887va - NAT and Firewall Question

John Adams
Level 1

Hi,

I've recently got a Cisco 887va. I have followed this guide to setting the ADSL2+ up and it worked fine:

https://supportforums.cisco.com/message/3578292#3578292

My 887va is also on 192.168.1.1

I can get out onto the internet - everything is working great.

What I want to do now is to be able to access my router remotely for SSH over the internet. (At another office).

I would therefore like to SSH to the dialer0 interface and have it connect to my 192.168.0.1 IP

I understand I need a NAT statement but I'm confused if I need an ACL or a Firewall rule (or both).

Is it possible someone could give me an example of how to do this correctly?

My 887va needs to be as secure as possible so I want to restrict the remote access to 2 IPs that I know and own at remote offices and for the ssh protocol only. Nobody else external should access this.

I very much look forward to your help.

John.

29 Replies

I've just done an internal scan using nmap and only 22 and 443 ports show as open. Therefore I think from an external point of view everything should be OK and no firewall required?

I presume it's not 'wrong' to place an ADSL router on the internet with the dialer0 WAN interface only protected via ACLs?

Hi,

As long as the internal network is protected by a firewall this is no problem.

Regards

Alain

Don't forget to rate helpful posts.

Oh - no - my internal network (machines, laptops/phones) get a 192.168.0.1 IP directly from the 887va so there would not be a firewall there.

I'm guessing this must be OK - the majority of configs I've seen on this forum for the 887va do not have the firewall settings enabled?

Hi,

As long as there is only dynamic NAT overload, it shouldn't be a problem for your internal network.

Regards

Alain

Don't forget to rate helpful posts.

Yes that's correct for my config - interesting bits below. So everything should be OK?

With this I will have allowed SSH, HTTPS and SNMP from my 2 Head Office IPs to the dialer0 interface of my 887va router and no other external IPs should have any access into my network from the internet. My internal network (192.168.0.1) should be secure because I only have the nat overload command. The commands should also allow my 192.168.0.1 users outbound internet access on all ports.

Hopefully this below has cracked it and does everything I want?

(Interesting bits only).

interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
interface Dialer0
 ip nat outside
no ip http server
ip http access-class 10
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 10 permit xx.xx.xx.xx
access-list 10 permit yy.yy.yy.yy
access-list 10 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
snmp-server community nagios-svr RO 10
line vty 0 4
 access-class 10 in
 transport input ssh

Hi,

Correct, it achieves what you want.

Regards

Alain

Don't forget to rate helpful posts.

Excellent - I will test and update this thread. Thank you.

Hi,

Did you test the config?

Regards

Alain

Don't forget to rate helpful posts.

Hi,

I tested the ADSL part today which worked (so I could get outbound).

I've tested SSH remotely and that worked (thank you).

I need to scan it remotely to check all other ports are closed correctly and will then update again.

Thanks,

Hi,

I have managed to run an nmap scan externally.

First, my SSH, SNMP and HTTPS access lists worked fine, thank you.

However, I've noticed the following - nmap shows these ports as open:

53 - tcp - open
1720 - tcp - filtered
1863 - tcp - open
5190 - tcp - open

I'd be interested to know why that is and how to stop them and if it's anything to worry about.

Actually, I just checked more UDP and DNS, time and SNMP are open to all:

53/udp open|filtered domain
123/udp open ntp
161/udp open snmp

Show run of applicable settings:

!
ntp server 1.uk.pool.ntp.org
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 10 permit xx.xx.xx.xx (an external IP I own)
access-list 10 permit yy.yy.yy.yy (an external IP I own)
access-list 10 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
snmp-server community nagios-SVR RO 10
ip dhcp pool myDHCPpool
 import all
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 192.168.0.1
!
ip domain name xxxxx.com
ip name-server 8.8.8.8
line vty 0 4
 access-class 10 in
 password 7 xxxxxxxxxx
 login authentication local_auth
 transport input ssh

Just wondered if anyone had any thoughts on this? Thank you.
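As an added example (not code from the thread or from Cisco), a small Python audit that applies the checks the posts above argue about to a posted running-config: the vty access-class and ssh-only transport from the "interesting bits" post, the ACL on the SNMP community, the access-class on the HTTPS server, an inbound ACL on the WAN interface, and the NTP listener that the external nmap scan found answering on 123/udp. The sample config is constructed from the thread's posts, and the head-office address in it is a documentation placeholder.

```python
# Constructed sample built from the thread's "interesting bits"; 198.51.100.10 is a placeholder.
SAMPLE_CONFIG = """\
interface Dialer0
 ip nat outside
ip http access-class 10
ip http secure-server
ntp server 1.uk.pool.ntp.org
access-list 10 permit 198.51.100.10
snmp-server community nagios-svr RO 10
line vty 0 4
 access-class 10 in
 transport input ssh
"""

def parse_blocks(config):
    # Group an IOS running-config into (top-level line, [indented sub-lines]) pairs.
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def has(lines, prefix, suffix=""):
    return any(l.startswith(prefix) and l.endswith(suffix) for l in lines)

def audit(config, wan_if="Dialer0"):
    # Report what an outside host can reach on the router itself (not on the LAN behind NAT).
    blocks = parse_blocks(config)
    top = [head for head, _ in blocks]
    findings = []
    for head, subs in blocks:
        if head.startswith("line vty"):
            if not has(subs, "access-class", " in"):
                findings.append("vty: no inbound access-class, SSH reachable from any source")
            if "transport input ssh" not in subs:
                findings.append("vty: transport input not limited to ssh")
        elif head.startswith("snmp-server community") and len(head.split()) < 5:
            # "snmp-server community <name> RO|RW <acl>": fewer than 5 words means no ACL
            findings.append("snmp: community has no ACL, 161/udp answers any source")
        elif head == "interface " + wan_if and not has(subs, "ip access-group", " in"):
            findings.append(wan_if + ": no inbound ACL, each listening service is open unless it carries its own ACL")
    if "ip http secure-server" in top and not has(top, "ip http access-class"):
        findings.append("https: management server has no access-class")
    if has(top, "ntp server") and not has(top, "ntp access-group"):
        findings.append("ntp: no ntp access-group, 123/udp answers any source")
    return findings
```

On the sample the audit returns only the two gaps the scan actually exposed: no inbound ACL on Dialer0 and an unrestricted NTP listener.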


Hi,

How did you check open ports and what were they from inside and outside? Nmap internally and externally?

Regards

Alain

Don't forget to rate helpful posts.

Hi,

Thank you for your reply.

From a completely separate Internet connection and IP I tested over the internet to the WAN IP of the box.

So the test was external - much like I could run from my home for example.

I have opened another thread as it probably warrants its own thread.

https://supportforums.cisco.com/thread/2260671
