ACL clarification...I am a bit rusty...

DAVID RICHWALSKI
Beginner

I have an ACL like this

..... access-list 101 permit tcp any any eq 32100 log....

problem is I have to open it "WIDE TO THE WORLD"

I have a server behind the ROUTER ...192.168.0.34

So I tried

....access-list 101 permit tcp host 192.168.0.34 eq 32100 any log........

so it would JUST answer to that server, but it does not work...am I missing something??

Thanks...

Accepted Solution

I want to thank everyone for the help.... I am closing this Topic because I now have a Cisco 3925 Router.

So thanks to all


18 Replies

check below my comment 

marce1000
VIP Mentor

- Did you also apply the access list to an interface?

M.

Hello..thanks for the look at the issue...so here is what I have:

OUTSIDE INTERFACE:

interface GigabitEthernet0/1
description SPECTRUM$FW_OUTSIDE$$ETH-WAN$
ip address dhcp client-id GigabitEthernet0/1
ip access-group 101 in

This entry to let it in the ROUTER:

ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.0.34 32100 interface GigabitEthernet0/1 32100

My ORIGINAL ACL:  access-list 101 permit tcp host 192.168.0.34 eq 32100 any log    (Shows OPEN on port scan-ACCESS OK)

Your ACL:  access-list 101 permit tcp any host 192.168.0.3 eq 32100 log    (Shows FILTERED on port scan-NO ACCESS)

check below my comment 

Thanks for the reply...TYPO on my part

Checked my config file and it is OK there


show ip access-list 


I ran a small lab and tested NAT with an ACL.
For the TCP permit you need to specify the global NAT IP, not the local NAT IP, and because the global NAT IP is learned via DHCP we cannot use a static IP; instead I use any, and then in a second ACL line I deny all TCP traffic.
This allows only 32100 and drops the other TCP ports.

interface GigabitEthernet0/1
description SPECTRUM$FW_OUTSIDE$$ETH-WAN$
ip address dhcp client-id GigabitEthernet0/1
ip access-group 101 in <<-OK

This entry to let it in the ROUTER:

ip nat inside source list 1 interface GigabitEthernet0/1 overload <<-OK
ip nat inside source static tcp 192.168.0.34 32100 interface GigabitEthernet0/1 32100 <<-OK

access-list 101 permit tcp any any eq 32100 log 

access-list 101 deny tcp any any

[Image: cisco-ios-order-operations-01.jpg, Cisco IOS order of operations]
Why do we need the global, not the local, NAT IP?
Because of the NAT order of operations: here NAT for ingress comes after the ACL, so the ACL needs to include the global IP.
Since the global IP is learned via DHCP (dynamic), we need ANY.
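The order-of-operations point above is easy to get wrong on paper, so here is a small Python model added for this thread (it is not IOS code and is not from any of the posters). It parses the two candidate ACLs from the thread, evaluates a probe arriving on the outside interface before static PAT is applied, and then applies the PAT entry. The global address 203.0.113.10 is an assumed stand-in for whatever DHCP assigned the outside interface, and the scanner source 198.51.100.7 is a constructed value; the standard ACL with wildcard mask from later in the thread is parsed too, so the same matcher shows how `0.0.0.255` is evaluated.

```python
"""Toy model of the Cisco IOS order of operations for a packet arriving on the
outside interface: the inbound ACL is evaluated BEFORE the static NAT/PAT
translation, so an ACE written against the inside local address never matches.

Constructed example for this thread; it is not IOS code. It models only what
the thread uses: numbered ACLs (standard and extended ip/tcp/udp/icmp), 'host',
'any' and wildcard masks, 'eq <port>', 'remark' lines, the implicit deny at
the end of every ACL, and one static PAT entry. The global address
203.0.113.10 is an assumed stand-in for the DHCP-assigned outside address.
"""
import ipaddress
from dataclasses import dataclass

GLOBAL_IP = "203.0.113.10"                      # assumed DHCP-assigned outside address
INSIDE_SERVER = "192.168.0.34"                  # inside local address from the thread
STATIC_PAT = {(GLOBAL_IP, 32100): (INSIDE_SERVER, 32100)}   # 'ip nat inside source static tcp ...'

# The two candidate ACLs from the thread ('log' is kept; it does not affect matching).
ACL_LOCAL_ADDR = ["access-list 101 permit tcp any host 192.168.0.34 eq 32100 log"]
ACL_GLOBAL_ANY = ["access-list 101 permit tcp any any eq 32100 log",
                  "access-list 101 deny tcp any any"]

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

def _addr(tokens, i):
    """Consume 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (matcher, next index).
    Wildcard bits set to 1 are 'don't care' bits, the inverse of a subnet mask."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        want = int(ipaddress.ip_address(tokens[i + 1]))
        return (lambda ip, w=want: int(ipaddress.ip_address(ip)) == w), i + 2
    net = int(ipaddress.ip_address(tokens[i]))
    care = ~int(ipaddress.ip_address(tokens[i + 1])) & 0xFFFFFFFF
    return (lambda ip, n=net, c=care: int(ipaddress.ip_address(ip)) & c == n & c), i + 2

def _port(tokens, i):
    """Optional 'eq <port>' after an address; return (matcher, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        want = int(tokens[i + 1])
        return (lambda p, w=want: p == w), i + 2
    return (lambda p: True), i

def parse_ace(line):
    """Return (action, matcher) for one access-list line, or None for a remark."""
    t = line.split()
    if t[0] != "access-list" or t[2] == "remark":
        return None
    action = t[2]
    if t[3] in ("ip", "tcp", "udp", "icmp"):         # extended ACL: proto src [eq] dst [eq]
        proto = t[3]
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        return action, (lambda p: proto in ("ip", p.proto) and src(p.src)
                        and sport(p.sport) and dst(p.dst) and dport(p.dport))
    src, _ = _addr(t, 3)                             # standard ACL: source address only
    return action, (lambda p: src(p.src))

def acl_decision(acl_lines, pkt):
    """First matching ACE wins; no match means the implicit 'deny ip any any'."""
    for line in acl_lines:
        parsed = parse_ace(line)
        if parsed and parsed[1](pkt):
            return parsed[0]
    return "deny"

def outside_to_inside(acl_lines, static_pat, pkt):
    """Outside-to-inside path: 1) inbound ACL on the pre-NAT packet, 2) static PAT.
    Returns the translated packet, or None if the ACL dropped it."""
    if acl_decision(acl_lines, pkt) == "deny":
        return None
    local = static_pat.get((pkt.dst, pkt.dport))
    if local is None:
        return pkt                                   # no translation entry: left untouched
    return Packet(pkt.src, pkt.sport, local[0], local[1], pkt.proto)

if __name__ == "__main__":
    probe = Packet("198.51.100.7", 40000, GLOBAL_IP, 32100)   # constructed scanner probe
    for name, acl in (("local-address ACE", ACL_LOCAL_ADDR), ("any/any + deny", ACL_GLOBAL_ANY)):
        print(f"{name:18} port 32100 -> {outside_to_inside(acl, STATIC_PAT, probe)}")
    print(f"{'any/any + deny':18} port 22    -> "
          f"{outside_to_inside(ACL_GLOBAL_ANY, STATIC_PAT, Packet('198.51.100.7', 40001, GLOBAL_IP, 22))}")
```

Running it shows the local-address ACE dropping the probe (the packet it sees is still addressed to the global IP), while the any/any line admits port 32100, translates it to 192.168.0.34, and the following deny line drops port 22. The same ACE would match the post-NAT packet, which is why it looks correct when read from the inside.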

paul driver
VIP Expert

Hello
The access-list will not do any good, as you CANNOT open it to the world: it is a non-routable private address which isn't allowed to be advertised onto the public internet. The only way for external public networks to be able to reach that internal server would be via static port address translation (PAT).


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi...

I already have a PAT entry as follows: 


  access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 permit 192.168.0.0 0.0.0.255


Hello
So you are already using PAT; then that server is "hidden", plus it is only going to be accessible via that particular PAT translation.
What you may want to implement is something like CBAC..

Basic CBAC


ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp

access-list 101 permit tcp any any eq 32100
access-list 101 permit udp any any eq bootpc
access-list 101 deny ip any any

interface x/x
WAN
ip verify unicast source reachable-via rx access-list 100
ip access-group 101 in

ip inspect CBAC out 



Kind Regards
Paul
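To show what the `ip inspect` lines add on top of the stateless ACL, here is a small Python model added for this thread (not IOS code and not from any poster). It keeps a session table for flows that left through the WAN interface and admits only their reply traffic, while unsolicited inbound traffic still has to pass the static ACL (the published port 32100) or hit the implicit deny. The flows are written as seen on the outside interface after NAT, with 203.0.113.10 assumed as the router's global address; the session table and idle timeout are simplifications made here, and the peer addresses 198.51.100.9 and 198.51.100.7 are constructed.

```python
"""Toy model of what CBAC ('ip inspect') adds on top of a stateless inbound ACL:
reply traffic for sessions opened from the inside is admitted, while the ACL on
the WAN interface stays at 'permit the published port, deny everything else'.

Constructed example for this thread, not IOS code. Flows are written as seen on
the outside interface (post-NAT, so the router's global address 203.0.113.10
is assumed on the inside side); the session table and idle timeout are
simplifications made here for illustration.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """The 5-tuple that reply packets of this flow will carry."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

class InspectingRouter:
    def __init__(self, published_ports, idle_timeout=3600):
        self.published = set(published_ports)   # static 'permit tcp any any eq <port>' ACEs
        self.sessions = {}                      # expected reply flow -> last activity time
        self.idle_timeout = idle_timeout

    def outbound(self, flow, now):
        """'ip inspect CBAC out': remember the session so its reply can come back in."""
        self.sessions[flow.reverse()] = now
        return "inspect"

    def inbound(self, flow, now):
        """Inbound on the WAN interface: inspection table first, then the static ACL,
        then the implicit deny. Returns which rule admitted or dropped the flow."""
        last = self.sessions.get(flow)
        if last is not None:
            if now - last <= self.idle_timeout:
                self.sessions[flow] = now       # refresh the session
                return "inspect"
            del self.sessions[flow]             # idle session aged out
        if flow.proto == "tcp" and flow.dport in self.published:
            return "acl"
        return "deny"

def demo():
    """Walk through the cases described in the reply above; returns the decisions in order."""
    r = InspectingRouter(published_ports=[32100], idle_timeout=300)
    web = Flow("tcp", "203.0.113.10", 50000, "198.51.100.9", 443)      # inside user browsing out
    decisions = [
        r.outbound(web, now=0),
        r.inbound(web.reverse(), now=10),                                # reply to that session
        r.inbound(Flow("tcp", "198.51.100.9", 443, "203.0.113.10", 50001), now=10),  # unsolicited
        r.inbound(Flow("tcp", "198.51.100.7", 40000, "203.0.113.10", 32100), now=10), # published port
        r.inbound(Flow("tcp", "198.51.100.7", 40001, "203.0.113.10", 22), now=10),    # not published
        r.inbound(web.reverse(), now=311),                               # session idled out
    ]
    return decisions

if __name__ == "__main__":
    for d in demo():
        print(d)
```

The decisions come out as inspect, inspect, deny, acl, deny, deny: only the reply to the inside-initiated session and the published port get through, and once the session has idled past the timeout its reply is treated like any other unsolicited packet.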

I apologize for what seems my lack of contact about this problem you all have been helping me with...however I just got released from a rather lengthy stay at the VA Hospital.

I plan to get back to this problem and let you know where I am at with it.

Thank You.


So I am able to get back to this issue.

Paul, I set it up just like you wanted...the ports showed Filtered, but no access to my network.

So I tried these:


access-list 101 permit tcp any any eq xxxxxx log - All ports are WIDE OPEN, and I can access my network.

access-list 101 permit tcp any host xxx.xxx.x.xx eq xxxxxx log - All ports show as FILTERED - No access to my network.

access-list 101 permit tcp any eq xxxxxx any log - All ports show as FILTERED - No access to my network.

I have Attached my startup-config file

Thanks........

Hello David

CBAC will only return traffic through the router for sessions that were established internally. Your ACL 101 is quite large and, tbh, all the deny ACEs you show at the end of that ACL are not really required, as by default the ACL has an implicit deny all.

Also, the ACL is allowing a lot more traffic than you initially stated. You mention in your OP that certain traffic is to be allowed to a specific server, "so it would JUST answer to that server", which I then assumed was based on a single PAT; now you show multiple static PAT statements.
Can you elaborate a little more on what traffic you wish to be allowed to initiate sessions externally? This should then provide a better understanding for all and obviously assist in a definitive solution for you.



Kind Regards
Paul