  #1

    Cisco DMZ Configuration.

    Good Day,

    I am having issues with a Cisco 2811 router at a school, specifically using it to publish services externally. I have configured the router as shown below (I know I am NATing a whole address to a specific server currently; that is just because I am trying to find the problem, and ultimately it will be only the required ports). The four public IP addresses (on Fa0/0) are routed in from another Cisco router, managed by our WAN provider, that I have no access to. They have forwarded those four addresses to 10.191.191.2, where the upstream router is 10.191.191.1, hence the four secondary addresses.

    At this point I am just trying to get a pass-through on 80 and on 443 for the web-based services; anything else can come later. I know the upstream routing is working, as when I put a PC with a web server (test machine) behind it I can hit the address and resolve it both internally and externally, so it is clearly something I am missing in the config below.

    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    !
    hostname DMZRT01
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    !
    resource policy
    !
    clock timezone AEST 10
    clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
    errdisable recovery interval 30
    !
    !
    ip cef
    !
    !
    no ip domain lookup
    ip domain name domain.site.wan
    ip name-server 10.x.y.35
    !
    !
    voice-card 0
    no dspfarm
    !
    interface FastEthernet0/0
    ip address 203.a.b.142 255.255.255.0 secondary
    ip address 203.a.b.140 255.255.255.0 secondary
    ip address 203.a.b.143 255.255.255.0 secondary
    ip address 203.a.b.141 255.255.255.0 secondary
    ip address 10.191.191.2 255.255.255.0
    ip access-group Services-Inbound in
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address 10.x.y.80 255.255.252.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface FastEthernet0/0/0
    !
    interface FastEthernet0/0/1
    !
    interface FastEthernet0/0/2
    !
    interface FastEthernet0/0/3
    !
    interface Vlan1
    no ip address
    !
    ip route 0.0.0.0 0.0.0.0 10.191.191.1
    !
    !
    no ip http server
    no ip http secure-server
    ip nat inside source static 10.x.y.47 203.a.b.141
    !
    ip access-list standard SNMP_LMS_ACCESS
    !
    ip access-list extended Services-Inbound
    permit tcp any host 10.x.y.47 eq www
    permit tcp any host 10.x.y.47 eq 443
    permit tcp any host 10.x.y.48 eq www
    permit tcp any host 10.x.y.48 eq 443
    permit tcp any host 10.x.y.50 eq 443
    !
    snmp-server community 3432Read RO SNMP_LMS_ACCESS
    snmp-server community edu5T3R#0611 RO SNMP_LMS_ACCESS
    snmp-server community 3432Master RW SNMP_LMS_ACCESS
    snmp-server community edu5TaR#2906 RW SNMP_LMS_ACCESS
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    banner motd ^C
    *****************************************************************
    Authorised Users Only
    The information on this computer and network is the property of
    XYZ Corp and is protected by intellectual property
    rights. You must be assigned an account on this computer to
    access information and are only allowed to access information as
    defined by the System Administrator(s). Your activities are
    monitored for security reasons.
    *****************************************************************
    ^C
    !
    line con 0
    login local
    line aux 0
    line vty 0 4
    exec-timeout 15 0
    login local
    length 0
    transport input ssh
    line vty 5 15
    exec-timeout 15 0
    login local
    length 0
    transport input ssh
    !
    scheduler allocate 20000 1000
    ntp server 10.x.y.35
    !
    end

    I know this is going to be something small and stupid that I have overlooked, but any help would be appreciated.

    Regards

    Justin

  #2
    Forgive me if I'm wrong, as I'm still studying the CCENT at the moment, but it looks like you only have an outgoing route specified. Does your routing table show the incoming routes as you'd expect? Another thing is there is no outside-to-inside NAT specified, only an inside NAT. Not sure if it's correct, but maybe somewhere to look.
    Last edited by glen_j; 1st July 2014 at 10:53 AM.

    Thanks to glen_j from: ShadowPeo (2nd July 2014)

  #3
    Routes were fine; it was the ACL. I had specified the wrong IP address, so it was blocking all incoming traffic. Thanks for the advice though. I knew it was going to be something totally minor and stupid that I could not see for looking.

  #4
    Just for others to reference, this is the configuration I am using for the DMZ. Please note that the provider forwards the four external IPs via their router to 192.168.22.2 by default and there is no way to get this changed; their upstream router/gateway is 192.168.22.1.

    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    !
    hostname DMZROUTER
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    !
    resource policy
    !
    clock timezone AEST 10
    clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
    errdisable recovery interval 30
    !
    ip cef
    !
    no ip domain lookup
    ip domain name site.internal-uri.wan
    ip name-server XXX.XXX.XXX.35
    !
    voice-card 0
    no dspfarm
    !
    ! note (added in editing): 'password' under service password-encryption is stored as reversible type 7;
    ! prefer 'username SiteAdmin privilege 15 secret <pw>' so the hash is not recoverable from the config
    username SiteAdmin privilege 15 password password123
    !
    interface FastEthernet0/0
    ip address XXX.XXX.XXX.142 255.255.255.0 secondary
    ip address XXX.XXX.XXX.140 255.255.255.0 secondary
    ip address XXX.XXX.XXX.143 255.255.255.0 secondary
    ip address XXX.XXX.XXX.141 255.255.255.0 secondary
    ip address 192.168.22.2 255.255.255.0
    ip access-group Services-Inbound in
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address XXX.XXX.XXX.80 255.255.252.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface FastEthernet0/0/0
    !
    interface FastEthernet0/0/1
    !
    interface FastEthernet0/0/2
    !
    interface FastEthernet0/0/3
    !
    interface Vlan1
    no ip address
    !
    ip route 0.0.0.0 0.0.0.0 192.168.22.1
    !
    !
    no ip http server
    no ip http secure-server
    ip nat inside source list 1 interface FastEthernet0/0 overload
    ip nat inside source static tcp XXX.XXX.XXX.48 80 XXX.XXX.XXX.140 80 extendable
    ip nat inside source static tcp XXX.XXX.XXX.50 443 XXX.XXX.XXX.140 443 extendable
    ip nat inside source static tcp XXX.XXX.XXX.47 80 XXX.XXX.XXX.141 80 extendable
    ip nat inside source static tcp XXX.XXX.XXX.47 443 XXX.XXX.XXX.141 443 extendable
    ip nat inside source static tcp XXX.XXX.XXX.55 443 XXX.XXX.XXX.142 443 extendable
    ip nat inside source static tcp XXX.XXX.XXX.55 500 XXX.XXX.XXX.142 500 extendable
    ip nat inside source static tcp XXX.XXX.XXX.55 1701 XXX.XXX.XXX.142 1701 extendable
    ip nat inside source static tcp XXX.XXX.XXX.55 1723 XXX.XXX.XXX.142 1723 extendable
    ! note (added in editing): the ACL below permits 'udp eq isakmp' (UDP 500) and 'gre' to .142, but the
    ! statics above only translate TCP 500/1701/1723. IKE is UDP 500 (plus UDP 4500 for NAT-T) and L2TP is
    ! UDP 1701; ESP and GRE carry no port, so a 'static tcp' entry cannot express them. Verify with
    ! 'show ip nat translations' and 'show access-lists' that the VPN traffic is actually translated.
    !
    ip access-list standard SNMP_ACCESS
    permit XXX.XXX.XXX.0 0.0.0.255
    permit XXX.XXX.XXX.0 0.0.3.255
    !
    ip access-list extended Services-Inbound
    permit tcp any host XXX.XXX.XXX.140 eq www
    permit tcp any host XXX.XXX.XXX.140 eq 443
    permit tcp any host XXX.XXX.XXX.141 eq www
    permit tcp any host XXX.XXX.XXX.141 eq 443
    permit gre any host XXX.XXX.XXX.142
    permit tcp any host XXX.XXX.XXX.142 eq 1723
    permit tcp any host XXX.XXX.XXX.142 eq 1701
    permit tcp any host XXX.XXX.XXX.142 eq 443
    permit udp any host XXX.XXX.XXX.142 eq isakmp
    !
    ! note (added in editing): wildcard 0.0.0.128 matches only the .0 and .128 hosts of that network;
    ! a /25 needs 0.0.0.127 (and a /24 needs 0.0.0.255)
    access-list 1 permit XXX.XXX.XXX.0 0.0.0.128
    snmp-server community SiteNoRead RO SNMP_ACCESS
    snmp-server community SiteNoMaster RW SNMP_ACCESS
    !
    control-plane
    !
    banner motd ^
    *****************************************************************
    Authorised Users Only
    The information on this computer and network is the property of
    CLIENT NAME and is protected by intellectual property
    rights. You must be assigned an account on this computer to
    access information and are only allowed to access information as
    defined by the System Administrator(s). Your activities are
    monitored for security reasons.
    *****************************************************************
    ^
    !
    line con 0
    login local
    line aux 0
    line vty 0 4
    exec-timeout 15 0
    login local
    length 0
    transport input ssh
    line vty 5 15
    exec-timeout 15 0
    login local
    length 0
    transport input ssh
    !
    scheduler allocate 20000 1000
    ! note (added in editing): 'ntp clock-period' is written by IOS itself; do not paste it when reusing this config
    ntp clock-period 17179877
    ntp server XXX.XXX.XXX.69
    !
    end
    Last edited by ShadowPeo; 8th August 2014 at 06:26 AM.
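    The order-of-operations point behind post #3 (on an `ip nat outside` interface the inbound ACL is evaluated against the public destination before NAT rewrites it, so an ACL keyed on the inside address matches nothing) and a cross-check of the final config's permits against its static translations, as an added Python example that is not part of this thread. It embeds abbreviated copies of the post #1 and post #4 ACL and NAT lines with the redacted octets replaced by documentation addresses (203.0.113.0/24 public, 10.10.0.0/22 inside); those addresses and all function names are assumptions of the example.

```python
import re
from collections import namedtuple

# One extended-ACL entry 'permit <proto> any host <dst> [eq <port>]'; port None = no port (e.g. gre)
Ace = namedtuple("Ace", "action proto dst port")
# One static translation; proto/lport/gport are None for a whole-address static
Nat = namedtuple("Nat", "proto local lport global_ gport")

PORT_NAMES = {"www": 80, "isakmp": 500}
ACE_RE = re.compile(r"^(permit|deny)\s+(\S+)\s+any\s+host\s+(\S+)(?:\s+eq\s+(\S+))?\s*$")
NAT_RE = re.compile(r"^ip nat inside source static\s+"
                    r"(?:(tcp|udp)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)|(\S+)\s+(\S+))")

# Constructed from the thread's two configs; the octets are assumptions (documentation ranges).
ACL_POST1 = """
permit tcp any host 10.10.0.47 eq www
permit tcp any host 10.10.0.47 eq 443
"""
NAT_POST1 = "ip nat inside source static 10.10.0.47 203.0.113.141"
ACL_POST1_FIXED = """
permit tcp any host 203.0.113.141 eq www
permit tcp any host 203.0.113.141 eq 443
"""
ACL_POST4 = """
permit tcp any host 203.0.113.140 eq www
permit tcp any host 203.0.113.140 eq 443
permit tcp any host 203.0.113.141 eq www
permit tcp any host 203.0.113.141 eq 443
permit gre any host 203.0.113.142
permit tcp any host 203.0.113.142 eq 1723
permit tcp any host 203.0.113.142 eq 1701
permit tcp any host 203.0.113.142 eq 443
permit udp any host 203.0.113.142 eq isakmp
"""
NAT_POST4 = """
ip nat inside source static tcp 10.10.0.48 80 203.0.113.140 80 extendable
ip nat inside source static tcp 10.10.0.50 443 203.0.113.140 443 extendable
ip nat inside source static tcp 10.10.0.47 80 203.0.113.141 80 extendable
ip nat inside source static tcp 10.10.0.47 443 203.0.113.141 443 extendable
ip nat inside source static tcp 10.10.0.55 443 203.0.113.142 443 extendable
ip nat inside source static tcp 10.10.0.55 500 203.0.113.142 500 extendable
ip nat inside source static tcp 10.10.0.55 1701 203.0.113.142 1701 extendable
ip nat inside source static tcp 10.10.0.55 1723 203.0.113.142 1723 extendable
"""

def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        action, proto, dst, port = m.groups()
        if port is not None:
            port = PORT_NAMES.get(port) or int(port)   # resolve IOS port keywords
        aces.append(Ace(action, proto, dst, port))
    return aces

def parse_nat(text):
    nats = []
    for line in text.strip().splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        if m.group(1):                                  # port-level static (tcp/udp)
            proto, local, lport, glob, gport = m.group(1, 2, 3, 4, 5)
            nats.append(Nat(proto, local, int(lport), glob, int(gport)))
        else:                                           # whole-address static
            nats.append(Nat(None, m.group(6), None, m.group(7), None))
    return nats

def acl_permits(aces, proto, dst, port):
    """First matching entry wins; no match means the implicit deny."""
    for a in aces:
        if a.proto == proto and a.dst == dst and a.port in (None, port):
            return a.action == "permit"
    return False

def translates(n, proto, dst, port):
    """Does static entry n apply to a packet arriving for the global address dst:port?"""
    if n.global_ != dst:
        return False
    if n.proto is None:                                 # whole-address static covers all ports
        return True
    return (n.proto, n.gport) == (proto, port)

def inbound(aces, nats, proto, global_dst, port):
    """Outside-to-inside on an 'ip nat outside' interface: the inbound ACL is checked
    against the global (public) destination BEFORE NAT rewrites it to the inside-local one."""
    if not acl_permits(aces, proto, global_dst, port):
        return ("dropped-by-acl", None)
    for n in nats:
        if translates(n, proto, global_dst, port):
            return ("forwarded", (n.local, port if n.lport is None else n.lport))
    return ("no-translation", None)                     # permitted, but nothing inside answers

def untranslated_permits(aces, nats):
    """Audit: permits on the outside ACL that have no static entry behind them."""
    return [a for a in aces if a.action == "permit"
            and not any(translates(n, a.proto, a.dst, a.port) for n in nats)]

if __name__ == "__main__":
    acl1, nat1, acl4, nat4 = parse_acl(ACL_POST1), parse_nat(NAT_POST1), parse_acl(ACL_POST4), parse_nat(NAT_POST4)
    print("post #1 ACL  :", inbound(acl1, nat1, "tcp", "203.0.113.141", 80))
    print("post #1 fixed:", inbound(parse_acl(ACL_POST1_FIXED), nat1, "tcp", "203.0.113.141", 80))
    print("post #4 udp500:", inbound(acl4, nat4, "udp", "203.0.113.142", 500))
    print("post #4 permits without a translation:", untranslated_permits(acl4, nat4))
```

    Running it shows why post #1 dropped everything (the ACL named an inside address that the packet does not carry yet) and that in the post #4 config the `gre` and `udp isakmp` permits have no static entry behind them, which is worth confirming on the router with `show ip nat translations` and the hit counts in `show access-lists` before relying on the VPN pass-through.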
