only used over HTTPS.
ip http server
ip http access-class 3
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
! PAT for LAN clients (access-list 1) behind the FastEthernet0 address.
ip nat inside source list 1 interface FastEthernet0 overload
! NOTE(review): the eleven lines below are the port-forwarding attempt, but
! "ip nat outside source static" is the wrong direction: it rewrites the
! address of an *outside* host as seen from the LAN, so each line says "make
! Internet host X.X.X.X:<port> appear to LAN clients as 10.0.0.x:<port>".
! Publishing an inside server on the WAN address is "ip nat inside source
! static", one line per port, e.g.
!   ip nat inside source static tcp 10.0.0.1 25 interface FastEthernet0 25
! Two further gaps remain after that change:
!  - access-list 101 on FastEthernet0 only permits 443, 22 and cmd (514) to
!    the public address, so 25/26/47/80/81/110/143/1723/3389/50000 are still
!    dropped by its final "deny ip any any log". Each forwarded port needs a
!    matching "permit tcp any host X.X.X.X eq <port>" there, because the
!    inbound ACL is evaluated before NAT.
!  - "tcp ... 47" is TCP port 47, not IP protocol 47 (GRE). PPTP (1723) also
!    needs GRE to reach 10.0.0.1; GRE has no port to translate, so whether it
!    can pass behind a single public address depends on this image's PPTP ALG
!    support (confirm), and access-list 101 would need
!    "permit gre any host X.X.X.X" either way.
! 3389 (RDP) and 1723 (PPTP) open to any source are the widest of these
! exposures; if they must stay reachable, restrict their access-list 101
! permits to known source addresses.
ip nat outside source static tcp X.X.X.X 25 10.0.0.1 25 extendable
ip nat outside source static tcp X.X.X.X 26 10.0.0.1 26 extendable
ip nat outside source static tcp X.X.X.X 47 10.0.0.1 47 extendable
ip nat outside source static tcp X.X.X.X 80 10.0.0.1 80 extendable
ip nat outside source static tcp X.X.X.X 81 10.0.0.79 80 extendable
ip nat outside source static tcp X.X.X.X 110 10.0.0.1 110 extendable
ip nat outside source static tcp X.X.X.X 143 10.0.0.1 143 extendable
ip nat outside source static tcp X.X.X.X 443 10.0.0.79 443 extendable
ip nat outside source static tcp X.X.X.X 1723 10.0.0.1 1723 extendable
ip nat outside source static tcp X.X.X.X 3389 10.0.0.1 3389 extendable
ip nat outside source static tcp X.X.X.X 50000 10.0.0.252 50000 extendable
!
! Trap level is set but no "logging host" exists in this config, so nothing
! is actually sent to a syslog collector.
logging trap debugging
! ACL 1: LAN addresses eligible for PAT (referenced by "ip nat inside source").
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
! ACL 2 is not applied anywhere in this config (leftover).
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.0.0.51
! ACL 3: HTTP/HTTPS management restricted to the LAN.
access-list 3 remark HTTP Access-class list
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 10.0.0.0 0.0.0.255
access-list 3 deny any
! ACL 100, inbound on Vlan1: drops LAN packets spoofing the WAN subnet,
! broadcast or loopback sources, then permits everything else out.
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip X.X.X.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
! ACL 101, inbound on FastEthernet0 -- the Internet-facing filter. This is
! what currently answers the poster's question: only the services permitted
! here reach the router or the LAN; every forwarded port not listed is dropped
! by the final "deny ip any any log", regardless of the NAT statements.
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
! DNS replies to the router's own lookups (CBAC does not track those).
access-list 101 permit udp host 68.230.242.20 eq domain host X.X.X.X
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit icmp any host X.X.X.X echo-reply
access-list 101 permit icmp any host X.X.X.X time-exceeded
access-list 101 permit icmp any host X.X.X.X unreachable
! 443 serves the router's HTTPS management (further limited by access-list 3)
! and, once the NAT direction is fixed, the forward to 10.0.0.79:443.
access-list 101 permit tcp any host X.X.X.X eq 443
! NOTE(review): SSH is reachable from any source. The vty access-class (102)
! refuses non-LAN sessions, but restricting the source here as well keeps
! the connection from reaching the vty at all.
access-list 101 permit tcp any host X.X.X.X eq 22
! NOTE(review): "cmd" is TCP 514 (rsh). Nothing in this config enables rsh on
! the router (no "ip rcmd" lines), so this permit looks unneeded.
access-list 101 permit tcp any host X.X.X.X eq cmd
! Bogon / RFC1918 source filtering. 10.0.0.0/8 below already covers the
! 10.0.0.0/24 deny higher up.
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
! ACL 102: vty (telnet/ssh) sessions restricted to the LAN.
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 deny ip any any
no cdp run
!
!
!
!
!
!
control-plane
!
! Stock SDM exec banner, displayed after a successful login. The "cisco"
! one-time account it refers to is not present in this config; the banner can
! be removed now that the "admin" user exists.
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login authentication local_authen
transport output telnet
! Modem line backing interface Async1. It names no login authentication list,
! so it falls to the aaa default for this line type, which the config never
! defines -- confirm what a dial-in caller is prompted for, or add
! "login authentication local_authen" here as on the other lines.
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
login authentication local_authen
transport output telnet
! vty lines: LAN-only via access-list 102, local AAA for login and exec
! authorization.
line vty 0 4
access-class 102 in
authorization exec local_author
login authentication local_authen
! NOTE(review): telnet is still accepted here and on vty 5 15. SSH is already
! configured ("ip ssh ..." above), so "transport input ssh" removes the
! cleartext management path without losing access.
transport input telnet ssh
line vty 5 15
access-class 102 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
! WebVPN context defined but "no inservice": it is not active.
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
Thank you for any helpful response.