11-16-2011 06:02 PM - edited 03-04-2019 02:18 PM
Hi all,
My config is below. I need a way to figure out how to allow my NAT traffic through the firewall. Every time I enable an access-list 122, all communication gets blocked unless I apply a specific rule for the traffic destination. My local net is attached to fa0/1 and uses the IP range 10.0.1.x.
Current configuration : 1519 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname route01
!
boot-start-marker
boot-end-marker
!
enable password #####
!
no aaa new-model
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
no ftp-server write-enable
!
!
!
!
!
!
!
interface FastEthernet0/0
 description "cable modem"
 ip address dhcp
 ip access-group 122 in
 ip nat outside
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 10.0.1.1 255.255.255.0
 ip access-group 121 in
 ip nat inside
 duplex auto
 speed auto
!
interface Virtual-Template1
 no ip address
 peer default ip address pool net
 ppp encrypt mppe auto
 ppp authentication pap chap ms-chap
!
ip local pool net 10.0.1.20 10.0.1.25
ip default-gateway 10.0.1.1
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.0.1.10 443 interface FastEthernet0/0 443
ip nat inside source static tcp 10.0.1.10 25 interface FastEthernet0/0 9987
ip classless
no ip http server
no ip http secure-server
!
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 121 permit ip 10.0.1.0 0.0.0.255 any
access-list 121 permit udp any eq bootps any
!
!
!
line con 0
line aux 0
line vty 0 4
 password ####
 login
line vty 5 15
 password ####
 login
!
!
!
end
11-17-2011 05:00 AM
If you just want to stop your router from responding to telnet, then use a VTY access-list. Only if you have some device inside the network for which you want to block telnet should you use an ACL on the outside interface.
access-list 122 deny tcp any any eq 23
access-list 122 permit ip any any
For VTY you can choose -
ip access-list extended TelnetAccess
 permit tcp host x.x.x.x any eq telnet log
 permit tcp any any eq 22 log
 deny tcp any any log
!
line vty 0 4
 access-class TelnetAccess in
Thanks
Ajay
11-16-2011 09:16 PM
Of course, once you apply access-list 122 on the router's outside interface it is supposed to block things unless you specify what destination you want to open from the internet / outside network.
The very simple thing to understand is that ACLs are used to block things based on the interface and the direction you specify.
However, I don't see any config for ACL 122 in your post.
Thanks
Ajay
11-17-2011 04:52 AM
Hi!
Thanks for the response. As the post said, as soon as I add a 122 config, traffic starts to get blocked. That's why I left it out. I have too many programs that use too many different ports to go through and add each and every port combo in an ACL.
My goal here is to block telnet from responding on 0/0.
When I do the following, all inbound traffic is blocked!
access-list 122 deny tcp any any eq telnet
Adding the following allows traffic, and again telnet responds on int 0/0:
access-list 122 permit tcp any any
11-17-2011 06:55 AM
Is there any way to have an ACL on the outside interface that blocks the traffic except the NAT / port-forward traffic?
herm... I guess NAT is doing that already.
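An outside ACL of the kind Ajay's answer and the last question above are circling, added here as an example and not taken from either poster's config: it permits only the two port forwards, the PPTP dial-in and TCP return traffic for the overload NAT, blocks telnet, and restricts the VTY lines. It assumes ACL 122 stays applied inbound on FastEthernet0/0 as in the posted config, and that management should only come from 10.0.1.0/24 (that source restriction, and the choice of which ICMP types to allow, are assumptions; the name TelnetAccess is from Ajay's reply).

```cisco
! Added example (not from the thread): ACL 122, applied "in" on FastEthernet0/0.
! On the outside interface the inbound ACL is evaluated BEFORE NAT un-translates,
! so it must match the public address/port (fa0/0 is DHCP, hence "any"),
! i.e. the forwarded port 9987, not the inside port 25.
access-list 122 remark --- DHCP lease for the "ip address dhcp" on fa0/0 ---
access-list 122 permit udp any eq bootps any eq bootpc
access-list 122 remark --- port forwards from the static NAT lines ---
access-list 122 permit tcp any any eq 443
access-list 122 permit tcp any any eq 9987
access-list 122 remark --- PPTP dial-in (vpdn-group 1) ---
access-list 122 permit tcp any any eq 1723
access-list 122 permit gre any any
access-list 122 remark --- return traffic for the overload NAT (TCP only) ---
access-list 122 permit tcp any any established
access-list 122 remark --- replies needed for ping / traceroute / PMTU ---
access-list 122 permit icmp any any echo-reply
access-list 122 permit icmp any any unreachable
access-list 122 permit icmp any any time-exceeded
access-list 122 remark --- telnet to the router, then the implicit deny made explicit ---
access-list 122 deny   tcp any any eq telnet log
access-list 122 deny   ip any any log
!
! VTY restriction, independent of ACL 122: covers telnet/ssh on every interface.
ip access-list extended TelnetAccess
 permit tcp 10.0.1.0 0.0.0.255 any eq telnet
 permit tcp 10.0.1.0 0.0.0.255 any eq 22
 deny   tcp any any log
!
line vty 0 15
 access-class TelnetAccess in
```

The `established` keyword only matches TCP segments with ACK or RST set, so UDP applications behind the overload NAT (DNS replies, for instance) would still be dropped; covering those needs a stateful mechanism such as CBAC (`ip inspect`), if the image carries the firewall feature set, or reflexive ACLs.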