584 Views | 0 Helpful | 4 Replies

Nat through firewall.

rbblue234 (Level 1)

Hi all,

My config is below.  I need a way to figure out how to allow my NAT traffic through the firewall.  Every time I enable an access-list 122, all communication gets blocked unless I apply a specific rule for the traffic destination.  My local net is attached to fa0/1 and uses the IP range 10.0.1.x.

Current configuration : 1519 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname route01
!
boot-start-marker
boot-end-marker
!
enable password #####
!
no aaa new-model
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
no ftp-server write-enable
!
!
!
!
!
!
!
interface FastEthernet0/0
 description "cable modem"
 ip address dhcp
 ip access-group 122 in
 ip nat outside
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 10.0.1.1 255.255.255.0
 ip access-group 121 in
 ip nat inside
 duplex auto
 speed auto
!
interface Virtual-Template1
 no ip address
 peer default ip address pool net
 ppp encrypt mppe auto
 ppp authentication pap chap ms-chap
!
ip local pool net 10.0.1.20 10.0.1.25
ip default-gateway 10.0.1.1
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.0.1.10 443 interface FastEthernet0/0 443
ip nat inside source static tcp 10.0.1.10 25 interface FastEthernet0/0 9987
ip classless
no ip http server
no ip http secure-server
!
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 121 permit ip 10.0.1.0 0.0.0.255 any
access-list 121 permit udp any eq bootps any
!
!
!
line con 0
line aux 0
line vty 0 4
 password ####
 login
line vty 5 15
 password ####
 login
!
!
!
end

Accepted Solution

If you just want to block your router from responding to telnet then use a VTY access-list. Only in case you have some device inside the network for which you want to block telnet, use an ACL on the outside interface.

access-list 122 deny tcp any any eq 23
access-list 122 permit ip any any

For VTY you can choose -

ip access-list extended TelnetAccess
 permit tcp host x.x.x.x any eq telnet log
 permit tcp any any eq 22 log
 deny tcp any any log
!
line vty 0 4
 access-class TelnetAccess in

Thanks
Ajay
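The point the thread turns on is that an extended ACL is evaluated first-match with an implicit deny at the end, so a lone deny entry on the outside interface drops everything, while the accepted answer's trailing permit lets the NAT and port-forward traffic through. As an added example (not from the thread or Cisco), this small Python evaluator parses ACL lines in IOS syntax and checks constructed inbound packets against both versions; the 198.51.100.7 and 203.0.113.x addresses and the sample packets are assumed, and the parser only handles contiguous wildcard masks and the `eq` port qualifier.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")     # proto is "tcp" or "udp"
Rule = namedtuple("Rule", "action proto src sport dst dport")  # port None = any port; proto "ip" = any protocol
NAMED_PORTS = {"telnet": 23, "ssh": 22, "smtp": 25, "www": 80, "bootps": 67, "bootpc": 68}

def _parse_addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (contiguous wildcards only); return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    netmask = ".".join(str(255 - int(o)) for o in tok[1].split("."))  # IOS wildcard -> netmask
    return ipaddress.ip_network(f"{tok[0]}/{netmask}", strict=False), tok[2:]

def _parse_port(tok):
    """Consume an optional 'eq PORT' qualifier (name or number); return (port or None, rest)."""
    return (int(NAMED_PORTS.get(tok[1], tok[1])), tok[2:]) if tok[:1] == ["eq"] else (None, tok)

def parse_rule(line):
    """Parse '[access-list N] permit|deny PROTO SRC [eq P] DST [eq P] [log]', numbered or named-ACL form."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]
    action, proto, tok = tok[0], tok[1], tok[2:]
    src, tok = _parse_addr(tok)
    sport, tok = _parse_port(tok)
    dst, tok = _parse_addr(tok)
    dport, _ = _parse_port(tok)  # a trailing 'log' keyword is ignored
    return Rule(action, proto, src, sport, dst, dport)

def evaluate(acl_lines, pkt):
    """Verdict for pkt: the first matching entry decides; no match means the implicit 'deny ip any any'."""
    for r in map(parse_rule, acl_lines):
        if (r.proto in ("ip", pkt.proto) and r.sport in (None, pkt.sport) and r.dport in (None, pkt.dport)
                and ipaddress.ip_address(pkt.src) in r.src and ipaddress.ip_address(pkt.dst) in r.dst):
            return r.action
    return "deny"

# Constructed inbound traffic on the outside interface; 198.51.100.7 stands in for the router's DHCP-assigned address.
INBOUND = {
    "telnet_to_router": Packet("tcp", "203.0.113.9", 51000, "198.51.100.7", 23),
    "https_to_forward": Packet("tcp", "203.0.113.9", 51001, "198.51.100.7", 443),  # the static NAT port-forward
    "dns_reply":        Packet("udp", "203.0.113.53", 53, "198.51.100.7", 40000),
}
DENY_ONLY = ["access-list 122 deny tcp any any eq 23"]        # poster's first attempt: nothing after the deny
ACCEPTED = DENY_ONLY + ["access-list 122 permit ip any any"]  # accepted answer: an explicit permit follows
def decisions(acl_lines, packets=INBOUND):  # map each sample packet name to its verdict
    return {name: evaluate(acl_lines, p) for name, p in packets.items()}
```

One thing to check when applying the VTY part of the answer: `access-class TelnetAccess in` under `line vty 0 4` covers only those five lines, and this config also has `line vty 5 15`, which needs the same access-class.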

4 Replies

ajay chauhan (Level 7)

Of course, once you apply access-list 122 on the router's outside interface it is supposed to block things unless you specify what destination you want to open from the internet/outside network.

The very simple thing to understand is that ACLs are used to block things based on the interface and the direction you specify.

However, I don't see any config for ACL 122 in your post.

Thanks

Ajay

Hi!

Thanks for the response.  As the post said, as soon as I add a 122 config, traffic starts to get blocked.  That's why I left it out.  I have too many programs that use too many different ports to go through and add each and every port combo in an ACL.

My goal here is to block telnet from responding on 0/0.

When I do the following, all inbound traffic is blocked!

access-list 122 deny tcp any any eq telnet

Adding the following allows traffic, and again telnet responds on int 0/0:

access-list 122 permit tcp any any


rbblue234 (Level 1)

Is there any way to have an ACL on the outside interface to block the traffic except the NAT / port forward traffic?

herm...  I guess NAT is doing that already.
