mirfan_cert
asked on
Allow only certain traffic for inside users through cisco router.
Hi,
I have a cisco 2821 router and our inside network is 192.168.1.0.
and wan IP Address is something like 1.1.1.2/30
I want to open only these ports for inside users.
80
443
25
110
3389
And I want to forward port 3389 to 192.168.1.10.
How should I configure the router to accomplish this task?
No DNS?
That would be port 53.
I would also add the line
access-list 101 deny ip any any log
at the end.
This way you can see what is being blocked and then make changes if need be.
You would then want to remove the line when you have everything running as it should.
Greg
I would suggest that if you're statically NATing a server to a particular port you would need more IPs; however, you should be able to do it with a 30-bit mask like this:
ip access-list extended INSIDE_OUT
 permit tcp 192.168.1.0 0.0.0.255 any eq 80
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 permit tcp 192.168.1.0 0.0.0.255 any eq 25
 permit tcp 192.168.1.0 0.0.0.255 any eq 110
 permit tcp 192.168.1.0 0.0.0.255 any eq 3389
!
! Inbound on the outside interface the ACL is checked before NAT, so the
! forwarded RDP session still carries the public address 1.1.1.2 here,
! not 192.168.1.10. The list is stateless: the final deny also drops the
! replies to sessions opened from the inside unless inspection is added.
ip access-list extended OUTSIDE_IN
 permit tcp any host 1.1.1.2 eq 3389
 deny ip any any
!
access-list 10 permit 192.168.1.0 0.0.0.255
! PAT to the outside interface address; the inside interface address is not routable
ip nat inside source list 10 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.10 3389 1.1.1.2 3389
! on an Ethernet link a next-hop address (the far end of the /30) is preferable to an interface-only route
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
interface FastEthernet0/0
 description OUTSIDE_INTERFACE
 ip address 1.1.1.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE_IN in
!
interface FastEthernet0/1
 description INSIDE_INTERFACE
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip access-group INSIDE_OUT in
I think this should work, but I'm sure someone else may have some alternative suggestion or a change to my config.
Simon
ip access-list extended OUTSIDE_IN permit tcp any 192.168.1.10 0.0.0.0 eq 3389
ip access-list extended OUTSIDE_IN deny ip any any < this statement would block all traffic coming into the router, including DNS, HTTP and FTP.
Not sure you want that; however, depending on the IOS version, you might want to look at the ip inspect option.
https://learningnetwork.cisco.com/thread/13408
Greg
ASKER
I created two access lists allowing all these ports, but after I apply them everything works except port forwarding. Remote Desktop does not work from WAN to LAN.
This is the configuration:
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
no ip domain lookup
ip name-server 213.42.20.20
ip name-server 195.229.241.222
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/1
Description LAN
ip address 192.168.2.1 255.255.255.0
ip access-group allowedservices in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0
Description WAN
ip address 192.168.1.237 255.255.255.0
ip access-group allowedservices in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
no ip http server
no ip http secure-server
ip nat inside source list 102 interface FastEthernet0/0 overload
ip nat inside source static udp 192.168.2.12 3389 interface FastEthernet0/0 3389
ip nat inside source static tcp 192.168.2.12 3389 interface FastEthernet0/0 3389
!
ip access-list extended allowedservices
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 445
permit tcp any any eq 143
permit tcp any any eq pop3
permit tcp any any eq 997
permit tcp any any eq 995
permit tcp any any eq smtp
permit tcp any any eq telnet
permit tcp any any eq 22
permit tcp any any eq domain
permit udp any any eq domain
permit icmp any any echo-reply
permit tcp any any eq 3389
!
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
permit tcp any eq 3389 any
because the port is on the inside, not on the internet.
Greg
For now, to check, try adding:
ip access-list extended allowedservices
permit ip host 192.168.2.12 any
I would also create separate access lists for the inside and the outside.
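Greg's two points (the DNS query that the list's implicit deny drops, and the RDP reply whose source port, not destination port, is 3389), his earlier note that `deny ip any any` on OUTSIDE_IN also drops replies to sessions opened from the inside, and the `permit ip host 192.168.2.12 any` suggested just above all come down to one thing: an IOS ACL is stateless and judges each packet on its own. The Python model of that per-packet evaluation below is an added example written for this edit, not code from any of the posts. It parses the ACL lines quoted in the thread and replays them over constructed packets; the packet addresses and ports, the `PORT_NAMES` table and the helper names are assumptions of the example, and 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for internet hosts. The last scenario checks Simon's OUTSIDE_IN entry, as Greg quoted it, against the public address, because an inbound ACL on the `ip nat outside` interface is evaluated before the static translation and therefore sees 1.1.1.2, not 192.168.1.10.

```python
# Added example (mine, not from any post): one-packet evaluation by a Cisco IOS
# extended ACL, replayed over the lists in this thread for both halves of a flow.
from collections import namedtuple
from ipaddress import ip_address, ip_network

PORT_NAMES = {"www": 80, "domain": 53, "pop3": 110, "smtp": 25, "telnet": 23}
Packet = namedtuple("Packet", "proto src sport dst dport")  # proto: "tcp"/"udp"
# sport/dport are the values from "eq" after the source/destination, or None.
Ace = namedtuple("Ace", "action proto src sport dst dport")

def _wildcard_to_prefix(wildcard):
    """IOS wildcard (0 bits must match) -> prefix length; 0.0.0.0 is /32.
    Only contiguous wildcards are modelled."""
    return bin(~int(ip_address(wildcard)) & 0xFFFFFFFF).count("1")

def _addr(t, i):
    """Consume 'any', 'host A' or 'A WILDCARD' at t[i]; return (net, next i)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return f"{t[i + 1]}/32", i + 2
    net = ip_network(f"{t[i]}/{_wildcard_to_prefix(t[i + 1])}", strict=False)
    return str(net), i + 2

def _port(t, i):
    """Consume an optional 'eq PORT' at t[i]; return (port or None, next i)."""
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """Parse e.g. 'permit tcp 192.168.1.0 0.0.0.255 any eq 80' (named or numbered)."""
    t = line.split()
    if t[0] == "access-list":  # numbered form: 'access-list 101 permit ...'
        t = t[2:]
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, _ = _port(t, i)
    return Ace(t[0], t[1], src, sport, dst, dport)

def parse_acl(text):
    """ACE lines only; 'ip access-list extended NAME' headers and blanks are skipped."""
    return [parse_ace(line) for line in text.splitlines()
            if line.split()[:1] and line.split()[0] in ("permit", "deny", "access-list")]

def _in(net, addr):
    return net == "any" or ip_address(addr) in ip_network(net)

def matches(ace, p):
    return (ace.proto in ("ip", p.proto) and _in(ace.src, p.src)
            and _in(ace.dst, p.dst) and ace.sport in (None, p.sport)
            and ace.dport in (None, p.dport))

def evaluate(acl, p):
    """First match wins; an implicit 'deny ip any any' ends every IOS ACL."""
    for ace in acl:
        if matches(ace, p):
            return ace.action
    return "deny"

# The asker's allowedservices (entries relevant here); it is applied inbound on
# both interfaces, so traffic leaving the LAN hosts is checked against it too.
ALLOWEDSERVICES = """
permit tcp any any eq www
permit tcp any any eq 443
permit udp any any eq domain
permit tcp any any eq 3389
"""
# Simon's OUTSIDE_IN as Greg quoted it.
OUTSIDE_IN = "permit tcp any 192.168.1.10 0.0.0.0 eq 3389\ndeny ip any any"
# The accepted answer's list 101 with tcp as the protocol ('ip' accepts no 'eq').
INSIDE_101 = "\n".join(f"access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq {p}"
                       for p in (25, 80, 110, 443, 3389))

def replay():
    """Evaluate each list against constructed packets (203.0.113.0/24 and
    198.51.100.0/24 are documentation ranges standing in for internet hosts)."""
    lan_in = parse_acl(ALLOWEDSERVICES)
    lan_in_fixed = lan_in + parse_acl("permit tcp any eq 3389 any")  # Greg's entry
    out_in = parse_acl(OUTSIDE_IN)
    rdp_reply = Packet("tcp", "192.168.2.12", 3389, "203.0.113.5", 50000)
    return {
        # RDP SYN arriving on the WAN interface: destination port 3389 matches.
        "rdp_syn_wan_in": evaluate(lan_in, Packet("tcp", "203.0.113.5", 50000, "192.168.1.237", 3389)),
        # The server's reply enters the LAN interface with 3389 as its SOURCE port.
        "rdp_reply_lan_in": evaluate(lan_in, rdp_reply),
        "rdp_reply_lan_in_with_greg_entry": evaluate(lan_in_fixed, rdp_reply),
        # A DNS query from the LAN under list 101: nothing permits UDP/53.
        "dns_query_list_101": evaluate(parse_acl(INSIDE_101), Packet("udp", "192.168.1.20", 53123, "198.51.100.53", 53)),
        # Reply to an inside-initiated HTTP request hits OUTSIDE_IN's final deny.
        "http_reply_outside_in": evaluate(out_in, Packet("tcp", "198.51.100.80", 80, "1.1.1.2", 40000)),
        # The inbound ACL on the outside interface runs before NAT, so it sees the
        # public 1.1.1.2 and an entry written for 192.168.1.10 never matches.
        "rdp_syn_outside_in_pre_nat": evaluate(out_in, Packet("tcp", "203.0.113.5", 50000, "1.1.1.2", 3389)),
    }
```

`replay()` returns permit, deny, permit, deny, deny, deny for the six keys in order. The `permit ip host 192.168.2.12 any` suggested above also lets the RDP reply through, but by source address rather than source port, so it admits anything that server sends out; Greg's `permit tcp any eq 3389 any` is narrower but still admits any TCP segment with source port 3389 from any inside host. Neither replaces stateful inspection (`ip inspect`, which Greg mentions), which records the outbound SYN and admits only the matching reply.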
ASKER
After trying many options, this one worked for me.
ip nat inside source static tcp 192.168.1.10 3389 outside_ip 3389
For the traffic from inside:
! the protocol must be tcp: 'ip' entries take no port operator, so 'eq' would be rejected
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 25
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 110
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 3389
And on the inside interface, add: ip access-group 101 in