Allow port from outside to inside on Router 2911?

rechard_david
Level 1

Dear All,

Could you let me know the configuration to allow ports from outside to inside (80, 21, https...)? I want to allow traffic from outside to inside only on 80, https and 21.

Please help me with the commands for this.

Best Regards,

Rechard

10 Replies

John Blakley
VIP Alumni

I'm assuming that you want to do this for internet traffic coming into your router. You'll need to enable NAT. You could try the following config:

int
 ip nat outside
int
 ip nat inside
 ip address 192.168.12.1 255.255.255.0
ip access-list ext Inside
 permit ip 192.168.12.0 0.0.0.255 any
ip nat inside source list Inside interface overload
ip nat inside source static tcp 192.168.12.50 80 interface 80 extended
ip nat inside source static tcp 192.168.12.51 21 interface 21 extended

If you have real addresses that your ISP has assigned, you'd plug those in the "wan interface" section in the nat statement:

ip nat inside source static tcp 192.168.12.50 80 205.40.32.50 80 extend
ip nat inside source static tcp 192.168.12.50 21 205.40.32.51 21 extend

HTH,

John


Dear John,

Thank you for the advice!

How can I block the other ports from outside to inside? Should I follow the commands below:

interface g0/0
 ip access-group outside_inside in
 ip nat outside
ip access-list extended outside_inside
 permit tcp any eq www host 203.189.0.90
 permit tcp any eq 8080 host 203.189.0.90
 permit tcp any eq 21 host 203.189.0.90
 deny ip any any
ip nat inside source list Inside interface overload
ip nat inside source static tcp 192.168.12.50 80 interface 80 extended
ip nat inside source static tcp 192.168.12.51 21 interface 21 extended
ip nat inside source static tcp 192.168.12.50 80 205.40.32.50 80 extend
ip nat inside source static tcp 192.168.12.50 21 205.40.32.51 21 extend

Please help me edit my config if I'm wrong.

Best Regards,

Rechard

Yes, you'd need an ACL applied to the outside interface in order to block the other ports that you don't want to allow in. The ACL should look like:

ip access-list ext outside_inside
 permit tcp any host 203.189.0.90 eq www
 permit tcp any host 203.189.0.90 eq 8080
 permit tcp any host 203.189.0.90 eq ftp
 deny ip any any

Assuming that your public address is 203.189.0.90...

HTH,

John

**** Please rate all useful posts ****


Dear John,

Now I have one problem: when I apply the access list below, none of my clients can access the internet (inside to outside).

ip access-list ext outside_inside
 permit tcp any host 203.189.0.90 eq www
 permit tcp any host 203.189.0.90 eq 8080
 permit tcp any host 203.189.0.90 eq ftp
 deny ip any any
interface g0/0
 ip access-group outside_inside in
 ip nat outside

With the commands above none of my clients can access the internet, but if I permit ip any any they work fine.

I don't want to use any any; I want to allow outside to inside only for www, https and ftp, and from inside to outside to allow access to everything.

Please help me solve this issue.

Best Regards,

Rechard

Hi,

Your ACL is blocking the replies from the internet with your deny ip any any.

You need to modify your ACL to permit DNS replies and TCP replies if you want browsing to work:

ip access-list extended outside_inside
 40 permit udp host x.x.x.x any
 50 permit udp host x.x.x.x any

These are for your primary/secondary external DNS servers.

 60 permit tcp any any established

This is for the TCP 3-way handshake and the following segments belonging to flows initiated from inside hosts.

Regards.

Alain

Don't forget to rate helpful posts.


Dear Alain,

If I set permit tcp any any established it is working (clients can access the internet), but if I permit tcp any any that is not my point for blocking; I would like to block everything and allow only www, https and ftp.

Please help to advise on this.

Best Regards,

Rechard

Hi,

If you still want your inside users to get out to the internet, then you need the established keyword to permit return traffic.

All communications initiated from outside, except for http/https and ftp, will get dropped by the implicit deny at the end of the ACL.

Regards.

Alain

Don't forget to rate helpful posts.

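As an added illustration of Alain's two replies (this is not code from the thread or from Cisco), the following small Python model evaluates inbound packets against the outside_inside ACL the way IOS does: first match wins, implicit deny at the end, and `established` matching only TCP segments carrying ACK or RST. It uses the public address 203.189.0.90 from the thread; the resolver and visitor addresses are constructed sample values standing in for Alain's x.x.x.x.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.189.0.90"     # public address from the thread
DNS_SERVER = "198.51.100.53"   # constructed stand-in for the x.x.x.x resolver

@dataclass
class Packet:
    proto: str                 # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}

@dataclass
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "udp" or "ip"
    src: str = "any"           # "any" or a host address
    dst: str = "any"
    dport: int = 0             # destination port, 0 = not specified
    established: bool = False  # the IOS `established` keyword

def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.src != "any" and e.src != p.src:
        return False
    if e.dst != "any" and e.dst != p.dst:
        return False
    if e.dport and e.dport != p.dport:
        return False
    # `established` matches only TCP segments with ACK or RST set, i.e. replies to
    # a connection an inside host opened; an unsolicited SYN never matches it.
    if e.established and not (p.proto == "tcp" and p.flags & {"ACK", "RST"}):
        return False
    return True

def evaluate(acl: list, p: Packet) -> str:
    # First matching entry wins; IOS ends every ACL with an implicit deny.
    return next((e.action for e in acl if matches(e, p)), "deny")

# Rechard's first inbound ACL: only the three published services.
ORIGINAL = [Entry("permit", "tcp", dst=PUBLIC_IP, dport=p) for p in (80, 8080, 21)]
# Alain's fix: same entries plus DNS replies from the resolver and TCP return traffic.
FIXED = ORIGINAL + [Entry("permit", "udp", src=DNS_SERVER),
                    Entry("permit", "tcp", established=True)]
# Constructed inbound packets: a visitor opening the web server, an unsolicited RDP
# SYN, the SYN/ACK answering an inside client's outbound RDP session, a DNS answer.
WEB_SYN = Packet("tcp", "192.0.2.10", 51000, PUBLIC_IP, 80, frozenset({"SYN"}))
RDP_SYN = Packet("tcp", "192.0.2.10", 51001, PUBLIC_IP, 3389, frozenset({"SYN"}))
REPLY = Packet("tcp", "203.0.113.80", 3389, PUBLIC_IP, 52000, frozenset({"SYN", "ACK"}))
DNS_ANS = Packet("udp", DNS_SERVER, 53, PUBLIC_IP, 40000)
```

Note that `established` is stateless: it trusts the ACK/RST flag rather than tracking connections, so it is weaker than a stateful inspection feature, but it is what makes the inside clients' return traffic (including Rechard's outbound RDP) pass while unsolicited inbound SYNs to unpublished ports still hit the implicit deny.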

Dear Alain and ALL,

Now I still have a problem with the ACL on this. Please see the commands I configured for testing below:

interface GigabitEthernet0/0
 description Link to Internet
 ip address 192.168.7.61 255.255.255.0
 ip access-group outside_inside in
!
interface GigabitEthernet0/1
 description Link to LAN
 ip address 10.10.10.1 255.255.255.0
ip nat pool nat_pool 192.168.7.61 192.168.7.61 netmask 255.255.255.0
ip nat inside source static tcp 10.10.10.2 80 interface GigabitEthernet0/0 80
ip nat inside source list nat pool nat_pool overload
ip route 0.0.0.0 0.0.0.0 192.168.7.1
ip access-list extended nat
 permit ip any any
!
ip access-list extended outside_inside
 permit icmp any any
 permit tcp any eq www host 192.168.7.61    #######for inside access outside######
 permit udp any eq domain host 192.168.7.61
 permit tcp any any eq www         ###### for outside access inside####

Router#
Extended IP access list outside_inside
    10 permit icmp any any
    40 permit tcp any eq www host 192.168.7.61 (181 matches)
    50 permit udp any eq domain host 192.168.7.61 (21 matches)
    60 permit tcp any any eq 3389 (5 matches)

-------

All the commands above are working from outside to inside and from inside to outside, but my issue is that all my inside clients can access the internet, yet if they want to remote desktop to the outside it does not work, because the commands above do not allow other services (we allow only www).

My questions are:

1- How can I allow all services from inside to outside (like permit ip any any)?

2- How can I allow only some services from outside to inside (only www, HTTPS, ...)? I want to allow www and HTTPS from outside and deny the other services.

Best Regards,

Rechard

Dear All Expert,

Do you have any update on this?

I need support from all of you.

Best Regards,

Rechard

You have been given the correct reply above already.

You do not even need an ACL to block anything, because you are using NAT.
