topic Hello Julien- in Network Security

Router 1921 filter NAT inbound

julien.silverston — Tue, 12 Mar 2019 08:40:35 GMT

Hello,

I own a routeur 1921, version 15.1. We use it as a router and also to allow remote worker.

For example we NAT port TCP/8108

ip nat inside source static tcp 192.168.0.70 8101 interface GigabitEthernet0/1 8101

Doing this way anyone can connect to this port.

How I can allow just a list of IP to connect to and deny all the others ?

We just manage theses ACL :

ip access-list extended outside
deny   tcp any any eq 135
deny   tcp any any eq 139
deny   tcp any any eq 445
deny   udp any any eq 135
deny   udp any any eq netbios-ns
deny   udp any any eq netbios-dgm
deny   udp any any eq netbios-ss
permit ip any any
!
access-list 1 permit any
access-list 99 permit 192.168.0.0 0.0.255.255
dialer-list 1 protocol ip permit

How can I do to control port TCP/8101 usage ?

Thank you,

Hello Julien-

nspasov — Tue, 20 Dec 2016 20:59:10 GMT

Hello Julien-

Here is what you will need to do:

1. Configure and extended ACL with the following ACEs:

1.1 Permit the specific host from the outside to the specific host on the inside on port 8101 (For this I would recommend using an object-group. That way you can add/remove additional IPs on the fly without the need to add/remove ACEs from the ACL)

1.2 Deny all other hosts/networks from the outside to the specific host on the inside on port 8101

1.3 Permit whatever else you need permitted (This can be a simple permit ip any any statement)

2. Then you will need to apply the ACL to the G0/1 interface in an "inbound" direction.

I hope this helps!

Thank you for rating helpful posts!

Hello Neno,

julien.silverston — Tue, 20 Dec 2016 21:14:02 GMT

Hello Neno,

Thank you for your complete and detailled answer.

May I ask a last favor ?

Can you provide me some configuration examples ?

Other IP, ports, ...

Thank you

Sure thing. I would recommend

nspasov — Wed, 21 Dec 2016 20:38:45 GMT

Sure thing. I would recommend checking out the post in the link below. It is very good, with a lot of details, diagrams and sample configs. The important thing to keep in mind is the order of operations (When does NAT, routing and ACLs takes place):

https://cciethebeginning.wordpress.com/2010/06/08/order-of-operations-nat-routing-acl/

Thank you for rating helpful posts!

Thank you but I have several

julien.silverston — Wed, 21 Dec 2016 21:26:26 GMT

Thank you but I have several other NAT rules and I don't want to lock me from the outside.

How to make sure ?

Well there are a couple of

nspasov — Sat, 24 Dec 2016 01:45:55 GMT

Well there are a couple of different things you can do here:

1. Replicate your setup in a test/lab environment (physical or virtual). This will allow you to test not only this change but future ones as well. Things you can use here are: GNS3, PacketTracer, VIRL, and many more

2. You can always use the "reload in time" command that will automatically reload the router in a set time. This is helpful when making changes remotely as if you make a change that locks you out, the router will automatically reload after the timer expires, thus reverting to the starting config that does not include your recent changes.

Thank you for rating helpful posts!