WAN + LAN advice needed

Jul 30th, 2007

Hi, this belongs in a new post as it is separate from my internet connection issue (as now I'm connected).


Basically what I would like to do is build a network out of my 7 machines (Macs, PCs, and Linux boxes).


Criteria:

I would like to have security in the network for the router, the wireless interface (encryption, username/password etc.), and a firewall.


Also, because I will be running web, VNC, and SSH servers, I will need to forward ports from the WAN to my LAN.


I would like file/print sharing enabled for my machines to communicate.


I have played about with SDM-Express and have currently got MAC address filtering for my wireless. I'm guessing that to forward ports I will need to do that via IP filtering. I tried this as well but it didn't work, as I think I got the wrong settings.


Also I turned on the firewall via SDM, but it told me that it wasn't going to put it on the ATM interface? I thought the ATM interface was my ADSL modem, and that the firewall should be between the LAN and the WAN on a SOHO setup?


Currently I can connect to the internet with machines but I cannot connect them to each other or even ping each other from machine to machine (it works from router though).


Any advice or guides to documentation would be really helpful.


Thanks




paolo bevilacqua Mon, 07/30/2007 - 14:15

Hi,


1. Stop using SDM; it produces confusing results and prevents you from learning.


2. Are you sure you need a firewall? You have NAT configured; nobody can access anything from outside.


3. I suggest you do not use MAC address filtering. If you want to protect your wireless, configure a WEP key, which is much simpler.


4. What do you want to forward? The normal command is:


ip nat inside source static interface


kayasaman Tue, 07/31/2007 - 03:04

Ok, I took all the SDM config off except for the MAC address filter access list, which works fine; basically any non-authorized computers can't gain access to services:


access-list 700 permit 000b.6b4b.c5d0 0000.0000.0000

access-list 700 deny 0000.0000.0000 ffff.ffff.ffff


but I will read up about configuring WEP keys as well, even though I don't think it's compatible with my Mac OS 9 machines?


If I wanted to forward, say, www port 80 from WAN to LAN, the command would be:


ip nat inside source static tcp 192.x.x.x 80 interface (ATM0 or Dialer0??) 80


And then there's still the problem of my internal network, because at the moment I can't use any services like ping or file sharing, NetBIOS (Samba) or Apple File Share. Will I need to configure NAT to open all ports on the internal network to achieve this?


Basically like:


ip nat inside source static interface for all ports ranging from 1 to port limit?

kayasaman Thu, 08/02/2007 - 07:50

I managed to forward ports from WAN to LAN using the above advice and everything works fine!


Is there a way to monitor the incoming packets, though, via logging or a show statement, and also see which ports they are associated with?


Also my LAN still needs setting up, as I have no internal network access yet! Do I need to post that in the LAN/Routing part of the forum, or is the command similar to that of the above?

paolo bevilacqua Thu, 08/02/2007 - 09:17

Hi,


to see what "forwardings" are active, do show ip nat translation.


What in the lan is not working ?
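The port forwarding and its monitoring discussed in the posts above, as an added IOS configuration example that is not from the thread. It assumes the public address sits on Dialer0 (PPPoA/PPPoE over the ATM0 modem interface; if the address is on ATM0 instead, substitute that), the LAN 192.168.1.0/24 on BVI1, and a web/SSH host at 192.168.1.10; those addresses and the access-list numbers 10 and 110 are placeholders. It also adds the point the thread skips: a static translation exposes that port to every source on the Internet, so NAT on its own is not a firewall for the forwarded services, and the inbound ACL below both limits and logs what reaches them.

```ios
! Added example, not the thread's own config. Assumed: public address on
! Dialer0, LAN 192.168.1.0/24 on BVI1, server at 192.168.1.10 (placeholders).
!
! 1. Mark the NAT boundary. Without "ip nat inside"/"ip nat outside" on the
!    interfaces, the static entries below exist but are never used.
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip nat outside
 ip access-group 110 in
!
! 2. Dynamic PAT for LAN-initiated traffic (ACL 10 is a placeholder number,
!    chosen so it does not collide with the ACL 1 already on the router).
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface Dialer0 overload
!
! 3. Static port forwards. Use the interface that carries the public address
!    (Dialer0 for PPPoA/PPPoE, ATM0 if the address is configured there).
!    Each entry is reachable from any Internet source unless an ACL says otherwise.
ip nat inside source static tcp 192.168.1.10 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.10 22 interface Dialer0 22
!
! 4. Inbound ACL on the outside interface. Inbound packets hit the ACL before
!    NAT, so the destination seen here is the public address ("any"). Only the
!    forwarded services, return traffic for LAN-initiated sessions, DNS replies
!    and ping replies are admitted; everything else is dropped. "log" records
!    source address and port per flow (rate-limited by the router), which
!    answers the monitoring question in the thread. For SSH (and VNC, if it
!    is forwarded) replace the source "any" with the addresses you connect from
!    whenever that is practical.
access-list 110 permit tcp any any eq 80 log
access-list 110 permit tcp any any eq 22 log
access-list 110 permit tcp any any established
access-list 110 permit udp any eq 53 any
access-list 110 permit icmp any any echo-reply
access-list 110 deny   ip any any log
!
! 5. Verification (exec mode):
!    show ip nat translations   - static entries plus active dynamic ones
!    show ip nat statistics     - hit/miss counters, inside/outside interfaces
!    show access-lists 110      - per-line match counters
!    show logging               - %SEC-6-IPACCESSLOGP lines: src, dst, port
```

The ACL is a minimal baseline for a single-host setup; anything the LAN needs beyond TCP return traffic, DNS and ping replies (for example NTP over UDP 123) gets its own permit line rather than a blanket allow.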

kayasaman Thu, 08/02/2007 - 11:20

In the LAN, nothing is working. I can't ping other computers within the LAN, or share files, or use any other services which I need.


(From the router I can ping, but not from one machine to the other.)


I don't know if this is a NAT issue or if I need to make an access list?

paolo bevilacqua Thu, 08/02/2007 - 15:47

Hi,


What machines are these? If Win XP, be aware there is a firewall you should disable.


Are these using DHCP and getting an ip address correctly ?

kayasaman Thu, 08/02/2007 - 22:19

Hi, at the moment I've just linked my XP machines up not my linux boxes or macs.


They are connected statically, even though DHCP on the router is set to give addresses between 192....1 and 255.


I also disabled the firewall which I put on from SDM, but I still haven't even got ping functioning, let alone NetBIOS.

paolo bevilacqua Thu, 08/02/2007 - 22:21

Hi,


The router has no role in communications between systems on the same LAN, so the problem must be due to something else.

Pavel Bykov Thu, 08/02/2007 - 22:47

First try this:

interface BVI1

no ip access-group 100 in


If that won't enable your local communication, try following:


Can you post your current config please?


When the ports of your local machines are in one VLAN, which they are, there is nothing that the switch does with the packets. Are you connecting the PCs over wired or wireless?


If you are using wireless, try wired.


Also, try pinging the PCs' own IP address.


And also, check if you have different MAC addresses on the PCs. I had a problem where the cable connection was cable dependent and all PCs had the same MAC, so they could all communicate periodically to the internet, but not to each other.



kayasaman Fri, 08/03/2007 - 03:36

This is the current config. Wired and wireless are bridged; my machines are connected by wireless!


I can ping a machine from itself, but other machines give "request timed out".


I have the Zone Alarm firewall on the individual machines, which I even took down, and still the same problem?



kayasaman Mon, 08/06/2007 - 07:31

Thinking about the config, could it be something to do with access list 1? That proper permissions haven't been set up?


Also I am trying to connect my Macs to the network, and it's fine with OS X, but in OS 9 I can't find anywhere to enter the base station SSID. I have tried to set the computer to connect to "other" instead of scanning, but it won't give me any dialogs to enter SSID criteria?

paolo bevilacqua Mon, 08/06/2007 - 13:50

Hi,


No, access list 1 has nothing to do with computers not connecting locally. It might be ACL 700, but that is active for wireless only.


Not sure what you should do for the Macs. Sometimes these have little hidden places to do the most obvious things.


kayasaman Mon, 08/06/2007 - 15:54

Hi, I managed to fix the Mac problem. It was just OS 9 being weird and old!


The ACL 700 is just a MAC layer address list and, from what I know, just permits services to the "allowed" addresses. I enabled it via the Wireless Management web interface through SDM, but I don't know if IP filtering ties in with it, as it is a MAC filter.


I also thought that maybe it was the DHCP config clashing with the static machines within the DHCP address region?


Using debug, can I view what service is being "allowed" on which IP address with VLAN1? Perhaps that may help towards resolving my issue?

kayasaman Mon, 08/06/2007 - 16:23

Thinking about it, if indeed the ACL 700 is to blame for my access issues, could it be something to do with the mask?


I read this from the help:


Entering 255.255.255.255 as the mask causes the access point to accept any IP address. If you enter 0.0.0.0, the access point looks for an exact match with the IP address you entered in the IP Address field.


Does it mean that by entering 0000.0000.0000 as I have done I am only limiting myself to access from the router? By entering 2552.5525.5255 would it mean that I will have access from everyone in the LAN?


I've tried testing it but to no effect and I'm just confused now!

paolo bevilacqua Mon, 08/06/2007 - 17:22

Hello,


ACL 700 is based on MAC and cannot use IP mask.


As I mentioned previously, I suggest you remove it and use a WEP or WPA key to control access to wireless.


After that, you have no other ACL limiting traffic.



kayasaman Tue, 08/07/2007 - 14:35

I discovered this page: http://www.cisco.com/en/US/docs/wireless/bridge/1400/12.3_8_JA/configuration/guide/p38wep.html


and inserted these lines into my config (the interface is entered with "interface dot11radio 0", not "configure interface"):

bridge# configure terminal
bridge(config)# interface dot11radio 0
bridge(config-if)# encryption vlan 1 key 2 size 128 12345678901234567890123456
bridge(config-if)# end


It hasn't taken any effect, though, as machines without the key in their setup can still connect?


However after removing the ACL, my network services are back online :-)


....But there's no security :-(

paolo bevilacqua Tue, 08/07/2007 - 17:53

Hi,


you also need to configure:

encryption mode ciphers

kayasaman Wed, 08/08/2007 - 06:37

Hi, I added this line:


encryption mode ciphers wep128


and now I'm locked out of my router?


I don't know if I have to put a specific cipher type or if IOS creates a default.


I added the key into my XP machines, although if I select "key provided" the router will send the key automatically, even though I don't have any services enabled. This is a security risk and I would like the router not to send the key either.


Also, which type of key/cipher combination is compatible with Mac OS 9, which I have to cater for?

paolo bevilacqua Wed, 08/08/2007 - 16:03

Hi,


Not sure what sending you are talking about; the config above is WEP with a 128-bit static key. You need to configure the correct key in your PC, else you can't connect. The router is not sending out anything.



kayasaman Wed, 08/08/2007 - 17:31

After these lines were added to my config:


encryption vlan 1 key 2 size 128 12345678901234567890123456

encryption vlan 1 mode ciphers wep128


I went to XP network settings and input the WEP key into the wireless part. There is also a box saying the key is provided, which I checked without putting the key in, and I was still able to connect to the router. However, similar to before with my MAC access list, this config didn't give me any services. I couldn't browse or telnet to the router.


Both methods, key input and key provided, resulted in no network?

kayasaman Wed, 08/08/2007 - 17:34

After checking the link above, the second line is not complete, as there are different types of cipher available: {[aes-ccm | ckip | cmic | ckip-cmic | tkip]}


which ones are compatible with my setup?

paolo bevilacqua Thu, 08/09/2007 - 01:35

WEP (40 or 128 bits) is already a cipher; it is the basic one and ensures the most compatibility and the simplest configuration.
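The wireless access control discussed from the ACL 700 posts onward, as an added IOS configuration example that is not from the thread. It assumes an autonomous Cisco IOS radio of the kind in the thread (a Dot11Radio0 interface, a single VLAN 1, the `dot11 ssid` global form of SSID configuration), placeholder SSID names and keys, and that the `size 128`, `ascii` and `version 2` keyword forms exist on the image in use; these vary by platform and release, so confirm them with `encryption ?` and `authentication key-management ?` on the device. It goes beyond the thread in one respect: alongside the corrected static WEP it shows the WPA-PSK configuration that was mentioned but never spelled out, which is what to use for every client that can support it.

```ios
! Added example, not the thread's own config. SSID names, the WPA passphrase
! and the WEP key are placeholders; keyword forms are assumed for this image.
!
! --- What ACL 700 actually means --------------------------------------------
! The second field is a wildcard mask over the 48-bit MAC address:
!   0000.0000.0000 -> every bit must match (this exact address)
!   ffff.ffff.ffff -> no bit has to match (any address)
! It is not an IP mask, and it only decides who may associate to the radio.
! Any station can copy an allowed MAC address it observes in the air, so a
! MAC filter is not an access control and can be dropped once a key is set.
access-list 700 permit 000b.6b4b.c5d0 0000.0000.0000
access-list 700 deny   0000.0000.0000 ffff.ffff.ffff
!
! --- Option A: static WEP, corrected -----------------------------------------
! The thread's command defined key 2 but did not mark it as the transmit key;
! key 1 is the transmit key by default, so with only key 2 defined the radio
! has no key to encrypt with. WEP is cryptographically broken (the key can be
! recovered from captured traffic), so keep this only for the OS 9 machines
! that can do nothing else, and do not rely on it for anything sensitive.
dot11 ssid LEGACY
 vlan 1
 authentication open
 guest-mode
!
interface Dot11Radio0
 encryption vlan 1 key 2 size 128 0 12345678901234567890123456 transmit-key
 encryption vlan 1 mode wep mandatory
 ssid LEGACY
!
! --- Option B: WPA2-PSK with AES-CCMP (preferred) ---------------------------
! Encryption is configured per VLAN, so this replaces Option A on VLAN 1
! rather than running beside it; mixing WEP and WPA2 clients requires a
! separate VLAN and SSID for each group. If "version 2" is rejected, the
! image predates WPA2 support; "authentication key-management wpa" with
! "mode ciphers tkip" is the fallback and is still far stronger than WEP.
dot11 ssid HOME
 vlan 1
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 0 a-long-random-passphrase-of-20-plus-chars
 guest-mode
!
interface Dot11Radio0
 no encryption vlan 1 mode wep mandatory
 encryption vlan 1 mode ciphers aes-ccm
 ssid HOME
!
! --- Verification --------------------------------------------------------------
!   show dot11 associations                      - associated clients and cipher
!   show running-config | include encryption|ssid
```

A WPA2 passphrase is only as strong as its length and randomness; a 20-plus character random string is the point of the placeholder above, since an offline dictionary attack on a captured handshake is the standard attack against WPA-PSK.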
