Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1983
Views
0
Helpful
7
Replies

Cisco 1841 ACL

Deven Gandhi
Level 1
Level 1

‎09-22-2013 07:10 PM - edited ‎03-03-2019 07:10 AM

I have a question about ACL.  I have friend setup with Hub and Spoke setup with IPSEC over GRE and it's working just fine.  He has few employee whom need remote access outside of office so until he purchases VPN module and licenses, I need to set him up with RDP (port 3389) access to one of his terminal server.  I've created static NAT and the problem is when there is an existing ACL on interface, static NAT does not work.  When I remove ACL from interface, static NAT works just fine.  Only problem is now router is wide open.  Is there a way to have static NAT and apply ACL on Interface?

Thanks

Deven

Labels:
0 Helpful
7 Replies 7

cadet alain
VIP Alumni
VIP Alumni

‎09-23-2013 02:44 AM

Hi,

Yes it is possible by editing the ACL to permit the RDP traffic,for example I suppose your external IP for NAT is 192.168.1.1 and you want 192.168.2.1 to reach your internal natted machine:

ip nat inside source static tcp x.x.x.x 3389 192.168.1.1 3389

ip access-list extended xxx

5 permit tcp host 192.168.2.1 host 192.168.1.1 eq 3389

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
0 Helpful

Deven Gandhi
Level 1
Level 1
In response to cadet alain

‎09-23-2013 09:44 AM

Hi Cadet

I've already tried that prior to posting on cisco support forum and it doed not work.  Here is what I have tried...

ip nat inside source static tcp 10.x.x.x 3389 interface FastEthernet0/1 3389

access-list 101 permit tcp any eq 3389 host 10.x.x.x eq 3389 log

access-list 101 permit udp host x.x.x.x host x.x.x.x eq isakmp log

access-list 101 permit esp host x.x.x.x host x.x.x.x log

access-list 101 permit gre host x.x.x.x host x.x.x.x log

access-list 101 deny ip any any (this is optional since there is implicit deny all)

When I apply above acl on outside interface fa0/1 checking traffic inbound, I can not RDP.  Only way, RDP will work if I apply following acl on outside interface fa0/1 checking traffic inbound...

access-list 101 deny icmp any any echo log

access-list 101 deny tcp any any eq telnet log

access-list 101 permit ip any any log

I am using IOS version 12.4(24)T8

Any other ideas???

0 Helpful

stephen.stack
Level 4
Level 4
In response to Deven Gandhi

‎09-24-2013 02:43 AM

This looks wrong to me...

access-list 101 permit tcp any eq 3389 host 10.x.x.x eq 3389 log

Should be

access-list 101 permit tcp any host 10.x.x.x eq 3389 log

In the first ACE you are saying, allow if the source port is 3389 and the destination port is 3389. RDP connections will be generated client side form the ephemeral port range, therefore the client side, or source prot could be anything

http://en.wikipedia.org/wiki/Ephemeral_port

==========================
http://www.rConfig.com 

A free, open source network device configuration management tool, customizable to your needs!

- Always vote on an answer if you found it helpful

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful
0 Helpful

Deven Gandhi
Level 1
Level 1
In response to stephen.stack

‎09-24-2013 07:08 PM

HI Stephen

Thanks for your suggestion.  I will try it in few days and let you know the outcome.

Thanks,
Deven

0 Helpful

Deven Gandhi
Level 1
Level 1
In response to Deven Gandhi

‎09-29-2013 07:06 PM

Hello Stephen

I've made changes to access list as you suggested and it's same result as before.

ip nat inside source list NAT_ACL interface FastEthernet0/1 overload

ip nat inside source static tcp 10.x.x.x 3389 interface FastEthernet0/1 3389

access-list 101 permit tcp any host 10.x.x.x eq 3389 log

access-list 101 permit udp any host x.x.x.x eq isakmp log

access-list 101 permit esp any host x.x.x.x log

access-list 101 permit gre any host x.x.x.x log

access-list 101 deny   ip any any log

*Sep 29 2013 20:47:27 CST: %SEC-6-IPACCESSLOGP: list 101 denied tcp x.x.x.x(49171) -> 10.x.x.x(3389), 2 packets

Any other suggestions...

Thanks,

Deven

0 Helpful

stephen.stack
Level 4
Level 4
In response to Deven Gandhi

‎10-02-2013 02:02 AM

HI,

The issue is ACLs are not stateful on their own. You either need to use Reflexive Access Lists or a firewall like Cisco IOS CBAC or ZBF.

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfreflx.html

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

http://packetlife.net/blog/2012/jan/30/ios-zone-based-firewall/

==========================
http://www.rconfig.com 

A free, open source network device configuration management tool, customizable to your needs!

- Always vote on an answer if you found it helpful

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful
0 Helpful

Deven Gandhi
Level 1
Level 1
In response to stephen.stack

‎10-07-2013 06:58 AM

Hello Stephen

We have CBAC in place from inside to outside traffic.  I will read up on article you referrenced above and let you know if I have more questions or problem.

Thanks

Deven

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents