Cisco 877 Port Forwarding & ACL ISSUES
  • Cisco 877 Port Forwarding & ACL ISSUES

    Been bashing my head round this... I am setting up an 877W router for a small business in the UK. I have set up port forwarding but it simply does not want to work...

    Even remote dial VPN & remote SSH etc... nothing works. Locally these services do work (I can ssh into the router from the LAN, and dial VPN).

    I am setting this router up for deployment in the UK. But before I deploy I need it working here, hence the two dialer interfaces in the config below.

    The router will be deployed in a small business with a couple of servers. Exchange, DNS, ftp etc...

    I need port forwarding for the services RDP (servers), SSH (Router), VPN (router), Http (Exchange), https (Exchange) etc... going to the individual hosts on the network.
    I have also tried removing those statements (ip access-group DMZ_ACL in & ip inspect DMZ_CBAC in) from the BVI1 and Dialer2 interfaces; I still can't SSH into the router or VPN in remotely.
    Basically, what I want to achieve is as follows:
    Unrestricted web usage on the DMZ + NO ACCESS to the CORP LAN (BVI1) from the DMZ LAN (BVI2), and vice versa
    Restricted usage on the Internal (Corp Network 192.168.2.0/24)
    Port forwarding to the appropriate hosts
    SSH access to the Router

    The traffic I want to allow coming in and out of the corp lan is as follows
    10 permit tcp 20
    20 permit tcp 21
    30 permit tcp eq smtp
    40 permit tcp eq 443
    50 permit tcp eq 80
    60 permit tcp eq 9035
    70 permit tcp eq pop3
    80 permit tcp eq 3388
    90 permit tcp eq 3389
    100 permit udp eq tftp
    120 permit tcp eq 22
    130 permit tcp any any established
    Could any one of you guys tell me what I have to do to achieve this, maybe with an example of how my ACLs should be (I think I am writing them correctly), in what direction and on which interface?
    Config below:
    SilkR1#sh run
    Building configuration...

    Current configuration : 9522 bytes
    !

    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !

    hostname SilkR1
    !

    boot-start-marker
    boot-end-marker
    !

    no logging buffered
    enable secret 5 $1$.DKw$1W7yKThc.K6NBhm/8Slwp1
    !

    no aaa new-model
    clock timezone zone 1
    clock summer-time GMT date Mar 25 2012 1:00 Oct 30 2012 1:00
    crypto pki token default removal timeout 0
    !

    crypto pki trustpoint TP-self-signed-973792425
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-973792425
    revocation-check none
    rsakeypair TP-self-signed-973792425
    !

    !
    crypto pki certificate chain TP-self-signed-973792425
    certificate self-signed 01

    quit
    dot11 syslog
    !

    dot11 ssid SILK CORP
    vlan 1
    authentication open
    authentication key-management wpa
    wpa-psk ascii 7 03544D58145E714D4A48
    !

    dot11 ssid SILK DMZ
    vlan 10
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 13364643002857243F257972
    !

    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.211.1 192.168.211.100
    ip dhcp excluded-address 192.168.211.200 192.168.211.254
    ip dhcp excluded-address 192.168.2.1 192.168.2.100
    ip dhcp excluded-address 192.168.2.200 192.168.2.254
    !

    ip dhcp pool DMZ_Addresses
    import all
    network 192.168.211.0 255.255.255.0
    default-router 192.168.211.254
    dns-server 194.72.9.38 194.72.9.34 194.74.65.68 194.74.65.69 194.72.0.98 194.72.0.114 62.6.40.162 62.6.40.178
    lease 3
    !

    ip dhcp pool Corp_Addresses
    import all
    network 192.168.2.0 255.255.255.0
    default-router 192.168.2.254
    dns-server 194.158.37.196 194.158.37.211
    domain-name silk.local
    lease 3
    !

    !
    ip inspect udp idle-time 20
    ip inspect tcp idle-time 120
    ip inspect tcp synwait-time 15
    ip inspect name internal_CBAC smtp audit-trail on
    ip inspect name internal_CBAC ftp
    ip inspect name internal_CBAC http
    ip inspect name internal_CBAC https
    ip inspect name internal_CBAC realaudio
    ip inspect name internal_CBAC tcp
    ip inspect name internal_CBAC udp
    ip inspect name internal_CBAC icmp
    ip inspect name DMZ_CBAC smtp audit-trail on
    ip inspect name DMZ_CBAC http
    ip inspect name DMZ_CBAC tcp
    ip inspect name DMZ_CBAC udp
    ip inspect name external_CBAC smtp audit-trail on
    ip inspect name external_CBAC ftp
    ip inspect name external_CBAC http
    ip inspect name external_CBAC realaudio
    ip inspect name external_CBAC tcp
    ip inspect name external_CBAC udp
    ip inspect name external_CBAC icmp
    ip domain name silk.local
    !

    vpdn enable
    !

    vpdn-group 1
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    !

    !
    !

    username XXXXX privilege 15 password 7 070C285F4D06
    username XXXXX privilege 15 password 7 096B6E1D4A12370B4A
    username XXXXX privilege 10 password 7 121A0C041104
    username XXXXX privilege 10 password 7 082C435B1A1C5445414A
    username XXXXX privilege 15 password 7 02130A521D031D324D42
    !

    !
    archive
    log config
    hidekeys
    !

    !
    ip ssh version 2
    !

    bridge irb
    !

    !
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    dsl operating-mode auto
    !

    interface ATM0.1 point-to-point
    description BT Internet Connection
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !

    interface ATM0.2 point-to-point
    description Go internet connection
    pvc 8/35
    pppoe-client dial-pool-number 3
    !
    !

    interface FastEthernet0
    no cdp enable
    !

    interface FastEthernet1
    no cdp enable
    !

    interface FastEthernet2
    no cdp enable
    !

    interface FastEthernet3
    description DMZ LAN
    switchport access vlan 10
    no cdp enable
    !

    interface Virtual-Template1
    description VPN Interface
    ip unnumbered Vlan1
    peer default ip address pool clients
    no keepalive
    ppp encrypt mppe auto required
    ppp authentication ms-chap ms-chap-v2 chap mschap
    ppp ipcp dns 192.168.2.1 192.168.2.2
    !

    interface Dot11Radio0
    no ip address
    no ip route-cache cef
    no ip route-cache
    !
    encryption vlan 1 mode ciphers tkip
    !
    encryption vlan 10 mode ciphers tkip
    !
    encryption mode ciphers tkip
    !
    ssid SILK CORP
    !
    ssid SILK DMZ
    !
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    rts threshold 2312
    !

    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    !

    interface Dot11Radio0.10
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 2
    bridge-group 2 subscriber-loop-control
    bridge-group 2 spanning-disabled
    bridge-group 2 block-unknown-source
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    !

    interface Vlan1
    description Corporate Vlan
    no ip address
    bridge-group 1
    !

    interface Vlan10
    description DMZ Vlan
    no ip address
    bridge-group 2
    !

    interface Dialer0
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname [email protected]
    ppp chap password 7 15020A1F172B2327292767
    !

    interface Dialer2
    ip address negotiated
    ip access-group external_ACL in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1452
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    no ip mroute-cache
    dialer pool 3
    dialer-group 3
    no keepalive
    no cdp enable
    ppp authentication pap callin
    ppp pap sent-username [email protected] password 7 0608002F495A08
    !

    interface BVI1
    description Corporate LAN
    ip dhcp relay information trusted
    ip address 192.168.2.254 255.255.255.0
    ip access-group internal_ACL in
    ip inspect internal_CBAC in
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1412
    !

    interface BVI2
    description DMZ LAN
    ip dhcp relay information trusted
    ip address 192.168.211.254 255.255.255.0
    ip access-group DMZ_ACL in
    ip inspect DMZ_CBAC in
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1412
    !

    ip local pool clients 192.168.2.210 192.168.2.220
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer2
    !

    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list DMZ_ACL interface Dialer2 overload
    ip nat inside source list internal_ACL interface Dialer2 overload
    ip nat inside source static tcp 192.168.2.1 3388 interface Dialer2 3388
    ip nat inside source static tcp 192.168.2.1 443 interface Dialer2 443
    ip nat inside source static tcp 192.168.2.1 80 interface Dialer2 80
    ip nat inside source static tcp 192.168.2.1 110 interface Dialer2 110
    ip nat inside source static tcp 192.168.2.1 25 interface Dialer2 25
    ip nat inside source static tcp 192.168.2.2 3389 interface Dialer2 3389
    ip nat inside source static tcp 192.168.2.1 20 interface Dialer2 20
    ip nat inside source static tcp 192.168.2.1 21 interface Dialer2 21
    ip nat inside source static tcp 192.168.2.254 22 interface Dialer2 22
    !

    ip access-list extended DMZ_ACL
    deny ip 192.168.211.0 0.0.0.255 192.168.2.0 0.0.0.255
    permit ip any any
    ip access-list extended external_ACL
    permit tcp any host 192.168.2.1 eq smtp
    permit tcp any host 192.168.2.1 eq pop2
    permit tcp any host 192.168.2.1 eq pop3
    permit tcp any host 192.168.2.1 eq www
    permit tcp any host 192.168.2.1 eq 443
    permit tcp any host 192.168.2.1 eq ftp
    permit tcp any host 192.168.2.1 eq ftp-data
    permit tcp any host 192.168.2.1 eq 3388
    permit tcp any host 192.168.2.2 eq 3389
    permit tcp any host 192.168.2.254 eq 1723
    permit tcp any any established
    ip access-list extended internal_ACL
    permit tcp host 192.168.2.1 any eq smtp
    permit tcp any 0.0.0.0 255.255.255.0 eq 1723
    deny tcp any any eq pop2
    deny tcp any any eq pop3
    permit ip any any
    !

    dialer-list 1 protocol ip permit
    dialer-list 2 protocol ip permit
    !

    !
    !

    control-plane
    !

    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 2 protocol ieee
    bridge 2 route ip
    banner motd ^CWARNING Restricted Access Only!!!^C
    !

    line con 0
    exec-timeout 0 0
    password 7 15352B18573D0B3D69
    login local
    no modem enable
    line aux 0
    line vty 0 4
    password 7 072801581D1E391C56
    login local
    transport input ssh
    !

    scheduler max-task-time 5000
    end

  • #2
    Re: Cisco 877 Port Forwarding & ACL ISSUES

    Your inbound ACL on the outside interface needs to reference the public ip addresses not the private ones. Not sure if this was done to sanitize the config.


    ip access-list extended external_ACL
    permit tcp any host 192.168.2.1 eq smtp
    permit tcp any host 192.168.2.1 eq pop2
    permit tcp any host 192.168.2.1 eq pop3
    permit tcp any host 192.168.2.1 eq www
    permit tcp any host 192.168.2.1 eq 443
    permit tcp any host 192.168.2.1 eq ftp
    permit tcp any host 192.168.2.1 eq ftp-data
    permit tcp any host 192.168.2.1 eq 3388
    permit tcp any host 192.168.2.2 eq 3389
    permit tcp any host 192.168.2.254 eq 1723
    permit tcp any any established


    Also finish up this ACL with a deny ip any any.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: Cisco 877 Port Forwarding & ACL ISSUES

      Thanks Auglan,

      I tried what you advised me to do, but still no joy...
      I still cannot connect via RDP, VPN, SSH...

      I tried configuring the no ip nat statement, but it does not want to apply.
      See below.
      SilkR1(config)#no ip nat inside source static tcp 192.168.2.254 22 interface Dialer2 22
      %Static entry not found
      SilkR1(config)#

      Could NAT be causing me any problems? Hence I can't port forward.

      James



      • #4
        Re: Cisco 877 Port Forwarding & ACL ISSUES

        You need an ACL on the outside interface to permit the traffic and then a corresponding nat statement for the port forwarding. So they both work together. The ACL is hit first then the nat.

        Did you generate a public/private key pair for ssh?


        crypto key generate rsa modulus 1024

        This is required for SSH.


        Also do this:


        sh run | sec ip nat


        Then look to see if that static is in the NAT table. It almost looks like it may have been removed. Check your ACL again, as I don't see an entry for SSH inbound from the outside interface.

        permit tcp any host "public ip address" eq 22

        There is an implicit deny after every ACL.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: Cisco 877 Port Forwarding & ACL ISSUES

          Hi Auglan,

          Yes, I did enable crypto key generate rsa.
          And yes, I do SSH to the router via the local LAN connected to the router.

          I will give you the result of sh run | sec ip nat in a few hours once I arrive home.

          Could you help me design my ACLs for my intended setup?


          Regards
          James



          • #6
            Re: Cisco 877 Port Forwarding & ACL ISSUES

            Your ACL looks okay. I just noticed you didn't allow SSH inbound from the outside. I made a few corrections as well.


            ip access-list extended external_ACL
            permit tcp any host "your public ip " eq smtp
            permit tcp any host "your public ip " eq pop2
            permit tcp any host "your public ip " eq pop3
            permit tcp any host "your public ip " eq www
            permit tcp any host "your public ip " eq 443
            permit tcp any host "your public ip " eq ftp
            permit tcp any host "your public ip " eq ftp-data
            permit tcp any host "your public ip " eq 3388
            permit tcp any host "your public ip " eq 3389
            permit tcp any host "your public ip " eq 1723
            permit tcp any host "your public ip " eq 22
            deny ip any any
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)

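            The point made in posts #2, #4 and #6, that the inbound ACL on the NAT-outside interface is evaluated before the static NAT rewrites the destination and therefore has to match the public address, can be checked with a small model. This is an added example, not code from the thread; the public address is a placeholder, everything else (ports, inside hosts, the two ACL versions) is taken from the posted config and from post #6.

```python
# Added example: minimal model of IOS inbound ACL + static NAT ordering on the
# NAT-outside interface (ACL first, on the untranslated public destination).
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "203.0.113.10"   # placeholder for the address negotiated on Dialer2

@dataclass
class Ace:
    """One line of an extended ACL, reduced to the fields this thread uses."""
    action: str                 # "permit" or "deny"
    dst: str                    # destination host IP, or "any"
    dport: Optional[int]        # TCP destination port, None = any
    established: bool = False   # the IOS 'established' keyword

def acl_check(acl, dst_ip, dport, new_connection):
    """First matching entry wins; an implicit 'deny ip any any' ends every IOS ACL."""
    for e in acl:
        if e.established and new_connection:
            continue                    # 'established' never matches an initial SYN
        if e.dst not in ("any", dst_ip):
            continue
        if e.dport not in (None, dport):
            continue
        return e.action == "permit"
    return False

# Static port forwards from the posted config: public port -> inside host.
# Port 22 maps to 192.168.2.254, which is the router's own BVI1 address.
NAT_STATIC = {3388: "192.168.2.1", 443: "192.168.2.1", 80: "192.168.2.1",
              110: "192.168.2.1", 25: "192.168.2.1", 3389: "192.168.2.2",
              20: "192.168.2.1", 21: "192.168.2.1", 22: "192.168.2.254"}

def inbound_reachable(acl, port):
    """Where a new Internet connection to PUBLIC_IP:port ends up: None if the
    inbound ACL drops it (checked on the public destination, before NAT), the
    inside host for a forwarded port, or PUBLIC_IP when the router itself
    terminates the service (e.g. PPTP on 1723, which has no static entry)."""
    if not acl_check(acl, PUBLIC_IP, port, new_connection=True):
        return None
    return NAT_STATIC.get(port, PUBLIC_IP)

# The thread's original external_ACL: destinations are the private hosts.
ORIGINAL_ACL = [Ace("permit", "192.168.2.1", p) for p in (25, 109, 110, 80, 443, 21, 20, 3388)]
ORIGINAL_ACL += [Ace("permit", "192.168.2.2", 3389), Ace("permit", "192.168.2.254", 1723),
                 Ace("permit", "any", None, established=True)]

# The corrected ACL from post #6: public address, SSH added, explicit final deny.
CORRECTED_ACL = [Ace("permit", PUBLIC_IP, p) for p in (25, 109, 110, 80, 443, 21, 20, 3388, 3389, 1723, 22)]
CORRECTED_ACL.append(Ace("deny", "any", None))

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(name, {p: inbound_reachable(acl, p) for p in sorted(NAT_STATIC)})
```

            With the original ACL every forwarded port comes back as dropped, because no line names the public address and 'established' does not match a new SYN; with the corrected ACL each port resolves to its inside host.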


            • #7
              Re: Cisco 877 Port Forwarding & ACL ISSUES

              OK Guys,
              GOOD NEWS
              I got SSH port 22 open and VPN port 1723 open

              I can SSH into the router and perform commands on the router from the dialer interface.
              I can't VPN though; it's detecting the connection but it's grumbling about username and password! Any ideas? Do I have to state login local somewhere? The username and
              password I am using is privilege level 15, the highest level. Do I need to modify my config somewhere?
              Also the other ports don't seem to be open!
              I am running a port scan on the router and telnetting onto the ports I opened, but they are not open.

              Any Ideas Guys
              Nearly there....
              Last edited by james.murraycurtis; 13th March 2012, 21:22.



              • #8
                Re: Cisco 877 Port Forwarding & ACL ISSUES

                aaa new-model


                aaa authentication login default group local
                aaa authentication ppp default group local
                CCNA, CCNA-Security, CCNP
                CCIE Security (In Progress)



                • #9
                  Re: Cisco 877 Port Forwarding & ACL ISSUES

                  Applied those commands,

                  but still with the problem. The error I get is:
                  Error: Verify username and password

                  Error Number 734 The PPP link control protocol was terminated

                  Scanning ports on 195.158.XXX.XXX

                  195.158.XXX.XXX isn't responding on port 20 (ftp-data).
                  195.158.XXX.XXX isn't responding on port 21 (ftp).
                  195.158.XXX.XXX is responding on port 22 (ssh).
                  195.158.XXX.XXX isn't responding on port 80 (http).
                  195.158.XXX.XXX isn't responding on port 110 (pop3).
                  195.158.XXX.XXX isn't responding on port 443 (https).
                  195.158.XXX.XXX isn't responding on port 3388 (cbserver).
                  195.158.XXX.XXX isn't responding on port 3389 (ms-wbt-server).
                  Last edited by james.murraycurtis; 13th March 2012, 22:27.



                  • #10
                    Re: Cisco 877 Port Forwarding & ACL ISSUES

                    Try adding this:

                    aaa authorization network default group local


                    Are your internal hosts listening on those ports? Check your ACLs and NATs again to make sure they are set up correctly.

                    Post this:


                    sh ip nat translations
                    CCNA, CCNA-Security, CCNP
                    CCIE Security (In Progress)
