06-02-2020 02:15 PM
I have an ISP wireless router which connects to my LAN. The gateway/DHCP server is connected directly to the ISP via Fa0/1. Gateway Fa0/0 is connected to another router, "local_router", and is a client of the DHCP server. Everything is up and running and working fine, but my extended access list won't work as intended.
GATEWAY-ROUTER#
GATEWAY-ROUTER#sh run
Building configuration...
Current configuration : 1259 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GATEWAY-ROUTER
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$XN.E$ioR/54rQq83qvcj244SJU0
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool NET-192-168-1
network 192.168.1.0 255.255.255.224
dns-server 8.8.8.8
default-router 192.168.1.1
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.252
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 10.0.0.0 0.0.0.3 area 0
network 192.168.2.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 permit 192.168.1.0 0.0.0.31
06-03-2020 01:47 AM
Hi there,
I would make the following changes:
!GATEWAY-ROUTER
!
no ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 0.0.0.0 0.0.0.0 dhcp
!
router ospf 1
default-information originate
!

!LOCAL-ROUTER
!
no ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
access-list 101 permit tcp 192.168.1.0 0.0.0.31 any eq www
access-list 101 permit tcp 192.168.1.0 0.0.0.31 any eq 443
access-list 101 permit tcp 192.168.1.0 0.0.0.31 any eq 53
access-list 101 permit udp 192.168.1.0 0.0.0.31 any eq 53
!
I think, crucially, with the ACL the modified version above permits the entire subnet specified in the DHCP scope. Plus, it also permits TCP/UDP traffic to the bare minimum of ports required for web browsing.
cheers,
Seb.
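To make the difference between the two ACLs concrete, here is an added example (mine, not the poster's configuration and not a Cisco tool): a small evaluator for IOS extended numbered ACLs that parses the access-list lines quoted in this thread and applies the IOS rules that matter here, first matching entry wins, a wildcard mask of 0.0.0.31 covers the whole 192.168.1.0/27 scope, and anything that matches no entry hits the implicit deny at the end. It runs constructed sample traffic through the original one-line ACL and through the suggested replacement; it also goes one step beyond the thread with an assumed ACL for what the original poster actually wanted (block a single workstation, let the rest browse). The web server address 203.0.113.10, the second workstation 192.168.1.20 and that third ACL are assumptions; 192.168.1.13, 8.8.8.8 and the two ACLs being compared come from the thread.

```python
"""Toy evaluator for Cisco IOS extended numbered ACLs (added example, not the
poster's config or a Cisco tool). Models: protocol match, source/destination
wildcard masks, optional destination port, first-match-wins, implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords IOS accepts after "eq"; only the ones relevant to the thread.
NAMED_PORTS = {"www": 80, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    dport: Optional[int]    # None means any destination port
    text: str


def _parse_addr(tokens, i):
    """Consume "any", "host A.B.C.D" or "A.B.C.D WILDCARD" starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard: 0 bits must match, 1 bits are don't-care, i.e. the inverse
    # of a netmask (only contiguous wildcards such as 0.0.0.31 are handled).
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def parse_ace(line):
    """Parse one 'access-list N permit|deny PROTO SRC DST [eq PORT]' line."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":   # only destination-port matching is modelled
        dport = NAMED_PORTS.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, dport, line)


def parse_acl(config_text, number):
    """Collect the entries of access-list <number> from show-run style text."""
    prefix = f"access-list {number} "
    return [parse_ace(l.strip()) for l in config_text.splitlines()
            if l.strip().startswith(prefix)]


def evaluate(acl, pkt):
    """Return (action, entry) for pkt: first matching entry wins, else implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if src not in ace.src_net or dst not in ace.dst_net:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, ace.text
    return "deny", "(implicit deny at end of ACL)"


# ACL from the Local-Router config in the thread: one host, port 80 only.
ORIGINAL_ACL = "access-list 101 permit tcp host 192.168.1.13 any eq www\n"

# Replacement from the accepted answer: the whole /27, web plus DNS.
SUGGESTED_ACL = """
access-list 101 permit tcp 192.168.1.0 0.0.0.31 any eq www
access-list 101 permit tcp 192.168.1.0 0.0.0.31 any eq 443
access-list 101 permit tcp 192.168.1.0 0.0.0.31 any eq 53
access-list 101 permit udp 192.168.1.0 0.0.0.31 any eq 53
"""

# Assumed ACL (not from the thread) for the poster's stated goal: block one
# workstation, let the rest through. The deny must come before the permit.
ONE_HOST_BLOCKED_ACL = """
access-list 101 deny ip host 192.168.1.13 any
access-list 101 permit ip 192.168.1.0 0.0.0.31 any
"""

# Constructed sample traffic from two workstations in the DHCP scope opening a
# web page (8.8.8.8 is the pool's DNS server; 203.0.113.10 is a placeholder).
TRAFFIC = {
    "ws13-dns": Packet("udp", "192.168.1.13", "8.8.8.8", 53),
    "ws13-http": Packet("tcp", "192.168.1.13", "203.0.113.10", 80),
    "ws13-https": Packet("tcp", "192.168.1.13", "203.0.113.10", 443),
    "ws13-ping": Packet("icmp", "192.168.1.13", "203.0.113.10"),
    "ws20-dns": Packet("udp", "192.168.1.20", "8.8.8.8", 53),
    "ws20-http": Packet("tcp", "192.168.1.20", "203.0.113.10", 80),
}


def verdicts(acl_text, number=101):
    """Map each sample flow name to its permit/deny verdict under acl_text."""
    acl = parse_acl(acl_text, number)
    return {name: evaluate(acl, pkt)[0] for name, pkt in TRAFFIC.items()}


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_ACL), ("suggested", SUGGESTED_ACL),
                        ("one-host-blocked", ONE_HOST_BLOCKED_ACL)):
        print(f"--- {label} ACL 101 ---")
        for name, pkt in TRAFFIC.items():
            action, entry = evaluate(parse_acl(text, 101), pkt)
            print(f"{name:11s} {action:6s} {entry}")
```

Running it shows why the original ACL looked like it "blocked everything": with only `permit tcp host 192.168.1.13 any eq www` present, the implicit deny swallows the DNS lookup that precedes every page load, every HTTPS connection, and all traffic from the other five workstations. The suggested ACL opens 80, 443 and 53 for the whole scope; anything else arriving inbound on Fa0/1, ICMP in the sample, still falls to the implicit deny, which is the check worth repeating for any other protocol the LAN needs before applying an inbound ACL.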
06-02-2020 02:17 PM
Below is the Local_router config file
Local-Router#
Local-Router#
Local-Router#sh run
Building configuration...
Current configuration : 1038 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Local-Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
!
!
!
!
ip cef
multilink bundle-name authenticated
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.0.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.224
ip access-group 101 in
ip helper-address 10.0.0.1
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 10.0.0.0 0.0.0.3 area 0
network 192.168.1.0 0.0.0.31 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
!
no ip http server
!
access-list 101 permit tcp host 192.168.1.13 any eq www
!
!
control-plane
!
banner motd ^C Inside Router configuration ^C
!
line con 0
password cisco
login
line aux 0
line vty 0 4
password cisco
login
transport input telnet
!
scheduler allocate 20000 1000
end
06-03-2020 09:22 AM
You are correct, I was only blocking port 80. Thank you for your help.
06-03-2020 02:28 AM - edited 06-03-2020 02:35 AM
Hello
If it's a static port address translation that you are trying to achieve so external hosts can reach that internal host on port 80 via your public IP address, then this needs to be applied on the Gateway router, not the Local router, accompanied with a PAT statement?
Please see attached file.
06-03-2020 09:21 AM
Thank you for your assistance. I am using PAT and not static NAT. I have a network with 6 workstations and was trying to restrict/block only 1 from accessing the internet. It's sorted out now; I was not blocking all the ports, that's why. Thank you.