871 Config issues

phillip
Level 1

Ok, I don't know if it's just staring at me, ridiculing me, but I am feeling like an idiot here... I have an 871 and all I need to do is some basic rules..

Here is the config I am having the issue with...

I need these statics:

.227 opened and forwarded to these ports:

10.0.0.240 80 tcp
10.0.0.241 81 tcp
10.0.0.242 82 tcp
10.0.0.243 83 tcp
10.0.0.244 84 tcp
10.0.0.9 3389 tcp

then .228 forwarded and all ports opened to 10.0.0.15

Right now it's working for the .228, but the .227 is blocking everything.. If I remove the lines for the 10.0.0.15 *.*.*.228 then everything works for the .227 statics and ports..

What is wrong here???


s run
Building configuration...
Current configuration : 4747 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname ******
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
clock timezone MST -7
ip cef
!
!
!
!
ip name-server *.*.*.65
ip name-server *.*.*.65
ip inspect log drop-pkt
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp router-traffic
ip inspect name SDM_LOW udp router-traffic
ip inspect name SDM_LOW vdolive
!
!
crypto pki trustpoint TP-self-signed-974215006
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-974215006
revocation-check none
rsakeypair TP-self-signed-974215006
!
!
crypto pki certificate chain TP-self-signed-974215006
certificate self-signed 01
  30820242 308201AB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 39373432 31353030 36301E17 0D313330 31303231 35333430
  315A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3937 34323135
  30303630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  CE70D924 A69C5408 AF2DC7DF CD6C4FB4 6FF8B3A7 04380A8B AC07B63F DF47B76C
  9269256B 2D166D76 DFEEB4A1 A7F3CD14 87018C5E 00957EE5 233F76EE 8D0EB13E
  D33FE972 77661DF2 B2BBC711 E09CF82F 7FC907DF 5591C326 CF80D599 09017B23
  AB6F3589 A983AC80 2C92D62D E15FF75B 14241C9B 394BED17 69F2BE7F 69BB21EF
  02030100 01A36C30 6A300F06 03551D13 0101FF04 05300301 01FF3017 0603551D
  11041030 0E820C52 69766965 72615F6D 65736130 1F060355 1D230418 30168014
  8F9D3891 FB866320 C9C2FA5B 7AEE8A53 91F495DD 301D0603 551D0E04 1604148F
  9D3891FB 866320C9 C2FA5B7A EE8A5391 F495DD30 0D06092A 864886F7 0D010104
  05000381 81005F45 DD5BBAE3 960E8930 1C88ACEC 4D190FEC C8C6FA71 48FB8CB8
  969BD344 1FC0E8C6 98C4ED1D B559A772 1A3ED3D9 1C75D143 BE642414 B049118C
  858422D5 E84617E9 018B1B66 341E928D EAE0E568 923424C4 BF31DFFF E7E5A490
  B24D2DBC CE5DC6FF 306EC1C2 BD4DDC04 4AE70B0B 5CFE9426 21B5F83E CA6D28E0
  3B93DCA9 015E
  quit
username****** privilege 15 secret 5 34yweth2453723475
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$
ip address *.*.*.226 255.255.255.248
ip access-group 101 in
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
description $FW_INSIDE$
ip address 10.0.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 *.*.*.225
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool outside_ip_pool *.*.*.227 *.*.*.230 netmask 255.255.255.248
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 10.0.0.240 80 *.*.*.227 80 extendable
ip nat inside source static tcp 10.0.0.241 81 *.*.*.227 81 extendable
ip nat inside source static tcp 10.0.0.242 82 *.*.*.227 82 extendable
ip nat inside source static tcp 10.0.0.243 83 *.*.*.227 83 extendable
ip nat inside source static tcp 10.0.0.244 84 *.*.*.227 84 extendable
ip nat inside source static tcp 10.0.0.9 3389 *.*.*.227 3389 extendable
ip nat inside source static 10.0.0.15 *.*.*.228
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration##NO_ACES_4##
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip *.*.*.224 0.0.0.7 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit ip any host *.*.*.228
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end


Jouni Forss
VIP Alumni

Hi,

I'm not really familiar with the Router Firewalls, but I'd just point out what caught my eye (even though there might not be anything wrong about them):

  • You have ACL 101 attached to the outside interface and it only allows traffic to .228
  • You have some outside_ip_pool configuration line that includes the IPs you're going to use for both Static NAT and Port Forward. Shouldn't you leave the .227 and .228 out of the Pool range?

- Jouni
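Spelling out the two points in the reply as configuration, as an added example rather than anything posted in the thread: the outside-interface ACL below permits exactly the forwards the original post asks for, and the pool is narrowed to the addresses that are not statically mapped. It keeps the masked *.*.*.x notation from the post, and the 203.0.113.0/24 source range on the RDP entry is an assumed placeholder for an administrator's network (the original request was `any`). One detail that explains the symptom: IOS evaluates an inbound ACL on the outside interface before outside-to-inside NAT, so the entries must name the public addresses (.227 and .228), not the 10.0.0.x hosts. The new list is built under a different number and then swapped onto FastEthernet4 so the interface is never left without a filter.

```cisco
! Added example, not from the thread. Builds a replacement for ACL 101 that
! covers every static in the original post, then applies it to FastEthernet4.
! The ACL is checked before NAT for traffic arriving on the outside interface,
! so it matches on the public (*.*.*.227 / *.*.*.228) addresses.
access-list 102 remark Port forwards on .227 (public-side addresses)
access-list 102 permit tcp any host *.*.*.227 eq 80
access-list 102 permit tcp any host *.*.*.227 eq 81
access-list 102 permit tcp any host *.*.*.227 eq 82
access-list 102 permit tcp any host *.*.*.227 eq 83
access-list 102 permit tcp any host *.*.*.227 eq 84
access-list 102 remark RDP: 203.0.113.0/24 is an assumed admin range, replace as needed
access-list 102 permit tcp 203.0.113.0 0.0.0.255 host *.*.*.227 eq 3389
access-list 102 remark One-to-one static NAT for 10.0.0.15, as in the post
access-list 102 permit ip any host *.*.*.228
access-list 102 remark Explicit final deny with log so drops show up in the buffer
access-list 102 deny   ip any any log
!
! Swap the list on the outside interface, then retire the old one.
interface FastEthernet4
 ip access-group 102 in
!
no access-list 101
!
! Pool: keep the statically mapped .227 and .228 out of the range, as the
! reply suggests. Note that nothing in the posted config references this
! pool (overload uses the interface address), so it could also just be removed.
no ip nat pool outside_ip_pool
ip nat pool outside_ip_pool *.*.*.229 *.*.*.230 netmask 255.255.255.248
```

With only the single `permit ip any host *.*.*.228` line in place, every packet to .227 falls through to the implicit deny at the end of the list, which is exactly the "blocking everything" behaviour described in the post; return traffic for sessions started from the inside is still opened dynamically by the `ip inspect SDM_LOW out` statement on the same interface, which is why outbound browsing kept working.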
