Re: 1710 configured as Firewall

samiyengar · ‎11-25-2002

I have configured the 1710 as firewall. Have a Cable to Internet and POP3 Incoming E-mail and SMTP outgoing. When I open up my Outlook and click on Send/Receive gives the Server could not be found. Would like to know

the config to allow 110 (POP3).

My E-Mail: sami@rogers.com

gfullage · ‎11-25-2002

Please provide more information than this to help us help you out. Where is the Outlook client, on the inside or the outside, and where is the SMTP/POP3 server, inside or outside? What configuration do you have applied to the router at the moment?

If the server is on the inside with the client on the outside, you'll probably need a NAT statement assuming the 1710 is just getting an address via DHCP from the cable network. Then you'll need an access-list allowing traffic FROM any TO the DHCP address on port 25 and 110 to go through.

If the client is on the inside and the server is outside, then the firewall feature should automatically open up a hole to allow your return traffic to come back in.

samiyengar · ‎11-26-2002

ip inspect name test tcp

ip inspect name test udp

ip inspect name test cuseeme

ip inspect name test ftp

ip inspect name test h323

ip inspect name test rcmd

ip inspect name test realaudio

ip inspect name test smtp

ip inspect name test streamworks

ip inspect name test vdolive

ip inspect name test sqlnet

interface Ethernet0

description Connection to Internet

ip address dhcp

ip access-group 120 in

no ip redirects

no ip proxy-arp

ip nat outside

no ip mroute-cache

half-duplex

no cdp enable

!

interface FastEthernet0

description Local LAN Connection

ip address 10.1.1.1 255.255.255.0

ip access-group 140 in

no ip redirects

no ip proxy-arp

ip nat inside

ip inspect test in

speed auto

no cdp enable

access-list 120 permit tcp any any established

access-list 120 permit tcp any host 24.153.62.254 eq 22

access-list 120 permit tcp any host 10.1.1.101 eq pop3

access-list 120 permit icmp any 10.1.1.0 0.0.0.255 echo-reply

access-list 120 permit icmp any 10.1.1.0 0.0.0.255 unreachable

access-list 120 permit icmp any 10.1.1.0 0.0.0.255 administratively-prohibited

access-list 120 permit icmp any 10.1.1.0 0.0.0.255 packet-too-big

access-list 120 permit icmp any 10.1.1.0 0.0.0.255 echo

access-list 120 permit icmp any 10.1.1.0 0.0.0.255 time-exceeded

access-list 120 deny ip any any log

access-list 130 permit ip 10.1.1.0 0.0.0.255 any

access-list 140 permit tcp 10.1.1.0 0.0.0.255 any

access-list 140 permit udp 10.1.1.0 0.0.0.255 any

access-list 140 permit icmp 10.1.1.0 0.0.0.255 any

access-list 140 deny ip any any

gfullage · ‎11-26-2002

Hmmm, config looks OK from what I can see. You have the "log" keyword on your ACL 120, so do you see any deny messages or other errors when you hit the Send/Receive button?

samiyengar · ‎11-27-2002

sh log gives the following: I don't know what is that 10.45.128.1 address. This

denied session logs even without clicking send/receive in Outlook. Looks like

nothing gets logged with my Outlook doing send/receive. I just get the error

server could not be found.

Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)

Console logging: level debugging, 1955 messages logged

Monitor logging: level debugging, 0 messages logged

Buffer logging: level debugging, 1803 messages logged

Logging Exception size (4096 bytes)

Count and timestamp logging messages: disabled

Trap logging: level informational, 1960 message lines logged

Log Buffer (4096 bytes):

list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 6 packets

2d11h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 8 packets

2d11h: %SEC-6-IPACCESSLOGP: list 120 denied tcp 24.175.84.212(1475) -> 24.153.62.254(80), 1 packet

2d11h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 16 packets

2d11h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 2 packets

2d11h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 6 packets

2d11h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 2 packets

2d11h: %SEC-6-IPACCESSLOGP: list 120 denied tcp 24.192.95.10(2404) -> 24.153.62.254(80), 1 packet

2d11h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 2 packets

2d12h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 4 packets

2d12h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 2 packets

2d12h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 12 packets

2d12h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 10 packets

2d12h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.2

2d14h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 6 packets55(68), 1 packet

2d12h: %SEC-6-IPACCESSLOGP: list 120 denied tcp 64.246.34.180(3389) -> 24.153.62.254(113), 1 packet

2d12h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 1 packet

2d12h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 2 packets

2d12h: %SEC-6-IPACCESSLOGP: list 120 denied tcp 64.246.34.180(1581) -> 24.153.62.254(113), 1 packet

2d12h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 2 packets

2d13h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 2 packets

2d13h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 12 packets

2d13h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 16 packets

2d13h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 6 packets

2d13h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 4 packets

2d13h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 2 packets

2d13h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 4 packets

2d14h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 6 packets

2d14h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 4 packets

2d14h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 2 packets

2d14h: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.45.128.1(67) -> 255.255.255.255(68), 10 packets

samiyengar · ‎11-26-2002

Hi

I have furnished the config on 1710. The Outlook client is inside and the server is outside with the ISP. Basically I have the POP E-mail coount eith the ISP.

gfullage · ‎11-27-2002

OK, so if nothing gets logged then either the router isn't seeing any of your packets, or it's allowing them through properly. If you remove all the access-lists on this router, does it work then? If you put this PC outside this router, does it work then? What is your NAT configuration on this router?

Still can't see anything wrong, so you need to try and pinpoint where the problem is being caused, it may not be this router at all.

samiyengar · ‎11-27-2002

My NAT(PAT) config is as follows:

ip nat inside source route-map nonat interface Ethernet0 overload

access-list 130 permit ip 10.1.1.0 0.0.0.255 any

route-map nonat permit 10

match ip address 130

With only NAT(PAT) and no ip access-group 120 & 140 in on thw 2 X interfaces

also I am unable to send/receive. This means there could be a NAT issue and

all the more that I am using PAT. The IOS ver is 12.2(8)T4.

gfullage · ‎11-27-2002

Hmmm, this looks OK too. From the inside PC, can you telnet to the POP3 server on port 110 and get a connection?

Does the ISP running the POP3 server only allow connections from certain IP addresses (unusual, but I have sene it before)?

Before trying to connect, do a "clear ip nat trans *", then after trying to connect to the server, do a "sho ip nat trans". Do you see an entry for your inside PC that is PAT'd to E0's IP address, with a remote address of the POP3 server?

samiyengar · ‎11-28-2002

I did a clear ip nat trans * and than sh ip nat trans. I don't see any entry except

for this.

Pro Inside global Inside local Outside local Outside global

tcp 24.13.62.254:110 10.1.1.2:110 --- ---

This is because I added a static nat as follows:

ip nat inside source static tcp 10.1.1.2 110 24.13.62.254 110 extendable

The Outlook client is configured for Incoming mail(POP3): as pop and Outgoing mail(SMTP): as smtp. I will have to check the IP address for these

names which I have not done.

Does the ISP running the POP3 server only allow connections from certain IP addresses (unusual, but I have sene it before)? Will have to check.

samiyengar · ‎11-28-2002

Found the problem. It was the FQDN for POP3 & SMTP which was the issue.

The ISP had changed it for the dynamic IP which I get for my router. I entered

the right FQDN works ok.

Thanks for the help. It was fun anyways.

samiyengar · ‎11-27-2002

Hi

I did try with the PC outside this router and it works.