Cisco 2811 router configuration help

pthompson208
Level 1

I was assigned to configure our 2811 router and I have never worked with IOS before now, so I am very new to this. The below configuration is working right now but it just seems to be a little bit off. I cannot ping anything from the LAN and DNS takes a very long time to resolve. I cannot seem to figure out how my ACL is working for F0/1; I have done a lot of research on this and still do not understand. Basically I want to only allow port 443 in to the F0/1 interface but I want all outbound traffic to be permitted. Here is the setup I have below. All I really want from this is to allow all outbound traffic and allow no inbound traffic except 443 on f0/1. Then there is one static NAT for the 10.10.0.2 and I want to allow 1194 and 443 inbound on that. Can anyone help me figure out what the problem is with my configuration or what the heck it is even doing. Thanks

[LAN] ->     f0/0<ROUTER>f0/1        [WAN]

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTIRouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 <removed>
!
no aaa new-model
clock timezone MST -7
clock summer-time MDT recurring
!
!
ip cef
!
!
ip name-server 68.xx.xx.xx
ip name-server 68.xx.xx.xx
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username pthompson secret 5 <removed>
username csnowden secret 5 <removed>
!
!
ip ssh authentication-retries 5
!
!
!
!
!
interface FastEthernet0/0
 description LAN Interface
 ip address 10.10.0.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description WAN Interface
 ip address 75.xxx.xx.xxx 255.xxx.xxx.xxx
 ip access-group IncomingWAN in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 75.xxx.xx.xxx
!
!
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.10.0.8 443 interface FastEthernet0/1 443
ip nat inside source static tcp 10.10.0.2 443 75.xxx.xx.xxx 443 extendable
ip nat inside source static udp 10.10.0.2 1194 75.xxx.xx.xxx 1194 extendable
!
ip access-list extended IncomingWAN
 permit ip 205.xxx.xxx.xxx 0.0.0.255 any
 permit udp any any range 5060 5680
 permit udp any any range 10000 25000
 deny   tcp any host 75.xxx.xx.xxx eq 22
 permit ip any host 75.xxx.xx.xxx
 permit tcp any host 75.xxx.xx.xxx established
 permit udp any host 75.xxx.xx.xxx eq 1194
 permit tcp any host 75.xxx.xx.xxx eq 443
!
access-list 100 permit ip 10.10.0.0 0.0.0.255 any
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 access-class 1 in
 exec-timeout 60 0
 privilege level 15
 password <removed>
 login local
 transport preferred ssh
 transport input ssh
line vty 5 1180
 access-class 1 in
 exec-timeout 60 0
 privilege level 15
 password <removed>
 login local
 transport preferred ssh
 transport input ssh
!
scheduler allocate 20000 1000
!
end

10 Replies

ebarticel
Level 4

If I understand correctly you want to allow all outbound traffic including http port 80 and coming back on https port 443? Is that possible? Or do you want to allow only https(443) traffic outbound and come back on https(443)?

I'm sorry, it may have been confusing what I was explaining before, but what I want is this. I want to be able to allow all traffic on all ports (80, 443, etc.) going from my LAN network (10.10.0.0) out to the internet WAN. But obviously I do not want to allow outside connections from the internet to access my LAN network unless I allow it. For example we have a web server that is running on port 443 on the LAN, so I want to allow traffic from the internet into my LAN network so it can reach the web server on port 443. I also want to block all other incoming connections from the internet to my LAN network unless I allow it. In our company we have to be PCI DSS compliant, which means we cannot have incoming traffic from the internet on unsecured ports like port 80. On my incoming ACL I have "permit tcp any host 75.xxx.xx.xxx established", and what I thought this means was that if there was traffic that was established from my LAN to the internet it would allow the incoming response traffic back in, but only if the connection was established from the LAN. But all this does not seem to be working correctly.

Hi,

you should stay away from the tcp established because it is not stateful and can be easily bypassed.

You would be better off using either the CBAC or the newer ZBF feature to enable a stateful firewall on your router.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

Regards.

Alain

Don't forget to rate helpful posts.

ebarticel
Level 4

I see that your statements refer to the 75.x.x.x IP address, which I guess is the Fa0/1 interface address.

I see that you try to get traffic from the internet to the Fa0/1 IP address and then use NAT to translate it for you to the web server address and send it on.

I suggest you leave only the first "ip nat inside source list 100 interface Fa0/0 overload" and if that works, then add the other "ip nat ....." statements one by one and test (preferably from a PC) each time you add one and see which one doesn't work.

I also suggest you change two statements in your IncomingWAN ACL:

permit tcp any host 75.x.x.x established  to  permit tcp any any established

permit tcp any host 75.x.x.x eq 443   to   permit tcp any host 10.10.x.x (web server ip) eq 443

Also add a permit statement to ACL 100 like: permit tcp host 10.10.x.x (web server ip) any eq 443 - the webserver will answer only with https not http

The reason I think it doesn't work is that your NAT statement tries to go directly to the outside interface but the hosts inside your LAN have Fa0/0 as default gateway.

Hope this will help you

Eugen

Thank you for the excellent suggestions. I did not even know that ZBF existed on the 2811 router. Although after researching it a little bit it seems to be a bit complicated, it is a very good idea if I can implement it correctly.

Eugen, I also see what you are saying and I also have another question. If I don't implement an ACL on an interface at all, does that imply that it will allow all traffic to go through?

"The reason I think it doesn't work is that your nat statement try to go directly to outside interface but the hosts inside your LAN have Fa0/0 as default gateway."

Yes my LAN does have the Fa0/0 as the default gateway. Does this mean that I need to set up another IP route to specify that or does the information you gave me above take care of that?

Thanks

Hi Paul,

If you don't implement an ACL on an interface the router will forward all traffic if it has a route in the routing table for the destination network.

An ACL for internal hosts is just to control who talks to whom internally or externally.

If everyone is allowed, it is not necessary to have an ACL for inside hosts.

Do you have only a single public IP address 75.x.x.x?

That could be the problem why NAT doesn't work, because that IP address 75.x.x.x is mapped statically to the web server.

You need another public address to use for nat overload for internal hosts.

Eugen

We actually have several external static IP addresses. For example, this is what the config would look like with the example static IP addresses.

interface FastEthernet0/1
 description WAN Interface
 ip address 75.123.45.67 255.xxx.xxx.xxx
 ip access-group IncomingWAN in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 75.123.45.70
!
!
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.10.0.8 443 interface FastEthernet0/1 443
ip nat inside source static tcp 10.10.0.2 443 75.123.45.68 443 extendable
ip nat inside source static udp 10.10.0.2 1194 75.123.45.68 1194 extendable
!
ip access-list extended IncomingWAN
 permit ip 205.xxx.xxx.xxx 0.0.0.255 any
 permit udp any any range 5060 5680
 permit udp any any range 10000 25000
 deny tcp any host 75.123.45.67 eq 22
 permit ip any host 75.123.45.67
 permit tcp any host 75.123.45.67 established
 permit udp any host 75.123.45.68 eq 1194
 permit tcp any host 75.123.45.68 eq 443

So in this example I have my overload on address 75.123.45.67 and my other static IP address (75.123.45.68) attached to my web server. I mean, there is just something not working right about this, and I would really like to get the ACL figured out. This is the definition of "In" from Cisco:

"In—Traffic that arrives on the interface and then goes through the router. The source is where it has been and the destination is where it goes, on the other side of the router."

So for connections coming inbound from the internet I would think the ACL would look something like this.

ip access-list extended IncomingWAN
 permit ip 205.xxx.xxx.xxx 0.0.0.255 any
 permit udp any any range 5060 5680
 permit udp any any range 10000 25000
 deny tcp any host 10.10.0.0 eq 22
 permit ip any host 10.10.0.0
 permit tcp any host 10.10.0.0 established
 permit udp any host 10.10.0.2 eq 1194
 permit tcp any host 10.10.0.2 eq 443

Since the definition says the traffic arrives on the interface from the source (internet) and the destination is where it goes on the OTHER side of the router, that would be my LAN network, right? But if I set up the ACL like it is above my LAN has no network connection to the internet, outbound or inbound.

Hi,

add this to your ACL: deny ip any any log

then go to internet from LAN while you do debug ip nat

tell us if you see a log message and post output of debug.

Do the same from the internet going to the service published.

Regards.

Alain

Don't forget to rate helpful posts.

Here is the log from LAN to internet.

NAT*: s=10.10.0.51->75.123.45.67, d=50.16.37.159 [3050]
NAT*: s=10.10.0.51->75.123.45.67, d=74.125.227.159 [3051]
NAT*: s=10.10.0.51->75.123.45.67, d=74.125.227.159 [3052]
NAT*: s=10.10.0.51->75.123.45.67, d=50.16.37.159 [3053]
NAT*: s=10.10.0.51->75.123.45.67, d=50.16.37.159 [3054]
NAT*: s=10.10.0.51->75.123.45.67, d=74.125.227.159 [3056]
NAT*: s=10.10.0.51->75.123.45.67, d=50.16.37.159 [3057]
NAT*: s=10.10.0.51->75.123.45.67, d=50.16.37.159 [3060]
NAT*: s=10.10.0.60->75.123.45.67, d=206.225.167.241 [29560]
NAT*: s=10.10.0.60->75.123.45.67, d=206.225.167.241 [29561]
NAT*: s=10.10.0.60->75.123.45.67, d=206.225.167.241 [29576]
NAT*: s=10.10.0.51->75.123.45.67, d=74.125.227.159 [3062]
NAT*: s=10.10.0.60->75.123.45.67, d=66.151.97.225 [29577]

I could not seem to get it to log anything from internet to LAN. One time the "debug ip nat" crashed the router for some reason.

Hi Paul,

On your access list you have "permit ip any host 10.10.0.0"; this statement doesn't work because 10.10.0.0 is a network address and not a single host. The way to write it is "permit ip any 10.10.0.0 0.0.255.255".

Do you have a 205.x.x.x inside your LAN? What is 205.x.x.x?

Also I see that you are using the 75.x.x.x web server IP in the ACL and mapping it to some ports. You should remove those from the ACL.

Another suggestion is to remove the 443 port from the ip nat mapping to the server and use the ACL to permit only connections to the webserver on port 443.

Example:  permit tcp any host 10.10.x.x eq 443  --> 10.10.x.x is the webserver

          deny tcp any host 10.10.x.x eq 80

Hope this helps

Eugen

PS. I will try the configuration on my lab and then will post you the results if you like
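To make the ACL behaviour discussed in this thread concrete, here is an added Python model (not from the thread or from Cisco) of IOS extended ACL matching: first match wins, wildcard masks, `host` meaning a single /32, and the `established` keyword testing only the ACK/RST bits, which is Alain's point about it not being stateful. It runs Paul's second IncomingWAN ACL against constructed inbound probes from an assumed Internet host 198.51.100.9; 205.0.0.0/24 is a stand-in for the redacted 205.x.x.x network.

```python
import ipaddress
def addr_match(spec, addr):
    """'any', 'host X', or 'base wildcard'; 1 bits in the wildcard are ignored."""
    if spec == "any":
        return True
    parts = spec.split()
    base, wild = (parts[1], "0.0.0.0") if parts[0] == "host" else parts
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wild))
    return (a | w) == (b | w)

def evaluate(acl, pkt):
    for action, proto, src, dst, dport, established in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (addr_match(src, pkt["src"]) and addr_match(dst, pkt["dst"])):
            continue
        if dport and not (dport[0] <= pkt["dport"] <= dport[1]):
            continue
        # 'established' only tests the ACK/RST bit; the router keeps no connection state
        if established and not (pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        return action
    return "deny"  # implicit deny at the end of every ACL

# Entries: (action, proto, src, dst, dest port range or None, established).
# The poster's second IncomingWAN ACL; 205.0.0.0 stands in for the redacted 205.x.x.x.
INCOMING_WAN = [
    ("permit", "ip", "205.0.0.0 0.0.0.255", "any", None, False),
    ("permit", "udp", "any", "any", (5060, 5680), False),
    ("permit", "udp", "any", "any", (10000, 25000), False),
    ("deny", "tcp", "any", "host 75.123.45.67", (22, 22), False),
    ("permit", "ip", "any", "host 75.123.45.67", None, False),
    ("permit", "tcp", "any", "host 75.123.45.67", None, True),
    ("permit", "udp", "any", "host 75.123.45.68", (1194, 1194), False),
    ("permit", "tcp", "any", "host 75.123.45.68", (443, 443), False),
]

def scenarios():
    pkt = lambda dst, dport, flags: dict(proto="tcp", src="198.51.100.9", dst=dst, dport=dport, flags=flags)
    return {
        "ssh_to_wan_ip": evaluate(INCOMING_WAN, pkt("75.123.45.67", 22, {"SYN"})),
        # entry 5 ('permit ip any host 75.123.45.67') admits every port, 80 included
        "http_to_wan_ip": evaluate(INCOMING_WAN, pkt("75.123.45.67", 80, {"SYN"})),
        "http_to_web": evaluate(INCOMING_WAN, pkt("75.123.45.68", 80, {"SYN"})),
        # the 'established' entry on its own still admits an unsolicited ACK-only packet
        "ack_only_via_established": evaluate(INCOMING_WAN[5:6], pkt("75.123.45.67", 3389, {"ACK"})),
        # 'host 10.10.0.0' is a single /32, not the 10.10.0.0/24 LAN
        "host_kw_matches_lan_host": addr_match("host 10.10.0.0", "10.10.0.2"),
        "wildcard_matches_lan_host": addr_match("10.10.0.0 0.0.0.255", "10.10.0.2"),
    }
```

The `http_to_wan_ip` result is the PCI-relevant one: the broad `permit ip any host 75.123.45.67` entry sits before the port-specific entries, so nothing after it ever restricts traffic to that address.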
