Cisco DMZ Frustration 1


QCumber (Technical User, GB), Apr 23, 2003
Hi there,

Could someone please explain why my email/web server can't connect to the outside world? This is proving a bit inconvenient for a box that's supposed to collect my POP3 mail!

Setup:

Cisco 837 ADSL Router
Dialer0 - ADSL I/F to ISP
Ethernet0 - internal LAN (192.168.4.0)
Ethernet2 - DMZ Interface (10.0.0.0)

Internal LAN (192.168.4.0) all works fine.

DMZ inbound http to 2 different ports on the server (10.0.0.2), 1 for IIS one for webmail, works fine.

But, the server (10.0.0.2) in the DMZ cannot connect to the outside at all. Hell, it can't even ping its own router interface (10.0.0.1) - "destination net unreachable"

I'm kind of new to all this and have got where I am now by mostly trawling the net, but I just can't seem to crack this last bit.

Ideally, I want the server (10.0.0.2) to be able to access the outside world and be accessible FROM the internal (192.168.4.0) LAN, but not be able to connect TO it itself (is that even possible just using the Cisco kit? If not I can put a software firewall on, to enable 1 way traffic only).

As a relative newbie, I would welcome all (constructive!) criticism of the following config :)

Thanks in advance,

Q.

=============================================
version 12.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 xxxxxxxxxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxxxx
!
username xxxxxxxxxxx password 7 xxxxxxxxxxxxxxxxxxxxxx
username xxxxxxxxxxx privilege 15 password 7 xxxxxxxxxxxxxxxxxx

aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
ip subnet-zero
ip dhcp excluded-address 192.168.4.1 192.168.4.20
!
ip dhcp pool CLIENT
import all
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
lease infinite
!
!
no ip domain lookup
ip domain name myisp.net
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip inspect name ethernetin cuseeme timeout 3600
ip inspect name ethernetin ftp timeout 3600
ip inspect name ethernetin h323 timeout 3600
ip inspect name ethernetin http timeout 3600
ip inspect name ethernetin rcmd timeout 3600
ip inspect name ethernetin realaudio timeout 3600
ip inspect name ethernetin smtp timeout 3600
ip inspect name ethernetin sqlnet timeout 3600
ip inspect name ethernetin streamworks timeout 3600
ip inspect name ethernetin tcp timeout 3600
ip inspect name ethernetin tftp timeout 30
ip inspect name ethernetin udp timeout 15
ip inspect name ethernetin vdolive timeout 3600
ip inspect name dmzinspect tcp
ip inspect name dmzinspect udp
ip ids po max-events 100
ftp-server enable
no ftp-server write-enable
!
!
!
!
!
!
!
interface Loopback0
no ip address
!
interface Ethernet0
description $FW_INSIDE$$ETH-LAN$
ip address 192.168.4.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
hold-queue 100 out
!
interface Ethernet2
description $FW_DMZ$
ip address 10.0.0.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip inspect dmzinspect out
ip virtual-reassembly
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
dsl power-cutback 30
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer0
description ADSL interface for PlusNet$FW_OUTSIDE$
ip address xxx.xxx.xxx.xxx 255.255.255.0
ip access-group 102 in
ip nat outside
ip inspect ethernetin in
ip inspect ethernetin out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname me@myisp.net
ppp chap password 7 xxxxxxxxxxxxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.0.0.2 25 xxx.xxx.xxx.xxx 25 extendable
ip nat inside source static tcp 10.0.0.2 80 xxx.xxx.xxx.xxx 80 extendable
ip nat inside source static tcp 10.0.0.2 110 xxx.xxx.xxx.xxx 110 extendable
ip nat inside source static tcp 10.0.0.2 143 xxx.xxx.xxx.xxx 143 extendable
ip nat inside source static tcp 192.168.4.2 3389 xxx.xxx.xxx.xxx 3389 extendable
ip nat inside source static udp 192.168.4.2 3389 xxx.xxx.xxx.xxx 3389 extendable
ip nat inside source static tcp 10.0.0.2 8888 xxx.xxx.xxx.xxx 8888 extendable
ip nat outside source list 102 interface Dialer0
!
!
no logging trap
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 remark outbound rules for dialer0
access-list 100 remark inbound rules for ethernet0
access-list 100 deny ip xxx.xxx.xxx.0 0.0.0.255 any
access-list 100 deny ip 10.0.0.0 0.0.0.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark inbound rules for ethernet2
access-list 101 permit ip any host 10.0.0.2
access-list 101 permit tcp any host 10.0.0.2
access-list 101 permit udp host xxx.xxx.xxx.xxx eq domain host 10.0.0.2
access-list 101 permit udp host xxx.xxx.xxx.xxx eq domain host 10.0.0.2
access-list 101 permit udp host xxx.xxx.xxx.xxx eq domain host 10.0.0.2
access-list 101 permit icmp any host 10.0.0.2 echo-reply
access-list 101 permit icmp any host 10.0.0.2 time-exceeded
access-list 101 permit icmp any host 10.0.0.2 unreachable
access-list 102 permit icmp host xxx.xxx.xxx.xxx any
access-list 102 deny ip 10.0.0.0 0.0.0.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.0.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 permit icmp any host xxx.xxx.xxx.xxx echo-reply
access-list 102 permit icmp any host xxx.xxx.xxx.xxx time-exceeded
access-list 102 permit icmp any host xxx.xxx.xxx.xxx unreachable
access-list 102 permit udp host xxx.xxx.xxx.xxx eq domain host 81.174.134.163
access-list 102 permit udp host xxx.xxx.xxx.xxx eq domain host 81.174.134.163
access-list 102 permit udp host xxx.xxx.xxx.xxx eq domain host 81.174.134.163
access-list 102 permit gre host xxx.xxx.xxx.xxx any
access-list 102 permit ip host xxx.xxx.xxx.xxx any
access-list 102 permit udp host xxx.xxx.xxx.xxx any
access-list 102 permit tcp host xxx.xxx.xxx.xxx any
access-list 102 permit tcp any host xxx.xxx.xxx.xxx eq 8888
access-list 102 permit tcp any host xxx.xxx.xxx.xxx eq www
!
control-plane
!
!
line con 0
no modem enable
transport preferred all
transport output all
line aux 0
length 0
transport preferred all
transport input telnet ssh
transport output all
line vty 0 4
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
end
 
Ok....start with the basics....
Do a show interface ethernet2 and check to see if line and protocol are up. Would I be correct that the 10.0.0.2 server is directly connected to the router ethernet2 interface? If so and line and protocol are down check the cable to make sure it is a crossover cable and not straight through. Also should look at the NIC in the server. If old 10Base-T then you should set interface ethernet2 to half-duplex and speed 10.
 
Actually....confused by your show run...837 series should only show the following interfaces:
ATM0
Ethernet0
FastEthernet1 through 4
Dialer interface for DSL connection

Do not think that Ethernet2 is a usable interface.
 
Hi Joamon,

thanks for the replies.

The Ethernet2 port and server NIC are fine, I can connect to the web server (port 80) and the email web interface (port 8888) from the internet. I just can't get the server to make an outbound connection to anything, even to its own 10.0.0.1 router interface.

Well spotted on the 837 interfaces too! IOS ver 13.3(7)XR3 added the facility to configure the FastEthernet4 port as Ethernet2 for use as a DMZ.

Cheers,

Q.
 
access-list 102 deny ip 10.0.0.0 0.0.0.255 any

This will stop anything from this subnet getting to the outside world, as the access-list is applied before NAT.

Also remember access-list 101 has an implicit deny, therefore anything that hasn't been allowed by the permit will be dropped. Try:

access-list 101 permit tcp host 10.0.0.2 any eq 110

good luck

WGM
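Pulling the two replies together, below is a rebuilt DMZ policy for this box. It is an added worked example, not something posted in the thread, and it assumes the addresses from the original post (Ethernet2 = 10.0.0.1/24, server 10.0.0.2, LAN 192.168.4.0/24), that the existing "ip inspect dmzinspect out" on Ethernet2 and "ip inspect ethernetin out" on Dialer0 stay in place, and that xxx.xxx.xxx.xxx stands for the ISP name servers the post masks out. The key point is direction: ACL 101 is applied "in" on Ethernet2, so it is evaluated against packets arriving from the DMZ, and every line has to match source 10.0.0.2. The original lines all match destination 10.0.0.2, so nothing ever hits and the implicit deny drops everything, the ping to 10.0.0.1 included (IOS answers an ACL drop with an ICMP unreachable, which is what the server's ping reports). A second gap is NAT: access-list 1 only covers the LAN, so outbound sessions from 10.0.0.2 on anything other than the statically mapped ports get no translation on Dialer0. The one-way requirement from the first post (LAN may reach the server, server may never initiate toward the LAN) is handled by a deny placed before the outbound permits; return traffic for LAN- or Internet-initiated sessions still gets through because the CBAC inspection on Ethernet2 opens it dynamically.

```cisco
! Added worked example, not posted in the thread. Rebuilds access-list 1
! and access-list 101 from the config above; everything else stays as is.
! Addresses are the ones in the original post; xxx.xxx.xxx.xxx are the
! ISP name servers the post masks out.
!
! (a) The NAT source list only covered the LAN, so outbound sessions from
!     10.0.0.2 on ports other than the static mappings had no translation.
no access-list 1
access-list 1 remark hosts PAT'd behind Dialer0
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit host 10.0.0.2
!
! (b) ACL 101 is applied "in" on Ethernet2, so it filters packets arriving
!     FROM the DMZ. Every line must match source 10.0.0.2; the original
!     lines matched destination 10.0.0.2, never hit, and left the implicit
!     deny to drop everything, the ping to 10.0.0.1 included.
!     Return traffic for sessions started from the LAN or Internet toward
!     the server is opened dynamically by "ip inspect dmzinspect out",
!     which only inspects tcp/udp, hence the explicit echo-reply line.
no access-list 101
access-list 101 remark inbound on Ethernet2: what the DMZ host may originate
access-list 101 permit icmp host 10.0.0.2 any echo-reply
access-list 101 permit icmp host 10.0.0.2 host 10.0.0.1 echo
! the router runs http(s), telnet and ssh: keep them off the DMZ
access-list 101 deny   ip host 10.0.0.2 host 10.0.0.1 log
! one-way policy: the DMZ never initiates toward the internal LAN
access-list 101 deny   ip host 10.0.0.2 192.168.4.0 0.0.0.255 log
! what a mail/web box needs outbound (443 and ntp are assumptions for
! updates and time sync; drop them if unused)
access-list 101 permit udp host 10.0.0.2 host xxx.xxx.xxx.xxx eq domain
access-list 101 permit udp host 10.0.0.2 host xxx.xxx.xxx.xxx eq domain
access-list 101 permit tcp host 10.0.0.2 any eq smtp
access-list 101 permit tcp host 10.0.0.2 any eq pop3
access-list 101 permit tcp host 10.0.0.2 any eq www
access-list 101 permit tcp host 10.0.0.2 any eq 443
access-list 101 permit udp host 10.0.0.2 any eq ntp
access-list 101 permit icmp host 10.0.0.2 any echo
! anything else from the DMZ (a compromised server scanning, say) is
! dropped and logged rather than silently discarded
access-list 101 deny   ip any any log
```

Apply it from the console, or guard the session with "reload in 10" (and "reload cancel" once done): between "no access-list 101" and the new lines, an interface with "ip access-group 101 in" and no ACL 101 defined passes everything. The "log" keywords only produce anything once logging is switched back on ("logging buffered"; the config above has it disabled). To check: from the server, ping 10.0.0.1 should now answer; on the router, "show access-lists 101" should show hit counts on the pop3/smtp lines, "show ip nat translations" a dynamic entry for 10.0.0.2, and "show ip inspect sessions" the open sessions. One caveat on the ACL 102 line quoted above: 102 is applied "in" on Dialer0, so its deny for 10.0.0.0/24 matches packets arriving from the ISP with a private source address (an anti-spoofing entry worth keeping); packets the server sends out are translated and leave Dialer0 without being evaluated against that list.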



 
Ahhhh! Of course. It's blindingly obvious, now you've pointed it out!

Many thanks.

Q.
 