Firewall+Nat Problems on Cisco2611

Hello,

I'm facing 2 pbs with my configuration. Description of the situation: a Cisco2611 (2 ethernet ports) with an ADSL ethernet modem (which is permanently authenticated by the ISP) on Ethernet0/1, but the internet address is given to the Cisco2611 by DHCP: the Cisco2611 is a DHCP client for the WAN. The Cisco2611 is a DHCP server for the LAN and acts as a firewall and a NAT router to permit access to "all internet" for the LAN and to protect the LAN.

I tested this configuration (see below) with the port scan of Gibson Research and it works pretty well.

BUT (there is always a but...)

1) First problem (you can see it after the config file below): to get the IP from the ISP, I must shut the interface Ethernet0/1, do "no ip access-group 102 in", no shut the interface and then do "ip access-group 102 in".

That's not very cool..... What am I missing in my access-list?

2) Second pb: I want to access the LAN from the internet with my notebook: I want to use dyndns.org... but it seems that the Cisco doesn't have the DDNS feature... How can I do it?

3) Third: I want to open a specific port in both directions to access a specific host from my laptop from the internet. Say for example: I want to permit traffic on ports 5555 (tcp and udp) and 6666 (tcp and udp); how must I change my config below to permit it? I tried many variations of my access-lists without success. Can you help me?

Thanks a lot Sam

********
Password:
toto.free.fr#show run
Building configuration...

Current configuration : 2299 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname toto.free.fr
!
boot-start-marker
boot-end-marker
!
enable password 7 xxxxxxx
!
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
no ip domain lookup
ip dhcp excluded-address 192.168.0.1 192.168.0.200
ip dhcp excluded-address 192.168.0.210 192.168.0.254
!
ip dhcp pool 1
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.244
 dns-server 212.27.32.177 194.149.160.9
!
no ip bootp server
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 ftp
ip audit notify log
ip audit po max-events 100
ip dhcp-client network-discovery informs 2 discovers 2 period 15
no ftp-server write-enable
!
interface Null0
 no ip unreachables
!
interface Ethernet0/0
 description connected to EthernetLAN
 ip address 192.168.0.244 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 half-duplex
!
interface Ethernet0/1
 description connected to Internet
 ip address dhcp
 ip access-group 102 in
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 half-duplex
 no cdp enable
!
router rip
 version 1
 passive-interface Ethernet0/1
 network 192.168.0.0
 no auto-summary
!
ip nat inside source list 1 interface Ethernet0/1 overload
no ip http server
ip classless
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 102 permit udp any any eq domain
access-list 102 deny   ip 192.0.0.0 0.255.255.255 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
snmp-server community public RO 1
snmp-server enable traps tty
banner login ^C
Authorized access only! Disconnect IMMEDIATELY if you are not an authorized user!
****** Acces reserve - Deconnectez vous immediatement ****!
^C
!
line con 0
 exec-timeout 0 0
 password 7 xxxxxxx
 login
line aux 0
line vty 0 4
 access-class 1 in
 password 7 xxxxxxx
 login
!
end

toto.free.fr#
00:05:07: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up
toto.free.fr#configure t
Enter configuration commands, one per line.  End with CNTL/Z.
toto.free.fr(config)#interface ethernet0/1
toto.free.fr(config-if)#shut
toto.free.fr(config-if)#no shut
00:05:45: %LINK-5-CHANGED: Interface Ethernet0/1, changed state to administratively down
toto.free.fr(config-if)#no shut
toto.free.fr(config-if)#no ip acc
toto.free.fr(config-if)#no ip acce
toto.free.fr(config-if)#no shut
00:05:58: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
00:05:59: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed stat
toto.free.fr(config-if)#no ip access-group 102 in
toto.free.fr(config-if)#shut
toto.free.fr(config-if)#no shut
toto.free.fr(config-if)#
00:06:55: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/1 assigned DHCP address 62.147.X.X, mask 255.255.255.0, hostname toto.free.fr
toto.free.fr(config-if)#ip acces
toto.free.fr(config-if)#ip access-group 102 in
toto.free.fr(config-if)#^Z
toto.free.fr#
00:07:14: %SYS-5-CONFIG_I: Configured from console by console
Reply to
sam

You need to allow UDP source port 67 (DHCP server) inbound. I don't know enough about the F/W FS to say that it should or shouldn't be looking after that for you. So you might add:

!
access-list 102 permit udp any eq 67 any
!

If you want to narrow it down you can use "show dhcp lease" to find the address(es) of your DHCP server(s) and change it to:

!
access-list 102 permit udp host <dhcp-server-address> eq 67 any
!

DDNS is a new feature for Cisco in IOS 12.3YA (I think) and only for the 800 series at the moment. Expect to see it move into the mainstream in the future.

For inbound access you need both a static NAT translation and holes in your access-list.

!
ip nat inside source static udp <inside-host> 5555 interface Ethernet0/1 5555
ip nat inside source static tcp <inside-host> 5555 interface Ethernet0/1 5555
ip nat inside source static udp <inside-host> 6666 interface Ethernet0/1 6666
ip nat inside source static tcp <inside-host> 6666 interface Ethernet0/1 6666
!
access-list 102 permit udp any any eq 5555
access-list 102 permit tcp any any eq 5555
access-list 102 permit udp any any eq 6666
access-list 102 permit tcp any any eq 6666
!

Reply to
Martin Gallagher

On Tue, 12 Apr 2005 10:20:36 +1000, "Martin Gallagher" wrote:

Ok, the problem is solved

Ok, I'll find a solution with software

I give up for the moment with the ip inspect commands.... and the firewall

I made these modifications but it still doesn't work: I can't get to the net! Where am I going wrong? Thanks again for your help

******************************

!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname toto.free.fr
!
boot-start-marker
boot-end-marker
!
enable password 7
!
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
no ip domain lookup
ip dhcp excluded-address 192.168.0.1 192.168.0.200
ip dhcp excluded-address 192.168.0.210 192.168.0.254
!
ip dhcp pool 1
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.244
 dns-server 212.27.32.177 194.149.160.9
!
no ip bootp server
ip audit notify log
ip audit po max-events 100
ip dhcp-client network-discovery informs 2 discovers 2 period 15
no ftp-server write-enable
!
interface Null0
 no ip unreachables
!
interface Ethernet0/0
 description connected to EthernetLAN
 ip address 192.168.0.244 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 half-duplex
!
interface Ethernet0/1
 description connected to Internet
 ip address dhcp
 ip access-group 102 in
 no ip proxy-arp
 ip nat outside
 half-duplex
 no cdp enable
!
router rip
 version 1
 passive-interface Ethernet0/1
 network 192.168.0.0
 no auto-summary
!
ip nat inside source list 1 interface Ethernet0/1 overload
ip nat inside source static udp 192.168.0.10 5555 interface Ethernet0/1 5555
ip nat inside source static tcp 192.168.0.10 5555 interface Ethernet0/1 5555
ip nat inside source static udp 192.168.0.10 6666 interface Ethernet0/1 6666
ip nat inside source static tcp 192.168.0.10 5664 interface Ethernet0/1 6666
no ip http server
ip classless
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 102 remark ENTRANT Interface Wan
access-list 102 permit udp host 195.83.66.36 eq ntp any eq ntp
access-list 102 permit udp any any eq domain
access-list 102 permit udp any any eq bootpc
access-list 102 permit tcp any any eq 5555
access-list 102 permit udp any any eq 5555
access-list 102 permit tcp any any eq 6666
access-list 102 permit udp any any eq 6666
access-list 102 deny   ip 192.0.0.0 0.255.255.255 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny   ip any any
snmp-server community public RO 1
snmp-server enable traps tty
banner login
Authorized access only! Disconnect IMMEDIATELY if you are not an authorized user!
****** Acces reserve - Deconnectez vous immediatement ****!
!
line con 0
 exec-timeout 0 0
 password 7
 login
line aux 0
line vty 0 4
 access-class 1 in
 password 7
 login
!
end

Reply to
sam

One of the firewall jobs is putting temporary holes in your ACL for replies to inside initiated traffic. If you turn off the firewall you need to open the ACL yourself.

Add these two lines and it should at least get you browsing:

!
access-list 102 permit tcp any any established
access-list 102 permit udp any eq domain any
!

Reply to
Martin Gallagher
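Martin's two answers (let UDP source port 67 in so the DHCP offer reaches the router; and, once ip inspect is off, open the ACL yourself for "established" TCP and for DNS answers) both come down to how an inbound IOS ACL is evaluated: first matching entry wins, and an implicit "deny ip any any" sits at the end. The following Python is an added example, not code from the thread: a small evaluator for the access-list lines used here, run over constructed sample packets. The 203.0.113.x and 198.51.100.x addresses are assumed placeholders, and the PORTS table covers only the IOS port keywords that appear in this thread.

```python
import ipaddress

PORTS = {"domain": 53, "bootps": 67, "bootpc": 68, "ntp": 123, "www": 80}  # IOS keywords used in the thread

def _addr(t):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, remaining tokens)."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1]), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]  # IOS wildcard == hostmask

def _port(t):  # consume an optional 'eq <port>'; return (port or None, remaining tokens)
    return (PORTS.get(t[1]) or int(t[1]), t[2:]) if t and t[0] == "eq" else (None, t)

def parse_ace(line):
    """'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established|icmp-type]'."""
    t = line.split()
    src, rest = _addr(t[4:])
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, rest = _port(rest)
    return t[2], t[3], src, sport, dst, dport, (rest[0] if rest else None)

def evaluate(acl, pkt):
    """First matching entry wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for line in (l for l in acl if " remark " not in l):
        action, proto, src, sport, dst, dport, qual = parse_ace(line)
        if (proto in ("ip", pkt["proto"]) and s in src and d in dst
                and sport in (None, pkt.get("sport")) and dport in (None, pkt.get("dport"))
                and (qual != "established" or pkt.get("ack"))                # ACK/RST set => 'established'
                and (qual in (None, "established") or qual == pkt.get("icmp"))):  # ICMP type keyword
            return action, line
    return "deny", "implicit deny ip any any"

# Sam's original ACL 102 (shortened) and Martin's three additions, in order
ORIGINAL_102 = ["access-list 102 permit udp any any eq domain",
                "access-list 102 deny ip 192.0.0.0 0.255.255.255 any",
                "access-list 102 permit icmp any any echo-reply"]
FIXED_102 = ORIGINAL_102 + ["access-list 102 permit udp any eq 67 any",        # DHCP server replies
                            "access-list 102 permit tcp any any established",  # replies to LAN-initiated TCP
                            "access-list 102 permit udp any eq domain any"]    # DNS answers
# Constructed inbound packets on the WAN side; 203.0.113.5 stands in for the router's DHCP-assigned address
PACKETS = {"dhcp": {"proto": "udp", "src": "203.0.113.1", "sport": 67, "dst": "255.255.255.255", "dport": 68},
           "web": {"proto": "tcp", "src": "198.51.100.7", "sport": 80, "dst": "203.0.113.5", "dport": 40000, "ack": True},
           "dns": {"proto": "udp", "src": "212.27.32.177", "sport": 53, "dst": "203.0.113.5", "dport": 40001},
           "telnet_syn": {"proto": "tcp", "src": "198.51.100.7", "sport": 4444, "dst": "203.0.113.5", "dport": 23}}

def check(acl):  # map each sample packet to the ACL's verdict
    return {name: evaluate(acl, pkt)[0] for name, pkt in PACKETS.items()}
```

With the original list every reply, DHCP offer included, hits the implicit deny; with Martin's additions the replies pass while an unsolicited SYN to port 23 is still dropped, which is the behaviour ip inspect was providing dynamically.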

Thanks again for your help. While waiting for a response to my pb, I tried many possibilities and I made the access-list below, which seems to solve the pb.... but I have two ports open with the scan: 67 and 123.

access-list 103 remark ENTRANT Interface Wan
access-list 103 permit udp any eq bootpc host 192.168.0.244 eq bootpc
access-list 103 deny   udp any any eq bootps
access-list 103 deny   udp any any eq snmp
access-list 103 deny   udp any any eq snmptrap
access-list 103 permit ip any any

How can I make a better conf?

If I use your proposed access-list... where is the better place for it?

access-list 102 remark ENTRANT Interface Wan
access-list 102 permit udp host 195.83.66.36 eq ntp any eq ntp
access-list 102 permit udp any any eq domain
access-list 102 permit udp any any eq bootpc
access-list 102 permit tcp any any eq 5555
access-list 102 permit udp any any eq 6666
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 5190
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny   ip any any

I'm facing other pbs as my e0/1 is a dhcp client. You helped me before on that pb... but every 24 hours, the c2611 can't get the new ip.... If you can help me again... :-) (Subject: Cisco2611 : Dhcp client problem.)

And I posted a new one for the c2611 as a dhcp server for my lan... (Subject : little problem : C2611 a dhcp server for the lan)

Yes, I know, I ask for a lot of help, but I'm pretty new to the fascinating world of cisco routers.... :-) Perhaps one day I can help too....

Thanks again ! Sam

Reply to
sam
