topic Cisco Nat or Firewall Issue in Network Security

Cisco Nat or Firewall Issue

nemiath76 — Mon, 11 Mar 2019 23:50:31 GMT

Hello,

I have an issue with my 1841. I am trying to access an internal web server with the ip 192.168.0.253 from the internet but

connection gets refused.

I am not certain if its a nat issue or a firewall issue.

Can anyone provide me with some issue?

I am attaching part of the confuguration.

interface Dialer1

mtu 1492

ip address negotiated

ip access-group ADSL_Firewall in

no ip proxy-arp

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

ipv6 traffic-filter ADSL_Firewall_v6 in

ppp authentication chap pap callin

ppp chap hostname kkouts

ppp chap password 7 000816010B095B5656

ppp pap sent-username kkouts password 7 10420C1E0A45425B55

ppp ipcp dns request accept

interface Dialer11

no ip address

no ip proxy-arp

no cdp enable

interface BVI1

ip address 192.168.0.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

ipv6 address 2001:470:1F13:DA5::1/64

ip forward-protocol nd

ip http authentication local

ip dns server

ip nat inside source static tcp 192.168.0.253 80 interface Dialer1 80

ip nat inside source static udp 192.168.0.1 60000 interface Dialer1 60000

ip nat inside source route-map NAT_DIALER interface Dialer1 overload

ip nat inside source route-map NAT_MIKROTIK interface FastEthernet0/0 overload

ip default-network 91.132.1.0

ip route 0.0.0.0 0.0.0.0 Dialer1

ip route 10.0.0.0 255.0.0.0 10.2.101.1

ip access-list extended ADSL_Firewall

permit udp any host 91.132.216.248 eq domain

permit tcp any host 91.132.216.248 eq www log

deny ip 127.0.0.0 0.255.255.255 any

deny ip 224.0.0.0 15.255.255.255 any

deny udp any any eq snmp

deny ip 192.168.0.0 0.0.0.255 any

deny ip 172.16.0.0 0.0.255.255 any

deny ip 10.0.0.0 0.0.0.255 any

deny tcp any any lt 1024

permit gre any any

deny udp any any lt 1024

permit ip any any

ip access-list extended Telnet_VTY

permit tcp 192.168.0.0 0.0.0.255 any eq 22

deny ip any any

logging esm config

access-list 1 permit 192.168.0.0 0.0.0.255

dialer-list 1 protocol ip permit

no cdp run

route-map NAT_MIKROTIK permit 10

match ip address 1

route-map NAT_DIALER permit 10

match ip address 1

match interface Dialer1

Cisco Nat or Firewall Issue

Julio Carvajal — Wed, 05 Sep 2012 19:09:06 GMT

Hello Karolos,

I would guess 91.132.216.248 is interface dialer1

If you do a show access-list ADSL_Firewall

Do you see any hits on the ACL?

Cisco Nat or Firewall Issue

nemiath76 — Thu, 06 Sep 2012 19:27:31 GMT

This is what i get ..

As you can see there are matches to the first rule which is the correct one.

I verified that the matches increment when i reload the page of an outside internet connected device.

Does this mean its a routing / nat issue?

10 permit tcp any host 91.132.216.248 eq www (86 matches)

30 permit udp any host 91.132.216.248 eq domain

70 deny ip 127.0.0.0 0.255.255.255 any

80 deny ip 224.0.0.0 15.255.255.255 any

90 deny udp any any eq snmp

100 deny ip 192.168.0.0 0.0.0.255 any

110 deny ip 172.16.0.0 0.0.255.255 any

120 deny ip 10.0.0.0 0.0.0.255 any

130 deny tcp any any lt 1024 (17 matches)

140 permit gre any any

146 permit ip any any (3350 matches)

150 deny udp any any lt 1024 (5 matches)

Cisco Nat or Firewall Issue

Julio Carvajal — Thu, 06 Sep 2012 19:34:00 GMT

Hello Karolos,

It means that the router is doing it's job so it could be a Server issue.

In order to make sure this is the case lets do a capture

ip access-list extended to_server-in

permit tcp any host 192.168.0.253 eq 80

permit ip any any

ip access-list extended server_to_out

permit tcp host 192.168.0.253 eq 80 any

permit ip any any

interface BVI1

ip access-group to_server-in out

ip access-group server_to_out in

Then attemtp to connect and provide me the following

show access-list to_server-in

show access-list server_to_out

Regards,

Remember to rate all the helpful posts, that is as important as a thanks

Cisco Nat or Firewall Issue

nemiath76 — Fri, 07 Sep 2012 11:33:11 GMT

Thanks again for your valuable assistance... below is the output of the show access-list in and out directives after modifying the config as you requested.

Aeon#show access-lists to_server_in

Extended IP access list to_server_in

10 permit tcp any host 192.168.0.253 eq www (3 matches)

20 permit ip any any (168 matches)

Aeon#show access-lists to_server_out

Extended IP access list to_server_out

10 permit tcp host 192.168.0.253 eq www any

20 permit ip any any (464 matches)

Also a trace from my workstation. (web server has also established and tested connectivity to the web).

Translating "www.in.gr"...domain server (91.132.4.4) [OK]

Type escape sequence to abort.

Tracing the route to www.in.gr (212.205.159.143)

1 * * *

2 91.132.2.122 36 msec 32 msec 32 msec

3 otenet.gr-ix.gr (83.212.8.4) 32 msec 32 msec 32 msec

4 athe-crsa-athe7609k1-1.backbone.otenet.net (79.128.227.17) 32 msec 36 msec 32 msec

5 nyma-crsa-athe-crsa-1.backbone.otenet.net (79.128.224.34) 36 msec 36 msec 36 msec

6 maro7609b-nyma-crsa-1.backbone.otenet.net (79.128.226.38) 32 msec 32 msec 32 msec

7 79.128.252.222 32 msec 32 msec 32 msec

8 79.128.252.222 !A * *

Cisco Nat or Firewall Issue

nemiath76 — Fri, 07 Sep 2012 11:40:22 GMT

You where correct. It was a server issue. The server is a NAS device. After serching the security features i found that there was an allow only 192.168.0.0/24 option in the connection settings thus preventing any connection comming from outside the router to be established.

Thanks for your guidance and efford again.

Cisco Nat or Firewall Issue

Julio Carvajal — Fri, 07 Sep 2012 16:21:23 GMT

Hello Karolos,

Yes, after checking the ACL's I could see the packets going out the inside interface to the server but no reply.

Check the ACL hits so you can troubleshoot that for the nex time.

Remember to rate all of the answers, for the community that is as important as a thanks

Glad I could help

Julio