RE: Internet Firewall Router IOS Config

From: Davis, David (DDavis@xxxxxxxxxx)
Date: Fri Sep 07 2001 - 18:18:34 GMT-3


Thanks to everyone who responded to my request for help on the Internet
firewall/NAT config.

Someone asked me to post what the final resolution was so that everyone
knew, so here it goes:

As it turns out, the NAT configuration was correct.

The access list for DNS and SMTP were our problems.

What we believe is the correct configuration is below.

Thanks to Jay Hennigan for a new understanding of DNS and access lists.
His response is below this, then the apparent working config follows:

(this board is so great!)

David Davis

From Jay:

UDP is used for regular DNS queries and TCP for zone transfers. So
unless the machines on 251.4 and 251.5 are authoritative nameservers,
you don't need TCP. From your question, I'm not sure if the machines on
251.4 and 251.5 are themselves nameservers (they are authoritative) or
are querying external nameservers, and whether the issue is that the
outside world can't reach them or that they can't resolve when pulling
from outside nameservers.
I think your problem is that the machines at 251.4 and 251.5 are unable
to receive responses from outside nameservers. (that was the problem)
This is because your port specification is backwards for a DNS response.
Try the following instead of (or in addition to) the above four lines:
access-list 100 permit udp any eq 53 host 63.161.251.4 gt 1023
access-list 100 permit udp any eq 53 host 63.161.251.5 gt 1023
The response to a DNS query will have a source port of 53 and the same
random high port as the originating query. Your filter will block all
UDP unless the destination port is 53.
For tighter security, replace the "any" in the above lines with the host
IP(s) of the specific external nameserver(s) your ISP specifies that you
use, unless you need to resolve from anywhere.

! Apparent working config:

interface Ethernet0/0
 ip address 192.168.0.1 255.255.255.252 secondary
 ip address 192.168.1.1 255.255.255.252 secondary
 ip address 17.0.21.21 255.0.0.0
 no ip directed-broadcast
 no ip proxy-arp
 ip nat inside
 no cdp enable
!
interface Serial0/0
 description Internet T1
 ip address 144.232.221.38 255.255.255.252
 ip access-group 100 in
 no ip directed-broadcast
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 no cdp enable
!
ip nat inside source static 17.0.27.254 63.161.251.9
ip nat inside source static 17.0.18.254 63.161.251.8
ip nat inside source static 17.0.26.1 63.161.251.6
ip nat inside source static 17.0.17.254 63.161.251.4
ip nat inside source static 17.0.39.254 63.161.251.3
ip nat inside source static 17.0.19.254 63.161.251.5
ip nat inside source static 192.168.0.2 63.161.251.1
ip nat inside source static 192.168.1.2 63.161.251.7
ip nat inside source static 17.0.22.254 63.161.251.2
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0 2
no ip http server
!
logging 17.0.19.254
access-list 100 permit ip any host 63.161.251.7
access-list 100 permit ip any host 63.161.251.1
access-list 100 permit tcp any host 63.161.251.2 eq 443
access-list 100 permit tcp any host 63.161.251.2 eq www
access-list 100 permit tcp any eq smtp host 63.161.251.2 gt 1023
access-list 100 permit tcp any host 63.161.251.2 eq smtp
access-list 100 permit tcp any host 63.161.251.4 eq domain
access-list 100 permit tcp any host 63.161.251.5 eq domain
access-list 100 permit udp any eq domain host 63.161.251.4 gt 1023
access-list 100 permit udp any eq domain host 63.161.251.5 gt 1023
access-list 100 permit udp any host 63.161.251.4 eq ntp
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any host 63.161.251.2 echo
access-list 100 permit icmp any host 63.161.251.7 echo
access-list 100 deny ip any any log
no cdp run
-----Original Message-----
From: Tu Nguyen [mailto:tunguyen@juniper.net]
Sent: Thursday, September 06, 2001 3:46 PM
To: Davis, David; ccielab@groupstudy.com
Subject: RE: Internet Firewall Router IOS Config

Try this:
access-list 100 permit tcp any eq 25 host 63.161.251.2
access-list 100 permit tcp any eq 53 host 63.161.251.4
access-list 100 permit tcp any eq 53 host 63.161.251.5
access-list 100 permit udp any eq 53 host 63.161.251.4

-----Original Message-----
From: Davis, David [mailto:DDavis@foxgal.com]
Sent: Thursday, September 06, 2001 12:34 PM
To: ccielab@groupstudy.com
Subject: Internet Firewall Router IOS Config

I have been using all my CCIE-candidate access-list & NAT
troubleshooting skills to figure out the config on our new
firewall/router but with no luck. When this access-list is put in place,
DNS inquiries from the servers that the access-list permits on port 53
(for DNS) stop working.

Is this access-list configured correctly for DNS?

Any help is appreciated!

Thanks,
David

The servers on 63.161.251.4 and .5 are our two DNS servers that do not
function once the access-list is put in place.

!
! Last configuration change at 03:11:43 CST Wed Mar 3 1993 by root
! NVRAM config last updated at 03:23:44 CST Wed Mar 3 1993 by root
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname inetrouter
!
logging buffered 4096 notifications
enable secret 5 $1$xZE9$KX4QfCbWvk.x1zFXLGHHg.
!
username root privilege 15 password 7 05070F1924455A1C09
memory-size iomem 20
clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
no ip source-route
ip rcmd rsh-enable
ip rcmd remote-host root 17.0.26.1 root enable
ip rcmd remote-username root
no ip domain-lookup
!
!
!
!
!
!
!
interface Ethernet0/0
 ip address 192.168.0.1 255.255.255.252 secondary
 ip address 192.168.1.1 255.255.255.252 secondary
 ip address 17.0.21.21 255.0.0.0
 no ip directed-broadcast
 no ip proxy-arp
 ip nat inside
 no cdp enable
!
interface Serial0/0
 description Internet T1
 ip address 144.232.221.38 255.255.255.252
 ip access-group 100 in
 no ip directed-broadcast
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 no cdp enable
!
ip nat inside source static 17.0.27.254 63.161.251.9
ip nat inside source static 17.0.18.254 63.161.251.8
ip nat inside source static 17.0.26.1 63.161.251.6
ip nat inside source static 17.0.17.254 63.161.251.4
ip nat inside source static 17.0.39.254 63.161.251.3
ip nat inside source static 17.0.19.254 63.161.251.5
ip nat inside source static 192.168.0.2 63.161.251.1
ip nat inside source static 192.168.1.2 63.161.251.7
ip nat inside source static 17.0.22.254 63.161.251.2
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0 2
no ip http server
!
logging 17.0.19.254
access-list 100 permit ip any host 63.161.251.7
access-list 100 permit ip any host 63.161.251.1
access-list 100 permit tcp any host 63.161.251.2 eq 443
access-list 100 permit tcp any host 63.161.251.2 eq 80
access-list 100 permit tcp any host 63.161.251.2 eq 25
access-list 100 permit tcp any host 63.161.251.4 eq 53
access-list 100 permit tcp any host 63.161.251.5 eq 53
access-list 100 permit udp any host 63.161.251.4 eq 53
access-list 100 permit udp any host 63.161.251.5 eq 53
access-list 100 permit udp any host 63.161.251.4 eq 123
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any host 63.161.251.2 echo
access-list 100 deny ip any any log
no cdp run
!
line con 0
 exec-timeout 0 0
 login local
 transport input none
line aux 0
 password 7 14141B180F0B
line vty 0 4
 login local
!
ntp clock-period 17208398
ntp server 17.253.100.1
no scheduler allocate
end
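To make Jay's point about port direction concrete, here is an added example that is not part of the thread: a small first-match evaluator for the numbered extended ACL syntax used above (only the `permit`/`deny`, `ip`/`tcp`/`udp`/`icmp`, `any`/`host`, `eq`/`gt` subset that appears on the page). It runs three constructed packets, with outside hosts taken from the 198.51.100.0/24 documentation range, against the DNS and SMTP lines of David's original ACL and of the revised one. The ACL is applied inbound on Serial0/0, which on IOS is evaluated before the outside-to-inside NAT translation, so the list correctly matches the 63.161.251.x global addresses rather than the 17.0.x.x inside ones. Two things the output shows: the original list drops the reply to an outbound DNS query (source port 53, destination high port) because every UDP line requires destination port 53; and the revised list, having replaced rather than kept the `udp ... eq domain` lines, now denies a UDP query arriving from an outside client, which only matters if .4 and .5 must answer outside clients (Jay's authoritative-nameserver case). Since there is no `established` keyword, these return-traffic rules are stateless, which is why Jay suggests narrowing `any` to the ISP's resolver addresses.

```python
"""First-match evaluator for the subset of IOS extended ACL syntax seen in the thread.
Constructed example for illustration; not router code and not a full IOS parser."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Service names used on the page, mapped to port numbers.
PORT_NAMES = {"domain": 53, "smtp": 25, "www": 80, "ntp": 123}


@dataclass
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""  # "echo" / "echo-reply" for icmp


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: Optional[str]            # None means "any"
    sport: Optional[Tuple[str, int]]   # ("eq"|"gt", port) or None
    dst: Optional[str]
    dport: Optional[Tuple[str, int]]
    icmp_type: str
    log: bool


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def _take_addr(toks, i):
    """Consume 'any' or 'host A.B.C.D' at index i; return (addr_or_None, next_index)."""
    if toks[i] == "any":
        return None, i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    raise ValueError("unsupported address form: " + " ".join(toks))


def _take_port(toks, i):
    """Consume an optional 'eq N' / 'gt N' at index i (N numeric or a service name)."""
    if i < len(toks) and toks[i] in ("eq", "gt"):
        return (toks[i], _port(toks[i + 1])), i + 2
    return None, i


def parse_acl(text: str):
    """Parse 'access-list <n> <action> <proto> <src> [port] <dst> [port] [icmp-type] [log]' lines."""
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[:1] != ["access-list"]:
            raise ValueError("not an access-list line: " + line)
        action, proto = toks[2], toks[3]
        src, i = _take_addr(toks, 4)
        sport, i = _take_port(toks, i)
        dst, i = _take_addr(toks, i)
        dport, i = _take_port(toks, i)
        icmp_type = ""
        if proto == "icmp" and i < len(toks) and toks[i] != "log":
            icmp_type, i = toks[i], i + 1
        log = i < len(toks) and toks[i] == "log"
        rules.append(Rule(action, proto, src, sport, dst, dport, icmp_type, log))
    return rules


def _port_ok(spec, port: int) -> bool:
    if spec is None:
        return True
    op, n = spec
    return port == n if op == "eq" else port > n   # IOS 'gt' is strictly greater


def match(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and rule.src != pkt.src:
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    if not (_port_ok(rule.sport, pkt.sport) and _port_ok(rule.dport, pkt.dport)):
        return False
    return not rule.icmp_type or rule.icmp_type == pkt.icmp_type


def evaluate(rules, pkt: Packet) -> str:
    """First matching line wins; an IOS ACL ends with an implicit deny."""
    for rule in rules:
        if match(rule, pkt):
            return rule.action
    return "deny"


# DNS/SMTP lines copied from the two configs in the thread (other lines omitted).
ORIGINAL_ACL = """
access-list 100 permit tcp any host 63.161.251.2 eq 25
access-list 100 permit tcp any host 63.161.251.4 eq 53
access-list 100 permit tcp any host 63.161.251.5 eq 53
access-list 100 permit udp any host 63.161.251.4 eq 53
access-list 100 permit udp any host 63.161.251.5 eq 53
access-list 100 deny ip any any log
"""
REVISED_ACL = """
access-list 100 permit tcp any eq smtp host 63.161.251.2 gt 1023
access-list 100 permit tcp any host 63.161.251.2 eq smtp
access-list 100 permit tcp any host 63.161.251.4 eq domain
access-list 100 permit tcp any host 63.161.251.5 eq domain
access-list 100 permit udp any eq domain host 63.161.251.4 gt 1023
access-list 100 permit udp any eq domain host 63.161.251.5 gt 1023
access-list 100 deny ip any any log
"""

# Constructed packets; 198.51.100.x are documentation addresses standing in for outside hosts.
PACKETS = {
    "dns_reply":    Packet("udp", "198.51.100.53", "63.161.251.4", 53, 40123),   # answer to our query
    "dns_query_in": Packet("udp", "198.51.100.77", "63.161.251.4", 40000, 53),   # outside client asks us
    "smtp_reply":   Packet("tcp", "198.51.100.25", "63.161.251.2", 25, 51000),   # return half of our outbound SMTP
}


def verdicts(acl_text: str) -> dict:
    """Verdict for each constructed packet under the given ACL text."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("revised", REVISED_ACL)):
        print(label, verdicts(acl))
```

Running it prints `deny` for the DNS reply under the original list and `permit` under the revised one, and the reverse for the inbound UDP query; adding Jay's lines in addition to, rather than instead of, the `eq domain` lines would permit both.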
**Please read:http://www.groupstudy.com/list/posting.html



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:15 GMT-3