cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1534
Views
10
Helpful
4
Replies

ACL for Internet-Facing Dialer Interface on 897VA

Abe_00
Level 1
Level 1

Please could someone offer some advice on what ACL to configure in order to achieve the following outcome?

 

1. Inbound traffic on ports 32400, 32783, 32782, 32785, 32784, 32789 and 32788is forwarded to internal host 192.168.5.80 

2. Inbound traffic on port 8067 is forwarded to internal host 192.168.7.2 

3. Inbound traffic on port 81 is forwarded to internal host 192.168.3.137 

3. All other inbound traffic is not allowed (achieve 'stealth' status on GRC ShieldsUp)

4. All outbound traffic is allowed from any internal host to any external host on any port

 

Currently, outbound traffic is ok (hosts are able to use internet services, but not ping external hosts), and the GRC ShieldsUp scan shows 'stealth'.

 

However, the port forwarding is not working.  If I remove access-group 105 from Dialer1 then the forwarding does work, but the GRC shieldsup check fails, all ports are wide open. 

 

Full config is below:

 

!
! Last configuration change at 21:44:22 UTC Wed Apr 29 2020
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 xxxxx
enable password 7 xxxxx
!
no aaa new-model
ethernet lmi ce
!
!
!
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 192.168.2.240 192.168.2.254
ip dhcp excluded-address 192.168.3.1 192.168.3.99
ip dhcp excluded-address 192.168.3.240 192.168.3.254
ip dhcp excluded-address 192.168.4.1 192.168.4.99
ip dhcp excluded-address 192.168.4.240 192.168.4.254
ip dhcp excluded-address 192.168.5.1 192.168.5.99
ip dhcp excluded-address 192.168.5.200 192.168.5.254
ip dhcp excluded-address 192.168.6.1 192.168.6.39
ip dhcp excluded-address 192.168.6.240 192.168.6.254
ip dhcp excluded-address 192.168.7.1 192.168.7.99
ip dhcp excluded-address 192.168.7.240 192.168.7.254
!
ip dhcp pool Cameras
 import all
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.254 
 dns-server 192.168.2.254 
 lease 7
!
ip dhcp pool Users
 import all
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.254 
 dns-server 192.168.3.254 
 lease 7
!
ip dhcp pool Secure
 import all
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.254 
 dns-server 8.8.8.8 8.8.4.4 
 lease 7
!
ip dhcp pool Servers
 import all
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.254 
 dns-server 192.168.5.254 
 lease 7
!
ip dhcp pool GuestWiFi
 import all
 network 192.168.6.0 255.255.255.0
 default-router 192.168.6.254 
 dns-server 192.168.6.254 
!
ip dhcp pool Management
 import all
 network 192.168.7.0 255.255.255.0
 default-router 192.168.7.254 
 dns-server 192.168.7.254 
 lease 7
!
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect name FW dns
ip inspect name FW icmp router-traffic
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip ddns update method no-ip
 HTTP
  add xxxxx
 interval maximum 0 0 5 0
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
license udi pid C897VA-M-K9 sn xxxxx
!
!
vtp mode transparent
!
!
controller VDSL 0
!
vlan 2
 name Cameras
!
vlan 3
 name Users
!
vlan 4
 name Secure
!
vlan 5
 name Servers
!
vlan 6
 name GuestWiFi
!
vlan 7 
!
vlan 10
 name LAN-VRF01666
!
vlan 30
 name LAN-VRF01667
!
! 
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
!
interface Ethernet0.101
 encapsulation dot1Q 101
 no ip redirects
 no ip proxy-arp
 ip virtual-reassembly in
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 switchport access vlan 2
 no ip address
!
interface GigabitEthernet3
 switchport access vlan 3
 no ip address
!
interface GigabitEthernet4
 switchport access vlan 4
 no ip address
!
interface GigabitEthernet5
 switchport access vlan 5
 no ip address
!
interface GigabitEthernet6
 switchport access vlan 6
 no ip address
!
interface GigabitEthernet7
 switchport access vlan 7
 no ip address
!
interface GigabitEthernet8
 ip address 192.168.8.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan3
 ip address 192.168.3.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan4
 ip address 192.168.4.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map GE-WAN
!
interface Vlan5
 ip address 192.168.5.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan6
 ip address 192.168.6.254 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan7
 ip address 192.168.7.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer1
 description Dialer interface for VDSL
 mtu 1492
 ip ddns update hostname xxxxx
 ip ddns update no-ip
 ip address negotiated
 ip access-group 105 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip inspect FW out
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap ms-chap callin
 ppp chap hostname bthomehub@btbroadband.com
 ppp chap password 7 xxxxx
 ppp ipcp address accept
 no cdp enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 1 interface GigabitEthernet8 overload
ip nat inside source list 2 interface Dialer1 overload
ip nat inside source static tcp 192.168.5.80 32400 interface Dialer1 32400
ip nat inside source static tcp 192.168.5.80 32783 interface Dialer1 32783
ip nat inside source static tcp 192.168.5.80 32782 interface Dialer1 32782
ip nat inside source static tcp 192.168.5.80 32785 interface Dialer1 32785
ip nat inside source static tcp 192.168.5.80 32784 interface Dialer1 32784
ip nat inside source static tcp 192.168.5.80 32789 interface Dialer1 32789
ip nat inside source static tcp 192.168.5.80 32788 interface Dialer1 32788
ip nat inside source static tcp 192.168.7.2 8067 interface Dialer1 8067
ip nat inside source static tcp 192.168.3.137 81 interface Dialer1 81
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended GuestWiFi
 deny   ip any 192.168.1.0 0.0.0.255
 deny   ip any 192.168.2.0 0.0.0.255
 deny   ip any 192.168.3.0 0.0.0.255
 deny   ip any 192.168.4.0 0.0.0.255
 deny   ip any 192.168.5.0 0.0.0.255
 deny   ip any 192.168.7.0 0.0.0.255
 permit ip any any
!
!
route-map GE-WAN permit 10
 match ip address 100
 set ip next-hop 192.168.8.1
!
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.5.0 0.0.0.255
access-list 2 permit 192.168.6.0 0.0.0.255
access-list 2 permit 192.168.7.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 102 deny   tcp any any eq telnet
access-list 102 permit ip any any
access-list 105 permit icmp 192.168.0.0 0.0.255.255 any
access-list 105 permit tcp any host 192.168.5.80 eq 32400
access-list 105 permit tcp any host 192.168.5.80 eq 32783
access-list 105 permit tcp any host 192.168.5.80 eq 32782
access-list 105 permit tcp any host 192.168.5.80 eq 32785
access-list 105 permit tcp any host 192.168.5.80 eq 32784
access-list 105 permit tcp any host 192.168.5.80 eq 32789
access-list 105 permit tcp any host 192.168.5.80 eq 32788
access-list 105 permit tcp any host 192.168.7.2 eq 8067
access-list 105 permit tcp any host 192.168.3.137 eq 81
access-list 105 deny   ip any any
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
line con 0
 password 7 xxxxx
 login
 no modem enable
line aux 0
line vty 0
 exec-timeout 40 0
 privilege level 15
 password 7 xxxxx
 logging synchronous
 login
 transport input telnet
line vty 1 4
 privilege level 15
 password 7 xxxxx
 logging synchronous
 login
 transport input telnet
!
scheduler allocate 20000 1000
!
end
1 Accepted Solution

Accepted Solutions

Francesco Molino
VIP Alumni
VIP Alumni

Hi

 

The ACL you applied on Dialer as the internal host as destination.

It should be your public IP. As your IP is dynamically assigned (unless your provider is always giving you the same), you will need to do any but by keeping the port. Or you will need to do some EEM to change them dynamically.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

4 Replies 4

Francesco Molino
VIP Alumni
VIP Alumni

Hi

 

The ACL you applied on Dialer as the internal host as destination.

It should be your public IP. As your IP is dynamically assigned (unless your provider is always giving you the same), you will need to do any but by keeping the port. Or you will need to do some EEM to change them dynamically.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks @Francesco Molino, your suggestion was very helpful.  I amended access-list 105 (code below), which improves the situation but it's not 100% working as desired.

When I apply the below, all the outbound traffic from internal VLANs to the Internet works ok, including being able to ping Internet hosts.

General inbound traffic from the Internal is also being blocked ('stealth' status on SheildsUp).

The specific ports that I want to be forwarded are showing as 'Open' on SheildsUp (as expected / desired).

HOWEVER, the traffic on those specific ports is not being forwarded to the internal hosts. 

 

access-list 105 permit icmp 192.168.0.0 0.0.255.255 any echo
access-list 105 permit icmp 192.168.0.0 0.0.255.255 any echo-reply
access-list 105 permit tcp any any eq 32400
access-list 105 permit tcp any any eq 32783
access-list 105 permit tcp any any eq 32782
access-list 105 permit tcp any any eq 32785
access-list 105 permit tcp any any eq 32784
access-list 105 permit tcp any any eq 32789
access-list 105 permit tcp any any eq 32788
access-list 105 permit tcp any any eq 8067
access-list 105 permit tcp any any eq 81
access-list 105 deny   ip any any

Hey @Francesco Molino , apologies, scratch my last message.

It's all working as desired, I was actually testing it incorrectly (trying to prove connectivity by connecting to the Dialer1 public IP from one of the internal hosts on VLAN 3).

Thanks again for the help.

You're welcome

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question