
Re: Still having trouble with Procurve SR7102dl firewall router... Configuration help!!!

 
Andrew Kececi
Occasional Advisor

Still having trouble with Procurve SR7102dl firewall router... Configuration help!!!

I have tried the following config file, however I can't seem to get access to the internal webserver/emailserver/dnsserver/ftpserver.

I have tried port forwarding the ports I need..

Here is the config...
_____________________________________________
!
!
! ProCurve Secure Router 7102dl SROS version J08.03
! Boot ROM version J06.06
! Platform: ProCurve Secure Router 7102dl, part number J8752A
! Serial number Serial
! Flash: 33554432 bytes DRAM: 134217727 bytes
! Date/Time: Mon Sep 14 2009, 16:14:40 EST
!
!
hostname "ProCurve"
enable password password
!
clock timezone +10-Canberra
!
ip subnet-zero
ip classless
ip domain-proxy
ip default-gateway xxx.xxx.xxx.xxx
ip routing
!
event-history on
no logging forwarding
no logging email
logging email priority-level info
!
no service password-encryption
!
username "username" password "password"
!
!
ip firewall
ip firewall stealth
no ip firewall alg msn
no ip firewall alg h323
!
!
!
!
!
!
no autosynch-mode
no safe-mode
!
!
!
!
!
ip dhcp-server pool "pool-for-lan"
network xxx.xxx.xxx.xxx 255.255.255.0
domain-name "providers domain"
dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
netbios-node-type h-node
default-router xxx.xxx.xxx.xxx
!
!
!
!
!
!
!
!
interface eth 0/1
ip address xxx.xxx.xxx.xxx 255.255.255.0
access-policy Private
no shutdown
!
!
interface eth 0/2
no ip address
shutdown
!
!
!
interface adsl 1/1
description "Description"
no shutdown
!
!
interface atm 1 point-to-point
no shutdown
bind 1 adsl 1/1 atm 1
!
interface atm 1.1 point-to-point
no shutdown
pvc 8/35
no ip address
!
interface ppp 1
ip address negotiated
access-policy Public
ppp multilink
no fair-queue
ppp chap hostname provider username
ppp chap password provider password
no shutdown
bind 2 atm 1.1 ppp 1
!
!
!
!
!
!
!
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended self
remark Traffic to ProCurve SR
permit ip any any log
!
ip access-list extended web-acl-13
remark Port Forward 8 port 81
permit tcp any eq 81 any eq 81 log
!
ip access-list extended web-acl-14
remark Port Forward 9 port 10000
permit tcp any eq 10000 any eq 10000 log
!
ip access-list extended web-acl-15
remark Port Forward 10 port 53
permit udp any eq domain any eq domain log
!
ip access-list extended web-acl-16
remark Port Forward 11 Port 22
permit tcp any any eq echo
!
ip access-list extended web-acl-17
remark Port Forward 12 Port 88
permit tcp any eq 88 any eq 88 log
!
ip access-list extended web-acl-18
remark Port Forward 13 Port 123
permit tcp any eq 123 any eq 123 log
!
ip access-list extended web-acl-19
remark Port Forward 14 Port 514
permit tcp any eq syslog any eq syslog log
!
ip access-list extended web-acl-20
remark Port Forward 15 Port 993
permit tcp any eq 993 any eq 993 log
!
ip access-list extended web-acl-21
remark Port Forward 16 Port 995
permit tcp any any eq 995 log
!
ip access-list extended web-acl-22
remark Port Forward 17 Port 989/990
permit tcp any any eq 989 log
permit tcp any any eq 990 log
!
ip access-list extended web-acl-24
remark Port Forward 18 Port 1723/500
permit tcp any eq 1723 any eq 1723 log
permit udp any eq isakmp any eq isakmp log
!
ip access-list extended web-acl-25
remark Port Forward 19 Port 1701/500
permit tcp any eq 1701 any eq 1701 log
permit udp any eq isakmp any eq isakmp log
!
ip access-list extended web-acl-26
remark Port Forward 20 Port 500
permit udp any eq isakmp any eq isakmp log
!
ip access-list extended wizard-pfwd-1
remark Port Forward 1 port 80
permit tcp any eq www any eq www log
!
ip access-list extended wizard-pfwd-2
remark Port Forward 2 Port 21
permit tcp any eq ftp any eq ftp log
!
ip access-list extended wizard-pfwd-3
remark Port Forward 3 Port 25
permit tcp any eq smtp any eq smtp log
!
ip access-list extended wizard-pfwd-4
remark Port Forward 4 Port 53
permit tcp any eq domain any eq domain log
!
ip access-list extended wizard-pfwd-5
remark Port Forward 5 Port 20
permit tcp any eq ftp-data any eq ftp-data log
!
ip access-list extended wizard-pfwd-6
remark Port Forward 6 Port 443
permit tcp any eq https any eq https log
!
ip access-list extended wizard-pfwd-7
remark Port Forward 7 Port 110
permit tcp any eq pop3 any eq pop3 log
!
ip policy-class Private
allow list self self
nat source list wizard-ics interface ppp 1 overload
!
ip policy-class Public
nat destination list wizard-pfwd-1 address xxx.xxx.xxx.xxx
nat destination list wizard-pfwd-2 address xxx.xxx.xxx.xxx
nat destination list wizard-pfwd-3 address xxx.xxx.xxx.xxx
nat destination list wizard-pfwd-4 address xxx.xxx.xxx.xxx
nat destination list wizard-pfwd-5 address xxx.xxx.xxx.xxx
nat destination list wizard-pfwd-6 address xxx.xxx.xxx.xxx
nat destination list wizard-pfwd-7 address xxx.xxx.xxx.xxx
nat destination list web-acl-13 address xxx.xxx.xxx.xxx
nat destination list web-acl-14 address xxx.xxx.xxx.xxx
nat destination list web-acl-15 address xxx.xxx.xxx.xxx
discard list web-acl-16
nat destination list web-acl-17 address xxx.xxx.xxx.xxx
nat destination list web-acl-18 address xxx.xxx.xxx.xxx
nat destination list web-acl-19 address xxx.xxx.xxx.xxx
nat destination list web-acl-20 address xxx.xxx.xxx.xxx
nat destination list web-acl-21 address xxx.xxx.xxx.xxx
nat destination list web-acl-22 address xxx.xxx.xxx.xxx
nat destination list web-acl-24 address xxx.xxx.xxx.xxx
nat destination list web-acl-25 address xxx.xxx.xxx.xxx
nat destination list web-acl-26 address xxx.xxx.xxx.xxx
!
!
!
no ip tftp server
no ip tftp server overwrite
ip http server
no ip http secure-server
no ip snmp agent
ip ftp server
ip ftp server default-filesystem flash
no ip scp server
ip sntp server
!
!
!
!
!
!
!

ip sip

ip sip proxy

!

!

!
line con 0
no login
!
line telnet 0 4
login
shutdown
line ssh 0 4
login local-userlist
shutdown
!
sntp server time.nist.gov
!
end
__________________________________

Also, what I'm trying to do is set up Local Loopback or NAT Loopback and VPN Passthrough.

However I have had no success so far...

Please help.... Any hints would be appreciated.

Regards
Andrew Kececi
Olaf Borowski
Respected Contributor

Re: Still having trouble with Procurve SR7102dl firewall router... Configuration help!!!

Andrew, please be more specific.
Can you send the output of "show ip policy-session" when you try to get to the internal server?
Try ftp for example. wizard-pfwd-2 should hit. I assume you are using the IP address of the ADSL interface (ppp1) when you try to access this service from the outside.
Andrew Kececi
Occasional Advisor

Re: Still having trouble with Procurve SR7102dl firewall router... Configuration help!!!

Hi Olaf,

Firstly thank you for your response...

Olaf, I am attaching a network diagram done in Excel of our network here...

What I would like to achieve is the following:

1. Internal domain resolution using NAT loopback.

2. External access to our web/dns/email/ftp server.

3. VPN access to the network from outside the network... (VPN Passthrough).

4. Also possibly in the future, separating the office computers from a future training room computer using VLAN.

I will provide you with the "show ip policy-session" for FTP access from an internal IP address as well as an external IP address.

I can't do this until after 5.00 pm when our employees have gone home...

However here are some logs from last night...

__________________________________________

2009.09.15 02:29:19 FIREWALL id=firewall time="2009-09-15 02:29:19" fw=ProCurve pri=1 proto=63230/tcp src=63.241.92.42 dst=165.228.191.209 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet Src 80 Dst 63230 from Public policy-class on interface ppp 1" agent=AdFirewall

_________________________________________

This first one I would imagine is an IP address trying to access our webserver...

_________________________________________

2009.09.15 02:44:49 FIREWALL id=firewall time="2009-09-15 02:44:49" fw=ProCurve pri=1 rule=3 proto=pop3 src=192.168.0.3 dst=165.228.191.209 msg="Zero bytes transferred for connection Src 1450 Dst 110 from Private policy-class" agent=AdFirewall

________________________________________

This is me trying to access our email pop3 server from inside the network using the pop3 domain name for the email account...

_________________________________________

Please if you can provide me with any assistance this would be much much much appreciated...

I will also provide you the router's response to accessing the FTP server from inside the network as well as from outside the network using the 3G internet connection I have access to.

Regards
Andrew Kececi
Andrew Kececi
Occasional Advisor

Re: Still having trouble with Procurve SR7102dl firewall router... Configuration help!!!

Olaf, here are some of the logs I get when I connect the ProCurve router to our ADSL line...
_____________________________________________
ProCurve>
2009.09.15 22:22:16 INTERFACE_STATUS.eth 0/1 changed state to up
2009.09.15 22:22:47 INTERFACE_STATUS.atm 1.1 changed state to up
2009.09.15 22:22:47 INTERFACE_STATUS.adsl 1/1 changed state to up
2009.09.15 22:22:47 INTERFACE_STATUS.atm 1 changed state to up
2009.09.15 22:22:51 PPP.NEGOTIATION atm 1.1: LCP up
2009.09.15 22:22:52 PPP.NEGOTIATION atm 1.1: LCP down
2009.09.15 22:23:02 PPP.NEGOTIATION atm 1.1: LCP up
2009.09.15 22:23:02 PPP.NEGOTIATION ppp 1: IPCP up
2009.09.15 22:23:03 INTERFACE_STATUS.ppp 1 changed state to up


As you can see here the ADSL goes up fine and I can get internet access from inside the network without a problem...

_________________________________________
2009.09.15 22:24:16 FIREWALL id=firewall time="2009-09-15 22:24:16" fw=ProCurve pri=1 proto=15251/tcp src=32.60.49.13 dst=165.228.191.209 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet Src 80 Dst 15251 from Public policy-class on interface ppp 1" agent=AdFirewall

This is probably another attempt to connect to our internal webserver...
_________________________________________
ProCurve#show ip policy-sessions

Protocol (TTL) [in crypto map] -> [out crypto map] Destination policy-class
Src IP Address Src Port Dest IP Address Dst Port NAT IP Address NAT Port
--------------- -------- --------------- -------- ----------------- --------

Policy class "Private":
tcp (565) -> Public
192.168.0.3 1764 74.125.155.125 5222 s 165.228.191.209 1764
tcp (558) -> Public
192.168.0.28 1238 165.12.241.20 80 s 165.228.191.209 1238
tcp (593) -> Public
192.168.0.98 4313 203.34.62.182 8372 s 165.228.191.209 4313
udp (18) -> Public
192.168.0.100 51175 58.65.255.73 53 s 165.228.191.209 51175
tcp (481) -> Public
192.168.0.100 2397 84.45.62.203 21 s 165.228.191.209 2397
tcp (600) -> Public
192.168.0.100 2400 84.45.62.203 1391 s 165.228.191.209 1026
udp (11) -> Public
192.168.0.100 65330 144.140.70.30 53 s 165.228.191.209 65330
udp (11) -> Public
192.168.0.100 65330 144.140.71.16 53 s 165.228.191.209 1034
udp (18) -> Public
192.168.0.100 54917 165.12.251.25 53 s 165.228.191.209 54917
tcp (593) -> Public
192.168.0.224 43782 32.60.49.205 80 s 165.228.191.209 43782
tcp (558) -> Public
192.168.0.224 54830 74.125.155.105 80 s 165.228.191.209 54830
tcp (516) -> Public
192.168.0.224 39884 74.125.155.113 80 s 165.228.191.209 39884
udp (18) -> Public
192.168.0.224 32776 139.130.4.4 53 s 165.228.191.209 1025
tcp (502) -> Public
192.168.0.224 34751 144.135.8.175 80 s 165.228.191.209 34751
tcp (509) -> Public
192.168.0.224 38108 207.46.124.129 80 s 165.228.191.209 38108

Policy class "Public":

Policy class "self":

Policy class "default":

ProCurve#



I cannot see anywhere in this list where I have connected to our internal FTP server at all.
___________________________________________


Olaf

I tried to connect to one of our FTP accounts from inside and outside using another external connection and all I got was ....

Status: Connection attempt failed with "EAI_NONAME - Neither nodename nor servname provided, or not known".
Error: Could not connect to server...

and then I tried the show ip policy-sessions and couldn't find anything related to my attempt at connecting to the internal FTP server...

I hope this is enough of the information you require.
Your help is very very very much appreciated.

Regards
Andrew Kececi

Olaf Borowski
Respected Contributor

Re: Still having trouble with Procurve SR7102dl firewall router... Configuration help!!!

Based on the information you provided, I can get to your WEB server (Tracs Hosting?)
I also tried to ftp something but didn't have the right credentials. To me, it works..

Are you doing the following from home?
https://165.228.191.209/

or ftp 165.228.191.209?

The above should definitely give you entries in the policy-session table (but they will age out). What you are looking for is hits in "public".

VPN: What do you mean by pass-through? Should the router terminate the VPN session (it can only do IPSec) or do you have a VPN-terminator behind the router? What VPN client will you be using?
Looking at your config again, I am not sure why you want to forward all these ports. Why, for example, syslog? Why DNS? That is dangerous... Only offer the services to the outside like WEB and ftp, SMTP and nothing else.
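To check Olaf's point mechanically (an inbound connection that reached the server should show up under the "Public" policy class, an outbound one under "Private"), here is an added example, not code from the thread or from ProCurve: a small Python parser for the `show ip policy-sessions` table in the format pasted above. The sample table is constructed from the posted output and abbreviated.

```python
import re

# Constructed sample in the format of the "show ip policy-sessions" output
# posted in the thread (abbreviated; the addresses are the ones shown there).
SAMPLE = """\
Policy class "Private":
tcp (481) -> Public
192.168.0.100 2397 84.45.62.203 21 s 165.228.191.209 2397
udp (18) -> Public
192.168.0.224 32776 139.130.4.4 53 s 165.228.191.209 1025

Policy class "Public":

Policy class "self":
"""

CLASS_RE = re.compile(r'^Policy class "([^"]+)":$')
HEAD_RE = re.compile(r'^(\w+)\s+\((\d+)\)\s+->\s+(\S+)$')
# src, sport, dst, dport, flag column (shown as "s" in the posted table), nat ip, nat port
ROW_RE = re.compile(r'^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+\S+\s+(\S+)\s+(\d+)$')


def parse_policy_sessions(text):
    """Return {policy_class: [session dict, ...]} from the table text."""
    classes, current, head = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := CLASS_RE.match(line):
            current = m.group(1)
            classes[current] = []
        elif m := HEAD_RE.match(line):
            # protocol / TTL / destination policy-class line precedes each row
            head = {"proto": m.group(1), "ttl": int(m.group(2)), "to": m.group(3)}
        elif (m := ROW_RE.match(line)) and current is not None and head:
            classes[current].append({**head,
                "src": m.group(1), "sport": int(m.group(2)),
                "dst": m.group(3), "dport": int(m.group(4)),
                "nat_ip": m.group(5), "nat_port": int(m.group(6))})
            head = None
    return classes


def sessions_to_port(classes, policy_class, dport, proto="tcp"):
    """Sessions that entered via policy_class towards dport (e.g. inbound ftp)."""
    return [s for s in classes.get(policy_class, [])
            if s["proto"] == proto and s["dport"] == dport]


if __name__ == "__main__":
    table = parse_policy_sessions(SAMPLE)
    print("inbound ftp hits in Public:", len(sessions_to_port(table, "Public", 21)))
    print("outbound ftp from Private:", len(sessions_to_port(table, "Private", 21)))
```

An empty result for "Public" on port 21 after an outside ftp attempt means the connection never reached the router's policy engine (DNS or upstream problem), while a hit there that still fails points at the NAT destination or the server itself.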
Olaf Borowski
Respected Contributor

Re: Still having trouble with Procurve SR7102dl firewall router... Configuration help!!!

Andrew, I just noticed your questions, response inline...
1. Internal domain resolution using NAT loopback.
<< What NAT loopback? You have an internal DNS server that should do domain lookups locally. This DNS server should be the one announced from your DHCP server. For anything that is not in your local domain, configure the DNS to forward those requests to the "outside" DNS-server. This is typically an IP address provided by your service provider.>>>

2. External access to our web/dns/email/ftp server.
<>>

3. VPN access to the network from outside the network... (VPN Passthrough).
Question in earlier post...

4. Also possibly in the future, separating the office computers from a future training room computer using VLAN.
<>>
Olaf Borowski
Respected Contributor

Re: Still having trouble with Procurve SR7102dl firewall router... Configuration help!!!

Andrew, I thought about your problem some more last night. I think your problem is DNS. If I do a reverse lookup of the ADSL IP address and try to WEB to this DNS name, I get a message from the service provider that that address is shared. You need to get your DNS domain registered and pointed to your router. If you have a static IP address, no problem. You can use DNS providers like GoDaddy.com to achieve this. If it's dynamic, you have to use dyn-dns, which the router supports. Basically, when the router obtains an address, it dynamically registers this address with a public DNS server. You want people accessing your services (WEB, FTP, Mail, etc.) via a hostname, not IP address. So either ask your service provider for a static IP address (which will probably cost you more and sometimes it's included in "Business grade DSL") or use Dynamic DNS.
If you try yourself WEBing to the IP-address, it should work. WEBing to your hostname will not work.
Andrew Kececi
Occasional Advisor

Re: Still having trouble with Procurve SR7102dl firewall router... Configuration help!!!

Olaf...

You know I really do appreciate your assistance in my problem...

However I need to inform you, Olaf, that the ProCurve router is not what I have connected 100% of the time...

The reason for this is we have customers that are hosting their website off our webserver here and I cannot afford for any customer website to go down at any stage...

Olaf, I'm really sorry to have informed you of that... What you have been diagnosing is not the ProCurve, it's just a plain old D-Link router that does not do NAT Loopback, hence the need to upgrade to a more professional router, hence the ProCurve 7102dl.

I'm sorry my friend...

Perhaps I can keep the ProCurve connected for a period of time, however syncing that with your available time might be a little difficult...

Olaf, I do feel a little bad about not telling you this from the start; I hope you can forgive me...

Regards
Andrew Kececi