From: Bruno Poussard (bruno.poussard@xxxxxxxxxx)
Date: Fri Sep 07 2001 - 12:38:18 GMT-3
FYI, you can do it with the Pix but you need version 6.01.
This is a new feature. Read the release note and test it with the static
command.
Bruno #6424
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On behalf of Jerry Toomey
Sent: Thursday, 6 September 2001 22:53
To: Davis, David
Cc: ccielab@groupstudy.com
Subject: RE: Internet Firewall Router IOS Config
David,
I did DNS filtering a bit differently for one of my routers:
ip nat inside source static udp 206.4.188.10 53 64.173.118.210 53 extend
ip nat inside source static tcp 206.4.188.10 53 64.173.118.210 53 extend
By doing PAT instead of NAT for those IPs I didn't have to worry about
filtering because of the way PAT works. Also I could overlap addresses so
the internet saw a single IP for web, DNS, mail, etc.
Jerry
--- "Davis, David" <DDavis@foxgal.com> wrote:
> Jerry,
>
> Thanks for the tips, good info.
>
> Hmm, I thought that the access list was using the outside Global IP
> address. The 64. addresses are actual Internet addresses...
>
> Does DNS use a port other than 53 at both source and destination? My
> access list was based on that assumption that DNS only uses 53 for
> source and destination.
> Again, Thanks for the help!
>
> David
>
> -----Original Message-----
> From: Jerry Toomey [mailto:jetoomey@yahoo.com]
> Sent: Thursday, September 06, 2001 3:40 PM
> To: Davis, David; ccielab@groupstudy.com
> Subject: Re: Internet Firewall Router IOS Config
>
> David,
> Shouldn't your access-list use the Outside Global IP address instead of
> the Inside Local IP?
>
> Why don't you add these to your access list (before any deny):
> access-list 100 permit tcp any host 17.0.17.254 eq 53
> access-list 100 permit tcp any host 17.0.19.254 eq 53
> access-list 100 permit udp any host 17.0.17.254 eq 53
> access-list 100 permit udp any host 17.0.19.254 eq 53
>
> Then, do a "sho access-list 100" and see where the hits are coming from.
>
> Look for "(xxx matches)".
>
> Jerry
> --- "Davis, David" <DDavis@foxgal.com> wrote:
> > I have been using all my CCIE-candidate access-list & NAT
> > troubleshooting skills to figure out the config on our new
> > firewall/router but with no luck. When this access-list is put in place,
> > DNS inquiries from the servers that the access-list permits on port 53
> > (for DNS) stop working.
> >
> > Is this access-list configured correctly for DNS?
> >
> > Any help is appreciated!
> >
> > Thanks,
> > David
> >
> > The servers on 63.161.251.4 and .5 are our two DNS servers that do not
> > function once the access-list is put in place.
> >
> >
> >
> > !
> > ! Last configuration change at 03:11:43 CST Wed Mar 3 1993 by root
> > ! NVRAM config last updated at 03:23:44 CST Wed Mar 3 1993 by root
> > !
> > version 12.0
> > service timestamps debug uptime
> > service timestamps log uptime
> > service password-encryption
> > !
> > hostname inetrouter
> > !
> > logging buffered 4096 notifications
> > enable secret 5 $1$xZE9$KX4QfCbWvk.x1zFXLGHHg.
> > !
> > username root privilege 15 password 7 05070F1924455A1C09
> > memory-size iomem 20
> > clock timezone CST -6
> > clock summer-time CDT recurring
> > ip subnet-zero
> > no ip source-route
> > ip rcmd rsh-enable
> > ip rcmd remote-host root 17.0.26.1 root enable
> > ip rcmd remote-username root
> > no ip domain-lookup
> > !
> > !
> > !
> > !
> > !
> > !
> > !
> > interface Ethernet0/0
> > ip address 192.168.0.1 255.255.255.252 secondary
> > ip address 192.168.1.1 255.255.255.252 secondary
> > ip address 17.0.21.21 255.0.0.0
> > no ip directed-broadcast
> > no ip proxy-arp
> > ip nat inside
> > no cdp enable
> > !
> > interface Serial0/0
> > description Internet T1
> > ip address 144.232.221.38 255.255.255.252
> > ip access-group 100 in
> > no ip directed-broadcast
> > no ip proxy-arp
> > ip nat outside
> > encapsulation ppp
> > no cdp enable
> > !
> > ip nat inside source static 17.0.27.254 63.161.251.9
> > ip nat inside source static 17.0.18.254 63.161.251.8
> > ip nat inside source static 17.0.26.1 63.161.251.6
> > ip nat inside source static 17.0.17.254 63.161.251.4
> > ip nat inside source static 17.0.39.254 63.161.251.3
> > ip nat inside source static 17.0.19.254 63.161.251.5
> > ip nat inside source static 192.168.0.2 63.161.251.1
> > ip nat inside source static 192.168.1.2 63.161.251.7
> > ip nat inside source static 17.0.22.254 63.161.251.2
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 Serial0/0 2
> > no ip http server
> > !
> > logging 17.0.19.254
> > access-list 100 permit ip any host 63.161.251.7
> > access-list 100 permit ip any host 63.161.251.1
> > access-list 100 permit tcp any host 63.161.251.2 eq 443
> > access-list 100 permit tcp any host 63.161.251.2 eq 80
> > access-list 100 permit tcp any host 63.161.251.2 eq 25
> > access-list 100 permit tcp any host 63.161.251.4 eq 53
> > access-list 100 permit tcp any host 63.161.251.5 eq 53
> > access-list 100 permit udp any host 63.161.251.4 eq 53
> > access-list 100 permit udp any host 63.161.251.5 eq 53
> > access-list 100 permit udp any host 63.161.251.4 eq 123
> > access-list 100 permit icmp any any echo-reply
> > access-list 100 permit icmp any host 63.161.251.2 echo
> > access-list 100 deny ip any any log
> > no cdp run
> > !
> > line con 0
> > exec-timeout 0 0
> > login local
> > transport input none
> > line aux 0
> > password 7 14141B180F0B
> > line vty 0 4
> > login local
> > !
> > ntp clock-period 17208398
> > ntp server 17.253.100.1
> > no scheduler allocate
> > end
> > **Please read:http://www.groupstudy.com/list/posting.html
> =====
> Jerry Toomey of http://www.wansend.com can be reached at 877-690-2578
>
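What the posted access-list does to the two kinds of DNS traffic, as an added example that is not part of the original thread and not anyone's code from it. It parses the access-list 100 lines quoted from the config and evaluates constructed packets against them the way IOS does (entries in order, first match wins), with a per-entry counter standing in for the "(xxx matches)" column of "show access-list". It also shows two things the thread itself does not state: on IOS the inbound ACL on the outside interface is evaluated before outside-to-inside NAT, so an entry keyed on an inside local 17.x address can never match a packet arriving on Serial0/0; and a recursive query sent by the DNS server itself comes back with source port 53 and an ephemeral destination port, which only the final deny matches. The resolver address 203.0.113.7, the ephemeral ports, and the "eq 53 ... gt 1023" entries are assumptions for illustration, not configuration from the thread.

```python
"""Evaluate constructed packets against access-list 100 from the thread.
Added example, not code from the thread: entries are tried in order, first
match wins, and a per-entry hit counter mimics "(N matches)" in "show access-list"."""
from dataclasses import dataclass

ACL_AS_POSTED = """\
access-list 100 permit ip any host 63.161.251.7
access-list 100 permit ip any host 63.161.251.1
access-list 100 permit tcp any host 63.161.251.2 eq 443
access-list 100 permit tcp any host 63.161.251.2 eq 80
access-list 100 permit tcp any host 63.161.251.2 eq 25
access-list 100 permit tcp any host 63.161.251.4 eq 53
access-list 100 permit tcp any host 63.161.251.5 eq 53
access-list 100 permit udp any host 63.161.251.4 eq 53
access-list 100 permit udp any host 63.161.251.5 eq 53
access-list 100 permit udp any host 63.161.251.4 eq 123
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any host 63.161.251.2 echo
access-list 100 deny ip any any log
"""

# Assumed entries (not from the thread) for replies to the servers' own queries,
# which return from source port 53 to an ephemeral port above 1023.
REPLY_ENTRIES = """\
access-list 100 permit udp any eq 53 host 63.161.251.4 gt 1023
access-list 100 permit udp any eq 53 host 63.161.251.5 gt 1023
"""

# Keyed on the inside local address: the inbound ACL on the outside interface
# runs before outside-to-inside NAT, so it sees 63.161.251.4 and never matches.
INSIDE_LOCAL_ENTRY = "access-list 100 permit udp any host 17.0.17.254 eq 53\n"

@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""

def _addr(tok, i):
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError("unsupported address form (wildcard masks not modelled): " + tok[i])

def _port(tok, i):
    # Optional 'eq N' or 'gt N' operator; ('any', 0) when absent.
    if i < len(tok) and tok[i] in ("eq", "gt"):
        return (tok[i], int(tok[i + 1])), i + 2
    return ("any", 0), i

def parse_acl(text):
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        rest = [t for t in tok[i:] if t != "log"]   # "log" does not affect matching
        entries.append(dict(action=tok[2], proto=tok[3], src=src, sport=sport, dst=dst,
                            dport=dport, icmp=rest[0] if rest else "", text=line, matches=0))
    return entries

def _port_ok(op, port):
    kind, n = op
    return kind == "any" or (kind == "eq" and port == n) or (kind == "gt" and port > n)

def _match(e, p):
    return (e["proto"] in ("ip", p.proto)
            and e["src"] in ("any", p.src) and e["dst"] in ("any", p.dst)
            and _port_ok(e["sport"], p.sport) and _port_ok(e["dport"], p.dport)
            and (not e["icmp"] or e["icmp"] == p.icmp_type))

def evaluate(entries, pkt):
    """Action of the first matching entry; IOS implicitly denies otherwise."""
    for e in entries:
        if _match(e, pkt):
            e["matches"] += 1
            return e["action"]
    return "deny"

# Constructed traffic: a query from the outside resolver to the DNS server,
# and the reply to a recursive query that the server itself sent out.
INBOUND_QUERY = Packet("udp", "203.0.113.7", "63.161.251.4", 40123, 53)
REPLY_TO_SERVER = Packet("udp", "203.0.113.7", "63.161.251.4", 53, 33217)

def dns_results(acl_text):
    entries = parse_acl(acl_text)
    return {"inbound_query": evaluate(entries, INBOUND_QUERY),
            "reply_to_server": evaluate(entries, REPLY_TO_SERVER),
            "hits": {e["text"]: e["matches"] for e in entries if e["matches"]}}

if __name__ == "__main__":
    for label, acl in (("as posted", ACL_AS_POSTED),
                       ("inside-local entry added", INSIDE_LOCAL_ENTRY + ACL_AS_POSTED),
                       ("reply entries added", REPLY_ENTRIES + ACL_AS_POSTED)):
        print(label, dns_results(acl))
```

Run as posted, the inbound query is permitted by the "udp ... 63.161.251.4 eq 53" line while the reply to the server's own query lands on "deny ip any any log", which is exactly the pair of counters "show access-list 100" would move. Prepending the inside-local entry adds nothing to the hit table; prepending the reply entries lets the second packet through. Whether to open the ephemeral range this widely, or use a stateful mechanism instead, is a separate design question the thread does not settle.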
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:15 GMT-3