New Member

887va - NAT and Firewall Question

Hi,

I've recently got a Cisco 887va. I have followed this guide to setting the ADSL2+ up and it worked fine:

https://supportforums.cisco.com/message/3578292#3578292

My 887va is also on 192.168.1.1

I can get out onto the internet - everything is working great.

What I want to do now is to be able to access my router remotely for SSH over the internet. (At another office).

I would therefore like to SSH to the dialer0 interface and have it connect to my 192.168.0.1 IP

I understand I need a NAT statement but I'm confused if I need an ACL or a Firewall rule (or both).

Is it possible someone could give me an example of how to do this correctly?

My 887va needs to be as secure as possible so I want to restrict the remote access to 2 IPs that I know and own at remote offices and for the ssh protocol only. Nobody else external should access this.

I very much look forward to your help.

John.

  • WAN Routing and Switching
29 REPLIES
Purple

887va - NAT and Firewall Question

Hi,

if you want to access your router remotely for management with ssh from 2 Public IPs and internally, I suppose ssh is already configured:

! standard ACL listing the only sources allowed to open management sessions
access-list 10 permit host x.x.x.x
access-list 10 permit host y.y.y.y
access-list 10 permit 192.168.1.0 0.0.0.255
!
line vty 0 15
 login local
 transport input ssh
 ! access-class applies ACL 10 to inbound vty connections
 access-class 10 in

Now if you want to ssh to an internal machine from the 2 public IPs and internally, you'll need to configure static PAT (aka port forwarding) and either use CBAC or ZFW; if this is the case I will provide you a basic firewall config along with NAT.

Regards

Alain

Don't forget to rate helpful posts.

New Member

Re: 887va - NAT and Firewall Question

Thank you very much. Yes SSH is already configured and working well from the inside.

I've a few questions - hopefully you can help to clarify.

With the ACL list you have provided (and acl 'in' statement under the SSH section) do I still require a NAT statement for my dialer0 interface to my 192.168.1.1 router address or is the NAT statement not required - does the ACL work without? What should the NAT statement be if so?

Yes that would be great if you can give me the basic firewall and PAT information as I will want to do this as well. (I'll likely be having a web server so allowing 80 and 443 but to restricted sites. The web server will eventually sit on 192.168.1.2.)

I would also like to allow HTTPS as well as SSH so we can view the web interface as well as PING to perform a basic check - again these need to be restricted to the 2 internet IPs - the destination will be the router IP of 192.168.1.1

I very much look forward to your response and will rate as helpful.

Thanks.

EDIT: I had asked the ping question separately - not sure where it is best to answer it: https://supportforums.cisco.com/thread/2258656

Purple

887va - NAT and Firewall Question

Hi,

"With the ACL list you have provided (and acl 'in' statement under the SSH section) do I still require a NAT statement for my dialer0 interface to my 192.168.1.1 router address or is the NAT statement not required - does the ACL work without? What should the NAT statement be if so?"

You won't need NAT because you'll be sshing to the public IP of your router.

You will need to ssh to an FQDN provided by no-ip.org or dyndns.org because you have a dynamic IP through PPP.

Here is a thread discussing the dyndns configuration: https://supportforums.cisco.com/thread/2167081

"Yes that would be great if you can give me the basic firewall and PAT information as I will want to do this as well. (I'll likely be having a web server so allowing 80 and 443 but to restricted sites. The web server will eventually sit on 192.168.1.2)"

Here is a config example for the static PAT:

int vlan1
 ip nat inside
int dialer0
 ip nat outside
!
! publish the internal web server on the dialer0 address
ip nat inside source static tcp 192.168.1.2 80 interface dialer0 80
! outside port 4430 is used because the router's own https (ip http secure-server) already listens on 443
ip nat inside source static tcp 192.168.1.2 443 interface dialer0 4430
!
no ip http server
ip http secure-server

"I would also like to allow HTTPS as well as SSH so we can view the web interface as well as PING to perform a basic check - again these need to be restricted to the 2 internet IPs - the destination will be the router IP of 192.168.1.1"

for securing https access to router you can use the same access-class like this:

ip http access-class 10

Now for firewall config, you could do something like this:

! traffic from the internet to the published web server (post-NAT addresses)
ip access-list extended Outside-Inside-acl
 permit tcp host x.x.x.x host 192.168.1.2 eq https
 permit tcp host x.x.x.x host 192.168.1.2 eq http
!
! management of the router itself (self zone): https, ssh and ping from the two offices;
! destination is "any" because the dialer0 address is dynamic
ip access-list extended Outside-Mgmt-acl
 permit tcp host x.x.x.x any eq 443
 permit tcp host x.x.x.x any eq 22
 permit icmp host x.x.x.x any echo
 permit tcp host y.y.y.y any eq 443
 permit tcp host y.y.y.y any eq 22
 permit icmp host y.y.y.y any echo
!
zone security Inside
zone security Outside
!
int vlan1
 zone-member security Inside
int dialer 0
 zone-member security Outside
!
class-map type inspect match-any Inside-Outside-class
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any Outside-Inside-class
 match access-group name Outside-Inside-acl
class-map type inspect match-any Outside-Mgmt-class
 match access-group name Outside-Mgmt-acl
!
policy-map type inspect Inside-Outside-policy
 class type inspect Inside-Outside-class
  inspect
 class class-default
  drop
policy-map type inspect Outside-Inside-policy
 class type inspect Outside-Inside-class
  inspect
 class class-default
  drop
policy-map type inspect Outside-Mgmt-policy
 class type inspect Outside-Mgmt-class
  inspect
 class class-default
  drop
!
zone-pair security Outside-Inside source Outside destination Inside
 service-policy type inspect Outside-Inside-policy
zone-pair security Inside-Outside source Inside destination Outside
 service-policy type inspect Inside-Outside-policy
! once an Outside->self policy exists, replies to sessions the router itself opens towards
! Outside (DNS, NTP, ...) are also checked by it and hit class-default drop unless a
! self->Outside zone-pair inspects them
zone-pair security Outside-self source Outside destination self
 service-policy type inspect Outside-Mgmt-policy

Regards

Alain

Don't forget to rate helpful posts.

New Member

Re: 887va - NAT and Firewall Question

Again thank you.

Just a few points to clarify:

When you say 'You won't need NAT because you'll be sshing to the public IP of your router', is that because it does some kind of NAT behind the scenes, and therefore I don't need a NAT statement for this?

ip http access-class 10 - where would this statement go?

Does your firewall part include icmp?

Lastly I'm confused why I would use ACLs and not firewall rules. (I come from a firewall background, just not Cisco - hence my earlier NAT question about the mgmt interface.) Is it possible to use firewall rules as well (or instead of ACLs) for the management access to the router for ssh, https and icmp from 2 known external IPs?

Purple

887va - NAT and Firewall Question

Hi,

You don't need NAT to access your device from a public location as it has a WAN public IP.

The ip http access-class is a global configuration mode command.

Yes, the firewall config I provided takes icmp, ssh and https access to the router into account.

Regards

Alain

Don't forget to rate helpful posts.

New Member

Re: 887va - NAT and Firewall Question

Thank you.

So I've learnt that for the WAN public IP of the router no NAT statement is required but for additional IPs then a NAT statement would be required.

Can you clarify this point - why would I use ACLs for the Management access instead of firewall rules - what's the benefit?

Purple

887va - NAT and Firewall Question

Hi,

Using access-class for http/https and telnet/ssh is less demanding on the router than using the firewall feature.

And also easier to configure.

Regards

Alain

Don't forget to rate helpful posts.

New Member

Re: 887va - NAT and Firewall Question

Excellent thanks. That makes sense - I want my router to be as secure as possible but at the same time I want the performance and don't want to make it CPU intensive so I will not use the firewall feature for now.

I have got the following configured now on my Router:

no ip http server
ip http access-class 10
ip http secure-server
!
! external IP 1 of my head office over the internet
access-list 10 permit xx.xx.xx.xx
! external IP 2 of my head office over the internet
access-list 10 permit yy.yy.yy.yy
! my internal vlan1 network (what the router sits on)
access-list 10 permit 192.168.1.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
 password 7 ***********
 login authentication local_auth
 transport input ssh

I've not tested this yet as I need to visit my remote office.

Now finally - how do I allow ping to the WAN IP (to check it is up and working remotely) with an ACL?
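A config audit for the management-plane settings above, added here as an example and not part of the thread: it parses an IOS-style config (a constructed sample mirroring John's, with the head-office addresses replaced by RFC 5737 documentation addresses) and reports anything that would widen management access beyond the two offices and the LAN.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample mirroring the config in the post; head-office IPs are RFC 5737 addresses.
SAMPLE_CONFIG = """\
no ip http server
ip http access-class 10
ip http secure-server
access-list 10 permit 198.51.100.7
access-list 10 permit 203.0.113.9
access-list 10 permit 192.168.1.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
"""
# Sources that may reach the management plane: the two offices and the LAN (assumed here).
ALLOWED = {ip_network(n) for n in ("198.51.100.7/32", "203.0.113.9/32", "192.168.1.0/24")}

def acl_networks(config, acl):
    """Networks permitted by a standard numbered ACL (bare address, 'host' or wildcard form)."""
    nets = set()
    pat = rf"^access-list {acl} permit (?:host )?(\S+)(?: (\S+))?[ \t]*$"
    for addr, wildcard in re.findall(pat, config, re.M):
        if addr == "any":
            nets.add(ip_network("0.0.0.0/0"))
        else:  # contiguous wildcard mask -> prefix length
            bits = int(ip_address(wildcard or "0.0.0.0")).bit_length()
            nets.add(ip_network(f"{addr}/{32 - bits}", strict=False))
    return nets

def vty_blocks(config):
    """(header, sub-commands) for every 'line vty' stanza; sub-commands are its indented lines."""
    return [(h, [l.strip() for l in body.splitlines()])
            for h, body in re.findall(r"^(line vty .*)\n((?: .*\n?)*)", config, re.M)]

def audit(config):
    """Findings that contradict the intent in the thread; an empty list means the config passes."""
    findings = []
    extra = acl_networks(config, 10) - ALLOWED
    if extra:
        findings.append("acl 10 permits unexpected sources: " + ", ".join(map(str, extra)))
    for cmd, msg in (("no ip http server", "plain-text HTTP server not disabled"),
                     ("ip http access-class 10", "HTTPS management not restricted by access-class 10")):
        if not re.search(rf"^{cmd}$", config, re.M):
            findings.append(msg)
    for header, cmds in vty_blocks(config):
        if "transport input ssh" not in cmds:
            findings.append(f"{header}: transport is not SSH-only")
        if "access-class 10 in" not in cmds:
            findings.append(f"{header}: no inbound access-class")
    return findings
```

Run `audit()` over a `show running-config` dump; a vty range left without `access-class 10 in` (for example `line vty 5 15`) is reported separately, since only ranges that carry the access-class are protected.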

Purple

887va - NAT and Firewall Question

Hi,

For this you would have to use an inbound ACL on the WAN interface, but in this case you'd be better off with a firewall config because ACLs are stateless: if you permit your icmp and deny everything else, you will also deny return traffic in response to LAN-initiated traffic.

You could in this case use CBAC:

! CBAC inspection rule: LAN-initiated tcp/udp/icmp sessions get temporary openings for their replies
ip inspect name myfirewall tcp
ip inspect name myfirewall udp
ip inspect name myfirewall icmp
!
! inbound ACL on the WAN side: only the two offices, only ping/ssh/https, everything else denied
ip access-list extended remote-access
 permit icmp host x.x.x.x any echo
 permit icmp host y.y.y.y any echo
 permit tcp host x.x.x.x any eq ssh
 permit tcp host y.y.y.y any eq ssh
 permit tcp host x.x.x.x any eq https
 permit tcp host y.y.y.y any eq https
 deny ip any any
!
int dialer0
 ip access-group remote-access in
!
int vlan 1
 ! inspect traffic arriving from the LAN; the openings for the replies are created in the
 ! inbound ACL on dialer0
 ip inspect myfirewall in

As you can see, the problem here is that as your WAN IP is dynamic you must specify any as the destination in your inbound ACL, which opens up corresponding access to any forwarded address for the http(s)/ssh protocols.

Regards

Alain

Don't forget to rate helpful posts.

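A small model of Alain's stateless-versus-stateful point, added as an example and not part of the thread: the remote-access ACL above evaluated on its own versus together with a toy ip inspect session table, showing why the reply to a LAN-initiated HTTPS session passes the inbound ACL only when inspection is present. The addresses are constructed stand-ins for x.x.x.x, y.y.y.y and the dynamic WAN address.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""     # "echo" or "echo-reply" when proto == "icmp"

# The 'remote-access' ACL from the reply as (proto, source, service) tuples; x.x.x.x and
# y.y.y.y are replaced by constructed RFC 5737 addresses. 'deny ip any any' is implicit.
REMOTE_ACCESS = [("icmp", "198.51.100.7", "echo"), ("icmp", "203.0.113.9", "echo"),
                 ("tcp", "198.51.100.7", 22), ("tcp", "203.0.113.9", 22),
                 ("tcp", "198.51.100.7", 443), ("tcp", "203.0.113.9", 443)]
WAN_IP = "192.0.2.5"  # constructed stand-in for the dynamic dialer0 address

def acl_permits(pkt):
    """Stateless check: a packet passes only if some entry matches its source and service."""
    for proto, src, service in REMOTE_ACCESS:
        svc = pkt.icmp_type if pkt.proto == "icmp" else pkt.dport
        if (pkt.proto, pkt.src, svc) == (proto, src, service):
            return True
    return False

class Inspector:
    """Toy model of 'ip inspect': LAN-initiated sessions open a hole for their return traffic."""
    def __init__(self):
        self.sessions = set()
    def lan_to_wan(self, pkt):
        # Addresses are as seen on dialer0, i.e. after PAT. Store the tuple the reply will carry.
        self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
    def inbound_allowed(self, pkt):
        # The static ACL is consulted first; inspection only adds temporary openings.
        return acl_permits(pkt) or (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions

def reply_verdicts():
    """(ACL only, ACL plus inspection) for the reply to an HTTPS session started from the LAN."""
    out = Packet("tcp", WAN_IP, "198.51.100.20", 51000, 443)   # PAT'd packet leaving dialer0
    back = Packet("tcp", "198.51.100.20", WAN_IP, 443, 51000)  # the web server's reply
    fw = Inspector()
    fw.lan_to_wan(out)
    return acl_permits(back), fw.inbound_allowed(back)
```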