02-20-2007 12:29 PM - edited 03-03-2019 03:50 PM
Hi, We have a Cisco 1841 router with 2 FE ports; the IOS version running on the router is 12.4(3d). I have connected one Ethernet to the Internet and the other to the internal network. To get connected to the Internet I have created ip nat inside source list <NUMBER> interface fa0/1 overload. I have also added ip nat inside on the internal FE and ip nat outside on the external FE. I have also added the default route 0.0.0.0 0.0.0.0 <next hop>.
I also have a web server on my network, so I have created a static NAT: ip nat inside source static <local Network> <IP Supplied By ISP>.
This works fine, but suddenly users from outside will not be able to reach this server; when I try to ping the Internet from the server during this period I will not be able to reach it, but I will be able to do so from the router. To reinitiate the connection I will have to reset the network card on the server.
I only have the problem when there is traffic to the server.
!
no ip bootp server
ip name-server x.x.x.x
ip name-server x.x.x.x
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ES_WAN$$FW_OUTSIDE$
ip address 192.168.20.2 255.255.255.240
ip access-group 115 in
ip access-group 115 out
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface Serial0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
clock rate 2000000
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.20.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static 10.1.1.2 192.168.20.3
ip nat inside source static 10.1.1.3 192.168.20.4
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq tftp
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny udp any any eq netbios-dgm
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq netbios-ss
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 deny tcp any any eq 4444
access-list 115 deny icmp any any redirect
access-list 115 deny ip 127.0.0.0 0.255.255.255 any
access-list 115 deny ip 224.0.0.0 31.255.255.255 any
access-list 115 deny ip host 0.0.0.0 any
access-list 115 permit ip any any
no cdp run
02-20-2007 03:53 PM
Hi,
You can check the following steps and observe the results.
1) ip http timeout-policy idle 60 life 86400 requests 10000
What does the above command do? Remove it for the time being and observe.
2) Hard-set MTU 1500/full duplex on both interfaces. Speed auto is OK.
3) Observe in SYSLOG what errors it is giving before it stops responding.
4) Set 100 Mbps/full duplex on router interface fa0/0 as well as on the switch interface.
5) If all of the above does not work, mirror the switch port connected to the router's fa0/0 to any other switch port.
Configure a sniffer and capture 1 day of traffic. You can then look for any malicious or abnormal activity.
You can configure the mirror port with the following commands:
monitor session 1 destination interface (On which you are going to put sniffer machine)
monitor session 1 source remote interface (Router fa0/0 connected).
In this kind of case there are no thumb rules or judgements as to why it happens. You must follow analytical observations.
Regards,
Dharmesh Purohit
02-20-2007 04:33 PM
Hi, I have made the changes as suggested; let's observe. The other question is: I only need HTTP, HTTPS, RDP (Terminal Services), and ICMP to be allowed to this server, so that we can block malicious activity and attacks.
If you notice, I have blocked the ports used by the Nachi and Blaster worms.
Can you let me know what access list I should have?
Thanks in Advance
RP
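One way to express the restriction asked about above, as an added example that is not part of the thread. It assumes the addressing shown in the posted config (web server 10.1.1.2 with static NAT to 192.168.20.3, outside interface FastEthernet0/1) and that CBAC (ip inspect SDM_LOW out) keeps creating the dynamic openings for return traffic of sessions started from the inside, so the inbound ACL only has to permit what the outside may initiate. The ACL name OUTSIDE_IN and the choice of ICMP error types are assumptions.

```cisco
! Inbound on the outside interface the ACL is evaluated BEFORE NAT,
! so the server must be matched on its public address 192.168.20.3,
! not on 10.1.1.2.
ip access-list extended OUTSIDE_IN
 remark --- anti-spoofing / bogon filters carried over from ACL 115 ---
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip 10.1.1.0 0.0.0.255 any
 deny   icmp any any redirect
 remark --- only the published services may reach the web server ---
 permit tcp any host 192.168.20.3 eq www
 permit tcp any host 192.168.20.3 eq 443
 permit tcp any host 192.168.20.3 eq 3389
 permit icmp any host 192.168.20.3 echo
 remark --- ICMP errors the router's own sessions rely on (assumed needed) ---
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark --- everything else (135, 139, 445, 593, 4444, ...) is dropped and logged ---
 deny   ip any any log
!
interface FastEthernet0/1
 no ip access-group 115 in
 ip access-group OUTSIDE_IN in
! "ip access-group 115 out" stays as it is: the worm-port denies
! still apply to traffic leaving towards the Internet.
```

With this ACL the second static mapping (10.1.1.3 to 192.168.20.4) receives nothing from outside until explicit permit lines are added for it, and the log keyword on the final deny can produce a lot of syslog at "logging trap debugging", so watch the log volume on a 1841.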
02-20-2007 04:49 PM
hi,
In terms of malicious,
I also mentioned the word "abnormal"; it can only be analysed after the sniffer output analysis.
Follow the same steps and give me the output of each step.
Those steps should give some direction on the root cause.
Regards,
Dharmesh Purohit