Solved

Cisco 2911 Router Rule Outside to Inside

Posted on 2013-06-13
724 Views
Last Modified: 2013-06-15
Group, morning, I hope this is a simple question. Using CCP I am trying to allow traffic from the outside into the LAN for some services, but a port scan shows the port closed; the application is not responding to the outside traffic, so I suspect something is still blocking the port. Wanted to see if I missed anything. Firewall is Off. Thanks!

Under ACL -->NAT Rules I have the following:
Action: Permit
Source: any
Destination: 192.168.10.29
Service tftp/udp, dest tftp/udp
Question by: Ross Mccullough
4 Comments
Expert Comment by: rauenpc (LVL 20)
I believe the destination needs to be the public IP which is NAT'd to the private IP. So if you had a NAT of 192.168.10.29 --> 1.1.1.1, your rule would have a destination of 1.1.1.1. Also make sure that the source doesn't have a service set in the rule (as only the destination will have the service port numbers) and that you have the proper NAT in place.
Author Comment by: Ross Mccullough
Rauenpc,
Thanks for the follow-up. I have played with it some more via CCP and am getting nowhere fast. I have included the running config output. I think there are some commands in there that go nowhere, so let me know your thoughts. TY.


ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 97.76.78.217 name DEFAULT_ROUTE
!
ip access-list extended NAT_ACL
 remark Master NAT List
 remark CCP_ACL Category=18
 remark IPSec Rule
 deny   ip 192.168.10.0 0.0.0.31 172.25.0.0 0.0.0.31
 remark IPSec Rule
 deny   ip 192.168.10.0 0.0.0.31 172.16.8.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255
 remark FileZilla FTP Server
 permit tcp host 192.168.10.2 eq ftp any eq ftp
 permit ip any any
!
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.10.0 0.0.0.31 172.16.8.0 0.0.0.255
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.10.0 0.0.0.31 172.25.0.0 0.0.0.31
access-list 103 remark CCP_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.31 172.16.8.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.31 172.25.0.0 0.0.0.31
access-list 103 permit ip 192.168.10.0 0.0.0.31 any
access-list 104 remark CCP_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.10.0 0.0.0.31 172.16.8.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.10.0 0.0.0.31 172.25.0.0 0.0.0.31
access-list 104 permit ip 192.168.10.0 0.0.0.31 any
!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
route-map SDM_RMAP_2 permit 1
 match ip address 104
!
route-map RMAP-NAT permit 10
 match ip address NAT_ACL
!
!
Accepted Solution by: rauenpc (LVL 20), earned 300 total points
I don't see anything necessarily wrong with that configuration, but it definitely isn't doing what you are looking for. Here is some sample config to allow www through to an inside device:

!this is one line on the acl applied to the outside interface.
access-list 105 permit tcp any host 71.13.116.194 eq www

!This is the PAT to do the translation
ip nat inside source static tcp 192.168.37.31 80 x.x.x.194 80 extendable
On a basic level, that is all that is needed to allow inbound services - a specific allow statement, and a matching nat entry.
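The accepted answer comes down to one rule: on IOS the inbound ACL on the outside interface is evaluated before outside-to-inside NAT, so the ACL must permit the global (public) address, and a matching static NAT must exist. As an added example (not from the thread, not a Cisco tool), the following Python audit reads a running-config excerpt and flags exactly those two mistakes. The config text is constructed for the example and uses the 203.0.113.0/24 documentation range; the regexes only cover the `access-list N permit ... any host X eq Y` and `ip nat inside source static` forms used in the answer.

```python
import re

# Constructed sample running-config (not from the thread): a correct www pair,
# a TFTP permit that names the inside (private) address, and an FTP NAT with no permit.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 ip access-group 105 in
 ip nat outside
ip nat inside source static tcp 192.168.37.31 80 203.0.113.194 80 extendable
ip nat inside source static udp 192.168.10.29 69 203.0.113.194 69 extendable
ip nat inside source static tcp 192.168.10.2 21 203.0.113.194 21 extendable
access-list 105 permit tcp any host 203.0.113.194 eq www
access-list 105 permit udp any host 192.168.10.29 eq tftp
"""

PORT_NAMES = {"www": 80, "tftp": 69, "ftp": 21}  # IOS keywords accepted after 'eq'
NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", re.M)
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any host (\S+) eq (\S+)", re.M)
GROUP_RE = re.compile(r"^\s+ip access-group (\S+) in")

def port_number(token):
    return int(token) if token.isdigit() else PORT_NAMES[token]

def outside_inbound_acl(config):
    """Name/number of the ACL applied inbound on the interface marked 'ip nat outside'."""
    current = None
    for line in config.splitlines():
        if line.startswith("interface"):
            current = None
        elif m := GROUP_RE.match(line):
            current = m.group(1)
        elif line.strip() == "ip nat outside":
            return current

def audit(config):
    """Return findings explaining why an inbound static NAT will not be reachable."""
    acl = outside_inbound_acl(config)
    nats = [(p, loc, int(lp), glob, int(gp)) for p, loc, lp, glob, gp in NAT_RE.findall(config)]
    permits = [(p, host, port_number(port)) for a, p, host, port in ACL_RE.findall(config) if a == acl]
    findings = []
    # 1) every static NAT needs a permit on the outside ACL for its GLOBAL address/port
    for proto, local, lport, glob, gport in nats:
        if (proto, glob, gport) not in permits:
            findings.append(f"ACL {acl}: no permit for {proto}/{gport} to global {glob} (translated to {local}:{lport})")
    # 2) a permit to the inside-local address never matches, because the ACL runs before NAT
    for proto, host, port in permits:
        if any((proto, host, port) == (p, loc, lp) for p, loc, lp, _, _ in nats):
            findings.append(f"ACL {acl}: permit to inside address {host} {proto}/{port} is checked before NAT; use the global address")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the TFTP and FTP entries and leaves the www pair alone, which mirrors the fix rauenpc describes.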
Author Closing Comment by: Ross Mccullough
Hello, I went back to the CLI and started with a clean sheet of paper, per se, and your statements worked perfectly. Also had to make some adjustments on the Windows computers because the FW is disabled via GPO but it considered its connection "Work / Private", not domain, hence some of the services were still being blocked, making it look as if the statements weren't working. Thanks again!