Allow DVR ports

Unanswered Question
Jul 23rd, 2008

Here's my config. The aim is to allow only VNC and the DVR ports (TCP/UDP 2000, 2002, 2003, 2006, 3001) to 192.168.0.5; all other traffic should be dropped. Can someone help? Thanks

Current configuration : 4067 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret xxx
!
no aaa new-model
!
dot11 syslog
!
dot11 ssid vhwlan
 authentication open
 guest-mode
 wpa-psk ascii 0 s1lv3r2005
!
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip name-server 194.74.65.68
ip name-server 194.74.65.69
!
archive
 log config
  hidekeys
!
bridge irb
!
interface ATM0
 no ip address
 atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 ssid vhwlan
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1380
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxxxxx
 ppp chap password 0 xxxxxx
 crypto map ipsec-remoteoffice
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.0.5.0 255.255.255.0 192.168.0.2
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static udp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static tcp 192.168.0.5 2002 interface Dialer0 2002
ip nat inside source static udp 192.168.0.5 2002 interface Dialer0 2002
ip nat inside source static tcp 192.168.0.5 2003 interface Dialer0 2003
ip nat inside source static udp 192.168.0.5 2003 interface Dialer0 2003
ip nat inside source static tcp 192.168.0.5 2006 interface Dialer0 2006
ip nat inside source static udp 192.168.0.5 2006 interface Dialer0 2006
ip nat inside source static tcp 192.168.0.5 3001 interface Dialer0 3001
ip nat inside source static udp 192.168.0.5 3001 interface Dialer0 3001
ip nat inside source static tcp 192.168.0.5 5900 interface Dialer0 5900
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.2 3389 interface Dialer0 3389
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 10.0.5.0 0.0.0.255
access-list 101 permit tcp any host 192.168.0.5 eq 5900
access-list 103 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 104 permit tcp any host 192.168.0.5 eq 2000
access-list 104 permit udp any host 192.168.0.5 eq 2000
access-list 105 permit tcp any host 192.168.0.5 eq 2002
access-list 105 permit udp any host 192.168.0.5 eq 2002
access-list 106 permit udp any host 192.168.0.5 eq 2003
access-list 106 permit tcp any host 192.168.0.5 eq 2003
access-list 107 permit tcp any host 192.168.0.5 eq 2006
access-list 107 permit udp any host 192.168.0.5 eq 2006
access-list 108 permit udp any host 192.168.0.5 eq 3001
access-list 108 permit tcp any host 192.168.0.5 eq 3001
access-list 109 permit tcp any host 192.168.0.2 eq 3389

dhananjoy chowdhury Wed, 07/23/2008 - 14:59

try this

no access-list 101 permit tcp any host 192.168.0.5 eq 5900
no access-list 103 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
no access-list 104 permit tcp any host 192.168.0.5 eq 2000
no access-list 104 permit udp any host 192.168.0.5 eq 2000
no access-list 105 permit tcp any host 192.168.0.5 eq 2002
no access-list 105 permit udp any host 192.168.0.5 eq 2002
no access-list 106 permit udp any host 192.168.0.5 eq 2003
no access-list 106 permit tcp any host 192.168.0.5 eq 2003
no access-list 107 permit tcp any host 192.168.0.5 eq 2006
no access-list 107 permit udp any host 192.168.0.5 eq 2006
no access-list 108 permit udp any host 192.168.0.5 eq 3001
no access-list 108 permit tcp any host 192.168.0.5 eq 3001
no access-list 109 permit tcp any host 192.168.0.2 eq 3389

###### Now suppose you get the IP 1.1.1.1 on Dialer0; then, to allow connections inside via Dialer0, use these ACLs #####

access-list 101 permit tcp any host 1.1.1.1 eq 2000
access-list 101 permit tcp any host 1.1.1.1 range 2002 2003
access-list 101 permit tcp any host 1.1.1.1 eq 2006
access-list 101 permit tcp any host 1.1.1.1 eq 3001
access-list 101 permit tcp any host 1.1.1.1 eq 5900
access-list 101 permit tcp any host 1.1.1.1 eq 3389
access-list 101 permit udp any host 1.1.1.1 eq 2000
access-list 101 permit udp any host 1.1.1.1 range 2002 2003
access-list 101 permit udp any host 1.1.1.1 eq 2006
access-list 101 permit udp any host 1.1.1.1 eq 3001

int Dialer0
ip access-group 101 in

crmljc1976 Thu, 07/24/2008 - 07:15

Thanks, I did that and all outbound traffic was blocked too. How do I fix that?
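The symptom in the last reply follows from how IOS numbered ACLs work: they are stateless and evaluated first-match with an implicit `deny ip any any` at the end, so an ACL applied inbound on Dialer0 that only permits the forwarded ports also drops the return packets of every session the LAN opens outbound (inbound ACL on the NAT outside interface is also checked before translation, which is why the reply matches on the Dialer0 address rather than 192.168.0.5). The following Python script is an added example, not code from the thread or from Cisco: it parses the subset of ACL syntax the reply uses (`any`, `host`, wildcard, `eq`, `range`) plus the `established` keyword, evaluates the reply's ACL 101 against constructed sample packets, and then repeats the evaluation with an assumed extra entry `permit tcp any any established`. The source addresses 203.0.113.9 and 198.51.100.7 and all port numbers below 1024 on the source side are constructed sample values.

```python
"""Stateless, first-match evaluation of an IOS extended ACL (added example).

Models only the keywords used in the thread: any | host A.B.C.D | A.B.C.D WILDCARD
for addresses, eq/range for destination ports, and 'established' (matches TCP
segments with ACK or RST set). No match means the implicit deny.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

Addr = Tuple[int, int]  # (address, wildcard mask) as 32-bit ints; any = (0, 0xFFFFFFFF)


@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    ack_set: bool = False  # TCP ACK/RST flag present (what 'established' checks)


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp" or "ip"
    src: Addr
    dst: Addr
    ports: Optional[Tuple[int, int]]  # inclusive destination-port range, None = any
    established: bool


def _addr(t: List[str], i: int) -> Tuple[Addr, int]:
    """Parse an address spec starting at t[i]; return (spec, next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(IPv4Address(t[i + 1])), 0), i + 2
    return (int(IPv4Address(t[i])), int(IPv4Address(t[i + 1]))), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list <n> permit|deny <proto> <src> <dst> [eq|range] [established]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an ACL entry: {line!r}")
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    ports: Optional[Tuple[int, int]] = None
    established = False
    while i < len(t):
        if t[i] == "eq":
            ports, i = (int(t[i + 1]), int(t[i + 1])), i + 2
        elif t[i] == "range":
            ports, i = (int(t[i + 1]), int(t[i + 2])), i + 3
        elif t[i] == "established":
            established, i = True, i + 1
        else:
            raise ValueError(f"unsupported keyword {t[i]!r} in {line!r}")
    return Ace(t[2], t[3], src, dst, ports, established)


def _match_addr(spec: Addr, ip: str) -> bool:
    addr, wild = spec  # wildcard bit 1 = don't care
    return (int(IPv4Address(ip)) & ~wild & 0xFFFFFFFF) == (addr & ~wild & 0xFFFFFFFF)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry decides; falling off the end is the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (_match_addr(ace.src, pkt.src) and _match_addr(ace.dst, pkt.dst)):
            continue
        if ace.ports is not None and not (ace.ports[0] <= pkt.dport <= ace.ports[1]):
            continue
        if ace.established and not (pkt.proto == "tcp" and pkt.ack_set):
            continue
        return ace.action
    return "deny"


# ACL 101 exactly as proposed in the reply (Dialer0 address 1.1.1.1).
REPLY_ACL = [parse_ace(l) for l in """
access-list 101 permit tcp any host 1.1.1.1 eq 2000
access-list 101 permit tcp any host 1.1.1.1 range 2002 2003
access-list 101 permit tcp any host 1.1.1.1 eq 2006
access-list 101 permit tcp any host 1.1.1.1 eq 3001
access-list 101 permit tcp any host 1.1.1.1 eq 5900
access-list 101 permit tcp any host 1.1.1.1 eq 3389
access-list 101 permit udp any host 1.1.1.1 eq 2000
access-list 101 permit udp any host 1.1.1.1 range 2002 2003
access-list 101 permit udp any host 1.1.1.1 eq 2006
access-list 101 permit udp any host 1.1.1.1 eq 3001
""".strip().splitlines()]

# Assumed fix for the TCP return traffic: the same ACL plus an 'established' entry.
ESTABLISHED_ACL = REPLY_ACL + [parse_ace("access-list 101 permit tcp any any established")]

# Constructed packets as seen inbound on Dialer0, i.e. before NAT, so the
# destination is the public address rather than 192.168.0.5.
PACKETS: Dict[str, Packet] = {
    "inbound VNC connect to DVR host": Packet("tcp", "203.0.113.9", "1.1.1.1", 51000, 5900),
    "inbound connect to an unforwarded port": Packet("tcp", "203.0.113.9", "1.1.1.1", 51001, 22),
    "reply to LAN-initiated HTTP (SYN-ACK)": Packet("tcp", "198.51.100.7", "1.1.1.1", 80, 40000, ack_set=True),
    "reply to LAN-initiated DNS query": Packet("udp", "194.74.65.68", "1.1.1.1", 53, 40001),
}


def decisions(acl: List[Ace]) -> Dict[str, str]:
    """Decision per sample packet for the given ACL."""
    return {name: evaluate(acl, p) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("reply's ACL 101", REPLY_ACL), ("with 'established'", ESTABLISHED_ACL)):
        print(label)
        for name, verdict in decisions(acl).items():
            print(f"  {verdict:6}  {name}")
```

Run as is, the first table shows the reported behaviour: the VNC connection is permitted but the HTTP SYN-ACK and the DNS reply for LAN-initiated sessions both hit the implicit deny. The `established` entry only rescues TCP replies; the UDP DNS reply is still dropped, which is why a stateless ACL needs either explicit entries for the UDP services the LAN uses or a stateful mechanism (IOS reflexive ACLs or `ip inspect` on the outbound direction) in front of the inbound deny.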
