Connectivity/Configuration Problems

habutti · ‎02-20-2008

Hi, we setup a Cisco 1721 to work with Comcast cable (DHCP address from ISP) in a small SOHO environment. All the clients/host on the LAN are getting an IP address and can ping the gateway but we cannot get to the outside world (Internet). Your help is greatly appreciated as well as all suggestions for performance/security improvements. Non working config is attached due to posting space.

Thanks in advance for your help.

ohassairi · ‎02-21-2008

did you try to debug the dhcp?

Richard Burts · ‎02-21-2008

Charles

There are several issues with the config that you posted. First and most important there are problems with the access lists that you are using. Access list 100 is applied inbound on the public interface. Access list 100 only denies things that you do not want to get through and ends with deny ip any any. So it does not permit anything. There is a similar issue with access list 101 which is applied outbound on the public interface. It has a longer and more detailed list of denies ending with deny ip any any. So nothing goes out and nothing comes in. You need to rework both of these access lists deciding what you want to permit and including that into the logic.

There may be a lesser problem with the address translation. You use access list 110 to control address translation. There are sometimes issues with access lists for address translation which include the parameter any. I would suggest that you could get the same result if you change the address translation to use a standard access list coded like this:

access-list 10 permit 172.16.0.0 0.0.0.255

access-list 10 deny any

Make the changes that I suggest and let us know if it works better.

HTH

Rick

HTH

Rick

habutti · ‎02-21-2008

Hi, I've done major changes to the config and at least now I am getting and IP address on the public interface, but I still cannot gain internet access. Here is the current config:

interface Ethernet0

description WAN Interface to Comcast

ip address dhcp

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

full-duplex

no cdp enable

!

interface FastEthernet0

description LAN Interface to Private Network

ip address 172.16.0.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

speed 100

full-duplex

!

ip nat inside source list 1 interface Ethernet0 overload

ip classless

no ip forward-protocol udp tftp

no ip forward-protocol udp netbios-ns

no ip forward-protocol udp netbios-dgm

no ip forward-protocol udp tacacs

ip route 0.0.0.0 0.0.0.0 Ethernet0

ip route 10.0.0.0 255.0.0.0 Null0

ip route 172.16.0.0 255.240.0.0 Null0

ip route 192.168.0.0 255.255.0.0 Null0

no ip http server

no ip http secure-server

!

access-list 1 permit 172.16.0.0 0.0.0.255

access-list 1 deny any

access-list 100 remark Basic Firewall to protect from Internet intruders

access-list 100 deny ip 192.168.0.0 0.0.255.255 any log-input

access-list 100 deny ip 172.16.0.0 0.15.255.255 any log-input

access-list 100 deny ip 10.0.0.0 0.255.255.255 any log-input

access-list 100 deny ip 127.0.0.0 0.255.255.255 any log-input

access-list 100 deny ip 255.0.0.0 0.255.255.255 any log-input

access-list 100 deny ip 224.0.0.0 31.255.255.255 any log-input

access-list 100 deny ip host 0.0.0.0 any log-input

access-list 100 deny ip any any log-input

access-list 101 remark Deny Illegitimate Traffic go outbound

access-list 101 deny tcp any any eq 135 log-input

access-list 101 deny tcp any eq 135 any log-input

access-list 101 deny udp any any eq 135 log-input

access-list 101 deny udp any eq 135 any log-input

access-list 101 deny tcp any any range 137 139 log-input

access-list 101 deny tcp any range 137 139 any log-input

access-list 101 deny udp any any range netbios-ns netbios-ss log-input

access-list 101 deny udp any range netbios-ns netbios-ss any log-input

access-list 101 deny tcp any any eq 445 log-input

access-list 101 deny tcp any eq 445 any log-input

access-list 101 deny udp any any eq 445 log-input

access-list 101 deny udp any eq 445 any log-input

access-list 101 deny tcp any any eq 593 log-input

access-list 101 deny tcp any eq 593 any log-input

access-list 101 deny tcp any any eq 707 log-input

access-list 101 deny tcp any eq 707 any log-input

access-list 101 deny tcp any any eq 4444 log-input

access-list 101 deny tcp any eq 4444 any log-input

access-list 101 deny ip host 0.0.0.0 any log-input

access-list 101 deny ip host 255.255.255.255 any log-input

access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input

access-list 101 deny ip any 10.0.0.0 0.255.255.255 log-input

access-list 101 deny ip any 172.16.0.0 0.15.255.255 log-input

access-list 101 deny ip any 192.168.0.0 0.0.255.255 log-input

access-list 101 deny udp any any eq netbios-ns

access-list 101 deny udp any any eq netbios-dgm

access-list 101 deny udp any any eq netbios-ss

access-list 101 deny ip any any log-input

no cdp run

!

Richard Burts · ‎02-21-2008

Charles

Yes - removing the access lists from the interfaces is a major change and helps the issue considerably. And I believe that the address translation is better now.

I believe that your current issue is most likely the default route that you have configured:

ip route 0.0.0.0 0.0.0.0 Ethernet0

a static route out a LAN interface with no next hop information will force your router to ARP on every destination address. And it is dependent on proxy ARP being enabled on the next hop router. My guess is that the next hop router is not doing proxy ARP. You could verify this by running debug arp on the router. I believe that you will see the router sending ARP requests but not receiving responses. And if you do show arp then I believe that you will see many entries in the ARP table marked as incomplete.

The best way to fix this is to recode the static default route and specify the next hop address of the provider router.

HTH

Rick

HTH

Rick

habutti · ‎02-21-2008

Rick,

First of all many thanks for your help; I was seeing in the ARP table a lot of incomplete. I've modified the config including the ACL (but will not apply them yet, will wait for input), I configured the next hop as well; attached is what the new config looks like. I am able to get out and I am not seeing any incompletes in the ARP table anymore, also I'm able to ping external addresses (google, yahoo) using Fa0 as source, so NAT is working properly; however, speed is slower or as slow as dial-up and when establishing a VPN connection to headquarters, customers are unable to get a permanent connection to the Exchange server (everything else works, cripplingly slow, but works even the intranet), the IP phones are not doing so well, they will connect upon reboot, and soon after disconnect (and I haven't even applied the ACLs yet). I really appreciate your help/suggestions.

Richard Burts · ‎02-21-2008

Charles

The address translation looks better and according to your post it is now working - so that is good.

I also gather that the static default route is working now that it has a next hop address specified.

I see some change in the input access list but not in the outbound access list. And I do not think that you will be happy about the results if you implement these access lists. Access list 100 will be applied inbound (I assume) and now has permits for HTTP, HTTPS, SMTP, FTP (but not the data channel of FTP), and established which will allow inside hosts to initiate TCP to outside. But it does not permit any UDP, any ICMP, or any other TCP. I believe that you need to think about this somewhat more.

Access list 101 which I believe would be applied outbound still does not have any permit statements. This is a severe problem which you should address.

HTH

Rick

HTH

Rick

habutti · ‎02-23-2008

Hi again,

Ok, below is what I've come up with for the ACLs; your input/suggestions are greatly appreciated - Two points:

1.- Do you have any suggestions for improving the speed/performance (this thing is crawling without the ACLs, can't imagine once applied)

2.- Feel free to suggest improvements and point out problems/errors. Thanks again

access-list 1 permit 172.16.0.0 0.0.0.255

access-list 1 deny any

!

access-list 100 remark Basic ACL to protect from Internet Intrusion (In on E0)

access-list 100 permit tcp any any established

access-list 100 permit icmp any any

aceess-list 100 permit udp any any

access-list 100 deny ip 192.168.0.0 0.0.255.255 any log-input

access-list 100 deny ip 172.16.0.0 0.15.255.255 any log-input

access-list 100 deny ip 10.0.0.0 0.255.255.255 any log-input

access-list 100 deny ip 127.0.0.0 0.255.255.255 any log-input

access-list 100 deny ip 255.0.0.0 0.255.255.255 any log-input

access-list 100 deny ip 224.0.0.0 31.255.255.255 any log-input

access-list 100 deny ip host 0.0.0.0 any log-input

access-list 100 deny ip any any log-input

!

access-list 101 remark Deny Illegitimate Traffic to Internet (Out on E0)

access-list 101 permit tcp any any eq www

access-list 101 permit tcp any any eq ftp-data

access-list 101 permit tcp any any eq 443

access-list 101 permit tcp any any eq 110

access-list 101 permit tcp any any eq smtp

access-list 101 deny tcp any any eq 135 log-input

access-list 101 deny tcp any eq 135 any log-input

access-list 101 deny udp any any eq 135 log-input

access-list 101 deny udp any eq 135 any log-input

access-list 101 deny tcp any any range 137 139 log-input

access-list 101 deny tcp any range 137 139 any log-input

access-list 101 deny udp any any range netbios-ns netbios-ss log-input

access-list 101 deny udp any range netbios-ns netbios-ss any log-input

access-list 101 deny tcp any any eq 445 log-input

access-list 101 deny tcp any eq 445 any log-input

access-list 101 deny udp any any eq 445 log-input

access-list 101 deny udp any eq 445 any log-input

access-list 101 deny tcp any any eq 593 log-input

access-list 101 deny tcp any eq 593 any log-input

access-list 101 deny tcp any any eq 707 log-input

access-list 101 deny tcp any eq 707 any log-input

access-list 101 deny tcp any any eq 4444 log-input

access-list 101 deny tcp any eq 4444 any log-input

access-list 101 deny ip host 0.0.0.0 any log-input

access-list 101 deny ip host 255.255.255.255 any log-input

access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input

access-list 101 deny ip any 10.0.0.0 0.255.255.255 log-input

access-list 101 deny ip any 172.16.0.0 0.15.255.255 log-input

access-list 101 deny ip any 192.168.0.0 0.0.255.255 log-input

access-list 101 deny udp any any eq netbios-ns

access-list 101 deny udp any any eq netbios-dgm

access-list 101 deny udp any any eq netbios-ss

access-list 101 deny ip any any log-input

Richard Burts · ‎02-24-2008

Charles

Here are my comments about the access lists:

- access list 100 permit tcp established is very good and will allow responses to return for sessions that were initiated from inside.

- access list 100 does not permit any other TCP traffic inbound. If that is what you really want it is fine. But are there things that you might want to allow (would you ever want to SSH to something from outside (TCP 22) or if you have a DNS server on the inside would it ever need to accept a zone transfer (TCP 53) or other kinds of TCP traffic)?

- access list permits all ICMP traffic and all UDP traffic and then goes through several statements to deny traffic from "invalid" source addresses. I would think that you want to deny the invalid addresses before you permit ICMP and UDP.

- access list 101 permits a few specific TCP ports outbound. But it permits no ICMP and no UDP. I find it a bit strange that inbound permits any ICMP and any UDP but outbound does not permit any of them.

HTH

Rick

HTH

Rick

habutti · ‎02-24-2008

Hey Rick,

Excellent points, thank you very much, and yes I do have ssh set up on this router instead of telnet. I will edit the ACLs and post the config for comments.

Thanks again,

Charles

habutti · ‎02-27-2008

Well hello again, so far everything works without ACL 100. Once ACL 100 is applied inbound, the VoIP phones will not work and Cisco VPN sessions initiated from within to HQ are terminated locally by client (error 412) I've also configured the router as a VPN server for a few employees to connect remotely using Microsoft VPN client functionality available with their Windows XP machines. Help is always appreciated.

Thank you very much.

Richard Burts · ‎02-27-2008

Charles

This post looks like there should be an attachment but there is no attachment. So we can not tell what you were trying to show us. But based on your description of the problems there is obviously still a problem and it is most likely a problem with access list 100 applied inbound. I commented earlier that access list 100 was very restrictive and probably needed to permit more things. I believe that these problems demonstrate what I was talking about.

My suggestion is that you go back through the list of what is not working and think about what kind of traffic that would be inbound. Then look in access list 100 and see if it is permitted.

If that does not show you the solution to the problem then I suggest that the next step would be to make the last statement in access list 100 be deny ip any any log. This will create log messages for all traffic that is denied. Look in the log messages for traffic that was denied that is traffic for these things that are not working and figure what else you need to permit in access list 100.

HTH

Rick

HTH

Rick