From: Price, Jamie (JPrice@xxxxxxxxxxx)
Date: Sun Aug 12 2001 - 19:22:44 GMT-3
I'd be extremely hesitant to say that in production environments you
normally wouldn't use a NAT pool of just one IP address. A lot of ISPs (in
this area at least) provide the customer with one public WAN address and a
separate block of public IP addresses, the block being the range that you
can use for NAT/PAT and statics. In fact more than half of the customers
that I have implemented CBAC solutions for have this arrangement.
i.e. from the ISP they receive:
WAN Interface address 1.1.1.1/24
Default Gateway 1.1.1.2
IP Block 2.2.2.0/24
In cases such as these the IP block assigned for public use, which in turn
is the one that ultimately ends up in the NAT pool and is used for statics, is
a separate IP subnet from the one to which the outside interface address
belongs. The ISPs I deal with that do this don't like it if you're using the
address that they have recorded as a pure interface address as your NAT
address. I could see it screwing up their flow reporting, etc.
-----Original Message-----
From: Brian Hescock [mailto:bhescock@cisco.com]
Sent: Sunday, August 12, 2001 4:19 PM
To: Price, Jamie
Cc: 'Todd Veillette'; 'Muhammed Omar'; 'Ccielab@Groupstudy. Com'
Subject: RE: OT: Outlook for Web Via 1605 Firewall
Oh, but people screw up the access-list all the time, trust me on that
one... ;-) For production reasons (i.e. not the lab), you normally
wouldn't use a NAT pool of just one IP address, why use three commands to
do the same thing you can with two? i.e.:
ip nat inside source list 1 interface serial0 overload
access-list 1 permit 10.0.0.0 0.255.255.255
instead of
ip nat pool test 200.1.1.1 200.1.1.1 netmask 255.255.255.255
ip nat inside source list 1 pool test overload
access-list 1 permit 10.0.0.0 0.255.255.255
In fact, it's better to overload the outside interface, especially if you
have two ISPs. That's because NAT doesn't support asymmetrical routing
and if you use the source interface of the outside interface, the packets
are more likely to come back in on that interface since the network is
owned by that ISP and it would tend to be fewer AS hops away on the return
path (the shortest AS path is typically what it comes down to in path
selection in the internet).
Brian
On Sun, 12 Aug 2001, Price, Jamie wrote:
> OK - I screwed up my explanation/terminology - my mistake. I have this
> nasty habit of assuming everyone knows what I'm thinking.
>
> In saying "I never bother explicitly denying in my NAT pool what I am
> assigning as a static further on" I was referring to internal
> addresses - not external. I should have said "I never bother explicitly
> denying in my NAT inside source list what I am assigning a static
> translation further on". For that I can't see any problems arising and have
> never run across any issues.
>
> Obviously running a "NAT pool" with a range of addresses that includes
> those you wish to translate statically would cause problems and I can't
> dispute what you said - but I couldn't think of why anyone would do that
> anyway unless they had enough public addresses to meet the number of
> outbound stations.
>
> But as we are playing the terminology game here I would have to get a
> payback and add that running an inside source list against a NAT pool using
> overload is not a waste of addresses........provided the NAT pool only
> contains one address.....for even when you are using one address - even
> though it is really PAT - it is still called a NAT pool :)
>
> Jamie
>
> -----Original Message-----
> From: Brian Hescock [mailto:bhescock@cisco.com]
> Sent: Saturday, August 11, 2001 11:07 PM
> To: Price, Jamie
> Cc: 'Todd Veillette'; 'Muhammed Omar'; 'Ccielab@Groupstudy. Com'
> Subject: RE: OT: Outlook for Web Via 1605 Firewall
>
>
> You should always deny an Inside Local address in your access-list if it
> has a static nat entry. It can and does cause problems (you may have been
> lucky thus far... ;-) Think about what happens if you have a pool
> without the overload option and you have a pc that gets a dynamic
> translation with that ip address and you also have a static translation
> for that same Inside Global ip address? i.e.
>
> 10.1.1.1 200.1.1.1 static entry
> 10.1.1.5 200.1.1.1 dynamic entry
>
> It won't work. The reason I specified "without overload" is that it's really a
> waste to use a NAT pool with overload, you're just wasting IP addresses.
> The reason for that is in newer code we do around 65,000 translations per
> IP address and it will use up all 65,000 on the first IP address before it
> moves to the next. So in reality you're only using one IP address out of
> the pool. Given that, forget about using a pool and just overload the
> outside interface, it's far easier anyway.
>
> Brian
>
> On Sat, 11 Aug 2001, Price, Jamie wrote:
>
> > This part of the config concerns me:
> >
> > > access-list 7 deny 20.20.20.20
> > > access-list 7 permit 20.0.0.0 0.255.255.255
> >
> > You have explicitly denied your Outlook server from being able to use NAT.
> > Now admittedly it shouldn't matter because you have assigned a static IP to
> > that address......but that is later on in the config and therefore the deny
> > statement could be in some way overwriting things - especially if the
> > Outlook box in some way tries to initiate an outbound conversation as part
> > of the process. Stranger things have been known to happen in IOS.
> >
> > I dunno - it may be worth a shot to remove the deny statement.
> >
> > I may be wrong in my NAT configs but I never bother explicitly denying in my
> > NAT pool what I am assigning as a static further on, especially because 9
> > out of 10 times I have to revisit it and add statics at later dates, and I
> > haven't had any problems.
> >
> > Also.......
> >
> > This may not be what you're seeing but it's interesting nonetheless.
> >
> > Some admins set up Outlook to use NT challenge/response for added security.
> >
> > In that scenario you need to enter the domain name as well as the user name
> > for Outlook to work or you just won't get in.
> >
> > For example - user "user1" in domain "domain" using password "password" has
> > to enter "user1" in the user field on the logon screen and then
> > "domain/user1" in the user field and "password" in the password field of the
> > logon box that pops up next.
> >
> > If you don't do that and instead just use "user" instead of "domain/user"
> > when using NT challenge/response then you'll be prompted 3 times and then
> > get an unauthorized logon screen.
> >
> > If they haven't set up Outlook to use NT challenge/response in this way then
> > the passwords are passed in clear text. Yuck!!!
> >
> > Jamie
> >
> > -----Original Message-----
> > From: Todd Veillette [mailto:tveillette@home.com]
> > Sent: Saturday, August 11, 2001 9:45 PM
> > To: 'Muhammed Omar'
> > Cc: 'Ccielab@Groupstudy. Com'
> > Subject: RE: OT: Outlook for Web Via 1605 Firewall
> >
> >
> > When you say they get the login screen, do you mean the default http
> > Web access page? If so, is the NT dns domain available in the domain window,
> > or via the drop down? If it is then it sees the domain so it's probably an NT
> > issue not the router. Obviously if it doesn't affect all users then it's NT
> > for sure.
> >
> > HTH.
> >
> > -TV
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > Andrew Lennon
> > Sent: Saturday, August 11, 2001 9:11 PM
> > To: 'Jay Hennigan'; 'Muhammed Omar'
> > Cc: 'Ccielab@Groupstudy. Com'
> > Subject: RE: OT: Outlook for Web Via 1605 Firewall
> >
> >
> > Muhammed,
> >
> > As a first step, you may want to try removing the access list to be sure
> > that is not causing the problem. Hopefully you can then diagnose further
> > from there. I have a router running with NAT and IPSec, but without the
> > FW which works fine with OWA.
> >
> > Andy
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Jay Hennigan
> > Sent: 12 August 2001 00:12
> > To: Muhammed Omar
> > Cc: Ccielab@Groupstudy. Com
> > Subject: Re: OT: Outlook for Web Via 1605 Firewall
> >
> > On Sat, 11 Aug 2001, Muhammed Omar wrote:
> >
> > > Hi guys
> > >
> > > I've set up a 1605 as a firewall (as below) to allow browsing, email & also
> > > for remote users MS Outlook for Web Access. The problem is using a browser
> > > users can't logon to Exchange 5.5 SP4 server (on Win2K server) for email using
> > > port 80. The logon prompt is displayed but when a user types in name and
> > > password it does not log them in & does NOT give any error message. Any idea
> > > what I'm missing. Is it a permissions issue on Win2K?
> >
> > Port 443 TCP for SSL, perhaps?
> >
> > Try turning on logging on your deny statement in the ACL and see what's
> > getting captured. Just change the last line to:
> >
> > access-list 112 deny ip any any log
> >
> > and turn on term mon unless you're on console.
> >
> >
> > > hostname 1605
> > > !
> > > enable password c
> > > !
> > > ip subnet-zero
> > > !
> > > ip inspect name ethernetin cuseeme timeout 3600
> > > ip inspect name ethernetin ftp timeout 3600
> > > ip inspect name ethernetin h323 timeout 3600
> > > ip inspect name ethernetin http timeout 3600
> > > ip inspect name ethernetin rcmd timeout 3600
> > > ip inspect name ethernetin realaudio timeout 3600
> > > ip inspect name ethernetin smtp timeout 3600
> > > ip inspect name ethernetin sqlnet timeout 3600
> > > ip inspect name ethernetin streamworks timeout 3600
> > > ip inspect name ethernetin tcp timeout 3600
> > > ip inspect name ethernetin tftp timeout 30
> > > ip inspect name ethernetin udp timeout 15
> > > ip inspect name ethernetin vdolive timeout 3600
> > > !
> > > interface Ethernet0
> > > ip address 150.150.150.1 255.255.255.0
> > > ip access-group 112 in
> > > no ip directed-broadcast
> > > ip nat outside
> > >
> > > interface Ethernet1
> > > ip address 20.20.20.2 255.255.255.0
> > > no ip directed-broadcast
> > > ip nat inside
> > > ip inspect ethernetin in
> > >
> > > !
> > > interface Serial1
> > > no ip address
> > > no ip directed-broadcast
> > > shutdown
> > > !
> > > ip nat inside source list 7 interface Ethernet0 overload
> > > ip nat inside source static tcp 20.20.20.20 150.150.150.150
> > > !
> > > ip classless
> > > ip route 0.0.0.0 0.0.0.0 150.150.150.2
> > > !
> > > access-list 7 deny 20.20.20.20
> > > access-list 7 permit 20.0.0.0 0.255.255.255
> > > !
> > > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 unreachable
> > > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 echo-reply
> > > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 packet-too-big
> > > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 time-exceeded
> > > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 traceroute
> > > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 administratively-prohibited
> > > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 echo
> > > access-list 112 permit tcp any www host 150.150.150.150 eq www
> > > access-list 112 permit tcp host 200.20.1.1 25 host 150.150.150.150 eq 25
> > > access-list 112 permit tcp host 150.150.150.2 host 150.150.150.1 eq telnet
> > > access-list 112 deny ip 127.0.0.0 0.255.255.255 any
> > > access-list 112 deny ip any any
> >
> > --
> > Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
> > NetLojix Communications, Inc. - http://www.netlojix.com/
> > WestNet: Connecting you to the planet. 805 884-6323
> > **Please read:http://www.groupstudy.com/list/posting.html
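Brian Hescock's two warnings in the thread, that an inside local address with a static translation must be denied in the dynamic `ip nat inside source list` ACL, and that a dynamic pool must not contain an address already used as a static inside global, are easy to check mechanically. The script below is an added example, not code from any of the posters: it parses the NAT and standard-ACL lines of an IOS config and reports both conflicts. The two sample configurations inside it are constructed; the first reproduces the NAT and access-list 7 lines from Muhammed's 1605 config, the second uses hypothetical addresses (200.1.1.x, 10.1.1.1) to show the pool/static overlap. Function names, the finding text and the "Rule 1"/"Rule 2" labels are this example's own.

```python
"""Lint a Cisco IOS NAT config for the static/dynamic conflicts discussed in the thread.

Added example, not code from the thread. Rule 1: an inside local with a static
translation must be denied in the dynamic source list. Rule 2: a dynamic pool
must not contain an address used as a static inside global. Only standard ACLs
and the NAT command forms seen in the thread are parsed.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: the NAT and ACL lines of the 1605 config posted in the thread.
THREAD_CONFIG = """
ip nat inside source list 7 interface Ethernet0 overload
ip nat inside source static tcp 20.20.20.20 150.150.150.150
access-list 7 deny 20.20.20.20
access-list 7 permit 20.0.0.0 0.255.255.255
"""

# Constructed sample (hypothetical addresses) of the overlap Brian warns about.
BAD_POOL_CONFIG = """
ip nat pool test 200.1.1.1 200.1.1.10 netmask 255.255.255.0
ip nat inside source list 1 pool test
ip nat inside source static 10.1.1.1 200.1.1.1
access-list 1 permit 10.0.0.0 0.255.255.255
"""

@dataclass
class NatConfig:
    pools: dict = field(default_factory=dict)     # name -> (first, last)
    dynamics: list = field(default_factory=list)  # (acl, kind, target, overload)
    statics: list = field(default_factory=list)   # (inside_local, inside_global)
    acls: dict = field(default_factory=dict)      # number -> [(action, net, wildcard)]

def _is_ip(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ipaddress.AddressValueError:
        return False

def parse_nat_config(text):
    """Extract pools, dynamic rules, statics and standard ACL entries."""
    cfg = NatConfig()
    for line in text.splitlines():
        t = line.split()
        if t[:3] == ["ip", "nat", "pool"]:
            cfg.pools[t[3]] = (ipaddress.IPv4Address(t[4]), ipaddress.IPv4Address(t[5]))
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg.dynamics.append((t[5], t[6], t[7], "overload" in t))
        elif t[:5] == ["ip", "nat", "inside", "source", "static"]:
            # With or without tcp/udp and ports: the first two IPs are local and global.
            ips = [ipaddress.IPv4Address(x) for x in t[5:] if _is_ip(x)]
            cfg.statics.append((ips[0], ips[1]))
        elif len(t) > 3 and t[0] == "access-list" and t[2] in ("permit", "deny"):
            body = t[3:]
            if body[0] == "any":
                net, wc = 0, 0xFFFFFFFF
            elif body[0] == "host":
                net, wc = int(ipaddress.IPv4Address(body[1])), 0
            elif _is_ip(body[0]):
                net = int(ipaddress.IPv4Address(body[0]))
                wc = int(ipaddress.IPv4Address(body[1])) if len(body) > 1 else 0
            else:
                continue  # extended ACL (protocol keyword first), not a NAT source list
            cfg.acls.setdefault(t[1], []).append((t[2], net, wc))
    return cfg

def acl_permits(entries, addr):
    """First-match standard ACL evaluation with the implicit deny; wildcard bit 1 = don't care."""
    a = int(addr)
    for action, net, wc in entries:
        if ((a ^ net) & ~wc & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False

def lint_nat(text):
    """Return human-readable findings; an empty list means no conflict was found."""
    cfg = parse_nat_config(text)
    findings = []
    for acl, kind, target, overload in cfg.dynamics:
        entries = cfg.acls.get(acl, [])
        for local, glob in cfg.statics:
            # Rule 1: a statically translated host must not also get a dynamic entry.
            if acl_permits(entries, local):
                findings.append(f"inside local {local} has a static translation but is permitted "
                                f"by access-list {acl}; add 'access-list {acl} deny {local}' first")
            # Rule 2: the dynamic pool must not hand out a static inside global.
            if kind == "pool" and target in cfg.pools:
                first, last = cfg.pools[target]
                if first <= glob <= last:
                    mode = "overloaded" if overload else "not overloaded"
                    findings.append(f"static inside global {glob} lies inside pool {target} "
                                    f"{first}-{last} ({mode}); move it out of the pool range")
    return findings

if __name__ == "__main__":
    for name, text in (("thread config", THREAD_CONFIG), ("bad pool config", BAD_POOL_CONFIG)):
        print(name, "->", lint_nat(text) or ["no NAT conflicts found"])
```

Fed the posted 1605 config, the lint finds nothing: `access-list 7 deny 20.20.20.20` sits ahead of the permit, so the Outlook server never receives a dynamic entry, and the overload is on the interface rather than a pool, so there is no range to collide with. The second sample trips both rules, which is exactly the `10.1.1.1 -> 200.1.1.1` static-plus-dynamic collision Brian describes. Feed it the output of `show running-config`; the parser skips extended ACLs, so the firewall ACL 112 is ignored rather than misread.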
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:49 GMT-3