Router behind firewall

nisar valappil

Hi,

We have a Cisco 2851 router and an ASA firewall. We configured the router for the IP phones and the ISP connection. The ISP is directly connected to the router, and the ASA firewall is connected to the router. We plan to configure VPN on the router. We have a public IP address available. If I configure the VPN on the firewall, we need to map the firewall's local IP address to the public IP address. So how do I map the firewall's local IP to the public IP? Where can we configure it, I mean on the router or on the firewall? Please see my firewall and router configuration...

Please help .....


nisar valappil

Sorry... we need to configure the VPN on the firewall, not on the router.

Hello Nisar,

You would need static translation on your router, which is facing the internet, to push the remote VPN client traffic to your inside firewall, and since you want to keep your FW as your Remote VPN server, you can go ahead and configure your FW as your Remote VPN server.

Follow these translations on your router.

! ESP (IP protocol 50) has no port, so the static translation takes no port keywords
ip nat inside source static esp 192.168.255.2 interface FastEthernet0/0/0
! IKE (UDP 500) and IKE NAT-T (UDP 4500)
ip nat inside source static udp 192.168.255.2 isakmp interface FastEthernet0/0/0 isakmp
ip nat inside source static udp 192.168.255.2 non500-isakmp interface FastEthernet0/0/0 non500-isakmp
! SSL VPN (TCP 443)
ip nat inside source static tcp 192.168.255.2 443 interface FastEthernet0/0/0 443
! IPsec over TCP/UDP 10000 (Cisco VPN client)
ip nat inside source static udp 192.168.255.2 10000 interface FastEthernet0/0/0 10000
ip nat inside source static tcp 192.168.255.2 10000 interface FastEthernet0/0/0 10000

Thanks

Rizwan Rafeek

Thanks Rizwan... I am confused: if I configure the VPN on the firewall, which IP can I give the client side for connecting to the VPN from outside?

Thanks

Nisar

"Thanks Rizwan... I am confused: if I configure the VPN on the firewall, which IP can I give the client side for connecting to the VPN from outside?"

Brother Nisar,

It is naturally the public address on the interface FastEthernet0/0/0, which is routed via the public internet cloud.

I assume this is the interface below, with the public address.

interface FastEthernet0/0/0
WAN interface
ip address xxx.xxx.xxx.154 255.255.255.252
ip access-group RTP-BLOCK in
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
!

Thanks

Rizwan Rafeek

Hi,

Thanks for your support... Now I have cleared the configuration which I sent before. My IP address is xxx.xxx.xxx.154 for giving to the VPN clients... so I can configure all types of VPN on the firewall, meaning IPsec VPN, SSL VPN etc.... is it right??

Thanks

Nisar

"so I can configure all types of VPN on the firewall, meaning IPsec VPN, SSL VPN etc.... is it right??"

The answer is yes, as long as the respective ports are translated from the public to the private address on your FW.

Thanks

Rizwan Rafeek

Hi,

Thanks a lot... Please see my WAN interface: I configured an access group which blocks some ports. Before, we faced a problem with our IP phones: someone hacked our router and they were using our PSTN line for their calls... we got a big invoice from our PSTN provider, so that's why we blocked the ports. So please help me with how to edit the access-list which I configured on my WAN interface... please give me the commands... Personally asking, where are you from?? Your voice and name sound like you are from India... I am from India, Kerala... If you don't mind, give me your contact details...

Nisar

Hello Nisar,

You need to enter the highlighted entries below in between the existing entries of ACL RTP-BLOCK.


ip access-list extended RTP-BLOCK
permit ip host xxx.xxx.xxx.102 any
permit tcp host xxx.xxx.xxx.102 any
permit udp host xxx.xxx.xxx.102 any
permit ip host xxx.xxx.xxx.203 any
permit tcp host xxx.xxx.xxx.203 any
permit udp host xxx.xxx.xxx.203 any
permit esp any host xxx.xxx.xxx.154
permit udp any host xxx.xxx.xxx.154 eq isakmp
permit tcp any host xxx.xxx.xxx.154 eq 443
permit udp any host xxx.xxx.xxx.154 eq 10000
permit tcp any host xxx.xxx.xxx.154 eq 10000
permit udp any host xxx.xxx.xxx.154 eq non500-isakmp
deny tcp any host xxx.xxx.xxx.154 eq 22    <<<< (see note below)
deny udp any host xxx.xxx.xxx.154 range 1024 65535
permit ip any any
permit tcp any any
permit udp any any

Note on the "deny tcp any host xxx.xxx.xxx.154 eq 22" line: when your VPN access is up and running, you may be able to lock telnet access to the outside public address, so that you will access the router via the inside IP address through the VPN client.

thanks

My contact info is on my Cisco profile.


Hi Nisar,

At last, I just want to tell you that on your outside ACL named RTP-BLOCK, the three lines below are a security threat.

permit ip any any
permit tcp any any
permit udp any any

FYI, you may want to consider enabling a firewall feature on your router (SMS-RYD-RTR), such as CBAC or Zone-Based Firewall.

Configure CBAC:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

Configure Zone-Based Firewall:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

Take care

Thanks

Rizwan Rafeek

nisar valappil


Thanks for your support and responses...

Do we have any security issues if I enable the three lines permit ip any any, permit udp any any, permit tcp any any...?

How can I solve my security threats?? Please help me... I couldn't understand the link you sent... I am entry level in Cisco... I am trying to reach my maximum level...

Brother Nisar,

"Do we have any security issues if I enable the three lines permit ip any any, permit udp any any, permit tcp any any...?"

Well, you have allowed pretty much anything and everything into your network by those three lines.

"How can I solve my security threats??"

I posted the links above to configure CBAC or Zone-Based Policy Firewall (ZFW), so please read them, understand them, and test and configure it.

"I couldn't understand the link... I am entry level in Cisco"

I understand your position; however, if you read that documentation from top to bottom, you will find it is very easy to understand. You just have to put in the time and effort to learn it, test it and implement it.

Thanks

Rizwan Rafeek 
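The following is an added example, not code from this thread or from Cisco. It models in Python the inbound path on the router's WAN interface that the replies above describe: the RTP-BLOCK ACL is evaluated first-match, and then the static translations decide whether a permitted packet is forwarded to the inside ASA or terminates on the router itself. The addresses 203.0.113.x and 198.51.100.9 are constructed stand-ins for the masked xxx.xxx.xxx.x values; the ACL text and the NAT table are copied from the posts, and only the "any"/"host" address forms used there are parsed. The trace shows the VPN protocols and ports reaching the ASA, the two deny lines dropping SSH and high UDP ports, and the "permit ip any any" line delivering everything else (telnet here) to the router, which is the risk Rizwan points out; it also lists the entries that the "permit ip any any" line shadows.

```python
import ipaddress
from collections import namedtuple

# Constructed stand-ins for the masked addresses in the thread (203.0.113.0/24 is
# documentation space); 192.168.255.2 is the inside ASA address the thread uses.
PUBLIC_IP = "203.0.113.154"
ASA_IP = "192.168.255.2"
ANY = ipaddress.ip_network("0.0.0.0/0")
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "ssh": 22, "telnet": 23}

Packet = namedtuple("Packet", "proto src dst dport", defaults=(None,))  # dport None for ESP
Entry = namedtuple("Entry", "action proto src dst lo hi text")  # lo/hi: dst port range, None = any

def _addr(tok, i):
    """Parse 'any' or 'host A.B.C.D' at tok[i]; returns (network, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    raise ValueError("only 'any' and 'host' address forms are modelled: " + " ".join(tok))

def parse_acl(text):
    """Parse an 'ip access-list extended' body, one entry per line; header/blank lines skipped."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        src, i = _addr(tok, 2)
        dst, i = _addr(tok, i)
        lo = hi = None
        if i < len(tok) and tok[i] == "eq":
            lo = hi = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        elif i < len(tok) and tok[i] == "range":
            lo, hi = int(tok[i + 1]), int(tok[i + 2])
        entries.append(Entry(tok[0], tok[1], src, dst, lo, hi, line.strip()))
    return entries

def _matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in e.src or ipaddress.ip_address(p.dst) not in e.dst:
        return False
    return e.lo is None or (p.dport is not None and e.lo <= p.dport <= e.hi)

def evaluate(acl, p):
    """First-match evaluation, ending with the implicit deny of every IOS ACL."""
    for e in acl:
        if _matches(e, p):
            return e.action, e.text
    return "deny", "(implicit deny)"

# The static translations from the thread: (protocol, public port) -> inside host.
STATIC_NAT = {("esp", None): ASA_IP, ("udp", 500): ASA_IP, ("udp", 4500): ASA_IP,
              ("tcp", 443): ASA_IP, ("udp", 10000): ASA_IP, ("tcp", 10000): ASA_IP}

def trace(acl, p):
    """Inbound path on the WAN interface: ACL first, then static NAT.
    Returns (outcome, ACL entry that decided it)."""
    action, text = evaluate(acl, p)
    if action == "deny":
        return "dropped by ACL", text
    key = (p.proto, None if p.proto == "esp" else p.dport)
    if p.dst == PUBLIC_IP and key in STATIC_NAT:
        return "forwarded to ASA " + STATIC_NAT[key], text
    return "delivered to the router itself", text  # no translation: the router is the destination

def shadowed(acl):
    """Entries after the first one that covers every protocol, address and port
    (such as 'permit ip any any'); they can never match."""
    for n, e in enumerate(acl):
        if e.proto == "ip" and e.src == ANY and e.dst == ANY and e.lo is None:
            return [x.text for x in acl[n + 1:]]
    return []

# Constructed copy of the thread's RTP-BLOCK ACL with the masked octets filled in.
RTP_BLOCK = parse_acl("""
ip access-list extended RTP-BLOCK
 permit ip host 203.0.113.102 any
 permit esp any host 203.0.113.154
 permit udp any host 203.0.113.154 eq isakmp
 permit tcp any host 203.0.113.154 eq 443
 permit udp any host 203.0.113.154 eq 10000
 permit tcp any host 203.0.113.154 eq 10000
 permit udp any host 203.0.113.154 eq non500-isakmp
 deny tcp any host 203.0.113.154 eq 22
 deny udp any host 203.0.113.154 range 1024 65535
 permit ip any any
 permit tcp any any
 permit udp any any
""")

if __name__ == "__main__":
    client = "198.51.100.9"  # constructed remote address
    for p in (Packet("udp", client, PUBLIC_IP, 4500), Packet("esp", client, PUBLIC_IP),
              Packet("tcp", client, PUBLIC_IP, 22), Packet("tcp", client, PUBLIC_IP, 23),
              Packet("udp", client, PUBLIC_IP, 5060)):
        print(p.proto, p.dport, "->", *trace(RTP_BLOCK, p))
    print("shadowed entries:", shadowed(RTP_BLOCK))
```

Running it shows that the translated VPN ports land on the ASA while an inbound telnet attempt matches "permit ip any any" and is delivered to the router, because no static translation exists for TCP 23 and nothing before that line denies it; the two "permit ... any any" lines after it are reported as unreachable. Replacing the trailing "permit ip any any" with an explicit deny, or moving to CBAC/ZFW as suggested above, is what changes that last outcome.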
