
Cisco 1941 Configuration Help

swdowsett
Level 1

Hello everyone,

I am new to posting to the Cisco Support Community, though I read tips on here regularly because it is quite helpful for understanding common issues with Cisco products. Anyway, I am in need of help and am wondering if you guys could help me out; it would be greatly appreciated!

So I am having issues with a client's 1941 router. I did the initial configuration on it and someone else did the rest, though now it will not connect to the internet; more specifically it will not do any NAT translations and will not ping public internet addresses (or allow them to be resolved, though that might be from our ACL). Anyways, I have tried a basic configuration to try to eliminate the current one as a potential issue, no dice so far. Oddly enough I can reach it and manage it from its public interface/IP remotely, just no traffic can pass through it. To prevent this from being TL;DR, here is the current config; for security reasons I omitted certain things, and let's say my public IP is 10.0.0.1 for this purpose.

If you could help me out it would be great because I might be overlooking something here.

Config:

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname WIN_GW
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL icmp
ip inspect name FIREWALL_IN pptp
ip inspect name FIREWALL_IN ipsec-msft
login block-for 30 attempts 4 within 15
login delay 5
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1997974926
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1997974926
 revocation-check none
 rsakeypair TP-self-signed-1997974926
!
!
crypto pki certificate chain TP-self-signed-1997974926
 certificate self-signed 01
  <output omitted>
        quit
license udi pid CISCO1941/K9 sn FTX1613804K
!
!
username <omitted> privilege 15 secret 5 <omitted>
username <omitted> privilege 15 secret 5 <omitted>
!
redundancy
!
!
!
!
no ip ftp passive
ip ssh version 2
!
!
!
!
!
!
!
interface Loopback0
 no ip address
 shutdown
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description ###CONNECTION TO INTERNET###$FW_OUTSIDE$
 ip address 10.0.0.1 255.255.255.0
 ip access-group OUTSIDE_IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect FIREWALL_IN in
 ip inspect FIREWALL out
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/1
 description ### INTERNAL LAN ###$FW_INSIDE$
 ip address 172.1.0.8 255.255.0.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 172.1.0.6 25 10.0.0.1 25 extendable
ip nat inside source static tcp 172.1.0.41 443 10.0.0.1 443 extendable
ip nat inside source static tcp 172.1.0.41 465 10.0.0.1 465 extendable
ip nat inside source static tcp 172.1.0.36 1723 10.0.0.1 1723 extendable
ip nat inside source static tcp 172.1.0.36 2080 10.0.0.1 2080 extendable
ip nat inside source static tcp 172.1.0.41 3389 10.0.0.1 45000 extendable
ip nat inside source static tcp 172.1.0.20 3389 10.0.0.1 45001 extendable
ip nat inside source static tcp 172.1.0.58 3389 10.0.0.1 45002 extendable
ip route 0.0.0.0 0.0.0.0 10.0.0.2
ip route 192.168.20.0 255.255.255.0 172.1.0.3
ip route 192.168.35.0 255.255.255.0 172.1.0.3
ip route 192.168.36.0 255.255.255.0 172.1.0.3
ip route 192.168.40.0 255.255.255.0 172.1.0.3
!
ip access-list extended NAT
 deny   ip 172.1.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny   ip 172.1.0.0 0.0.255.255 172.16.0.0 0.15.255.255
 deny   ip 172.1.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 deny   ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.20.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 192.168.35.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.35.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.35.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 192.168.36.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.36.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.36.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 192.168.40.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.40.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.40.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 172.1.0.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 192.168.35.0 0.0.0.255 any
 permit ip 192.168.36.0 0.0.0.255 any
 permit ip 192.168.40.0 0.0.0.255 any
ip access-list extended OUTSIDE_IN
 permit udp host 64.90.182.55 eq ntp host 10.0.0.1 eq ntp
 permit udp host 24.56.178.140 eq ntp host 10.0.0.1 eq ntp
 permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq ntp
 permit udp host 129.6.15.28 eq ntp host 10.0.0.1 eq ntp
 permit tcp any host 10.0.0.1 eq telnet
 permit tcp any host 10.0.0.1 eq 22
 permit tcp any host 10.0.0.1 eq smtp
 permit tcp any host 10.0.0.1 eq 8013
 permit tcp any host 10.0.0.1 eq 443
 permit tcp any host 10.0.0.1 eq 45002
 permit tcp any host 10.0.0.1 eq 45001
 permit tcp any host 10.0.0.1 eq 45000
 permit tcp any host 10.0.0.1 eq 2080
 permit tcp any host 10.0.0.1 eq 465
 permit tcp any host 10.0.0.1 eq 1723
 permit gre any host 10.0.0.1
 permit esp any host 10.0.0.1
 permit udp any host 10.0.0.1 eq isakmp
!
!
!
!
!
route-map NAT permit 10
 match ip address NAT
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 30 0
 logging synchronous
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 15 0
 privilege level 15
 logging synchronous
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 24.56.178.140 source GigabitEthernet0/0
ntp server 64.90.182.55 prefer source GigabitEthernet0/0
end

EDIT:

I am wondering if it is the environment. The current firewall/gateway is a Linux solution and has no issue contacting our ISP default gateway or getting the users to the internet. The idea was for the Cisco device to replace it because it is a repurposed server that is getting old.

My concern is that the Cisco 1941 is defective, but it functions fine when pointed to the other firewall (which is to be removed); this led me to believe it has something to do with the NAT translations...

Thanks in advance for your input!!!!

Message was edited by: Scott Dowsett

19 Replies

Hi,

with the previous config you used for posting the debugs, can you do a sh ip inspect session detail while pinging 8.8.8.8 from the router with a repeat count of 1 (ping 8.8.8.8 rep 1)

Regards.

Alain

Don't forget to rate helpful posts.

Hello Alain,

I would like to thank you for sticking with me through this and giving suggestions to helping me out!

I figured it out after Jonathan posted his suggestion.

I really appreciate your help in this matter; I will definitely take away better troubleshooting from your suggestions!

Again, thanks to everyone who helped me out.

This community rocks!

swdowsett
Level 1

Hey guys,

So now my router config is working, but as soon as I enable my OUTSIDE_IN ACL on my public interface in the in direction, I lose internet connection and nothing can get through. Is there any reason for this? To my understanding, extended access lists go closest to the source of packets. It is only in the in direction, so will I need to make "established" arguments? I understand there is an implicit deny at the end of all ACLs; however, no matter what I do to tweak it, it just keeps blocking me off entirely.

I do understand ACL concepts but they are not my strong point. Any suggestions?

Thanks so much for your help in advance!!!

Message was edited by: Scott Dowsett

You mention "established" arguments. I can tell you that the "ip inspect" commands essentially do the same thing. "Established" is just the old way of doing it (and only possible for TCP), whereas ip inspect covers UDP/TCP/ICMP/etc. Short answer... this is a red herring. Stick with ip inspect.

Alain is correct. You should be able to run the command "sh ip inspect session" and it should show the connections that the inspect firewall knows about (and is therefore allowing through the OUTSIDE_IN firewall). Just make sure you generate some traffic beforehand (even if it fails).

To quote you:

So now my router config is working, but as soon as I enable my OUTSIDE_IN acl to my public interface in the in direction, I lose internet connection and nothing can get through.

Defining how you confirmed internet connectivity loss is important. Did you run a ping from the router to the internet? Did you ping from remote to the site's public IP? Did you get a user onsite to ping something? Did you try something other than ping (e.g. PPTP/SSH/Telnet, etc.)?

There are a few ways you could go about this. In my mind I'd prefer to see "ip inspect FIREWALL in" on Gig0/1 rather than Gig0/0. This essentially says "as connections come in on my LAN interface, build a session entry for them and remember to bypass on the way back". Having "ip inspect FIREWALL out" on Gig0/0 says "as connections go out of the Internet interface, build a session entry for them and remember to bypass through any firewalls". Since you have the OUTSIDE_IN ACL and another ip inspect FIREWALL_IN applied to the same interface... I start to get a bit confused.

Here's what I would do first:

interface GigabitEthernet0/0
 description ###CONNECTION TO INTERNET###$FW_OUTSIDE$
 ip address 10.0.0.1 255.255.255.0
 ip access-group OUTSIDE_IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no ip inspect FIREWALL_IN in
 no ip inspect FIREWALL out
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/1
 description ### INTERNAL LAN ###$FW_INSIDE$
 ip address 172.1.0.8 255.255.0.0
 ip nat inside
 ip virtual-reassembly in
 ip inspect FIREWALL in
 duplex auto
 speed auto
 no cdp enable

ACLs are processed from top to bottom. What you could do is try adding a few lines to the ACL to see whether packets are indeed being dropped by the ACL. Don't forget you can run the "show ip access-list OUTSIDE_IN" command to see the number of "hits" on a particular ACL entry.

Good luck.
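To make the two points in Jonathan's reply concrete (why an inbound ACL with an implicit deny kills return traffic unless a stateful mechanism opens the way back, and how per-entry hit counts, as reported by "show ip access-list", point at the line that matched), here is a small model written for this thread. It is constructed example code, not IOS code and not anything the poster ran. It parses a trimmed copy of the OUTSIDE_IN ACL from the thread, applies it top to bottom with an implicit deny, and adds a simplified session table standing in for "ip inspect FIREWALL in" on the LAN interface: an outbound flow is recorded, and the matching reply bypasses the ACL. Simplifications are labelled in the comments: addresses are post-NAT, the remote host 203.0.113.9 and the ports 51000/40001 are made up, sessions are exact 5-tuple matches with no timeouts, and only a handful of port names are mapped.

```python
"""Constructed model of an IOS extended ACL applied inbound on the WAN interface
plus a CBAC-style inspect session table. Added example, not router code."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# IOS port keywords appearing in the thread's ACL (subset, constructed).
PORT_NAMES = {"ntp": 123, "telnet": 23, "smtp": 25, "isakmp": 500}

# Trimmed copy of the thread's OUTSIDE_IN ACL (constructed sample input).
OUTSIDE_IN = """
permit udp host 64.90.182.55 eq ntp host 10.0.0.1 eq ntp
permit tcp any host 10.0.0.1 eq 22
permit tcp any host 10.0.0.1 eq smtp
permit tcp any host 10.0.0.1 eq 45000
permit gre any host 10.0.0.1
permit esp any host 10.0.0.1
permit udp any host 10.0.0.1 eq isakmp
"""

@dataclass
class Packet:
    proto: str          # "tcp", "udp", "icmp", "gre", "esp", ...
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class AclEntry:
    line: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    hits: int = 0       # the per-entry counter "show ip access-list" prints

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in self.src:
            return False
        if ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        return self.dport is None or self.dport == p.dport

def _addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS-style wildcard (hostmask) after the slash.
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def _port(tok, i):
    """Parse an optional 'eq <name|number>' starting at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i

class Acl:
    """Top-to-bottom first match, implicit deny at the end."""
    def __init__(self, text: str):
        self.entries = [self._parse(l) for l in text.splitlines() if l.strip()]

    @staticmethod
    def _parse(line: str) -> AclEntry:
        tok = line.split()
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        return AclEntry(line.strip(), tok[0], tok[1], src, sport, dst, dport)

    def check(self, p: Packet) -> bool:
        for e in self.entries:
            if e.matches(p):
                e.hits += 1
                return e.action == "permit"
        return False    # implicit deny: replies to ephemeral ports die here

    def hit_counts(self):
        return [(e.hits, e.line) for e in self.entries if e.hits]

class Inspect:
    """Session table built by 'ip inspect FIREWALL in' on the LAN interface
    (simplified: post-NAT addresses, exact 5-tuple, no timeouts)."""
    def __init__(self, protocols=("tcp", "udp", "icmp")):
        self.protocols = set(protocols)
        self.sessions = set()

    def outbound(self, p: Packet) -> None:
        if p.proto in self.protocols:
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def is_return(self, p: Packet) -> bool:
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions

def inbound_allowed(acl: Acl, fw: Inspect, p: Packet) -> bool:
    """Packet arriving on Gig0/0: replies to inspected sessions bypass the ACL."""
    return fw.is_return(p) or acl.check(p)

def demo() -> dict:
    acl, fw = Acl(OUTSIDE_IN), Inspect()
    ssh = Packet("tcp", "203.0.113.9", 51000, "10.0.0.1", 22)     # constructed
    # DNS reply to a LAN query that NAT already rewrote to 10.0.0.1:40001.
    reply = Packet("udp", "8.8.8.8", 53, "10.0.0.1", 40001)        # constructed
    result = {"ssh": inbound_allowed(acl, fw, ssh),
              "reply_without_inspect": inbound_allowed(acl, fw, reply)}
    fw.outbound(Packet("udp", "10.0.0.1", 40001, "8.8.8.8", 53))
    result["reply_with_inspect"] = inbound_allowed(acl, fw, reply)
    result["hits"] = acl.hit_counts()
    return result

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the inbound SSH packet permitted by an explicit line, the DNS reply dropped by the implicit deny when no session exists, and the same reply accepted once the outbound query has been inspected; the hit list contains only the SSH line, which is exactly the kind of evidence "show ip access-list OUTSIDE_IN" gives on the router.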

Thanks for the reply Jonathan.

I did not configure the ACL or the FIREWALL statements on the interface (that was the other person's responsibility; I kind of inherited this when things didn't function), so my comfort in knowledge level is stretched a bit thin in that area. However, reading your suggestions and how you explained it makes more sense to me. I will correct and see where it takes me; I think I have a pretty good handle on what I need to do to get that functioning. I really appreciate your help on this!

All the best!

Regards,

Scott