
Basic Config Question

js358
Level 1

Hello All:

I need to put a firewall up behind a 2621 router on a line which will be running several web and mail servers. I'm just starting out with Cisco routers, so I just want to make sure the config is good.

Thanks in Advance

The Firewall Network Config:

LAN IP - 10.0.2.250

WAN IP - 63.138.226.130

GW - 63.138.226.129

Router config:

Current configuration : 2032 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname EMSI-2621
!
logging queue-limit 100
enable secret xxxxx
enable password xxxx
!
ip subnet-zero
interface FastEthernet0/0
 ip address 10.0.2.100 255.255.255.0
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0
 description NETZOA T1
 ip address 63.148.x.x.x.255.252
 encapsulation ppp
 no ip mroute-cache
 no fair-queue
 no cdp enable
!
interface FastEthernet0/1
 description Firewall WAN
 ip address 63.148.x.x.x.255.192
 ip route-cache same-interface
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/1
 no ip address
 no ip mroute-cache
 shutdown
 no cdp enable
!
router rip
 version 2
 network 10.0.0.0
!
ip http server
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0


Harold Ritter
Cisco Employee

Why would you have your LAN segment connected to the router in front of the FW rather than behind the FW?

Hope this helps,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Router - Firewall - LAN, what's the problem with that?

Hello,

the config looks OK, as far as I can see. I assume you want to create a DMZ in your setup, with the firewall put behind, and not in front of, the router?

Regards,

Georg

Thanks, that's the idea. The reason I posted is because I did a test of this yesterday and ran into a strange issue: I was able to ping the web server and mail server behind the firewall, but could not access web pages from outside, nor could I connect to port 25 on the mail server.

Figured it was rules on the firewall, but that wasn't it. The rules are pretty straightforward: allow WAN to LAN, ports 80 and 25, to their respective servers.

Couldn't figure out the issue.

Are you pinging from outside of the firewall? If so, did your rules allow pings to the servers? Test your rules on the firewall by turning all rules off, i.e. disabling the firewall and allowing all traffic.

You might want to give the config of the firewall.

The DMZ would normally be connected to the FW, not the external router, right? I'm also intrigued by the fact that he is running RIP on that DMZ. Who are we running RIP with?

My 2 cents,

Harold Ritter

What is Fa0/0 then? That is the part that I'm worrying about.

Harold Ritter

FA0/0 was just a matter of convenience for me so I could connect via telnet to the router. From everyone's point of view, what I'm gathering is that the config looks functional. The issue sits with the firewall.

Is this safe to assume? As mentioned in the first post, I'm not a router expert by any stretch, so I'm sure there are things in the config that could be cleaned up. Just trying to make sure it is not the router causing the issues. That's what I know the least about.

It might be a typing error: the IP addresses of the firewall and the router are not on the same subnet.

Firewall: 63.138.226.130

Router: 63.148.226.129

Please confirm or correct.

Do we assume that the rip configuration is for you to be able to telnet into the router?

Yes to both questions. I just noticed the .138, which should be .148.
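The following is an added example, not part of this thread or the poster's configuration. It covers two things raised so far: it parses a running-config of the shape posted above and flags what an edge-router review would catch in it (a private LAN segment hung off the router outside the firewall, RIP running with no authentication, no inbound access list on the T1 interface, cleartext HTTP management, and a reversible type-7 "enable password" next to the "enable secret"), and it performs the subnet check behind the .138/.148 typo: the firewall's gateway must be an address on a router interface, and the firewall's WAN address must fall inside that interface's subnet. The sample config is constructed from the posted one; the masked octets are assumed (Serial0/0 as 192.0.2.2/30, Fa0/1 as 63.148.226.129/26, the address the poster later confirms), and the finding codes are this example's own.

```python
"""Audit a Cisco IOS running-config for the points raised in this thread (added example)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the posted config. Masked octets are ASSUMED:
# Serial0/0 = 192.0.2.2/30 (documentation range), Fa0/1 = 63.148.226.129/26.
# Sub-commands are indented one space, as 'show running-config' prints them.
SAMPLE_CONFIG = """\
enable secret xxxxx
enable password xxxx
!
interface FastEthernet0/0
 ip address 10.0.2.100 255.255.255.0
 no cdp enable
!
interface Serial0/0
 ip address 192.0.2.2 255.255.255.252
 encapsulation ppp
!
interface FastEthernet0/1
 description Firewall WAN
 ip address 63.148.226.129 255.255.255.192
!
interface Serial0/1
 no ip address
 shutdown
!
router rip
 version 2
 network 10.0.0.0
!
ip http server
ip http secure-server
"""

Finding = Tuple[str, str]  # (code, detail); the codes are this example's own
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Map interface name -> {ip, shutdown, acl_in, rip_auth} from an indented config."""
    ifaces: Dict[str, dict] = {}
    current = None
    for line in config.splitlines():
        head = re.match(r"^interface\s+(\S+)", line, re.IGNORECASE)
        if head:
            current = head.group(1)
            ifaces[current] = {"ip": None, "shutdown": False, "acl_in": None, "rip_auth": False}
            continue
        if not line.startswith(" "):
            current = None  # any unindented line ends the interface block
            continue
        if current is None:
            continue
        cmd = line.strip()
        addr = re.match(r"ip address (\S+) (\S+)$", cmd)
        acl = re.match(r"ip access-group (\S+) in$", cmd)
        if addr:  # ipaddress accepts a dotted-decimal mask after the slash
            ifaces[current]["ip"] = ipaddress.IPv4Interface(f"{addr.group(1)}/{addr.group(2)}")
        elif acl:
            ifaces[current]["acl_in"] = acl.group(1)
        elif cmd == "shutdown":
            ifaces[current]["shutdown"] = True
        elif cmd.startswith("ip rip authentication"):
            ifaces[current]["rip_auth"] = True
    return ifaces


def classful_network(addr: str) -> ipaddress.IPv4Network:
    """RIP 'network' statements are classful: class A = /8, B = /16, C = /24."""
    first = int(addr.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def audit(config: str, fw_wan: str, fw_gw: str, external: str) -> List[Finding]:
    """Check the firewall's addressing against the config and flag weak edge settings."""
    live = {n: i for n, i in parse_interfaces(config).items() if i["ip"] is not None and not i["shutdown"]}
    findings: List[Finding] = []

    # The gateway must be a router address and the firewall WAN must share its subnet (.138 vs .148).
    gw_if = next((n for n, i in live.items() if str(i["ip"].ip) == fw_gw), None)
    if gw_if is None:
        findings.append(("GW_NOT_ON_ROUTER", f"gateway {fw_gw} is on no router interface"))
    elif ipaddress.IPv4Address(fw_wan) not in live[gw_if]["ip"].network:
        findings.append(("FW_WAN_OFF_SUBNET", f"{fw_wan} is outside {live[gw_if]['ip'].network} on {gw_if}; typo?"))

    # An RFC 1918 segment on the edge router is reachable without crossing the firewall.
    for name, info in live.items():
        if name != gw_if and any(info["ip"].ip in n for n in RFC1918):
            findings.append(("LAN_OUTSIDE_FW", f"{name} {info['ip']} bypasses the firewall"))

    # RIP speaks on every live interface its classful 'network' covers; unauthenticated RIP accepts any route.
    for stmt in re.finditer(r"^ network (\S+)$", config, re.M):
        net = classful_network(stmt.group(1))
        for name, info in live.items():
            if info["ip"].ip in net and not info["rip_auth"]:
                findings.append(("RIP_UNAUTH", f"RIP on {name} without authentication; a static route would do"))

    if external in live and live[external]["acl_in"] is None:
        findings.append(("NO_EDGE_ACL", f"no inbound access-group on {external}"))
    if re.search(r"^ip http server$", config, re.M):
        findings.append(("HTTP_MGMT", "cleartext HTTP management is enabled"))
    if re.search(r"^enable password ", config, re.M):
        findings.append(("ENABLE_PASSWORD", "reversible type-7 'enable password' present alongside 'enable secret'"))
    return findings


def codes(findings: List[Finding]) -> List[str]:
    """Sorted, de-duplicated finding codes, convenient for scripting."""
    return sorted({code for code, _ in findings})


if __name__ == "__main__":
    # Addresses as given in the thread: FW WAN 63.138.226.130, router/GW 63.148.226.129.
    for code, detail in audit(SAMPLE_CONFIG, "63.138.226.130", "63.148.226.129", "Serial0/0"):
        print(f"{code:18} {detail}")
```

Run as-is, the script reports FW_WAN_OFF_SUBNET for the addresses in the first post; with the WAN corrected to 63.148.226.130 that finding disappears and the remaining ones describe the router itself. The parser depends on the one-space indentation of `show running-config` output, so paste the config from the router rather than from a forum post that has flattened it.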

Not applicable

As previously mentioned, just check your typo regarding 138 & 148. If all you have your LAN tap for is simple telnet access, you may be better off just using a static route and curbing the use of RIP altogether. Since it's just one network you're broadcasting, it can be pointless to do so when a simple route statement can be inserted into the routing table.

Also, if you cannot access the web server from external->DMZ, I'm assuming you're using an ACL and labeling your DMZ to be, say, port fe0/1, etc. In which case just check your source and destination regarding the actual ACL. It sounds like you're just blocking the ports. You can do maybe:

access-list 101 permit tcp any any eq 80

access-list 101 permit tcp any any eq 25

! then go to the external interface in config mode and apply it inbound

(config-if)#ip access-group 101 in

If you have your bases covered routing-wise to your DMZ port and the subsequent servers on it, you should then be able to get the traffic over to the server you need. Otherwise you still may have to address getting a packet on a certain port, coming in on your external port, to your DMZ port and to a specific server that is providing, say, SMTP or HTTP. I'm assuming that may possibly be your issue, since I did not see any ACL portion (I'm assuming that's not your complete config you posted; if it is, then please let us know).

--j2

Not applicable

So to continue a little bit:

Let's say you have your DNS pointing your web site and MX over to

63.138.226.130

This will have your packets coming across as follows:

63.138.226.130:80 for HTTP

63.138.226.130:25 for SMTP

Let's say internally your web server is 10.1.205.2

And your SMTP server is 10.1.205.3

So you still have to get traffic on those ports, ingress, to the appropriate IPs internally, either on your LAN segment or your DMZ.

I'm not sure if you know how to do so, so I'll mention that you can just use port forwarding on this one to get the packets where you need them to be:

ip nat inside source static tcp 10.1.205.2 80 63.138.226.130 80

ip nat inside source static tcp 10.1.205.3 25 63.138.226.130 25

!NOTE!! you must label your external and internal ports as:

(config-if, external interface)#ip nat outside

(config-if, internal interface)#ip nat inside

After that you will definitely want to try running some traffic and monitoring the status of the NAT by doing a "show ip nat translations".

Hope this helps, and best of luck on your config!

--j2
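As an added example (not j2's or the poster's configuration), here is what the inbound filter sketched above looks like once the destination is made specific. It assumes, as the poster states, that the firewall's WAN address is 63.148.226.130 on the Fa0/1 /26 and that the firewall, not the router, does the NAT, so the only addresses the Internet should ever reach through Serial0/0 are the firewall's. The ACL name and the DNS reply line are this example's own choices.

```cisco
! Added example; assumes firewall WAN = 63.148.226.130 behind FastEthernet0/1
ip access-list extended EDGE-IN
 remark Published services: the destination is the firewall's WAN address, not the inside servers
 permit tcp any host 63.148.226.130 eq www
 permit tcp any host 63.148.226.130 eq smtp
 remark Replies to sessions the firewall opened outbound (matches ACK/RST set; not stateful)
 permit tcp any host 63.148.226.130 established
 permit udp any eq domain host 63.148.226.130 gt 1023
 remark ICMP needed for troubleshooting and path MTU discovery
 permit icmp any host 63.148.226.130 echo-reply
 permit icmp any host 63.148.226.130 unreachable
 permit icmp any host 63.148.226.130 time-exceeded
 remark Everything else, including traffic aimed at the router's own addresses, is logged and dropped
 deny ip any any log
!
interface Serial0/0
 ip access-group EDGE-IN in
```

Two caveats. With this filter in place, the ping test from outside that the poster used stops working unless a `permit icmp any host 63.148.226.130 echo` line is added, so test with the actual services (port 80 and port 25) rather than ICMP. The `established` keyword only checks TCP flags and keeps no session state; if the image carries the firewall feature set, `ip inspect` (CBAC) on the outside interface is the stateful alternative. Verify the filter is attached and counting hits with `show ip interface Serial0/0` (look for "Inbound access list is EDGE-IN") and `show ip access-lists EDGE-IN`.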

Thanks - that's the complete config. I have no ACLs on the router itself, letting the firewall take care of it. I'm also NATing from the firewall instead of the router.

So I have FA0/0 63.148.226.129 to my WAN port on the FW (63.148.226.130). Naturally have LAN port on FW to switch.

I have this same setup on a different router and it's working fine. Can't figure this one out. Haven't tried again since the post, so I'll take all of this in and see what's what.

In the very basic sense though, I cannot see why this simple config didn't work.

I guess you would also need a reverse route on the router pointing to the firewall for traffic from outside to access the LAN.

-Sai.
