Beginner

Configure Cisco 1921 to Allow DNS and Teamviewer ONLY

Hello All,

 

First off, I'd like to mention that this has been my 1st time touching Cisco configs in the better part of a decade. Needless to say, I'm rather rusty. Basically what I'm attempting to do is allow access to TeamViewer only for the time being. As I've been reading for the past few days, I've found out that you have to allow a few ports and DNS to allow TeamViewer access. I have an extended access list created in "WHAT I THINK" is the correct fashion. I have my config below, please someone save me from this maze!

 

Thank you in advance.

 

 

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname manor-router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ********
enable password ********
!
no aaa new-model
memory-size iomem 25
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 ********
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_WAN Interface
ip address dhcp hostname manor-router
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 172.16.10.5 255.255.0.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
ip access-list extended TeamViewer
permit tcp any eq 5938 any eq 5938
permit udp any eq domain any eq domain
permit udp any eq netbios-ns any eq netbios-ns
permit udp any eq 5938 any eq 5938
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password *****
login
transport input none
!
scheduler allocate 20000 1000
!
end

1 ACCEPTED SOLUTION

Accepted Solutions
Beginner

Re: Configure Cisco 1921 to Allow DNS and Teamviewer ONLY SOLVED!!!!!!!!!!!!

Thank you all for the help. I couldn't have done it without you. All 3 of you contributed useful information that ended with a working finished product. Below is the working config based upon the work we've done in this thread combined with about 200 more random articles found on various forums. This config allows for DNS resolution through the firewall and Teamviewer access ONLY. Ping, HTTP Traffic, etc, are all denied. I am leaving this here in the hopes that it helps someone, in this same predicament, in the future. Thank you again!

 

 

 

Current configuration : 1853 bytes
!
! Last configuration change at 18:24:30 UTC Thu Oct 26 2017
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname manor-router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 *********
enable password *********
!
no aaa new-model
memory-size iomem 25
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip name-server 8.8.8.8
ip inspect name STAN udp
ip inspect name STAN tcp
ip inspect name STAN icmp
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn ************
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_WAN Interface
ip address dhcp hostname manor-router
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 172.16.10.5 255.255.0.0
ip access-group DNS in
ip nat inside
ip inspect STAN in
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended DNS
permit udp any any eq domain
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any any eq netbios-ns
permit udp any any eq 5938
permit tcp any any eq 5938
!
!
!
access-list 1 permit 172.16.10.0 0.0.0.255
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password *********
login
transport input none
!
scheduler allocate 20000 1000
!
end
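Why the first post's list blocked the clients while the accepted list works, as an added example (not code from any poster in this thread): a small Python model of IOS first-match ACL evaluation with the implicit deny at the end. The ACL lines are copied from the thread; the packets are constructed, their ephemeral source ports are made up, and the parser only handles the `any [eq port] any [eq port]` form used here.

```python
import re

# IOS port keywords that appear in this thread's ACLs.
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "netbios-ns": 137}

ACE_RE = re.compile(
    r"(permit|deny)\s+(\w+)\s+any(?:\s+eq\s+(\S+))?\s+any(?:\s+eq\s+(\S+))?")

def parse_ace(line):
    """Parse '<action> <proto> any [eq P] any [eq P]', the only ACE form used here."""
    m = ACE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto, sport, dport = m.groups()
    to_port = lambda tok: None if tok is None else PORT_NAMES.get(tok) or int(tok)
    return action, proto, to_port(sport), to_port(dport)

def evaluate(acl, proto, sport=None, dport=None):
    """First matching line wins; no match falls through to the implicit deny."""
    for line in acl:
        action, ace_proto, ace_sport, ace_dport = parse_ace(line)
        if ace_proto not in (proto, "ip"):
            continue
        if ace_sport is not None and ace_sport != sport:
            continue  # "eq" on the source side pins the client's source port
        if ace_dport is not None and ace_dport != dport:
            continue
        return action, line
    return "deny", "(implicit deny)"

# ACL text copied from the thread.
FIRST_POST_ACL = [
    "permit tcp any eq 5938 any eq 5938",
    "permit udp any eq domain any eq domain",
    "permit udp any eq netbios-ns any eq netbios-ns",
    "permit udp any eq 5938 any eq 5938",
]
MID_THREAD_ACL = [  # two-line list tried later: TCP only, port written as 5389
    "permit tcp any any eq 5389",
    "permit tcp any any eq domain",
]
ACCEPTED_ACL = [  # list "DNS" from the accepted solution
    "permit udp any any eq domain",
    "permit udp any any eq bootpc",
    "permit udp any any eq bootps",
    "permit udp any any eq netbios-ns",
    "permit udp any any eq 5938",
    "permit tcp any any eq 5938",
]

# Constructed packets as they arrive inbound on the LAN interface.
# 51514, 49822 and 49823 are made-up ephemeral client source ports.
PACKETS = {
    "dns_query":  ("udp", 51514, 53),
    "tv_tcp":     ("tcp", 49822, 5938),
    "netbios_ns": ("udp", 137, 137),
    "http":       ("tcp", 49823, 80),
    "ping":       ("icmp", None, None),
}

def verdicts(acl):
    """Map each sample packet name to the action the ACL takes on it."""
    return {name: evaluate(acl, *pkt)[0] for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, acl in (("first post", FIRST_POST_ACL),
                       ("mid-thread", MID_THREAD_ACL),
                       ("accepted", ACCEPTED_ACL)):
        print(f"{label:11s}", verdicts(acl))
```

In the first-post list only the NetBIOS packet, which uses port 137 on both sides, gets through; that is consistent with `netbios-ns` being the only TeamViewer-list line showing matches in the `show access-lists` output posted later in the thread.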

21 REPLIES 21
VIP Mentor

Re: Configure Cisco 1921 to Allow DNS and Teamviewer ONLY

Hello,

 

the access list looks good, you just have not applied it yet. I have also added access list 1 for NAT to work. Additions are in bold:

 

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname manor-router
!
boot-start-marker
boot-end-marker
!
enable secret 5 ********
enable password ********
!
no aaa new-model
memory-size iomem 25
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
license udi pid CISCO1921/K9 ********
!
redundancy
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_WAN Interface
ip address dhcp hostname manor-router
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 172.16.10.5 255.255.0.0
ip nat inside
ip access-group TeamViewer in
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
access-list 1 permit 172.16.10.0 0.0.0.255
!
ip access-list extended TeamViewer
permit tcp any eq 5938 any eq 5938
permit udp any eq domain any eq domain
permit udp any eq netbios-ns any eq netbios-ns
permit udp any eq 5938 any eq 5938
!
control-plane
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password *****
login
transport input none
!
scheduler allocate 20000 1000
!
end

Beginner

Re: Configure Cisco 1921 to Allow DNS and Teamviewer ONLY

Thanks for the quick reply. I THINK I entered the info you suggested into the correct spots. However, TeamViewer will not connect and I am no longer able to ping the Cisco 1921 at 172.16.10.5. Ideally I'd like to be able to ping the gateway and other devices on the LAN while on the LAN. I am assuming I have to add some more rules to do so. I'd also like to be able to ping and access 8.8.8.8 for DNS. We won't be running a local DNS server here in the form of a Windows or Linux server, we were just going to point to Google's 8.8.8.8. Would you recommend this setup? Or, would you enable DNS on the 1921? See the config file below.

 

 

Thanks again,

 

 

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname manor-router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 *********
enable password *********
!
no aaa new-model
memory-size iomem 25
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn *********
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_WAN Interface
ip address dhcp hostname manor-router
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 172.16.10.5 255.255.0.0
ip access-group TeamViewer in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
ip access-list extended TeamViewer
permit tcp any eq 5938 any eq 5938
permit udp any eq domain any eq domain
permit udp any eq netbios-ns any eq netbios-ns
permit udp any eq 5938 any eq 5938
!
!
!
access-list 1 permit 172.16.10.0 0.0.0.255
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password *********
login
transport input none
!
scheduler allocate 20000 1000
!
end

VIP Mentor

Re: Configure Cisco 1921 to Allow DNS and Teamviewer ONLY

Hello,

 

we forgot one final thing, the default route. Add the following to your configuration:

 

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0

Beginner

Re: Configure Cisco 1921 to Allow DNS and Teamviewer ONLY

Thanks, but still a no go... I added the stuff @ access-list 112 area to attempt to troubleshoot. Still not working.

When I have the TeamViewer list deleted, I can access the whole internet. As soon as I add the following, I lose all connectivity. I can't even ping 8.8.8.8.

 

Again, thank you for all the help so far. 

 

 

ip access-list extended TeamViewer
permit tcp any eq 5938 any eq 5938
permit udp any eq 5938 any eq 5938
permit udp any eq domain any eq domain
permit udp any eq netbios-ns any eq netbios-ns

 

 

FULL CONFIG BELOW

 

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname manor-router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ********
enable password ********
!
no aaa new-model
memory-size iomem 25
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn *******
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_WAN Interface
ip address dhcp hostname manor-router
ip access-group 102 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 172.16.10.5 255.255.0.0
ip access-group TeamViewer in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
ip access-list extended TeamViewer
permit tcp any eq 5938 any eq 5938
permit udp any eq 5938 any eq 5938
permit udp any eq domain any eq domain
permit udp any eq netbios-ns any eq netbios-ns
!
!
!
access-list 1 permit 172.16.10.0 0.0.0.255
access-list 112 permit udp any any eq domain
access-list 112 permit udp any eq domain any
access-list 112 permit tcp any any eq domain
access-list 112 permit tcp any eq domain any
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password ********
login
transport input none
!
scheduler allocate 20000 1000
!
end

VIP Mentor

Re: Configure Cisco 1921 to Allow DNS and Teamviewer ONLY

Hello,

 

is this a typo ?

 

ip access-group 102 in --> should be 112

 

Either way, try to remove all access lists applied to interface in order to check if you get Internet connectivity at all. So the config should look like this:

 

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname manor-router
!
boot-start-marker
boot-end-marker
!
enable secret 5 ********
enable password ********
!
no aaa new-model
memory-size iomem 25
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
license udi pid CISCO1921/K9 sn *******
!
redundancy
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_WAN Interface
ip address dhcp hostname manor-router
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 172.16.10.5 255.255.0.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
access-list 1 permit 172.16.10.0 0.0.0.255
!
control-plane

!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password ********
login
transport input none
!
scheduler allocate 20000 1000
!
end

Beginner

Re: Configure Cisco 1921 to Allow DNS and Teamviewer ONLY

Hello, Thanks again and again. 

 

That was a typo and I have corrected it. When I test the config WITHOUT the access lists, it works. When I test it as below, which is the same as WITHOUT the access lists but with the access lists, I can't access TeamViewer or DNS. I also can't ping 172.16.10.5 or 8.8.8.8 regardless of ACLs being in or not.

 

 

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname manor-router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ********
enable password ********
!
no aaa new-model
memory-size iomem 25
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn ********
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_WAN Interface
ip address dhcp hostname manor-router
ip access-group 112 in
ip access-group 112 out
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 172.16.10.5 255.255.0.0
ip access-group 112 in
ip access-group 112 out
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
!
!
access-list 1 permit 172.16.10.0 0.0.0.255
access-list 112 permit udp any any eq domain
access-list 112 permit udp any eq domain any
access-list 112 permit tcp any any eq domain
access-list 112 permit tcp any eq domain any
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password ********
login
transport input none
!
scheduler allocate 20000 1000
!
end

VIP Mentor

Re: Configure Cisco 1921 to Allow DNS and Teamviewer ONLY

Hello,

 

try and remove the access lists from the WAN interface and leave them just on the WAN interface...

 

interface GigabitEthernet0/0
description PrimaryWANDesc_WAN Interface
ip address dhcp hostname manor-router
--> no ip access-group 112 in
--> no ip access-group 112 out
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto

Beginner

Re: Configure Cisco 1921 to Allow DNS and Teamviewer ONLY

OK, I tried that. No good on the TeamViewer connection or the DNS for 8.8.8.8. Interestingly enough, Windows thinks it is online... See screenshot. TeamViewer still does not. Also, still cannot ping out or the gateway IP.

 

Current Config Below. 

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname manor-router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ********
enable password ********
!
no aaa new-model
memory-size iomem 25
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn *********
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_WAN Interface
ip address dhcp hostname manor-router
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 172.16.10.5 255.255.0.0
ip access-group TeamViewer in
ip access-group TeamViewer out
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended TeamViewer
permit tcp any eq 5938 any eq 5938
permit udp any eq 5938 any eq 5938
permit udp any eq domain any eq domain
permit tcp any eq domain any eq domain
permit udp any eq netbios-ns any eq netbios-ns
permit tcp any eq 137 any eq 137
!
!
!
access-list 1 permit 172.16.10.0 0.0.0.255
access-list 112 permit udp any any eq domain
access-list 112 permit udp any eq domain any
access-list 112 permit tcp any any eq domain
access-list 112 permit tcp any eq domain any
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password ********
login
transport input none
!
scheduler allocate 20000 1000
!
end

 

 

 

VIP Mentor

Re: Configure Cisco 1921 to Allow DNS and Teamviewer ONLY

Hello,

 

what if you change the access list to just:

 

ip access-list extended TeamViewer

permit tcp any any eq 5389

permit tcp any any eq 53

 

Also, as far as I recall, TeamViewer also uses port 443 and 80 as fallback ports ?

 

Beginner

Re: Configure Cisco 1921 to Allow DNS and Teamviewer ONLY

Hello,

 

Thanks again. Sorry for the delay in response. I've been away from this project for a few days. 

 

TeamViewer does use those as fallback ports, but only in the event of not being able to connect on the regular ports. I tried to add those as well and it was a no go.

 

So I changed this, which gave me full internet access:

 

 

Standard IP access list 1
10 permit 172.16.10.0, wildcard bits 0.0.0.255 (259 matches)
Extended IP access list 112
10 permit udp any any eq domain (398 matches)
20 permit udp any eq domain any (375 matches)
30 permit tcp any any eq domain
40 permit tcp any eq domain any
Extended IP access list TeamViewer
10 permit tcp any eq 5938 any eq 5938
20 permit udp any eq 5938 any eq 5938
30 permit udp any eq domain any eq domain
40 permit tcp any eq domain any eq domain
50 permit udp any eq netbios-ns any eq netbios-ns (14 matches)
60 permit tcp any eq 137 any eq 137

 

 

to this, which gives me no access:

 


Standard IP access list 1
10 permit 172.16.10.0, wildcard bits 0.0.0.255 (837 matches)
Extended IP access list TeamViewer
10 permit tcp any any eq 5389
20 permit tcp any any eq domain

 

Here is my current config.

 

Current configuration : 1678 bytes
!
! Last configuration change at 18:35:23 UTC Wed Oct 25 2017
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname manor-router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 *********
enable password *********
!
no aaa new-model
memory-size iomem 25
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn *******
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_WAN Interface
ip address dhcp hostname manor-router
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 172.16.10.5 255.255.0.0
ip access-group TeamViewer in
ip access-group TeamViewer out
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended TeamViewer
permit tcp any any eq 5389
permit tcp any any eq domain
!
!
!
access-list 1 permit 172.16.10.0 0.0.0.255
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password *********
login
transport input none
!
scheduler allocate 20000 1000
!
end

 


 

VIP Mentor

Re: Configure Cisco 1921 to Allow DNS and Teamviewer ONLY

Hello,

 

ok. I have done some more research, and it is possible that the TeamViewer client uses port 80 for outbound connections. Try and add the line in bold to your access list:

 

ip access-list extended TeamViewer
permit tcp any any eq 5389
permit tcp any any eq domain

permit tcp any eq 80 any eq 5389

VIP Mentor

Re: Configure Cisco 1921 to Allow DNS and Teamviewer ONLY

Hello,

 

turn debugging on to find out which ports TeamViewer is trying to use:

 

debug ip tcp packet

VIP Advisor

Re: Configure Cisco 1921 to Allow DNS and Teamviewer ONLY

Hello

Just like to add, you're missing an access-list for your NAT to relate to (as georg stated) and a default route for internet traffic.

 

I would also suggest to apply some context based control to allow initiation from external traffic for teamviewer -

Note: - the below config will NOT negate all internal traffic just for teamviewer but if you wish just amend the LAN acl accordingly

 

conf t
access-list 1 permit 172.16.0.0  <--- for your nat statement

ip access-list extended LAN  <------For cbac
permit ip 172.16.0.0 0.0.255.255 any

 

ip access-list extended TeamViewer <----allow teamviewer and dns/dhcp from outside
permit udp any any eq domain
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any any eq netbios-ns
permit udp any any eq 5938

permit tcp any any eq 5938




ip inspect name STAN udp
ip inspect name STAN tcp
ip inspect name STAN Icmp

interface GigabitEthernet0/1
ip access-group LAN in
ip inspect STAN in

interface GigabitEthernet0/0
ip access-group TeamViewer in

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp  1





kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Beginner

Re: Configure Cisco 1921 to Allow DNS and Teamviewer ONLY

Thank you both for your help so far. Unfortunately, the config listed below is not allowing TeamViewer access. It's not letting anything else through either. I think it's that I don't fully understand what you mean by "Note: - the below config will NOT negate all internal traffic just for teamviewer but if you wish just amend the LAN acl accordingly"

 

 

 

 

Current configuration : 1946 bytes
!
! Last configuration change at 01:33:14 UTC Thu Oct 26 2017
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname manor-router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ********
enable password ********
!
no aaa new-model
memory-size iomem 25
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip name-server 8.8.8.8
ip inspect name STAN udp
ip inspect name STAN tcp
ip inspect name STAN icmp
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn *********
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_WAN Interface
ip address dhcp hostname manor-router
ip access-group TeamViewer in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 172.16.10.5 255.255.0.0
ip access-group LAN in
ip nat inside
ip inspect STAN in
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended LAN
permit ip 172.16.0.0 0.0.255.255 any
ip access-list extended TeamViewer
permit udp any any eq domain
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any any eq netbios-ns
permit udp any any eq 5938
permit tcp any any eq 5938
!
!
!
access-list 1 permit 172.16.0.0
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password ********
login
transport input none
!
scheduler allocate 20000 1000
!
end
