Connection Drops

Unanswered Question
Feb 20th, 2007

Hi, We have a Cisco 1841 router with 2 FE ports; the IOS version running on the router is 12.4(3d). I have connected one Ethernet to the Internet and the other to the internal network. To get connected to the Internet I have created ip nat inside source list <NUMBER> interface fa0/1 overload. I have also added ip nat inside on the internal FE and ip nat outside on the external FE. I have also added a default route 0.0.0.0 0.0.0.0 <next hop>.

I also have a web server on my network, so I have created a static NAT: ip nat inside source static <local Network> <IP Supplied By ISP>.

This works fine, but suddenly users from outside are not able to reach this server. When I try to ping the Internet from the server during this period I am not able to reach it, but I am able to do so from the router. To reinitiate the connection I have to reset the network card on the server.

I only have the problem when there is traffic to the server.

!
no ip bootp server
ip name-server x.x.x.x
ip name-server x.x.x.x
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$
 ip address 192.168.20.2 255.255.255.240
 ip access-group 115 in
 ip access-group 115 out
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 clock rate 2000000
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.20.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static 10.1.1.2 192.168.20.3
ip nat inside source static 10.1.1.3 192.168.20.4
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq tftp
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny udp any any eq netbios-dgm
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq netbios-ss
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 deny tcp any any eq 4444
access-list 115 deny icmp any any redirect
access-list 115 deny ip 127.0.0.0 0.255.255.255 any
access-list 115 deny ip 224.0.0.0 31.255.255.255 any
access-list 115 deny ip host 0.0.0.0 any
access-list 115 permit ip any any
no cdp run


purohit_810 Tue, 02/20/2007 - 15:53

Hi,

You can check the following steps and observe the results.

1) ip http timeout-policy idle 60 life 86400 requests 10000

What does the above command do? Remove it for the time being and observe.

2) Hard-set MTU 1500/full duplex on both interfaces. Speed auto is OK.

3) Observe the SYSLOG for what errors it is giving before it stops responding.

4) Set 100Mbps/full duplex on router interface fa0/0 as well as on the switch interface.

5) If all of the above cannot work..... do a mirror port on the switch, the router's fa0/0 with any switch port.

Configure a sniffer and capture 1 day of traffic. You will look out for any malicious or abnormal activity.

You can configure the mirror port with the following commands (local SPAN syntax; the source is the switch port the router's fa0/0 is plugged into, the destination is the port with the sniffer machine):

monitor session 1 source interface <switch port to which the router's fa0/0 is connected>

monitor session 1 destination interface <switch port on which you are going to put the sniffer machine>

In this kind of case there are no rules of thumb or judgement as to why it happens. You must follow analytical observation.

Regards,

Dharmesh Purohit

rajendraprasad_bh Tue, 02/20/2007 - 16:33

Hi, I have made the changes as suggested; let's observe. The other question is that I only need HTTP, HTTPS, RDP (Terminal Service), and ICMP to be allowed to this server so that we can block malicious activity and attacks.

If you notice, I have blocked the ports used by the Nachi and Blaster worms.

Can you let me know what access list I should have?

Thanks in Advance

RP
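A restrictive inbound access list for the outside interface, written here as an added example rather than anything posted by the thread's participants. It reuses the addresses from the posted config (server 10.1.1.2 static-NAT'd to 192.168.20.3, fa0/1 at 192.168.20.2/28) and assumes that `ip inspect SDM_LOW out` stays on fa0/1, so return traffic for sessions started from the inside is admitted by CBAC's dynamic openings rather than by static permits. The ACL name OUTSIDE_IN is an assumption. Two points a practitioner would want: the inbound ACL on the `ip nat outside` interface is evaluated before the static NAT rewrites the destination, so the server must be matched on its public address 192.168.20.3, not 10.1.1.2; and CBAC does not track router-originated traffic unless the `router-traffic` keyword is used (it is not in the posted config), so the router's own pings need explicit return permits.

```cisco
! Added example (not from the original post).  Replaces the shared ACL 115
! that is applied both "in" and "out" on FastEthernet0/1 with a dedicated
! inbound list; the final deny makes the individual worm-port denies
! (135/139/445/593/4444, netbios, tftp) unnecessary.
ip access-list extended OUTSIDE_IN
 remark --- anti-spoofing: internal and reserved sources never arrive from the Internet
 deny   ip 10.1.1.0 0.0.0.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip host 0.0.0.0 any
 remark --- published services on the static-NAT server, matched on its PUBLIC address
 permit tcp any host 192.168.20.3 eq www
 permit tcp any host 192.168.20.3 eq 443
 permit tcp any host 192.168.20.3 eq 3389
 permit icmp any host 192.168.20.3 echo
 remark --- replies to the router's own pings/traceroutes (not tracked by CBAC here)
 permit icmp any host 192.168.20.2 echo-reply
 permit icmp any host 192.168.20.2 unreachable
 permit icmp any host 192.168.20.2 time-exceeded
 remark --- everything else from the Internet is dropped and sent to syslog
 deny   ip any any log
!
interface FastEthernet0/1
 no ip access-group 115 in
 no ip access-group 115 out
 ip access-group OUTSIDE_IN in
```

After applying it, `show ip access-lists OUTSIDE_IN` shows per-line hit counters and `show ip inspect sessions` shows the dynamic openings CBAC has created for inside-initiated sessions; with `logging trap debugging` already configured, the logged final deny feeds the syslog observation suggested in step 3. Note that the router's own HTTP/HTTPS/SSH management is now unreachable from the outside (manage it from the LAN), that removing the outbound copy of ACL 115 also removes the outbound worm-port filtering, so keep a separate outbound list if that egress control is wanted, and that `permit tcp any ... eq 3389` exposes RDP to the whole Internet; if the administrators' source addresses are known, replace that `any` with them.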

purohit_810 Tue, 02/20/2007 - 16:49

hi,

In terms of malicious,

I also mentioned the word "abnormal"... we can only analyze that after the sniffer output analysis.

Follow the same steps and give me the output of each step.

Those steps should give some direction toward the root cause.

Regards,

Dharmesh Purohit
