Cisco IOS Wake On LAN via WAN

Hi Folks,

I am attempting to permit inbound WoL packets from any source on the Internuts for UDP port 9 only. I've looked at a few posts here, but would appreciate clarification for the following scenario:

Device: Cisco 877

External Interface: Di0 IP Add 100.1.1.1  255.255.255.252
Inbound WAN Access-List: InterPr0n

Internal Int: BVI1 IP Add 192.168.0.254 255.255.255.0
Outbound Internal Access-List: LAN

Access-List for Directed Broadcasts: 150
access-list 150 permit udp any any eq 9

Questions:
1. Which interface(s) do I put the 'ip directed broadcast 150' command?
2. Do I need to also mod the InterPr0n ACL to accept udp 9 traffic from any any?
3. Do I need a NAT statement to the broadcast addy?
4. *** Edited by _alias99 ***
5. I fantasize that acl 150 is meant to be used to evaluate traffic hitting the WAN port. Is that right (so I could use it to limit the public addresses that are allowed to send the WoL packet/broadcasts)?
6. Do I use the ip helper-address? Some examples I've seen suggest it. If so, what interface and what IP? I'm guessing it would be di0 and 192.168.0.255.

Thanks mucho-man-lots!
J
jasefAsked:

OzNetNerdCommented:
Can you please post a copy of your running config?
Nayyar HH (CCIE RS)Network ArchitectCommented:
Answers:
1. Which interface(s) do I put the 'ip directed broadcast 150' command?
On the destination router that hosts the subnet for which the broadcast is destined

2. Do I need to also mod the InterPr0n ACL to accept udp 9 traffic from any any?
Yes - Think Security

3. Do I need a NAT statement to the broadcast addy?
Try creating a Static for anything hitting your public WAN IP on UDP 9 to get translated to the Broadcast Address on the destined subnet.

e.g. ip nat inside source static udp 10.1.1.255 9 interface Dialer0 9

4. *** Edited by _alias99 ***
It's certainly worth a try.


5. I fantasize that acl 150 is meant to be used to evaluate traffic hitting the WAN port. Is that right (so I could use it to limit the public addresses that are allowed to send the WoL packet/broadcasts)?
Yes

6. Do I use the ip helper-address? Some examples I've seen suggest it. If so, what interface and what IP? I'm guessing it would be di0 and 192.168.0.255.
Helper is applied on the originating host's router interface - Don't think it's needed here.


Please let us know how you get on!

Nayyar HH (CCIE RS)Network ArchitectCommented:
Moderator,

My comment "It's certainly worth a try" was referring to the solution he was trying to put together, nothing else.

Regards,
Nazsky
jasefAuthor Commented:
Thanks for your help everyone... I would not wish the REAL config upon anyone as it is ridiculous, but I've attached a pretend version that will do the job just fine for demo purposes..

So
1. Goes on Di0 (or BVI50. I have tested on Di0 to no avail, but perhaps probs with other parts)?
2. I figured that would be the case ty.
3. I figured that too.
4. There is no spoon.
5. Thank you again.
6. And a bit more thanks.

Now the only problem here is, unless I made a mistake, these settings are pretty much the config I tested earlier today. I will have a go at it again tomorrow. Hope ya'll havin a good night/day/timezone!!

PS. Nazsky, I am sure the mod had no issues with your assistance (which was both friendly and very handy - I never realised it, but I could have tried your help before I posted and found out myself!!! Of course, the real trouble is there are so many... Sometimes I wonder if it is my Gym ball, or medicine ball or basket ball that is i****, and I worry about this when I am on the job and cannot make sure they are ok, but I digress). It is most likely commandnamesubstitute... I mean alias was misunderstanding the nature of my question; perhaps thinking along the lines of http://www.imdb.com/title/tt0243759/quotes but I am not sure. And I am very sorry!!!!! I never meant any upset or discourtesy and will not do so again!
Current configuration : 10916 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname hq
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
!
aaa new-model
!
!
xxx!
no ip cef
no ip bootp server
no ip domain lookup
ip inspect log drop-pkt
ip inspect name LAN icmp
ip inspect name LAN udp
ip inspect name LAN tcp
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
bridge irb
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 8/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 switchport access vlan 50
!
!
!
interface Vlan1
 description $LAB_LAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 no ip virtual-reassembly
 bridge-group 50
!
!
interface Vlan50
 no ip address
 bridge-group 50
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group INTERNUTS in
 no ip redirects
 no ip unreachables
 ip directed-broadcast 150
 no ip proxy-arp
 ip mtu 1492
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
xxx!
!
interface BVI50
 ip address 172.31.255.125 255.255.255.126
 ip access-group LAN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat inside
 ip inspect LAN in
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0

ip nat inside source list LAN_NAT interface Dialer0 overload
ip nat inside source static udp 172.31.255.126 9 interface Dialer0 9
!
ip access-list extended INTERNUTS
xxx
 remark Refuse Spoofing
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 xxx
 remark ALLOW WoL
 permit udp any any eq discard
ip access-list extended LAN
 deny   ip host 255.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip 172.31.255.0 0.0.0.255 any
 permit ip any host 255.255.255.255
ip access-list extended LAN_NAT
 permit ip 172.31.255.0 0.0.0.255 any
!
logging history size 500
access-list 150 permit udp any any eq discard
!
!
!
!
!
control-plane
!
bridge 50 protocol ieee
bridge 50 route ip
banner login ^C
All your nuts are belong to us!
^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 login authentication MOOOOO!
 transport preferred ssh
 transport input telnet ssh
!
scheduler max-task-time 5000
end

Nayyar HH (CCIE RS)Network ArchitectCommented:
No problem, Thanks!

Did the router not accept NAT to .127 instead of .126? .127 is the broadcast address for the LAN.

The static NAT should be "ip nat inside source static udp 172.31.255.127 9 interface Dialer0 9"

Also, I think the directed broadcast should be on BVI50 not Di0.

Int BVI50
ip directed-broadcast 150

And does ACL INTERNUTS permit ANY to DI0 on UDP 9? If not, it's needed to allow your WoL packets through.
Lastly, the "no ip classless" command is required by directed-broadcast when you're using the subnet broadcast address - 172.31.255.127.
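As an added example (not code from the thread, and nothing the router itself runs), the following Python checks the two things that turned out to be wrong in the poster's lab config, the subnet mask and the broadcast address used as the static NAT target, and separately validates that a UDP/9 payload really is a WoL magic packet before anyone trusts a hit counter on ACL 150. The interface address, mask and NAT target are the constructed values taken from the config above; the audit function, its argument names and the magic-packet helpers are assumptions of this example.

```python
"""Sanity checks for forwarding Wake-on-LAN over a WAN link.

Added example, not part of the original thread. Values below are copied
from the posted lab config; the function names are this example's own.
"""
import ipaddress

WOL_PORT = 9  # UDP "discard", the port the thread's ACLs and NAT use


def directed_broadcast(address: str, netmask: str) -> str:
    """Return the directed-broadcast address of the subnet holding address/netmask.

    ipaddress rejects a non-contiguous mask such as 255.255.255.126 (the typo
    in the posted config) with NetmaskValueError, a ValueError subclass.
    """
    net = ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)
    return str(net.broadcast_address)


def audit_wol_forwarding(lan_ip: str, lan_mask: str, nat_local_ip: str,
                         nat_local_port: int, wan_acl_permits_udp9: bool) -> list:
    """Return a list of findings; an empty list means the three pieces line up."""
    findings = []
    try:
        bcast = directed_broadcast(lan_ip, lan_mask)
    except ValueError:
        # nothing else can be judged until the mask is fixed
        return [f"LAN mask {lan_mask} is not a valid contiguous netmask"]
    if nat_local_ip != bcast:
        findings.append(f"static NAT sends udp/{nat_local_port} to {nat_local_ip}, "
                        f"but the subnet broadcast is {bcast}")
    if nat_local_port != WOL_PORT:
        findings.append(f"static NAT translates to port {nat_local_port}, not udp/{WOL_PORT}")
    if not wan_acl_permits_udp9:
        findings.append("inbound WAN ACL has no permit for udp/9, so the packet never reaches NAT")
    return findings


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Six 0xFF bytes, the MAC repeated 16 times, optional 4/6-byte SecureOn password."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes")
    if len(password) not in (0, 4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return b"\xff" * 6 + raw * 16 + password


def parse_magic_packet(payload: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload is a well-formed
    magic packet, else None. Anything else arriving on udp/9 is just noise the
    router would still have broadcast onto the LAN."""
    if len(payload) not in (102, 106, 108):
        return None
    if payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    # constructed values from the thread's posted config
    for mask, nat_ip in (("255.255.255.126", "172.31.255.126"),   # as posted
                         ("255.255.255.128", "172.31.255.126"),   # mask fixed only
                         ("255.255.255.128", "172.31.255.127")):  # as corrected in the thread
        print(mask, nat_ip, audit_wol_forwarding("172.31.255.125", mask, nat_ip, 9, True))
    pkt = build_magic_packet("00:11:22:33:44:55")
    print(len(pkt), parse_magic_packet(pkt))
```

Because ACL 150 and INTERNUTS both permit udp/9 from any source, the router will relay any UDP datagram on that port to the subnet broadcast, magic packet or not; `parse_magic_packet` is the check to apply to a capture on BVI50 when deciding whether those hits were real wake requests, and tightening the source addresses in ACL 150 (the poster's question 5) is the control that keeps strangers from exercising the broadcast at all.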
jasefAuthor Commented:
NazSky,

All yr awesomeness are belong to YOU! Thanks very much (especially for question 4 ;))

It was the 150 acl interface and the broadcast addressing. I'd set up a lab a few weeks ago and changed the IP address back, but missed the subnet mask. PS. discard is udp 9
Nayyar HH (CCIE RS)Network ArchitectCommented:
It's a pleasure Jasef, Thanking You!