09-23-2008 02:26 AM - edited 03-03-2019 11:39 PM
Hi,
I have a guest ADSL line at work for people needing full access to the internet. It's on a Cisco 877 and the config is below. Thing is I need to provide 3389 to a PC on the guest network, however when I apply "ip access-list 101 in" to dialer 1, the internet doesn't work.
I need users to access anything they want, but allow 1.2.3.4 to access 10.0.0.108 on 3389.
When I enable access-list 101 on the dialer I get lots of deny errors on ports 53 for DNS and 80 for HTTP.
ADSL#sh run
Building configuration...
Current configuration : 2753 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ADSL
!
boot-start-marker
boot-end-marker
!
logging buffered 8192 notifications
enable password 7 *
!
no aaa new-model
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.10
!
ip dhcp pool client
import all
network 10.0.0.0 255.255.255.0
default-router 10.0.0.2
lease 0 2
!
!
no ip cef
ip domain name guestdomain.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
username * password 7 *
!
!
ip tftp source-interface Ethernet0
ip ssh version 2
!
!
!
!
interface Ethernet0
ip address 10.0.0.2 255.255.255.0
no ip unreachables
ip nat inside
ip virtual-reassembly
hold-queue 100 out
!
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
interface ATM0
no ip address
no ip unreachables
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
cdp enable
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
no ip unreachables
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname *
ppp chap password 7 *
ppp pap sent-username * password 7 *
ppp ipcp dns request
ppp ipcp wins request
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.0.0.108 3389 interface Dialer1 3389
!
logging trap notifications
logging facility local4
logging source-interface Ethernet0
access-list 50 permit 1.2.3.4
access-list 101 permit tcp host 1.2.3.4 any eq 3389 log
access-list 101 permit udp host 194.74.65.69 eq domain any
access-list 101 permit udp host 194.72.9.34 eq domain any
access-list 101 deny ip any any log
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
banner login ^C Authorised access only! Disconnect IMMEDIATELY if you are not an authorised user! ^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 50 in
exec-timeout 5 0
login local
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
end
ADSL#
09-23-2008 09:14 AM
Hello Andy,
your acl 101 should be reviewed:
first of all it is applied inbound to the nat outside interface:
dialer1 is the L3 interface to the internet
so to allow web surfing you need to add, before the last line:
access-list 101 permit tcp any eq 80 any
because the well-known port is on the server side
for DNS to work
access-list 101 permit udp any eq 53 any
for the same reason but this is already present for two specific servers
Try changing the ACL as I suggested above and give it a try.
Hope to help
Giuseppe
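To show concretely why the reply above works, here is an added example (not from the thread or from Cisco) that evaluates the posted access-list 101, and the amended one, against constructed packets arriving inbound on Dialer1; the public address 203.0.113.10 and the 198.51.100.x remote hosts are assumed placeholders.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"
Packet = namedtuple("Packet", "proto src sport dst dport")

def ace(action, proto, src, sport, dst, dport):
    """One access-list entry; a port of None means 'any port'."""
    return (action, proto, ip_network(src), sport, ip_network(dst), dport)

# access-list 101 exactly as it appears in the posted config
ORIGINAL_101 = [
    ace("permit", "tcp", "1.2.3.4/32", None, ANY, 3389),
    ace("permit", "udp", "194.74.65.69/32", 53, ANY, None),
    ace("permit", "udp", "194.72.9.34/32", 53, ANY, None),
    ace("deny", "ip", ANY, None, ANY, None),
]

# Giuseppe's two return-traffic permits inserted before the final deny
FIXED_101 = ORIGINAL_101[:-1] + [
    ace("permit", "tcp", ANY, 80, ANY, None),
    ace("permit", "udp", ANY, 53, ANY, None),
    ORIGINAL_101[-1],
]

def evaluate(acl, pkt):
    """First match wins, as on IOS; anything unmatched hits the implicit deny."""
    for action, proto, src, sport, dst, dport in acl:
        if (proto in ("ip", pkt.proto)
                and ip_address(pkt.src) in src and ip_address(pkt.dst) in dst
                and sport in (None, pkt.sport) and dport in (None, pkt.dport)):
            return action
    return "deny"

# Constructed packets as seen inbound on Dialer1, i.e. before NAT rewrites them.
# PUBLIC is an assumed placeholder for the address negotiated on Dialer1.
PUBLIC = "203.0.113.10"
SAMPLES = {
    "rdp_from_1.2.3.4": Packet("tcp", "1.2.3.4", 50000, PUBLIC, 3389),
    "rdp_from_other": Packet("tcp", "198.51.100.7", 50000, PUBLIC, 3389),
    "http_reply": Packet("tcp", "198.51.100.80", 80, PUBLIC, 40001),
    "dns_reply_listed": Packet("udp", "194.74.65.69", 53, PUBLIC, 40002),
    "dns_reply_other": Packet("udp", "198.51.100.53", 53, PUBLIC, 40003),
}

def results(acl):
    """Map each sample packet to the action ACL `acl` takes on it."""
    return {name: evaluate(acl, p) for name, p in SAMPLES.items()}
```

A permit keyed on source port 80 or 53 admits any packet that merely claims that source port, so it is a coarse substitute for connection state; where the router's IOS 12.4 image supports it, `ip inspect` (CBAC) on Dialer1 handles return traffic statefully while the ACL stays strict.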