Cisco 1841 T1 & Firewall Config HELP!!!!!!!!!

googlenews@canthespam.info
      11-09-2005
We have a Cisco 1841 Bundle with a T1.

Connection of the T1 to the www works great. We have several servers
natted to the web for web and email.

The only way for the servers to be accessible from and to the web is by
an allow-any statement. I need to be able just to allow certain ports in
and any out. If I remove the any statement, I lose all connectivity
through the router and firewall for all devices.

Below is my config. Any help would be greatly appreciated.

Thanks,
Eddie

*********************************************************************
CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
(ACCESS LOGGED)


User Access Verification

Username: admin
Password:
gateway#en
gateway#show run
Building configuration...

Current configuration : 8603 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gateway
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical

!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
ip dhcp excluded-address 10.0.1.1 10.0.1.60
!
ip dhcp pool Local
network 10.0.1.0 255.255.255.0
domain-name testus.com
dns-server 64.251.26.3 64.251.26.2
default-router 10.0.1.1
lease 5
!
!
ip ips po max-events 100
no ip bootp server
ip domain name testus.com
ip name-server 67.15.50.136
ip name-server 67.15.50.134
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$FW_INSIDE$===Production Subnet===
ip address 10.0.1.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1
description ===Office Subnet===
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface Serial0/0/0
description ===Internet Connection === (Infolink)
bandwidth 1544
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation frame-relay
ip route-cache flow
no fair-queue
service-module t1 timeslots 1-24
no arp frame-relay
!
interface Serial0/0/0.402 point-to-point
description ===Internet Connection===
ip address 64.251.26.6 255.255.255.252
ip access-group sdm_serial0/0/0.402_in in
ip nat outside
ip virtual-reassembly
no cdp enable
no arp frame-relay
frame-relay interface-dlci 402
!
ip classless
ip route 0.0.0.0 0.0.0.0 64.251.26.5
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip nat pool Global 69.68.112.200 69.68.112.200 netmask 255.255.255.240
ip nat pool clients 69.68.112.199 69.68.112.199 netmask 255.255.255.240
ip nat pool WWW 69.69.112.198 69.69.112.198 netmask 255.255.255.240
ip nat inside source list 20 pool Global overload
ip nat inside source static 10.0.1.40 69.68.112.196
ip nat inside source static 10.0.1.8 69.68.112.197
ip nat inside source static 10.0.1.5 69.68.112.198
ip nat inside source static 10.0.1.6 69.68.112.199
!
ip access-list extended sdm_serial0/0/0.402_in
remark SDM_ACL Category=1
deny tcp any host 69.68.112.196 eq www
permit tcp any host 69.68.112.199 log
remark Terminal Server
permit tcp any host 69.68.112.197 eq 3389 log
remark FTP
permit tcp any host 69.68.112.196 range ftp-data ftp log
permit tcp any host 69.68.112.198 eq smtp log
permit tcp any host 69.68.112.198 eq www log
permit icmp any host 69.68.112.200 log
permit icmp any host 69.68.112.200 time-exceeded
permit icmp any host 69.68.112.200 unreachable
permit ip any any log
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any log
remark SDM_ACL Category=1
remark Terminal Server
permit tcp any eq 3389 host 69.68.112.197 eq 3389 log
remark FTP
permit tcp any eq smtp host 69.68.112.198 eq smtp log
permit tcp any eq www host 69.68.112.198 eq www log
permit icmp any any log
!
logging trap debugging
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.0.1.0 0.0.0.127
access-list 20 remark Oubound NAT
access-list 20 remark SDM_ACL Category=2
access-list 20 permit any
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 69.68.112.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit gre any any
access-list 100 permit ip any any
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 10.0.1.0 0.0.0.127 host 10.0.1.1 eq telnet
access-list 100 permit tcp 10.0.1.0 0.0.0.127 host 10.0.1.1 eq 22
access-list 100 permit tcp 10.0.1.0 0.0.0.127 host 10.0.1.1 eq www
access-list 100 permit tcp 10.0.1.0 0.0.0.127 host 10.0.1.1 eq 443
access-list 100 permit tcp 10.0.1.0 0.0.0.127 host 10.0.1.1 eq cmd
access-list 100 permit udp 10.0.1.0 0.0.0.127 host 10.0.1.1 eq snmp
access-list 100 deny tcp any host 10.0.1.1 eq telnet
access-list 100 deny tcp any host 10.0.1.1 eq 22
access-list 100 deny tcp any host 10.0.1.1 eq www
access-list 100 deny tcp any host 10.0.1.1 eq 443
access-list 100 deny tcp any host 10.0.1.1 eq cmd
access-list 100 deny udp any host 10.0.1.1 eq snmp
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 permit ip 10.0.1.0 0.0.0.127 any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 permit ip 10.0.1.0 0.0.0.127 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp 10.0.1.128 0.0.0.127 host 10.0.1.129 eq telnet
access-list 103 permit tcp 10.0.1.128 0.0.0.127 host 10.0.1.129 eq 22
access-list 103 permit tcp 10.0.1.128 0.0.0.127 host 10.0.1.129 eq www
access-list 103 permit tcp 10.0.1.128 0.0.0.127 host 10.0.1.129 eq 443
access-list 103 permit tcp 10.0.1.128 0.0.0.127 host 10.0.1.129 eq cmd
access-list 103 deny tcp any host 10.0.1.129 eq telnet
access-list 103 deny tcp any host 10.0.1.129 eq 22
access-list 103 deny tcp any host 10.0.1.129 eq www
access-list 103 deny tcp any host 10.0.1.129 eq 443
access-list 103 deny tcp any host 10.0.1.129 eq cmd
access-list 103 deny udp any host 10.0.1.129 eq snmp
access-list 103 permit ip any any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark SDM_ACL Category=1
access-list 104 remark Auto generated by SDM Management Access feature
access-list 104 remark SDM_ACL Category=1
access-list 104 deny tcp any host 64.251.26.6 eq telnet
access-list 104 deny tcp any host 64.251.26.6 eq 22
access-list 104 deny tcp any host 64.251.26.6 eq www
access-list 104 deny tcp any host 64.251.26.6 eq 443
access-list 104 deny tcp any host 64.251.26.6 eq cmd
access-list 104 deny udp any host 64.251.26.6 eq snmp
access-list 104 permit ip any any
access-list 104 remark Auto generated by SDM Management Access feature
access-list 104 remark SDM_ACL Category=1
access-list 120 remark SDM_ACL Category=2
access-list 120 permit ip any any
access-list 120 remark SDM_ACL Category=2
no cdp run
!
!
control-plane
!
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
(ACCESS LOGGED)
^C
!
line con 0

!
scheduler allocate 4000 1000
end

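The behaviour Eddie describes follows from first-match ACL semantics. The following simulator is an added example (not from the thread or the poster's config): it encodes the inbound ACL `sdm_serial0/0/0.402_in` from the posted `show run`, then evaluates constructed sample packets against it with and without the `permit ip any any log` entry. Source addresses are made-up documentation addresses; ICMP sub-type entries are folded into the single ICMP entry.

```python
# Added example: first-match evaluation of the posted inbound ACL.
# Shows why every port on the static-NAT hosts is open, why the trailing
# deny entries never fire, and why removing the blanket permit drops
# return traffic to the overload NAT address 69.68.112.200.
from dataclasses import dataclass
from ipaddress import ip_address

ANY = "any"

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0   # ignored for icmp

@dataclass(frozen=True)
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "ip" (any protocol)
    dst: str = ANY         # destination host or "any"
    ports: tuple = ()      # () means any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dst != ANY and ip_address(self.dst) != ip_address(p.dst):
            return False
        return not self.ports or p.dport in self.ports

def evaluate(acl, p):
    """Return (action, 1-based entry index); index 0 is the implicit deny."""
    for i, e in enumerate(acl, start=1):
        if e.matches(p):
            return e.action, i
    return "deny", 0

def shadowed(acl):
    """Entries after the first 'ip any any' entry can never be reached."""
    for i, e in enumerate(acl, start=1):
        if e.proto == "ip" and e.dst == ANY and not e.ports:
            return list(range(i + 1, len(acl) + 1))
    return []

# The entries of sdm_serial0/0/0.402_in, in the order they appear.
POSTED_ACL = [
    Entry("deny",   "tcp",  "69.68.112.196", (80,)),
    Entry("permit", "tcp",  "69.68.112.199"),          # no port: all TCP
    Entry("permit", "tcp",  "69.68.112.197", (3389,)),
    Entry("permit", "tcp",  "69.68.112.196", (20, 21)),
    Entry("permit", "tcp",  "69.68.112.198", (25,)),
    Entry("permit", "tcp",  "69.68.112.198", (80,)),
    Entry("permit", "icmp", "69.68.112.200"),
    Entry("permit", "ip"),                             # the "allow any"
    Entry("deny",   "ip"),
]
# The same list with the blanket permit removed, as the poster tried.
WITHOUT_ANY = [e for e in POSTED_ACL
               if not (e.action == "permit" and e.proto == "ip")]

# Constructed sample packets: an unwanted SSH attempt at the terminal server,
# and a TCP reply to a LAN client behind the overload NAT address.
SSH_TO_TS   = Packet("tcp", "198.51.100.7", "69.68.112.197", 22)
NAT_REPLY   = Packet("tcp", "203.0.113.9",  "69.68.112.200", 52344)
```

A stateless ACL has no notion of return traffic, so without the blanket permit the reply to every outbound connection hits `deny ip any any log`; IOS addresses that with `ip inspect` (CBAC) or an `established` entry, neither of which appears in the posted config.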
jdsal
      11-10-2005
If this ANY statement is ACL 20, you need that for the global address. To be
a little more secure you could specify an IP address range like 10.1.0.0
0.0.255.255. Also, I had run into an issue some time ago where I used static
NATs. Basically, none of the hosts specified by the STATIC entries were using
the address set aside. The resolution was to add DENY entries to the global
ACL to stop them from using the global address (see below).

access-list 20 deny 10.1.1.1
access-list 20 deny 10.1.1.2
access-list 20 deny 10.1.1.3
access-list 20 permit 10.1.1.0 0.0.0.255

googlenews@canthespam.info
      11-10-2005
I will try that.

Thanks,
Eddie

googlenews@canthespam.info
      11-17-2005
They are using the static IP maps I have designated. But, all ports are
still open to these devices although I have specified only the ports I
need.

Thanks,
Eddie

egray1975
      01-07-2009
You can have questions like the ones listed above answered quickly if you have SMARTnet for the Cisco 1841 T1.