07-06-2012 06:12 PM - edited 03-04-2019 04:54 PM
Hi,
I have configured my 1921 with nat overload for my network. NAT/PAT is working fine and everyone can access the internet, and my static address translations for remote desktop are working as well.
However, when I go to apply access list 101 to my inbound outside interface, all internet connectivity is lost. For some reason my RDP connections are being allowed when the access list isn't applied to the interface.
Also, port 23 (telnet) is showing as open to the outside (canyouseeme.org) without an access list. I want only the ports in the access list (RDP, etc.) to be accessible from the outside, and I want SSH access to the router from the outside as well. Any help would be appreciated...thanks!
This config is without the access list outside_access_in applied to the outside interface.
Building configuration...
Current configuration : 2274 bytes
!
! Last configuration change at 01:01:13 UTC Sat Jul 7 2012 by ADMIN
! NVRAM config last updated at 00:59:39 UTC Sat Jul 7 2012 by ADMIN
! NVRAM config last updated at 00:59:39 UTC Sat Jul 7 2012 by ADMIN
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname *****1921
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn *******
!
!
username ******* privilege 15 secret *****
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address X.X.X.X 255.255.255.224
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 10.254.51.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
!
router eigrp 1
network 10.0.0.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.100.51.10 3389 interface GigabitEthernet0/0 3389
ip nat inside source static tcp 10.100.51.251 1723 interface GigabitEthernet0/0 1723
ip route 0.0.0.0 0.0.0.0 gi0/0
!
access-list 100 remark Allow PAT
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 remark Outside_Access_in
access-list 101 permit icmp any any echo
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login local
transport input all
!
scheduler allocate 20000 1000
end
07-07-2012 04:46 AM
Try adding:
access-list 101 permit tcp any any established
This line should fix your browsing issues. You'll need to allow DNS back in specifically though by also adding:
access-list 101 permit udp any any eq 53
To enable only ssh, you'll need to set a domain name:
ip domain-name
Generate keys:
crypto key generate rsa modu 1024
Create a user:
username
Create an enable password:
enable secret
Enable SSH on your vty lines and authenticate against the local account database:
line vty 0 4
transport input ssh
login local
At this point, you should only be able to ssh into the router and not telnet.
HTH,
John
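To see why the inbound ACL from the question kills browsing and why the `established` line restores it, here is an added toy model of IOS extended-ACL evaluation (my own example code, not from this thread or from Cisco). The rule subset it parses, the function names `parse_acl` and `evaluate`, and the packet dictionaries are all assumptions made for illustration.

```python
# Added example (not from the thread): a toy model of IOS extended ACL
# evaluation, showing why the inbound ACL from the question drops return
# traffic until 'established' is added. All packets below are constructed.
ACL_ORIGINAL = """
access-list 101 permit icmp any any echo
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
"""
ACL_FIXED = ACL_ORIGINAL + """
access-list 101 permit tcp any any established
access-list 101 permit udp any any eq 53
"""

def parse_acl(text):
    """Parse 'access-list N permit|deny proto src [eq P] dst [eq P] [flag]' (src/dst 'any' only)."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[2] not in ("permit", "deny"):
            continue  # skip remarks, blank lines and anything this toy parser does not know
        action, proto, rest, ports = t[2], t[3], t[4:], []
        for _ in ("src", "dst"):  # 'eq' after src = source port, after dst = destination port
            rest.pop(0)  # the 'any' address
            if rest and rest[0] == "eq":
                rest.pop(0)
                ports.append(int(rest.pop(0)))
            else:
                ports.append(None)
        rules.append((action, proto, ports[0], ports[1], rest[0] if rest else None))
    return rules

def evaluate(rules, pkt):
    """First matching rule wins; every IOS ACL ends with an implicit deny."""
    for action, proto, sport, dport, flag in rules:
        if proto != pkt["proto"] or (sport and pkt.get("sport") != sport) \
                or (dport and pkt.get("dport") != dport):
            continue
        if flag == "established" and not pkt.get("ack"):
            continue  # only TCP with ACK/RST set, i.e. replies to inside-initiated sessions
        if flag == "echo" and pkt.get("type") != "echo":
            continue
        return action
    return "deny"

# Constructed packets arriving inbound on Gi0/0 (the 'ip nat outside' interface).
HTTP_REPLY = {"proto": "tcp", "sport": 80, "dport": 51000, "ack": True}
TELNET_SYN = {"proto": "tcp", "sport": 40000, "dport": 23, "ack": False}
RDP_SYN = {"proto": "tcp", "sport": 40000, "dport": 3389, "ack": False}
DNS_REPLY = {"proto": "udp", "sport": 53, "dport": 52000}
```

Because IOS reads a port qualifier positionally, `permit udp any any eq 53` matches destination port 53, whereas a DNS reply from a resolver carries source port 53, which `permit udp any eq 53 any` matches; the evaluator reproduces that distinction.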