Cisco 1841 T1 & Firewall Config HELP!!!!!!!!!

We have a Cisco 1841 Bundle with a T1.

Connection of the T1 to the www works great. We have several servers natted to the web for web and email.

The only way for the servers to be accessible from and to the web is by an allow any statement. I need to be able just to allow certain ports in and any out. If I remove the any statement, I lose all connectivity through the router and firewall for all devices.

Below is my config. Any help would be greatly appreciated.

Thanks, Eddie

*********************************************************************
CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user! (ACCESS LOGGED)

User Access Verification

Username: admin
Password:
gateway#en
gateway#show run
Building configuration...

Current configuration : 8603 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gateway
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
ip dhcp excluded-address 10.0.1.1 10.0.1.60
!
ip dhcp pool Local
 network 10.0.1.0 255.255.255.0
 domain-name testus.com
 dns-server 64.251.26.3 64.251.26.2
 default-router 10.0.1.1
 lease 5
!
!
ip ips po max-events 100
no ip bootp server
ip domain name testus.com
ip name-server 67.15.50.136
ip name-server 67.15.50.134
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$FW_INSIDE$===Production Subnet===
 ip address 10.0.1.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface FastEthernet0/1
 description ===Office Subnet===
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface Serial0/0/0
 description ===Internet Connection === (Infolink)
 bandwidth 1544
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation frame-relay
 ip route-cache flow
 no fair-queue
 service-module t1 timeslots 1-24
 no arp frame-relay
!
interface Serial0/0/0.402 point-to-point
 description ===Internet Connection===
 ip address 64.251.26.6 255.255.255.252
 ip access-group sdm_serial0/0/0.402_in in
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 no arp frame-relay
 frame-relay interface-dlci 402
!
ip classless
ip route 0.0.0.0 0.0.0.0 64.251.26.5
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip nat pool Global 69.68.112.200 69.68.112.200 netmask 255.255.255.240
ip nat pool clients 69.68.112.199 69.68.112.199 netmask 255.255.255.240
ip nat pool WWW 69.69.112.198 69.69.112.198 netmask 255.255.255.240
ip nat inside source list 20 pool Global overload
ip nat inside source static 10.0.1.40 69.68.112.196
ip nat inside source static 10.0.1.8 69.68.112.197
ip nat inside source static 10.0.1.5 69.68.112.198
ip nat inside source static 10.0.1.6 69.68.112.199
!
ip access-list extended sdm_serial0/0/0.402_in
 remark SDM_ACL Category=1
 deny tcp any host 69.68.112.196 eq www
 permit tcp any host 69.68.112.199 log
 remark Terminal Server
 permit tcp any host 69.68.112.197 eq 3389 log
 remark FTP
 permit tcp any host 69.68.112.196 range ftp-data ftp log
 permit tcp any host 69.68.112.198 eq smtp log
 permit tcp any host 69.68.112.198 eq www log
 permit icmp any host 69.68.112.200 log
 permit icmp any host 69.68.112.200 time-exceeded
 permit icmp any host 69.68.112.200 unreachable
 permit ip any any log
 deny ip host 255.255.255.255 any
 deny ip host 0.0.0.0 any
 deny ip any any log
 remark SDM_ACL Category=1
 remark Terminal Server
 permit tcp any eq 3389 host 69.68.112.197 eq 3389 log
 remark FTP
 permit tcp any eq smtp host 69.68.112.198 eq smtp log
 permit tcp any eq www host 69.68.112.198 eq www log
 permit icmp any any log
!
logging trap debugging
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.0.1.0 0.0.0.127
access-list 20 remark Oubound NAT
access-list 20 remark SDM_ACL Category=2
access-list 20 permit any
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 69.68.112.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit gre any any
access-list 100 permit ip any any
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 10.0.1.0 0.0.0.127 host 10.0.1.1 eq telnet
access-list 100 permit tcp 10.0.1.0 0.0.0.127 host 10.0.1.1 eq 22
access-list 100 permit tcp 10.0.1.0 0.0.0.127 host 10.0.1.1 eq www
access-list 100 permit tcp 10.0.1.0 0.0.0.127 host 10.0.1.1 eq 443
access-list 100 permit tcp 10.0.1.0 0.0.0.127 host 10.0.1.1 eq cmd
access-list 100 permit udp 10.0.1.0 0.0.0.127 host 10.0.1.1 eq snmp
access-list 100 deny tcp any host 10.0.1.1 eq telnet
access-list 100 deny tcp any host 10.0.1.1 eq 22
access-list 100 deny tcp any host 10.0.1.1 eq www
access-list 100 deny tcp any host 10.0.1.1 eq 443
access-list 100 deny tcp any host 10.0.1.1 eq cmd
access-list 100 deny udp any host 10.0.1.1 eq snmp
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 permit ip 10.0.1.0 0.0.0.127 any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 permit ip 10.0.1.0 0.0.0.127 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp 10.0.1.128 0.0.0.127 host 10.0.1.129 eq telnet
access-list 103 permit tcp 10.0.1.128 0.0.0.127 host 10.0.1.129 eq 22
access-list 103 permit tcp 10.0.1.128 0.0.0.127 host 10.0.1.129 eq www
access-list 103 permit tcp 10.0.1.128 0.0.0.127 host 10.0.1.129 eq 443
access-list 103 permit tcp 10.0.1.128 0.0.0.127 host 10.0.1.129 eq cmd
access-list 103 deny tcp any host 10.0.1.129 eq telnet
access-list 103 deny tcp any host 10.0.1.129 eq 22
access-list 103 deny tcp any host 10.0.1.129 eq www
access-list 103 deny tcp any host 10.0.1.129 eq 443
access-list 103 deny tcp any host 10.0.1.129 eq cmd
access-list 103 deny udp any host 10.0.1.129 eq snmp
access-list 103 permit ip any any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark SDM_ACL Category=1
access-list 104 remark Auto generated by SDM Management Access feature
access-list 104 remark SDM_ACL Category=1
access-list 104 deny tcp any host 64.251.26.6 eq telnet
access-list 104 deny tcp any host 64.251.26.6 eq 22
access-list 104 deny tcp any host 64.251.26.6 eq www
access-list 104 deny tcp any host 64.251.26.6 eq 443
access-list 104 deny tcp any host 64.251.26.6 eq cmd
access-list 104 deny udp any host 64.251.26.6 eq snmp
access-list 104 permit ip any any
access-list 104 remark Auto generated by SDM Management Access feature
access-list 104 remark SDM_ACL Category=1
access-list 120 remark SDM_ACL Category=2
access-list 120 permit ip any any
access-list 120 remark SDM_ACL Category=2
no cdp run
!
!
control-plane
!
banner login ^CCAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user! (ACCESS LOGGED) ^C
!
line con 0

!
scheduler allocate 4000 1000
end

Reply to
googlenews

If this ANY statement is ACL 20 you need that for the global address. To be a little more secure you could specify an IP address range like 10.1.0.0 0.0.255.255. Also I had run into an issue some time ago where I used static NATs. Basically none of the hosts specified by the STATIC entries were using the address set aside. The resolution was to add DENY entries to the global ACL to stop them from using the global address (see below).

access-list 20 deny 10.1.1.1
access-list 20 deny 10.1.1.2
access-list 20 deny 10.1.1.3
access-list 20 permit 10.1.1.0 0.0.0.255

Reply to
jdsal
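Both posts above turn on how IOS walks an access list: the first entry that matches wins and everything after it is never consulted. In Eddie's inbound extended ACL the entry "permit ip any any log" sits ahead of the per-host deny entries, and in jdsal's standard ACL 20 the deny entries for the static-NAT hosts have to come before the permit for the subnet. The following Python evaluator is an added example for this thread; it is not the poster's configuration, not a Cisco tool, and the two embedded ACLs are constructed samples (a trimmed copy of the serial ACL from the config, and jdsal's 10.1.1.x list). It parses standard and extended entries, looks traffic up with first-match semantics, and reports entries that an earlier, broader entry shadows so that they can never match. The service-name table (www, smtp, ftp, ftp-data, telnet) covers only the keywords that appear in this thread and is an assumption of the example.

```python
"""Cisco IOS ACL parser/evaluator: first-match lookup plus detection of entries that
an earlier, broader entry shadows.  Added example for this thread, not a Cisco tool."""
import ipaddress
from collections import namedtuple

PROTOS = ("ip", "tcp", "udp", "icmp")
# Assumption: only the service keywords that appear in the thread's config are mapped.
PORT_NAMES = {"www": 80, "smtp": 25, "ftp": 21, "ftp-data": 20, "telnet": 23}
ANY, MASK = (0, 0xFFFFFFFF), 0xFFFFFFFF   # 'any' = network 0.0.0.0, wildcard 255.255.255.255

# src/dst are (network, wildcard) 32-bit ints; sport/dport are (low, high) or None for any.
Rule = namedtuple("Rule", "action proto src sport dst dport text")

def _ip(s): return int(ipaddress.IPv4Address(s))
def _port(s): return int(s) if s.isdigit() else PORT_NAMES[s]

def _addr(t, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at token i."""
    if t[i] == "any": return ANY, i + 1
    if t[i] == "host": return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def _ports(t, i):
    """Consume an optional 'eq X' or 'range X Y' starting at token i."""
    if i < len(t) and t[i] == "eq": return (_port(t[i + 1]),) * 2, i + 2
    if i < len(t) and t[i] == "range": return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return None, i

def parse_rule(line):
    t = line.split()
    if t[1] not in PROTOS:                       # standard ACL: only a source is given
        if t[1] in ("any", "host") or (len(t) > 2 and t[2][0].isdigit()):
            src, _ = _addr(t, 1)
        else:                                    # a bare address means a single host
            src = (_ip(t[1]), 0)
        return Rule(t[0], "ip", src, None, ANY, None, line)
    src, i = _addr(t, 2); sport, i = _ports(t, i)
    dst, i = _addr(t, i); dport, i = _ports(t, i)   # trailing 'log' etc. are ignored
    return Rule(t[0], t[1], src, sport, dst, dport, line)

def parse_acl(text):
    """Permit/deny entries in order; 'remark' lines are skipped."""
    return [parse_rule(l.strip()) for l in text.strip().splitlines()
            if l.split() and l.split()[0] in ("permit", "deny")]

def _addr_match(nw, addr):
    net, wild = nw
    return (addr & ~wild & MASK) == (net & ~wild & MASK)
def _port_match(rng, port):
    return rng is None or (port is not None and rng[0] <= port <= rng[1])

def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """First matching entry wins; the implicit deny at the end reports index None."""
    s, d = _ip(src), _ip(dst)
    for idx, r in enumerate(rules):
        if (r.proto in ("ip", proto) and _addr_match(r.src, s) and _addr_match(r.dst, d)
                and _port_match(r.sport, sport) and _port_match(r.dport, dport)):
            return r.action, idx
    return "deny", None

def _addr_covers(a, b):
    """True when every address matched by b is also matched by a."""
    (na, wa), (nb, wb) = a, b
    return (~wa & wb & MASK) == 0 and (na & ~wa & MASK) == (nb & ~wa & MASK)
def _port_covers(a, b):
    return a is None or (b is not None and a[0] <= b[0] and b[1] <= a[1])

def shadowed(rules):
    """(shadowed_index, shadowing_index) pairs: entries no packet can ever reach."""
    out = []
    for j, rj in enumerate(rules):
        for i in range(j):
            ri = rules[i]
            if (ri.proto in ("ip", rj.proto) and _addr_covers(ri.src, rj.src)
                    and _addr_covers(ri.dst, rj.dst) and _port_covers(ri.sport, rj.sport)
                    and _port_covers(ri.dport, rj.dport)):
                out.append((j, i)); break
    return out

# Constructed sample 1: the thread's inbound serial ACL, trimmed to a few entries.
INBOUND_ACL = """
remark Terminal Server
permit tcp any host 69.68.112.197 eq 3389 log
permit tcp any host 69.68.112.198 eq smtp log
permit ip any any log
deny ip host 255.255.255.255 any
deny ip any any log
"""
# Constructed sample 2: jdsal's standard ACL 20 with the static-NAT hosts excluded.
NAT_ACL = """
deny 10.1.1.1
deny 10.1.1.2
permit 10.1.1.0 0.0.0.255
"""

if __name__ == "__main__":
    rules = parse_acl(INBOUND_ACL)
    print("RDP host, port 22:", evaluate(rules, "tcp", "198.51.100.7", "69.68.112.197", dport=22))
    for j, i in shadowed(rules):
        print(f"entry {j} [{rules[j].text}] never matches; entry {i} [{rules[i].text}] is first")
    print("static-NAT host vs. list 20:", evaluate(parse_acl(NAT_ACL), "ip", "10.1.1.1", "0.0.0.0"))
```

Run against the first sample, a TCP packet to the terminal server on port 22 is permitted by entry 2 (the "permit ip any any log"), which is why every port on the NAT'd hosts answers even though only 3389 and smtp are listed; the two deny entries after it are reported as unreachable. Removing entry 2 makes the same packet fall through to the final deny. Against the second sample, 10.1.1.1 hits its deny entry before the subnet permit, so it is kept out of the overload pool, which is the effect jdsal describes.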

I will try that.

Thanks, Eddie

Reply to
googlenews

They are using the static IP maps I have designated. But, all ports are still open to these devices although I have specified only the ports I need.

Thanks, Eddie

Reply to
googlenews

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.