09-06-2012 07:12 PM - edited 03-04-2019 05:30 PM
Dear All,
Could you let me know the configuration to allow ports from outside to inside (80, 21, HTTPS, ...)? I want to allow traffic from outside to inside only on 80, HTTPS and 21.
Please help me with the commands for this.
Best Regards,
Rechard
09-06-2012 07:51 PM
I'm assuming that you want to do this for internet traffic coming into your router. You'll need to enable NAT. You could try the following config:
int
ip nat outside
int
ip nat inside
ip address 192.168.12.1 255.255.255.0
ip access-list ext Inside
permit ip 192.168.12.0 0.0.0.255 any
ip nat inside source list Inside interface
ip nat inside source static tcp 192.168.12.50 80 interface
ip nat inside source static tcp 192.168.12.51 21 interface
If you have real addresses that your ISP has assigned, you'd plug those in the "wan interface" section in the nat statement:
ip nat inside source static tcp 192.168.12.50 80 205.40.32.50 80 extend
ip nat inside source static tcp 192.168.12.50 21 205.40.32.51 21 extend
HTH,
John
09-06-2012 08:10 PM
Dear John,
Thank you for the advice!
How can I block the other ports from outside to inside? Should I follow the commands below:
interface g0/0
ip access-group outside_inside in
ip nat outside
ip access-list extended outside_inside
permit tcp any eq www host 203.189.0.90
permit tcp any eq 8080 host 203.189.0.90
permit tcp any eq 21 host 203.189.0.90
deny ip any any
ip nat inside source list Inside interface
ip nat inside source static tcp 192.168.12.50 80 interface
ip nat inside source static tcp 192.168.12.51 21 interface
ip nat inside source static tcp 192.168.12.50 80 205.40.32.50 80 extend
ip nat inside source static tcp 192.168.12.50 21 205.40.32.51 21 extend
Please help to edit my config if I'm wrong.
Best Regards,
Rechard
09-07-2012 03:46 AM
Yes, you'd need an ACL applied to the outside interface in order to block the other ports that you don't want to allow in. The ACL should look like:
ip access-list ext outside_inside
permit tcp any host 203.189.0.90 eq www
permit tcp any host 203.189.0.90 eq 8080
permit tcp any host 203.189.0.90 eq ftp
deny ip any any
Assuming that your public address is 203.189.0.90...
HTH,
John
**** Please rate all useful posts ****
09-09-2012 06:57 PM
Dear John,
Now I have one problem: when I apply the access list below, all my clients cannot access the internet (inside to outside).
ip access-list ext outside_inside
permit tcp any host 203.189.0.90 eq www
permit tcp any host 203.189.0.90 eq 8080
permit tcp any host 203.189.0.90 eq ftp
deny ip any any
interface g0/0
ip access-group outside_inside in
ip nat outside
With the commands above, all my clients cannot access the internet, but if I permit ip any any they can use it fine.
So I don't want to use any any; I want to allow outside to inside only www, https and ftp, and from inside to outside access to everything.
Please help me solve this issue.
Best Regards,
Rechard
09-10-2012 12:07 AM
Hi,
Your ACL is blocking the replies from the internet with your deny ip any any.
You need to modify your ACL to permit DNS replies and TCP replies if you want browsing to work:
ip access-list extended outside_inside
40 permit udp host x.x.x.x any
50 permit udp host x.x.x.x any
These are for your primary/secondary external DNS servers.
60 permit tcp any any established
This is for the TCP 3-way handshake and the following segments belonging to flows initiated from inside hosts.
Regards.
Alain
Don't forget to rate helpful posts.
09-10-2012 03:34 AM
Dear Alain,
If I set permit tcp any any established it is working (can access the internet), but if I permit tcp any any that is not what I want for blocking; I would like to block and allow only www, https and ftp.
Please help to advise on this.
Best Regards,
Rechard
09-10-2012 04:09 AM
Hi,
If you still want your inside users to get out to the internet, then you need the established keyword to permit return traffic.
All communications initiated from outside except for http/https and ftp will get dropped by the implicit deny at the end of the ACL.
Regards.
Alain
Don't forget to rate helpful posts.
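An added illustration of Alain's two replies above, not code from the thread: a small first-match model of the inbound ACL in Python, run over constructed packets, showing that Rechard's deny ip any any also drops replies to sessions opened from inside, while the established line admits those replies without permitting new connections from outside. The DNS server address is an assumed placeholder for Alain's x.x.x.x.

```python
from collections import namedtuple

PUBLIC = "203.189.0.90"  # router's public address from the thread
DNS = "192.0.2.53"       # constructed placeholder for Alain's x.x.x.x DNS server
# Inbound ACLs are evaluated before NAT, so dst is still the public address.
Packet = namedtuple("Packet", "proto src dst dport ack", defaults=(0, False))

def matches(entry, p):
    """One extended-ACL line: (action, proto, src, dst, dport, established)."""
    _, proto, src, dst, dport, established = entry
    if proto not in ("ip", p.proto):
        return False
    if src not in ("any", p.src) or dst not in ("any", p.dst):
        return False
    if dport is not None and dport != p.dport:
        return False
    # 'established' matches only TCP with ACK or RST set, i.e. never a fresh SYN from outside.
    if established and not (p.proto == "tcp" and p.ack):
        return False
    return True

def evaluate(acl, p):
    """First match wins; every IOS ACL ends with an implicit deny."""
    for entry in acl:
        if matches(entry, p):
            return entry[0]
    return "deny"

# Rechard's ACL: new connections to the published services, then deny all.
RECHARD = [
    ("permit", "tcp", "any", PUBLIC, 80, False),
    ("permit", "tcp", "any", PUBLIC, 443, False),
    ("permit", "tcp", "any", PUBLIC, 21, False),
    ("deny", "ip", "any", "any", None, False),
]
# Alain's fix: the same services, plus DNS replies and TCP return traffic.
ALAIN = RECHARD[:3] + [
    ("permit", "udp", DNS, "any", None, False),
    ("permit", "tcp", "any", "any", None, True),
]
# Constructed inbound packets on the outside interface.
WEB_SYN = Packet("tcp", "198.51.100.7", PUBLIC, 80)                 # new session to the web server
RDP_SYN = Packet("tcp", "198.51.100.7", PUBLIC, 3389)               # probe of an unpublished port
WEB_REPLY = Packet("tcp", "198.51.100.9", PUBLIC, 51000, ack=True)  # SYN/ACK to an inside browser
DNS_REPLY = Packet("udp", DNS, PUBLIC, 51001)                       # answer to an inside DNS query

def compare(p):
    """(Rechard's verdict, Alain's verdict) for one inbound packet."""
    return evaluate(RECHARD, p), evaluate(ALAIN, p)
```

Running compare on the four packets shows the web server stays reachable and the RDP probe stays blocked under both ACLs, while the web and DNS replies pass only with Alain's entries.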
09-12-2012 09:25 PM
Dear Alain and ALL,
I still have a problem with the ACL on this; please see the commands that I configured for testing below:
interface GigabitEthernet0/0
description Link to Internet
ip address 192.168.7.61 255.255.255.0
ip access-group outside_inside in
!
interface GigabitEthernet0/1
description Link to LAN
ip address 10.10.10.1 255.255.255.0
ip nat pool nat_pool 192.168.7.61 192.168.7.61 netmask 255.255.255.0
ip nat inside source static tcp 10.10.10.2 80 interface GigabitEthernet0/0 80
ip nat inside source list nat pool nat_pool overload
ip route 0.0.0.0 0.0.0.0 192.168.7.1
ip access-list extended nat
permit ip any any
!
ip access-list extended outside_inside
permit icmp any any
permit tcp any eq www host 192.168.7.61 #######for inside access outside######
permit udp any eq domain host 192.168.7.61
permit tcp any any eq www ###### for outside access inside####
Router#
Extended IP access list outside_inside
10 permit icmp any any
40 permit tcp any eq www host 192.168.7.61 (181 matches)
50 permit udp any eq domain host 192.168.7.61 (21 matches)
60 permit tcp any any eq 3389 (5 matches)
-------
All the commands above are working from outside to inside and inside to outside, but my issue is that all my inside clients can access the internet, yet if they want to remote desktop to outside it does not work, because the commands above do not allow other services (we allow only www).
My questions are:
1- How can I allow all services from inside to outside (like permit ip any any)?
2- How can I allow only some services from outside to inside (only www, HTTPS, ...)? I want to allow www, HTTPS and other services from outside and deny the rest.
Best Regards,
Rechard
09-18-2012 02:00 AM
Dear All Expert,
Do you have any update on this?
I need support from all of you.
Best Regards,
Rechard
09-18-2012 02:03 AM
You have been given the correct reply above already.
You do not even need an ACL to block anything, because you are using NAT.