Cisco Nat or Firewall Issue

nemiath76
Level 1

Hello,

I have an issue with my 1841. I am trying to access an internal web server with the IP 192.168.0.253 from the internet, but the connection gets refused.

I am not certain if it's a NAT issue or a firewall issue.

Can anyone provide me with some issue?

I am attaching part of the configuration.

interface Dialer1
 mtu 1492
 ip address negotiated
 ip access-group ADSL_Firewall in
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ipv6 traffic-filter ADSL_Firewall_v6 in
 ppp authentication chap pap callin
 ppp chap hostname kkouts
 ppp chap password 7 000816010B095B5656
 ppp pap sent-username kkouts password 7 10420C1E0A45425B55
 ppp ipcp dns request accept
!
interface Dialer11
 no ip address
 no ip proxy-arp
 no cdp enable
interface BVI1
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 ipv6 address 2001:470:1F13:DA5::1/64
!
ip forward-protocol nd
ip http authentication local
!
!
ip dns server
ip nat inside source static tcp 192.168.0.253 80 interface Dialer1 80
ip nat inside source static udp 192.168.0.1 60000 interface Dialer1 60000
ip nat inside source route-map NAT_DIALER interface Dialer1 overload
ip nat inside source route-map NAT_MIKROTIK interface FastEthernet0/0 overload
ip default-network 91.132.1.0
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.0.0.0 255.0.0.0 10.2.101.1
!
ip access-list extended ADSL_Firewall
 permit udp any host 91.132.216.248 eq domain
 permit tcp any host 91.132.216.248 eq www log
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   udp any any eq snmp
 deny   ip 192.168.0.0 0.0.0.255 any
 deny   ip 172.16.0.0 0.0.255.255 any
 deny   ip 10.0.0.0 0.0.0.255 any
 deny   tcp any any lt 1024
 permit gre any any
 deny   udp any any lt 1024
 permit ip any any
ip access-list extended Telnet_VTY
 permit tcp 192.168.0.0 0.0.0.255 any eq 22
 deny   ip any any
!
logging esm config
access-list 1 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map NAT_MIKROTIK permit 10
 match ip address 1
!
route-map NAT_DIALER permit 10
 match ip address 1
 match interface Dialer1
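To make the first-match logic of the ADSL_Firewall ACL concrete, here is an added Python example (not from the thread and not Cisco code) that parses the ACL exactly as posted above and evaluates a few inbound packets against it. It assumes IOS's default sequence numbering (10, 20, ...) and only the address and port syntax that this particular ACL uses, and it models the IOS behaviour that an inbound ACL on the outside interface is checked before NAT, which is why the ACL has to name the public address 91.132.216.248 rather than 192.168.0.253.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample input: the ADSL_Firewall ACL exactly as posted in the question.
ADSL_FIREWALL = """\
permit udp any host 91.132.216.248 eq domain
permit tcp any host 91.132.216.248 eq www log
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 224.0.0.0 15.255.255.255 any
deny   udp any any eq snmp
deny   ip 192.168.0.0 0.0.0.255 any
deny   ip 172.16.0.0 0.0.255.255 any
deny   ip 10.0.0.0 0.0.0.255 any
deny   tcp any any lt 1024
permit gre any any
deny   udp any any lt 1024
permit ip any any
"""

# IOS port keywords that appear in the posted ACL (assumption: this subset is enough here).
PORT_NAMES = {"www": 80, "domain": 53, "snmp": 161}


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Callable[[Optional[int]], bool]
    dst: ipaddress.IPv4Network
    dport: Callable[[Optional[int]], bool]
    text: str


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # An IOS wildcard mask sets the don't-care bits, so the netmask is its complement
    # (contiguous wildcards only; ip_network raises on a non-contiguous mask).
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = str(ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF))
    return ipaddress.ip_network((tokens[i], netmask), strict=False), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq|lt|gt VALUE' at tokens[i]; return (predicate, next index)."""
    if i < len(tokens) and tokens[i] in ("eq", "lt", "gt"):
        op, raw = tokens[i], tokens[i + 1]
        value = PORT_NAMES[raw] if raw in PORT_NAMES else int(raw)
        ops = {"eq": lambda p: p == value, "lt": lambda p: p < value, "gt": lambda p: p > value}
        test = ops[op]
        # A packet without a port (e.g. GRE) can never satisfy a port qualifier.
        return (lambda p: p is not None and test(p)), i + 2
    return (lambda p: True), i


def parse_acl(text: str) -> List[Ace]:
    """Turn extended-ACL lines into entries, numbered 10, 20, ... as IOS does by default."""
    entries = []
    for n, line in enumerate(l for l in text.splitlines() if l.strip()):
        tok = line.split()
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)  # a trailing 'log' keyword is ignored
        entries.append(Ace(10 * (n + 1), tok[0], tok[1], src, sport, dst, dport, " ".join(tok)))
    return entries


def evaluate(acl: List[Ace], proto: str, src: str, sport, dst: str, dport):
    """First-match evaluation: return (action, seq) of the ACE that decides the packet.

    For a packet arriving inbound on the outside interface, IOS checks the ACL
    before NAT, so `dst` is the public (pre-translation) address.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s in ace.src and ace.sport(sport) and d in ace.dst and ace.dport(dport):
            return ace.action, ace.seq
    return "deny", None  # the implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    acl = parse_acl(ADSL_FIREWALL)
    print(evaluate(acl, "tcp", "203.0.113.7", 51515, "91.132.216.248", 80))  # ('permit', 20)
    print(evaluate(acl, "tcp", "203.0.113.7", 51515, "91.132.216.248", 22))  # ('deny', 90)
```

Running it shows that an inbound TCP connection to port 80 stops at line 20 (the permit with log), well before the deny tcp any any lt 1024 at line 90, which is consistent with hits showing up on the www line when the server is reached from outside; a connection to port 22 from outside is dropped by line 90 instead. A check like this is useful when reviewing an ACL before a change; on the device itself the counters in show access-lists remain the authoritative evidence.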


6 Replies

Julio Carvajal
VIP Alumni

Hello Karolos,

I would guess 91.132.216.248 is interface Dialer1.

If you do a show access-list ADSL_Firewall, do you see any hits on the ACL?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

This is what I get:

As you can see there are matches to the first rule, which is the correct one.

I verified that the matches increment when I reload the page from an outside internet-connected device.

Does this mean it's a routing / NAT issue?

    10 permit tcp any host 91.132.216.248 eq www (86 matches)
    30 permit udp any host 91.132.216.248 eq domain
    70 deny ip 127.0.0.0 0.255.255.255 any
    80 deny ip 224.0.0.0 15.255.255.255 any
    90 deny udp any any eq snmp
    100 deny ip 192.168.0.0 0.0.0.255 any
    110 deny ip 172.16.0.0 0.0.255.255 any
    120 deny ip 10.0.0.0 0.0.0.255 any
    130 deny tcp any any lt 1024 (17 matches)
    140 permit gre any any
    146 permit ip any any (3350 matches)
    150 deny udp any any lt 1024 (5 matches)

Hello Karolos,

It means that the router is doing its job, so it could be a server issue.

In order to make sure this is the case, let's do a capture:

ip access-list extended to_server-in
 permit tcp any host 192.168.0.253 eq 80
 permit ip any any
ip access-list extended server_to_out
 permit tcp host 192.168.0.253 eq 80 any
 permit ip any any
interface BVI1
 ip access-group to_server-in out
 ip access-group server_to_out in

Then attempt to connect and provide me the following:

show access-list to_server-in
show access-list server_to_out

Regards,

Remember to rate all the helpful posts, that is as important as a thanks

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
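The capture described in this reply works through hit counters: the specific permit line sits before permit ip any any so that only the HTTP packets land on it, to_server-in applied out on BVI1 counts the request leaving the router toward the server, and server_to_out applied in on BVI1 counts the server's reply. Comparing the counters before and after one connection attempt then tells you which leg is missing. As an added illustration (not part of the thread and not Cisco code), the following Python parses show access-lists output, diffs two snapshots and applies that reasoning. Both snapshots are constructed for the example, using the ACL names from the reply above; the parser assumes the output format shown in this thread.

```python
import re
from typing import Dict, Tuple

# Constructed snapshots in the format the thread shows: counters right after the
# capture ACLs were applied (BEFORE) and after one HTTP connection attempt (AFTER).
BEFORE = """\
Aeon#show access-lists to_server-in
Extended IP access list to_server-in
    10 permit tcp any host 192.168.0.253 eq www
    20 permit ip any any (12 matches)
Aeon#show access-lists server_to_out
Extended IP access list server_to_out
    10 permit tcp host 192.168.0.253 eq www any
    20 permit ip any any (40 matches)
"""
AFTER = """\
Aeon#show access-lists to_server-in
Extended IP access list to_server-in
    10 permit tcp any host 192.168.0.253 eq www (3 matches)
    20 permit ip any any (168 matches)
Aeon#show access-lists server_to_out
Extended IP access list server_to_out
    10 permit tcp host 192.168.0.253 eq www any
    20 permit ip any any (464 matches)
"""

LIST_RE = re.compile(r"^Extended IP access list (\S+)")
ACE_RE = re.compile(r"^\s*(\d+)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")

Snapshot = Dict[str, Dict[int, Tuple[str, int]]]


def parse_show_access_lists(output: str) -> Snapshot:
    """Parse 'show access-lists' output into {acl_name: {seq: (ace_text, hits)}}.
    An ACE printed without '(N matches)' has zero hits."""
    snap: Snapshot = {}
    current = None
    for line in output.splitlines():
        m = LIST_RE.match(line)
        if m:
            current = m.group(1)
            snap[current] = {}
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            snap[current][int(m.group(1))] = (m.group(2), int(m.group(3) or 0))
    return snap


def hit_delta(before: Snapshot, after: Snapshot) -> Snapshot:
    """Per ACL and ACE, how many hits were added between the two snapshots (zero deltas dropped).
    IOS counters only grow unless cleared, so a negative delta means a clear happened in between."""
    delta: Snapshot = {}
    for name, aces in after.items():
        for seq, (text, hits) in aces.items():
            prev = before.get(name, {}).get(seq, (text, 0))[1]
            if hits != prev:
                delta.setdefault(name, {})[seq] = (text, hits - prev)
    return delta


def diagnose(delta: Snapshot, acl_in: str = "to_server-in",
             acl_out: str = "server_to_out", seq: int = 10) -> str:
    """The reasoning from the thread: to_server-in (applied 'out' on BVI1) counts the
    request leaving the router toward the server, server_to_out (applied 'in') counts
    the server's reply coming back."""
    reached = delta.get(acl_in, {}).get(seq, ("", 0))[1] > 0
    replied = delta.get(acl_out, {}).get(seq, ("", 0))[1] > 0
    if reached and not replied:
        return "request reached the server, no reply seen: look at the server itself"
    if reached and replied:
        return "request and reply both seen on BVI1: the router path is working"
    return "request never left BVI1: check NAT and the outside ACL on the router"


if __name__ == "__main__":
    delta = hit_delta(parse_show_access_lists(BEFORE), parse_show_access_lists(AFTER))
    for name, aces in delta.items():
        for seq, (text, added) in sorted(aces.items()):
            print(f"{name} {seq} +{added}  {text}")
    print(diagnose(delta))
```

With the constructed snapshots the HTTP line of to_server-in gains 3 hits while the HTTP line of server_to_out gains none, which is the "packets go out to the server but no reply" pattern that points at the server rather than the router. Taking the first snapshot right after clear access-list counters keeps the permit ip any any noise out of the comparison.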

Thanks again for your valuable assistance... below is the output of the show access-list in and out directives after modifying the config as you requested.

Aeon#show access-lists to_server_in
Extended IP access list to_server_in
    10 permit tcp any host 192.168.0.253 eq www (3 matches)
    20 permit ip any any (168 matches)
Aeon#show access-lists to_server_out
Extended IP access list to_server_out
    10 permit tcp host 192.168.0.253 eq www any
    20 permit ip any any (464 matches)

Also a trace from my workstation. (web server has also established and tested connectivity to the web).

Translating "www.in.gr"...domain server (91.132.4.4) [OK]

Type escape sequence to abort.
Tracing the route to www.in.gr (212.205.159.143)
  1  *  *  *
  2 91.132.2.122 36 msec 32 msec 32 msec
  3 otenet.gr-ix.gr (83.212.8.4) 32 msec 32 msec 32 msec
  4 athe-crsa-athe7609k1-1.backbone.otenet.net (79.128.227.17) 32 msec 36 msec 32 msec
  5 nyma-crsa-athe-crsa-1.backbone.otenet.net (79.128.224.34) 36 msec 36 msec 36 msec
  6 maro7609b-nyma-crsa-1.backbone.otenet.net (79.128.226.38) 32 msec 32 msec 32 msec
  7 79.128.252.222 32 msec 32 msec 32 msec
  8 79.128.252.222 !A  *  *

You were correct. It was a server issue. The server is a NAS device. After searching the security features I found that there was an "allow only 192.168.0.0/24" option in the connection settings, thus preventing any connection coming from outside the router from being established.

Thanks for your guidance and effort again.

Hello Karolos,

Yes, after checking the ACLs I could see the packets going out the inside interface to the server but no reply.

Check the ACL hits so you can troubleshoot that for the next time.

Remember to rate all of the answers, for the community that is as important as a thanks

Glad I could help

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC