cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
2308
Views
5
Helpful
29
Replies
Highlighted
Beginner

887va - NAT and Firewall Question

Hi,

I've recently got a Cisco 887va. I have followed this guide to setting the ADSL2+ up and it worked fine:

https://supportforums.cisco.com/message/3578292#3578292

My 887va is also on 192.168.1.1

I can get out onto the internet - everything is working great.

What I want to do now is to be able to access my router remotely for SSH over the internet. (At another office).

I would therefore like to SSH to the dialer0 interface and have it connect to my 192.168.0.1 IP

I understand I need a NAT statement but i'm confused if I need an ACL or a Firewall rule (or both).

Is it possible someone could give me an example of how to do this correctly?

My 887va needs to be as secure as possible so I want to restrict the remote access to 2 IPs that I know and own at remote offices and for the ssh protocol only. Nobody else external should access this.

I very much look forward to your help.

John.

Everyone's tags (6)
29 REPLIES 29
Advisor

887va - NAT and Firewall Question

Hi,

if you want to access your router remotely for management with ssh from 2 Public IPs and internally, I suppose ssh is already configured:

access-list 10 permit host x.x.x.x

access-list 10 permit host y.y.y.y

access-list 10 permit 192.168.1.0 0.0.0.255

line vty 0 15

login local

transport input ssh

access-class 10 in

Now if you want to ssh to an internal machine from the 2 public IPs and internally, you'l need to configure static PAT(aka port forwarding) and either use CBAC or ZFW, if this is the case I will provide you a basic firewall config along with NAT.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
Beginner

Re: 887va - NAT and Firewall Question

Thank you very much. Yes SSH is already configured and working well fromt the inside.

I've a few questions - hopefully you can help to clarify.

With the ACL list you have provided (and acl 'in' statement under the SSH section) do I still require a NAT statement for my dialer0 interface to my 192.168.1.1 router address or is the NAT statement not required - does the ACL work without? What should the NAT statement be if so?

Yes that would be great if you can give me the basic firewall and PAT information as I will want to do this as well. (I'll likely be having a web server so allowing 80 and 443 but to restricted sites. The web server will eventually sit on 192.168.1.2

I would also like to allow HTTPS as well as SSH so we can view the web interface as well as PING to perform a basic check - again these need to be restricted to the 2 internet IPs - the destination will be the router IP of 192.168.1.1

I very much look forward to your response and will rate as helpful.

Thanks.

EDIT: I had asked the ping question separately - not sure where it is best to answer it: https://supportforums.cisco.com/thread/2258656

Advisor

887va - NAT and Firewall Question

Hi,

With the ACL list you have provided (and acl 'in' statement under the  SSH section) do I still require a NAT statement for my dialer0 interface  to my 192.168.1.1 router address or is the NAT statement not required -  does the ACL work without? What should the NAT statement be if so?

You won't need NAT because you'll be sshing to the public IP of your router.

You will need to ssh to FQDN provided by no-ip.org or dyndns.org because you have a dynamic IP through PPP.

here is a  thread discussing the dyndns configuration: https://supportforums.cisco.com/thread/2167081

Yes that would be great if you can give me the basic firewall and PAT  information as I will want to do this as well. (I'll likely be having a  web server so allowing 80 and 443 but to restricted sites. The web  server will eventually sit on 192.168.1.2

here is a config example for the static PAT:

int vlan1

ip nat inside

int dialer0

ip nat outside

ip nat inside source static tcp 192.168.1.2 80 interface dialer0 80

ip nat inside source static tcp 192.168.1.2 443 interface dialer0 4430

no ip http server

ip http secure-server

I would also like to allow HTTPS as well as SSH so we can view the web  interface as well as PING to perform a basic check - again these need to  be restricted to the 2 internet IPs - the destination will be the  router IP of 192.168.1.1

for securing https access to router you can use the same access-class like this:

ip http access-class 10

Now for firewall config,you could do something like this:

ip access-list extended Outside-Inside-acl

permit tcp host x.x.x.x  host 192.168.1.2 eq https

permit tcp host x.x.x.x  host 192.168.1.2 eq http

ip access-list extended Outside-Mgmt-acl

permit tcp host x.x.x.x any eq 443

permit tcp host x.x.x.x any eq 22

permit tcp host y.y.y.y any eq 443

permit tcp host y.y.y.y any eq 22

zone security Inside

zone security Outside

int vlan1

zone-member security Inside

int dialer 0

zone-member security Outside

class-map type inspect match-any Inside-Outside-class

match protocol tcp

match protocol udp

match protocol icmp

class-map type inspect match-any Outside-Inside-class

match access-group name Outside-Inside-acl

class-map type inspect match-any Outside-Mgmt-class

match access-group name Outside-Mgmt-acl

policy-map type inspect Inside-Outside-policy

class type inspect Inside-Outside-class

inspect

class class-default

drop

policy-map type inspect Outside-Inside-policy

class type inspect Outside-Inside-class

inspect

class class-default

drop

policy-map type inspect Outside-Mgmt-policy

class type inspect Outside-Mgmt-class

inspect

class class-default

drop

zone-pair security Outside-Inside source Outside destination Inside

service-policy type inspect Outside-Inside-policy

zone-pair security Inside-Outside source Inside destination Outside

service-policy type inspect Inside-Outside-policy

zone-pair security Outside-self source Outside destination self

service-policy type inspect Outside-Mgmt-policy

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
Beginner

Re: 887va - NAT and Firewall Question

Again thank you.

Just a few points to clarify:

When you say 'You won't need NAT because you'll be sshing to the public IP of your router' is that because it does some kind of nat behind the scenes? - and therefore don't need a nat statement for this?

ip http access-class 10 - where would this statement go?

Does your firewall part include icmp?

Lastly i'm confused why I would use ACLs and not firewall rules. (I come from a firewall background, just not Cisco - hence my earlier NAT question about the mgmt interface). Is it possible to use firewall rules as well (or instead of acl) for the management access to the router for ssh, https and icmp from 2 known external IPs?

Advisor

887va - NAT and Firewall Question

Hi,

you don't need NAT to access your device from public location as it has a WAN public IP

the ip http access-class is a configuration mode command

yes, the firewall config I provided takes icmp,ssh and https access to router into account.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
Beginner

Re: 887va - NAT and Firewall Question

Thank you.

So I've learnt that for the WAN public IP of the router no NAT statement is required but for additional IPs then a NAT statement would be required.

Can you clarify this point - why would I use ACLs for the Management access instead of firewall rules - what's the benefit?

Advisor

887va - NAT and Firewall Question

Hi,

using access-class for http/https and telnet/ssh is less demanding on the router than using firewall feature.

And also easier to configure.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
Beginner

Re: 887va - NAT and Firewall Question

Excellent thanks. That makes sense - I want my router to be as secure as possible but at the same time I want the performance and don't want to make it CPU intensive so I will not use the firewall feature for now.

I have got the following configured now on my Router:

no ip http server

ip http access-class 10

ip http secure-server

access-list 10 permit xx.xx.xx.xx (external IP 1 of my head office over the internet)

access-list 10 permit yy.yy.yy.yy (external IP 2 of my head office over the internet)

access-list 10 permit 192.168.1.0 0.0.0.255 (my internal vlan1 network and what the router sits on).

line vty 0 4

access-class 10 in

password 7 ***********

login authentication local_auth

transport input ssh

I've not tested this yet as I need to visit my remote office.

Now finally - How do i allow ping to the WAN IP (to check it is up and wokring remotely) with an ACL?

Advisor

887va - NAT and Firewall Question

Hi,

for this you would have to use an inbound ACL on the WAN interface but in this case you'd be better with a firewall config because ACLs are stateless so if you permit your icmp and deny everything else you will also deny return traffic in response to LAN initiated traffic.

You could in this case use CBAC:

ip inspect name myfirewall tcp

ip inspect myfirewall udp

ip inspect myfirewall icmp

ip access-list extended remote-access

permit icmp host x.x.x.x any echo

permit icmp host y.y.y.y any echo

permit tcp host x.x.x.x any eq ssh

permit tcp host y.y.y.y any eq ssh

permit tcp host x.x.x.x any eq https

permit tcp host y.y.y.y any eq https

deny ip any any

int dialer0

ip access-group remote-access in

int vlan 1

ip inspect myfirewall out

As you can see here the problem is that as your WAN IP is dynamic so you must specify any as destination in your inbound ACL which opens up corresponding access to any forwarded address for the http(s)/ssh protocols.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
Beginner

Re: 887va - NAT and Firewall Question

Hmm I'm a bit lost now.

So the config above would replace any of the previous ways of allowing https and ssh as well?

My WAN IP if fixed from my ISP - can i just put 'dialer0' instead of 'any'?

Edit: I said I wanted to allow ping before but if SNMP can be done via ACL I think that would be OK to avoid having to set up the firewall and allowing ping.

Advisor

887va - NAT and Firewall Question

Hi,

if you have a static IP on the WAN interface then of course you can explictly allow traffic to this IP instaed of using any keyword.

of course you can restrict SNMP access to some IPs with access-list.

So if you only want to restrict access for Management of your router you don't specifically need an ACL or firewall feature but you can use access-list specifying legitimate IP addresses and use this ACL with http/https( ip http access-class),telnet/ssh( access-class under vty line) and SNMP( access-list with snmp-server command).

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
Beginner

Re: 887va - NAT and Firewall Question

That's great thanks.

So my config now looks like this. I hope it will allow me to SSH, HTTPs and SNMP into it via both the internal 192.168.0.1 address range AND 2 external IPs at my head office via the WAN port. I hope it blocks everything else incoming so if you were to port scan you would not see any open ports.

Is that the correct assumption and does the code now look accurate?

no ip http server

ip http access-class 10

ip http secure-server

access-list 10 permit xx.xx.xx.xx (external IP 1 of my head office over the internet)

access-list 10 permit yy.yy.yy.yy (external IP 2 of my head office over the internet)

access-list 10 permit 192.168.1.0 0.0.0.255 (my internal vlan1 network and what the router sits on).

snmp-server community nagios-svr RO 10 (where 10 is the access list so it allows those IPs in?)

snmp-server location xxxxx

snmp-server contact xxxxxxx

line vty 0 4

access-class 10 in

password 7 ***********

login authentication local_auth

transport input ssh

Advisor

887va - NAT and Firewall Question

Hi,

I hope it blocks everything else incoming so if you were to port scan you would not see any open ports.

No, it just won't let any other IP access https/ssh/snmp on the router.

if you want to hide open ports from scan then you need a firewall and disable unneeded services.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
Beginner

Re: 887va - NAT and Firewall Question

Ah OK. I perhaps will need a firewall after all then (or deny ACL for the other services ports available) - otherwise it will fail an external audit - usually a Nessus scan and nmap - i presume loads will show as open wihout? Would ACL be enough for the ports to not show on a Nessus report or does that HAVE to be a firewall?

Thank you for your help and sorry for all the questions.

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards