Website users - no access

Status
Not open for further replies.

lynndawn

Technical User
Nov 6, 2002
NL
I hope that somebody could give me some useful info re the following:

We have a Cisco 1600 router, which was set up incorrectly - everything was allowed access & the firewall is not being used!

I changed the NAT settings to only allow access on our Webserver & on our Mail server via certain ports. We are having no problems with the Mail Server access, but after about 2 days of running with this config, the reply from our Webserver does not work. You can ping the Webserver's IP, yet the homepage is not available. The webpage is still available on our internal network at this stage. Below is our router config:

ip subnet-zero
ip nat inside source list 10 interface Serial0.500 overload
ip nat inside source static tcp xx.xx.xx.xxx 80 xxx.xxx.xxx.xxx 80 extendable
ip nat inside source static tcp xx.xx.xx.xxx 80 xxx.xxx.xxx.xxx 80 extendable
ip nat inside source static tcp xx.xx.xx.xxx 143 xxx.xxx.xxx.xxx 143 extendable
ip nat inside source static tcp xx.xx.xx.xxx 25 xxx.xxx.xxx.xxx 25 extendable
ip domain-name NL.net
ip name-server xxx.xx.xxx.xx
ip name-server xxx.xx.xx.xx
ip inspect name FWALL ftp
ip inspect name FWALL http
ip inspect name FWALL smtp
ip inspect name FWALL tcp timeout 3600
ip inspect name FWALL udp timeout 15
isdn switch-type basic-net3
isdn tei-negotiation first-call
!
interface Ethernet0
ip address xx.xxx.xx.xxx 255.255.255.0
no ip directed-broadcast
ip nat inside
no cdp enable
!
interface Serial0
description link UUNET
no ip address
no ip directed-broadcast
encapsulation frame-relay IETF
bandwidth 1024
no fair-queue
frame-relay lmi-type ansi
!
interface Serial0.500 point-to-point
ip address xxx.xxx.xxx.xx xxx.xxx.xxx.xxx
ip nat outside
no arp frame-relay
no cdp enable
frame-relay interface-dlci 500
!
interface BRI0
ip address xxx.xxx.xxx.xx xxx.xxx.xxx.xxx
ip nat outside
encapsulation ppp
no keepalive
dialer idle-timeout 2147483
dialer enable-timeout 2
dialer string xxxxxxxxx
dialer hold-queue 20
dialer load-threshold 30 either
dialer-group 1
no fair-queue
no cdp enable
ppp quality 50
ppp authentication pap callin
ppp pap sent-username xxxxxxxxxx password xxxxxxxxxxxx
ppp multilink
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.500
access-list 10 permit xx.xx.xx.0 x.x.x.xxx
access-list 100 permit tcp any any
access-list 100 permit udp any any
access-list 100 permit icmp any any
access-list 100 deny ip any any
no cdp run
dialer-list 1 protocol ip permit
banner motd ^C

Any ideas would be GREAT!
Thanks
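
An added example, not part of the original post: a small Python check over the config as posted, which reports that the FWALL inspection rules and access-list 100 are defined but not bound to any interface. The `audit` function and the trimmed sample are constructed for illustration; `ip inspect <name> in|out` and `ip access-group <acl> in|out` are the IOS interface commands it looks for.

```python
import re

# Constructed sample: the relevant lines of the config posted above (addresses stay masked).
SAMPLE_CONFIG = """\
ip nat inside source list 10 interface Serial0.500 overload
ip inspect name FWALL http
ip inspect name FWALL tcp timeout 3600
interface Ethernet0
 ip nat inside
interface Serial0.500 point-to-point
 ip nat outside
access-list 10 permit xx.xx.xx.0 x.x.x.xxx
access-list 100 permit tcp any any
access-list 100 deny ip any any
"""

def audit(config):
    """Return findings for CBAC rule sets and ACLs that are defined but never applied."""
    inspect_defined, inspect_applied = set(), set()
    acl_defined, acl_used, permit_any = set(), set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip inspect name (\S+)", line):
            inspect_defined.add(m.group(1))        # global rule-set definition
        elif m := re.match(r"ip inspect (\S+) (in|out)$", line):
            inspect_applied.add(m.group(1))        # bound to an interface direction
        elif m := re.match(r"access-list (\d+) (permit|deny) (.*)", line):
            acl_defined.add(m.group(1))
            if m.group(2) == "permit" and re.fullmatch(r"(ip|tcp|udp) any any", m.group(3)):
                permit_any.add(m.group(1))
        elif m := re.match(r"ip access-group (\d+) (in|out)$", line):
            acl_used.add(m.group(1))               # ACL filtering an interface
        elif m := re.match(r"ip nat inside source list (\d+) ", line):
            acl_used.add(m.group(1))               # ACL selecting traffic for NAT overload
    findings = []
    for name in sorted(inspect_defined - inspect_applied):
        findings.append(f"inspect rule {name} is defined but applied to no interface")
    for acl in sorted(acl_defined - acl_used):
        findings.append(f"access-list {acl} is defined but never referenced")
    for acl in sorted(permit_any):
        findings.append(f"access-list {acl} permits any-to-any traffic")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```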
 
I run into this from time to time. When you changed the NAT address, did you reload the router or at least clear the IP NAT table (clear ip nat translation *)?

In the same step you can also do a sho ip nat translation and get a list of IP addresses that are being translated.

I limit access via ACLs, so I'm not sure how NAT handles the translations via port number, but I would suspect they should be the same (of course I've been wrong before).

david e
*end users are just like computers, some you can work with...others just need a simple reBOOTing to fix their problems.*
 
As Sobak said, clear your router's cache(s) if that hasn't been done since the NAT address changes.

Clear any current translations.

Also, check to make sure it isn't a simple routing problem. What is the default gateway of your Webserver?
 