Solved

Cisco 2911 Router Rule Outside to Inside

Posted on 2013-06-13
Last Modified: 2013-06-15
Group, morning, I hope this is a simple question. Using CCP I am trying to allow traffic from the outside into the LAN for some services, but a port scan shows the port closed and the application is not responding to the outside traffic, so I suspect something is still blocking the port. Wanted to see if I missed anything. Firewall is Off. Thanks!

Under ACL -->NAT Rules I have the following:
Action: Permit
Source: any
Destination: 192.168.10.29
Service tftp/udp, dest tftp/udp
Question by: Ross Mccullough
4 Comments
 

Expert Comment

by: rauenpc
ID: 39245375
I believe the destination needs to be the public IP which is nat'd to the private IP. So if you had a nat of 192.168.10.29 --> 1.1.1.1, your rule would have a destination of 1.1.1.1. Also make sure that the source doesn't have a service set in the rule (as only the destination will have the service port numbers) and that you have the proper nat in place.
 

Author Comment

by: Ross Mccullough
ID: 39245625
Rauenpc,
Thanks for the follow-up. I have played with it some more via CCP and am getting nowhere fast. I have included the running config output. I think there are some commands in there that go nowhere, so let me know your thoughts. TY.


ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 97.76.78.217 name DEFAULT_ROUTE
!
ip access-list extended NAT_ACL
 remark Master NAT List
 remark CCP_ACL Category=18
 remark IPSec Rule
 deny   ip 192.168.10.0 0.0.0.31 172.25.0.0 0.0.0.31
 remark IPSec Rule
 deny   ip 192.168.10.0 0.0.0.31 172.16.8.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255
 remark FileZilla FTP Server
 permit tcp host 192.168.10.2 eq ftp any eq ftp
 permit ip any any
!
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.10.0 0.0.0.31 172.16.8.0 0.0.0.255
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.10.0 0.0.0.31 172.25.0.0 0.0.0.31
access-list 103 remark CCP_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.31 172.16.8.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.31 172.25.0.0 0.0.0.31
access-list 103 permit ip 192.168.10.0 0.0.0.31 any
access-list 104 remark CCP_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.10.0 0.0.0.31 172.16.8.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.10.0 0.0.0.31 172.25.0.0 0.0.0.31
access-list 104 permit ip 192.168.10.0 0.0.0.31 any
!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
route-map SDM_RMAP_2 permit 1
 match ip address 104
!
route-map RMAP-NAT permit 10
 match ip address NAT_ACL
!
!
Accepted Solution

by: rauenpc (earned 300 total points)
ID: 39245770
I don't see anything necessarily wrong with that configuration, but it definitely isn't doing what you are looking for. Here is some sample config to allow www through to an inside device

!this is one line on the acl applied to the outside interface.
access-list 105 permit tcp any host 71.13.116.194 eq www

!This is the PAT to do the translation
ip nat inside source static tcp 192.168.37.31 80 x.x.x.194 80 extendable


On a basic level, that is all that is needed to allow inbound services - a specific allow statement, and a matching nat entry.
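The two points made in this thread, that the outside ACL must name the public (translated) address rather than the inside host, and that a static NAT entry must accompany the permit line, can be checked mechanically. The following script is an added example, not code from the thread: it parses `ip nat inside source static` and numbered ACL lines from a constructed config fragment (the TFTP server from the question, an assumed public address 203.0.113.10, and an assumed ACL number 105) and reports what is missing or mis-addressed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample (not the poster's running config): a static PAT for the
# TFTP server from the question, plus two candidate lines for the outside ACL.
SAMPLE_CONFIG = """
ip nat inside source static udp 192.168.10.29 69 203.0.113.10 69 extendable
access-list 105 permit udp any host 192.168.10.29 eq tftp
access-list 105 permit udp any host 203.0.113.10 eq tftp
"""

SERVICE_PORTS = {"www": 80, "ftp": 21, "tftp": 69}  # IOS service names used in ACLs
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NAT_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"access-list (\d+) permit (tcp|udp) any host (\S+) eq (\S+)")

def port_number(token):
    """Translate an IOS service name (tftp, www) or numeric port to an int."""
    return SERVICE_PORTS.get(token) or int(token)

def parse_static_nats(config):
    """Map (proto, public_ip, public_port) -> (private_ip, private_port)."""
    return {(proto, pub, int(pub_port)): (priv, int(priv_port))
            for proto, priv, priv_port, pub, pub_port in NAT_RE.findall(config)}

def parse_acl_permits(config, acl_number):
    """Return the (proto, dest_host, port) tuples a numbered ACL permits."""
    return {(proto, host, port_number(port))
            for num, proto, host, port in ACL_RE.findall(config) if num == acl_number}

def check_inbound_service(config, acl_number, proto, public_ip, port):
    """List what is missing for an outside-to-inside service to work."""
    issues = []
    if (proto, public_ip, port) not in parse_static_nats(config):
        issues.append(f"no static NAT for {proto} {public_ip}:{port}")
    permits = parse_acl_permits(config, acl_number)
    if (proto, public_ip, port) not in permits:
        issues.append(f"ACL {acl_number} does not permit {proto} to {public_ip}:{port}")
    # An inbound ACL on the outside interface is evaluated before NAT, so the
    # packet still carries the public destination; a private host never matches.
    for _, host, _ in sorted(permits):
        if any(ip_address(host) in net for net in RFC1918):
            issues.append(f"ACL {acl_number} permits to private host {host}; use the public IP")
    return issues

if __name__ == "__main__":
    for issue in check_inbound_service(SAMPLE_CONFIG, "105", "udp", "203.0.113.10", 69):
        print(issue)
```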
 

Author Closing Comment

by: Ross Mccullough
ID: 39250411
Hello, I went back to the CLI and started with a clean sheet of paper, per se, and your statements worked perfectly. Also had to make some adjustments on the Windows computers because the FW is disabled via GPO, but it considered its connection "Work / Private" not domain, hence some of the services were still being blocked, making it look as if the statements weren't working. Thanks again!