Cisco 1841 T1 & Firewall Config HELP!!!!!!!!!

Discussion in 'Cisco' started by googlenews@canthespam.info, Nov 9, 2005.

  1. Guest

We have a Cisco 1841 Bundle with a T1.

    Connection of the T1 to the www works great. We have several servers
    natted to the web for web and email.

The only way for the servers to be accessible from and to the web is by
an allow any statement. I need to be able just to allow certain ports in
and any out. If I remove the any statement, I lose all connectivity
through the router and firewall for all devices.

    Below is my config. Any help would be greatly appreciated.

    Thanks,
    Eddie

    *********************************************************************
    CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!
    (ACCESS LOGGED)


    User Access Verification

    Username: admin
    Password:
    gateway#en
    gateway#show run
    Building configuration...

    Current configuration : 8603 bytes
    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname gateway
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 debugging
    logging console critical

    !
    clock timezone PCTime -5
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    no aaa new-model
    ip subnet-zero
    no ip source-route
    ip cef
    !
    !
    ip tcp synwait-time 10
    ip dhcp excluded-address 10.0.1.1 10.0.1.60
    !
    ip dhcp pool Local
    network 10.0.1.0 255.255.255.0
    domain-name testus.com
    dns-server 64.251.26.3 64.251.26.2
    default-router 10.0.1.1
    lease 5
    !
    !
    ip ips po max-events 100
    no ip bootp server
    ip domain name testus.com
    ip name-server 67.15.50.136
    ip name-server 67.15.50.134
    ip ssh time-out 60
    ip ssh authentication-retries 2
    no ftp-server write-enable
    !
    !
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    description $ETH-LAN$$FW_INSIDE$===Production Subnet===
    ip address 10.0.1.1 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    no cdp enable
    no mop enabled
    !
    interface FastEthernet0/1
    description ===Office Subnet===
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    shutdown
    duplex auto
    speed auto
    no cdp enable
    no mop enabled
    !
    interface Serial0/0/0
    description ===Internet Connection === (Infolink)
    bandwidth 1544
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    encapsulation frame-relay
    ip route-cache flow
    no fair-queue
    service-module t1 timeslots 1-24
    no arp frame-relay
    !
    interface Serial0/0/0.402 point-to-point
    description ===Internet Connection===
    ip address 64.251.26.6 255.255.255.252
    ip access-group sdm_serial0/0/0.402_in in
    ip nat outside
    ip virtual-reassembly
    no cdp enable
    no arp frame-relay
    frame-relay interface-dlci 402
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 64.251.26.5
    ip http server
    ip http access-class 1
    ip http authentication local
    ip http secure-server
    ip nat pool Global 69.68.112.200 69.68.112.200 netmask 255.255.255.240
    ip nat pool clients 69.68.112.199 69.68.112.199 netmask 255.255.255.240
    ip nat pool WWW 69.69.112.198 69.69.112.198 netmask 255.255.255.240
    ip nat inside source list 20 pool Global overload
    ip nat inside source static 10.0.1.40 69.68.112.196
    ip nat inside source static 10.0.1.8 69.68.112.197
    ip nat inside source static 10.0.1.5 69.68.112.198
    ip nat inside source static 10.0.1.6 69.68.112.199
    !
    ip access-list extended sdm_serial0/0/0.402_in
    remark SDM_ACL Category=1
    deny tcp any host 69.68.112.196 eq www
    permit tcp any host 69.68.112.199 log
    remark Terminal Server
    permit tcp any host 69.68.112.197 eq 3389 log
    remark FTP
    permit tcp any host 69.68.112.196 range ftp-data ftp log
    permit tcp any host 69.68.112.198 eq smtp log
    permit tcp any host 69.68.112.198 eq www log
    permit icmp any host 69.68.112.200 log
    permit icmp any host 69.68.112.200 time-exceeded
    permit icmp any host 69.68.112.200 unreachable
    permit ip any any log
    deny ip host 255.255.255.255 any
    deny ip host 0.0.0.0 any
    deny ip any any log
    remark SDM_ACL Category=1
    remark Terminal Server
    permit tcp any eq 3389 host 69.68.112.197 eq 3389 log
    remark FTP
    permit tcp any eq smtp host 69.68.112.198 eq smtp log
    permit tcp any eq www host 69.68.112.198 eq www log
    permit icmp any any log
    !
    logging trap debugging
    access-list 1 remark Auto generated by SDM Management Access feature
    access-list 1 remark SDM_ACL Category=1
    access-list 1 permit 10.0.1.0 0.0.0.127
    access-list 20 remark Oubound NAT
    access-list 20 remark SDM_ACL Category=2
    access-list 20 permit any
    access-list 100 remark Auto generated by SDM Management Access feature
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip 69.68.112.0 0.0.0.255 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit gre any any
    access-list 100 permit ip any any
    access-list 100 remark Auto generated by SDM Management Access feature
    access-list 100 remark SDM_ACL Category=1
    access-list 100 permit tcp 10.0.1.0 0.0.0.127 host 10.0.1.1 eq telnet
    access-list 100 permit tcp 10.0.1.0 0.0.0.127 host 10.0.1.1 eq 22
    access-list 100 permit tcp 10.0.1.0 0.0.0.127 host 10.0.1.1 eq www
    access-list 100 permit tcp 10.0.1.0 0.0.0.127 host 10.0.1.1 eq 443
    access-list 100 permit tcp 10.0.1.0 0.0.0.127 host 10.0.1.1 eq cmd
    access-list 100 permit udp 10.0.1.0 0.0.0.127 host 10.0.1.1 eq snmp
    access-list 100 deny tcp any host 10.0.1.1 eq telnet
    access-list 100 deny tcp any host 10.0.1.1 eq 22
    access-list 100 deny tcp any host 10.0.1.1 eq www
    access-list 100 deny tcp any host 10.0.1.1 eq 443
    access-list 100 deny tcp any host 10.0.1.1 eq cmd
    access-list 100 deny udp any host 10.0.1.1 eq snmp
    access-list 101 remark Auto generated by SDM Management Access feature
    access-list 101 permit ip 10.0.1.0 0.0.0.127 any
    access-list 101 remark Auto generated by SDM Management Access feature
    access-list 101 remark SDM_ACL Category=1
    access-list 102 remark Auto generated by SDM Management Access feature
    access-list 102 permit ip 10.0.1.0 0.0.0.127 any
    access-list 102 remark Auto generated by SDM Management Access feature
    access-list 102 remark SDM_ACL Category=1
    access-list 103 remark Auto generated by SDM Management Access feature
    access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp 10.0.1.128 0.0.0.127 host 10.0.1.129 eq telnet
    access-list 103 permit tcp 10.0.1.128 0.0.0.127 host 10.0.1.129 eq 22
    access-list 103 permit tcp 10.0.1.128 0.0.0.127 host 10.0.1.129 eq www
    access-list 103 permit tcp 10.0.1.128 0.0.0.127 host 10.0.1.129 eq 443
    access-list 103 permit tcp 10.0.1.128 0.0.0.127 host 10.0.1.129 eq cmd
    access-list 103 deny tcp any host 10.0.1.129 eq telnet
    access-list 103 deny tcp any host 10.0.1.129 eq 22
    access-list 103 deny tcp any host 10.0.1.129 eq www
    access-list 103 deny tcp any host 10.0.1.129 eq 443
    access-list 103 deny tcp any host 10.0.1.129 eq cmd
    access-list 103 deny udp any host 10.0.1.129 eq snmp
    access-list 103 permit ip any any
    access-list 103 remark Auto generated by SDM Management Access feature
    access-list 103 remark SDM_ACL Category=1
    access-list 104 remark Auto generated by SDM Management Access feature
    access-list 104 remark SDM_ACL Category=1
    access-list 104 deny tcp any host 64.251.26.6 eq telnet
    access-list 104 deny tcp any host 64.251.26.6 eq 22
    access-list 104 deny tcp any host 64.251.26.6 eq www
    access-list 104 deny tcp any host 64.251.26.6 eq 443
    access-list 104 deny tcp any host 64.251.26.6 eq cmd
    access-list 104 deny udp any host 64.251.26.6 eq snmp
    access-list 104 permit ip any any
    access-list 104 remark Auto generated by SDM Management Access feature
    access-list 104 remark SDM_ACL Category=1
    access-list 120 remark SDM_ACL Category=2
    access-list 120 permit ip any any
    access-list 120 remark SDM_ACL Category=2
    no cdp run
    !
    !
    control-plane
    !
    banner login ^CCAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!
    (ACCESS LOGGED)
    ^C
    !
    line con 0

    !
    scheduler allocate 4000 1000
    end
    , Nov 9, 2005
    #1

  2. jdsal Guest

If this ANY statement is ACL 20, you need that for the global address. To be
a little more secure you could specify an IP address range like 10.1.0.0
0.0.255.255. Also, I had run into an issue some time ago where I used static
NATs. Basically, none of the hosts specified by the STATIC entries were using
the address set aside. The resolution was to add DENY entries to the global
ACL to stop them from using the global address (see below).

    access-list 20 deny 10.1.1.1
    access-list 20 deny 10.1.1.2
    access-list 20 deny 10.1.1.3
    access-list 20 permit 10.1.1.0 0.0.0.255


    jdsal, Nov 10, 2005
    #2

  3. Guest

    I will try that.

    Thanks,
    Eddie
    , Nov 10, 2005
    #3
  4. Guest

    They are using the static IP maps I have designated. But, all ports are
    still open to these devices although I have specified only the ports I
    need.

    Thanks,
    Eddie
    , Nov 17, 2005
    #4
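The "all ports are still open" symptom in this message and the "remove the any statement and lose everything" symptom in the first post both follow from how IOS walks an access list: top to bottom, first match wins, implicit deny at the end. The script below is an added example (not from the thread, not Cisco's code) that models that evaluation in simplified form over the sdm_serial0/0/0.402_in entries exactly as posted, reports entries an earlier entry already covers, and traces two constructed packets. Its sample outside addresses are documentation ranges, not anything from the thread; source-port qualifiers and ICMP type keywords are parsed but not modelled, which is an assumption of the example. Run as posted, every packet that reaches the `permit ip any any log` entry is permitted, so the later denies and port-specific permits never fire; with that entry dropped, a reply packet to the NAT overload address for a session opened from inside matches nothing but `deny ip any any log`, which is consistent with the loss of connectivity described, since the list as posted carries no entry for return traffic.

```python
"""First-match walk-through of the inbound list from the first post.
Added example, not part of the thread and not Cisco's code.  It models IOS ACL
evaluation in simplified form (top to bottom, first match wins, implicit deny at
the end) and flags entries that an earlier entry already covers."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

PORT_NAMES = {"www": 80, "smtp": 25, "ftp-data": 20, "ftp": 21, "telnet": 23}
# Packet.dport: destination port (None for ICMP); Entry.dport: inclusive (lo, hi) or None
Packet = namedtuple("Packet", "proto src dst dport", defaults=(None,))
Entry = namedtuple("Entry", "index action proto src dst dport text")

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ip_network(tok[1] + "/32"), tok[2:]
    mask = ip_address(~int(ip_address(tok[1])) & 0xFFFFFFFF)   # wildcard -> netmask
    return ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def parse_acl(body):
    """Parse extended-ACL lines; 'remark' lines are skipped, entries numbered from 1."""
    entries = []
    for line in body.strip().splitlines():
        tok = line.split()
        if tok[0] == "remark":
            continue
        src, rest = _addr(tok[2:])
        if rest[:1] == ["eq"]:            # source-port qualifier: parsed, not modelled (assumption)
            rest = rest[2:]
        dst, rest = _addr(rest)
        dport = None                      # trailing 'log' / ICMP type keywords are ignored
        if rest[:1] == ["eq"]:
            dport = (_port(rest[1]), _port(rest[1]))
        elif rest[:1] == ["range"]:
            dport = (_port(rest[1]), _port(rest[2]))
        entries.append(Entry(len(entries) + 1, tok[0], tok[1], src, dst, dport, line))
    return entries

def matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ip_address(p.src) not in e.src or ip_address(p.dst) not in e.dst:
        return False
    return e.dport is None or (p.dport is not None and e.dport[0] <= p.dport <= e.dport[1])

def evaluate(entries, p):
    """(action, entry text) of the first matching entry, or the implicit deny."""
    for e in entries:
        if matches(e, p):
            return e.action, e.text
    return "deny", "<implicit deny ip any any>"

def covers(a, b):
    """True when every packet b could match is already matched by the earlier entry a."""
    if a.proto != "ip" and a.proto != b.proto:
        return False
    if not (b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)):
        return False
    return a.dport is None or (b.dport is not None and a.dport[0] <= b.dport[0] <= b.dport[1] <= a.dport[1])

def shadowed(entries):
    """Indices of entries that can never fire because an earlier entry covers them."""
    return [b.index for i, b in enumerate(entries) if any(covers(a, b) for a in entries[:i])]

def without(entries, index):
    return [e for e in entries if e.index != index]

# Entries of sdm_serial0/0/0.402_in exactly as posted (remark lines left out).
SERIAL_IN = parse_acl("""
deny tcp any host 69.68.112.196 eq www
permit tcp any host 69.68.112.199 log
permit tcp any host 69.68.112.197 eq 3389 log
permit tcp any host 69.68.112.196 range ftp-data ftp log
permit tcp any host 69.68.112.198 eq smtp log
permit tcp any host 69.68.112.198 eq www log
permit icmp any host 69.68.112.200 log
permit icmp any host 69.68.112.200 time-exceeded
permit icmp any host 69.68.112.200 unreachable
permit ip any any log
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any log
permit tcp any eq 3389 host 69.68.112.197 eq 3389 log
permit tcp any eq smtp host 69.68.112.198 eq smtp log
permit tcp any eq www host 69.68.112.198 eq www log
permit icmp any any log
""")
BLANKET = 10                         # index of 'permit ip any any log'
# Constructed sample packets; outside addresses are documentation ranges, not from the thread.
SSH_TO_TS = Packet("tcp", "198.51.100.7", "69.68.112.197", 22)      # a port the list never intended
RETURN_WEB = Packet("tcp", "203.0.113.9", "69.68.112.200", 51234)   # reply to an outbound web session

if __name__ == "__main__":
    print("dead entries:", shadowed(SERIAL_IN))
    for label, acl in (("as posted", SERIAL_IN), ("without entry 10", without(SERIAL_IN, BLANKET))):
        print(label, [evaluate(acl, p) for p in (SSH_TO_TS, RETURN_WEB)])
```

Running it prints the dead-entry indices (everything after the blanket permit, plus the two ICMP-type entries covered by the broader ICMP permit above them) and the first-match result for each packet with and without entry 10. The same walk can be applied to any of the numbered lists in the posted config by pasting their entries into `parse_acl`.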
  5. egray1975

You can have questions like the ones listed above answered quickly if you have SmartNet for the Cisco 1841 T1.
    egray1975, Jan 7, 2009
    #5
