From: Price, Jamie (JPrice@xxxxxxxxxxx)
Date: Sun Aug 12 2001 - 17:44:33 GMT-3
OK - I screwed up my explanation/terminology - my mistake. I have this
nasty habit of assuming everyone knows what I'm thinking.
In saying "I never bother explicitly denying in my NAT pool what I am
assigning as a static further on" was meant with regard to internal
addresses - not external. I should have said "I never bother explicitly
denying in my NAT inside source list what I am assigning a static
translation further on". For that I can't see any problems arising and have
never run across any issues.
Obviously runnning a "NAT pool" with a range of addresses that includes
those you wish to translate statically would cause problems and I can't
dispute what you said - but I couldn't think of why anyone would do that
anyway unless they had enough public addresses to meet the number of
outbound stations.
But as we are playing the terminology game here I would have to get a
payback and add that running an inside source list against a NAT Pool using
overload is not a waste of addresses........provided the NAT pool only
contains one address.....for even when you are using one address - even
though it is really PAT - it is still called a NAT Pool :)
Jamie
-----Original Message-----
From: Brian Hescock [mailto:bhescock@cisco.com]
Sent: Saturday, August 11, 2001 11:07 PM
To: Price, Jamie
Cc: 'Todd Veillette'; 'Muhammed Omar'; 'Ccielab@Groupstudy. Com'
Subject: RE: OT: Outlook for Web Via 1605 Firewall
You should always deny an Inside Local address in your access-list if it
has a static nat entry. It can and does cause problems (you may have been
lucky thus far... ;-) Think about what happens if you have a pool
without the overload option and you have a pc that gets a dynamic
translation with that ip address and you also have a static translation
for that same Inside Global ip address? i.e.
10.1.1.1 200.1.1.1 static entry
10.1.1.5 200.1.1.1 dynamic entry
It won't work. The reason I specific "without overload" is it's really a
waste to use a nat pool with overload, you're just wasting ip addresses.
The reason for that is in newer code we do around 65,000 translations per
ip address and it will use up all 65,000 on the first ip address before it
moves to the next. So in reality you're only using one ip address out of
the pool. Given that, forget about using a pool and just overload the
outside interface, it's far easier anyway.
Brian
On Sat, 11 Aug 2001, Price, Jamie wrote:
> This part of the config concerns me:
>
> > access-list 7 deny 20.20.20.20
> > access-list 7 permit 20.0.0.0 0.255.255.255
>
> You have explicitly denied your Outlook server from being able to use NAT.
> Now admittedly it shouldn't matter because you have assigned a static IP
to
> that address......but that is later on in the config and therefore the
deny
> statement could be in some way overwriting things - especially if the
> Outlook box in some way tries to initiate an outbound conversation as part
> of the process. Stranger things have been known to happen in IOS.
>
> I dunno - it may be worth a shot to remove the deny statement.
>
> I may be wrong in my NAT configs but I never bother explicitly denying in
my
> NAT pool what I am assigning as a static further on, especially because 9
> out of 10 times I have to revisit it and add statics at later dates, and I
> haven't had any problems.
>
> Also.......
>
> This may not be what you're seeing but it's interesting nonetheless.
>
> Some admins set up Outlook to use NT challenge/response for added
security.
>
> In that scenario you need to enter the domain name as well as the user
name
> for Outlook to work or you just wont get in.
>
> For example - user "user1" in domain "domain" using password "password"
has
> to enter "user1" in the user field on the logon screen and then
> "domain/user1" in the user field and "password" in the password field of
the
> logon box that pops up next.
>
> If you don't do that and instead just use "user" instead of "domain/user"
> when using NT challenge/response then you'll be prompted 3 times and then
> get an unauthorized logon screen.
>
> If they haven't set up Outlook to use NT challenge/response in this way
then
> the passwords are passed in clear text. Yuck!!!
>
> Jamie
>
> -----Original Message-----
> From: Todd Veillette [mailto:tveillette@home.com]
> Sent: Saturday, August 11, 2001 9:45 PM
> To: 'Muhammed Omar'
> Cc: 'Ccielab@Groupstudy. Com'
> Subject: RE: OT: Outlook for Web Via 1605 Firewall
>
>
> When you say they get the login screen, do you mean the default http
> Web access page? If so, is the NT dns domain available in the domain
window,
> or via the drop down? If it is then it sees the domain so its probably a
NT
> issue not the router. Obviously if it doesn't effect all users then its NT
> for sure.
>
> HTH.
>
> -TV
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Andrew Lennon
> Sent: Saturday, August 11, 2001 9:11 PM
> To: 'Jay Hennigan'; 'Muhammed Omar'
> Cc: 'Ccielab@Groupstudy. Com'
> Subject: RE: OT: Outlook for Web Via 1605 Firewall
>
>
> Muhammed,
>
> As a first step, you may want to try removing the access list to be sure
> that is not causing the problem. Hopefully you can then diagnose further
> from there. I have a router running with NAT and IPSec, but without the
> FW which works fine with OWA.
>
> Andy
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Jay Hennigan
> Sent: 12 August 2001 00:12
> To: Muhammed Omar
> Cc: Ccielab@Groupstudy. Com
> Subject: Re: OT: Outlook for Web Via 1605 Firewall
>
> On Sat, 11 Aug 2001, Muhammed Omar wrote:
>
> > Hi guys
> >
> > I've setup a 1605 as a firewall (as below) to allow browsing, email &
> also
> > for remote users MS Outlook for Web Access. The problem is using a
> browser
> > users can't logon to Exchange 5.5 SP4 server (on Win2K server) for
> email using
> > port 80. The logon prompt is displayed but when a user types in name
> password
> > it does not log them in & does NOT give any error message. Any idea
> what I'm
> > missing. Is it permissions issue on Win2K?
>
> Port 443 TCP for SSL, perhaps?
>
> Try turning on logging on your deny statement in the ACL and see what's
> getting captured. Just change the last line to:
>
> access-list 112 deny ip any any log
>
> and turn on term mon unless you're on console.
>
>
> > hostname 1605
> > !
> > enable password c
> > !
> > ip subnet-zero
> > !
> > ip inspect name ethernetin cuseeme timeout 3600
> > ip inspect name ethernetin ftp timeout 3600
> > ip inspect name ethernetin h323 timeout 3600
> > ip inspect name ethernetin http timeout 3600
> > ip inspect name ethernetin rcmd timeout 3600
> > ip inspect name ethernetin realaudio timeout 3600
> > ip inspect name ethernetin smtp timeout 3600
> > ip inspect name ethernetin sqlnet timeout 3600
> > ip inspect name ethernetin streamworks timeout 3600
> > ip inspect name ethernetin tcp timeout 3600
> > ip inspect name ethernetin tftp timeout 30
> > ip inspect name ethernetin udp timeout 15
> > ip inspect name ethernetin vdolive timeout 3600
> > !
> > interface Ethernet0
> > ip address 150.150.150.1 255.255.255.0
> > ip access-group 112 in
> > no ip directed-broadcast
> > ip nat outside
> >
> > interface Ethernet1
> > ip address 20.20.20.2 255.255.255.0
> > no ip directed-broadcast
> > ip nat inside
> > ip inspect ethernetin in
> >
> > !
> > interface Serial1
> > no ip address
> > no ip directed-broadcast
> > shutdown
> > !
> > ip nat inside source list 7 interface Ethernet0 overload
> > ip nat inside source static tcp 20.20.20.20 150.150.150.150
> > !
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 150.150.150.2
> > !
> > access-list 7 deny 20.20.20.20
> > access-list 7 permit 20.0.0.0 0.255.255.255
> > !
> > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 unreachable
> > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 echo-reply
> > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 packet-too-big
> > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 time-exceeded
> > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 traceroute
> > access-list 112 permit icmp any 150.150.150.0 0.0.0.255
> > administratively-prohibited
> > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 echo
> > access-list 112 permit tcp any www host 150.150.150.150 eq www
> > access-list 112 permit tcp host 200.20.1.1 25 host 150.150.150.150 eq
> 25
> > access-list 112 permit tcp host 150.150.150.2 host 150.150.150.1 eq
> telnet
> > access-list 112 deny ip 127.0.0.0 0.255.255.255 any
> > access-list 112 deny ip any any
>
> --
> Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
> NetLojix Communications, Inc. - http://www.netlojix.com/
> WestNet: Connecting you to the planet. 805 884-6323
> **Please read:http://www.groupstudy.com/list/posting.html
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:49 GMT-3