
Problems with Cisco Router config and ACLs

Status
Not open for further replies.

twillstera (Technical User, US), Mar 28, 2013
Ok, here's my setup.

Code:
Internet ---- Cable Modem ------ Cisco 1721 ----- Cisco VPN Router ------ Computer
              172.17.2.1       72.17.2.5 (ext)      10.10.10.2
              (pub IP)         10.10.10.1 (int)

I'm working on the Cisco 1721. I'm trying to set up some pretty restrictive ACLs that will only allow certain traffic in and out via specific IPs. Here's the config I've got currently that is not working.

Code:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2010.12.08 15:51:38 =~=~=~=~=~=~=~=~=~=~=~=

Building configuration...

Current configuration : 4383 bytes
!
! No configuration change since last restart
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$gB8c$EYmW6DqwhG6TnT1GQ2l9B/
enable password 7 13081619021805
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
! 
no crypto isakmp enable
!
!
interface FastEthernet0
 ip address 172.17.2.5 255.255.255.248
 ip access-group 101 in
 ip nat outside
 speed auto
 full-duplex
!
interface FastEthernet1
 switchport access vlan 15
 no ip address
 vlan-id dot1q 15
  exit-vlan-config
 !
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface FastEthernet4
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan15
 ip address 10.10.10.1 255.255.255.248
 ip access-group 102 in
 ip nat inside
!
ip default-gateway 172.17.2.1
ip classless
ip route 0.0.0.0 0.0.0.0 172.17.2.1
!
no ip http server
no ip http secure-server
ip nat inside source static 10.10.10.2 interface FastEthernet0
!
!
access-list 101 permit ip host 170.209.0.2 host 172.17.2.5 log;
access-list 101 permit ip host 170.209.0.3 host 172.17.2.5 log;
access-list 101 permit tcp any host 10.10.10.2 established log;
access-list 101 permit tcp any host 96.31.27.12 established log;
access-list 101 permit icmp host 204.146.172.230 host 172.17.2.5 log;
access-list 101 permit icmp host 12.129.203.103 host 172.17.2.5 log;
access-list 101 permit udp any host 255.255.255.255 log;
access-list 101 deny   ip any any log;
access-list 102 permit ip host 10.10.10.2 host 170.209.0.3 log;
access-list 102 permit ip host 10.10.10.2 host 170.209.0.2 log;
access-list 102 permit icmp host 10.10.10.2 host 204.146.172.230 log;
access-list 102 permit icmp host 10.10.10.2 host 12.129.203.103 log;
access-list 102 deny   ip any any log
!
!
control-plane
!
!
!
!
!
!
!
banner motd ^C
**********************************************************************
WARNING: This system is for the use of authorized clients only.
Individuals using the computer network system without authorization,
or in excess of their authorization, are subject to having all their
activity on this computer network system monitored and recorded by
system personnel.  To protect the computer network system from
unauthorized use and to ensure the computer network systems is
functioning properly, system administrators monitor this system.
Anyone using this computer network system expressly consents to such
monitoring and is advised that if such monitoring reveals possible
conduct of criminal activity, system personnel may provide the
evidence of such activity to law enforcement officers.
!
Access is restricted to authorized users only. Unauthorized access is
a violation of state and federal, civil and criminal laws.
**********************************************************************^C
!
line con 0
 password 7 151F0A070D3E2A
 login
 transport preferred none
line aux 0
 password 7 151F0A070D3E2A
line vty 0 4
 password 7 04560A0D06354D
 login
!
no scheduler allocate
end

router#

I want to only allow certain external IPs in (for VPN traffic) to my internal VPN device. Other external IPs should be able to ping the same internal device to verify that it is alive. I also want any traffic that was established from the internal address to be allowed back in as well. I know I have something hosed up in my ACL and also possibly in my interface configuration.

The 4-port Ethernet card I have in is a switchport card, so that's why I have to use the VLANs. A simpler configuration without the ACLs seems to work fine.

One of the other catches is this: my ISP said I was "leaking" my 10.10.10.0/24 addresses to their network, so they disabled my cable modem because it was causing problems with their VoIP customers, which use the same IP subnet as my internal addresses.

Any help would be appreciated. I'm bordering on being able to grasp the ACLs and routing, but I'm just not quite there.

Thanks,
Adam
 
ip local pool Remote_VPN xxx.xx.xx.xx xxx.xxx.xxx.xx
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxxx
 
Thanks for your input tphethai.

I think I figured it out at the end of the week last week.

I ended up setting my access group in/out both on the Fa0 instead of on VLAN 15. Did some testing with ICMP traffic and got the rest sorted out after that. Also, since I was NATting my internal IP of 10.10.10.2 to my Fa0 IP, I changed my access lists to reflect the public IP on Fa0 instead of 10.10.10.2.

We'll see if my ISP sees any traffic from 10.10.10.x subnet and go from there.

Thanks again
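Added example, not code from the thread: a small Python model of why the first config's `permit tcp any host 10.10.10.2 established` entry could never match return traffic. It assumes the IOS order of operations on the NAT outside interface (inbound ACL is evaluated before outside-to-inside translation, so the ACL sees the public address); the reply packet and its source address 203.0.113.9 are constructed.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str         # "tcp", "udp", "icmp" or "ip"
    src: str
    dst: str
    ack: bool = False  # TCP ACK/RST set: what the "established" keyword tests

def parse_ace(line):
    """Parse 'access-list N permit tcp any host A.B.C.D established log;'."""
    t = line.rstrip(";").split()
    action, proto, rest = t[2], t[3], t[4:]
    addrs = []
    while len(addrs) < 2:  # source, then destination
        kw = rest.pop(0)
        assert kw in ("any", "host"), "only any/host are modelled: " + kw
        addrs.append(rest.pop(0) if kw == "host" else None)
    return action, proto, addrs[0], addrs[1], "established" in rest

def match(ace, pkt):
    _, proto, src, dst, est = ace
    if proto != "ip" and proto != pkt.proto: return False
    if src is not None and src != pkt.src: return False
    if dst is not None and dst != pkt.dst: return False
    return not est or (pkt.proto == "tcp" and pkt.ack)

def evaluate(acl, pkt):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for ace in map(parse_ace, acl):
        if match(ace, pkt):
            return ace[0]
    return "deny"

# Constructed reply packet from an Internet host to the router's public address.
# On the outside interface the inbound ACL runs before outside-to-inside NAT,
# so the ACL still sees dst 172.17.2.5, never the translated 10.10.10.2.
REPLY = Packet("tcp", "203.0.113.9", "172.17.2.5", ack=True)
ACL_FIRST_POST = [  # relevant entries of ACL 101 from the first posted config
    "access-list 101 permit tcp any host 10.10.10.2 established log;",
    "access-list 101 deny   ip any any log;",
]
ACL_REVISED = [     # the same entries after switching to the public IP
    "access-list 101 permit tcp any host 172.17.2.5 established log;",
    "access-list 101 deny   ip any any log;",
]

def return_traffic_verdicts():
    return evaluate(ACL_FIRST_POST, REPLY), evaluate(ACL_REVISED, REPLY)
```

A fresh inbound SYN (no ACK bit) is still denied by the revised list, which is the whole point of `established`.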
 
Ok, so just found out from my ISP that my cisco is still throwing IP addresses out. I'm at a loss. Here's their proof.

Code:
CMTS:7A#show cable modem 001a.dea8.be3c hosts
Intf  Prim   Prim   Prim  Connect    Timing RxPwr Ip Address      Mac Address
Cable DS     US     Sid   State      Offset dBmV
2/1  13D5C0 U6C0L0 8449  online(pt) 6541   0.1   X.X.X.X     001a.dea8.be3c
List of CPE MAC and IP addresses
000c.308e.afcf -> 10.10.10.0
000c.308e.afcf -> 72.17.2.5
000c.308e.afcf -> 10.10.10.3
001e.e5ed.e73d -> 72.17.2.156 (this is another router that is not behind or in front of my cisco 1700.  It can be ignored)
Number of Hosts = 4
CMTS:7A#

Here's the current config that I've got on it.

Code:
Building configuration...

Current configuration : 4383 bytes
!
! No configuration change since last restart
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$gB8c$EYmW6DqwhG6TnT1GQ2l9B/
enable password 7 13081619021805
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
no crypto isakmp enable
!
!
interface FastEthernet0
 ip address 172.17.2.5 255.255.255.0
 ip access-group 101 in
 ip access-group 102 out
 ip nat outside
 speed auto
 full-duplex
!
interface FastEthernet1
 switchport access vlan 15
 no ip address
 vlan-id dot1q 15
  exit-vlan-config
 !
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface FastEthernet4
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan15
 ip address 10.10.10.1 255.255.255.248
 ip nat inside
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.17.2.1
!
no ip http server
no ip http secure-server
ip nat inside source static 10.10.10.2 172.17.2.5
!
!
access-list 101 permit ip host 170.209.0.2 host 172.17.2.5 log;
access-list 101 permit ip host 170.209.0.3 host 172.17.2.5 log;
access-list 101 permit tcp any host 172.17.2.5 established log;
access-list 101 permit icmp host 204.146.172.230 host 172.17.2.5 log;
access-list 101 permit icmp host 204.146.166.107 host 172.17.2.5 log;
access-list 101 deny   ip any any log;
access-list 102 permit ip host 172.17.2.5 host 170.209.0.3 log;
access-list 102 permit ip host 172.17.2.5 host 170.209.0.2 log;
access-list 102 permit icmp host 172.17.2.5 host 204.146.172.230 log;
access-list 102 permit icmp host 172.17.2.5 host 204.146.166.107 log;
access-list 102 deny   ip any any log
!
!
control-plane
!
!
banner motd ^C
**********************************************************************
WARNING: This system is for the use of authorized clients only.
Individuals using the computer network system without authorization,
or in excess of their authorization, are subject to having all their
activity on this computer network system monitored and recorded by
system personnel.  To protect the computer network system from
unauthorized use and to ensure the computer network systems is
functioning properly, system administrators monitor this system.
Anyone using this computer network system expressly consents to such
monitoring and is advised that if such monitoring reveals possible
conduct of criminal activity, system personnel may provide the
evidence of such activity to law enforcement officers.
!
Access is restricted to authorized users only. Unauthorized access is
a violation of state and federal, civil and criminal laws.
**********************************************************************^C
!
line con 0
 password 7 151F0A070D3E2A
 login
 transport preferred none
line aux 0
 password 7 151F0A070D3E2A
line vty 0 4
 password 7 04560A0D06354D
 login
!
no scheduler allocate
end

router#

The goofiest thing is that I don't have any 10.10.10.3 hosts plugged into the router or any interfaces configured with that IP so I'm not sure where that is coming from. And you can see that I don't have DHCP set up on the router either. We swapped out one 1700 for a completely different one and the only similarity is the 4 nic switchport interface card on it.

Any ideas from anyone now?

tphethai, I looked at your post again and it doesn't make much sense to me. From what I've read, the ip forward-protocol nd only deals with some sort of network disk protocol which isn't used anymore by anyone AFAIK. Can you expand on the other two lines?

Thanks
 
I see 72.17.2.5 as your public to which the inside is supposed to be NATted? But your fa0 is 172.17.2.5...coinkidink or is this wrong??

ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY
 
which would mean you're NATting private to private.

Also, why not use the 1721 as the VPN router?

 
Sorry, I changed my public IPs to dummy IPs to minimize my potential for attack. When typing I forgot the 1 in front of the 72 so you can read that 'show cable modem' output as 172.17.2.5.

As far as using the 1721 as the VPN router, it's a Federal Reserve VPN router so they control the VPN router itself. Our 1721 is simply a middle-man for the VPN router. I didn't make that decision, I was told to jump and I asked how high.
 
One addition. We're planning on replacing the WIC-4ESW with a WIC-1ENET interface card to take the switchport and VLANs out of the config. Not sure that will fix the problem, but it should reduce the complexity.

 