Solved

Allow only certain traffic for inside users through cisco router.

Posted on 2011-10-02
Last Modified: 2012-05-12
Hi,
I have a Cisco 2821 router and our inside network is 192.168.1.0,
and the WAN IP address is something like 1.1.1.2/30.
I want to open only these ports for inside users.
80
443
25
110
3389
And I want to forward port 3389 to 192.168.1.10.
How should I configure the router to accomplish this task?

Question by:mirfan_cert
9 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36899926
For rdp:
ip nat inside source static tcp 192.168.1.10 3389 outside_ip 3389

For the traffic from inside:
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 25
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 110
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 3389

And on the inside interface, add: ip access-group 101 in
 
LVL 15

Expert Comment

by:greg ward
ID: 36899946
no dns?
would be port 53

i would also add the line
access-list 101 deny ip any any log
at the end

this way you can see what is being blocked and then make changes if need be.
you would then want to remove the line when you have everything running as it should.

Greg
 
LVL 1

Expert Comment

by:sb1mpo
ID: 36899961
I would suggest that if you're statically NATing a server to a particular port you would need more IPs; however, you should be able to do it with a 30-bit mask like this:

ip access-list extended INSIDE_OUT permit tcp 192.168.1.0 0.0.0.255 any eq 80
ip access-list extended INSIDE_OUT permit tcp 192.168.1.0 0.0.0.255 any eq 443
ip access-list extended INSIDE_OUT permit tcp 192.168.1.0 0.0.0.255 any eq 25
ip access-list extended INSIDE_OUT permit tcp 192.168.1.0 0.0.0.255 any eq 110
ip access-list extended INSIDE_OUT permit tcp 192.168.1.0 0.0.0.255 any eq 3389

ip access-list extended OUTSIDE_IN permit tcp any 192.168.1.10 0.0.0.0 eq 3389
ip access-list extended OUTSIDE_IN deny ip any any

access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.10 3389 1.1.1.2 3389

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

interface FastEthernet 0/0
description OUTSIDE_INTERFACE
ip address 1.1.1.2 255.255.255.252
ip nat outside
ip access-group OUTSIDE_IN in

interface FastEthernet 0/1
description INSIDE_INTERFACE
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip access-group INSIDE_OUT in


I think this should work, but I'm sure someone else may have an alternative suggestion or a change to my config.

Simon
 
LVL 15

Expert Comment

by:greg ward
ID: 36900318
ip access-list extended OUTSIDE_IN permit tcp any 192.168.1.10 0.0.0.0 eq 3389
ip access-list extended OUTSIDE_IN deny ip any any
< this statement would block all traffic coming into the router, including DNS, HTTP and FTP.

Not sure you want that; however, depending on the IOS version you might want to look at the ip inspect option.
https://learningnetwork.cisco.com/thread/13408

Greg

 

Author Comment

by:mirfan_cert
ID: 36916605
I created two access lists allowing all these ports but after I apply them everything works except for port forwarding. The Remote desktop does not work from wan to lan.

This is the configuration:

!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
no ip domain lookup
ip name-server 213.42.20.20
ip name-server 195.229.241.222
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/1
 Description LAN
 ip address 192.168.2.1 255.255.255.0
 ip access-group allowedservices in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/0
 Description WAN
 ip address 192.168.1.237 255.255.255.0
 ip access-group allowedservices in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
no ip http server
no ip http secure-server
ip nat inside source list 102 interface FastEthernet0/0 overload
ip nat inside source static udp 192.168.2.12 3389 interface FastEthernet0/0 3389
ip nat inside source static tcp 192.168.2.12 3389 interface FastEthernet0/0 3389
!
ip access-list extended allowedservices
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq 445
 permit tcp any any eq 143
 permit tcp any any eq pop3
 permit tcp any any eq 997
 permit tcp any any eq 995
 permit tcp any any eq smtp
 permit tcp any any eq telnet
 permit tcp any any eq 22
 permit tcp any any eq domain
 permit udp any any eq domain
 permit icmp any any echo-reply
 permit tcp any any eq 3389
!
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end
 
LVL 15

Expert Comment

by:greg ward
ID: 36918199
permit tcp any eq 3389 any
because the port is on the inside, not on the internet.

Greg
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36922795
For now, to check, try adding:

ip access-list extended allowedservices
 permit ip host 192.168.2.12 any


I would also create separate access lists for the inside and the outside.
 

Accepted Solution

by:
mirfan_cert earned 0 total points
ID: 37112064
This is what I finally achieved:
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Dubai
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
no ip domain lookup
ip name-server 213.42.20.20
ip name-server 195.229.241.222
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.10.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip access-group LANACL in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
no ip http server
no ip http secure-server
ip nat inside source list 102 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.2.12 3389 interface FastEthernet0/0 3389
!
ip access-list extended LANACL
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq 445
 permit tcp any any eq 143
 permit tcp any any eq pop3
 permit tcp any any eq 997
 permit tcp any any eq 995
 permit tcp any any eq smtp
 permit tcp any any eq telnet
 permit tcp any any eq 22
 permit tcp any any eq domain
 permit udp any any eq domain
 permit tcp any any eq 3389
 permit tcp any any eq 4443
 permit tcp any any eq cmd
 permit icmp any any
 permit tcp any eq 3389 any
 permit udp any eq 3389 any
!
access-list 101 permit ip any any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 password telnet
 login
!
!
end
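To see why Greg's `permit tcp any eq 3389 any` entry is what makes the forwarded RDP session work in the accepted config (and why the `deny ip any any` he commented on earlier would cut off reply traffic in the same way), here is an added Python model of how IOS evaluates an extended ACL: first match wins, implicit deny at the end. This is not code from the thread or from Cisco. The ACL lists and packets in it are constructed (203.0.113.0/24 stands in for the WAN side), and the `established` variant at the end is my own suggestion, not something the thread proposed. The model relies on one IOS fact: an ACL applied `in` on FastEthernet0/1 filters packets arriving from the LAN, so for the forwarded RDP server it is the server's replies (source port 3389, random destination port) that it sees.

```python
"""Toy evaluator for Cisco IOS extended ACLs (first match wins, implicit deny).
Added illustration, not a Cisco tool: models only protocol, address/wildcard,
'eq' ports, 'established' (ACK or RST already set) and the 'log' keyword."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

NAMED_PORTS = {"www": 80, "domain": 53, "smtp": 25, "pop3": 110, "telnet": 23, "cmd": 514}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK/RST set, i.e. not the opening SYN of a session


@dataclass(frozen=True)
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol
    src: Tuple[int, int]    # (address, wildcard); wildcard bit 1 = don't care
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]
    established: bool = False
    log: bool = False


def parse_ace(line: str) -> Ace:
    """Parse one entry, e.g. 'permit tcp any eq 3389 any' or 'deny ip any any log'."""
    toks, pos = line.split(), 2

    def addr():
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return (0, 0xFFFFFFFF)
        if toks[pos] == "host":
            pos += 2
            return (int(ip_address(toks[pos - 1])), 0)
        pos += 2    # 'address wildcard' pair
        return (int(ip_address(toks[pos - 2])), int(ip_address(toks[pos - 1])))

    def port():
        nonlocal pos
        if pos < len(toks) and toks[pos] == "eq":
            pos += 2
            return NAMED_PORTS.get(toks[pos - 1]) or int(toks[pos - 1])
        return None

    src, sport, dst, dport = addr(), port(), addr(), port()
    flags = set(toks[pos:])
    return Ace(toks[0], toks[1], src, sport, dst, dport, "established" in flags, "log" in flags)


def _addr_match(spec: Tuple[int, int], ip: str) -> bool:
    care = 0xFFFFFFFF ^ spec[1]     # bits the wildcard says we care about
    return (int(ip_address(ip)) & care) == (spec[0] & care)


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto not in ("ip", pkt.proto):
        return False
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    if pkt.proto in ("tcp", "udp"):
        if ace.sport is not None and pkt.sport != ace.sport:
            return False
        if ace.dport is not None and pkt.dport != ace.dport:
            return False
    return pkt.ack or not ace.established


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, matching entry); the implicit deny at the end has no entry."""
    for line in acl:
        if matches(parse_ace(line), pkt):
            return (line.split()[0], line)
    return ("deny", None)


# Constructed from the asker's first 'allowedservices' list, trimmed to the entries
# that matter here. Applied 'in' on FastEthernet0/1 it filters packets leaving the LAN.
ORIGINAL_LAN_IN = ["permit tcp any any eq www", "permit tcp any any eq 443",
                   "permit tcp any any eq 3389"]
# Greg's fix, plus his logging deny at the end so blocked traffic shows in the log.
FIXED_LAN_IN = ORIGINAL_LAN_IN + ["permit tcp any eq 3389 any", "deny ip any any log"]
# Tighter variant (editor's suggestion, not from the thread): 'established' makes the
# entry match only packets of a session that is already open.
TIGHT_LAN_IN = ORIGINAL_LAN_IN + ["permit tcp any eq 3389 any established",
                                  "deny ip any any log"]

# Constructed packets; 203.0.113.0/24 is the documentation range standing in for the WAN.
RDP_REPLY = Packet("tcp", "192.168.2.12", 3389, "203.0.113.5", 51000, ack=True)
NEW_SESSION_FROM_3389 = Packet("tcp", "192.168.2.50", 3389, "203.0.113.9", 4444)
WEB_REQUEST = Packet("tcp", "192.168.2.50", 51001, "203.0.113.9", 443)


def demo() -> dict:
    return {
        "reply_original": evaluate(ORIGINAL_LAN_IN, RDP_REPLY),           # implicit deny
        "reply_fixed": evaluate(FIXED_LAN_IN, RDP_REPLY),                 # permit
        "new_session_fixed": evaluate(FIXED_LAN_IN, NEW_SESSION_FROM_3389),  # permit
        "new_session_tight": evaluate(TIGHT_LAN_IN, NEW_SESSION_FROM_3389),  # logged deny
        "reply_tight": evaluate(TIGHT_LAN_IN, RDP_REPLY),                 # permit
        "web_tight": evaluate(TIGHT_LAN_IN, WEB_REQUEST),                 # permit
    }
```

Calling `demo()` shows the two points of the thread side by side: against the original list the server's reply falls through to the implicit deny (nothing permits destination port 51000), which is exactly the "everything works except port forwarding" symptom, and Greg's `permit tcp any eq 3389 any` entry is the first one that matches it. The third result is the caveat: that entry is stateless, so any packet leaving the LAN with source port 3389 is permitted regardless of destination port, which is more than the original policy intended. Adding `established` keeps the reply path open while sending a brand-new session from that port to the trailing `deny ip any any log` entry instead, where it shows up in the router log as Greg described; `ip inspect` (CBAC), which he also pointed to, is the stateful way to get the same effect without tracking ports by hand.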
 

Author Closing Comment

by:mirfan_cert
ID: 37130151
After trying many options this one worked for me.
