Cisco Router 2620 with NAT and CBAC

me19562

Senior member
Jun 27, 2001
374
0
0
Hi:

I have this client for whom I set up CBAC and some static NATs in his 2620, but when I started to work with the router I found that the ISP had put a public IP address on the
ip nat inside interface as a secondary IP address. I took out that IP because I thought it was a security issue. Well, after that they had a problem
with inbound email being too slow, but until today they and I thought the problem was with their DNS, because they changed ISPs and it took about
3 months to move it to the new ISP. OK, the move was done but the problem was still there, and while checking I put back the IP address I took out,
and 30 seconds later I could access the mail server's page very fast and without a problem. Does this have to be configured that way, or is something very strange going on?
This is the actual configuration of the router; any help will be appreciated.

version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname XXXXX
!
enable secret 5 $1$gN3H$7afHPMO.AKyQeTaQlaoVe.
!
!
!
!
!
ip subnet-zero
no ip source-route
no ip finger
ip domain-name XXXXX.com
ip name-server XXX.XXX.XXX.XXX
ip name-server XXX.XXX.XXX.XXX
ip name-server 10.0.0.4
!
ip inspect name xxxxfw cuseeme timeout 3600
ip inspect name xxxxfw ftp timeout 3600
ip inspect name xxxxfw h323 timeout 3600
ip inspect name xxxxfw http timeout 3600
ip inspect name xxxxfw rcmd timeout 3600
ip inspect name xxxxfw realaudio timeout 3600
ip inspect name xxxxfw smtp timeout 3600
ip inspect name xxxxfw sqlnet timeout 3600
ip inspect name xxxxfw streamworks timeout 3600
ip inspect name xxxxfw tcp timeout 3600
ip inspect name xxxxfw tftp timeout 30
ip inspect name xxxxfw udp timeout 15
ip inspect name xxxxfw vdolive timeout 3600
ip audit notify log
ip audit po max-events 100
!
!
!
interface FastEthernet0/0
ip address XXX.XXX.XXX.XXX 255.255.255.252
ip address 10.0.0.254 255.255.255.0
ip access-group 102 in
no ip directed-broadcast
ip nat inside
ip inspect xxxxfw in
load-interval 30
duplex auto
speed auto
!
interface Serial0/0
bandwidth 512
no ip address
no ip directed-broadcast
ip nat outside
encapsulation frame-relay IETF
fair-queue 64 256 0
service-module t1 timeslots 1-8
service-module t1 remote-alarm-enable
frame-relay lmi-type cisco
!
interface Serial0/0.100 point-to-point
bandwidth 512
ip address XXX.XXX.XXX.XXX 255.255.255.252
ip access-group 112 in
no ip redirects
no ip directed-broadcast
ip nat outside
frame-relay interface-dlci 100
!
ip nat inside source list 101 interface Serial0/0.100 overload
ip nat inside source static tcp 10.0.0.1 80 XXX.XXX.XXX.XXX 80 extendable
ip nat inside source static tcp 10.0.0.1 25 XXX.XXX.XXX.XXX 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.100
no ip http server
!
logging 10.0.0.4
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 permit tcp 10.0.0.0 0.0.0.255 any
access-list 102 permit udp 10.0.0.0 0.0.0.255 any
access-list 102 permit icmp 10.0.0.0 0.0.0.255 any
access-list 112 permit tcp any host XXX.XXX.XXX.XXX eq smtp
access-list 112 permit tcp any host XXX.XXX.XXX.XXX eq www
access-list 112 permit tcp any host XXX.XXX.XXX.XXX eq telnet
access-list 112 permit tcp any host XXX.XXX.XXX.XXX eq telnet
access-list 112 permit tcp any any eq domain
access-list 112 permit udp any any eq domain
access-list 112 permit tcp any host XXX.XXX.XXX.XXX gt 1023
access-list 112 permit tcp any host XXX.XXX.XXX.XXX gt 1023
access-list 112 permit icmp any XXX.XXX.XXX.XXX 0.0.0.255 unreachable
access-list 112 permit icmp any XXX.XXX.XXX.XXX 0.0.0.255 echo-reply
access-list 112 permit icmp any XXX.XXX.XXX.XXX 0.0.0.255 packet-too-big
access-list 112 permit icmp any XXX.XXX.XXX.XXX 0.0.0.255 time-exceeded
access-list 112 permit icmp any XXX.XXX.XXX.XXX 0.0.0.255 traceroute
access-list 112 permit icmp any XXX.XXX.XXX.XXX 0.0.0.255 administratively-prohibited
access-list 112 permit icmp any XXX.XXX.XXX.XXX 0.0.0.255 echo
access-list 112 deny ip 127.0.0.0 0.255.255.255 any
access-list 112 deny ip any any


 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
what is CBAC?

also what is the speed of the line and what is the processor utilization on the router? Very strange indeed, sorry no time to pick through the config.
 

me19562

CBAC is Content Based Access Control; this is the new name for the Cisco IOS Firewall feature set. The line is a 384Kb burstable to 512Kb,
and the processor utilization is 0%.
 

me19562

But the strangest thing is that if I remove the public IP from the FastEthernet I get a routing loop.
 

Garion

Platinum Member
Apr 23, 2001
2,331
7
81
I don't know why having the IP address inside will make any difference - With NAT, it's not ever published.

A couple of thoughts:

Are there any devices using the IP subnet of the public IP inside? You might ping the .0 or .255 address on that subnet (or whatever the broadcast address if it's less than a /24) and see if there are other hosts out there.

A lot of services don't work well when there's not both a forward and reverse DNS entry for the source IP. Is the s0/0 IP resolvable? That's your source, so if it's not it could easily cause problems.

Try and telnet to some box out on the Internet that you know - See what your source IP is. If it's the S0/0, then things are good. If it's the public on the inside, then something really odd is happening and could explain why things are not right when the public goes away.

Oh, and you've got your IP NAT OUTSIDE statement on both S0/0 and S0/0.100 - That could be causing some confusion, as the S0/0 isn't a real interface. I doubt if it is, as your NAT statements specify s0/0.100, but it's something that should be cleaned up.

Now, I haven't worked with the firewall feature set, but you're filtering the traffic coming IN from FE0/0. Shouldn't that be on S0/0.100? (Caveat: I hate ACLs with a passion, so I might well be wrong here. Second opinion recommended.) Might want to do a show ip access-list and see which ones are getting hit.

- G


 

me19562

Thanks for the help, for the filtering I used as a guide a sample configuration on the cisco website, but I'm open to any suggestions.
 

me19562

Oops, even though the inspection is set on FE0/0, the access-list that the inspection modifies is the one on Ser0/0.100. The way CBAC works is that it inspects
all the packets for invalid commands, and as long as the inspection doesn't find anything odd it creates a dynamic access-list allowing the access.
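The CBAC behaviour described in the post above (inspection on the inside interface, dynamic entries opened in the outside interface's inbound ACL for the return traffic of sessions that left the inside), as an added toy model in Python that is not part of the thread and not Cisco IOS code. The public addresses are documentation placeholders for the masked XXX.XXX.XXX.XXX values in the posted config; port-preserving PAT and the three-line ACL subset are simplifications.

```python
"""Toy model of the thread's edge router: NAT overload on the outside interface
plus CBAC-style inspection that opens return paths through the inbound ACL.
Constructed example for this thread, not Cisco IOS code."""
from dataclasses import dataclass, field

OUTSIDE_IP = "198.51.100.2"    # placeholder for the Serial0/0.100 address (overload source)
MAIL_PUBLIC = "198.51.100.10"  # placeholder for the static-NAT public address of 10.0.0.1
STATIC_NAT = {"10.0.0.1": MAIL_PUBLIC}  # mirrors the 'ip nat inside source static' lines


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Inbound ACL on the outside interface, modelled on a subset of access-list 112:
# first match wins, and the posted list ends with an explicit 'deny ip any any'.
ACL_112 = [
    ("permit", "tcp", MAIL_PUBLIC, 25),
    ("permit", "tcp", MAIL_PUBLIC, 80),
    ("permit", "udp", "any", 53),
]


@dataclass
class Router:
    sessions: set = field(default_factory=set)  # dynamic entries CBAC has added

    def outbound(self, p: Pkt) -> Pkt:
        """Inside -> outside: translate the source address, then remember the
        session so its reply can pass ACL 112 (what 'ip inspect xxxxfw in' does)."""
        pub = STATIC_NAT.get(p.src, OUTSIDE_IP)  # static entry, else overload
        out = Pkt(p.proto, pub, p.sport, p.dst, p.dport)  # port kept: simplification
        self.sessions.add((out.proto, out.dst, out.dport, out.src, out.sport))
        return out

    def inbound(self, p: Pkt) -> str:
        """Outside -> inside: dynamic CBAC entries are consulted before the static ACL."""
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.sessions:
            return "permit-dynamic"
        for action, proto, dst, dport in ACL_112:
            if proto == p.proto and dst in ("any", p.dst) and dport == p.dport:
                return action
        return "deny"
```

Without the dynamic entry the HTTP reply to an overloaded inside host would hit the final deny, which is why the inspection must point at the same ACL that guards the outside interface.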
 

me19562

Garion, I tried what you said about the ip nat outside on Ser0/0 and Ser0/0.100, and it works intermittently.
 

Garion

Platinum Member
Apr 23, 2001
2,331
7
81
I'm just wondering if the two NAT OUTSIDE statements are causing your problems. For example, in Windows, if you have two routes to the same network with the same metric it will alternate sending traffic between them.

Your router COULD be alternating sending packets between the two interfaces listed in the NAT OUTSIDE - The S0/0 and the S0/0.100. It's the same physical interface, but they are treated as separate functional interfaces within the router.

That would actually make sense - Most TCP services would work in this scenario, since TCP is a connection-oriented protocol. If a packet gets lost (or sent out the wrong interface and dropped) it will get sent again. Things could be really slow, but they would probably work. Nearly all the common things you use are TCP - HTTP, telnet, FTP, etc. A few services, such as DNS require both UDP and TCP. UDP is a connectionless protocol - You send the packet and forget it. If it's lost, there's no way to tell. So, if you're having name resolution problems, you could be seeing lost DNS UDP packets.

Anyhow, try and take the NAT OUTSIDE statement out of S0/0 - It shouldn't be there anyhow, since that's not your outside interface.

- G
 

Garion

If you ping an Internet address, do you get back clean pings all the time, or do you drop some? Try a ping -t www.yahoo.com and see how many fail.

- G