Cisco 891f-k9; Able to act as a PPPoE + Gateway routing 5 Static IPs

fbeye
Level 4

I am becoming overwhelmed with the task at hand.

I have vDSL service with 8 Static IPs (1 Gateway, 1 Netmask, 1 DNS (5 usable)). My DSL Router is in bridge mode connecting to my TP-Link. I want to remove that from the equation and use my 891 as the PPPoE Router, use the Gateway as the device/WAN IP and assign the 5 static IPs to the selected LAN Ports.

2 IPs will be going straight to my Linux Box on eth0 and eth1 (leaving on separate LAN Ports), 1 will be going to my TP-Link which will then Subnet 192.168.x.x for Home device use, 1 will be for the Network Printer and 1 will be unused.

Is what I am wanting able to be done?

37 Replies

Hello,

Basically you can add any TCP/UDP port you want to your access lists (which will subsequently be inspected by the ZBF). The router doesn't differentiate between 'common' and 'less common' ports. Anything in the range from 0 to 65535 goes.

Not saving your changes is a good strategy; all you need to do to recover the previous configuration is reload your router. The command 'reboot in' is also useful: if you accidentally lock yourself out, the router will reboot in the number of minutes you have configured (e.g. 'reboot in 3').

So I am starting to ask myself if I really need 3 Zones over the (INSIDE/OUTSIDE).

I just thought that creating a 3rd Zone was redundant when I can specify which Port/IP I want to give access to within the 2 Zones. Maybe I am totally wrong?
Basically I configured the Router with the prior Config and it seemed to work... But I did not get any throughput until I added a few extra commands, not knowing which one of them actually was the cause. TCP/UDP/DNS and some of the other basic ones you need to access the net; are they not required for what I want? There was no mention of the TCP/UDP/DNS protocols, so would that not hinder my system? Or was it assumed I would have added them? I just don't know as a whole, outside of the specific protocols I use, what I need to actually be on the net to its fullest, yet protected.
A lot of confusion as well is how do I decide Permit or Inspect.. I would assume permit as I am manually giving commands on what I want.

 

#zone security INSIDE
#zone security OUTSIDE

#interface Vlan1
#zone-member security INSIDE

#interface Dialer1
#zone-member security OUTSIDE
 
#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
#zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 
#ip access-list extended INSIDE-TO-OUTSIDE
#permit tcp 207.108.121.0 0.0.0.255 any eq www
#permit icmp 207.108.121.0 0.0.0.255 any
#permit tcp 207.108.121.0 0.0.0.255 any eq domain
#permit udp 207.108.121.0 0.0.0.255 any eq domain
———Anyone on the Block has OUTGOING ICMP, DNS, Web Browsing
#permit tcp 207.108.121.180 0.0.0.0 any eq smtp
———Allows x.x.x.180 Outgoing Email.
#class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
#match access-group name INSIDE-TO-OUTSIDE


#ip access-list extended OUTSIDE-TO-INSIDE
#permit icmp 207.108.121.0 0.0.0.255 any
#permit tcp 207.108.121.0 0.0.0.255 any eq domain
#permit udp 207.108.121.0 0.0.0.255 any eq domain
——— Allows any IP in the Block can get incoming ICMP Requests and DNS
#permit tcp 207.108.121.180 0.0.0.0 any eq imap3
#permit tcp 207.108.121.180 0.0.0.0 any eq imap
———Allows x.x.x.180 Incoming Email.
#class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
#match access-group name OUTSIDE-TO-INSIDE
 
#policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
#class type inspect INSIDE-TO-OUTSIDE-CLASS
#inspect
#class class-default
#drop log
 
#policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
#class type inspect OUTSIDE-TO-INSIDE-CLASS
#inspect
#class class-default
#drop log

#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
#service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
#zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
#service-policy type inspect OUTSIDE-TO-INSIDE-POLICY

fbeye
Level 4

Update: Current working Configuration... All seems to work, but too well.

When I run a Portscan on my email IP it shows 25, 993 and 143 enabled... All Email Ports. But in my Cisco I only allow Incoming 993 for IMAP/SSL.

I went into my Linux Firewall and it indeed has 143 Opened, which I wanted. But in LINUX when I remove it from the firewall and redo the Portscan, it shows closed.

So, I am thinking this configuration is not set up correctly as my Linux Email still depended on itself to close 143.

My only suggestion to myself is where I have;

--------------------------------------

policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
inspect
class class-default
pass
------------------------------------------

---- is the PASS allowing everything?


class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
inspect
class class-default
pass
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
description TPLink Wireless
no ip address
!
interface GigabitEthernet1
description Email Server
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
description PPPoE xDSL WAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface Vlan1
ip address 207.108.121.182 255.255.255.248
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
!
interface Async3
no ip address
encapsulation slip
!
interface Dialer1
description PPPoE xDSL WAN Dialer
ip address negotiated
no ip unreachables
ip mtu 1460
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname *******
ppp chap password 0 *******
ppp pap sent-username ******* password 0 ******
ppp ipcp route default
no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended INSIDE-TO-OUTSIDE
permit tcp 207.108.121.0 0.0.0.255 any eq www
permit icmp 207.108.121.0 0.0.0.255 any
permit tcp 207.108.121.0 0.0.0.255 any eq domain
permit udp 207.108.121.0 0.0.0.255 any eq domain
permit tcp host 207.108.121.180 any eq smtp
ip access-list extended OUTSIDE-TO-INSIDE
permit icmp 207.108.121.0 0.0.0.255 any
permit tcp 207.108.121.0 0.0.0.255 any eq domain
permit udp 207.108.121.0 0.0.0.255 any eq domain
permit tcp host 207.108.121.180 any eq 993
!
dialer-list 1 protocol ip permit
!
access-list 1 permit 207.101.121.182

Hello,

You need to drop the default class (if you allow/pass it, everything goes through):

class class-default
drop

I am not sure if my Router just does not like Port 993 Incoming (IMAP w/ SSL) or if Cisco doesn't like it altogether, or if I have something configured wrong. But nothing I do allows anything from the Internet in. I am at a complete and total loss.. My only doubt about anything, if relevant at all, is when I do a permit, I am saying 0.0.0.0 for host...

It shows as:

permit tcp any host 207.108.121.180 eq 993

but I am typing in:

permit tcp any 207.108.121.180 0.0.0.0 eq 993

So I am not sure if that maybe confuses its route, or if it's correct. And, I assume the 0.0.0.0 is the 255.255.255.248?

 

hostname CiscoHOM
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no logging console
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
ip name-server 205.171.3.65
ip name-server 205.171.2.65
ip cef
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
!
license udi pid C891F-K9 sn FGL212791GJ
!
username <username> privilege 15 password 0 <password>
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
pass
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
description Home Wireless
no ip address
zone-member security INSIDE
!
interface GigabitEthernet1
description Email Server
no ip address
zone-member security INSIDE
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
description PPPoE xDSL WAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface Vlan1
ip address 207.108.121.182 255.255.255.248
ip virtual-reassembly in
zone-member security INSIDE
!
interface Async3
no ip address
encapsulation slip
!
interface Dialer1
description PPPoE xDSL WAN Dialer
ip address negotiated
no ip unreachables
ip mtu 1460
zone-member security OUTSIDE
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname <hostname>
ppp chap password 0 <password>
ppp pap sent-username <username> password 0 <password>
ppp ipcp route default
no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended INSIDE-TO-OUTSIDE
permit ip host 207.108.121.176 any
permit ip host 207.108.121.177 any
permit ip host 207.108.121.178 any
permit ip host 207.108.121.179 any
permit ip host 207.108.121.180 any
permit ip host 207.108.121.181 any
permit ip host 207.108.121.182 any
permit tcp host 207.108.121.180 any
permit tcp host 207.108.121.180 any eq smtp
permit tcp host 207.108.121.180 any eq 993
permit udp host 207.108.121.177 any eq domain
permit udp host 207.108.121.180 any eq domain
permit udp host 207.108.121.182 any eq domain
ip access-list extended OUTSIDE-TO-INSIDE
permit icmp any host 207.108.121.176
permit icmp any host 207.108.121.177
permit icmp any host 207.108.121.178
permit icmp any host 207.108.121.179
permit icmp any host 207.108.121.180
permit icmp any host 207.108.121.181
permit icmp any host 207.108.121.182
permit udp any host 207.108.121.180 eq domain
permit udp any host 207.108.121.177 eq domain
permit udp any host 207.108.121.182 eq domain
permit tcp any host 207.108.121.180 eq 993
permit tcp any host 207.108.121.180 eq smtp
!
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
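To make the two questions running through this thread concrete (what a 0.0.0.0 wildcard means next to `host`, and why a `pass` on `class class-default` lets port 143 through), here is an added example in Python that evaluates ACL entries and a ZBF-style policy-map the way the router walks them; it is not from the thread or from Cisco, and the PORTS table and the address 198.51.100.7 are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Service names used in the thread's ACLs (numbers as IOS resolves them).
PORTS = {"www": 80, "domain": 53, "smtp": 25, "imap": 143, "imap3": 220, "ssh": 22}

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src: str         # source IPv4 address
    dst: str         # destination IPv4 address
    dport: int = 0   # destination port (0 for icmp)

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard: a 0 bit must match, a 1 bit is don't-care; 0.0.0.0 == 'host', 0.0.0.7 == a /29."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _take_addr(tokens: list) -> tuple:
    """Consume one address spec from the front: 'any', 'host A', or 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)

def ace_matches(ace: str, pkt: Packet) -> bool:
    """Match one 'permit PROTO SRC DST [eq PORT]' entry against a packet."""
    tokens = ace.split()
    if tokens[0] != "permit" or tokens[1] not in (pkt.proto, "ip"):
        return False
    rest = tokens[2:]
    src, dst = _take_addr(rest), _take_addr(rest)
    if rest[:1] == ["eq"] and int(PORTS.get(rest[1], rest[1])) != pkt.dport:
        return False
    return wildcard_match(pkt.src, *src) and wildcard_match(pkt.dst, *dst)

def policy_action(policy: list, pkt: Packet) -> str:
    """policy = ordered [(acl_entries, action)]; None as acl_entries is class-default. First match wins."""
    for acl, action in policy:
        if acl is None or any(ace_matches(a, pkt) for a in acl):
            return action
    return "drop"  # nothing matched and no class-default was configured

# Constructed samples: the first-post OUTSIDE-TO-INSIDE entry puts the block as the
# *source*, so an Internet-originated packet never matches; the fixed one is any -> host .180.
OUT_IN_FIRST = ["permit tcp 207.108.121.180 0.0.0.0 any eq imap"]
OUT_IN_FIXED = ["permit tcp any host 207.108.121.180 eq 993"]
INBOUND_143 = Packet("tcp", "198.51.100.7", "207.108.121.180", 143)   # 198.51.100.7 stands in for an Internet host
INBOUND_993 = Packet("tcp", "198.51.100.7", "207.108.121.180", 993)
```

With `class-default pass` the unmatched port-143 packet is passed, which is exactly what the earlier portscan showed; with `class-default drop` it is dropped and only the 993 entry is inspected. Note that `pass` on a class is stateless and one-directional, so a server's replies would then also have to be separately permitted by the reverse zone-pair, whereas `inspect` opens the return path automatically.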

 

Based on the topic, I have achieved completion.

The system works flawlessly.

In regards to my incoming connections (IMAP (993), SSH or anything else I enable in order to test), I get no response, and a Portscan from outside the Network shows no open ports on any IP address beyond the x.x.x.182, which is my "external" IP (as well as the gateway).

This leads me to believe that I have an Incoming IP Routing issue or possibly even a NAT one (or lack thereof, as I currently have NO NAT enabled).

All connected devices do independently have Outgoing www access, and I have verified this by disabling each IP individually and seeing its access denied, so I am confident it is an incoming misconfig.

My Google searches are coming up with half of what I need; it seems any time anyone refers to a STATIC IP it is either the one used as the Router IP with a DHCP/NAT setup, or they refer to DHCP handing out its LAN IPs "statically" and not literally a Block of 5 STATIC IPs.

In a DHCP scenario, I open ports on the Gateway (Router) and Forward the port to the LAN IP in need..

Though my setup is STATIC and I need no NAT/Forwarding, any traffic in still comes in through the "Gateway".

Would this then suggest that I also need to open the same port on the Gateway IP as I do in order to open it on the "LAN" Static IP?
