Cisco 877W Port forwarding issue and ACLs


I've been bashing my head against this... I am setting up an 877W router for a small business in the UK. I have set up port forwarding, but it simply does not want to work...

Even remote dial-in VPN, remote SSH, etc... nothing works. Locally these services do work (I can SSH into the router from the LAN and dial the VPN).

I am setting this router up for deployment in the UK, but before I deploy it I need it working here, hence the two dialer interfaces in the config below.

The router will be deployed in a small business with a couple of servers: Exchange, DNS, FTP, etc...

I need port forwarding for the services RDP (servers), SSH (router), VPN (router), HTTP (Exchange), HTTPS (Exchange), etc... going to the individual hosts on the network.

I have also tried removing the statements ip access-group DMZ_ACL in & ip inspect DMZ_CBAC in from the BVI1 and Dialer2 interfaces; I still can't SSH into the router or VPN in remotely.

Basically, what I want to achieve is as follows:
• Unrestricted web usage on the DMZ + NO ACCESS to the corp LAN (BVI1) from the DMZ LAN (BVI2), and vice versa
• Restricted usage on the internal (corp) network 192.168.2.0/24
• Port forwarding to the appropriate hosts
• SSH access to the router

The traffic I want to allow coming in and out of the corp LAN is as follows:
10 permit tcp 20
20 permit tcp 21
30 permit tcp eq smtp
40 permit tcp eq 443
50 permit tcp eq 80
60 permit tcp eq 9035
70 permit tcp eq pop3
80 permit tcp eq 3388
90 permit tcp eq 3389
100 permit udp eq tftp
120 permit tcp eq 22
130 permit tcp any any established

Could anyone tell me what I have to do to achieve this, maybe with an example of how my ACLs should look (I think I am writing them correctly), in what direction and on which interface?

Config below:
SilkR1#sh run
Building configuration...

Current configuration : 9522 bytes
!

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!

hostname SilkR1
!

boot-start-marker
boot-end-marker
!

no logging buffered
enable secret 5 $1$.DKw$1W7yKThc.K6NBhm/8Slwp1
!

no aaa new-model
clock timezone zone 1
clock summer-time GMT date Mar 25 2012 1:00 Oct 30 2012 1:00
crypto pki token default removal timeout 0
!

crypto pki trustpoint TP-self-signed-973792425
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-973792425
revocation-check none
rsakeypair TP-self-signed-973792425
!

!
crypto pki certificate chain TP-self-signed-973792425
certificate self-signed 01
quit
dot11 syslog
!

dot11 ssid SILK CORP
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 7 03544D58145E714D4A48
!

dot11 ssid SILK DMZ
vlan 10
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 13364643002857243F257972
!

ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.211.1 192.168.211.100
ip dhcp excluded-address 192.168.211.200 192.168.211.254
ip dhcp excluded-address 192.168.2.1 192.168.2.100
ip dhcp excluded-address 192.168.2.200 192.168.2.254
!

ip dhcp pool DMZ_Addresses
import all
network 192.168.211.0 255.255.255.0
default-router 192.168.211.254
dns-server 194.72.9.38 194.72.9.34 194.74.65.68 194.74.65.69 194.72.0.98 194.72.0.114 62.6.40.162 62.6.40.178
lease 3
!

ip dhcp pool Corp_Addresses
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.254
dns-server 194.158.37.196 194.158.37.211
domain-name silk.local
lease 3
!

!
ip inspect udp idle-time 20
ip inspect tcp idle-time 120
ip inspect tcp synwait-time 15
ip inspect name internal_CBAC smtp audit-trail on
ip inspect name internal_CBAC ftp
ip inspect name internal_CBAC http
ip inspect name internal_CBAC https
ip inspect name internal_CBAC realaudio
ip inspect name internal_CBAC tcp
ip inspect name internal_CBAC udp
ip inspect name internal_CBAC icmp
ip inspect name DMZ_CBAC smtp audit-trail on
ip inspect name DMZ_CBAC http
ip inspect name DMZ_CBAC tcp
ip inspect name DMZ_CBAC udp
ip inspect name external_CBAC smtp audit-trail on
ip inspect name external_CBAC ftp
ip inspect name external_CBAC http
ip inspect name external_CBAC realaudio
ip inspect name external_CBAC tcp
ip inspect name external_CBAC udp
ip inspect name external_CBAC icmp
ip domain name silk.local
!

vpdn enable
!

vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!

!
!

username XXXXX privilege 15 password 7 070C285F4D06
username XXXXX privilege 15 password 7 096B6E1D4A12370B4A
username XXXXX privilege 10 password 7 121A0C041104
username XXXXX privilege 10 password 7 082C435B1A1C5445414A
username XXXXX privilege 15 password 7 02130A521D031D324D42
!

!
archive
log config
hidekeys
!

!
ip ssh version 2
!

bridge irb
!

!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!

interface ATM0.1 point-to-point
description BT Internet Connection
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!

interface ATM0.2 point-to-point
description Go internet connection
pvc 8/35
pppoe-client dial-pool-number 3
!
!

interface FastEthernet0
no cdp enable
!

interface FastEthernet1
no cdp enable
!

interface FastEthernet2
no cdp enable
!

interface FastEthernet3
description DMZ LAN
switchport access vlan 10
no cdp enable
!

interface Virtual-Template1
description VPN Interface
ip unnumbered Vlan1
peer default ip address pool clients
no keepalive
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2 chap mschap
ppp ipcp dns 192.168.2.1 192.168.2.2
!

interface Dot11Radio0
no ip address
no ip route-cache cef
no ip route-cache
!
encryption vlan 1 mode ciphers tkip
!
encryption vlan 10 mode ciphers tkip
!
encryption mode ciphers tkip
!
ssid SILK CORP
!
ssid SILK DMZ
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
rts threshold 2312
!

interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!

interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!

interface Vlan1
description Corporate Vlan
no ip address
bridge-group 1
!

interface Vlan10
description DMZ Vlan
no ip address
bridge-group 2
!

interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname XXXXXXX@hg57.btclick.com
ppp chap password 7 15020A1F172B2327292767
!

interface Dialer2
ip address negotiated
ip access-group external_ACL in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 3
dialer-group 3
no keepalive
no cdp enable
ppp authentication pap callin
ppp pap sent-username XXXXXX@maltanet password 7 0608002F495A08
!

interface BVI1
description Corporate LAN
ip dhcp relay information trusted
ip address 192.168.2.254 255.255.255.0
ip access-group internal_ACL in
ip inspect internal_CBAC in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!

interface BVI2
description DMZ LAN
ip dhcp relay information trusted
ip address 192.168.211.254 255.255.255.0
ip access-group DMZ_ACL in
ip inspect DMZ_CBAC in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!

ip local pool clients 192.168.2.210 192.168.2.220
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer2
!

ip http server
ip http authentication local
ip http secure-server
ip nat inside source list DMZ_ACL interface Dialer2 overload
ip nat inside source list internal_ACL interface Dialer2 overload
ip nat inside source static tcp 192.168.2.1 3388 interface Dialer2 3388
ip nat inside source static tcp 192.168.2.1 443 interface Dialer2 443
ip nat inside source static tcp 192.168.2.1 80 interface Dialer2 80
ip nat inside source static tcp 192.168.2.1 110 interface Dialer2 110
ip nat inside source static tcp 192.168.2.1 25 interface Dialer2 25
ip nat inside source static tcp 192.168.2.2 3389 interface Dialer2 3389
ip nat inside source static tcp 192.168.2.1 20 interface Dialer2 20
ip nat inside source static tcp 192.168.2.1 21 interface Dialer2 21
ip nat inside source static tcp 192.168.2.254 22 interface Dialer2 22
!

ip access-list extended DMZ_ACL
deny ip 192.168.211.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip any any
ip access-list extended external_ACL
permit tcp any host 192.168.2.1 eq smtp
permit tcp any host 192.168.2.1 eq pop2
permit tcp any host 192.168.2.1 eq pop3
permit tcp any host 192.168.2.1 eq www
permit tcp any host 192.168.2.1 eq 443
permit tcp any host 192.168.2.1 eq ftp
permit tcp any host 192.168.2.1 eq ftp-data
permit tcp any host 192.168.2.1 eq 3388
permit tcp any host 192.168.2.2 eq 3389
permit tcp any host 192.168.2.254 eq 1723
permit tcp any any established
ip access-list extended internal_ACL
permit tcp host 192.168.2.1 any eq smtp
permit tcp any 0.0.0.0 255.255.255.0 eq 1723
deny tcp any any eq pop2
deny tcp any any eq pop3
permit ip any any
!

dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!

!
!

control-plane
!

bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
banner motd ^CWARNING Restricted Access Only!!!^C
!

line con 0
exec-timeout 0 0
password 7 15352B18573D0B3D69
login local
no modem enable
line aux 0
line vty 0 4
password 7 072801581D1E391C56
login local
transport input ssh
!

scheduler max-task-time 5000
end
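The post's static forwards on Dialer2 and the external_ACL applied inbound on Dialer2 can be checked against each other; the Python script below is added here as an example (it is not code from the post or from Cisco) and reports, for each forward, what the inbound ACL does with a fresh connection from the Internet, given that IOS evaluates an inbound ACL before outside-to-inside NAT, so the destination address it sees is still the Dialer2 address rather than the inside host. The config excerpt is a constructed, shortened copy of the posted lines, and 203.0.113.10 is a constructed stand-in for the negotiated Dialer2 address.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the posted config: two static forwards on Dialer2 and the ACL applied inbound there.
CONFIG = """\
ip nat inside source static tcp 192.168.2.1 443 interface Dialer2 443
ip nat inside source static tcp 192.168.2.254 22 interface Dialer2 22
ip access-list extended external_ACL
permit tcp any host 192.168.2.1 eq 443
permit tcp any any established
"""
PORTS = {"www": 80, "smtp": 25, "pop3": 110, "ftp": 21, "ftp-data": 20}
NAT_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)")

def parse_addr(tok, i):
    """(network, next index) for the clause at tok[i]: any | host A | A WILDCARD."""
    if tok[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1]), i + 2
    return ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_acl(config, name):
    """ACEs of one extended ACL, in order: (action, proto, src, dst, port, established)."""
    aces, inside = [], False
    for tok in (line.split() for line in config.splitlines()):
        if tok[:3] == ["ip", "access-list", "extended"]:
            inside = tok[3] == name
        elif inside and tok and tok[0] in ("permit", "deny"):
            src, i = parse_addr(tok, 2)
            dst, i = parse_addr(tok, i)
            port = PORTS.get(tok[i + 1]) or int(tok[i + 1]) if tok[i:i + 1] == ["eq"] else None
            aces.append((tok[0], tok[1], src, dst, port, "established" in tok))
    return aces

def check_forwards(config, outside_ip, acl_name="external_ACL"):
    """Verdict of the inbound ACL on a fresh connection to each static forward. IOS
    evaluates an inbound ACL before outside-to-inside NAT, so the destination it
    sees is still outside_ip (the Dialer2 address), not the inside host."""
    aces, verdicts = parse_acl(config, acl_name), {}
    for proto, host, in_port, out_port in NAT_RE.findall(config):
        verdict = "deny (implicit)"  # every extended ACL ends in an implicit deny
        for action, aproto, _src, dst, port, est in aces:
            if est or aproto not in (proto, "ip"):
                continue  # 'established' never matches the initial SYN
            if ip_address(outside_ip) in dst and port in (None, int(out_port)):
                verdict = action  # first matching ACE wins
                break
        verdicts[f"{proto}/{out_port}->{host}:{in_port}"] = verdict
    return verdicts
```

Call check_forwards(CONFIG, "203.0.113.10") to get the verdict per forward: an ACE whose destination is the inside host never matches at this point in the pipeline, while one written against the outside address (any, or the interface address) does.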