
Cisco 877 Access List config

Hi,

We recently signed up with a new ADSL provider. As part of the service we are provided with 5 static IP addresses and a Cisco 877 modem/router. It is a managed solution and as such I cannot configure the router myself. I have logged a service request, but unfortunately there seems to be a communication/training gap. I'm not sure if I'm asking for the impossible or if the agent is misunderstanding me/has insufficient knowledge. Assume the NATting is set up correctly:

Firstly is the request below possible?

Secondly, can you supply me with the correct config data if possible?

1. Allow all outbound requests through. (It's a small company and cannot afford to worry about which outbound traffic is permitted or not.)
2. Open inbound traffic to <external IP address 1> on port 3389
3. Open inbound traffic to <external IP address 2> on ports 25, 443, 3389
4. Open inbound traffic to <external IP address 3> on ports 443, 3389
Asked by virtualworks
1 Solution
 
virtualworks (Author) commented:
from research on the web, would the correct way of doing this be:

permit ip any any
permit ip any host <external IP address 1> eq 3389
permit ip any host <external IP address 2> eq 25
permit ip any host <external IP address 2> eq 443
permit ip any host <external IP address 2> eq 3389
permit ip any host <external IP address 3> eq 443
permit ip any host <external IP address 3> eq 3389
 
batry_boy commented:
! outside interface
interface FastEthernet0/1
 ip address <outside_IP_address> <netmask>
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
!
! inside interface
interface FastEthernet0/0
 ip address <inside_IP_address> <netmask>
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside

ip nat inside source static <internal_IP_address_1> <external_IP_address_1>
ip nat inside source static <internal_IP_address_2> <external_IP_address_2>
ip nat inside source static <internal_IP_address_3> <external_IP_address_3>

access-list 101 permit tcp any host <external_IP_address_1> eq 3389
access-list 101 permit tcp any host <external_IP_address_2> eq 25
access-list 101 permit tcp any host <external_IP_address_2> eq 443
access-list 101 permit tcp any host <external_IP_address_2> eq 3389
access-list 101 permit tcp any host <external_IP_address_3> eq 443
access-list 101 permit tcp any host <external_IP_address_3> eq 3389

Note that this is very insecure, since you're opening yourself up to port scans on these well-known ports. You should try to specify source ports in your access lists so that you don't have to open up these ports to the world. However, in some environments this may not be feasible... just thought I would mention it.
 
virtualworks (Author) commented:
Great. Thank you. Two things:

1. Will my internal staff be able to do anything they want on the internet with that setup? I don't have a spare machine I can setup as a proxy.

2. I have been supplied with 5 static IPs which I'll use for my servers. The normal workstations on the network will need to be NAT'ed at the router, I assume? Is that included in that config?
 
rsivanandan commented:
2, 3 and 4 are answered above by batry_boy; for the first one:

1. Allow all the inside users to go out of the network; add this as well:

ip nat inside source list 1 interface FastEthernet0/1 overload

access-list 1 permit <inside_Network_Range> <WildCard Mask>

The above commands PAT all the inside-to-outside connections using the IP address that is assigned on interface FastEthernet0/1.

Cheers,
Rajesh
 
batry_boy commented:
Both issues above can be taken care of by implementing PAT on the router. You can do this by adding the following commands, assuming the following values:

Inside network : 192.168.1.0/24
Outside router interface : ethernet0

---------BEGIN COMMANDS--------
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface ethernet0 overload
---------END COMMANDS--------

You would still need to put in the commands from previous posts. These last two commands are in addition to those.

batry_boy commented:
We're typing at the same time again, Rajesh! ;-)
 
rsivanandan commented:
Yo batry_boy, where are you from? Seems like the same time zone (I'm from India).

Cheers,
Rajesh

batry_boy commented:
I'm in the US, Central time zone... is it the start of the business day over there?
 
rsivanandan commented:
No, actually when I last typed it was 7:30 AM; I usually go to work at 10-10:30 AM :-)

Cheers,
Rajesh

Alan Huseyin Kayahan commented:
Hi guys,
   Looking around to confirm one thing; some configs and comments confirm this for me and some don't, like this one. I hope you are around to comment on it.
    Does the router run in stateful mode? I mean there is no permit for dynamically created ports 1024-65535 for return traffic to the overloaded interface IP in ACL 101. This would only work if the device is stateful and bypasses the ACLs for return traffic of locally originated traffic. Otherwise this config should affect connectivity, just like it did in my Dynamips sim. Am I right?

Regards

batry_boy commented:
Yes, the router becomes stateful through the use of CBAC which is a feature of the IOS firewall feature set.
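Pulling the thread together, here is a complete IOS configuration for the scenario, written as an added example rather than taken from any of the posters. It combines batry_boy's inbound ACL and static NAT, Rajesh's PAT for the workstations, and the CBAC inspection that batry_boy says makes the router stateful (the posted snippets never showed the inspect statements, and without them ACL 101 drops the return traffic Alan asked about). The 192.168.1.0/24 inside network, the 203.0.113.x public addresses, the inspection rule name FW and the interface names are assumptions; on an 877 the DSL uplink is normally an ATM/Dialer interface, so substitute the real WAN interface for FastEthernet0/1.

```cisco
! Added example, not from the thread. Assumed values: inside 192.168.1.0/24,
! public block 203.0.113.8/29 with .11-.13 for the servers, inspect rule "FW".
!
! CBAC (IOS Firewall feature set): sessions that start on the inside get
! temporary openings created ahead of ACL 101 for their return traffic,
! which is why no "permit ... range 1024 65535" is needed in the ACL.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
interface FastEthernet0/0
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface FastEthernet0/1
 description Outside (ISP) - replace with the 877's real WAN interface
 ip address 203.0.113.10 255.255.255.248
 ip access-group 101 in
 ip inspect FW out
 ip verify unicast reverse-path
 ip nat outside
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! Static 1:1 NAT for the three published servers
ip nat inside source static 192.168.1.11 203.0.113.11
ip nat inside source static 192.168.1.12 203.0.113.12
ip nat inside source static 192.168.1.13 203.0.113.13
!
! PAT for the workstations: everything else leaves using the outside interface IP.
! Standard ACLs take a wildcard mask (0.0.0.255), not a subnet mask.
access-list 1 remark Inside hosts allowed out via PAT
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/1 overload
!
! Inbound filter on the outside interface. It is evaluated before the
! outside-to-inside NAT translation, so it must match the public addresses.
access-list 101 remark Published services, inbound from the Internet
access-list 101 permit tcp any host 203.0.113.11 eq 3389
access-list 101 permit tcp any host 203.0.113.12 eq 25
access-list 101 permit tcp any host 203.0.113.12 eq 443
access-list 101 permit tcp any host 203.0.113.12 eq 3389
access-list 101 permit tcp any host 203.0.113.13 eq 443
access-list 101 permit tcp any host 203.0.113.13 eq 3389
access-list 101 deny   ip any any log
```

To check it is behaving as intended, browse out from a workstation and confirm a session appears in `show ip inspect sessions` and a translation in `show ip nat translations`, then connect to one of the published ports from outside and watch the hit counters in `show access-lists 101`; anything hitting the final deny shows up in the log. Where the remote-desktop clients come from a known address, replacing `any` with `host <client_ip>` on the 3389 lines is the practical way to stop exposing RDP to the whole Internet.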
 
Alan Huseyin Kayahan commented:
Thanks, batry.