I have a subsidiary office A that uses a Cisco 1841 as the internet gateway. No access-lists were applied to the internal or external interface. Now I need to allow a specific external IP from another office B to connect to one of my servers in office A.
I did a NAT as below to allow my server in office A to be accessible from external.
ip nat inside source static tcp 192.168.0.2 3389 188.8.131.52 3389 extendable
I then applied the below access-list 100 to my external interface of the router in office A which faces the internet.
access-list 101 permit tcp host 184.108.40.206 host 220.127.116.11 eq 3389
access-list 101 permit udp any any
access-list 101 permit icmp any any
access-list 101 permit tcp any any established
After the above was done, my internal network in office A could not access the internet, but could ping internet IP addresses.
What is wrong with the above access-list? My objective is to restrict access to my server in office A to 18.104.22.168 only, and to allow all outgoing traffic from my internal network in office A to the internet. Please advise. Thanks in advance.
I am glad to know that adding the permit for TCP 53 was successful in resolving the issue with DNS.
There is an obvious explanation for why your VPN does not work once the access list is applied. For the IPSec VPN to work it requires 2 kinds of traffic to be permitted. It requires ISAKMP to negotiate the working keys, which uses UDP port 500 by default, and this traffic would be permitted by your access list. The VPN also requires ESP, which is IP protocol 50, to carry the encrypted traffic, and this traffic is being denied by your access list. So to fix it you should add a line to your access list which would look something like this:
access-list 101 permit esp host host
or you could simplify it to this:
access-list 101 permit esp any any
Give this a try and let us know how it works.
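To check the answer's reasoning before touching the router, the following is an added example (not from the thread or from Cisco): a simplified, first-match hit-test of the posted access-list 101, with and without the proposed `permit esp` line. It only understands `host`/`any` addresses, `eq <port>` and `established`, and the non-RDP source addresses used in tests are constructed.

```python
from dataclasses import dataclass

# The ACL exactly as posted in the question, evaluated first-match with the
# implicit deny that ends every IOS ACL.
ACL_101 = [
    "access-list 101 permit tcp host 184.108.40.206 host 220.127.116.11 eq 3389",
    "access-list 101 permit udp any any",
    "access-list 101 permit icmp any any",
    "access-list 101 permit tcp any any established",
]
# The fix from the answer, appended so both versions can be compared.
ACL_101_WITH_ESP = ACL_101 + ["access-list 101 permit esp any any"]

@dataclass
class Packet:
    proto: str          # "tcp", "udp", "icmp" or "esp"
    src: str
    dst: str
    dport: int = 0      # ignored for protocols without ports
    ack: bool = False   # ACK/RST set on TCP; what "established" matches

def _parse(line):
    """Return (action, proto, src, dst, port, established) for a host/any ACE."""
    tok = line.split()
    action, proto, i = tok[2], tok[3], 4
    def addr():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return None             # None means "any"
        i += 2                      # "host <ip>"
        return tok[i - 1]
    src, dst = addr(), addr()
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return action, proto, src, dst, port, tok[-1] == "established"

def evaluate(acl, pkt):
    """First matching ACE decides; no match means the implicit deny."""
    for line in acl:
        action, proto, src, dst, port, est = _parse(line)
        if proto != pkt.proto or (src and src != pkt.src) or (dst and dst != pkt.dst):
            continue
        if port is not None and port != pkt.dport:
            continue
        if est and not pkt.ack:
            continue
        return action
    return "deny"
```

Calling `evaluate(ACL_101, Packet("esp", "184.108.40.206", "220.127.116.11"))` returns "deny" while the same packet against `ACL_101_WITH_ESP` returns "permit"; an inbound TCP SYN from an arbitrary host is still denied in both.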