09-23-2008 02:26 AM - edited 03-03-2019 11:39 PM
Hi,
I have a guest ADSL line at work for people needing full access to the internet. It's on a Cisco 877 and the config is below. The thing is, I need to provide 3389 to a PC on the guest network; however, when I apply "ip access-list 101 in" to dialer 1, the internet doesn't work.
I need users to access anything they want, but allow 1.2.3.4 to access 10.0.0.108 on 3389.
When I enable access-list 101 on the dialer I get lots of deny errors on ports 53 for DNS and 80 for HTTP.
ADSL#sh run
Building configuration...
Current configuration : 2753 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ADSL
!
boot-start-marker
boot-end-marker
!
logging buffered 8192 notifications
enable password 7 *
!
no aaa new-model
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.10
!
ip dhcp pool client
import all
network 10.0.0.0 255.255.255.0
default-router 10.0.0.2
lease 0 2
!
!
no ip cef
ip domain name guestdomain.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
username * password 7 *
!
!
ip tftp source-interface Ethernet0
ip ssh version 2
!
!
!
!
interface Ethernet0
ip address 10.0.0.2 255.255.255.0
no ip unreachables
ip nat inside
ip virtual-reassembly
hold-queue 100 out
!
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
interface ATM0
no ip address
no ip unreachables
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
cdp enable
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
no ip unreachables
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname *
ppp chap password 7 *
ppp pap sent-username * password 7 *
ppp ipcp dns request
ppp ipcp wins request
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.0.0.108 3389 interface Dialer1 3389
!
logging trap notifications
logging facility local4
logging source-interface Ethernet0
access-list 50 permit 1.2.3.4
access-list 101 permit tcp host 1.2.3.4 any eq 3389 log
access-list 101 permit udp host 194.74.65.69 eq domain any
access-list 101 permit udp host 194.72.9.34 eq domain any
access-list 101 deny ip any any log
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
banner login ^C Authorised access only! Disconnect IMMEDIATELY if you are not an authorised user! ^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 50 in
exec-timeout 5 0
login local
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
end
ADSL#
09-23-2008 09:14 AM
Hello Andy,
your ACL 101 should be reviewed:
first of all, it is applied inbound to the NAT outside interface:
Dialer1 is the L3 interface to the Internet,
so to allow web surfing you need to add, before the last line:
access-list 101 permit tcp any eq 80 any
because the well-known port is on the server side.
For DNS to work:
access-list 101 permit udp any eq 53 any
for the same reason, but this is already present for two specific servers.
Try to change the ACL as I suggested above and give it a try.
Hope to help
Giuseppe
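As an added example (not from Andy's config or Giuseppe's reply): a version of ACL 101 that admits return traffic with the `established` keyword instead of trusting any packet sourced from port 80, keeping the addresses from the original post. It assumes the two resolver addresses are the ones the guest clients actually use.

```cisco
! Added example, not from the thread: rework ACL 101 so that only replies to
! sessions opened from the guest LAN come back in on Dialer1.
! 1.2.3.4, 10.0.0.108 and the two resolver addresses are from the post.
no access-list 101
!
! Inbound RDP to the static NAT entry. On the inbound path the ACL is checked
! before NAT, so the destination is the public side (the Dialer1 address),
! which is why "any" is used here rather than 10.0.0.108.
access-list 101 permit tcp host 1.2.3.4 any eq 3389 log
!
! Return TCP traffic: "established" matches only segments with ACK or RST set,
! so a new connection (SYN only) sourced from port 80 or 443 is still dropped.
! "permit tcp any eq 80 any" would let such a SYN through to any NAT entry.
access-list 101 permit tcp any any established
!
! DNS replies only from the resolvers the guests use (assumed to be the two
! learned via IPCP). If clients point at other resolvers, list them here
! rather than opening "udp any eq 53 any".
access-list 101 permit udp host 194.74.65.69 eq domain any
access-list 101 permit udp host 194.72.9.34 eq domain any
!
! ICMP messages needed for path MTU discovery and basic diagnostics.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
!
! Everything else is dropped and logged, as in the original ACL.
access-list 101 deny ip any any log
!
interface Dialer1
 ip access-group 101 in
```

If the IOS image on the 877 includes CBAC (`ip inspect`), applying stateful inspection on Dialer1 would replace the `established` line and also track UDP sessions, so the per-resolver DNS entries would no longer be needed.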