670 Views, 0 Helpful, 9 Replies

ADSL / NAT (Port Forwarding)

craigrobertson (Level 1)

Hi guys,

Just wondering if someone can please help me with a configuration issue on an 857w router?

I would like to only accept email traffic from two public IP addresses to the internal mail server. I have configured the "ip nat inside source... " command, which works fine; however, is there any way to create an access list on the outside interface? Currently "any" connection is possible to the mail server. I have tried with the access-group command on Dialer0, however as soon as it is applied, I lose all outbound connections from my LAN. The ADSL connection is using Dialer0. I have pasted the relevant config below.

Thanks for any help you can provide.

Regards

Craig

interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
< omitted config >
!
interface Vlan1
 description LAN
 ip address 192.168.x.254 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 description ADSL
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp chap hostname ********
 ppp chap password *******
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.15.12 25 interface Dialer0 25
!
access-list 101 permit ip host 192.168.15.0 any
access-list 101 permit ip any any


9 Replies

paolo bevilacqua (Hall of Fame)

Hello,

Can you explain again what exactly you are trying to limit and which access-list you have tried?

Gday,

All our email comes from two of our anti spam appliances which have public IP addresses. I would like our email to only accept smtp traffic from the two anti spam appliances.

The anti spam servers are offsite in a data centre, all our MX records point to the anti spam appliances which then forward to our public IP address.

We are trying to configure the 857 to only accept SMTP traffic from those two appliances via their public IPs.

I have attempted to create an access list that went something like "access-list 101 permit tcp host x.x.x.x host eq smtp"

When we use "ip access-group 101 in" on the Dialer0 interface, we lose all outbound access from the LAN.

Thanks again for your help

Regards

Craig

paolo bevilacqua (Accepted Solution)

Hi,

the correct ACL would be:

permit tcp host host eq smtp
permit tcp host host eq smtp
deny ip any host eq smtp
permit ip any any

hope this helps, please rate post if it does!

Good morning,

Thanks for your reply. The access list you have given is basically what I originally had. However, how can I apply this to the interface?

As can be seen in my original post (with config), I have an access list for traffic from the LAN to the internet. The access list is applied using the "ip access-group 101 in" on the LAN interface.

How does the same apply to inbound traffic from the internet through the Dialer0 interface, as trying to apply the access-group command to the Dialer0 interface causes all traffic to stop?

Thanks again for your help

regards

Craig

Craig,

You need to create a different ACL, since 101 is used for NAT and perhaps that's the reason it is not working.

Follow Paolo's advice on the ACL syntax. Use ACL 102 for this task. Apply it on the dialer interface.

ip access-group 102 in

should do it.

Good morning,

Thanks for your reply. I have actually used a different access list / group for the Dialer0 interface. However, when applied to the Dialer0 interface, I lose all connectivity to the internet. Removing the "ip access-group in" returns my connectivity immediately.

Please see post below. Post below is using ACL 120. Internet connectivity is not available using this config.

I have configured numerous PIX, and while the commands are slightly different, the idea is still the same. However, I seem to be missing something with regards to the dialer0 config ???? :-)

Thanks again for your help

interface Vlan1
 description LAN
 ip address 192.168.15.254 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 description ADSL
 ip address negotiated
 ip access-group 120 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp chap hostname *****
 ppp chap password 0 ******
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.15.12 25 interface Dialer0 25
!
access-list 101 permit ip host 192.168.15.0 any
access-list 101 permit ip any any
access-list 120 permit tcp host x.x.x.x host x.x.x.x eq smtp
access-list 120 permit tcp host x.x.x.x host x.x.x.x eq smtp

If you look carefully at Paolo's reply, you are missing two vital entries in that ACL.

Your ACL should look like this:

access-list 120 permit tcp host x.x.x.x host x.x.x.x eq smtp
access-list 120 permit tcp host x.x.x.x host x.x.x.x eq smtp
access-list 120 deny tcp any any eq smtp
access-list 120 permit ip any any

The last two entries deny SMTP from other sources, and you need to allow ip any any, else you will get an implicit deny all.
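A complete version of the fix discussed in Paolo's reply and the one above, written out as an added example (it is not config from the original poster or from the replies). The two appliance addresses are not shown anywhere in the thread, so 203.0.113.10 and 203.0.113.11 are placeholders (RFC 5737 documentation space); everything else is taken from the posted config. One point the thread does not spell out: on the NAT "outside" interface an inbound ACL is evaluated before the static NAT rewrites the destination, so the ACL sees the public Dialer0 address, not 192.168.15.12, and because that address is negotiated it can change, so the destination is matched as "any" here rather than hard-coded.

```cisco
! Added example: inbound filter for Dialer0 (not from the original post).
! Assumed placeholders: 203.0.113.10 / 203.0.113.11 = the two anti-spam appliances.
!
! Inbound ACL on the NAT outside interface is checked BEFORE the static NAT
! un-translates the destination, so match on the public side ("any"), never
! on 192.168.15.12.
access-list 120 remark --- inbound from the Internet on Dialer0 ---
access-list 120 permit tcp host 203.0.113.10 any eq smtp
access-list 120 permit tcp host 203.0.113.11 any eq smtp
access-list 120 deny   tcp any any eq smtp log
! Without the next line the list ends in the implicit "deny ip any any",
! which also drops the replies to every NAT-overloaded LAN session
! (the symptom in the thread: all Internet access from the LAN stops).
access-list 120 permit ip any any
!
interface Dialer0
 description ADSL
 ip address negotiated
 ip access-group 120 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
!
! Unchanged from the posted config: the SMTP port forward to the mail server.
ip nat inside source static tcp 192.168.15.12 25 interface Dialer0 25
!
! The posted config also enables "ip http server" / "ip http secure-server".
! With "permit ip any any" inbound, the router's web UI is reachable from the
! Internet; restrict it to the LAN (standard ACL 10 is an assumed number).
access-list 10 permit 192.168.15.0 0.0.0.255
ip http access-class 10
```

To check it, attempt an SMTP connection from a third public address and from one of the appliances, then look at the hit counters with "show ip access-lists 120": the deny line should increment for the third address, the matching permit line for the appliance, and "show logging" will carry the logged denies. The "permit ip any any" line is what keeps the overload NAT working, but it is a blanket allow, not a stateful rule; if the 857's image includes the IOS Firewall feature set, an "ip inspect" policy applied outbound on Dialer0 can admit only the return traffic of LAN-initiated sessions and the final line can become a deny.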

Sorry guys, my bad. I didn't read those last two lines.

Thanks very much for the help. My apologies for dragging it out :-) should have read Paolo's config more closely.

Thanks again guys,

Regards

Craig

Thanks for the nice rating and good luck!

I will use big lettering to emphasize important points next time :)
