Solved: Re: C1161X-8P basic setup without NAT - Cisco Community

842

Views

5

Helpful

6

Replies

Hi, I'm stuck and would appreciate some help.

My config is attached. Currently the acls are

ip access-list extended InsideToOutside_acl
10 permit ip any any
ip access-list extended OutsideToInside_acl
10 permit ip any any

if I change OutsideToInside_acl to be

10 permit tcp any any eq 3389

I find that RDP can be used to connect from the Internet to LAN computers but LAN traffic to the Internet (or more likely the return traffic) stops.

How can I fix this?

7 KB

1 Accepted Solution

Accepted Solutions

Hello

Try the following:

no policy-map type inspect avc Web_app_policy
no class-map type inspect match-all InsideToOutside

interface GigabitEthernet0/0/0
no ip access-group OutsideToInside_acl in

interface GigabitEthernet0/0/1
no ip access-group OutsideToInside_acl in

interface GigabitEthernet0/1/0
no ip access-group InsideToOutside_acl in

access-list 110 remark RDP
access-list 110 permit tcp any any eq 3389
access-list 110 permit udp any any eq 3389

class-map type inspect match-any InsideToOutside < you may have to remove the old class map before adding this
match protocol icmp
match protocol dns
match protocol http
match protocol https
match access-group 110

class-map type inspect match-any OutsideToInside
no match access-group name OutsideToInside_acl
match access-group 110

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

6 Replies 6

ip access-list extended InsideToOutside_acl
10 permit ip any any
ip access-list extended OutsideToInside_acl
10 permit ip any any

when you have this config all works ? ( then above still allow 3389 port part of any any right ?) are you able to connect 3389 ?

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello

Try the following:

no policy-map type inspect avc Web_app_policy
no class-map type inspect match-all InsideToOutside

interface GigabitEthernet0/0/0
no ip access-group OutsideToInside_acl in

interface GigabitEthernet0/0/1
no ip access-group OutsideToInside_acl in

interface GigabitEthernet0/1/0
no ip access-group InsideToOutside_acl in

access-list 110 remark RDP
access-list 110 permit tcp any any eq 3389
access-list 110 permit udp any any eq 3389

class-map type inspect match-any InsideToOutside < you may have to remove the old class map before adding this
match protocol icmp
match protocol dns
match protocol http
match protocol https
match access-group 110

class-map type inspect match-any OutsideToInside
no match access-group name OutsideToInside_acl
match access-group 110

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi @paul driver

thank you, this is exactly what I needed to get back on track. I think I was mixing two forms of packet access management.

One minor modification is needed. I would like to limit traffic coming in to 3389, but I don't want to limit traffic going out.

I understand that this command is limiting what packets can go out?

class-map type inspect match-any InsideToOutside
description InsideToOutside
match protocol icmp
match protocol dns
match protocol http
match protocol https
match access-group 110

How do I permit all traffic to go out from the user machines?

Regards

Mark

Hello,

I have not read through all the other posts, but zone based firewalls and access lists applied to zone member interfaces don't work well together.

Make the changes marked in bold, this allows all traffic outbound, and only RDP 3389 inbound. That said, you do not have any NAT configured, is that on purpose ?

Current configuration : 23172 bytes
!
! Last configuration change at 17:36:35 UTC Thu Jul 1 2021 by admin
!
version 16.12
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname netlab
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login a-eap-authen-local local
aaa authorization exec default local
aaa authorization network a-eap-author-grp local
!
aaa login success-track-conf-time 1
!
aaa session-id common
clock timezone UTC 10 0
clock summer-time UTC recurring 1 Sun Oct 1:00 1 Sun Apr 1:00
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
no ip domain lookup
ip domain name sece.company.com
ip dhcp excluded-address xxx.xxx.68.0 xxx.xxx.68.29
ip dhcp excluded-address xxx.xxx.68.50 xxx.xxx.68.255
!
ip dhcp pool VLAN68Pool
network xxx.xxx.68.0 255.255.255.0
default-router xxx.xxx.68.254
dns-server xxx.xxx.68.254 8.8.8.8
lease 7
!
login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint quovadis.root
enrollment terminal pem
revocation-check none
!
crypto pki trustpoint quovadis.inter
enrollment terminal pem
serial-number none
fqdn netlab.sece.rmit.edu.au
ip-address none
subject-name C=xxxx
subject-alt-name netlab.company.com
chain-validation continue quovadis.inter2
revocation-check none
rsakeypair netlab.company.com 2048
!
crypto pki trustpoint quovadis.inter2
enrollment terminal pem
chain-validation continue quovadis.root
revocation-check none
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
quit
crypto pki certificate chain quovadis.root
certificate ca 445734245B81899B35F2CEB82B3B5BA726F07528
30820560 30820348 A0030201 02021444 5734245B 81899B35 F2CEB82B 3B5BA726
quit
crypto pki certificate chain quovadis.inter
certificate 234A05CD947BCE0C6C755EE05B1447CEA6DD3E68
3082071C 30820504 A0030201 02021423 4A05CD94 7BCE0C6C 755EE05B 1447CEA6
quit
certificate ca 2D2C802018B7907C4D2D79DF7FB1BD872727CC93
308206AB 30820493 A0030201 0202142D 2C802018 B7907C4D 2D79DF7F B1BD8727
quit
crypto pki certificate chain quovadis.inter2
certificate ca 2D2C802018B7907C4D2D79DF7FB1BD872727CC93
308206AB 30820493 A0030201 0202142D 2C802018 B7907C4D 2D79DF7F B1BD8727

quit
!
crypto pki certificate pool
cabundle nvram:ios_core.p7b
!
license feature hseck9
license udi pid C1161X-8P sn F
license boot level securityk9
memory free low-watermark processor 70177
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 password 0 xx
username Wb35lMa26ZzB password 0 xx
!
redundancy
mode none
!
crypto ikev2 proposal netlab.company
encryption aes-cbc-256
integrity sha256
group 14
!
vlan internal allocation policy ascending
!
track 1 ip sla 1 reachability
!
class-map type inspect match-all InsideToOutside
description InsideToOutside
match access-group name InsideToOutside_acl
class-map type inspect match-all OutsideToInside
description OutsideToInside
match access-group name OutsideToInside_acl
!
policy-map type inspect avc Web_app_policy
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect InsideToOutside
inspect
class class-default
drop log
policy-map type inspect OUTSIDE-INSIDE-POLICY
class type inspect OutsideToInside
--> pass
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-INSIDE-POLICY
!
interface GigabitEthernet0/0/0
description WAN GE 0/0/0
ip address xxx.xxx.253.10 255.255.255.240
--> no ip access-group OutsideToInside_acl in
zone-member security OUTSIDE
negotiation auto
!
interface GigabitEthernet0/0/1
description WAN GE 0/0/1
no ip address
--> no ip access-group OutsideToInside_acl in
zone-member security OUTSIDE
negotiation auto
!
interface GigabitEthernet0/1/0
description VLAN68Port0
switchport mode access
--> no ip access-group InsideToOutside_acl in
zone-member security INSIDE
!
interface GigabitEthernet0/1/1
zone-member security INSIDE
!
interface GigabitEthernet0/1/2
zone-member security INSIDE
!
interface GigabitEthernet0/1/3
zone-member security INSIDE
!
interface GigabitEthernet0/1/4
zone-member security INSIDE
!
interface GigabitEthernet0/1/5
zone-member security INSIDE
!
interface GigabitEthernet0/1/6
zone-member security INSIDE
!
interface GigabitEthernet0/1/7
zone-member security INSIDE
!
interface Vlan1
description VLAN68
ip address xxx.xxx.68.254 255.255.255.0
--> no ip access-group InsideToOutside_acl in
zone-member security INSIDE
!
interface Vlan2
no ip address
zone-member security INSIDE
!
ip forward-protocol nd
ip http server
ip http authentication aaa
ip http secure-server
ip http timeout-policy idle 600 life 600 requests 25
ip route 0.0.0.0 0.0.0.0 xxx.xxx.253.13
!
ip access-list extended InsideToOutside_acl
10 permit ip any any
ip access-list extended OutsideToInside_acl
--> permit tcp any any eq 3389
!
control-plane
!
line con 0
stopbits 1
line vty 0 4
exec-timeout 60 0
length 0
!
end

Hi @Georg Pauwen

thank you for your response. I followed your guide and I can no longer connect from outside to inside using RDP. I have carefully checked my edits.

I do not use NAT, because I have a public class C behind the device that I use. This is a historic implementation.

I would appreciate asking a couple of clarifying points to try to fix the problem.

1. the line --> pass

I'm assuming that I simply enter pass and hit return

2. the line permit tcp any any eq 3389

should that have a number in front?

e.g. the other statement has

10 permit ip any any

thank you

Regards,

Mark Gregory

Hello,

Indeed, pass is just one line.

For the access list you don,'t need a sequence number, since it only has one line anyway...

Review Cisco Networking products for a $25 gift card