Hi,
This has to be an easy one...
I have it connected to DSL on a subnet 255.255.255.248.
The main IP (113) needs to be stealthed with ssh open, 114 needs Asterisk on tcp 5060 open, everything else stealthed, and 118 has a web server.
After 10 very difficult days with a new 877, I still cannot get the firewall into stealth mode with all ports closed. Also, I cannot seem to allow any port 80 or 5060 traffic in.
The bits of my config are:
interface Dialer0
 description Internet
 ip address 1.2.3.113 255.255.255.248
 ip access-group 150 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname mylogin@adsllogin.co.uk
 ppp chap password 7 mypassword
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.7.114 5060 1.2.3.114 5060 extendable
ip nat inside source static tcp 192.168.7.118 80 1.2.3.118 80 extendable
logging trap debugging
access-list 1 remark NAT ACCESS
access-list 1 permit 192.168.7.0 0.0.0.255
access-list 23 remark MANAGEMENT LIST
access-list 23 permit 192.168.7.0 0.0.0.255
access-list 150 remark INBOUND CONNECTIONS
access-list 150 permit tcp any host 1.2.3.118 eq www
access-list 150 permit ip any host 1.2.3.114
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 172.16.0.0 0.15.255.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip host 255.255.255.255 any
access-list 150 deny ip host 0.0.0.0 any
access-list 150 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
(I still cannot find any docs on cisco.com that are in any way comprehensible)
BTW, SDM doesn't seem to work, so I am forced into the rather cryptic CLI.
Thanks,
David
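Not part of David's post: an added Python toy that evaluates packets against an IOS-style numbered extended ACL the way the router does (top-down, first match wins, implicit deny at the end of the list). It runs the posted access-list 150 next to a reordered variant that has no trailing `permit ip any any`; that variant, the probe packets and the 203.0.113.9 source address are my constructed assumptions, not a reply from the thread. It shows why the posted list leaves every port reachable (the final permit cancels the implicit deny) and why the anti-spoofing denies need to come before the permits (a packet from 10/8 to the web server currently matches the `eq www` permit first).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords IOS accepts after 'eq'; numeric ports are allowed as well.
PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "telnet": 23}


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    ack: bool = False            # reply segment (ACK/RST set), used by 'established'


@dataclass(frozen=True)
class Ace:
    text: str
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None means any destination port
    established: bool = False


def _addr(tokens, i):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverse masks; ipaddress accepts them as hostmasks.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config: str):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [established]' lines."""
    aces = []
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
            continue
        action, proto = t[2], t[3]
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport, established = None, False
        while i < len(t):
            if t[i] == "eq":
                p = t[i + 1]
                dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
                i += 2
            elif t[i] == "established":
                established, i = True, i + 1
            else:
                raise ValueError(f"unsupported keyword {t[i]!r} in: {line}")
        aces.append(Ace(line.strip(), action, proto, src, dst, dport, established))
    return aces


def evaluate(aces, pkt: Packet):
    """Return (action, matching entry): first matching entry wins, else implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.established and not pkt.ack:
            continue
        return ace.action, ace.text
    return "deny", "(implicit deny at end of list)"


# access-list 150 exactly as posted.
POSTED_ACL = """
access-list 150 permit tcp any host 1.2.3.118 eq www
access-list 150 permit ip any host 1.2.3.114
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 172.16.0.0 0.15.255.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip host 255.255.255.255 any
access-list 150 deny ip host 0.0.0.0 any
access-list 150 permit ip any any
"""

# Constructed alternative (assumption, not from the thread): anti-spoofing denies first,
# then only the three advertised services, then TCP replies to the NAT overload address,
# and no trailing 'permit ip any any' so the implicit deny does the stealthing.
TIGHTENED_ACL = """
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 172.16.0.0 0.15.255.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip host 255.255.255.255 any
access-list 150 deny ip host 0.0.0.0 any
access-list 150 permit tcp any host 1.2.3.113 eq 22
access-list 150 permit tcp any host 1.2.3.114 eq 5060
access-list 150 permit tcp any host 1.2.3.118 eq www
access-list 150 permit tcp any host 1.2.3.113 established
"""

# Constructed probes; 203.0.113.9 (documentation range) stands in for an Internet host.
PROBES = {
    "web to .118": Packet("tcp", "203.0.113.9", "1.2.3.118", 80),
    "ssh to .113": Packet("tcp", "203.0.113.9", "1.2.3.113", 22),
    "telnet probe .113": Packet("tcp", "203.0.113.9", "1.2.3.113", 23),
    "udp sip to .114": Packet("udp", "203.0.113.9", "1.2.3.114", 5060),
    "spoofed 10/8 to web": Packet("tcp", "10.1.1.1", "1.2.3.118", 80),
}


def compare():
    """Decision of each list for every probe: {name: (posted_action, tightened_action)}."""
    posted, tight = parse_acl(POSTED_ACL), parse_acl(TIGHTENED_ACL)
    return {n: (evaluate(posted, p)[0], evaluate(tight, p)[0]) for n, p in PROBES.items()}
```

Two caveats the comparison makes visible. First, the `established` line only covers TCP replies to the router's own address, so UDP replies for NAT'd inside hosts (DNS, for example) would still be dropped; on an image with the IOS firewall feature set, `ip inspect` (CBAC) is the stateful way to admit return traffic instead. Second, the tightened list drops UDP 5060 because the post specifies tcp; SIP signalling very commonly runs over UDP 5060, so confirm which transport the Asterisk box actually listens on before settling the protocol in both the ACL and the static NAT entry.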