Cisco 887va - Allow Remote Access to a Web Server

Hello.

I have a Cisco 887va which is connected to an ADSL line.

The internal network is a 192.168.1.x network (255.255.255.0).

My WAN is a statically assigned IP from the ISP - to save giving my actual IP I'll give an example: 50.50.50.50.

I have a webserver which serves https (tcp 443). This sits on 192.168.1.10. This has outbound internet through the Cisco.

I would like to make the https of the web server available externally, but only to 1 source IP (60.60.60.60).

How do I make this available?

My ISP has said I can use 50.50.60.61 - that is one of the IPs I'm allowed to use.

I'd like this as simple as possible. I don't have a firewall (cbac/zbf). Just standard ACLs for management access to my WAN for SSH.

I look forward to hearing from you.

John.

Hi,

ip nat inside source static tcp 192.168.1.10 443 50.50.60.61 443

Then edit the inbound ACL on the WAN like this (this is an example, so change it to the real ACL number or name already applied inbound on your WAN interface):

ip access-list extended 100

10 permit tcp host 60.60.60.60 50.50.60.61 eq 443

Regards

Alain

Don't forget to rate helpful posts.

Thanks Alain,

My existing access-lists look like this:

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 10 permit 60.60.60.60

access-list 10 permit 80.80.80.80

access-list 10 permit 192.168.1.0 0.0.0.255

dialer-list 1 protocol ip permit

The access-list 10 is then used in 2 places. For the https access:

ip http access-class 10

and for the SSH access.

line vty 0 4

access-class 10 in

First of all - where does the NAT statement go? Anywhere specific in the config?

Then the ACL - I think I'd best create a new one?

Would it just be:

ip access-list extended 100

permit tcp host 60.60.60.60 50.50.60.61 eq 443 (This command didn't seem to enter correctly for me. Have I missed something?)

Then for an additional source IP I'd do:

permit tcp host 80.80.80.80 50.50.60.61 eq 443

I'd rather not edit my original ACLs if possible.

Thanks.

Hi,

OK, if your only ACL is used in an access-class then indeed you need a new ACL to apply inbound on the WAN interface.

access-list 100 permit tcp host 60.60.60.60 host 50.50.50.61 eq 443

access-list 100 deny tcp any host 50.50.50.61 eq 443

access-list 100 permit ip any any

int x/x <<<<< your WAN interface

ip access-group 100 in

For the static PAT, you enter it in global config.

Regards

Alain

Don't forget to rate helpful posts.

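Putting the two replies above together, here is the complete configuration for this procedure as an added example; it is not taken from the original thread. It assumes the interfaces already carry ip nat inside (Vlan1) and ip nat outside (Dialer0), which must be the case since the LAN already reaches the internet, and it uses the thread's example addresses. The reason the earlier one-liner would not enter is the missing host keyword: in an extended ACE the destination is written as host A.B.C.D, A.B.C.D wildcard or any, so in permit tcp host 60.60.60.60 50.50.60.61 eq 443 IOS tries to read eq as a wildcard mask and rejects the line.

```cisco
! Added example configuration for the thread's scenario (not from the original posts).
! Assumed already present: "ip nat inside" on Vlan1 and "ip nat outside" on Dialer0.
!
! Static PAT: map TCP/443 of the public address 50.50.50.61 to the web server.
! Entered in global configuration mode; it is not tied to an interface stanza.
ip nat inside source static tcp 192.168.1.10 443 50.50.50.61 443 extendable
!
! Inbound ACL on the WAN. An input ACL on the NAT-outside interface is evaluated
! before the outside-to-inside translation, so it must match the public address
! 50.50.50.61, never 192.168.1.10.
ip access-list extended 100
 permit tcp host 60.60.60.60 host 50.50.50.61 eq 443
 deny   tcp any host 50.50.50.61 eq 443
 ! Everything not denied above is still allowed in: this list only restricts
 ! who may reach the published HTTPS service, nothing else.
 permit ip any any
!
interface Dialer0
 ip access-group 100 in
!
! Verification (exec mode):
!   show ip interface Dialer0 | include access list   (shows the inbound list is 100)
!   show access-lists 100                             (per-ACE match counters)
!   show ip nat translations                          (the static entry plus live 443 sessions)
!   show ip nat statistics                            (confirms the inside/outside interfaces)
```

The match counters in show access-lists 100 are the quickest way to tell whether a test connection from 60.60.60.60 is reaching the router at all: if the first ACE counts up but no translation appears, the problem is on the NAT or server side; if nothing counts up, the ISP is not delivering 50.50.50.61 to the ADSL line.
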
Thank you. I have added the ip access-group 100 in under my interface Dialer0 (ADSL connection).

I will test and let you know. Is there any troubleshooting I can do to see why it is not hitting an ACL, if the router is listening correctly on the IP, etc?

Thank you.

Hi,

You could enable logging on the ACL while testing it, and for NAT you can look at sh ip nat translation.

This is not the most secure config, but as you asked not to use any firewalling feature, we could now edit the ACL to make it less permissive if you want, like this:

ip access-list extended 100
 ! sequence 10 is already taken by the permit for 60.60.60.60 to 50.50.50.61:443,
 ! so the new entries use 11 and 12
 11 permit udp any eq domain any
 12 permit icmp any any echo-reply
 ! remove the existing "permit ip any any" (sequence 30); with it still in place
 ! a deny placed after it would never be reached
 no 30
 30 deny ip any any log

In ACE 11, replace the first any with host x.x.x.x, where x.x.x.x is your external DNS server.

Regards

Alain

Don't forget to rate helpful posts.

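A tightened list that ends in deny ip any any drops everything it does not name, and with no CBAC/ZBF or reflexive ACL the router keeps no session state. That means it would also drop the return half of every TCP connection the LAN opens (web browsing, updates) and the SSH management sessions, which are filtered by the vty access-class but still have to pass the interface ACL first. The list below is an added example, not from the original thread, of how far plain ACLs can take the "nothing else from outside" requirement. It assumes 50.50.50.50 is the router's own Dialer0 address, 70.70.70.70 is the SSH management host John names in his later summary, and a named ACL in place of 100.

```cisco
! Added example: inbound WAN filter without stateful inspection (not from the original posts).
! Assumed: Dialer0 = ip nat outside with address 50.50.50.50, Vlan1 = ip nat inside,
! 50.50.50.61 = public address of the web server, 70.70.70.70 = SSH management host.
ip nat inside source static tcp 192.168.1.10 443 50.50.50.61 443 extendable
!
ip access-list extended WAN-IN
 remark -- published service: HTTPS to the web server, from one source only
 permit tcp host 60.60.60.60 host 50.50.50.61 eq 443
 remark -- management: SSH to the router itself, from one source only
 remark -- (the vty "access-class 10 in" still applies on top of this)
 permit tcp host 70.70.70.70 host 50.50.50.50 eq 22
 remark -- return half of TCP sessions opened from the LAN: "established" matches
 remark -- packets with ACK or RST set, so it cannot open a new connection, but it
 remark -- is a header check, not state tracking
 permit tcp any any established
 remark -- DNS answers for the LAN; narrow the first "any" to "host <resolver>"
 permit udp any eq domain any
 remark -- ICMP the LAN needs: answers to its own pings, PMTUD and traceroute responses
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark -- everything else, including pings to 50.50.50.50 and other ports on 50.50.50.61
 deny ip any any log
!
interface Dialer0
 ip access-group WAN-IN in
```

Two limits of this approach are worth knowing before relying on it. Only TCP gets a generic return permit; any other outbound UDP the LAN uses (NTP, VoIP, game traffic) needs its own source-port line, and each such line is a standing hole, which is exactly the case for ip inspect or zone-based firewall once the "keep it simple" requirement is relaxed. And deny ... log punts every matching packet to the CPU; on a small router keep the volume bounded with ip access-list log-update threshold or drop the log keyword once the list has been verified.
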
Thanks Alain,

Can I just check this looks right:

What I want to achieve.

Keep my management access (SSH) with access-list 10. Deny anything else other than a remote IP of 70.70.70.70 for SSH access. It should only have SSH and no other ports.

Allow one remote IP (60.60.60.60) through to my web server (192.168.1.10 via the ext IP of 50.50.50.61).

Nothing else should be allowed access to the web server on 443.

Nothing else should be allowed access to anything from external.

Interface Dialer0

ip access-group 100 in

ip nat inside source static tcp 192.168.1.10 443 50.50.50.61 443 extendable

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 10 permit 70.70.70.70

access-list 10 permit 192.168.1.0 0.0.0.255

access-list 100 permit tcp host 60.60.60.60 host 50.50.50.61 eq 443

access-list 100 deny   tcp any host 50.50.50.61 eq 443

access-list 100 permit ip any any

dialer-list 1 protocol ip permit

line vty 0 4

access-class 10 in

Hi,

Given the fact that you don't want to use a firewall or reflexive ACL, I would say that it pretty much does the job you are asking for, except that everyone will be able to ping or traceroute to your external IP.

Regards

Alain

Don't forget to rate helpful posts.
