11-21-2013 07:26 AM - edited 03-11-2019 08:07 PM
Hi,
I have a Cisco 887 behind my ISP modem.
I've set up an inbound NAT rule to route port 3389 to a server.
How can I set up the firewall to allow only the IP addresses I've added in the rule?
Below you'll find my configuration:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco877
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$Zw/5$a5r6xtBQsVR40v27N1uBP/
!
no aaa new-model
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3329446285
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3329446285
revocation-check none
rsakeypair TP-self-signed-3329446285
!
!
crypto pki certificate chain TP-self-signed-3329446285
certificate self-signed 01
quit
dot11 syslog
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool sdm-pool1
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 195.238.2.21
!
!
no ip bootp server
!
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface FastEthernet0
description WAN_Link
switchport access vlan 2
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface Vlan2
ip address 192.168.254.2 255.255.255.0
ip nat outside
ip virtual-reassembly
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.254.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface Vlan2 overload
ip nat inside source static tcp 192.168.0.10 3389 192.168.254.2 3389 extendable
!
logging trap debugging
access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
!
!
!
!
control-plane
!
banner login ^CCCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
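One way to do the source filtering on the 887 itself rather than in Windows Firewall, as an added example that is not from the thread: an inbound ACL on the outside interface Vlan2, plus CBAC inspection so replies to LAN-initiated sessions still get back in. The two permitted source addresses are placeholders, and the `ip inspect` commands assume the Advanced Security feature set is installed.

```cisco
! Added example, not part of the original post.
! Assumed trusted RDP sources (placeholders): 203.0.113.10 and 198.51.100.0/24.
! On the outside interface the inbound ACL is checked before the static NAT
! rewrites the destination, so match the outside address 192.168.254.2,
! not the server's 192.168.0.10.
!
! Stateful inspection of LAN-originated sessions; return packets are
! admitted dynamically instead of needing permit lines in WAN_IN.
ip inspect name LAN_OUT tcp
ip inspect name LAN_OUT udp
ip inspect name LAN_OUT icmp
!
ip access-list extended WAN_IN
 remark RDP only from the listed sources, to the NAT outside address
 permit tcp host 203.0.113.10 host 192.168.254.2 eq 3389
 permit tcp 198.51.100.0 0.0.0.255 host 192.168.254.2 eq 3389
 deny   tcp any host 192.168.254.2 eq 3389 log
 remark anti-spoofing: outside packets must not carry the LAN range
 deny   ip 192.168.0.0 0.0.0.255 any
 remark anything not opened by inspection is dropped and logged
 deny   ip any any log
!
interface Vlan2
 ip inspect LAN_OUT out
 ip access-group WAN_IN in
```

Verify with `show ip access-lists WAN_IN` (hit counts on the permit and deny lines) and `show ip inspect sessions`; if every RDP attempt shows up with source 192.168.254.1, the ISP modem is rewriting the source address and per-source filtering on the router is not possible.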
11-21-2013 07:32 AM
Your WAN IP address is private; you need to configure NAT or port forwarding on your ISP device.
Value our effort and rate the assistance!
11-21-2013 07:42 AM
Hi,
NAT/port forwarding is already set up on my ISP device. The ISP forwards all traffic to the Cisco.
I have now excluded some IP addresses in Windows Firewall, but I want to do this in the Cisco.
11-21-2013 07:40 AM
Instead of configuring NAT on the ISP-device as suggested by jumora, I would do it differently: Reconfigure the ISP-modem to be a real modem (at the moment it is configured as a router) so that you have your public IP on the router. Then you can control firewalling and NAT completely on the router.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-21-2013 07:43 AM
The ISP modem cannot be configured, because the ISP has blocked access to this device. That's why they have forwarded all traffic to my Cisco.
11-21-2013 08:55 AM
Check the logs; if you don't see attempts getting to the ASA, then traffic is not being forwarded.
11-25-2013 07:01 AM
Hi,
RDP traffic is forwarded to the server through the ISP modem and Cisco.
I want to add a rule so that RDP is firewalled in the Cisco and not with Windows Firewall.
11-25-2013 07:08 AM
Ok Joost,
If you don't check the logs and you don't see hit counts on the ACL, then traffic is not getting to the router, but you need to follow instructions so we can help you out. Did you check the logs?
If you need assistance and maybe our instructions are not helping you out, you should open a TAC case.