08-07-2022 12:24 AM - last edited on 09-29-2022 10:02 AM by Translator
I have an ACL like this
..... access-list 101 permit tcp any any eq 32100 log....
The problem is I have to open it "WIDE TO THE WORLD".
I have a server behind the ROUTER ...192.168.0.34
So I tried
....access-list 101 permit tcp host 192.168.0.34 eq 32100 any log........
so it would JUST answer to that server, but it does not work...am I missing something??
Thanks...
09-28-2022 10:38 PM
I want to thank everyone for the help.... I am closing this Topic because I now have a Cisco 3925 Router.
So thanks to all
08-07-2022 03:22 AM - edited 08-23-2022 01:27 PM
check below my comment
08-07-2022 03:22 AM
- Did you also apply the access list to an interface ?
M.
08-07-2022 05:24 AM - last edited on 09-29-2022 10:05 AM by Translator
Hello..thanks for the look at the issue...so here is what I have:
OUTSIDE INTERFACE:
interface GigabitEthernet0/1
description SPECTRUM$FW_OUTSIDE$$ETH-WAN$
ip address dhcp client-id GigabitEthernet0/1
ip access-group 101 in
This entry to let it in the ROUTER:
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.0.34 32100 interface GigabitEthernet0/1 32100
My ORIGINAL ACL: access-list 101 permit tcp host 192.168.0.34 eq 32100 any log (Shows OPEN on port scan-ACCESS OK)
Your ACL: access-list 101 permit tcp any host 192.168.0.3 eq 32100 log (Shows FILTERED on port scan-NO ACCESS)
08-07-2022 06:18 AM - edited 08-23-2022 01:27 PM
check below my comment
08-07-2022 06:37 AM
Thanks for the reply...TYPO on my part
Checked my config file and it is OK there
08-07-2022 06:44 AM - last edited on 09-29-2022 10:06 AM by Translator
share
show ip access-list
08-07-2022 09:21 AM - last edited on 09-29-2022 10:07 AM by Translator
I run small lab and test the NAT with ACL
For the TCP permit you need to specify the global NAT IP, not the local NAT IP, and because the global NAT IP is learned via DHCP we cannot use a static IP; instead I use "any", then in a second ACL line I deny all TCP traffic.
This allows only 32100 and drops the other TCP ports.
interface GigabitEthernet0/1
description SPECTRUM$FW_OUTSIDE$$ETH-WAN$
ip address dhcp client-id GigabitEthernet0/1
ip access-group 101 in <<-OK
This entry to let it in the ROUTER:
ip nat inside source list 1 interface GigabitEthernet0/1 overload <<-OK
ip nat inside source static tcp 192.168.0.34 32100 interface GigabitEthernet0/1 32100 <<-OK
access-list 101 permit tcp any any eq 32100 log
access-list 101 deny tcp any any
08-07-2022 03:47 PM
Why do we need the global, not the local, NAT IP?
Because of the NAT order: here the NAT for ingress comes after the ACL, so the ACL needs to include the global IP.
Since the global IP is via DHCP (dynamic), we need ANY.
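To make the order-of-operations point above concrete, here is a small model of the outside-to-inside packet path on an IOS NAT router. It is an added example written for this thread, not code from any of the posts or from Cisco: it parses the extended ACEs tried in the thread, evaluates the inbound ACL against the packet as it arrives on Gi0/1 (destination = the router's global address), and only then applies the static PAT to 192.168.0.34. The global address 203.0.113.10 and the client addresses 198.51.100.7 and 192.0.2.5 are assumed documentation-range values; the "src-restricted" variant goes beyond the thread and shows that, since the destination is dynamic, tightening the permit is done on the source instead.

```python
"""Model of the outside->inside path on an IOS NAT router: inbound ACL, then NAT.

Constructed example for this thread (not from the posts or from Cisco).  Only the
ordering is modelled: "ip access-group 101 in" on the outside interface sees the
untranslated packet, and the static PAT to 192.168.0.34 runs afterwards.  All
public addresses below are assumed documentation-range values.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src: tuple             # ("any",), ("host", ip) or ("wild", net, wildcard)
    sport: Optional[int]
    dst: tuple
    dport: Optional[int]

def _take_addr(toks, i):
    """Consume one address spec of an extended ACE starting at toks[i]."""
    if toks[i] == "any":
        return ("any",), i + 1
    if toks[i] == "host":
        return ("host", toks[i + 1]), i + 2
    return ("wild", toks[i], toks[i + 1]), i + 2

def _take_port(toks, i):
    """Consume an optional 'eq <port>' at toks[i]; port ranges are not modelled."""
    if i < len(toks) and toks[i] == "eq":
        return int(toks[i + 1]), i + 2
    return None, i

def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> permit|deny <proto> <src> [eq p] <dst> [eq p] [log]'."""
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError(line)
    action, proto = toks[2], toks[3]
    src, i = _take_addr(toks, 4)
    sport, i = _take_port(toks, i)
    dst, i = _take_addr(toks, i)
    dport, i = _take_port(toks, i)
    return Ace(action, proto, src, sport, dst, dport)

def _addr_match(spec: tuple, addr: str) -> bool:
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return addr == spec[1]
    base, wild, a = (int(ip_address(x)) for x in (spec[1], spec[2], addr))
    care = ~wild & 0xFFFFFFFF        # wildcard 1-bits are "don't care"
    return (a & care) == (base & care)

def acl_permits(aces, pkt: Packet) -> bool:
    """First matching ACE wins; no match falls through to the implicit deny."""
    for ace in aces:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not _addr_match(ace.src, pkt.src):
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if not _addr_match(ace.dst, pkt.dst):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action == "permit"
    return False

# ip nat inside source static tcp 192.168.0.34 32100 interface Gi0/1 32100
STATIC_PAT = {("tcp", 32100): ("192.168.0.34", 32100)}

def outside_to_inside(acl_lines, pkt: Packet, global_ip: str) -> Tuple[str, Optional[Packet]]:
    """Return (verdict, packet as it reaches the inside) for one inbound packet."""
    aces = [parse_ace(line) for line in acl_lines]
    # Step 1: the inbound ACL sees the untranslated packet (dst = global IP).
    if not acl_permits(aces, pkt):
        return "dropped-by-acl", None
    # Step 2: outside->inside NAT runs only after the ACL has permitted it.
    target = STATIC_PAT.get((pkt.proto, pkt.dport))
    if pkt.dst != global_ip or target is None:
        return "no-translation", None
    return "delivered", Packet(pkt.proto, pkt.src, pkt.sport, target[0], target[1])

GLOBAL_IP = "203.0.113.10"   # assumed DHCP-learned address on Gi0/1
SYN = Packet("tcp", "198.51.100.7", 51234, GLOBAL_IP, 32100)   # constructed inbound SYN

VARIANTS = {
    # the ACEs tried in the thread, plus the working one
    "inside-host-src": ["access-list 101 permit tcp host 192.168.0.34 eq 32100 any log"],
    "inside-host-dst": ["access-list 101 permit tcp any host 192.168.0.34 eq 32100 log"],
    "src-port":        ["access-list 101 permit tcp any eq 32100 any log"],
    "working":         ["access-list 101 permit tcp any any eq 32100 log",
                        "access-list 101 deny tcp any any"],
    # tightening by source instead of by the (dynamic) destination
    "src-restricted":  ["access-list 101 permit tcp 198.51.100.0 0.0.0.255 any eq 32100 log"],
}

def evaluate_variants(pkt: Packet = SYN):
    return {name: outside_to_inside(lines, pkt, GLOBAL_IP)[0]
            for name, lines in VARIANTS.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_variants().items():
        print(f"{name:16s} {verdict}")
```

Only the two ACEs that match the packet as it actually arrives (source any or a public source range, destination any, destination port 32100) reach the PAT step; the inbound SYN never carries 192.168.0.34 as source or destination, and its source port is ephemeral, so the other three are dropped before NAT is consulted. The model also shows that the trailing `deny tcp any any` changes nothing, because an unmatched packet already hits the implicit deny.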
08-07-2022 09:06 AM
Hello
The access-list will not do any good, as you CANNOT open it to the world: it is a non-routable private address which isn't allowed to be advertised onto the public internet. The only way for external public networks to be able to reach that internal server would be via static port address translation (PAT).
08-07-2022 01:41 PM - last edited on 09-29-2022 10:08 AM by Translator
Hi...
I already have a PAT entry as follows:
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 permit 192.168.0.0 0.0.0.255
08-08-2022 12:51 AM - last edited on 09-29-2022 10:09 AM by Translator
Hello
So you already are using PAT; then that server is "hidden", plus it is only going to be accessible via that particular PAT translation.
What you may want to implement is something like CBAC..
Basic CBAC
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
access-list 101 permit tcp any any eq 32100
access-list 101 permit udp any any eq bootpc
access-list 101 deny ip any any
interface x/x
WAN
ip verify unicast source reachable-via rx access-list 100
ip access-group 101 in
ip inspect CBAC out
08-15-2022 02:35 PM
I apologize for what seems my lack of contact about this problem you all have been helping me with...however I just got released from a rather lengthy stay at the VA Hospital.
I plan to get back to this problem and let you know where I am at with it.
Thank You.
08-23-2022 12:56 PM - last edited on 09-29-2022 10:10 AM by Translator
So I am able to get back to this issue.
Paul, I set it up just like you wanted...the ports showed Filtered, but no access to my network.
So I tried these:
access-list 101 permit tcp any any eq xxxxxx log - All ports are WIDE OPEN, and I can access my network.
access-list 101 permit tcp any host xxx.xxx.x.xx eq xxxxxx log - All ports show as FILTERED, no access to my network.
access-list 101 permit tcp any eq xxxxxx any log - All ports show as FILTERED, no access to my network.
I have Attached my startup-config file
Thanks........
08-24-2022 12:59 AM
Hello David
CBAC will only return traffic through the router that was established internally. Your ACL 101 is quite large and, tbh, all the deny ACEs you show at the end of that ACL are not really required, as by default the ACL has an implicit deny all.
Also, the ACL is allowing a lot more traffic than you initially stated. You mention in your OP that certain traffic is to be allowed to a specific server ("so it would JUST answer to that server"), which I then assumed was based on a single PAT; now you show multiple static PAT statements.
Can you elaborate a little more on what traffic you wish to be allowed to initiate sessions externally? This should then provide a better understanding for all and obviously assist in a definitive solution for you.