Solved: IOS Firewall Feature set - How to allow incoming traffic?

jilahbg · ‎02-02-2007

Hello

I have a C800-router that connects a local office LAN to internet. It?s configured like this

interface FastEthernet4

description $ES_WAN$$FW_OUTSIDE$

ip address <yadayada>

ip access-group Outside_ACL_in2 in

ip nat outside

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

ip address 192.168.16.1 255.255.255.0

ip access-group Inside_ACL_in in

ip nat inside

!

ip nat inside source route-map NAT_RMAP_1 interface Dialer0 overload

(route map NAT_RMAP_1 is an ACL for split-tunneling, denying traffic going into a VPN-tunnel, everything else is nat:ed)

Now: I need to allow connections from internet (tcp/3389 and tcp/5900) to the outside ip address to be translated and forwarded to the inside host 192.168.16.100.

I am more used to pix/asa:s, and there I should simply add a few static and permit the traffic in the outside acl.

But, how do I do this in IOS?

Thanks for your help!

Regards jimmy

Collin Clark · ‎02-02-2007

Jimmy-

These are equivalent to 'statics' on PIX/ASA.

ip nat inside source static tcp 192.168.16.100 3389 3389

ip nat inside source static tcp 192.168.16.100 5900 5900

You will still need to give access via the ACL.

HTH and please rate.

View solution in original post

Collin Clark · ‎02-02-2007

Jimmy-

These are equivalent to 'statics' on PIX/ASA.

ip nat inside source static tcp 192.168.16.100 3389 3389

ip nat inside source static tcp 192.168.16.100 5900 5900

You will still need to give access via the ACL.

HTH and please rate.

jilahbg · ‎02-03-2007

Great. Thanks a lot!

Just to be sure... I assume I will permit traffic to the outside IP (not the NAT:ed one) in the outside acl, just the way it works in Pix/ASA?

Best Regards

Jimmy

Collin Clark · ‎02-05-2007

Yes.