  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 774
Cisco 2911 Router Rule Outside to Inside

Group, morning, I hope this is a simple question. Using CCP I am trying to allow traffic from the outside into the LAN for some services, but a port scan shows the port closed; the application is not responding to the outside traffic, so I suspect something is still blocking the port. Wanted to see if I missed anything. Firewall is Off. Thanks!

Under ACL -->NAT Rules I have the following:
Action: Permit
Source: any
Destination: 192.168.10.29
Service tftp/udp, dest tftp/udp
Asked: Ross Mccullough
1 Solution
rauenpcCommented:
I believe the destination needs to be the public IP which is NAT'd to the private IP. So if you had a NAT of 192.168.10.29 --> 1.1.1.1, your rule would have a destination of 1.1.1.1. Also make sure that the source doesn't have a service set in the rule (as only the destination will have the service port numbers) and that you have the proper NAT in place.
Ross McculloughAuthor Commented:
Rauenpc,
Thanks for the follow-up. I have played with it some more via CCP and am getting nowhere fast. I have included the running config output. I think there are some commands in there that go nowhere, so let me know your thoughts. TY.


ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 97.76.78.217 name DEFAULT_ROUTE
!
ip access-list extended NAT_ACL
 remark Master NAT List
 remark CCP_ACL Category=18
 remark IPSec Rule
 deny   ip 192.168.10.0 0.0.0.31 172.25.0.0 0.0.0.31
 remark IPSec Rule
 deny   ip 192.168.10.0 0.0.0.31 172.16.8.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255
 remark FileZilla FTP Server
 permit tcp host 192.168.10.2 eq ftp any eq ftp
 permit ip any any
!
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.10.0 0.0.0.31 172.16.8.0 0.0.0.255
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.10.0 0.0.0.31 172.25.0.0 0.0.0.31
access-list 103 remark CCP_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.31 172.16.8.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.31 172.25.0.0 0.0.0.31
access-list 103 permit ip 192.168.10.0 0.0.0.31 any
access-list 104 remark CCP_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.10.0 0.0.0.31 172.16.8.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.10.0 0.0.0.31 172.25.0.0 0.0.0.31
access-list 104 permit ip 192.168.10.0 0.0.0.31 any
!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
route-map SDM_RMAP_2 permit 1
 match ip address 104
!
route-map RMAP-NAT permit 10
 match ip address NAT_ACL
!
!
rauenpcCommented:
I don't see anything necessarily wrong with that configuration, but it definitely isn't doing what you are looking for. Here is some sample config to allow www through to an inside device:

!this is one line on the acl applied to the outside interface.
access-list 105 permit tcp any host 71.13.116.194 eq www

!This is the PAT to do the translation
ip nat inside source static tcp 192.168.37.31 80 x.x.x.194 80 extendable


On a basic level, that is all that is needed to allow inbound services - a specific allow statement, and a matching nat entry.
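Putting rauenpc's two-line recipe into the asker's own terms (TFTP on UDP/69 to 192.168.10.29, with GigabitEthernet0/0 as the outside interface, as the posted `ip nat inside source ... interface GigabitEthernet0/0 overload` line shows). This is an added example, not config from the original thread. The public address 198.51.100.2, the trusted TFTP client 203.0.113.10 and the IPsec peer 192.0.2.1 are assumed placeholders; nothing on the page gives the real values. ACL number 105 follows the answer above.

```cisco
! --- Added example, not from the original thread. Adapts rauenpc's recipe
! --- to the asker's case: TFTP (UDP/69) from the outside to 192.168.10.29.
! --- ASSUMPTIONS (not on the page): Gi0/0 carries the public address
! --- 198.51.100.2; the only host that needs TFTP is 203.0.113.10; the
! --- IPsec peer is 192.0.2.1. "ip nat inside"/"ip nat outside" are already
! --- on the LAN and Gi0/0 interfaces, since overload NAT is working.
!
! 1) Static PAT: expose exactly one inside socket on the public address.
!    "extendable" lets further ports of the same inside host be mapped later.
ip nat inside source static udp 192.168.10.29 69 198.51.100.2 69 extendable
!
! 2) The inbound ACL on the OUTSIDE interface is evaluated before the
!    translation for outside-to-inside packets, so it must match the PUBLIC
!    destination, and the port belongs on the destination only.
!
!    WRONG (what the CCP rule in the question produced; it never matches):
!    access-list 105 permit udp any host 192.168.10.29 eq tftp
!
!    RIGHT: scoped to the one trusted client rather than "any", because
!    TFTP has no authentication; "any" would let anyone on the Internet
!    read or write files on 192.168.10.29.
access-list 105 remark Inbound from Internet on Gi0/0
access-list 105 permit udp host 203.0.113.10 host 198.51.100.2 eq tftp
!
! 3) Once an ACL is applied there is no longer an implicit "allow everything":
!    return traffic for sessions the LAN initiates must be permitted too.
!    Without IOS firewall inspection (ZBF/CBAC) that means explicit lines.
!    "established" covers TCP only and merely checks ACK/RST flags; treat it
!    as a stop-gap, not as stateful filtering.
access-list 105 permit tcp any host 198.51.100.2 established
access-list 105 permit udp any eq domain host 198.51.100.2
access-list 105 permit icmp any host 198.51.100.2 echo-reply
access-list 105 permit icmp any host 198.51.100.2 unreachable
access-list 105 permit icmp any host 198.51.100.2 time-exceeded
!    IPsec site-to-site peer (ASSUMED address 192.0.2.1): IKE, NAT-T, ESP.
access-list 105 permit udp host 192.0.2.1 host 198.51.100.2 eq isakmp
access-list 105 permit udp host 192.0.2.1 host 198.51.100.2 eq non500-isakmp
access-list 105 permit esp host 192.0.2.1 host 198.51.100.2
!    Everything else hits the implicit deny; log it for troubleshooting.
access-list 105 deny ip any any log
!
! 4) Apply it inbound on the outside interface.
interface GigabitEthernet0/0
 ip access-group 105 in
!
! 5) Verify: the static entry appears in the translation table before any
!    client connects; the hit counter on the tftp line rises on the first
!    request; the interface reports "Inbound access list is 105".
! show ip nat translations
! show access-lists 105
! show ip interface GigabitEthernet0/0 | include access list
```

Two caveats worth knowing before copying this. First, if the public address on Gi0/0 is assigned by the ISP via DHCP, use the interface form of the static entry (`ip nat inside source static udp 192.168.10.29 69 interface GigabitEthernet0/0 69`) so the mapping follows address changes. Second, TFTP answers from a new server-side port (the transfer ID), so the server's reply packets leave through the dynamic overload entry rather than the static one; because the overload also uses the Gi0/0 address, the client still sees replies from the public IP it contacted, which is what RFC 1350 clients expect. A port scan showing UDP/69 "closed" after this change usually means the filter on the host itself, not the router, as the asker found below.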
Ross McculloughAuthor Commented:
Hello, I went back to the CLI and started with a clean sheet of paper, per se, and your statements worked perfectly. Also had to make some adjustments on the Windows computers because the FW is disabled via GPO, but it considered its connection "Work / Private", not Domain, hence some of the services were still being blocked, making it look as if the statements weren't working. Thanks again!
