01-25-2012 06:25 PM - edited 03-07-2019 04:33 AM
I was assigned to configure our 2811 router and I have never worked with IOS before now, so I am very new to this. The configuration below is working right now but it just seems to be a little bit off. I cannot ping anything from the LAN and DNS takes a very long time to resolve. I cannot seem to figure out how my ACL is working for F0/1; I have done a lot of research on this and still do not understand. Basically I want to only allow port 443 in to the F0/1 interface but I want all outbound traffic to be permitted. Here is the setup I have below. All I really want from this is to allow all outbound traffic and allow no inbound traffic except 443 on f0/1. Then there is one static NAT for 10.10.0.2 and I want to allow 1194 and 443 inbound on that. Can anyone help me figure out what the problem is with my configuration, or what the heck it is even doing? Thanks
[LAN] -> f0/0<ROUTER>f0/1 [WAN]
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTIRouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 <removed>
!
no aaa new-model
clock timezone MST -7
clock summer-time MDT recurring
!
!
ip cef
!
!
ip name-server 68.xx.xx.xx
ip name-server 68.xx.xx.xx
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username pthompson secret 5 <removed>
username csnowden secret 5 <removed>
!
!
ip ssh authentication-retries 5
!
!
!
!
!
interface FastEthernet0/0
description LAN Interface
ip address 10.10.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description WAN Interface
ip address 75.xxx.xx.xxx 255.xxx.xxx.xxx
ip access-group IncomingWAN in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 75.xxx.xx.xxx
!
!
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.10.0.8 443 interface FastEthernet0/1 443
ip nat inside source static tcp 10.10.0.2 443 75.xxx.xx.xxx 443 extendable
ip nat inside source static udp 10.10.0.2 1194 75.xxx.xx.xxx 1194 extendable
!
ip access-list extended IncomingWAN
permit ip 205.xxx.xxx.xxx 0.0.0.255 any
permit udp any any range 5060 5680
permit udp any any range 10000 25000
deny tcp any host 75.xxx.xx.xxx eq 22
permit ip any host 75.xxx.xx.xxx
permit tcp any host 75.xxx.xx.xxx established
permit udp any host 75.xxx.xx.xxx eq 1194
permit tcp any host 75.xxx.xx.xxx eq 443
!
access-list 100 permit ip 10.10.0.0 0.0.0.255 any
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 60 0
privilege level 15
password <removed>
login local
transport preferred ssh
transport input ssh
line vty 5 1180
access-class 1 in
exec-timeout 60 0
privilege level 15
password <removed>
login local
transport preferred ssh
transport input ssh
!
scheduler allocate 20000 1000
!
end
01-26-2012 05:02 AM
If I understand correctly, you want to allow all outbound traffic including http port 80 and coming back on https port 443? Is that possible? Or do you want to allow only https (443) traffic outbound and come back on https (443)?
01-26-2012 09:06 AM
I'm sorry, it may have been confusing what I was explaining before, but what I want is this. I want to be able to allow all traffic on all ports (80, 443, etc.) going from my LAN network (10.10.0.0) out to the internet WAN. But obviously I do not want to allow outside connections from the internet to access my LAN network unless I allow it. For example, we have a web server that is running on port 443 on the LAN, so I want to allow traffic from the internet into my LAN network so it can reach the web server on port 443. I also want to block all other incoming connections from the internet to my LAN network unless I allow it. In our company we have to be PCI DSS compliant, which means we cannot have incoming traffic from the internet on unsecured ports like port 80. On my incoming ACL I have "permit tcp any host 75.xxx.xx.xxx established", and what I thought this means was that if there was traffic that was established from my LAN to the internet, it would allow the incoming response traffic back in, but only if the connection was established from the LAN. But all this does not seem to be working correctly.
01-26-2012 12:51 PM
Hi,
you should stay away from TCP established because it is not stateful and can be easily bypassed.
You would be better off using either the CBAC or the newer ZBF feature to enable a stateful firewall on your router.
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
Regards.
Alain
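As an added illustration of what Alain is recommending (this is example configuration written for this page, not a configuration from Alain, Paul, or Cisco, and it has not been applied to the poster's router), here is a zone-based firewall policy for the LAN/WAN topology in the thread. It assumes the addressing Paul posted on 01-30-2012 (10.10.0.2 publishing 443/tcp and 1194/udp, 10.10.0.8 publishing 443/tcp), it assumes the inbound class-map ACL must name the inside addresses because static NAT has already rewritten the destination by the time the WAN-to-LAN zone-pair policy runs, and it removes the posted IncomingWAN interface ACL so the two mechanisms do not overlap:

```ios
! Zones: one per trust level; interfaces join them at the bottom
zone security LAN
zone security WAN
!
! LAN -> WAN: inspect whatever the LAN starts. Replies are admitted by
! session state, so no 'established' line is needed anywhere.
class-map type inspect match-any LAN-TO-WAN-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect LAN-TO-WAN-POLICY
 class type inspect LAN-TO-WAN-CLASS
  inspect
 class class-default
  drop
!
! WAN -> LAN: only the published services. The ACL names the INSIDE
! addresses (assumption: static NAT rewrites the destination before the
! zone-pair policy sees the packet). Everything else is dropped and logged.
ip access-list extended WAN-TO-LAN-ACL
 permit tcp any host 10.10.0.2 eq 443
 permit udp any host 10.10.0.2 eq 1194
 permit tcp any host 10.10.0.8 eq 443
class-map type inspect match-all WAN-TO-LAN-CLASS
 match access-group name WAN-TO-LAN-ACL
policy-map type inspect WAN-TO-LAN-POLICY
 class type inspect WAN-TO-LAN-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-TO-WAN-POLICY
zone-pair security WAN-LAN source WAN destination LAN
 service-policy type inspect WAN-TO-LAN-POLICY
!
interface FastEthernet0/0
 zone-member security LAN
interface FastEthernet0/1
 no ip access-group IncomingWAN in
 zone-member security WAN
```

Two checks worth doing after applying something like this: `show policy-map type inspect zone-pair sessions` lists the sessions the policy actually built, with the addresses it saw, which confirms (or refutes) the inside-address assumption for WAN-to-LAN; and `show zone-pair security` confirms each pair has its policy attached. Two caveats: the posted ACL also admitted UDP 5060-5680 and 10000-25000 from anywhere, so if a phone system needs unsolicited inbound UDP it has to be added to WAN-TO-LAN-ACL against its inside address; and traffic to the router itself lives in the built-in self zone, which is permissive by default, so the router's SSH and `ip http server` stay reachable from the WAN until a WAN-to-self policy is added. The vty lines in the posted config also reference access-list 1, which the config never defines, and IOS treats an access-class pointing at an undefined list as permit-all.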
01-26-2012 04:44 PM
I see that your statements refer to the 75.x.x.x IP address, which I guess is the Fa0/1 interface address.
I see that you try to get traffic from the internet to the Fa0/1 IP address and then use NAT to translate it for you to the web server address and send it on.
I suggest you leave only the first "ip nat inside source list 100 interface Fa0/0 overload" and, if that works, then add the other "ip nat ....." statements one by one and test (preferably from a PC) each time you add one and see which one doesn't work.
I also suggest you change two statements in your IncomingWAN ACL:
permit tcp any host 75.x.x.x established to permit tcp any any established
permit tcp any host 75.x.x.x eq 443 to permit tcp any host 10.10.x.x (web server IP) eq 443
Also add a permit statement to ACL 100 like: permit tcp host 10.10.x.x (web server IP) any eq 443 - the web server will answer only with https, not http
The reason I think it doesn't work is that your nat statement try to go directly to outside interface but the hosts inside your LAN have Fa0/0 as default gateway.
Hope this will help you
Eugen
01-27-2012 07:18 AM
Thank you for the excellent suggestions. I did not even know that ZBF existed on the 2811 router. After researching it a little bit it seems to be a bit complicated, but it is a very good idea if I can implement it correctly.
Eugen, I also see what you are saying and I also have another question. If I don't implement an ACL on an interface at all, does that imply that it will allow all traffic to go through?
"The reason I think it doesn't work is that your nat statement try to go directly to outside interface but the hosts inside your LAN have Fa0/0 as default gateway."
Yes my LAN does have the Fa0/0 as the default gateway. Does this mean that I need to set up another IP route to specify that or does the information you gave me above take care of that?
Thanks
01-27-2012 05:10 PM
Hi Paul,
If you don't implement an ACL on an interface, the router will forward all traffic if it has a route in the routing table for the destination network.
An ACL for internal hosts is just to control who talks to whom, internally or externally.
If everyone is allowed, it is not necessary to have an ACL for inside hosts.
Do you have only a single public IP address, 75.x.x.x?
That could be the reason NAT doesn't work, because that IP address 75.x.x.x is mapped statically to the web server.
You need another public address to use for NAT overload for internal hosts.
Eugen
01-30-2012 09:29 AM
We actually have several external static IP addresses. For example, this is what the config would look like with the example static IP addresses.
interface FastEthernet0/1
description WAN Interface
ip address 75.123.45.67 255.xxx.xxx.xxx
ip access-group IncomingWAN in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 75.123.45.70
!
!
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.10.0.8 443 interface FastEthernet0/1 443
ip nat inside source static tcp 10.10.0.2 443 75.123.45.68 443 extendable
ip nat inside source static udp 10.10.0.2 1194 75.123.45.68 1194 extendable
!
ip access-list extended IncomingWAN
permit ip 205.xxx.xxx.xxx 0.0.0.255 any
permit udp any any range 5060 5680
permit udp any any range 10000 25000
deny tcp any host 75.123.45.67 eq 22
permit ip any host 75.123.45.67
permit tcp any host 75.123.45.67 established
permit udp any host 75.123.45.68 eq 1194
permit tcp any host 75.123.45.68 eq 443
So in this example I have my overload on address 75.123.45.67 and my other static IP address (75.123.45.68) attached to my web server. I mean, there is just something not working right about this, and I would really like to get the ACL figured out. This is the definition of "In" from Cisco:
"In—Traffic that arrives on the interface and then goes through the router. The source is where it has been and the destination is where it goes, on the other side of the router."
So for connections coming inbound from the internet I would think the ACL would look something like this.
ip access-list extended IncomingWAN
permit ip 205.xxx.xxx.xxx 0.0.0.255 any
permit udp any any range 5060 5680
permit udp any any range 10000 25000
deny tcp any host 10.10.0.0 eq 22
permit ip any host 10.10.0.0
permit tcp any host 10.10.0.0 established
permit udp any host 10.10.0.2 eq 1194
permit tcp any host 10.10.0.2 eq 443
Since the definition says the traffic arrives on the interface, the source is the internet and the destination is where it goes on the OTHER side of the router, which would be my LAN network, right? But if I set up the ACL like it is above, my LAN has no network connection to the internet, outbound or inbound.
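To make the "in" question concrete, here is an added example (written for this page, not code from the thread) that models how IOS evaluates an extended ACL and where that evaluation sits relative to NAT on the WAN interface. It assumes three things about IOS: the first matching line wins and anything unmatched hits the implicit deny; `established` matches any TCP segment with ACK or RST set, whether or not the router ever saw the session; and an inbound ACL on an `ip nat outside` interface is checked before outside-to-inside translation, so it sees the public destination address, never 10.10.x.x. The two ACLs are the posted 01-30-2012 IncomingWAN list and its 10.10.0.0 rewrite (the elided 205.xxx line and the UDP ranges are left out); every packet is constructed, with 203.0.113.9 a documentation address:

```python
"""Added example (not from the thread): Cisco IOS extended-ACL matching and the
inbound order of operations on an 'ip nat outside' interface. Assumed: first match
wins, implicit deny; 'established' = any TCP segment with ACK or RST, session or
not; Fa0/1's inbound ACL runs BEFORE outside-to-inside NAT. Packets are constructed."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"ACK"}

def _addr_match(spec, addr):
    """spec is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (IOS inverse mask)."""
    if spec == "any":
        return True
    kind, arg = spec.split()
    if kind == "host":
        return addr == arg
    base, wild, a = (int(ipaddress.IPv4Address(x)) for x in (kind, arg, addr))
    return (a | wild) == (base | wild)      # wildcard bits are don't-care

def _take_addr(t, i):
    return ("any", i + 1) if t[i] == "any" else (t[i] + " " + t[i + 1], i + 2)

def _take_port(t, i):
    if i < len(t) and t[i] in ("eq", "range"):   # 'eq N' -> (N, N); 'range A B' -> (A, B)
        hi = t[i + 1] if t[i] == "eq" else t[i + 2]
        return (int(t[i + 1]), int(hi)), i + (2 if t[i] == "eq" else 3)
    return None, i

def parse_ace(line):
    """'permit tcp any host 75.123.45.68 eq 443' -> dict of match fields."""
    t = line.split()
    src, i = _take_addr(t, 2)
    sport, i = _take_port(t, i)
    dst, i = _take_addr(t, i)
    dport, i = _take_port(t, i)
    return {"action": t[0], "proto": t[1], "src": src, "sport": sport, "dst": dst,
            "dport": dport, "established": i < len(t) and t[i] == "established"}

def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto) or not (
            _addr_match(ace["src"], pkt.src) and _addr_match(ace["dst"], pkt.dst)):
        return False
    for rng, port in ((ace["sport"], pkt.sport), (ace["dport"], pkt.dport)):
        if rng and not rng[0] <= port <= rng[1]:
            return False
    # 'established' is a flag check, not session state: any ACK/RST segment passes
    return not ace["established"] or bool(pkt.flags & {"ACK", "RST"})

def evaluate(acl, pkt):
    for line in acl:                    # first match wins
        if ace_matches(parse_ace(line), pkt):
            return line.split()[0], line
    return "deny", None                 # implicit deny at the end of every ACL

# Static port mappings from the 01-30 config: (proto, global ip, port) -> local
STATIC_NAT = {("tcp", "75.123.45.68", 443): ("10.10.0.2", 443),
              ("udp", "75.123.45.68", 1194): ("10.10.0.2", 1194),
              ("tcp", "75.123.45.67", 443): ("10.10.0.8", 443)}

def inbound_on_wan(acl, pkt):
    """Fa0/1 inbound: ACL on the untranslated packet, then outside->inside NAT.
    Returns (verdict, matching line or None, static-NAT target or None)."""
    action, line = evaluate(acl, pkt)
    target = STATIC_NAT.get((pkt.proto, pkt.dst, pkt.dport))
    return ("dropped", line, None) if action == "deny" else ("forwarded", line, target)

POSTED_ACL = [           # IncomingWAN as posted; UDP ranges and elided 205.xxx line left out
    "deny tcp any host 75.123.45.67 eq 22",
    "permit ip any host 75.123.45.67",
    "permit tcp any host 75.123.45.67 established",
    "permit udp any host 75.123.45.68 eq 1194",
    "permit tcp any host 75.123.45.68 eq 443"]
PRIVATE_DST_ACL = [      # the 01-30 rewrite that names LAN addresses as destinations
    "deny tcp any host 10.10.0.0 eq 22",
    "permit ip any host 10.10.0.0",
    "permit tcp any host 10.10.0.0 established",
    "permit udp any host 10.10.0.2 eq 1194",
    "permit tcp any host 10.10.0.2 eq 443"]
TIGHTENED_ACL = [l for l in POSTED_ACL if l != "permit ip any host 75.123.45.67"]

def demo():
    """Constructed packets through each list; 203.0.113.9 is a documentation address."""
    web_syn = Packet("tcp", "203.0.113.9", "75.123.45.68", 51000, 443, frozenset({"SYN"}))
    reply = Packet("tcp", "74.125.227.159", "75.123.45.67", 443, 3051, frozenset({"SYN", "ACK"}))
    http_syn = Packet("tcp", "203.0.113.9", "75.123.45.67", 51001, 80, frozenset({"SYN"}))
    forged = Packet("tcp", "203.0.113.9", "75.123.45.67", 51002, 445, frozenset({"ACK"}))
    return {"web_posted": inbound_on_wan(POSTED_ACL, web_syn),        # static NAT hit
            "web_private": inbound_on_wan(PRIVATE_DST_ACL, web_syn),  # never matches pre-NAT
            "reply_posted": inbound_on_wan(POSTED_ACL, reply),        # PAT return traffic
            "reply_private": inbound_on_wan(PRIVATE_DST_ACL, reply),  # LAN loses the internet
            "http_posted": inbound_on_wan(POSTED_ACL, http_syn),      # port 80 walks in
            "forged_ack": inbound_on_wan(TIGHTENED_ACL, forged)}      # 'established' bypass
```

Run `demo()` and compare the two lists: the 10.10.0.0 rewrite drops both the inbound SYN to the web server and the SYN-ACK coming back to the PAT address, which is the "no network connection outbound or inbound" symptom, because nothing in it names a public address and the interface ACL never sees the private one. The posted list has the opposite problem: `permit ip any host 75.123.45.67` sits above everything else for that address, so a SYN to port 80 (and to the router's own `ip http server`) walks in, and the `established` line below it is dead. Even with that blanket line removed, a forged ACK to port 445 is still permitted by `established`, which is the bypass Alain mentions. On the real router, `show access-lists` shows per-line match counts and is the quickest way to see which line is actually catching traffic.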
01-30-2012 12:38 PM
Hi,
add this to your ACL: deny ip any any log
then go to internet from LAN while you do debug ip nat
tell us if you see a log message and post output of debug.
Do the same from the internet going to the service published.
Regards.
Alain
01-30-2012 03:19 PM
Here is the log from LAN to internet.
NAT*: s=10.10.0.51->75.123.45.67, d=50.16.37.159 [3050]
NAT*: s=10.10.0.51->75.123.45.67, d=74.125.227.159 [3051]
NAT*: s=10.10.0.51->75.123.45.67, d=74.125.227.159 [3052]
NAT*: s=10.10.0.51->75.123.45.67, d=50.16.37.159 [3053]
NAT*: s=10.10.0.51->75.123.45.67, d=50.16.37.159 [3054]
NAT*: s=10.10.0.51->75.123.45.67, d=74.125.227.159 [3056]
NAT*: s=10.10.0.51->75.123.45.67, d=50.16.37.159 [3057]
NAT*: s=10.10.0.51->75.123.45.67, d=50.16.37.159 [3060]
NAT*: s=10.10.0.60->75.123.45.67, d=206.225.167.241 [29560]
NAT*: s=10.10.0.60->75.123.45.67, d=206.225.167.241 [29561]
NAT*: s=10.10.0.60->75.123.45.67, d=206.225.167.241 [29576]
NAT*: s=10.10.0.51->75.123.45.67, d=74.125.227.159 [3062]
NAT*: s=10.10.0.60->75.123.45.67, d=66.151.97.225 [29577]
I could not seem to get it to log anything from internet to LAN. One time the "debug ip nat" crashed the router for some reason.
01-31-2012 02:32 AM
Hi Paul,
On your access list you have "permit ip any host 10.10.0.0". This statement doesn't work because 10.10.0.0 is a network address and not a single host. The way to write it is "permit ip any 10.10.0.0 0.0.255.255".
Do you have a 205.x.x.x inside your LAN? What is 205.x.x.x?
Also I see that you are using the 75.x.x.x web server IP in the ACL and mapping it to some ports. You should remove those from the ACL.
Another suggestion is to remove the 443 port from the ip nat mapping to the server and use the ACL to permit only connections to the web server on port 443.
Example: permit tcp any host 10.10.x.x eq 443 --> 10.10.x.x is the web server
deny tcp any host 10.10.x.x eq 80
Hope this helps
Eugen
PS. I will try the configuration on my lab and then will post you the results if you like