cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1185
Views
0
Helpful
7
Replies

What is going wrong with this config ??

nemiath76
Level 1
Level 1

Hello guys,

I am busting my head to find out what is going wrong with this config and cant figure it out since i am not an advanced cisco technician.

Problem is that i cant access the 94.70.142.127 server that is supposed to be in a DMZ zone.

I know it is a bit chaotic but would really appreciate any help since i am running on a deadline.

I am building the config step by step and although it seems to be working access to the server all of the sudden is denied.

No idea if its a NAT issue a firewall issue or a security audit issue.

There are 3 vlans.

Vlan 1 is the inside network.

Vlan 2 is the DMZ server

Vlan 3 is the Management Network.

thanks in advance

Building configuration...

Current configuration : 11796 bytes

!

! Last configuration change at 11:28:33 PCTime Fri Jan 4 2013 by admin

! NVRAM config last updated at 11:27:51 PCTime Fri Jan 4 2013 by admin

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime

service password-encryption

service sequence-numbers

!

hostname R1

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 8

logging message-counter syslog

logging buffered 4096 informational

enable secret 5 $1$oT7y$BwhdEjMJfAaTQI3dzDVwP.

!

no aaa new-model

memory-size iomem 10

clock timezone PCTime 2

clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00

!

crypto pki trustpoint TP-self-signed-2567543707

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2567543707

revocation-check none

rsakeypair TP-self-signed-2567543707

!

!

crypto pki certificate chain TP-self-signed-2567543707

certificate self-signed 01

  30820244 308201AD A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 32353637 35343337 3037301E 170D3133 30313032 30383431

  35335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 35363735

  34333730 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100ABA4 B7FFF4F1 9FBE79D8 2CEBCA68 A14BE3AB DBF770C2 EB35A954 B271AE3E

  F8485837 F2E8566B 66E5EF6B BCFCDFA3 8F6F91F3 FD8E3015 879A67F5 85DD95F5

  C26875C0 2202CA6C CE95888F 545AB4F6 6F708A0E C65E78D1 60967480 5589F5EE

  80505E46 8767CE2C 37C994FE AB555AF0 BA4C4679 63FF7641 34FFF6EF 3EC38006

  46B90203 010001A3 6C306A30 0F060355 1D130101 FF040530 030101FF 30170603

  551D1104 10300E82 0C52312E 646F636E 65742E67 72301F06 03551D23 04183016

  8014F0DE 85318FB3 70C36B4A FEB4B0CA 446025F0 329C301D 0603551D 0E041604

  14F0DE85 318FB370 C36B4AFE B4B0CA44 6025F032 9C300D06 092A8648 86F70D01

  01040500 03818100 5D76D5F4 5FB659C3 1E5B3777 420E1703 CD019889 AE79390D

  A2AA4D26 AD9913B4 B3292277 97ACACDD D7093465 78279B4D 5FAC0A21 EFBF3B74

  6A25BC5B ACFB648F 08F92678 00BB495C 037DEAF7 C5910944 3D2C0643 EA19E9BD

  0AFE5423 AADBB3C2 B2C94296 DABE0D3D 6438F7A8 32B0A92B 3E8E0D26 635070A3

  ACF87E49 65A9E468

      quit

no ip source-route

!

!

ip cef

no ip bootp server

ip domain name docnet.gr

ip name-server 195.170.0.1

no ipv6 cef

!

!

!

!

username admin privilege 15 view root secret 5 $1$Lny5$et1FhWOpIKOOYRUtN89H10

!

!

!

archive

log config

  hidekeys

!

!

ip tcp synwait-time 10

ip ssh version 2

!

class-map type inspect match-any WebService

match protocol http

match protocol https

class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1

match class-map WebService

match access-group name WebServer

class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-1

match access-group name Spoofing

class-map type inspect match-any CCP-Voice-permit

match protocol h323

match protocol skinny

match protocol sip

class-map type inspect match-any tcp-udp

match protocol http

match protocol https

match protocol dns

match protocol icmp

class-map type inspect match-all ccp-cls--3

match access-group name mng-out

match class-map tcp-udp

class-map type inspect match-all ccp-cls--2

match access-group name mng-self

class-map type inspect match-all ccp-cls--4

match access-group name mng-out-drop

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp extended

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any http-https-DMZ

match protocol http

match protocol https

class-map type inspect match-all sdm-cls--2

match class-map http-https-DMZ

match access-group name web_server

class-map type inspect match-any MySQLService

match protocol mysql

class-map type inspect match-all sdm-cls--1

match class-map MySQLService

match access-group name DMZtoMySQL

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all sdm-nat-https-1

match access-group 102

match protocol https

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect sdm-pol-NATOutsideToInside-1

class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-1

  drop

class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1

  inspect

class type inspect sdm-nat-https-1

  inspect

class class-default

  drop

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

class type inspect ccp-insp-traffic

  inspect

class type inspect CCP-Voice-permit

  inspect

class class-default

  drop

policy-map type inspect ccp-permit

class class-default

  drop

policy-map type inspect sdm-policy-sdm-cls--1

class type inspect sdm-cls--1

  inspect

class class-default

  drop

policy-map type inspect ccp-policy-ccp-cls--1

class class-default

  drop

policy-map type inspect ccp-policy-ccp-cls--3

class type inspect ccp-cls--3

  inspect

class class-default

  drop

policy-map type inspect sdm-policy-sdm-cls--2

class type inspect sdm-cls--2

  inspect

class class-default

  drop

policy-map type inspect ccp-policy-ccp-cls--2

class type inspect ccp-cls--2

  inspect

class class-default

  drop

policy-map type inspect ccp-policy-ccp-cls--5

class class-default

  drop

!

zone security out-zone

zone security in-zone

zone security dmz-zone

zone security mng

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone

service-policy type inspect sdm-pol-NATOutsideToInside-1

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security zp-dmz-to-outside source dmz-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security zp-outside-to-dmz source out-zone destination dmz-zone

service-policy type inspect sdm-pol-NATOutsideToInside-1

zone-pair security sdm-zp-dmz-zone-in-zone source dmz-zone destination in-zone

service-policy type inspect sdm-policy-sdm-cls--1

zone-pair security sdm-zp-in-zone-dmz-zone source in-zone destination dmz-zone

service-policy type inspect sdm-policy-sdm-cls--2

zone-pair security sdm-zp-dmz-zone-self source dmz-zone destination self

service-policy type inspect ccp-policy-ccp-cls--1

zone-pair security sdm-zp-mng-self source mng destination self

service-policy type inspect ccp-policy-ccp-cls--2

zone-pair security sdm-zp-mng-out-zone source mng destination out-zone

service-policy type inspect ccp-policy-ccp-cls--3

zone-pair security sdm-zp-out-zone-mng source out-zone destination mng

service-policy type inspect ccp-policy-ccp-cls--5

!

!

!

interface Null0

no ip unreachables

!

interface BRI0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

encapsulation hdlc

shutdown

isdn termination multidrop

!

interface ATM0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

no atm ilmi-keepalive

!

interface ATM0.1 point-to-point

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

pvc 8/35

  pppoe-client dial-pool-number 1

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

switchport access vlan 3

spanning-tree portfast

!

interface FastEthernet3

switchport access vlan 2

!

interface Vlan1

description $FW_INSIDE$

ip address 192.168.0.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip tcp adjust-mss 1412

!

interface Vlan2

description $FW_INSIDE$

ip address 192.168.1.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security dmz-zone

!

interface Vlan3

description $FW_INSIDE$

ip address 10.0.10.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security mng

!

interface Dialer0

description $FW_OUTSIDE$

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1452

ip flow ingress

ip nat outside

ip virtual-reassembly max-reassemblies 64

zone-member security out-zone

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname dikt15@otenet.gr

ppp chap password 7 0918425001505245

ppp pap sent-username dikt15@otenet.gr password 7 13511B4B1359417D

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0

ip route 10.0.10.0 255.255.255.0 Vlan3

no ip http server

ip http secure-server

!

!

ip nat inside source list 1 interface Dialer0 overload

ip nat inside source static 192.168.0.101 94.70.142.113

ip nat inside source static 192.168.1.102 94.70.142.127

!

ip access-list extended DMZtoMySQL

remark CCP_ACL Category=128

permit ip host 192.168.1.102 host 192.168.0.101

ip access-list extended Spoofing

remark CCP_ACL Category=128

permit ip 10.0.0.0 0.255.255.255 any

permit ip 192.168.0.0 0.0.255.255 any

permit ip 172.16.0.0 0.15.255.255 any

ip access-list extended VTY_incoming

remark CCP_ACL Category=1

permit ip host 10.0.10.2 any

ip access-list extended WebServer

remark CCP_ACL Category=128

permit ip any host 192.168.1.102

ip access-list extended mng-out

remark CCP_ACL Category=128

permit ip 10.0.10.0 0.0.0.255 any

ip access-list extended mng-out-drop

remark CCP_ACL Category=128

permit ip any any

ip access-list extended mng-self

remark CCP_ACL Category=128

permit ip any any

ip access-list extended web_server

remark CCP_ACL Category=128

permit ip 192.168.0.0 0.0.0.255 host 192.168.1.102

!

logging 10.0.10.2

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 remark VLan 1 Access

access-list 1 permit 192.168.0.0 0.0.0.255

access-list 1 remark VLan 3 Access

access-list 1 permit 10.0.10.0 0.0.0.255

access-list 1 remark Vlan 2 Access

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 102 remark CCP_ACL Category=0

access-list 102 permit ip any host 192.168.0.101

dialer-list 1 protocol ip permit

no cdp run

!

!

!

!

!

control-plane

!

banner login ^CWARNING!!!This is a highly monitored private system. Access is prohibited!!^C

!

line con 0

no modem enable

line aux 0

line vty 0 4

access-class VTY_incoming in

password 7 12292504011C5C162E

login local

transport input ssh

!

scheduler max-task-time 5000

ntp authentication-key 1 md5 10603D29214711255F106B2677 7

ntp authenticate

ntp trusted-key 1

ntp master 2

end

1 Accepted Solution

Accepted Solutions

lol,

Okay at least we know we are good

If you do not have any other question, please mark the question as answered

Remember to rate all of the helpful posts , that works as a thanks for the community users

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

7 Replies 7

Julio Carvajal
VIP Alumni
VIP Alumni

Hello karolos,

Here is the thing.

You said you are trying to access 94.70.142.113 and that is a server on the DMZ but based in your configuration that is not true

ip nat inside source static 192.168.0.101 94.70.142.113

So 192.168.0.101 is on Vlan 1 witch is the in-zone

interface Vlan1

description $FW_INSIDE$

ip address 192.168.0.1 255.255.255.0

security in-zone

If you got confused with  the security zone that the host is assigned to then just add the following and it should work

ip access-list extended WebServer

permit ip any host 192.168.0.101

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

My bad. the correct DMZ server ip address is .127 and not .113

I corrected my original post. sorry for the trouble.

Okay,

They are using the same policy so add what I said and let me know the result

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Dont quite follow you..

There is already an entry

ip access-list extended WebServer

remark CCP_ACL Category=128

permit ip any host 192.168.1.102

which is the internal ip of the DMZ server

access to 192.168.0.101 has been removed since it was not not correct.

Yeah, you are right..

Got confused because of the wrong topic.

Okay add the following

ip inspect log drop-pkt

Then try to connect to the server and do

show logging | include 192.168.1.102

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

after a lot of time i discovered that the security audit was causing the problem and specifically the ip unreachables command. No idea why!

lol,

Okay at least we know we are good

If you do not have any other question, please mark the question as answered

Remember to rate all of the helpful posts , that works as a thanks for the community users

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Review Cisco Networking for a $25 gift card