1700 Series -- Can't get out from DMZ 1


rhyno2k

Hi,


We have our web server set up in a DMZ using a Cisco 1700 Router. However, I cannot retrieve any internet data from this machine -- either directly (launching a web browser from the console) or programmatically (loading an XML/RSS feed via PHP). All incoming data is received, and it's running well as a web & front-end Exchange Server.

It's set up as 10.10.0.18, with a gateway of 10.10.0.1 (1700 router). The DNS seems to be working fine, as I see the IP address of the site I'm trying to connect to in IE's status bar. CurrPorts shows proper remote IPs and remote port 80, as well as incoming UDP port 54xxx.

But no data ever comes in.

My highly-paid consultant has not been able to figure this out for months.

Does anyone have any ideas?!


Thanks
--RHYNO
 
Just for clarification -

This box is single-homed?
You can access it from both inside, and outside, your DMZ?
But you cannot sit at this server's console and access the Internet?
Can you access anything in your internal network via http?
 
Hi Chip,

This box is single-homed?
-- Yes, it's single-homed, directly to the 1700

You can access it from both inside, and outside, your DMZ?
-- It's the only box in the DMZ. It's accessible from outside the DMZ.

But you cannot sit at this server's console and access the Internet?
-- Correct.

Can you access anything in your internal network via http?
-- Yes, I can access a Server2Go HTTP daemon running on my workstation on the internal network from the box on the DMZ.
 
Can you post the config from the 1700 - minus passwords and public IPs of course.

What is the 1700 connected to? Can you give a better picture of traffic flow from 1700 to Internet? Or is it directly connected to Internet with a WIC?

 
Hi Chip,

Thanks for the prompt responses...

The 1700 has 3 connections, 1 connected to a T-1 Line, 1 to the internal network switch, and 1 to the DMZ (currently only the one box).

Here's the config:

Code:
!
aaa authentication login userauth local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
!
!
ip domain name mycompany.com
ip name-server 10.0.0.3
no ip bootp server
ip cef
ip inspect audit-trail
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 http
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 udp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
password encryption aes
!
!
!
!
crypto keyring spokes
  pre-shared-key address 0.0.0.0 0.0.0.0 key XXXX
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 10
!
crypto isakmp client configuration group remote
 key mycompany
 dns 10.0.0.3
 pool ippool
crypto isakmp profile L2L
   keyring spokes
   match identity address 0.0.0.0
crypto isakmp profile VPNclient
   match identity group remote
   isakmp authorization list groupauthor
   client configuration address respond
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto dynamic-map dynmap 5
 set transform-set myset
 set isakmp-profile VPNclient
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile L2L
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Loopback0
 ip address 172.XX.XX.1 255.255.255.252
!
interface Ethernet0
 description FW_DMZ
 ip address 10.10.0.1 255.255.0.0
 no ip redirects
 no ip unreachables
 ip nat inside
 ip inspect DEFAULT100 in
 ip route-cache flow
 half-duplex
 no cdp enable
!
interface FastEthernet0
 description FW_INSIDE
 ip address 10.0.0.250 255.255.255.0
 ip access-group 120 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect DEFAULT100 in
 ip route-cache flow
 ip policy route-map rmap
 speed auto
 no cdp enable
!
interface Serial0
 description Circuit ID=XX-XXXX-XXXX
 ip address 209.XX.XX.18 255.255.255.252
 ip access-group 130 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 in
 encapsulation ppp
 ip route-cache flow
 no cdp enable
 crypto map mymap
!
ip local pool ippool 172.XX.XX.1 172.XX.XX.254
ip nat inside source list 150 interface Serial0 overload
ip nat inside source static tcp 10.10.0.18 25 209.XX.XX.162 25 extendable
ip nat inside source static tcp 10.10.0.18 80 209.XX.XX.162 80 extendable
ip nat inside source static tcp 10.10.0.18 110 209.XX.XX.162 110 extendable
ip nat inside source static tcp 10.10.0.18 20 209.XX.XX.163 20 extendable
ip nat inside source static tcp 10.10.0.18 21 209.XX.XX.163 21 extendable
ip nat inside source static tcp 10.0.0.213 80 209.XX.XX.164 80 extendable
ip nat inside source static tcp 10.0.0.90 3389 209.XX.XX.166 3389 extendable
ip nat inside source static udp 10.0.0.90 3389 209.XX.XX.166 3389 extendable
ip nat inside source static tcp 10.0.0.100 3389 209.XX.XX.167 3389 extendable
ip nat inside source static udp 10.0.0.100 3389 209.XX.XX.167 3389 extendable
ip nat inside source static tcp 10.0.0.112 3389 209.XX.XX.168 3389 extendable
ip nat inside source static udp 10.0.0.112 3389 209.XX.XX.168 3389 extendable
ip nat inside source static tcp 10.0.0.109 3389 209.XX.XX.169 3389 extendable
ip nat inside source static udp 10.0.0.109 3389 209.XX.XX.169 3389 extendable
ip nat inside source static tcp 10.0.0.66 3389 209.XX.XX.170 3389 extendable
ip nat inside source static udp 10.0.0.66 3389 209.XX.XX.170 3389 extendable
ip nat inside source static tcp 10.10.0.18 80 209.XX.XX.171 80 extendable
ip nat inside source static tcp 10.10.0.18 80 209.XX.XX.172 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 10.10.0.0 255.255.0.0 Ethernet0
ip http server
ip http authentication local
ip http secure-server
!
!
!
logging trap debugging
logging 10.0.0.3
access-list 120 remark SDM_ACL Category=17
access-list 120 permit tcp any eq 3389 192.168.1.0 0.0.0.255
access-list 120 permit udp any eq 3389 192.168.1.0 0.0.0.255
access-list 120 permit tcp any 10.10.0.0 0.0.255.255 eq www
access-list 120 permit tcp any 10.10.0.0 0.0.255.255 eq smtp
access-list 120 permit tcp any 10.10.0.0 0.0.255.255 eq pop3
access-list 120 permit tcp any 10.10.0.0 0.0.255.255 eq 3389
access-list 120 permit udp any 10.10.0.0 0.0.255.255 eq 3389
access-list 120 permit tcp any 10.10.0.0 0.0.255.255 eq 3306
access-list 120 permit udp any 10.10.0.0 0.0.255.255 eq 3306
access-list 120 permit tcp any 10.10.0.0 0.0.255.255 eq 137
access-list 120 permit udp any 10.10.0.0 0.0.255.255 eq netbios-ns
access-list 120 permit tcp any 10.10.0.0 0.0.255.255 eq 138
access-list 120 permit udp any 10.10.0.0 0.0.255.255 eq netbios-dgm
access-list 120 permit tcp any 10.10.0.0 0.0.255.255 eq 139
access-list 120 permit udp any 10.10.0.0 0.0.255.255 eq netbios-ss
access-list 120 permit udp any any eq domain
access-list 120 permit udp any eq domain any
access-list 120 permit tcp any eq domain any
access-list 120 permit tcp any any eq domain
access-list 120 permit tcp any eq 135 any
access-list 120 permit udp any eq 135 any
access-list 120 permit tcp any eq 137 any
access-list 120 permit udp any eq netbios-ns any
access-list 120 permit tcp any eq 138 any
access-list 120 permit udp any eq netbios-dgm any
access-list 120 permit tcp any eq 139 any
access-list 120 permit udp any eq netbios-ss any
access-list 120 permit tcp any eq 445 any
access-list 120 permit udp any eq 88 any
access-list 120 permit udp any eq 389 any
access-list 120 permit tcp any eq 389 any
access-list 120 permit tcp any eq 3268 any
access-list 120 permit icmp any any
access-list 120 permit tcp any any eq www
access-list 120 deny   ip any 10.10.0.0 0.0.255.255
access-list 120 permit ip any any
access-list 130 permit esp any any
access-list 130 permit udp any any eq isakmp
access-list 130 permit udp any any eq non500-isakmp
access-list 130 deny   tcp any any eq 4444
access-list 130 deny   udp any any eq 8998
access-list 130 deny   udp any any range 995 999
access-list 130 deny   tcp any any range 3127 3199
access-list 130 deny   tcp any range 3127 3199 any
access-list 130 deny   udp any any range 3127 3199
access-list 130 deny   udp any range 3127 3199 any
access-list 130 deny   tcp any any eq 5554
access-list 130 deny   tcp any any eq 9996
access-list 130 deny   tcp any any eq 707
access-list 130 permit icmp any any echo
access-list 130 permit icmp any any echo-reply
access-list 130 permit icmp any any time-exceeded
access-list 130 permit icmp any any traceroute
access-list 130 permit icmp host 206.XX.XX.254 any echo-reply
access-list 130 deny   icmp any any
access-list 130 permit tcp any host 209.XX.XX.162 eq smtp
access-list 130 permit tcp any host 209.XX.XX.162 eq www
access-list 130 permit tcp any gt 1023 host 209.XX.XX.163 eq ftp-data
access-list 130 permit tcp any gt 1023 host 209.XX.XX.163 eq ftp
access-list 130 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 130 permit udp any host 209.XX.XX.170 eq 3389
access-list 130 permit tcp any host 209.XX.XX.170 eq 3389
access-list 130 permit udp any host 209.XX.XX.169 eq 3389
access-list 130 permit tcp any host 209.XX.XX.169 eq 3389
access-list 130 permit udp any host 209.XX.XX.168 eq 3389
access-list 130 permit tcp any host 209.XX.XX.168 eq 3389
access-list 130 permit udp any host 209.XX.XX.167 eq 3389
access-list 130 permit tcp any host 209.XX.XX.167 eq 3389
access-list 130 permit tcp any host 209.XX.XX.172 eq www
access-list 130 permit tcp any host 209.XX.XX.171 eq www
access-list 130 permit tcp any host 209.XX.XX.18 eq 22
access-list 130 permit tcp any any established
access-list 130 permit udp any any eq domain
access-list 130 permit udp any eq domain any
access-list 130 permit tcp any host 209.XX.XX.164 eq www
access-list 130 permit tcp any host 209.XX.XX.166 eq 3389
access-list 130 permit udp any host 209.XX.XX.166 eq 3389
access-list 150 deny   ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 deny   ip 10.0.0.0 0.0.0.255 172.XX.XX.0 0.0.0.255
access-list 150 permit ip 10.0.0.0 0.0.0.255 any
access-list 160 permit ip 10.0.0.0 0.0.255.255 192.168.1.0 0.0.0.255
no cdp run
!
route-map rmap permit 10
 match ip address 160
 set ip next-hop 172.XX.XX.2
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
ntp server 10.0.0.3 source FastEthernet0 prefer
!
end
 
Sorry, should have asked for this in the first place, can you post ipconfig output from the server?
 
Sure:

Code:
Windows IP Configuration


   Host Name . . . . . . . . . . . . : dmzwebsrv
   Primary Dns Suffix  . . . . . . . : mycompany.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mycompany.com


Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port Network Connection
   Physical Address. . . . . . . . . : 00-04-23-XX-XX-XX


Ethernet adapter DMZ Connection:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port Network Connection #2
   Physical Address. . . . . . . . . : 00-04-23-XX-XX-XX
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.10.0.18
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.10.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.3
 
Have you tried a simple port probe from the router?
Code:
telnet yahoo.com 80

You'll either get a constant blinking cursor, or an eventual time-out:

"Could not open connection to the host, on port 80: Connect failed"

Are you doing ipsec on the server as well, or is it all on the router?
 
I get a solid cursor and: "Connecting to yahoo.com...Could not open connection to the host, on port 80: Connect failed"

IPSec is all on the router I believe, nothing additional was installed.
 
What I can contribute: I don't have any experience with context-based commands but have a little understanding of it. I do have experience with access lists and it appears you would need an access list entry in list 150 allowing established sessions back in. Maybe a more experienced person can add to or disprove my observation. (just be easy on me)
 
I'd lean toward what Ru55el is saying, though I'm not so familiar with NAT-ing, so I couldn't say for sure.

Based on what you got from yahoo.com, you definitely have something in a firewall or access-list that is stopping port 80, otherwise you would have just got a blinking cursor and no timeout/connection error.

You can use show access-list ## to see which lines in each access-list are being matched when trying to access a web site. I believe "show ip accounting access-violations" should give you some info on what access-list is blocking that traffic.

That will at least narrow it down.
 
Yep, you aren't overload NATing any traffic from 10.10.0.0/16, only traffic coming from 10.0.0.0/24. Your ACL:
Code:
access-list 150 deny   ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 deny   ip 10.0.0.0 0.0.0.255 172.XX.XX.0 0.0.0.255
access-list 150 permit ip 10.0.0.0 0.0.0.255 any
doesn't have the 10.10.0.0/24 subnet included, thus it is denied.

Add this to the 150 ACL and see if it works:
permit ip 10.10.0.0 0.0.255.255 any




UnaBomber
ccnp mcse2k
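To see why the DMZ host never matched the NAT source list, here is an added example (not from the thread, and not Cisco's code) that applies IOS wildcard-mask, first-match evaluation to the ACL 150 entries quoted above, before and after the suggested permit. The redacted 172.XX.XX.0 network is replaced with a constructed stand-in, and the Internet destination is a constructed test address.

```python
import ipaddress

# Constructed copy of ACL 150 as posted; 172.16.99.0 stands in for the redacted 172.XX.XX.0.
ACL_150_BEFORE = [
    "access-list 150 deny   ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 150 deny   ip 10.0.0.0 0.0.0.255 172.16.99.0 0.0.0.255",
    "access-list 150 permit ip 10.0.0.0 0.0.0.255 any",
]
# Same list with the entry UnaBomber suggested appended.
ACL_150_AFTER = ACL_150_BEFORE + ["access-list 150 permit ip 10.10.0.0 0.0.255.255 any"]


def _wild_match(addr, base, wildcard):
    """Cisco wildcard: a 1 bit means 'don't care', so compare only the 0 bits."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def _parse_addr(tok, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tok[i]; skip a trailing port qualifier."""
    if tok[i] == "any":
        spec, i = ("0.0.0.0", "255.255.255.255"), i + 1
    elif tok[i] == "host":
        spec, i = (tok[i + 1], "0.0.0.0"), i + 2
    else:
        spec, i = (tok[i], tok[i + 1]), i + 2
    if i < len(tok) and tok[i] in ("eq", "gt", "lt", "neq"):
        i += 2
    elif i < len(tok) and tok[i] == "range":
        i += 3
    return spec, i


def parse_ace(line):
    """Parse one extended ACE: access-list N permit|deny PROTO SRC DST [ports]."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line}")
    src, i = _parse_addr(tok, 4)
    dst, _ = _parse_addr(tok, i)
    return {"action": tok[2], "proto": tok[3], "src": src, "dst": dst}


def evaluate(acl_lines, src_ip, dst_ip, proto="ip"):
    """First match wins; an unmatched packet hits the implicit deny at the end.
    For 'ip nat inside source list', permit = translate, deny = send untranslated."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if _wild_match(src_ip, *ace["src"]) and _wild_match(dst_ip, *ace["dst"]):
            return ace["action"], line
    return "deny", "<implicit deny>"
```

The appended permit translates everything in 10.10.0.0/16; if only 10.10.0.18 needs to reach the Internet, a `host 10.10.0.18` entry is the narrower choice.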
 
Unabomber,

Gold star for you. Worked right away! Now I can get on with my XML-ing, CURL-ing, screen scraping, etc...

Thanks to ChipK & Ru55el for your thoughts as well.


A Happy,
--RHYNO
 