Sorry it's taken so long to get back to you, but I want to deny traffic with the same address as a source (spoofed traffic) and I want to allow SSH to it (this is only temporary, until I can get my OpenVPN server working correctly). Which brings me to another question: if I put the ip nat inside static commands on (forwarding the ports for OpenVPN) and permit access for those ports to my server (i.e. permit tcp any host 192.168.0.5 eq 1194), will it permit it or not? I ask this because my VPN client will obviously be targeting the external address, so without an access-list to permit that to the interface, does the NAT rule combined with the ACL permit allow it through (and I really don't want to put any as the destination)? Or is that what you are telling me, halijenn?
For SSH access to the router, you can configure a standard access-list and assign it to "line vty" to only allow specific IP addresses to SSH into the router.
For port forwarding, the NAT statement will port-forward traffic coming to the interface on a specific port, hence even if you configure an access-list to permit to destination any with the port number, it will only allow inbound traffic towards the one server that you configure the NAT translation on. Even if you configure a "permit ip any any" ACL, if you do not have a NAT translation for it, traffic won't be able to traverse in.
I've got everything else working (including SSH from my internal network), so I'm only posting configs directly related to the issues I want to resolve (i.e. trying to keep it short, sweet and to the point)...
So my NAT rules will need to be as follows; are they correct (I also want 443 to that as well)?
ip nat inside source list 102 interface FastEthernet0/1 overload
If I apply 103 to my line vty then I'll have to add my private network as well, so I'll just want to add permit tcp "work's public IP" any eq ssh to my inboundfilters access-list, then not put the access-group 103 on the external interface, and add the line permit tcp 192.168.0.0 0.0.0.255 any eq ssh to ACL 103 (I'll have to make it extended, of course).
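The following is an added example of the pieces halijenn describes (a standard ACL on the vty lines for SSH, static port forwards for the OpenVPN server, an inbound filter with an anti-spoofing deny); it is not the original poster's configuration or any reply in the thread. It keeps the thread's FastEthernet0/1 outside interface and 192.168.0.5 server, and assumes a public address of 203.0.113.10 for that interface and 198.51.100.7 as "work's public IP" (both documentation-range placeholders), plus named ACLs instead of the numbered 102/103. One point a practitioner will want on record: an inbound ACL on the outside interface is evaluated before the outside-to-inside NAT translation, so a permit written against the inside address (host 192.168.0.5) never matches the forwarded packets; the destination to match is the public address the VPN client actually targets.

```cisco
! Added example, not the poster's running config. Assumptions are marked below.
!
! 1. Limit SSH to the router itself with a standard ACL on the vty lines.
!    access-class matches on the SOURCE of the management session, so no
!    destination is needed and NAT does not affect it.
ip access-list standard MGMT-SSH
 permit 198.51.100.7            ! assumed: work's public IP
 permit 192.168.0.0 0.0.0.255   ! inside LAN from the thread
!
line vty 0 4
 access-class MGMT-SSH in
 transport input ssh
!
! 2. Port forwards: one static translation per port (tcp 1194 and 443 as
!    asked for in the thread). Only ports with a translation are reachable
!    from outside, however broad the ACL is.
ip nat inside source static tcp 192.168.0.5 1194 interface FastEthernet0/1 1194
ip nat inside source static tcp 192.168.0.5 443 interface FastEthernet0/1 443
!
! 3. Inbound filter on the outside interface. Evaluated BEFORE the
!    outside-to-inside NAT, so forwarded traffic is matched on the public
!    address (assumed 203.0.113.10), not on 192.168.0.5.
ip access-list extended INBOUND-FILTER
 remark anti-spoofing: packets arriving from the Internet must not carry an inside source
 deny   ip 192.168.0.0 0.0.0.255 any log
 remark port forwards to the OpenVPN server, matched on the global address
 permit tcp any host 203.0.113.10 eq 1194
 permit tcp any host 203.0.113.10 eq 443
 remark SSH to the router from work only; the vty access-class still applies on top
 permit tcp host 198.51.100.7 host 203.0.113.10 eq 22
 remark replies to TCP sessions opened from inside (overload NAT return traffic)
 permit tcp any host 203.0.113.10 established
 deny   ip any any log
!
interface FastEthernet0/1
 ip nat outside
 ip access-group INBOUND-FILTER in
```

The `established` line is the minimal way to let replies to outbound TCP sessions back in once an inbound ACL is in place; return traffic for UDP (DNS, for example) gets no such keyword and needs either explicit permits or stateful inspection (CBAC or zone-based firewall) instead. For the anti-spoofing requirement, `ip verify unicast source reachable-via rx` on the outside interface (unicast RPF, CEF required) drops such packets without a per-prefix ACL entry, which scales better if more inside prefixes appear later.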