I understand the 1 question per post rule. I generally try to abide. I could
not see posting this multiple times due to the size.
If you don't mind the reading / understand Cisco configuration better than I
do and feel like offering some input (especially with the VPN configuration),
please do.
Thanks - Chris -
-------------------------------------------
Ok, I will be the first to tell you that I do not have "Real World"
experience with Cisco routers. I did take CCNA 1-4 in school several years
ago, and honestly, forget most of it due to no use. So I'm one of those "do
more damage" kind of people.
Tomorrow (August 8th, 2008) I will be putting the router to the test for a few
hours. This test will be to make sure outbound connectivity is there and
hopefully find out if Exchange still works and PPTP to Windows still works.
Our IPs have changed with this service - meaning I have one month's grace
before I switch services.
Concerns:
VPN -> I can connect to the VPN server and obtain an IP, but no gateway is
displayed (no connectivity).
VPN -> Not sure if you can set VPN security policies (ACLs) per user. See
additional notes in the next section.
Servers -> Are things set up to allow connections properly with NAT to our
server and their services?
DHCP -> Do I need to forward DHCP, since it's handled by Windows Server?
Any advice would be great.
----------------------------------------------------------------
Internal Servers
Windows 2003 Small Business Server IP: 10.0.0.15 / VPN on 10.0.0.19 I believe!
AD configured as mydomain.local
DNS requests are forwarded to ISP
SBS Exchange - using webmail with SSL certificate (port 443)
SBS VPN (PPTP) being used as the VPN solution for staff.
Additional Notes:
- Replacing the Cisco 800 router owned by the ISP (no configurable options)
with the 871w that we purchased.
- Changed DSL package to static, 5 IPs, no PPP.
- We are replacing a SOHO Watchguard with the Cisco 871w because it's dying.
- The Watchguard has 5 VPN licenses, only 1 in use, with an external client who
gets the IP 10.0.0.249. The client connects, and this allows us to send
invoices/purchase orders to their line printer.
* This functionality needs to be set up on the Cisco 871w. I would like to
see 1-way communication, so the client could not access local resources.
--------------------------------------------------------------------
External DNS
* all addresses are examples
IN A <isp IP>
www IN A <isp IP>
ftp IN A <isp IP>
remote IN A 192.168.100.230
remote1 IN A 172.16.0.139 ** Added to point to 1 new static IP
webmail IN A 192.168.100.230
IN MX 10 remote.domainname.com.
IN MX 15 remote1.domainname.com. ** Added
pop3 IN CNAME <ISP hostname>
smtp IN CNAME remote.domainname.com.
Additional switch will be: webmail will point to 172.16.0.140
MX 15 will replace MX 10 when service is finally switched
--------------------------------------------------------------------------
Running-Config
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Zesta
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 <passwrd>
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime -4
clock summer-time PCTime date Apr 6 2003 2:00 Oct 12 2003 12:00
!
crypto pki trustpoint TP-self-signed-1965494646
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1965494646
revocation-check none
rsakeypair TP-self-signed-1965494646
!
!
crypto pki certificate chain TP-self-signed-1965494646
certificate self-signed 01
.... key here....
quit
dot11 syslog
no ip source-route
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
ip domain name scotiangold.com
ip name-server 10.0.0.15
ip name-server <ISP DNS>
!
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type regex sdm-regex-nonascii
pattern [^\x00-\x80]
!
!
username <username> privilege 15 secret 5 <passwd>
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group ITStaff
key <pre-share key>
dns 10.0.0.15
wins 10.0.0.15
domain mydomain.local
pool SDM_POOL_1
acl 100
split-dns mydomain.local
max-users 3
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group ITStaff
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect smtp match-any sdm-app-smtp
match data-length gt 5000000
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect http match-any sdm-app-nonascii
match req-resp header regex sdm-regex-nonascii
class-map type inspect match-all sdm-nat-smtp-1
match access-group 103
match protocol smtp
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect imap match-any sdm-app-imap
match invalid-command
class-map type inspect match-any sdm-cls-insp-traffic
match protocol dns
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-all sdm-protocol-pop3
match protocol pop3
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect pop3 match-any sdm-app-pop3
match invalid-command
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 102
class-map type inspect http match-any sdm-http-blockparam
match request port-misuse im
match request port-misuse p2p
match request port-misuse tunneling
match req-resp protocol-violation
class-map type inspect match-all sdm-protocol-im
match class-map sdm-cls-protocol-im
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 101
class-map type inspect http match-any sdm-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method post
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect match-all sdm-protocol-smtp
match protocol smtp
class-map type inspect match-all sdm-nat-https-1
match access-group 104
match protocol https
class-map type inspect match-all sdm-protocol-imap
match protocol imap
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-smtp-1
inspect
class type inspect sdm-nat-https-1
inspect
class class-default
policy-map type inspect http sdm-action-app-http
class type inspect http sdm-http-blockparam
log
reset
class type inspect http sdm-app-httpmethods
log
reset
class type inspect http sdm-app-nonascii
log
reset
class class-default
policy-map type inspect smtp sdm-action-smtp
class type inspect smtp sdm-app-smtp
reset
class class-default
policy-map type inspect imap sdm-action-imap
class type inspect imap sdm-app-imap
log
reset
class class-default
policy-map type inspect pop3 sdm-action-pop3
class type inspect pop3 sdm-app-pop3
log
reset
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-protocol-http
inspect
service-policy http sdm-action-app-http
class type inspect sdm-protocol-smtp
inspect
service-policy smtp sdm-action-smtp
class type inspect sdm-protocol-imap
inspect
service-policy imap sdm-action-imap
class type inspect sdm-protocol-pop3
inspect
service-policy pop3 sdm-action-pop3
class type inspect sdm-protocol-im
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect SDM-Voice-permit
inspect
class class-default
pass
policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class type inspect sdm-access
inspect
class class-default
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
!
zone security ezvpn-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
interface Loopback0
description $FW_INSIDE$ !Used for VPN Unnumbered Interface
ip address 192.168.12.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security in-zone
ip route-cache flow
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address 172.16.0.138 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
description Loopback for EasyVPN Server - Arbitrary Network$FW_INSIDE$
ip unnumbered Loopback0
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security ezvpn-zone
ip route-cache flow
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.0.0.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.15.10 192.168.15.22
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 10.0.0.15 25 172.16.0.139 25 extendable
ip nat inside source static tcp 10.0.0.15 443 172.16.0.140 80 extendable
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_IP
remark SDM_ACL Category=1
permit ip any any
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=1
permit tcp any any eq 22
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip 172.16.0.136 0.0.0.7 any !Gateway to ISP
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.12.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip any any
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 10.0.0.15
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 10.0.0.15
no cdp run
!
!
!
control-plane
!
banner exec ^C
....
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
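A few of the questions above (is management of the router locked down, is the NAT publishing what the DNS records expect, how strong is the IKE policy) can be answered by reading the posted text itself rather than by logging into the box. The script below is an added example written for this page; it is not code from the poster, from Cisco, or from SDM. It reads an IOS running-config as plain text and reports on points that are visible in the posted config: `transport input telnet ssh` on the VTY lines, `ip http server` enabled next to `ip http secure-server`, `ip http access-class 23` where no `access-list 23` appears anywhere in the posted config, `access-list 102 permit ip any any` being the source match inside the `sdm-access` class-map (the out-zone to self policy), the static NAT that publishes inside port 443 on outside port 80, and the `3des` / `group 2` IKE policy. The embedded config is an excerpt of the posted one; the check names, the `audit` / `checks_triggered` functions and the block-detection heuristic are mine, and the script assumes Python 3.8+ with the standard library only.

```python
"""Static hardening audit of a Cisco IOS running-config, read as plain text.

Added example for this thread (not the poster's, Cisco's or SDM's code).
It needs no router access: it reads the config text and reports lines that
deserve a second look.  Assumes Python 3.8+, standard library only.
"""
import re
from typing import Dict, List

# Excerpt of the running-config posted above, trimmed to the lines these
# checks look at.  Nothing here is invented; it is a subset of the posted text.
POSTED_CONFIG = """\
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 102
ip nat inside source static tcp 10.0.0.15 25 172.16.0.139 25 extendable
ip nat inside source static tcp 10.0.0.15 443 172.16.0.140 80 extendable
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip any any
line vty 0 4
privilege level 15
transport input telnet ssh
"""

# The posted config lost its indentation in transit, so "inside block X" is
# approximated as "after the most recent block-opening line".  That is
# enough here because the keywords checked only occur as children of these blocks.
BLOCK_OPENERS = ("line ", "crypto isakmp policy ", "class-map ")

# IKE settings that current guidance treats as weak (single/3DES, DH groups 1 and 2).
WEAK_IKE = {"encr des", "encr 3des", "group 1", "group 2"}


def parse_lines(text: str) -> List[str]:
    """Return the config as stripped, non-empty, non-comment lines, in order."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.strip().startswith("!")]


def _finding(check: str, line: str, advice: str) -> Dict[str, str]:
    return {"check": check, "line": line, "advice": advice}


def audit(text: str) -> List[Dict[str, str]]:
    """Run the hardening checks over a config and return one dict per finding."""
    lines = parse_lines(text)
    findings: List[Dict[str, str]] = []

    # Numbered ACLs that exist at all, and those containing "permit ip any any".
    defined, permit_any = set(), set()
    for line in lines:
        m = re.match(r"access-list (\d+) (.*)", line)
        if m:
            defined.add(m.group(1))
            if m.group(2) == "permit ip any any":
                permit_any.add(m.group(1))

    block = ""
    for line in lines:
        if line.startswith(BLOCK_OPENERS):
            block = line

        # Cleartext management on the VTY lines.
        if block.startswith("line vty") and line.startswith("transport input") \
                and "telnet" in line.split():
            findings.append(_finding("vty-telnet", line,
                "restrict to 'transport input ssh' so logins are never cleartext"))

        # Plain-HTTP management server alongside the HTTPS one.
        if line == "ip http server":
            findings.append(_finding("http-server", line,
                "disable with 'no ip http server'; keep 'ip http secure-server'"))

        # Management ACL referenced but never defined in the config.
        m = re.match(r"ip http access-class (\d+)$", line) or \
            (block.startswith("line ") and re.match(r"access-class (\d+) in", line))
        if m and m.group(1) not in defined:
            findings.append(_finding("acl-undefined", line,
                f"access-list {m.group(1)} is referenced but not defined; "
                "define it before relying on it"))

        # Class-map whose source match admits any address (used for router access).
        m = re.match(r"match access-group (\d+)$", line)
        if block.startswith("class-map") and m and m.group(1) in permit_any:
            findings.append(_finding("mgmt-acl-any", f"{block} / {line}",
                f"access-list {m.group(1)} permits ip any any; limit management "
                "sources to known addresses"))

        # Static PAT that changes the port number: confirm it is intentional.
        m = re.match(r"ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+)", line)
        if m and m.group(2) != m.group(4):
            findings.append(_finding("nat-port-mismatch", line,
                f"inside {m.group(1)}:{m.group(2)} is published as "
                f"{m.group(3)}:{m.group(4)}; verify this is the port DNS and clients expect"))

        # IKE policy strength.
        if block.startswith("crypto isakmp policy") and line in WEAK_IKE:
            findings.append(_finding("ike-weak", f"{block} / {line}",
                "prefer AES and a DH group of 14 or higher"))

    return findings


def checks_triggered(text: str) -> List[str]:
    """Sorted, de-duplicated names of the checks that fired."""
    return sorted({f["check"] for f in audit(text)})


if __name__ == "__main__":
    for f in audit(POSTED_CONFIG):
        print(f"[{f['check']}] {f['line']}\n    -> {f['advice']}")
```

Run against the full posted config (paste it into `POSTED_CONFIG` or read it from a file), the same six checks fire; on a config with `transport input ssh`, no `ip http server`, a defined management ACL and an AES / group 14 IKE policy, `audit` returns an empty list, which is the state to aim for before the cut-over test.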