05-12-2016 12:32 AM - edited 02-20-2020 09:44 PM
Hello,
I am trying to create an ACL on a Cisco router which will allow all traffic from inside to the Internet and only allow specific traffic from the Internet to inside.
This is what I've configured and put on the router's interface connected to the ISP:
So I can connect from my public IP to the customer's LAN via RDP and SSH (which is o.k.), but the customer's users can not access the Internet (which is not o.k.)!
Users are all in the same Vlan. Between the Vlan interface and the outside interface (Dialer1) is PAT.
There are no other ACLs on the router except the one for PAT.
What am I missing here?
Thanks.
05-13-2016 01:56 AM
Is that why 192.168.0.0/24 is present in the 101 ACL? Is that the remote subnet you are connecting from to port 3389?
If your inside local subnet is a private class C then it should be your global outside address that you want to add to ACL 101.
Better still run an IPSec tunnel between the sites.
05-13-2016 04:35 AM
No, you don't need that line. The NTP request is sent out and gets inspected by the router. The NTP answer matches a "state entry" that the router has built by the inspection. Based on this state entry the NTP answer is allowed. The ACL is only used when new connections arrive at the public interface, that is the incoming SSH and RDP in your case.
05-12-2016 12:45 AM
Hi there,
What does your NAT and NAT-ACL look like?
You may as well remove line 95 (permit tcp 192.168.0.0 0.0.0.255 any) from ACL 101 as it is redundant.
cheers,
Seb.
05-12-2016 02:22 AM
Hi, thank you for your reply:
NAT:
ip nat inside source list 100 interface Dialer1 overload
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip any any
J
05-12-2016 02:44 AM
What is the output for:
sh ip nat statistics
05-12-2016 03:15 AM
This is from: sh ip nat statistics
J
05-12-2016 07:04 AM
Total active translations: 167 (0 static, 167 dynamic; 167 extended)
...looks like the PAT is working. Are you able to show some of the output from :
show ip nat trans
05-12-2016 10:40 PM
Hi Seb,
J
05-13-2016 12:05 AM
Ah I see. This behavior is due to the ACL being applied before outside-inside NAT, therefore line 100 is required for return traffic to be NAT'd.
If you are NAT'ing to a private inside network, do you really need an inbound ACL on your outside interface? Unless there is a static NAT statement, outside traffic cannot traverse the router.
I would remove the access-group from dialer1; you will not be exposing the inside unnecessarily.
cheers,
Seb.
05-13-2016 12:32 AM
o.k. But I do have one static nat translation, which allows me (from my public IP) to connect to their server on 3389.
J
05-13-2016 01:37 AM
In that case you will need to retain that line in the 101 ACL. Are you connecting from a fixed IP so that you can further secure the rule?
If you are connecting from various dynamic IPs and need to leave the ACL line as source-any, then the ACL provides no security and should be removed.
cheers,
Seb.
05-13-2016 01:43 AM
I have class C network that I am using for connection to client.
Should I put another ACL on Vlan interface?
05-13-2016 02:40 AM
Thank you Seb for all the effort.
This solution with ACL is quite complicated.
I've tried the suggestion which Karsten (above) posted with turning on the FW functionality and that worked.
Thanks again.
J
05-28-2016 12:21 AM
Would you mind posting your final config for the thread? I read through it and found some useful information, but it's in bits and pieces without the final story. Would appreciate it.
Thanks!
T
06-05-2016 11:50 PM
Hello Tyrone,
I added this to global configuration on router:
then this to my Outside Interface:
ip access-group 101 IN
ip inspect FW out
Access list 101:
access-list 101 permit icmp any any
access-list 101 permit tcp "My public IP" any eq 3389
access-list 101 permit tcp "My public IP" any eq 22
access-list 101 permit tcp any any eq smtp
access-list 101 permit udp any any eq ntp
access-list 101 deny ip any any
So this configuration allows outside traffic from my public IP only. The FW function on the router takes care of traffic that is initialized from inside. Probably the config could be optimized, but since it is working...
J
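The following is an added example, not the poster's own config or anything from Cisco IOS: a small Python simulation of the final ACL 101 above together with a stateful-inspection table, to show the two points made in this thread. Karsten's point (the NTP reply matches a state entry built by `ip inspect`, so the `permit udp any any eq ntp` line is not needed) and Seb's point (a `source-any` permit for 3389 gives no protection) are both reproduced. `ADMIN_IP` stands in for "My public IP" and `OUTSIDE_IP` for the Dialer1 address; both are constructed placeholders, and the first-match/implicit-deny evaluator is a simplified model of IOS ACL behaviour, not router code.

```python
"""Added example: simulate the thread's final ACL 101 on the outside interface,
with and without 'ip inspect FW out', to show why inside users lose Internet
access with a stateless inbound ACL alone and why inspection fixes it.
The evaluator is a simplified model of IOS extended-ACL semantics
(first match wins, implicit deny at the end); it is not router code."""
from dataclasses import dataclass

ADMIN_IP = "203.0.113.10"    # constructed placeholder for "My public IP"
OUTSIDE_IP = "198.51.100.1"  # constructed placeholder for the Dialer1 address
NTP = 123

# Final ACL 101 from the thread: (action, protocol, source, destination port)
ACL_101 = [
    ("permit", "icmp", "any", None),
    ("permit", "tcp", ADMIN_IP, 3389),
    ("permit", "tcp", ADMIN_IP, 22),
    ("permit", "tcp", "any", 25),    # eq smtp
    ("permit", "udp", "any", NTP),   # eq ntp
    ("deny", "ip", "any", None),
]
# Variant without the NTP line (Karsten: not needed once inspection is on).
ACL_101_NO_NTP = [e for e in ACL_101 if e[3] != NTP]
# Variant with a source-any RDP rule (Seb: then the ACL provides no security).
ACL_101_OPEN_RDP = [("permit", "tcp", "any", 3389) if e[3] == 3389 else e
                    for e in ACL_101]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def acl_lookup(acl, pkt):
    """First-match evaluation of an extended ACL with implicit deny."""
    for action, proto, src, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src != "any" and src != pkt.src:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"  # every IOS ACL ends with an implicit deny


class OutsideInterface:
    """Models 'ip access-group 101 in' plus an optional 'ip inspect FW out'."""

    def __init__(self, acl, inspect):
        self.acl = acl
        self.inspect = inspect
        self.sessions = set()  # state entries created by outbound inspection

    def send_out(self, pkt):
        """Outbound (already PAT'd) traffic; inspection records the session."""
        if self.inspect:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def receive_in(self, pkt):
        """Inbound packet: return traffic of a known session bypasses the ACL,
        anything else (a new connection from the Internet) hits ACL 101."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            return "permit"
        return acl_lookup(self.acl, pkt)


def return_traffic(proto, sport, dport, inspect, acl=ACL_101):
    """An inside host (PAT'd to OUTSIDE_IP) talks to 192.0.2.80:dport.
    Returns whether the server's reply is admitted on the outside interface."""
    iface = OutsideInterface(acl, inspect)
    iface.send_out(Packet(proto, OUTSIDE_IP, sport, "192.0.2.80", dport))
    reply = Packet(proto, "192.0.2.80", dport, OUTSIDE_IP, sport)
    return iface.receive_in(reply)


def inbound_rdp(src, acl=ACL_101):
    """Unsolicited RDP from the Internet towards the static NAT on 3389."""
    return acl_lookup(acl, Packet("tcp", src, 50000, OUTSIDE_IP, 3389))


if __name__ == "__main__":
    print("HTTP reply, ACL only:   ", return_traffic("tcp", 40001, 80, False))
    print("HTTP reply, with inspect:", return_traffic("tcp", 40001, 80, True))
    print("NTP reply, no ntp line, inspect:",
          return_traffic("udp", NTP, NTP, True, ACL_101_NO_NTP))
    print("RDP from admin IP:     ", inbound_rdp(ADMIN_IP))
    print("RDP from elsewhere:    ", inbound_rdp("198.51.100.77"))
    print("RDP from elsewhere, source-any rule:",
          inbound_rdp("198.51.100.77", ACL_101_OPEN_RDP))
```

With the ACL alone, the web server's reply to an inside-initiated connection is dropped by the final `deny ip any any`, which is exactly the "users cannot access the Internet" symptom in the first post; with inspection on, the same reply matches the state entry and never reaches the ACL. The NTP case shows the `eq ntp` line only helped because the reply lands on destination port 123, and becomes redundant once inspection is on.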