837 config advice

abolton291078
Level 1

I have created this config to do NO-NAT on my 837 but it doesn't seem to work.

I'm not sure if it's an auth problem or a routing issue.

!
interface ethernet0
 no shut
 ip address 81.xxx.xxx.97 255.255.255.240
 no ip directed-broadcast
!
interface ATM0
 no ip address
 ip route-cache policy
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer0
 ip unnumbered Ethernet0
 encapsulation ppp
 dialer pool 1
 ppp chap hostname xxxxxx@isp.net
 ppp chap password xxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!


Thanks for the rommon, that's fixed now (very scary).

This does block 135 out but doesn't block anything coming in.

Do I need to create a list and group for inbound traffic on the ATM0 interface or the Dialer0 to prevent inbound, and then specify the other ports etc. which I want to permit in?

Hi Aaron,

You have to apply the ACL inbound on the dialer interface to filter inbound traffic.

In the absence of reflexive ACLs, the following should get you closer:

access-list 101 deny tcp any any eq 135
access-list 101 deny tcp any eq 135 any
access-list 101 permit ip any any
!
access-list 102 permit tcp any host1-ip eq 443
access-list 102 permit tcp any host1-ip eq 3389
access-list 102 permit tcp any any established
access-list 102 permit udp any any
!
interface ethernet 0
 ip access-group 101 in
!
interface dialer 0
 ip access-group 102 in

What this will do is block all incoming TCP sessions (except to ports 443 and 3389 on the designated IPs). However, it will still allow UDP flows inbound...

You can profile your traffic and create tighter ACLs, but I'm not sure that you can do much more with the features you have...

Hope that helps - pls rate helpful posts.

Regards,

Paresh.

Hi Paresh,

I have been using this config with great success, although I would like to block UDP inbound, and any attempt to do so causes loss of all outbound traffic, mainly HTTP. Can you offer any help on this?

Many Thanks ...... Aaron

access-list 101 deny tcp any any eq 135
access-list 101 deny tcp any eq 135 any
access-list 101 permit ip any any
!
access-list 102 permit tcp any host1-ip eq 443
access-list 102 permit tcp any host1-ip eq 3389
access-list 102 permit tcp any any established
access-list 102 permit udp any any
!
interface ethernet 0
 ip access-group 101 in
!
interface dialer 0
 ip access-group 102 in

Hi Aaron,

Unfortunately, with your IOS feature set, we cannot do anything that is gonna be rock-solid. However, there is one thing you can do: you can set up your incoming access-list so that it blocks all traffic received from non-well-known UDP source ports, as such:

access-list 102 permit tcp any host1-ip eq 443
access-list 102 permit tcp any host1-ip eq 3389
access-list 102 permit tcp any any established
access-list 102 permit udp any range 0 1023 any

Once again, this should get you closer to where you want to be, without being totally perfect. What this config will do is to deny any inbound packets that have a source UDP port greater than 1023. Generally, well-known services run on UDP ports between 0 and 1023. Therefore, when your clients generate UDP packets to these servers, they will use a destination port between 0 and 1023. The return packets will have a source port between 0 and 1023.

Try this out. Undoubtedly this will result in your PCs being unable to access certain UDP applications. If that happens, all you need to do is go in and add a line for each such port to access-list 102, as such:

access-list 102 permit udp any eq any

Hope that helps - pls rate the post if it does.

Regards,

Paresh.
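As an added example that is not part of this thread and not Cisco's own code: a small Python model of how an IOS extended ACL is evaluated (first matching entry wins, implicit deny at the end), covering both versions of ACL 102 that Paresh posted, the "established" keyword from the earlier reply and the UDP source-port range from this one. It assumes constructed placeholder addresses for the masked 81.xxx.xxx.x range and for "host1-ip", and implements only the keywords the thread uses (permit/deny, tcp/udp/ip, any, host, eq, range, established). It simulates the matching rules; it is not IOS.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed placeholders: the thread masks these as 81.xxx.xxx.97 and 'host1-ip'.
HOST1 = "81.0.2.98"    # the server that publishes 443 and 3389
CLIENT = "81.0.2.99"   # a LAN client behind the 837


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flag names present, e.g. {"ACK"}


@dataclass(frozen=True)
class Ace:
    action: str                         # "permit" or "deny"
    proto: str                          # "tcp", "udp" or "ip"
    src: Optional[str]                  # None means 'any'
    sport: Optional[Tuple[int, int]]    # inclusive port range, or None
    dst: Optional[str]
    dport: Optional[Tuple[int, int]]
    established: bool                   # TCP 'established' keyword

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src is not None and self.src != p.src:
            return False
        if self.dst is not None and self.dst != p.dst:
            return False
        if self.sport and not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        if self.dport and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        # 'established' only inspects header bits (ACK or RST set); it keeps
        # no session state, which is why it is weaker than a reflexive ACL.
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


def _addr(t: List[str], i: int) -> Tuple[Optional[str], int]:
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    raise ValueError(f"unsupported address spec at {t[i]!r}")


def _ports(t: List[str], i: int) -> Tuple[Optional[Tuple[int, int]], int]:
    if i < len(t) and t[i] == "eq":
        return (int(t[i + 1]), int(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list N <action> <proto> <src> [ports] <dst> [ports] [established]' line."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    action, proto = t[2], t[3]
    src, i = _addr(t, 4)
    sport, i = _ports(t, i)
    dst, i = _addr(t, i)
    dport, i = _ports(t, i)
    established = i < len(t) and t[i] == "established"
    return Ace(action, proto, src, sport, dst, dport, established)


def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# Paresh's final ACL 102, with 'host1-ip' replaced by the placeholder HOST1.
ACL_102_TEXT = f"""
access-list 102 permit tcp any host {HOST1} eq 443
access-list 102 permit tcp any host {HOST1} eq 3389
access-list 102 permit tcp any any established
access-list 102 permit udp any range 0 1023 any
"""
ACL_102 = [parse_ace(l) for l in ACL_102_TEXT.strip().splitlines()]


def classify_samples() -> Dict[str, str]:
    """Run constructed inbound packets (as seen on Dialer0) through ACL 102."""
    samples = {
        # reply to a web session the LAN client opened: ACK bit set
        "http_reply": Packet("tcp", "203.0.113.10", 80, CLIENT, 51000, frozenset({"ACK"})),
        # new connection to the published RDP port
        "new_rdp": Packet("tcp", "203.0.113.10", 40000, HOST1, 3389, frozenset({"SYN"})),
        # new connection to a port that is not published: implicit deny
        "new_smb": Packet("tcp", "203.0.113.10", 40000, HOST1, 445, frozenset({"SYN"})),
        # DNS reply to a client query: source port 53 lies in the permitted range
        "dns_reply": Packet("udp", "198.51.100.53", 53, CLIENT, 40123),
        # unsolicited UDP with a high source port: dropped by the range filter
        "udp_high_sport": Packet("udp", "203.0.113.10", 40000, HOST1, 161),
        # unsolicited UDP with a low source port: still passes, which is the
        # "not totally perfect" caveat in the post
        "udp_low_sport": Packet("udp", "203.0.113.10", 53, HOST1, 161),
    }
    return {name: evaluate(ACL_102, p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:15s} {verdict}")
```

The last two samples show why the source-port range is a heuristic rather than a filter: the router looks only at the UDP source port of each packet and keeps no record of which queries the LAN actually sent, so anything arriving from a source port below 1024 is accepted. Reflexive ACLs, which Paresh names as the proper fix, open the return path from the observed outbound flow instead.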

Which IOS release would you recommend?

Hi Aaron,

The feature that would solve your problem is reflexive ACLs. Unfortunately, this feature is not supported on any of the images on the 837.

Have you tried the alternative solution I proposed in my last post?

Cheers

Paresh.

Not yet. I thought a later release of the IOS might be a better solution, such as 12.4T, but I didn't realise it didn't support reflexive ACLs.
