Cisco 1841 ACL

Deven Gandhi · ‎09-22-2013

I have a question about ACL. I have friend setup with Hub and Spoke setup with IPSEC over GRE and it's working just fine. He has few employee whom need remote access outside of office so until he purchases VPN module and licenses, I need to set him up with RDP (port 3389) access to one of his terminal server. I've created static NAT and the problem is when there is an existing ACL on interface, static NAT does not work. When I remove ACL from interface, static NAT works just fine. Only problem is now router is wide open. Is there a way to have static NAT and apply ACL on Interface?

Thanks

Deven

cadet alain · ‎09-23-2013

Hi,

Yes it is possible by editing the ACL to permit the RDP traffic,for example I suppose your external IP for NAT is 192.168.1.1 and you want 192.168.2.1 to reach your internal natted machine:

ip nat inside source static tcp x.x.x.x 3389 192.168.1.1 3389

ip access-list extended xxx

5 permit tcp host 192.168.2.1 host 192.168.1.1 eq 3389

Regards

Alain

Don't forget to rate helpful posts.

Deven Gandhi · ‎09-23-2013

Hi Cadet

I've already tried that prior to posting on cisco support forum and it doed not work. Here is what I have tried...

ip nat inside source static tcp 10.x.x.x 3389 interface FastEthernet0/1 3389

access-list 101 permit tcp any eq 3389 host 10.x.x.x eq 3389 log

access-list 101 permit udp host x.x.x.x host x.x.x.x eq isakmp log

access-list 101 permit esp host x.x.x.x host x.x.x.x log

access-list 101 permit gre host x.x.x.x host x.x.x.x log

access-list 101 deny ip any any (this is optional since there is implicit deny all)

When I apply above acl on outside interface fa0/1 checking traffic inbound, I can not RDP. Only way, RDP will work if I apply following acl on outside interface fa0/1 checking traffic inbound...

access-list 101 deny icmp any any echo log

access-list 101 deny tcp any any eq telnet log

access-list 101 permit ip any any log

I am using IOS version 12.4(24)T8

Any other ideas???

stephen.stack · ‎09-24-2013

This looks wrong to me...

access-list 101 permit tcp any eq 3389 host 10.x.x.x eq 3389 log

Should be

access-list 101 permit tcp any host 10.x.x.x eq 3389 log

In the first ACE you are saying, allow if the source port is 3389 and the destination port is 3389. RDP connections will be generated client side form the ephemeral port range, therefore the client side, or source prot could be anything

http://en.wikipedia.org/wiki/Ephemeral_port

==========================
http://www.rConfig.com

A free, open source network device configuration management tool, customizable to your needs!

- Always vote on an answer if you found it helpful

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful

Deven Gandhi · ‎09-24-2013

HI Stephen

Thanks for your suggestion. I will try it in few days and let you know the outcome.

Thanks,
Deven

Deven Gandhi · ‎09-29-2013

Hello Stephen

I've made changes to access list as you suggested and it's same result as before.

ip nat inside source list NAT_ACL interface FastEthernet0/1 overload

ip nat inside source static tcp 10.x.x.x 3389 interface FastEthernet0/1 3389

access-list 101 permit tcp any host 10.x.x.x eq 3389 log

access-list 101 permit udp any host x.x.x.x eq isakmp log

access-list 101 permit esp any host x.x.x.x log

access-list 101 permit gre any host x.x.x.x log

access-list 101 deny ip any any log

*Sep 29 2013 20:47:27 CST: %SEC-6-IPACCESSLOGP: list 101 denied tcp x.x.x.x(49171) -> 10.x.x.x(3389), 2 packets

Any other suggestions...

Thanks,

Deven

stephen.stack · ‎10-02-2013

HI,

The issue is ACLs are not stateful on their own. You either need to use Reflexive Access Lists or a firewall like Cisco IOS CBAC or ZBF.

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfreflx.html

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

http://packetlife.net/blog/2012/jan/30/ios-zone-based-firewall/

==========================
http://www.rconfig.com

A free, open source network device configuration management tool, customizable to your needs!

- Always vote on an answer if you found it helpful

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful

Deven Gandhi · ‎10-07-2013

Hello Stephen

We have CBAC in place from inside to outside traffic. I will read up on article you referrenced above and let you know if I have more questions or problem.

Thanks

Deven