Help! Cisco n00b!

Kingy · 7 Jun 2006 at 17:20

Help, please... *beg*

I've changed jobs and I've got an issue with my new network not letting traffic from the internet through the Cisco 878 Firewall Router.

I've configured Netgear routers before, and successfully forwarded ports to 25 and 80 etc to get SMTP and OWA working, but despite allowing (I think) traffic to port 25 to be directed to the exchange server, no-one can telnet to it (what the hell is telnet?), and I can't even ping my external IP address from outside the network.

I've spent days on this, and I'm about at breaking point. Does anyone here know anything about Cisco routers, or know where I should be looking for help?

Any help appreciated.

/desperate

Burbleflop · 7 Jun 2006 at 17:38

Can you post your config (minus passwords) and I'll take a look.

Rich · 7 Jun 2006 at 18:44

Aye, post the config up.
As a pointer you need to have a static translation (or port redirection) in place.

You would use port redirection if you only had one public IP address available for use. Basically this would do exactly the same thing as Port forwarding on a Netgear or Linksys box.

Example:

"ip nat inside source static tcp 192.168.100.80 4662 interface Ethernet0 4662"

This is taken directly from mine. Basically this statement is the router saying "when i see traffic hit the outside interface on port 4662, i need to translate this to 192.168.100.80 on port 4662".
You will need to replace ethernet0 with "dialer0" on an ADSL router, which should apply to you as its an SHDSL router.
Obviously your ports need to change also to suit your needs.

Second would be the access list. This should be pretty straightforward.

Do a "show run" and let it scroll as it does. Type /interface and it will filter the config down to your interfaces.
Look for dialer0 (im assuming it will be dialer0 here, not personally touched the 878) and it will have a statement that says " ip access-group 101 in" for example. This means that access-list 101 is protecting your outside interface (ADSL).
You need to edit this access-list to allow the traffic, so for example you start with the following:

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any host 192.168.100.81 eq 25

You would need to add the following to make this work for HTTP to the same ip we used for the translation:

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any host 192.168.100.81 eq 25
access-list 101 permit tcp any host 192.168.100.80 eq 80
access-list 101 deny ip any any log

That should do it, and also give you logs when people try to access your other devices.

Deleted member 58846 · 8 Jun 2006 at 12:52

from the pix isnt there a debug command you can use ?

debug ip http all

go to the workstation you need to access http traiffic and watch what its doing remotly or something...

brocksta · 8 Jun 2006 at 14:07

Kingy said:
what the hell is telnet?

telnet is a protocol used for remote access to a device

Wyvern971 · 8 Jun 2006 at 14:29

zen62619 said:
from the pix isnt there a debug command you can use ?

It's a Router with a firewall module, not a firewall, though I think the commands are fairly similar I don't think they are the same

Telnet is as described above, but I'd use SSH and putty as a client as Telnet sends everything in clear text

Kingy · 8 Jun 2006 at 15:42

Burbleflop said:
Can you post your config (minus passwords) and I'll take a look.

My apologies for the delay, I'd been trying to get VPN working, and on just realised what a mess it made of the running configuration, so I reset it and tried a couple of things.

First of, I configured the router without enabling the firewall, whch meant that I could ping my external ip address from home. This is the config:

Code:

!This is the running config of the router: 192.168.0.2
!----------------------------------------------------------------------------
!version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco878
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 *removed*
!
username admin privilege 15 secret 5 *removed*.
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name sbsonline.co.uk
ip name-server 213.208.106.212
ip name-server 213.208.106.213
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
controller DSL 0
 mode atm
 line-term cpe
 line-mode 2-wire line-zero
 dsl-mode shdsl symmetric annex B
 line-rate auto
! 
!
!
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 no cdp enable
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address 62.3.253.44 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname [email protected]
 ppp chap password 7 *removed*
 ppp pap sent-username [email protected] password 7 *removed*
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output telnet
line aux 0
 login local
 transport preferred all
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Then having enable the firewall, I can't ping my external IP from home, and this is the running config for that setup.

Code:

!This is the running config of the router: 192.168.0.2
!----------------------------------------------------------------------------
!version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco878
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 *removed*
username admin privilege 15 secret 5 *removed*
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name sbsonline.co.uk
ip name-server 213.208.106.212
ip name-server 213.208.106.213
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
controller DSL 0
 mode atm
 line-term cpe
 line-mode 2-wire line-zero
 dsl-mode shdsl symmetric annex B
 line-rate auto
! 
!
!
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 no cdp enable
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.2 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 62.3.253.44 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname [email protected]
 ppp chap password 7 *removed*
 ppp pap sent-username [email protected] password 7 *removed*
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 62.3.253.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto-generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark SMTP
access-list 101 permit tcp any host 192.168.0.1 eq smtp
access-list 101 remark OWA
access-list 101 permit tcp any host 192.168.0.1 eq www
access-list 101 remark RAdmin
access-list 101 permit tcp any host 192.168.0.1 eq 4899
access-list 101 permit udp host 213.208.106.213 eq domain host 62.3.253.44
access-list 101 permit udp host 213.208.106.212 eq domain host 62.3.253.44
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any host 62.3.253.44 echo-reply
access-list 101 permit icmp any host 62.3.253.44 time-exceeded
access-list 101 permit icmp any host 62.3.253.44 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output telnet
line aux 0
 login local
 transport preferred all
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Thanks for all the replies, but I'm afraid this was pretty much the only one that I understood.

tolien · 8 Jun 2006 at 15:43

For starters:

Burbleflop said:
(minus passwords)

"Encrypted" or no, they're much better not there.

Kingy · 8 Jun 2006 at 15:51

tolien said:
For starters:

"Encrypted" or no, they're much better not there.

Thanks.

tolien · 8 Jun 2006 at 17:50

At (a bit) of a guess, I'd point at access list 101. Surely you'd need a permit icmp any any echo-request (since the request will be coming in to the router, and the reply will be going out from the router)?
The deny ip any any at the end isn't needed either - it's implicitly there.

Wyvern971 · 8 Jun 2006 at 18:59

tolien said:
The deny ip any any at the end isn't needed either - it's implicitly there.

It is, but it's a useful one to have as it gives statistics for packets dropped and can be useful for troubleshooting

Rich · 8 Jun 2006 at 20:18

More useful with the log option too...

tolien · 8 Jun 2006 at 20:32

Wyvern971 said:
It is, but it's a useful one to have as it gives statistics for packets dropped and can be useful for troubleshooting

Quite, though as said, it would be much more useful if it (and/or the rest of the denies) had log at the end.

Kingy · 9 Jun 2006 at 14:38

tolien said:
At (a bit) of a guess, I'd point at access list 101. Surely you'd need a permit icmp any any echo-request (since the request will be coming in to the router, and the reply will be going out from the router)?
The deny ip any any at the end isn't needed either - it's implicitly there.

I've added the icmp thing, and can now ping the external IP, but still can't connect to the ports I've opened. Someone suggested I need to configure NAT as I'm using a single static IP? How would I do that?

tolien · 9 Jun 2006 at 15:28

Example:

"ip nat inside source static tcp 192.168.100.80 4662 interface Ethernet0 4662"

This is taken directly from mine. Basically this statement is the router saying "when i see traffic hit the outside interface on port 4662, i need to translate this to 192.168.100.80 on port 4662".
You will need to replace ethernet0 with "dialer0" on an ADSL router, which should apply to you as its an SHDSL router.
Obviously your ports need to change also to suit your needs.

And as suggested, edit your ACL to suit too.

Kingy · 21 Jun 2006 at 14:53

tolien said:
And as suggested, edit your ACL to suit too.

Cheers, it took me a while to figure out how to get the GUI to make that change to the running config, and I'm now running this:-

Code:

Building configuration...

Current configuration : 5606 bytes
!
! Last configuration change at 13:57:54 PCTime Wed Jun 21 2006 by admin
! NVRAM config last updated at 13:48:04 PCTime Wed Jun 21 2006 by cisco
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco878
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 *removed*
username *removed* privilege 15 secret 5 *removed*.
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name sbsonline.co.uk
ip name-server 213.208.106.212
ip name-server 213.208.106.213
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
controller DSL 0
 mode atm
 line-term cpe
 line-mode 2-wire line-zero
 dsl-mode shdsl symmetric annex B
 line-rate auto
! 
!
!
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 no cdp enable
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.2 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 62.3.253.44 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname [email protected]
 ppp chap password *removed*
 ppp pap sent-username [email protected] password *removed*
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.10 2326 interface Dialer0 2326
ip nat inside source static tcp 192.168.0.1 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.1 25 interface Dialer0 25
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 62.3.253.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto-generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark SMTP
access-list 101 permit tcp any host 192.168.0.1 eq smtp log
access-list 101 remark OWA
access-list 101 permit tcp any host 192.168.0.1 eq www log
access-list 101 remark RAdmin(Ad)
access-list 101 permit tcp any host 192.168.0.10 eq 2326 log
access-list 101 remark PING-ECHO
access-list 101 permit icmp any any echo log
access-list 101 permit udp host 213.208.106.213 eq domain host 62.3.253.44
access-list 101 permit udp host 213.208.106.212 eq domain host 62.3.253.44
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any host 62.3.253.44 echo-reply
access-list 101 permit icmp any host 62.3.253.44 time-exceeded
access-list 101 permit icmp any host 62.3.253.44 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output telnet
line aux 0
 login local
 transport preferred all
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

I can ping the external IP, but if I enter the ip address into Internet explorer, I get a Page Cannot Be Displayed error.

Any thoughts? Is it possible to ping individual ports to see if they're opened correctly?

tolien · 21 Jun 2006 at 15:01

telnet [IP] [port]?

Kingy · 21 Jun 2006 at 15:07

tolien said:
telnet [IP] [port]?

telnet 62.3.253.44 80

Connecting to 62.3.253.44...Could not open connection to the host, on port 80: Connect failed

feriso · 21 Jun 2006 at 15:16

Kingy said:
telnet 62.3.253.44 80

Connecting to 62.3.253.44...Could not open connection to the host, on port 80: Connect failed

You missed the colon - that might help

telnet 62.3.253.44:80

tolien · 21 Jun 2006 at 15:29

You don't use the colon in Windows telnet.

Are you trying to connect to the external IP from the inside?

Help! Cisco n00b!

Deleted member 58846

Deleted member 58846