Solved

Cisco 877 Access List config

Posted on 2007-03-20
1,159 Views
Last Modified: 2008-01-23
Hi,

We recently signed up with a new ADSL provider. As part of the service we are provided with 5 static IP addresses and a Cisco 877 modem/router. It is a managed solution and as such, I cannot configure the router myself. I have logged a service request but unfortunately there seems to be a communication/training gap. I'm not sure if I'm asking for the impossible or if the agent is misunderstanding me/has insufficient knowledge. Assume the NATing is set up correctly:

Firstly is the request below possible?

Secondly, can you supply me with the correct config data if possible?

1. Allow all outbound requests through. (It's a small company and cannot afford to worry about which outbound traffic is permitted or not)
2. Open inbound traffic to <external IP address 1>  on port 3389
3. Open inbound traffic to <external IP address 2> on ports 25, 443, 3389
4. Open inbound traffic to <external IP address 3> on ports 443, 3389
Question by:virtualworks
12 Comments
 

Author Comment

by:virtualworks
ID: 18756442
from research on the web, would the correct way of doing this be:

permit ip any any
permit ip any host <external IP address 1>  eq 3389
permit ip any host <external IP address 2>  eq 25
permit ip any host <external IP address 2>  eq 443
permit ip any host <external IP address 2>  eq 3389
permit ip any host <external IP address 3>  eq 443
permit ip any host <external IP address 3>  eq 3389
LVL 28

Accepted Solution

by:
batry_boy earned 1000 total points
ID: 18756506
interface FastEthernet0/1                   <---this will be your outside interface
 ip address <outside_IP_address> <netmask>
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 
interface FastEthernet0/0                   <---this will be your inside interface
 ip address <inside_IP_address> <netmask>
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside

ip nat inside source static <internal_IP_address_1> <external_IP_address_1>
ip nat inside source static <internal_IP_address_2> <external_IP_address_2>
ip nat inside source static <internal_IP_address_3> <external_IP_address_3>

access-list 101 permit tcp any host <external_IP_address_1> eq 3389
access-list 101 permit tcp any host <external_IP_address_2> eq 25
access-list 101 permit tcp any host <external_IP_address_2> eq 443
access-list 101 permit tcp any host <external_IP_address_2> eq 3389
access-list 101 permit tcp any host <external_IP_address_3> eq 443
access-list 101 permit tcp any host <external_IP_address_3> eq 3389

Note that this is very insecure since you're opening yourself up to port scans on these well known ports.  You should try to specify source ports in your access lists so that you don't have to open up these ports to the world.  However, in some environments this may not be feasible...just thought I would mention it.

Author Comment

by:virtualworks
ID: 18756739
Great. Thank you. Two things:

1. Will my internal staff be able to do anything they want on the internet with that setup? I don't have a spare machine I can set up as a proxy.

2. I have been supplied with 5 static IPs which I'll use for my servers. The normal workstations on the network will need to be NAT'ed at the router, I assume? Is that included in that config?
LVL 32

Expert Comment

by:rsivanandan
ID: 18761180
2, 3 and 4 are answered above by batry_boy; for the first one:

1. Allow all the inside users to go out the network; add this one as well;

ip nat inside source list 1 int fa0/1 overload

! standard ACL (1-99): source network followed by its wildcard mask, no "ip" keyword
access-list 1 permit <inside_Network_Range> <WildCard_Mask>

The above commands PAT all the inside-to-outside connections using the IP address that is assigned on interface FastEthernet 0/1.

Cheers,
Rajesh
LVL 28

Expert Comment

by:batry_boy
ID: 18761195
Both issues above can be taken care of by implementing PAT on the router.  You can do this by adding the following commands if you assume the following values:

Inside network : 192.168.1.0/24
Outside router interface : ethernet0

---------BEGIN COMMANDS--------
! standard ACL: network then wildcard mask; 0.0.0.255 covers 192.168.1.0/24
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface ethernet0 overload
---------END COMMANDS--------

You would still need to put in the commands from previous posts.  These last two commands are in addition to those.

LVL 28

Expert Comment

by:batry_boy
ID: 18761199
We're typing at the same time again, Rajesh!  ;-)
LVL 32

Expert Comment

by:rsivanandan
ID: 18761206
Yo Batry_boy, where are you from ? Seems like same time zone (I'm from India)

Cheers,
Rajesh
LVL 28

Expert Comment

by:batry_boy
ID: 18761306
I'm in the US, Central time zone...is it the start of the business day over there?
LVL 32

Expert Comment

by:rsivanandan
ID: 18761329
No, actually when I last typed it was 7.30 AM; I usually go to work at 10-10.30 AM :-)

Cheers,
Rajesh
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 21640865
Hi guys,
Looking around to confirm one thing; some configs and comments confirm me and some do not, like this one. I hope you are around to comment on it.
Does the router run in stateful mode? I mean there is no permit for dynamically created ports 1024-65535 for return traffic to the overloaded interface IP in ACL 101. This would work only if the device is stateful and bypasses the ACLs for return traffic of locally originated traffic. Otherwise this config should affect connectivity just like it did in my Dynamips sim. Am I right?

Regards
LVL 28

Expert Comment

by:batry_boy
ID: 21641270
Yes, the router becomes stateful through the use of CBAC which is a feature of the IOS firewall feature set.
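
Added example, not from the thread: a small Python model of how the accepted answer's inbound ACL 101 is evaluated (top-down, first match, implicit deny) and why, as the CBAC exchange above says, replies to inside-originated flows only get back in when the router tracks sessions. It also shows standard-ACL wildcard matching for the PAT access-list 1. The 203.0.113.x and 198.51.100.x addresses are constructed placeholders for the thread's <external_IP_address_N> and arbitrary Internet hosts.

```python
"""Model of ACL 101 evaluation plus CBAC-style session tracking; added example,
not from the thread or from Cisco IOS itself."""
from dataclasses import dataclass
import ipaddress

# Constructed placeholders for the thread's <external_IP_address_N> and the PAT interface.
EXT1, EXT2, EXT3 = "203.0.113.1", "203.0.113.2", "203.0.113.3"
OUTSIDE_IF = "203.0.113.5"

# ACL 101 as posted: (protocol, destination host, destination port), then implicit deny.
ACL_101 = [
    ("tcp", EXT1, 3389),
    ("tcp", EXT2, 25), ("tcp", EXT2, 443), ("tcp", EXT2, 3389),
    ("tcp", EXT3, 443), ("tcp", EXT3, 3389),
]

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def acl_permits(acl, pkt):
    """True on the first matching entry; no match means IOS's implicit 'deny ip any any'."""
    return any(pkt.proto == proto and pkt.dst == host and pkt.dport == port
               for proto, host, port in acl)

class StatefulOutsideInterface:
    """Inbound ACL plus a session table standing in for CBAC, which admits replies to outbound flows."""
    def __init__(self, acl):
        self.acl = acl
        self.sessions = set()

    def outbound(self, pkt):
        # Outbound traffic is unrestricted (item 1 of the question); remember the flow.
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt, stateful=True):
        # A reply swaps source and destination; with CBAC it bypasses the ACL, otherwise the ACL decides.
        reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (stateful and reply_of in self.sessions) or acl_permits(self.acl, pkt)

def wildcard_match(addr, network, wildcard):
    """Standard ACL (access-list 1) matching: wildcard bits set to 1 are 'don't care' bits."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)
```

Running the same reply packet through `inbound(..., stateful=False)` reproduces the connectivity loss seen in the Dynamips simulation; `wildcard_match` with 255.255.255.0 shows why a subnet mask in place of a wildcard mask matches the wrong addresses.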
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 21641427
Thanks batry