ACL configuration Help

nishit.patel
Level 1

We have CISCO 877 ROUTER WITH A SINGLE EXTERNAL IP ADDRESS

INSIDE (VLAN1)  = 192.168.0.0/24

OUTSIDE (DIALER1) = 195.149.45.229

We have clients on INSIDE who have full internet access.

We have NAT working – a one to many NAT.

ip nat inside source static tcp 192.168.0.8 5003 interface Dialer1 5003

ip nat inside source static tcp 192.168.0.8 5090 interface Dialer1 5090

ip nat inside source static udp 192.168.0.8 6000 interface Dialer1 6000

ip nat inside source static tcp 192.168.0.10 4899 interface Dialer1 4899

So now I can talk to these ports from an EXTERNAL IP so the NAT is working fine.

However... I need to lock down access to these ports to specific IP address ranges.

I require INSIDE to still have full internet access to OUTSIDE but restricted access from OUTSIDE to TCP PORTS 4899, 5003, 5090 & UDP PORT 6000.

What is the easiest way of applying this ACL? I am assuming on DIALER1 I apply an INBOUND ACL but am having issues with TCP & UDP replies on high port numbers. I don’t want to be blocking legitimate reply traffic which will also be INBOUND on a high port number…

1 Reply

Jon Marshall
Hall of Fame

If you don't have the IOS firewall running on your router then the next best thing would be to use reflexive access-lists. These allow return traffic back in if it has been allowed out but you can still control what traffic can be initiated from outside -

RACL configuration

Jon
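Below is an added example of the reflexive access-list approach Jon describes, applied to the ports from the question; it is not configuration taken from the thread. It assumes 203.0.113.0/24 as a placeholder for the trusted source range and uses the list names OUTBOUND, INBOUND and RETURN.

```cisco
! Outbound (inside -> Internet) ACL on Dialer1. It is evaluated after NAT,
! so the source is already the Dialer1 public address; "any" keeps it
! independent of that address. Each permitted session is "reflected" into
! the temporary list RETURN so that only its replies can come back in.
ip access-list extended OUTBOUND
 permit tcp any any reflect RETURN timeout 300
 permit udp any any reflect RETURN timeout 60
 permit icmp any any reflect RETURN timeout 30
 permit ip any any

! Inbound (Internet -> inside) ACL on Dialer1. It is evaluated before NAT,
! so the destination ports are the ones published on Dialer1 by the static
! NAT entries. 203.0.113.0/24 is a placeholder for the trusted range.
ip access-list extended INBOUND
 permit tcp 203.0.113.0 0.0.0.255 any eq 4899
 permit tcp 203.0.113.0 0.0.0.255 any eq 5003
 permit tcp 203.0.113.0 0.0.0.255 any eq 5090
 permit udp 203.0.113.0 0.0.0.255 any eq 6000
 ! Replies to sessions initiated from inside, whatever high port they use
 evaluate RETURN
 ! Anything else initiated from outside is dropped and logged
 deny ip any any log

interface Dialer1
 ip access-group INBOUND in
 ip access-group OUTBOUND out
```

Traffic the router itself originates (for example its own DNS or NTP queries) is not seen by the outbound ACL, so its replies are not reflected and need explicit inbound permits; multi-channel protocols such as active FTP also need separate handling.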
