RE: OT: Outlook for Web Via 1605 Firewall

From: Brian Hescock (bhescock@xxxxxxxxx)
Date: Sun Aug 12 2001 - 19:37:19 GMT-3


But now you're introducing something not in the original equation, you're
now adding servers that require a static nat entry and would therefore
require an additional ip block on top of the global ip on the outside
interface. So let's say you're a small company and don't have any
internal web servers, would you purchase an ip block just to overload on a
nat pool of one ip address or would it make more sense to have a simpler
config and save money by just overloading the outside interface?

Even if you do have servers and need static nat, put the network on a
loopback and overload it and use the other remaining ip addresses for your
static nat entries. Still no need for a nat pool.

Brian

On Sun, 12 Aug 2001, Price, Jamie wrote:

> I'd be extremely hesitant to say that in production environments you
> normally wouldn't use a NAT pool of just one ip address. A lot of ISP's (in
> this area at least) provide the customer with one Public WAN address and a
> separate block of Public IP addresses - the block being the range that you
> can use for NAT/PAT and statics. In fact more than 1/2 of the customers
> that I have implemented CBAC solutions for have this arrangement.
>
> i.e. from the ISP they receive:
>
> WAN Interface address 1.1.1.1/24
> Default Gateway 1.1.1.2
> IP Block 2.2.2.0/24
>
> In cases such as these the IP block assigned for public use, which in turn
> is the one that ultimately ends up in the NAT pool and used for statics, is
> a separate IP subnet from the one to which the outside interface address
> belongs. The ISPs I deal with that do this don't like it if you're using the
> address that they have recorded as a pure interface address as your NAT
> address. I could see it screwing up their flow reporting, etc.
>
> -----Original Message-----
> From: Brian Hescock [mailto:bhescock@cisco.com]
> Sent: Sunday, August 12, 2001 4:19 PM
> To: Price, Jamie
> Cc: 'Todd Veillette'; 'Muhammed Omar'; 'Ccielab@Groupstudy. Com'
> Subject: RE: OT: Outlook for Web Via 1605 Firewall
>
>
> Oh, but people screw up the access-list all the time, trust me on that
> one... ;-) For production reasons (i.e. not the lab), you normally
> wouldn't use a nat pool of just one ip address; why use three commands to
> do the same thing you can with two? i.e.:
>
> ip nat inside source list 1 interface serial0 overload
> access-list 1 permit 10.0.0.0 0.255.255.255
>
> instead of
>
> ip nat pool test 200.1.1.1 200.1.1.1 netmask 255.255.255.255
> ip nat inside source list 1 pool test overload
> access-list 1 permit 10.0.0.0 0.255.255.255
>
> In fact, it's better to overload the outside interface, especially if you
> have two isp's. That's because nat doesn't support asymmetrical routing
> and if you use the source interface of the outside interface, the packets
> are more likely to come back in on that interface since the network is
> owned by that isp and it would tend to be fewer AS hops away on the return
> path (the shortest AS path is typically what it comes down to in path
> selection in the internet).
>
> Brian
>
> On Sun, 12 Aug 2001, Price, Jamie wrote:
>
> > OK - I screwed up my explanation/terminology - my mistake. I have this
> > nasty habit of assuming everyone knows what I'm thinking.
> >
> > In saying "I never bother explicitly denying in my NAT pool what I am
> > assigning as a static further on" was meant with regard to internal
> > addresses - not external. I should have said "I never bother explicitly
> > denying in my NAT inside source list what I am assigning a static
> > translation further on". For that I can't see any problems arising and have
> > never run across any issues.
> >
> > Obviously running a "NAT pool" with a range of addresses that includes
> > those you wish to translate statically would cause problems and I can't
> > dispute what you said - but I couldn't think of why anyone would do that
> > anyway unless they had enough public addresses to meet the number of
> > outbound stations.
> >
> > But as we are playing the terminology game here I would have to get a
> > payback and add that running an inside source list against a NAT Pool using
> > overload is not a waste of addresses........provided the NAT pool only
> > contains one address.....for even when you are using one address - even
> > though it is really PAT - it is still called a NAT Pool :)
> >
> > Jamie
> >
> > -----Original Message-----
> > From: Brian Hescock [mailto:bhescock@cisco.com]
> > Sent: Saturday, August 11, 2001 11:07 PM
> > To: Price, Jamie
> > Cc: 'Todd Veillette'; 'Muhammed Omar'; 'Ccielab@Groupstudy. Com'
> > Subject: RE: OT: Outlook for Web Via 1605 Firewall
> >
> >
> > You should always deny an Inside Local address in your access-list if it
> > has a static nat entry. It can and does cause problems (you may have been
> > lucky thus far... ;-) Think about what happens if you have a pool
> > without the overload option and you have a pc that gets a dynamic
> > translation with that ip address and you also have a static translation
> > for that same Inside Global ip address? i.e.
> >
> > 10.1.1.1 200.1.1.1 static entry
> > 10.1.1.5 200.1.1.1 dynamic entry
> >
> > It won't work. The reason I specified "without overload" is it's really a
> > waste to use a nat pool with overload, you're just wasting ip addresses.
> > The reason for that is in newer code we do around 65,000 translations per
> > ip address and it will use up all 65,000 on the first ip address before it
> > moves to the next. So in reality you're only using one ip address out of
> > the pool. Given that, forget about using a pool and just overload the
> > outside interface, it's far easier anyway.
> >
> > Brian
> >
> > On Sat, 11 Aug 2001, Price, Jamie wrote:
> >
> > > This part of the config concerns me:
> > >
> > > > access-list 7 deny 20.20.20.20
> > > > access-list 7 permit 20.0.0.0 0.255.255.255
> > >
> > > You have explicitly denied your Outlook server from being able to use NAT.
> > > Now admittedly it shouldn't matter because you have assigned a static IP to
> > > that address......but that is later on in the config and therefore the deny
> > > statement could be in some way overwriting things - especially if the
> > > Outlook box in some way tries to initiate an outbound conversation as part
> > > of the process. Stranger things have been known to happen in IOS.
> > >
> > > I dunno - it may be worth a shot to remove the deny statement.
> > >
> > > I may be wrong in my NAT configs but I never bother explicitly denying in my
> > > NAT pool what I am assigning as a static further on, especially because 9
> > > out of 10 times I have to revisit it and add statics at later dates, and I
> > > haven't had any problems.
> > >
> > > Also.......
> > >
> > > This may not be what you're seeing but it's interesting nonetheless.
> > >
> > > Some admins set up Outlook to use NT challenge/response for added security.
> > >
> > > In that scenario you need to enter the domain name as well as the user name
> > > for Outlook to work or you just won't get in.
> > >
> > > For example - user "user1" in domain "domain" using password "password" has
> > > to enter "user1" in the user field on the logon screen and then
> > > "domain/user1" in the user field and "password" in the password field of the
> > > logon box that pops up next.
> > >
> > > If you don't do that and instead just use "user" instead of "domain/user"
> > > when using NT challenge/response then you'll be prompted 3 times and then
> > > get an unauthorized logon screen.
> > >
> > > If they haven't set up Outlook to use NT challenge/response in this way then
> > > the passwords are passed in clear text. Yuck!!!
> > >
> > > Jamie
> > >
> > > -----Original Message-----
> > > From: Todd Veillette [mailto:tveillette@home.com]
> > > Sent: Saturday, August 11, 2001 9:45 PM
> > > To: 'Muhammed Omar'
> > > Cc: 'Ccielab@Groupstudy. Com'
> > > Subject: RE: OT: Outlook for Web Via 1605 Firewall
> > >
> > >
> > > When you say they get the login screen, do you mean the default http
> > > Web access page? If so, is the NT dns domain available in the domain window,
> > > or via the drop down? If it is then it sees the domain so it's probably an NT
> > > issue not the router. Obviously if it doesn't affect all users then it's NT
> > > for sure.
> > >
> > > HTH.
> > >
> > > -TV
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > > Andrew Lennon
> > > Sent: Saturday, August 11, 2001 9:11 PM
> > > To: 'Jay Hennigan'; 'Muhammed Omar'
> > > Cc: 'Ccielab@Groupstudy. Com'
> > > Subject: RE: OT: Outlook for Web Via 1605 Firewall
> > >
> > >
> > > Muhammed,
> > >
> > > As a first step, you may want to try removing the access list to be sure
> > > that is not causing the problem. Hopefully you can then diagnose further
> > > from there. I have a router running with NAT and IPSec, but without the
> > > FW which works fine with OWA.
> > >
> > > Andy
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Jay Hennigan
> > > Sent: 12 August 2001 00:12
> > > To: Muhammed Omar
> > > Cc: Ccielab@Groupstudy. Com
> > > Subject: Re: OT: Outlook for Web Via 1605 Firewall
> > >
> > > On Sat, 11 Aug 2001, Muhammed Omar wrote:
> > >
> > > > Hi guys
> > > >
> > > > I've set up a 1605 as a firewall (as below) to allow browsing, email & also
> > > > for remote users MS Outlook for Web Access. The problem is using a browser
> > > > users can't log on to Exchange 5.5 SP4 server (on Win2K server) for email
> > > > using port 80. The logon prompt is displayed but when a user types in name
> > > > and password it does not log them in & does NOT give any error message. Any
> > > > idea what I'm missing? Is it a permissions issue on Win2K?
> > >
> > > Port 443 TCP for SSL, perhaps?
> > >
> > > Try turning on logging on your deny statement in the ACL and see what's
> > > getting captured. Just change the last line to:
> > >
> > > access-list 112 deny ip any any log
> > >
> > > and turn on term mon unless you're on console.
> > >
> > >
> > > > hostname 1605
> > > > !
> > > > enable password c
> > > > !
> > > > ip subnet-zero
> > > > !
> > > > ip inspect name ethernetin cuseeme timeout 3600
> > > > ip inspect name ethernetin ftp timeout 3600
> > > > ip inspect name ethernetin h323 timeout 3600
> > > > ip inspect name ethernetin http timeout 3600
> > > > ip inspect name ethernetin rcmd timeout 3600
> > > > ip inspect name ethernetin realaudio timeout 3600
> > > > ip inspect name ethernetin smtp timeout 3600
> > > > ip inspect name ethernetin sqlnet timeout 3600
> > > > ip inspect name ethernetin streamworks timeout 3600
> > > > ip inspect name ethernetin tcp timeout 3600
> > > > ip inspect name ethernetin tftp timeout 30
> > > > ip inspect name ethernetin udp timeout 15
> > > > ip inspect name ethernetin vdolive timeout 3600
> > > > !
> > > > interface Ethernet0
> > > > ip address 150.150.150.1 255.255.255.0
> > > > ip access-group 112 in
> > > > no ip directed-broadcast
> > > > ip nat outside
> > > >
> > > > interface Ethernet1
> > > > ip address 20.20.20.2 255.255.255.0
> > > > no ip directed-broadcast
> > > > ip nat inside
> > > > ip inspect ethernetin in
> > > >
> > > > !
> > > > interface Serial1
> > > > no ip address
> > > > no ip directed-broadcast
> > > > shutdown
> > > > !
> > > > ip nat inside source list 7 interface Ethernet0 overload
> > > > ip nat inside source static tcp 20.20.20.20 150.150.150.150
> > > > !
> > > > ip classless
> > > > ip route 0.0.0.0 0.0.0.0 150.150.150.2
> > > > !
> > > > access-list 7 deny 20.20.20.20
> > > > access-list 7 permit 20.0.0.0 0.255.255.255
> > > > !
> > > > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 unreachable
> > > > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 echo-reply
> > > > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 packet-too-big
> > > > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 time-exceeded
> > > > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 traceroute
> > > > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 administratively-prohibited
> > > > access-list 112 permit icmp any 150.150.150.0 0.0.0.255 echo
> > > > access-list 112 permit tcp any www host 150.150.150.150 eq www
> > > > access-list 112 permit tcp host 200.20.1.1 25 host 150.150.150.150 eq 25
> > > > access-list 112 permit tcp host 150.150.150.2 host 150.150.150.1 eq telnet
> > > > access-list 112 deny ip 127.0.0.0 0.255.255.255 any
> > > > access-list 112 deny ip any any
> > >
> > > --
> > > Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
> > > NetLojix Communications, Inc. - http://www.netlojix.com/
> > > WestNet: Connecting you to the planet. 805 884-6323
> > > **Please read: http://www.groupstudy.com/list/posting.html
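The NAT mechanics argued over in this thread, as an added toy model that is not part of the thread and is not Cisco IOS code: which inside-local addresses a standard access-list admits to the dynamic `ip nat inside source list` rule (first match wins, implicit deny at the end), whether a NAT pool's range overlaps the inside-global address of a static entry (Brian's 10.1.1.1 / 10.1.1.5 example), and a PAT allocator that fills the first pool address before touching the next (Brian's point about a pool with overload). The ACL lines are the ones from Muhammed's config and the pool/static values are Brian's; the `PORTS_PER_ADDRESS` limit of 3 is a constructed value so the rollover is visible in a short run (the thread quotes roughly 65,000 per address on real code), and the static-precedence and allocation behaviour are assumptions of the model, not verified IOS internals.

```python
"""Toy model (added example, not IOS) of the 'ip nat inside source' decisions in the thread."""
from ipaddress import IPv4Address

# Constructed sample: the standard ACL quoted from Muhammed's 1605 config.
SAMPLE_ACL_7 = [
    "access-list 7 deny 20.20.20.20",
    "access-list 7 permit 20.0.0.0 0.255.255.255",
]


def _ip(s):
    return int(IPv4Address(s))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def parse_standard_acl(lines):
    """Parse 'access-list N {permit|deny} ADDR [WILDCARD]' lines into (action, base, wildcard)."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"not a standard ACL line: {line!r}")
        action, base = parts[2], parts[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {line!r}")
        if base == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif base == "host":
            base, wildcard = parts[4], "0.0.0.0"
        else:
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        entries.append((action, base, wildcard))
    return entries


def acl_permits(entries, addr):
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for action, base, wildcard in entries:
        if wildcard_match(addr, base, wildcard):
            return action == "permit"
    return False


def dynamic_candidates(entries, inside_locals):
    """Inside-local addresses the ACL would hand to the dynamic NAT rule."""
    return [a for a in inside_locals if acl_permits(entries, a)]


def pool_static_overlap(pool_start, pool_end, statics):
    """Inside-global addresses that sit both in the pool range and in a static entry.

    statics maps inside_local -> inside_global. A non-empty result is the
    situation Brian describes: a non-overload pool could hand a dynamic host
    the same inside-global address that a static entry already owns.
    """
    lo, hi = _ip(pool_start), _ip(pool_end)
    return sorted((g for g in set(statics.values()) if lo <= _ip(g) <= hi), key=_ip)


class OverloadTranslator:
    """PAT model (assumption, not IOS code): sessions are keyed on the first pool
    address until its port budget is used up, only then on the next address."""

    PORTS_PER_ADDRESS = 3  # constructed small value; the thread quotes ~65,000

    def __init__(self, pool):
        self.pool = list(pool)
        self.sessions = {}  # (inside_local, local_port) -> (inside_global, global_port)
        self.used = 0

    def translate(self, inside_local, local_port):
        key = (inside_local, local_port)
        if key not in self.sessions:
            idx, port = divmod(self.used, self.PORTS_PER_ADDRESS)
            if idx >= len(self.pool):
                raise RuntimeError("pool exhausted")
            self.sessions[key] = (self.pool[idx], 1024 + port)
            self.used += 1
        return self.sessions[key]

    def addresses_in_use(self):
        """Which pool addresses actually carry translations right now."""
        return sorted({g for g, _ in self.sessions.values()}, key=_ip)


if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_ACL_7)
    print("20.20.20.20 eligible for dynamic NAT:", acl_permits(acl, "20.20.20.20"))
    print("pool/static overlap:", pool_static_overlap("200.1.1.1", "200.1.1.1", {"10.1.1.1": "200.1.1.1"}))
    t = OverloadTranslator(["200.1.1.1", "200.1.1.2"])
    for p in range(4):
        t.translate("10.1.1.5", 40000 + p)
    print("pool addresses in use after 4 sessions:", t.addresses_in_use())
```

Running the module shows the server at 20.20.20.20 excluded from the dynamic rule by the explicit deny, the overlap check flagging a one-address pool that collides with Brian's static, and the PAT allocator staying on the first pool address until its (deliberately tiny) port budget is exhausted.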



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:49 GMT-3