Solved

Cisco 2911 Router Rule Outside to Inside

Posted on 2013-06-13
764 Views
Last Modified: 2013-06-15
Group, morning, I hope a simple question. Using CCP I am trying to allow traffic from the outside into the LAN for some services, but a port scan shows the port closed; the application is not responding to the outside traffic, so I suspect something is still blocking the port. Wanted to see if I missed anything. Firewall is off. Thanks!

Under ACL -->NAT Rules I have the following:
Action: Permit
Source: any
Destination: 192.168.10.29
Service tftp/udp, dest tftp/udp
Question by:Ross Mccullough
4 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 39245375
I believe the destination needs to be the public IP which is nat'd to the private IP. So if you had a nat of 192.168.10.29 --> 1.1.1.1, your rule would have a destination of 1.1.1.1. Also make sure that the source doesn't have a service set in the rule (as only the destination will have the service port numbers) and that you have the proper nat in place.

Author Comment

by:Ross Mccullough
ID: 39245625
Rauenpc,
Thanks for the follow-up. I have played with it some more via CCP and am getting nowhere fast. I have included the running config output. I think there are some commands in there that go nowhere, so let me know your thoughts. TY.


ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 97.76.78.217 name DEFAULT_ROUTE
!
ip access-list extended NAT_ACL
 remark Master NAT List
 remark CCP_ACL Category=18
 remark IPSec Rule
 deny   ip 192.168.10.0 0.0.0.31 172.25.0.0 0.0.0.31
 remark IPSec Rule
 deny   ip 192.168.10.0 0.0.0.31 172.16.8.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255
 remark FileZilla FTP Server
 permit tcp host 192.168.10.2 eq ftp any eq ftp
 permit ip any any
!
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.10.0 0.0.0.31 172.16.8.0 0.0.0.255
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.10.0 0.0.0.31 172.25.0.0 0.0.0.31
access-list 103 remark CCP_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.31 172.16.8.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.31 172.25.0.0 0.0.0.31
access-list 103 permit ip 192.168.10.0 0.0.0.31 any
access-list 104 remark CCP_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.10.0 0.0.0.31 172.16.8.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.10.0 0.0.0.31 172.25.0.0 0.0.0.31
access-list 104 permit ip 192.168.10.0 0.0.0.31 any
!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
route-map SDM_RMAP_2 permit 1
 match ip address 104
!
route-map RMAP-NAT permit 10
 match ip address NAT_ACL
!
!
LVL 20

Accepted Solution

by: rauenpc (earned 1200 total points)
ID: 39245770
I don't see anything necessarily wrong with that configuration, but it definitely isn't doing what you are looking for. Here is some sample config to allow www through to an inside device:

! This is one line on the ACL applied to the outside interface.
access-list 105 permit tcp any host 71.13.116.194 eq www

! This is the PAT to do the translation.
ip nat inside source static tcp 192.168.37.31 80 x.x.x.194 80 extendable


On a basic level, that is all that is needed to allow inbound services: a specific allow statement, and a matching NAT entry.
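The accepted answer's rule of thumb (one specific permit on the outside ACL, one matching static NAT entry, with the permit pointing at the public address) is easy to check mechanically. The following Python script is an added example, not code from the thread or from Cisco: it reads a constructed config excerpt and reports permits aimed at private addresses (the original poster's mistake), permits with no static NAT behind them, and static NATs with no permit in front of them. It only understands the two line shapes the answer uses, not the full IOS ACL grammar.

```python
import ipaddress
import re

# Constructed sample (not the thread's config): the first permit repeats the
# original poster's mistake, the second/third lines are the working pattern.
SAMPLE_CONFIG = """
access-list 105 permit udp any host 192.168.10.29 eq tftp
access-list 105 permit tcp any host 71.13.116.194 eq www
ip nat inside source static tcp 192.168.37.31 80 71.13.116.194 80 extendable
ip nat inside source static udp 192.168.10.29 69 71.13.116.194 69 extendable
"""

# Simplified matchers: only the "permit <proto> any host <ip> eq <port>" and
# "ip nat inside source static <proto> ..." shapes from the accepted answer.
ACL_RE = re.compile(r"^access-list \d+ permit (tcp|udp) any host (\S+) eq (\S+)$")
NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
PORT_NAMES = {"www": 80, "tftp": 69, "ftp": 21, "smtp": 25, "domain": 53}


def port_number(token):
    """Resolve an IOS port keyword (www, tftp, ...) or a numeric port."""
    return PORT_NAMES.get(token) or int(token)


def audit(config):
    """Return a list of findings about ACL permit / static NAT pairing."""
    permits, nats, findings = set(), set(), []
    for raw in config.strip().splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            proto, dst, port = m.groups()
            # The outside ACL sees the packet before NAT, so its destination
            # must be the public address, never the inside (private) host.
            if ipaddress.ip_address(dst).is_private:
                findings.append(f"ACL permit targets private address {dst}; use the public NAT address")
            permits.add((proto, dst, port_number(port)))
            continue
        m = NAT_RE.match(line)
        if m:
            proto, _inside, _iport, public, pport = m.groups()
            nats.add((proto, public, int(pport)))
    for entry in sorted(permits - nats):
        findings.append("ACL permit %s/%s:%d has no matching static NAT" % entry)
    for entry in sorted(nats - permits):
        findings.append("static NAT %s/%s:%d has no ACL permit" % entry)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a pasted running-config excerpt, the third kind of finding (a static NAT with no permit) is also the one to watch from an exposure standpoint, since the translation becomes reachable the moment the outside ACL is loosened.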

Author Closing Comment

by:Ross Mccullough
ID: 39250411
Hello, I went back to the CLI and started with a clean sheet of paper, per se, and your statements worked perfectly. Also had to make some adjustments on the Windows computers, because the FW is disabled via GPO but it considered its connection "Work / Private", not domain, hence some of the services were still being blocked, making it look as if the statements weren't working. Thanks again!