From: Brian Hescock (bhescock@xxxxxxxxx)
Date: Sun Aug 12 2001 - 01:12:18 GMT-3
p.s. also, only permit those network address that need to be translated.
A big mistake is "permit any". That will cause packets on the outside
interface to be translated and will break routing protocols, i.e. eigrp
hello's will be translated even though they're sourced on the outside
interface. "Technically" it's a misconfiguration since you said that ip
address could be translated because the access-list says "permit any". If
all of your interfaces are to be translated except the outside interface,
here's wha tyou would typically do:
access-list 1 deny a.b.c.d (ip address of outside interface
access-list 1 deny e.f.g.h (ip address of static nat entries)
access-list 1 permit 10.0.0.0 0.255.255.255 (or permit any if all other
interfaces are 10 network. Personally, avoid "permit any", since down the
line you could make changes that bite you in the tail.
Brian
On Sat, 11 Aug 2001, Price, Jamie wrote:
> This part of the config concerns me:
>
> > access-list 7 deny 20.20.20.20
> > access-list 7 permit 20.0.0.0 0.255.255.255
>
> You have explicitly denied your Outlook server from being able to use NAT.
> Now admittedly it shouldn't matter because you have assigned a static IP to
> that address......but that is later on in the config and therefore the deny
> statement could be in some way overwriting things - especially if the
> Outlook box in some way tries to initiate an outbound conversation as part
> of the process. Stranger things have been known to happen in IOS.
>
> I dunno - it may be worth a shot to remove the deny statement.
>
> I may be wrong in my NAT configs but I never bother explicitly denying in my
> NAT pool what I am assigning as a static further on, especially because 9
> out of 10 times I have to revisit it and add statics at later dates, and I
> haven't had any problems.
>
> Also.......
>
> This may not be what you're seeing but it's interesting nonetheless.
>
> Some admins set up Outlook to use NT challenge/response for added security.
>
> In that scenario you need to enter the domain name as well as the user name
> for Outlook to work or you just wont get in.
>
> For example - user "user1" in domain "domain" using password "password" has
> to enter "user1" in the user field on the logon screen and then
> "domain/user1" in the user field and "password" in the password field of the
> logon box that pops up next.
>
> If you don't do that and instead just use "user" instead of "domain/user"
> when using NT challenge/response then you'll be prompted 3 times and then
> get an unauthorized logon screen.
>
> If they haven't set up Outlook to use NT challenge/response in this way then
> the passwords are passed in clear text. Yuck!!!
>
> Jamie
>
> -----Original Message-----
> From: Todd Veillette [mailto:tveillette@home.com]
> Sent: Saturday, August 11, 2001 9:45 PM
> To: 'Muhammed Omar'
> Cc: 'Ccielab@Groupstudy. Com'
> Subject: RE: OT: Outlook for Web Via 1605 Firewall
>
>
> When you say they get the login screen, do you mean the default http
> Web access page? If so, is the NT dns domain available in the domain window,
> or via the drop down? If it is then it sees the domain so its probably a NT
> issue not the router. Obviously if it doesn't effect all users then its NT
> for sure.
>
> HTH.
>
> -TV
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Andrew Lennon
> Sent: Saturday, August 11, 2001 9:11 PM
> To: 'Jay Hennigan'; 'Muhammed Omar'
> Cc: 'Ccielab@Groupstudy. Com'
> Subject: RE: OT: Outlook for Web Via 1605 Firewall
>
>
> Muhammed,
>
> As a first step, you may want to try removing the access list to be sure
> that is not causing the problem. Hopefully you can then diagnose further
> from there. I have a router running with NAT and IPSec, but without the
> FW which works fine with OWA.
>
> Andy
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Jay Hennigan
> Sent: 12 August 2001 00:12
> To: Muhammed Omar
> Cc: Ccielab@Groupstudy. Com
> Subject: Re: OT: Outlook for Web Via 1605 Firewall
>
> On Sat, 11 Aug 2001, Muhammed Omar wrote:
>
> > Hi guys
> >
> > I've setup a 1605 as a firewall (as below) to allow browsing, email &
> also
> > for remote users MS Outlook for Web Access. The problem is using a
> browser
> > users can't logon to Exchange 5.5 SP4 server (on Win2K server) for
> email using
> > port 80. The logon prompt is displayed but when a user types in name
> password
> > it does not log them in & does NOT give any error message. Any idea
> what I'm
> > missing. Is it permissions issue on Win2K?
>
> Port 443 TCP for SSL, perhaps?
>
> Try turning on logging on your deny statement in the ACL and see what's
> getting captured. Just change the last line to:
>
> access-list 112 deny ip any any log
>
> and turn on term mon unless you're on console.
>
>
> > hostname 1605
> > !
> > enable password c
> > !
> > ip subnet-zero
> > !
> > ip inspect name ethernetin cuseeme timeout 3600
> > ip inspect name ethernetin ftp timeout 3600
> > ip inspect name ethernetin h323 timeout 3600
> > ip inspect name ethernetin http timeout 3600
> > ip inspect name ethernetin rcmd timeout 3600
> > ip inspect name ethernetin realaudio timeout 3600
> > ip inspect name ethernetin smtp timeout 3600
> > ip inspect name ethernetin sqlnet timeout 3600
> > ip inspect name ethernetin streamworks timeout 3600
> > ip inspect name ethernetin tcp timeout 3600
> > ip inspect name ethernetin tftp timeout 30
> > ip inspect name ethernetin udp timeout 15
> > ip inspect name ethernetin vdolive timeout 3600
> > !
> > interface Ethernet0
> > ip address 150.150.150.1 255.255.255.0
> > ip access-group 112 in
> > no ip directed-broadcast
> > ip nat outside
> >
> > interface Ethernet1
> > ip address 20.20.20.2 255.255.255.0
> > no ip directed-broadcast
> > ip nat inside
> > ip inspect ethernetin in
> >
> > !
> > interface Serial1
> > no ip address
> > no ip directed-broadcast
> > shutdown
> > !
> > ip nat inside source list 7 interface Ethernet0 overload
> > ip nat inside source static tcp 20.20.20.20 150.150.150.150
> > !
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 150.150.150.2
> > !
> > access-list 7 deny 20.20.20.20
> > access-list 7 permit 20.0.0.0 0.255.255.255
> > !
> > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 unreachable
> > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 echo-reply
> > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 packet-too-big
> > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 time-exceeded
> > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 traceroute
> > access-list 112 permit icmp any 150.150.150.0 0.0.0.255
> > administratively-prohibited
> > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 echo
> > access-list 112 permit tcp any www host 150.150.150.150 eq www
> > access-list 112 permit tcp host 200.20.1.1 25 host 150.150.150.150 eq
> 25
> > access-list 112 permit tcp host 150.150.150.2 host 150.150.150.1 eq
> telnet
> > access-list 112 deny ip 127.0.0.0 0.255.255.255 any
> > access-list 112 deny ip any any
>
> --
> Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
> NetLojix Communications, Inc. - http://www.netlojix.com/
> WestNet: Connecting you to the planet. 805 884-6323
> **Please read:http://www.groupstudy.com/list/posting.html
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:49 GMT-3