01-12-2006 12:59 PM - edited 03-03-2019 11:26 AM
I have created this config to do NO-NAT on my 837 but it does seem to work.
I'm not sure if it's an auth problem or a routing issue.
!
interface ethernet0
no shut
ip address 81.xxx.xxx.97 255.255.255.240
no ip directed-broadcast
!
interface ATM0
no ip address
ip route-cache policy
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer0
ip unnumbered Ethernet0
encapsulation ppp
dialer pool 1
ppp chap hostname xxxxxx@isp.net
ppp chap password xxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
01-13-2006 05:05 AM
Thanks for the rommon, that's fixed now (very scary).
This does block 135 out but doesn't block anything coming in.
Do I need to create a list and group for inbound traffic on the ATM0 interface or the Dialer0 to prevent inbound, and then specify other ports etc. which I want to permit in?
01-13-2006 05:25 AM
Hi Aaron,
You have to apply the ACL inbound on the dialer interface to filter inbound traffic.
In the absence of reflexive ACLs, the following should get you closer:
access-list 101 deny tcp any any eq 135
access-list 101 deny tcp any eq 135 any
access-list 101 permit ip any any
!
access-list 102 permit tcp any host1-ip eq 443
access-list 102 permit tcp any host1-ip eq 3389
access-list 102 permit tcp any any established
access-list 102 permit udp any any
!
interface ethernet 0
ip access-group 101 in
!
interface dialer 0
ip access-group 102 in
What this will do is block all incoming TCP sessions (except to port 443 and 3389 on the designated IPs). However, it will still allow UDP flows inbound...
You can profile your traffic and create tighter ACLs but I'm not sure that you can do much more with the features you have...
Hope that helps - pls rate helpful posts.
Regards,
Paresh.
01-16-2006 04:08 PM
Hi Paresh,
I have been using this config with great success, although I would like to block UDP inbound and any attempt to do so causes loss of all outbound traffic, mainly HTTP. Can you offer any help on this?
Many Thanks ...... Aaron
01-16-2006 04:38 PM
Hi Aaron,
Unfortunately, with your IOS feature set, we cannot do anything that is gonna be rock-solid. However, there is one thing you can do - you can set up your incoming access-list so that it blocks all traffic received from non-well-known UDP source ports as such:
access-list 102 permit tcp any host1-ip eq 443
access-list 102 permit tcp any host1-ip eq 3389
access-list 102 permit tcp any any established
access-list 102 permit udp any range 0 1023 any
Once again, this should get you closer to where you want to be, without being totally perfect. What this config will do is to deny any inbound packets that have a source UDP port greater than 1023. Generally, well-known services run on UDP ports between 0 and 1023. Therefore, when your clients generate UDP packets to these servers, they will use a destination port between 0 and 1023. The return packets will have a source port between 0 and 1023.
Try this out. Undoubtedly this will result in your PCs being unable to access certain UDP applications. If that happens, all you need to do is go in and add a line for each such port to access-list 102, as such:
access-list 102 permit udp any eq
Hope that helps - pls rate the post if it does.
Regards,
Paresh.
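To see what the final access-list 102 permits and denies before applying it to Dialer0, here is an added Python model of its evaluation (example code, not from the thread or from IOS); HOST1 and the 203.0.113.x addresses are constructed placeholders for host1-ip and the LAN hosts, and the model has no connection state, just like the 837 image without reflexive ACLs.

```python
from dataclasses import dataclass

HOST1 = "203.0.113.10"  # constructed placeholder for the post's "host1-ip"

@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    dst: str           # destination IP address
    sport: int         # source port
    dport: int         # destination port
    ack: bool = False  # TCP ACK/RST bit set, which is all "established" checks

# Entries of ACL 102: (proto, dst host or None for "any", sport range, dport range, established)
ACL_102 = [
    ("tcp", HOST1, (0, 65535), (443, 443), False),    # permit tcp any host1-ip eq 443
    ("tcp", HOST1, (0, 65535), (3389, 3389), False),  # permit tcp any host1-ip eq 3389
    ("tcp", None, (0, 65535), (0, 65535), True),      # permit tcp any any established
    ("udp", None, (0, 1023), (0, 65535), False),      # permit udp any range 0 1023 any
]

def permitted(pkt, acl=ACL_102):
    """IOS semantics: first matching entry wins; no match hits the implicit deny."""
    for proto, dst, (s_lo, s_hi), (d_lo, d_hi), established in acl:
        if pkt.proto != proto:
            continue
        if dst is not None and pkt.dst != dst:
            continue
        if not (s_lo <= pkt.sport <= s_hi and d_lo <= pkt.dport <= d_hi):
            continue
        if established and not pkt.ack:
            continue  # a new inbound SYN does not match "established"
        return True
    return False  # implicit "deny ip any any" at the end of every IOS ACL

# Constructed sample packets as they would arrive inbound on Dialer0.
SAMPLES = {
    "https_to_host1":   Packet("tcp", HOST1, 51000, 443),
    "ssh_syn_to_host1": Packet("tcp", HOST1, 51001, 22),
    "web_reply":        Packet("tcp", "203.0.113.20", 80, 52000, ack=True),
    "dns_reply":        Packet("udp", "203.0.113.20", 53, 40000),
    "udp_high_sport":   Packet("udp", "203.0.113.20", 40000, 161),
    "udp_low_sport":    Packet("udp", "203.0.113.20", 53, 161),  # still permitted
}

def evaluate_samples():
    return {name: permitted(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, ok in evaluate_samples().items():
        print(f"{name:18} {'permit' if ok else 'deny'}")
```

The last sample shows the limit Paresh describes: without connection state, any UDP packet with a low source port is accepted to any internal port, so the source-port filter narrows the exposure but does not close it.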
01-16-2006 09:58 PM
Which IOS release would you recommend?
01-16-2006 10:06 PM
Hi Aaron,
The feature that would solve your problem is reflexive ACLs. Unfortunately, this feature is not supported on any of the images on the 837.
Have you tried the alternative solution I proposed in my last post?
Cheers
Paresh.
01-16-2006 10:16 PM
Not yet. I thought a later release of the IOS might be a better solution, such as 12.4T, but I didn't realise it didn't support reflexive ACLs.