Ns Server Firewalled...can't "add Server"

SandTyger Join Date: 2002-11-02 Member: 3868Members
edited January 2003 in General Server Discussion
Almost there, but not quite.

I've been working on setting up my NS Server on the T1 I have.

In order to provide protection, I'm placing it behind my firewall as well.

So...

Here's what my situation looks like and the problem I'm having.

External IP -forwarded to- Internal IP...in this case.

204.244.10.164 -> 10.10.100.3

Firewall is set up to deny all port connections that are less than 1500 (on both TCP and UDP), and allow all others. (Including ICMP, for pinging). (I know, it's still fairly open, but I'm still working on troubleshooting this... I know I need 27100-27125 UDP open, and 7002 TCP open...but other than that....)

1) The server does function and it can be connected to, BUT, only by direct connection, GameSpy (can ping), or GameTiger (can ping) (haven't tested others).
2) If you attempt to retrieve a list from inside NS, the server does not show up on list.
3) If you attempt to "Add Server" from inside NS, the server does not show up on list. (using 204.244.10.164:27015)

The server will be running today if you want to try connecting to it to assist me in troubleshooting.

I'm grateful for any assistance or suggestions that you can offer, but I'm outta ideas.

(HW Summary)
Cisco PIX 515
P3 933 w/ 384mb
T1 connection

(Cisco Config Snippets) UPDATED
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)

Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol h323 h225 1720
names
access-list 150 permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 204.244.10.164 gt 1501
access-list acl_out permit udp any host 204.244.10.164 gt 1501
access-list acl_out deny tcp any host 204.244.10.164 lt 1500
access-list acl_out deny udp any host 204.244.10.164 lt 1500
pager lines 23
logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 204.244.10.163 255.255.255.248
ip address inside 10.10.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool mypool 192.168.0.1-192.168.0.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (outside) 1 204.244.10.166 netmask 255.255.255.255
nat (inside) 0 access-list 150
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 204.244.10.164 10.10.100.3 dns netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 204.244.10.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable

interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0004.2746.5786
IP address 204.244.10.163, subnet mask 255.255.255.248
MTU 1500 bytes, BW 100000 Kbit full duplex
355608 packets input, 323074627 bytes, 0 no buffer
Received 850 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
280907 packets output, 51007485 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/19)
output queue (curr/max blocks): hardware (0/8) software (0/5)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0004.2746.5787
IP address 10.10.1.1, subnet mask 255.255.0.0
MTU 1500 bytes, BW 100000 Kbit full duplex
300164 packets input, 52601111 bytes, 0 no buffer
Received 15261 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
350427 packets output, 320846832 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/8)
output queue (curr/max blocks): hardware (1/12) software (0/6)
CURRENT AS OF:
Jan 8, 17:26pm

Comments

  • cracker_jackmac Join Date: 2002-11-04 Member: 6891Members, Constellation, Reinforced - Shadow
    I'm still a CCNA in training so to be safe, I don't want to suggest anything about the actual router config.

    but i can say you need ports 6003 and 7002 TCP to be forwarded to the server.

    It appears that you are forwarding everything except ports <1500 to it anyway, so I'm not sure if that's the problem.

    have you tried connecting to the server from home? because HL browser is flaking with my computer too.
  • SandTyger Join Date: 2002-11-02 Member: 3868Members
    > I'm still a CCNA in training so to be safe, I don't want to suggest anything about the actual router config.
    >
    > but I can say you need ports 6003 and 7002 TCP to be forwarded to the server.
    >
    > It appears that you are forwarding everything except ports <1500 to it anyway, so I'm not sure if that's the problem.
    >
    > have you tried connecting to the server from home? because HL browser is flaking with my computer too.

    Not a router, just a PIX. I'm open to suggestions. I'm also very careful about backing up my config...so I can experiment quite a bit.

    6003 as well eh? Hmm...good to know.

    I can connect to it from home....you should be able to connect to it right now if you tried.
  • Zdrone Join Date: 2002-11-02 Member: 3914Members, Constellation
    can you (after careful editing) post your pix config?

    I have a 501, 515 and 525 I can play with to look at it.

    I've never tried firewalling my systems as for me it's more trouble than it's worth, and it only takes me 15 minutes or so to rebuild everything (I have an image of the HD).

    I have plenty of Cisco gear to test things on if anyone has questions (I'm a network engineer).
  • SandTyger Join Date: 2002-11-02 Member: 3868Members
    edited January 2003
    Fixed now...thanx for advising me of the 6003 port!

    -Brendan

    (BTW, if you're having problems with adding a server to your list in NS, uncheck all your filters and try again.)
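To check a PIX ACL like the one posted above against the port list the thread settles on (27015 UDP, 27100-27125 UDP, 7002 TCP, 6003 TCP), here is an added Python example; it is not from the thread or from Cisco. It parses the five `acl_out` lines copied from the config, applies first-match semantics with the PIX's implicit deny (which is why ports 1500 and 1501 fall through neither `gt 1501` nor `lt 1500`), and also emits a tighter, port-specific ACL in the same syntax. It only handles ACEs with an `any` source, which is all the posted config uses.

```python
import re

# Outside-interface ACL lines copied from the PIX config posted in the thread.
ACL_TEXT = """
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 204.244.10.164 gt 1501
access-list acl_out permit udp any host 204.244.10.164 gt 1501
access-list acl_out deny tcp any host 204.244.10.164 lt 1500
access-list acl_out deny udp any host 204.244.10.164 lt 1500
"""
SERVER = "204.244.10.164"
# Ports the thread says the NS server needs reachable from the outside.
REQUIRED = [("udp", 27015), ("tcp", 7002), ("tcp", 6003)] + \
           [("udp", p) for p in range(27100, 27126)]
ACE_RE = re.compile(
    r"access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+any\s+(?:host\s+(\S+)|any)"
    r"(?:\s+(eq|gt|lt|range)\s+(\d+)(?:\s+(\d+))?)?$")

def parse_acl(text):
    aces = []  # (action, proto, dst, op, p1, p2) tuples in config order
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m: raise ValueError("unsupported ACE: " + line)
        _, action, proto, dst, op, p1, p2 = m.groups()
        aces.append((action, proto, dst or "any", op,
                     int(p1) if p1 else None, int(p2) if p2 else None))
    return aces

def ace_matches(ace, proto, dst, port):
    _, aproto, adst, op, p1, p2 = ace
    if aproto not in ("ip", proto) or adst not in ("any", dst): return False
    return (op is None or (op == "eq" and port == p1) or (op == "gt" and port > p1)
            or (op == "lt" and port < p1) or (op == "range" and p1 <= port <= p2))

def evaluate(aces, proto, dst, port):
    for ace in aces:  # first matching ACE wins
        if ace_matches(ace, proto, dst, port):
            return ace[0]
    return "deny (implicit)"  # the PIX drops what matches no ACE

def least_privilege_acl(name, dst=SERVER, required=REQUIRED):
    """PIX ACEs that open only the required ports, consecutive ports as a range."""
    lines = [f"access-list {name} permit icmp any host {dst}"]
    for proto in ("tcp", "udp"):
        runs = []  # [lo, hi] runs of consecutive port numbers
        for n in sorted(n for p, n in required if p == proto):
            if runs and n == runs[-1][1] + 1: runs[-1][1] = n
            else: runs.append([n, n])
        for lo, hi in runs:
            spec = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
            lines.append(f"access-list {name} permit {proto} any host {dst} {spec}")
    return lines
```

Running `evaluate(parse_acl(ACL_TEXT), "udp", SERVER, 1500)` returns the implicit deny, while every port in REQUIRED is permitted by both the posted ACL and the generated one.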