cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
8463
Views
5
Helpful
27
Replies
julijan.klancnik
Beginner

ACL on Cisco router - Block traffic from outside, allow all from inside

Hello,

I am trying to create ACL on Cisco router which will allow all traffic from inside to internet and only allow specific traffic from internet to inside.

This is what I've configured and puted on  Router's interface connected to ISP:

    10 permit icmp any any (411 matches)
    20 permit tcp "my public IP" any eq 3389 (46400 matches)
    30 permit tcp "my public IP" any eq 22 (9185 matches)
    40 permit ip "my public IP" any (3207 matches)
    50 permit tcp any any eq smtp (11 matches)
    60 permit tcp any any eq www (56 matches)
    70 permit tcp any any eq 443 (29 matches)
    80 permit tcp any any eq domain (5 matches)
    81 permit udp any any eq domain (7 matches)
    82 permit udp any eq domain any (10564 matches)
    83 permit tcp any eq domain any (10 matches)
    90 permit udp any any eq ntp (13317 matches)
    95 permit tcp 192.168.0.0 0.0.0.255 any
Interface Dialer 1
ip Access-group 101 IN

So I can connect from my public IP to Customer's LAN via RDP and SSH (which is o.k.), but Customer's users can not Access Internet (which is not o.k.)!

Users are all in the same Vlan. Between Vlan interface and Outside interface (dialer 1) is PAT.

There are no other ALC on the router exept the one for PAT.

What am I missing here?

Thanks.

2 ACCEPTED SOLUTIONS

Accepted Solutions

Is that why 192.168.0.0/24 is present in the 101 ACL? Is that the remote subnet you are connecting from to port 3389?

If your inside local subnet is a private class C then it should be your global outside address that you want to add to ACL 101.

Better still run an IPSec tunnel between the sites.

View solution in original post

No, you don't need that line. The NTP-request is sent out and gets inspected by the router. The NTP-answer matches a "state-entry" that the router has build by the inspection. Based on this state-entry the NTP-answer is allowed. The ACL is only used when new connections arrive at the public interface, that is the incoming SSH and RDP in your case.

View solution in original post

27 REPLIES 27
Seb Rupik
VIP Advisor

Hi there,

What does your NAT and NAT-ACL look like?

You may as well remove line 95 (permit tcp 192.168.0.0 0.0.0.255 any) from ACL 101 as it is redundant.

cheers,

Seb.

Hi, Thank you for your replay:

NAT:

ip nat inside source list 100 interface Dialer1 overload

access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 deny   ip any any

J

What is the output for:

sh ip nat statistics

This is from:    Sh ip NAT statistics

Total active translations: 167 (0 static, 167 dynamic; 167 extended)
Peak translations: 1669, occurred 22:11:14 ago
Outside interfaces:
  Dialer1, GigabitEthernet1, Virtual-Access1
Inside interfaces:
  Vlan1
Hits: 5765836  Misses: 0
CEF Translated packets: 2085942, CEF Punted packets: 61498
Expired translations: 103470
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 100 interface Dialer1 refcount 165
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

J

Total active translations: 167 (0 static, 167 dynamic; 167 extended)

...looks like the PAT is working. Are you able to show some of the output from :

show ip nat trans

Hi Seb,

10 permit icmp any any
20 permit tcp "my public IP" any eq 3389
30 permit tcp "my public IP" any eq 22
95 permit tcp 192.168.0.0 0.0.0.255 any
100 permit ip any any
Maybe I didn't stated my problem well. If I use ACL above, Everything is working, but all the traffice is captured on statement 100. So all traffic is allowed, if I remove statement 100, then local users don't have web Access. And that what is bothering me.

J

Ah I see. This behavior is due to the ACL being applied before outside-inside NAT, therefore line 100 is required for return traffic to be NAT'd.

If you are NAT'ing to a private inside network, do you really need an inbound ACL on your outside interface? Unless there is a static NAT statement, outside traffic cannot traverse the router.

I would remove the access-group from dialer1; you will not be exposing the inside unnecessarily.

cheers,

Seb.

o.k. But I do have one static nat translation, which allows me (from my public IP) to connect to their server on 3389.

J

In that case you will need to retain that line in the 101 ACL. Are you connecting from a fixed IP so that you can further secure the rule?

If you are connecting from various dynamic IPs and need to leave the ACL line as source-any, then the ACL no security and should be removed.

cheers,

Seb.

I have class C network that I am using for connection to client.

Should I put another ACL on Vlan interface?

Is that why 192.168.0.0/24 is present in the 101 ACL? Is that the remote subnet you are connecting from to port 3389?

If your inside local subnet is a private class C then it should be your global outside address that you want to add to ACL 101.

Better still run an IPSec tunnel between the sites.

View solution in original post

Thank you Sep for all the effert.

This sollution with ACL is Quite complicated.

I've tried the suggestion which Karsten (above) posted with turning on the FW functionality and that worked.

Thanks again.

J

Would you mind posting your final config for the thread? Read through and  some useful information, but it's in bits and pieces without the final story. Would appreciate it.

Thanks!

T

Helly Tyrone,

I added this to global configuration on router:

ip inspect name FW dns
ip inspect name FW icmp router-traffic
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW smtp

then this to my Outside Interface:

ip access-group 101 IN
ip inspect FW out

Access list 101:

access-list 101 permit icmp any any
access-list 101 permit tcp "My public IP" any eq 3389
access-list 101 permit tcp "My public IP" any eq 22
access-list 101 permit tcp any any eq smtp
access-list 101 permit udp any any eq ntp
access-list 101 deny   ip any any

So this configuration allows outside traffic from my Public Ip only. FW function on router takes care of traffic that is inicialized from inside. Probably the conf. could be optimized, but since it is working.....

J

Content for Community-Ad

This widget could not be displayed.