07-23-2008 03:53 AM - edited 03-03-2019 10:51 PM
Here's my config. The aim is to allow only VNC and the DVR ports (TCP/UDP 2000, 2002, 2003, 2006, 3001) to 192.168.0.5; all other traffic should be dropped. Can someone help? Thanks
Current configuration : 4067 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret xxx
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid vhwlan
authentication open
guest-mode
wpa-psk ascii 0 s1lv3r2005
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip name-server 194.74.65.68
ip name-server 194.74.65.69
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface ATM0
no ip address
atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
!
ssid vhwlan
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1380
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxx
ppp chap password 0 xxxxxx
crypto map ipsec-remoteoffice
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.0.5.0 255.255.255.0 192.168.0.2
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static udp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static tcp 192.168.0.5 2002 interface Dialer0 2002
ip nat inside source static udp 192.168.0.5 2002 interface Dialer0 2002
ip nat inside source static tcp 192.168.0.5 2003 interface Dialer0 2003
ip nat inside source static udp 192.168.0.5 2003 interface Dialer0 2003
ip nat inside source static tcp 192.168.0.5 2006 interface Dialer0 2006
ip nat inside source static udp 192.168.0.5 2006 interface Dialer0 2006
ip nat inside source static tcp 192.168.0.5 3001 interface Dialer0 3001
ip nat inside source static udp 192.168.0.5 3001 interface Dialer0 3001
ip nat inside source static tcp 192.168.0.5 5900 interface Dialer0 5900
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.2 3389 interface Dialer0 3389
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 10.0.5.0 0.0.0.255
access-list 101 permit tcp any host 192.168.0.5 eq 5900
access-list 103 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 104 permit tcp any host 192.168.0.5 eq 2000
access-list 104 permit udp any host 192.168.0.5 eq 2000
access-list 105 permit tcp any host 192.168.0.5 eq 2002
access-list 105 permit udp any host 192.168.0.5 eq 2002
access-list 106 permit udp any host 192.168.0.5 eq 2003
access-list 106 permit tcp any host 192.168.0.5 eq 2003
access-list 107 permit tcp any host 192.168.0.5 eq 2006
access-list 107 permit udp any host 192.168.0.5 eq 2006
access-list 108 permit udp any host 192.168.0.5 eq 3001
access-list 108 permit tcp any host 192.168.0.5 eq 3001
access-list 109 permit tcp any host 192.168.0.2 eq 3389
07-23-2008 02:59 PM
Try this:
no access-list 101 permit tcp any host 192.168.0.5 eq 5900
no access-list 103 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
no access-list 104 permit tcp any host 192.168.0.5 eq 2000
no access-list 104 permit udp any host 192.168.0.5 eq 2000
no access-list 105 permit tcp any host 192.168.0.5 eq 2002
no access-list 105 permit udp any host 192.168.0.5 eq 2002
no access-list 106 permit udp any host 192.168.0.5 eq 2003
no access-list 106 permit tcp any host 192.168.0.5 eq 2003
no access-list 107 permit tcp any host 192.168.0.5 eq 2006
no access-list 107 permit udp any host 192.168.0.5 eq 2006
no access-list 108 permit udp any host 192.168.0.5 eq 3001
no access-list 108 permit tcp any host 192.168.0.5 eq 3001
no access-list 109 permit tcp any host 192.168.0.2 eq 3389
###### Now suppose you get IP 1.1.1.1 on Dialer0; then, to allow connections inside via Dialer0, use these ACLs #####
access-list 101 permit tcp any host 1.1.1.1 eq 2000
access-list 101 permit tcp any host 1.1.1.1 range 2002 2003
access-list 101 permit tcp any host 1.1.1.1 eq 2006
access-list 101 permit tcp any host 1.1.1.1 eq 3001
access-list 101 permit tcp any host 1.1.1.1 eq 5900
access-list 101 permit tcp any host 1.1.1.1 eq 3389
access-list 101 permit udp any host 1.1.1.1 eq 2000
access-list 101 permit udp any host 1.1.1.1 range 2002 2003
access-list 101 permit udp any host 1.1.1.1 eq 2006
access-list 101 permit udp any host 1.1.1.1 eq 3001
int Dialer0
ip access-group 101 in
07-24-2008 01:24 AM
Do I leave the ip nat inside source static rules in?
07-24-2008 01:59 AM
Yes, that seems OK.
07-24-2008 07:15 AM
Thanks, I did that and all outbound traffic was blocked too. How do I fix that?
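Added example, not code from the thread: a small Python model of how IOS evaluates an extended ACL, run over the answer's ACL 101 and a few constructed inbound packets, to show why the implicit deny at the end of an ACL applied inbound on Dialer0 also drops the replies to sessions the LAN opened. The `established` variant (`ACL_101_EST`), the packet names and the sample ports are assumptions added here; 1.1.1.1 stands in for the negotiated Dialer0 address, as in the answer.

```python
# Added example (not from the thread): minimal model of IOS extended-ACL evaluation.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Ace:
    action: str                               # "permit" or "deny"
    proto: str                                # "ip", "tcp" or "udp"
    dst: str                                  # "any" or a host address
    ports: Optional[Tuple[int, int]] = None   # destination port range (eq N == (N, N))
    established: bool = False                 # IOS 'established': TCP with ACK/RST set

@dataclass
class Packet:
    proto: str
    dst: str
    dport: int
    ack: bool = False                         # ACK bit: set on replies, clear on a new SYN

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    if ace.ports and not ace.ports[0] <= pkt.dport <= ace.ports[1]:
        return False
    return not ace.established or (pkt.proto == "tcp" and pkt.ack)

def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# Placeholder Dialer0 address from the thread's answer. An inbound ACL on the outside
# interface is checked before NAT, so it sees this address, not 192.168.0.5.
WAN_IP = "1.1.1.1"
# The thread's ACL 101 as entries: TCP and UDP to the DVR ports, TCP to VNC and RDP.
ACL_101 = [Ace("permit", p, WAN_IP, r) for p in ("tcp", "udp")
           for r in ((2000, 2000), (2002, 2003), (2006, 2006), (3001, 3001))]
ACL_101 += [Ace("permit", "tcp", WAN_IP, (5900, 5900)), Ace("permit", "tcp", WAN_IP, (3389, 3389))]
# Hypothetical variant: the same entries plus 'permit tcp any host 1.1.1.1 established'.
ACL_101_EST = ACL_101 + [Ace("permit", "tcp", WAN_IP, None, established=True)]
# Constructed packets arriving inbound on Dialer0.
VNC_IN = Packet("tcp", WAN_IP, 5900)                # new VNC connection from outside
DVR_UDP = Packet("udp", WAN_IP, 2003)               # DVR traffic, hit by 'range 2002 2003'
WEB_REPLY = Packet("tcp", WAN_IP, 52344, ack=True)  # SYN-ACK back to a LAN client's browser
DNS_REPLY = Packet("udp", WAN_IP, 51000)            # answer from the configured name server
TELNET_IN = Packet("tcp", WAN_IP, 23)               # unsolicited connection attempt
```

Two things the model makes visible: `established` covers only TCP replies, so UDP answers such as DNS still need a stateful feature (reflexive ACLs or IOS CBAC `ip inspect`) or an explicit permit; and because Dialer0 uses `ip address negotiated`, a `host 1.1.1.1` entry stops matching as soon as the provider assigns a different address.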