help on the Cisco 2611 router and the IOS Firewall setup

Discussion in 'Cisco' started by Michael Huffaker, Apr 11, 2004.

  1. I have a Cisco 2611 installed with the Firewall feature set and I have
    initially configured it for NAT access with none of the Firewall
    features enabled and it has worked fine. I used the Cisco Configmaker
    software (yes, it sucks and I am a wimp) to set up a DMZ with a Web
    server and eventually an exchange server.
    The goals:
    * Office LAN able to access everything on the internet and on the
    DMZ.
    * System on the DMZ (207.XXX.XXX.250/29) to be part of the domain where
    the domain controllers (192.168.0.20 and 192.168.0.21) sit on the
    Office LAN; this requires two-way communication.
    * Able to telnet into the router from the internet in addition to
    console and local.
    * VPN passthrough to a Microsoft VPN server on the Office LAN
    (192.168.0.20). Config maker does not deal with this so I added the
    GRE and port 1723 statement in the configuration in Access list 100.


    Problems

    1. Cannot telnet in via the internet but can telnet via console and
    from within the Office LAN
    2. POP3 mail comes in fine but outgoing mail is blocked and the mail
    client (outlook express) shows the following error message - "554
    relay access denied"

    Any help on either or both issues would be great, thanks


    The running configuration (sanitized) is below



    2611#sh run
    Building configuration...
    Current configuration : 3104 bytes
    !
    version 12.3
    service config
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname 2611
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$YDAt$LNSUk85gUmICy4UEJD.xu0
    !
    no aaa new-model
    ip subnet-zero
    !
    !
    ip name-server 192.168.0.20
    !
    ip inspect max-incomplete high 1100
    ip inspect one-minute high 1100
    ip inspect name Ethernet_0_1 tcp
    ip inspect name Ethernet_0_1 udp
    ip inspect name Ethernet_0_1 cuseeme
    ip inspect name Ethernet_0_1 ftp
    ip inspect name Ethernet_0_1 h323
    ip inspect name Ethernet_0_1 rcmd
    ip inspect name Ethernet_0_1 realaudio
    ip inspect name Ethernet_0_1 smtp
    ip inspect name Ethernet_0_1 streamworks
    ip inspect name Ethernet_0_1 vdolive
    ip inspect name Ethernet_0_1 sqlnet
    ip inspect name Ethernet_0_1 tftp
    ip inspect name Serial_0_0 tcp
    ip inspect name Serial_0_0 ftp
    ip inspect name Serial_0_0 udp
    ip inspect name Serial_0_0 smtp
    ip audit notify log
    ip audit po max-events 100
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    interface Ethernet0/0
    description connected to DMZ LAN
    ip address 207.XXX.XXX.249 255.255.255.248
    ip access-group 101 in
    half-duplex
    !
    interface Serial0/0
    description connected to Internet
    ip address 20.XXX.XXX.158 255.255.255.252
    ip access-group 102 in
    ip nat outside
    ip inspect Serial_0_0 in
    !
    interface Ethernet0/1
    description connected to Office LAN
    ip address 192.168.0.1 255.255.255.0
    ip access-group 100 in
    ip nat inside
    ip inspect Ethernet_0_1 in
    half-duplex
    !
    router rip
    version 2
    passive-interface Serial0/0
    network 192.168.0.0
    network 207.XXX.XXX.0
    no auto-summary
    !
    ip nat inside source list 1 interface Serial0/0 overload
    ip http server
    no ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0
    !
    !
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 100 deny ip 207.XXX.XXX.248 0.0.0.7 any
    access-list 100 permit ip any any
    access-list 100 permit tcp any host 192.168.0.20 eq 1723
    access-list 100 permit gre any host 192.168.0.20
    access-list 101 deny ip 192.168.0.0 0.0.0.255 any
    access-list 101 permit udp any eq rip any eq rip
    access-list 102 deny ip 207.XXX.XXX.248 0.0.0.7 any
    access-list 102 permit tcp any host 207.XXX.XXX.250 eq telnet
    access-list 102 permit tcp any host 207.XXX.XXX.250 range ftp-data ftp
    access-list 102 permit tcp any host 207.XXX.XXX.250 eq www
    access-list 102 permit udp any host 207.XXX.XXX.250 eq isakmp
    access-list 102 permit tcp any host 207.XXX.XXX.250 eq smtp
    access-list 102 deny ip any host 207.XXX.XXX.250
    access-list 102 permit tcp any 207.XXX.XXX.248 0.0.0.7 eq telnet
    access-list 102 permit icmp any 207.XXX.XXX.248 0.0.0.7
    access-list 102 permit tcp any 207.XXX.XXX.248 0.0.0.7 eq www
    access-list 102 permit tcp any 207.XXX.XXX.248 0.0.0.7 range ftp-data ftp
    access-list 102 permit udp any 207.XXX.XXX.248 0.0.0.7 eq domain
    !
    snmp-server community public RO
    snmp-server location Phoenix
    snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXX
    snmp-server enable traps tty
    !
    !
    !
    !
    !
    line con 0
    exec-timeout 0 0
    password XXXXXXXX
    login
    line aux 0
    line vty 0 4
    password XXXXXXXX
    login
    !
    !
    !
    end
     
    Michael Huffaker, Apr 11, 2004
    #1
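As an added example, not code from the thread: a small Python first-match evaluator for the extended access-list syntax used in the posted config (any/host/wildcard addresses, `eq` and `range` port operators), with the sanitized XXX octets replaced by constructed stand-in addresses (207.0.0.248/29 for the DMZ block, 20.0.0.158 for Serial0/0). Running a telnet (TCP/23) packet from an internet source through access-list 102 shows the difference between the DMZ host and the router's own outside address.

```python
import ipaddress

# IOS port keywords that appear in the posted config.
PORTS = {"telnet": 23, "www": 80, "smtp": 25, "ftp": 21, "ftp-data": 20, "isakmp": 500, "domain": 53}

def _addr(t):  # consume 'any' | 'host A' | 'A WILDCARD' (contiguous wildcard assumed)
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1] + "/32"), t[2:]
    bits = int(ipaddress.ip_address(t[1])).bit_length()  # wildcard 0.0.0.7 -> 3 host bits -> /29
    return ipaddress.ip_network(f"{t[0]}/{32 - bits}", strict=False), t[2:]

def _ports(t):  # consume optional 'eq P' | 'range A B'; None means any port
    p = lambda s: PORTS.get(s) or int(s)
    if t and t[0] == "eq":
        return {p(t[1])}, t[2:]
    if t and t[0] == "range":
        return set(range(p(t[1]), p(t[2]) + 1)), t[3:]
    return None, t

def parse_rule(line):
    """Parse one extended (100-199) access-list line; anything else yields None."""
    w = line.split()
    if len(w) < 5 or w[0] != "access-list" or not 100 <= int(w[1]) <= 199:
        return None
    src, t = _addr(w[4:]); sport, t = _ports(t)  # source, optional source-port operator
    dst, t = _addr(t); dport, _ = _ports(t)      # destination, optional dest-port operator
    return dict(acl=w[1], action=w[2], proto=w[3], src=src, sport=sport,
                dst=dst, dport=dport, text=line)

def evaluate(rules, acl, proto, src, dst, sport=None, dport=None):
    """First-match lookup as IOS does it, falling through to the implicit deny."""
    for r in (x for x in rules if x["acl"] == acl):
        if (r["proto"] in ("ip", proto) and ipaddress.ip_address(src) in r["src"]
                and ipaddress.ip_address(dst) in r["dst"]
                and (r["sport"] is None or sport in r["sport"])
                and (r["dport"] is None or dport in r["dport"])):
            return r["action"], r["text"]
    return "deny", "implicit deny at end of ACL"

# ACL 100 and 102 lines as posted, with the sanitized XXX octets replaced by constructed
# stand-ins: 207.0.0.248/29 for the DMZ block and 20.0.0.158 for Serial0/0.
CONFIG = """access-list 100 deny ip 207.0.0.248 0.0.0.7 any
access-list 100 permit ip any any
access-list 100 permit gre any host 192.168.0.20
access-list 102 deny ip 207.0.0.248 0.0.0.7 any
access-list 102 permit tcp any host 207.0.0.250 eq telnet
access-list 102 permit tcp any 207.0.0.248 0.0.0.7 range ftp-data ftp"""
RULES = [r for r in map(parse_rule, CONFIG.splitlines()) if r]
```

A telnet connection to 207.0.0.250 matches the explicit permit, while one to the Serial0/0 stand-in 20.0.0.158 matches no line of access-list 102 and falls to the implicit deny, which is where an inbound vty attempt on the outside interface is dropped. The GRE check against access-list 100 matches the earlier `permit ip any any`, so the VPN-specific lines after it never take effect.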

  2. BTW, I am familiar with the idea that blocking telnet from the outside
    is a good security practice however due to logistical reasons we need
    outside telnet capability.

     
    Michael Huffaker, Apr 12, 2004
    #2

  3. rowl Guest

    (Michael Huffaker) wrote in message news:<>...
    > > 2. POP3 mail comes in fine but outgoing mail is blocked and the mail
    > > client (outlook express) shows the following error message - "554
    > > relay access denied"


    Must be an issue with "relay_* Features" in sendmail. Relaying is
    disabled by default in Sendmail 8.9 and up, I believe, as a spam control
    feature. So your sender's username domain component and the SMTP host's
    domain component must match.
    ex: can use smtp.b.c but may not be able to send using
    smtp.b.c but only thru smtp.y.z

    Rgrds
    Rahul Sawarkar
     
    rowl, Apr 12, 2004
    #3
  4. Rod Dorman Guest

    In article <>,
    Michael Huffaker <> wrote:
    >BTW, I am familiar with the idea that blocking telnet from the outside
    >is a good security practice however due to logistical reasons we need
    >outside telnet capability.


    I'd strongly recommend a more secure access procedure like using SSH.

    --
    -- Rod --
    rodd(at)polylogics(dot)com
     
    Rod Dorman, Apr 12, 2004
    #4
