Solved

Cisco 2911 Router Rule Outside to Inside

Posted on 2013-06-13
4
743 Views
Last Modified: 2013-06-15
Group, morning, I hope this is a simple question. Using CCP I am trying to allow traffic from the outside into the LAN for some services, but a port scan shows the port closed and the application is not responding to the outside traffic, so I suspect something is still blocking the port. Wanted to see if I missed anything. Firewall is Off. Thanks!

Under ACL --> NAT Rules I have the following:
Action: Permit
Source: any
Destination: 192.168.10.29
Service tftp/udp, dest tftp/udp
Question by: Ross Mccullough
4 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 39245375
I believe the destination needs to be the public IP which is nat'd to the private IP. So if you had a nat of 192.168.10.29 --> 1.1.1.1, your rule would have a destination of 1.1.1.1. Also make sure that the source doesn't have a service set in the rule (as only the destination will have the service port numbers) and that you have the proper nat in place.
 

Author Comment

by: Ross Mccullough
ID: 39245625
Rauenpc,
Thanks for the follow-up. I have played with it some more via CCP and am getting nowhere fast. I have included the running config output. I think there are some commands in there that go nowhere, so let me know your thoughts. TY.


ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 97.76.78.217 name DEFAULT_ROUTE
!
ip access-list extended NAT_ACL
 remark Master NAT List
 remark CCP_ACL Category=18
 remark IPSec Rule
 deny   ip 192.168.10.0 0.0.0.31 172.25.0.0 0.0.0.31
 remark IPSec Rule
 deny   ip 192.168.10.0 0.0.0.31 172.16.8.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255
 remark FileZilla FTP Server
 permit tcp host 192.168.10.2 eq ftp any eq ftp
 permit ip any any
!
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.10.0 0.0.0.31 172.16.8.0 0.0.0.255
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.10.0 0.0.0.31 172.25.0.0 0.0.0.31
access-list 103 remark CCP_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.31 172.16.8.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.31 172.25.0.0 0.0.0.31
access-list 103 permit ip 192.168.10.0 0.0.0.31 any
access-list 104 remark CCP_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.10.0 0.0.0.31 172.16.8.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.10.0 0.0.0.31 172.25.0.0 0.0.0.31
access-list 104 permit ip 192.168.10.0 0.0.0.31 any
!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
route-map SDM_RMAP_2 permit 1
 match ip address 104
!
route-map RMAP-NAT permit 10
 match ip address NAT_ACL
!
!
 
LVL 20

Accepted Solution

by: rauenpc (earned 300 total points)
ID: 39245770
I don't see anything necessarily wrong with that configuration, but it definitely isn't doing what you are looking for. Here is some sample config to allow www through to an inside device:

!this is one line on the acl applied to the outside interface.
access-list 105 permit tcp any host 71.13.116.194 eq www

!This is the PAT to do the translation
ip nat inside source static tcp 192.168.37.31 80 x.x.x.194 80 extendable


On a basic level, that is all that is needed to allow inbound services - a specific allow statement, and a matching nat entry.
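As an added illustration of the "specific allow statement plus matching NAT entry" rule in the accepted solution (this is not part of the thread or rauenpc's post), a small Python checker that reads IOS-style lines and flags the two mistakes discussed: an outside-interface permit whose destination is the private address instead of the public NAT address, and a permit to a public port with no static NAT entry behind it. The sample lines are constructed from the addresses quoted in this thread, and the port keyword map is a hypothetical subset.

```python
import ipaddress
import re

# Constructed sample modelled on the thread: the asker's first attempt (an
# outside permit straight to the private address, no static NAT), a permit
# to a public address that has no NAT entry, and the accepted solution pair.
SAMPLE_CONFIG = """
access-list 105 permit udp any host 192.168.10.29 eq tftp
access-list 105 permit tcp any host 71.13.116.194 eq ftp
access-list 105 permit tcp any host 71.13.116.194 eq www
ip nat inside source static tcp 192.168.37.31 80 71.13.116.194 80 extendable
"""

PORT_NAMES = {"www": 80, "ftp": 21, "tftp": 69, "ssh": 22}  # hypothetical subset
ACL_RE = re.compile(r"^access-list \d+ permit (tcp|udp) any host (\S+) eq (\S+)$")
NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) \S+ \d+ (\S+) (\d+)")


def port_number(token):
    """Resolve an IOS port keyword or number to an integer (None if unknown)."""
    return PORT_NAMES.get(token, int(token) if token.isdigit() else None)


def check_inbound_rules(config):
    """Return findings for outside-ACL permits that cannot work as inbound
    service rules; an empty list means every permit has a matching static NAT."""
    permits, nats = [], set()
    for line in config.strip().splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            permits.append((m.group(1), m.group(2), port_number(m.group(3))))
            continue
        m = NAT_RE.match(line)
        if m:  # key: protocol, public (outside) address, public port
            nats.add((m.group(1), m.group(2), int(m.group(3))))
    findings = []
    for proto, dst, port in permits:
        if ipaddress.ip_address(dst).is_private:
            findings.append(f"{proto}/{port} to {dst}: destination is a private "
                            "address; the outside ACL must match the public NAT address")
        elif (proto, dst, port) not in nats:
            findings.append(f"{proto}/{port} to {dst}: no static NAT entry "
                            "translates this public port to an inside host")
    return findings


if __name__ == "__main__":
    for finding in check_inbound_rules(SAMPLE_CONFIG):
        print(finding)
```

Running it on the sample reports the tftp permit to 192.168.10.29 and the ftp permit without a NAT entry, while the www permit paired with its static PAT passes.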
 

Author Closing Comment

by: Ross Mccullough
ID: 39250411
Hello, I went back to the CLI and started with a clean sheet of paper, per se, and your statements worked perfectly. Also had to make some adjustments on the Windows computers because the FW is disabled via GPO, but it considered its connection "Work / Private" not domain, hence some of the services were still being blocked, making it look as if the statements weren't working. Thanks again!