Cisco 877 Access List config

Posted on 2007-03-20
Last Modified: 2008-01-23
Hi,

We recently signed up with a new ADSL provider. As part of the service we are provided with 5 static IP addresses and a Cisco 877 modem/router. It is a managed solution and as such, I cannot configure the router myself. I have logged a service request but unfortunately there seems to be a communication/training gap. I'm not sure if I'm asking for the impossible or if the agent is misunderstanding me/has insufficient knowledge. Assume the NATing is set up correctly:

Firstly is the request below possible?

Secondly, can you supply me with the correct config data if possible?

1. Allow all outbound requests through. (It's a small company and cannot afford to worry about which outbound traffic is permitted or not)
2. Open inbound traffic to <external IP address 1> on port 3389
3. Open inbound traffic to <external IP address 2> on ports 25, 443, 3389
4. Open inbound traffic to <external IP address 3> on ports 443, 3389
Question by:virtualworks
Author Comment by virtualworks, ID: 18756442
from research on the web, would the correct way of doing this be:

permit ip any any
permit ip any host <external IP address 1>  eq 3389
permit ip any host <external IP address 2>  eq 25
permit ip any host <external IP address 2>  eq 443
permit ip any host <external IP address 2>  eq 3389
permit ip any host <external IP address 3>  eq 443
permit ip any host <external IP address 3>  eq 3389
Accepted Solution by batry_boy (earned 250 total points), ID: 18756506
interface FastEthernet0/1                   <---this will be your outside interface
 ip address <outside_IP_address> <netmask>
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 
interface FastEthernet0/0                   <---this will be your inside interface
 ip address <inside_IP_address> <netmask>
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside

ip nat inside source static <internal_IP_address_1> <external_IP_address_1>
ip nat inside source static <internal_IP_address_2> <external_IP_address_2>
ip nat inside source static <internal_IP_address_3> <external_IP_address_3>

access-list 101 permit tcp any host <external_IP_address_1> eq 3389
access-list 101 permit tcp any host <external_IP_address_2> eq 25
access-list 101 permit tcp any host <external_IP_address_2> eq 443
access-list 101 permit tcp any host <external_IP_address_2> eq 3389
access-list 101 permit tcp any host <external_IP_address_3> eq 443
access-list 101 permit tcp any host <external_IP_address_3> eq 3389

Note that this is very insecure since you're opening yourself up to port scans on these well known ports.  You should try to specify source ports in your access lists so that you don't have to open up these ports to the world.  However, in some environments this may not be feasible...just thought I would mention it.
Author Comment by virtualworks, ID: 18756739
Great. Thank you. Two things:

1. Will my internal staff be able to do anything they want on the internet with that setup? I don't have a spare machine I can setup as a proxy.

2. I have been supplied with 5 static IPs which I'll use for my servers. The normal workstations on the network will need to be NAT'ed at the router, I assume? Is that included in that config?
Expert Comment by rsivanandan, ID: 18761180
2, 3 and 4 are answered above by batry_boy; for the first one:

1. Allow all the inside users to go out the network; add this one as well;

ip nat inside source list 1 int fa0/1 overload

access-list 1 permit ip <inside_Network_Range> <WildCard Mask>

The above commands PAT all the inside-to-outside connections using the IP address that is assigned on interface FastEthernet 0/1.

Cheers,
Rajesh
Expert Comment by batry_boy, ID: 18761195
Both issues above can be taken care of by implementing PAT on the router.  You can do this by adding the following commands if you assume the following values:

Inside network : 192.168.1.0/24
Outside router interface : ethernet0

---------BEGIN COMMANDS--------
access-list 1 permit ip 192.168.1.0 255.255.255.0
ip nat inside source list 1 interface ethernet0 overload
---------END COMMANDS--------

You would still need to put in the commands from previous posts.  These last two commands are in addition to those.

Expert Comment by batry_boy, ID: 18761199
We're typing at the same time again, Rajesh!  ;-)
Expert Comment by rsivanandan, ID: 18761206
Yo Batry_boy, where are you from ? Seems like same time zone (I'm from India)

Cheers,
Rajesh
Expert Comment by batry_boy, ID: 18761306
I'm in the US, Central time zone...is it the start of the business day over there?
Expert Comment by rsivanandan, ID: 18761329
No, actually when I last typed it was 7.30 AM; I usually go to work at 10-10.30 AM :-)

Cheers,
Rajesh
Expert Comment by Alan Huseyin Kayahan, ID: 21640865
Hi guys,
   Looking around to confirm one thing; some configs and comments confirm me and some do not, like this one. I hope you are around to comment on it.
    Does the router run in stateful mode? I mean there is no permit for dynamically created ports 1024-65535 for return traffic to the overloaded interface IP in ACL 101. This would run only if the device is stateful and bypasses the ACLs for return traffic of locally originated traffic. Otherwise this config should affect connectivity just like it did in my Dynamips sim. Am I right?

Regards
Expert Comment by batry_boy, ID: 21641270
Yes, the router becomes stateful through the use of CBAC which is a feature of the IOS firewall feature set.
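The accepted configuration leaves one point implicit that Alan's question and the CBAC answer above pin down: ACL 101 is applied inbound on the outside interface and ends in the implicit deny, so replies to PAT'd outbound sessions (which arrive addressed to the interface IP on a high port) match nothing in it; only stateful inspection admits them, while the six static-NAT entries are reachable either way. The following Python model is an added example, not IOS code and not from anyone in this thread. It uses constructed RFC 5737 addresses in place of the thread's <external_IP_address_N> placeholders, and a toy port allocator and session set in place of the real NAT and CBAC tables.

```python
"""Toy model (added example, not IOS code) of the accepted ACL 101, the three
static NAT entries and the 'overload' PAT rule, with inspection switchable."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed placeholder addresses; the thread uses <external_IP_address_N>.
OUTSIDE_IF_IP = "203.0.113.10"                  # interface named in the 'overload' rule
STATIC_NAT = {                                  # ip nat inside source static <in> <out>
    "192.168.1.11": "203.0.113.11",
    "192.168.1.12": "203.0.113.12",
    "192.168.1.13": "203.0.113.13",
}
REVERSE_STATIC = {v: k for k, v in STATIC_NAT.items()}
INSIDE_NET = ip_network("192.168.1.0/24")        # access-list 1 (the PAT source list)

# access-list 101, in order; anything not listed hits the implicit deny.
ACL_101 = [
    ("tcp", "203.0.113.11", 3389),
    ("tcp", "203.0.113.12", 25),
    ("tcp", "203.0.113.12", 443),
    ("tcp", "203.0.113.12", 3389),
    ("tcp", "203.0.113.13", 443),
    ("tcp", "203.0.113.13", 3389),
]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def acl_101_permits(pkt: Packet) -> bool:
    """Top-down, first match wins; falling off the end is the implicit deny."""
    return any(pkt.proto == p and pkt.dst == d and pkt.dport == dp for p, d, dp in ACL_101)


class Router:
    def __init__(self, stateful: bool):
        self.stateful = stateful          # True models CBAC ('ip inspect') being applied
        self.pat = {}                     # (inside ip, inside port) -> outside port
        self.pat_rev = {}                 # outside port -> (inside ip, inside port)
        self.sessions = set()             # return 5-tuples the inspector will admit
        self.next_port = 1024             # toy allocator for overload ports

    def send_outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside: static NAT for the servers, PAT overload for everyone else."""
        if pkt.src in STATIC_NAT:
            out = Packet(pkt.proto, STATIC_NAT[pkt.src], pkt.sport, pkt.dst, pkt.dport)
        elif ip_address(pkt.src) in INSIDE_NET:
            key = (pkt.src, pkt.sport)
            if key not in self.pat:
                self.pat[key] = self.next_port
                self.pat_rev[self.next_port] = key
                self.next_port += 1
            out = Packet(pkt.proto, OUTSIDE_IF_IP, self.pat[key], pkt.dst, pkt.dport)
        else:
            return None                   # not in access-list 1: no translation (toy: drop)
        if self.stateful:
            # CBAC records the flow so the mirrored reply is let in past ACL 101.
            self.sessions.add((out.proto, out.dst, out.dport, out.src, out.sport))
        return out

    def receive_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside via 'ip access-group 101 in'; returns the untranslated packet or None."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        inspected = self.stateful and key in self.sessions
        if not inspected and not acl_101_permits(pkt):
            return None                   # implicit deny at the end of ACL 101
        if pkt.dst in REVERSE_STATIC:
            return Packet(pkt.proto, pkt.src, pkt.sport, REVERSE_STATIC[pkt.dst], pkt.dport)
        if pkt.dst == OUTSIDE_IF_IP and pkt.dport in self.pat_rev:
            in_ip, in_port = self.pat_rev[pkt.dport]
            return Packet(pkt.proto, pkt.src, pkt.sport, in_ip, in_port)
        return None                       # no translation owns this destination


def demo(stateful: bool) -> dict:
    """One workstation web request and its reply, plus two unsolicited inbound packets."""
    r = Router(stateful)
    req = r.send_outbound(Packet("tcp", "192.168.1.50", 40000, "198.51.100.5", 80))
    reply = r.receive_inbound(Packet("tcp", "198.51.100.5", 80, req.src, req.sport))
    https_to_host2 = r.receive_inbound(Packet("tcp", "198.51.100.9", 51000, "203.0.113.12", 443))
    smtp_to_host1 = r.receive_inbound(Packet("tcp", "198.51.100.9", 51001, "203.0.113.11", 25))
    return {
        "pat_src": (req.src, req.sport),          # what the web server sees as the client
        "reply_delivered_to": reply,              # None means ACL 101 dropped the reply
        "https_to_host2": https_to_host2,         # listed in ACL 101, reaches the server
        "smtp_to_host1": smtp_to_host1,           # not listed, implicit deny
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("stateful" if mode else "stateless", demo(mode))
```

Without inspection the reply to the workstation's request is dropped, which is exactly the broken connectivity Alan saw in his Dynamips lab; with it the reply is matched to the recorded session and untranslated back to 192.168.1.50:40000, while the unsolicited inbound packets are judged by ACL 101 alone in both modes. On IOS the stateful behaviour comes from the Classic Firewall (CBAC) pair `ip inspect name <name> tcp` plus `ip inspect <name> out` on the outside interface; the older non-stateful workaround, `permit tcp any any established`, only checks for the ACK or RST flag and so is a much weaker filter than inspection.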
Expert Comment by Alan Huseyin Kayahan, ID: 21641427
Thanks batry