Access List/Security Question for Cisco 831 Router

Hello,

I am trying to configure a Cisco 831 to act as a router for a web server.  There is only one external Global IP.  I am trying to set up a very secure access list that works well.  So far, I have managed to get it to connect, but I require help with the following two points:

I need the internal IP address 10.10.10.50 set up with port forwarding for 683 (ftp), 80 (http) and 443 (SSL).
I also need 10.10.10.100 set up with port 6881 forwarded.

If possible, I would also like to do some packet scanning and implement the firewall to try and increase security.  Could anyone help me with the config?  I would be very grateful.

Thanks very much,

civic86
Genexen commented:
First step is to set your NAT points:

 interface s0
  ip nat outside

 interface e0
  ip nat inside

Then create your mappings for port forwarding to each LAN host (s0 is your external interface or dialer); each static entry needs the local port and the global port:

 ip nat inside source static tcp 10.10.10.50 80 interface s0 80
 ip nat inside source static tcp 10.10.10.50 683 interface s0 683
 ip nat inside source static tcp 10.10.10.50 443 interface s0 443
 ip nat inside source static tcp 10.10.10.100 6881 interface s0 6881

Then create your access-lists.

 access-list 111 permit ip any 10.10.10.50 eq 683
 access-list 111 permit ip any 10.10.10.50 eq 80
 access-list 111 permit ip any 10.10.10.50 eq 443
 access-list 111 permit ip any 10.10.10.100 eq 6881

Then apply your access list to the interface

 interface s0
  ip access-group 111 in (if you're applying to a dialer, OR...)
  ip access-list 111 in (if you're applying to an interface)

Double check my syntax, been a while since I've worked on IOS.

PennGwyn commented:
> access-list 111 permit ip any 10.10.10.50 eq 683
> access-list 111 permit ip any 10.10.10.50 eq 80
> access-list 111 permit ip any 10.10.10.50 eq 443
> access-list 111 permit ip any 10.10.10.100 eq 6881

Should be:

access-list 111 permit tcp any host 10.10.10.50 eq 683
access-list 111 permit tcp any host 10.10.10.50 eq 80
access-list 111 permit tcp any host 10.10.10.50 eq 443
access-list 111 permit tcp any host 10.10.10.100 eq 6881

For each source and destination, you need one of
  any
  <address> <wildcard-mask>
  host <address>

Also, it's

interface <x>
 ip access-group 111 in

for any kind of interface, not just a dialer.

Odds are that you'll want to expand on this list in various ways.  

1. There are a variety of bogus source addresses from which you will never see legitimate traffic.  Here's the list I use:

access-list 111 deny ip host 0.0.0.0 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 169.254.0.0 0.0.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 deny ip 224.0.0.0 31.255.255.255 any

2. There may be other traffic you'd like to allow (access lists get an implied "deny ip any any" appended at the end, so anything you don't list will be blocked).  You can get the vast majority of what you want by inserting

access-list 111 permit tcp any any established

ahead of the specific forwarded ports.  (Note that this is not terrifically secure.  You'd be much better off with a true stateful firewall for this job, but that's not what access lists provide.)
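As an added illustration (not code from the thread or from IOS), a small Python first-match evaluator for the kind of numbered ACL PennGwyn describes: bogon denies ahead of "permit tcp any any established", then the per-host permits, with the implicit deny at the end. The ACL_111 list and the packets are constructed samples; only the ports and hosts come from the thread, and the parser covers just the keyword forms used there.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst dport proto ack", defaults=("tcp", False))  # ack: ACK/RST bit set

def addr_match(addr, spec):
    """IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z' (wildcard: 1 bits ignored)."""
    if spec == "any":
        return True
    kind, value = spec.split()
    if kind == "host":
        return addr == value
    net, wild = (int(ipaddress.IPv4Address(x)) for x in (kind, value))
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)

def parse_entry(line):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT] [established]'."""
    t = line.split()
    action, proto, i, specs = t[2], t[3], 4, []
    for _ in range(2):                      # source spec, then destination spec
        n = 1 if t[i] == "any" else 2       # 'any' is one token; host/wildcard forms are two
        specs.append(" ".join(t[i:i + n]))
        i += n
    rest = t[i:]                            # only the qualifiers used in the thread
    established = "established" in rest
    port = int(rest[rest.index("eq") + 1]) if "eq" in rest else None
    return action, proto, specs[0], specs[1], port, established

def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends in an implicit 'deny ip any any'."""
    for line in acl:
        action, proto, src, dst, port, est = parse_entry(line)
        if (proto not in ("ip", pkt.proto)
                or not (addr_match(pkt.src, src) and addr_match(pkt.dst, dst))
                or (port is not None and pkt.dport != port)
                or (est and not pkt.ack)):  # "established" needs ACK or RST set
            continue
        return action
    return "deny"

# Constructed sample: a subset of the thread's entries, in the order PennGwyn suggests.
ACL_111 = [
    "access-list 111 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 111 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 111 permit tcp any any established",
    "access-list 111 permit tcp any host 10.10.10.50 eq 80",
    "access-list 111 permit tcp any host 10.10.10.100 eq 6881",
]
```

Running a SYN to 10.10.10.50:22 through it gives "deny" (implicit), while the same packet with the ACK bit set gives "permit" via the established entry, which is the weakness PennGwyn mentions. Note also that IOS checks an inbound access list on the outside interface before the outside-to-inside NAT translation, so on s0 the destination it sees is the global address rather than 10.10.10.50; the evaluator simply matches whatever addresses the entries name.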