jearl
Beginner

Configure Cisco 1921 to Allow DNS and Teamviewer ONLY

Hello All,

 

First off, I'd like to mention that this has been my 1st time touching Cisco configs in the better part of a decade. Needless to say, I'm rather rusty. Basically what I'm attempting to do is allow access to TeamViewer only for the time being. As I've been reading for the past few days, I've found out that you have to allow a few ports and DNS to allow TeamViewer access. I have an extended access list created in "WHAT I THINK" is the correct fashion. I have my config below, please someone save me from this maze!

 

Thank you in advance.

 

 

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname manor-router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ********
enable password ********
!
no aaa new-model
memory-size iomem 25
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 ********
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_WAN Interface
ip address dhcp hostname manor-router
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 172.16.10.5 255.255.0.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
ip access-list extended TeamViewer
permit tcp any eq 5938 any eq 5938
permit udp any eq domain any eq domain
permit udp any eq netbios-ns any eq netbios-ns
permit udp any eq 5938 any eq 5938
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password *****
login
transport input none
!
scheduler allocate 20000 1000
!
end


Accepted Solutions

Thank you all for the help. I couldn't have done it without you. All 3 of you contributed useful information that ended with a working finished product. Below is the working config based upon the work we've done in this thread combined with about 200 more random articles found on various forums. This config allows for DNS resolution through the firewall and Teamviewer access ONLY. Ping, HTTP Traffic, etc, are all denied. I am leaving this here in the hopes that it helps someone, in this same predicament, in the future. Thank you again!

 

 

 

Current configuration : 1853 bytes
!
! Last configuration change at 18:24:30 UTC Thu Oct 26 2017
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname manor-router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 *********
enable password *********
!
no aaa new-model
memory-size iomem 25
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip name-server 8.8.8.8
ip inspect name STAN udp
ip inspect name STAN tcp
ip inspect name STAN icmp
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn ************
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_WAN Interface
ip address dhcp hostname manor-router
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 172.16.10.5 255.255.0.0
ip access-group DNS in
ip nat inside
ip inspect STAN in
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended DNS
permit udp any any eq domain
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any any eq netbios-ns
permit udp any any eq 5938
permit tcp any any eq 5938
!
!
!
access-list 1 permit 172.16.10.0 0.0.0.255
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password *********
login
transport input none
!
scheduler allocate 20000 1000
!
end
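The difference between the original TeamViewer list and the accepted DNS list is a single detail of extended ACL syntax: `permit udp any eq domain any eq domain` requires the source port and the destination port to both be 53, while a DNS query from a LAN host carries an ephemeral source port, so nothing in the first list ever matched and the implicit deny at the end dropped everything. The list below is an added example, not code from this thread or from Cisco: a small Python model of IOS ACL evaluation that parses the entries exactly as posted (the original `TeamViewer` list, the accepted `DNS` list and the NAT list `access-list 1`) and runs constructed packets through them. It models only `permit`/`deny` with `any`, `host`, address-plus-wildcard and `eq` port matches, which is all these lists use; the packet addresses and ports are constructed (203.0.113.10 stands in for a TeamViewer server), and the port-name table is an assumption covering only the names that appear in the thread.

```python
"""Model of Cisco IOS access-list matching (added example, not the thread's
or Cisco's code). Parses the ACL text posted in the thread and evaluates
constructed packets against it, top-down, with the implicit deny at the end."""
import ipaddress

# IOS port keywords used in the thread's lists (assumed mapping, standard values).
PORT_NAMES = {"domain": 53, "netbios-ns": 137, "bootpc": 68, "bootps": 67}
ANY = (0, 0xFFFFFFFF)          # base address 0, wildcard all-ones: matches everything


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' (wildcard defaults to 0.0.0.0)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    has_wild = i + 1 < len(tokens) and tokens[i + 1] not in ("eq", "log")
    wild = _ip(tokens[i + 1]) if has_wild else 0
    return (_ip(tokens[i]), wild), i + (2 if has_wild else 1)


def _port_spec(tokens, i):
    """Optional 'eq <port>'; None means any port (the accepted list's form)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return PORT_NAMES.get(name, None) if name in PORT_NAMES else int(name), i + 2
    return None, i


def parse_acl(text):
    """Turn named or numbered ACL text into an ordered list of rule dicts."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] == ["access-list"]:
            tokens = tokens[2:]                      # drop 'access-list <number>'
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                                 # 'ip access-list extended NAME' header
        action = tokens[0]
        if tokens[1] in ("ip", "tcp", "udp", "icmp"):          # extended entry
            proto = tokens[1]
            src, i = _addr(tokens, 2)
            sport, i = _port_spec(tokens, i)
            dst, i = _addr(tokens, i)
            dport, i = _port_spec(tokens, i)
        else:                                                  # standard entry: source only
            proto, sport, dport, dst = "ip", None, None, ANY
            src, i = _addr(tokens, 1)
        rules.append(dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport))
    return rules


def _addr_match(spec, addr):
    base, wild = spec                                # wildcard bit set = "don't care"
    return (addr & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF)


def evaluate(rules, pkt):
    """First matching entry wins; no match at all is the implicit deny."""
    for r in rules:
        if r["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_addr_match(r["src"], pkt["src"]) and _addr_match(r["dst"], pkt["dst"])):
            continue
        if r["sport"] is not None and r["sport"] != pkt["sport"]:
            continue
        if r["dport"] is not None and r["dport"] != pkt["dport"]:
            continue
        return r["action"]
    return "deny"


def packet(proto, src, dst, sport=None, dport=None):
    return dict(proto=proto, src=_ip(src), dst=_ip(dst), sport=sport, dport=dport)


# The lists as posted in the thread.
ORIGINAL = parse_acl("""ip access-list extended TeamViewer
 permit tcp any eq 5938 any eq 5938
 permit udp any eq domain any eq domain
 permit udp any eq netbios-ns any eq netbios-ns
 permit udp any eq 5938 any eq 5938""")
ACCEPTED = parse_acl("""ip access-list extended DNS
 permit udp any any eq domain
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit udp any any eq netbios-ns
 permit udp any any eq 5938
 permit tcp any any eq 5938""")
NAT_LIST = parse_acl("access-list 1 permit 172.16.10.0 0.0.0.255")

# Constructed packets as seen entering GigabitEthernet0/1 from the LAN (and one reply).
SCENARIOS = {
    "dns_query": packet("udp", "172.16.10.20", "8.8.8.8", 51234, 53),
    "teamviewer_tcp": packet("tcp", "172.16.10.20", "203.0.113.10", 49152, 5938),
    "ping": packet("icmp", "172.16.10.20", "8.8.8.8"),
    "dns_reply": packet("udp", "8.8.8.8", "172.16.10.20", 53, 51234),
}


def run_scenarios():
    """Verdict of each list for each packet, plus the NAT list for two LAN hosts."""
    out = {name: {"original": evaluate(ORIGINAL, p), "accepted": evaluate(ACCEPTED, p)}
           for name, p in SCENARIOS.items()}
    out["nat_172.16.10.20"] = evaluate(NAT_LIST, SCENARIOS["dns_query"])
    out["nat_172.16.20.7"] = evaluate(NAT_LIST, packet("udp", "172.16.20.7", "8.8.8.8", 51234, 53))
    return out


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:18} {verdict}")
```

Two things the output makes visible that the thread only reports as symptoms: the original list denies the DNS query, the TeamViewer session and ping alike (every entry pins the source port), and the accepted list permits the outbound query but would deny the reply if it were applied `out` on the LAN interface as one of the later posts tried, since the reply's destination port is the client's ephemeral port; in the accepted configuration return traffic is handled by `ip inspect STAN in` and the absence of an ACL on GigabitEthernet0/0, not by the list itself. The NAT check also shows a caveat worth knowing about the final config: the LAN interface is a /16 but `access-list 1` covers only 172.16.10.0/24, so a host such as 172.16.20.7 is routed without translation.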

Georg Pauwen
VIP Master

Hello,

 

the access list looks good, you just have not applied it yet. I have also added access list 1 for NAT to work. Additions are in bold:

 

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname manor-router
!
boot-start-marker
boot-end-marker
!
enable secret 5 ********
enable password ********
!
no aaa new-model
memory-size iomem 25
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
license udi pid CISCO1921/K9 ********
!
redundancy
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_WAN Interface
ip address dhcp hostname manor-router
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 172.16.10.5 255.255.0.0
ip nat inside
ip access-group TeamViewer in
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
access-list 1 permit 172.16.10.0 0.0.0.255
!
ip access-list extended TeamViewer
permit tcp any eq 5938 any eq 5938
permit udp any eq domain any eq domain
permit udp any eq netbios-ns any eq netbios-ns
permit udp any eq 5938 any eq 5938
!
control-plane
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password *****
login
transport input none
!
scheduler allocate 20000 1000
!
end

Thanks for the quick reply. I THINK I entered the info you suggested into the correct spots. However, TeamViewer will not connect and I am no longer able to ping the Cisco 1921 at 172.16.10.5. Ideally I'd like to be able to ping the gateway and other devices on the LAN while on the LAN. I am assuming I have to add some more rules to do so. I'd also like to be able to ping and access 8.8.8.8 for DNS. We won't be running a local DNS server here in the form of a Windows or Linux server, we were just going to point to Google's 8.8.8.8. Would you recommend this setup? Or, would you enable DNS on the 1921? See the config file below.

 

 

Thanks again,

 

 

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname manor-router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 *********
enable password *********
!
no aaa new-model
memory-size iomem 25
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn *********
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_WAN Interface
ip address dhcp hostname manor-router
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 172.16.10.5 255.255.0.0
ip access-group TeamViewer in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
ip access-list extended TeamViewer
permit tcp any eq 5938 any eq 5938
permit udp any eq domain any eq domain
permit udp any eq netbios-ns any eq netbios-ns
permit udp any eq 5938 any eq 5938
!
!
!
access-list 1 permit 172.16.10.0 0.0.0.255
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password *********
login
transport input none
!
scheduler allocate 20000 1000
!
end

Hello,

 

we forgot one final thing, the default route. Add the following to your configuration:

 

ip route 0.0.0.0 0.0.0.0 interface GigabitEthernet0/0

Thanks, but still a no go... I added the stuff in the access-list 112 area to attempt to troubleshoot. Still not working.

When I have the TeamViewer list deleted, I can access the whole internet. As soon as I add the following, I lose all connectivity. I can't even ping 8.8.8.8.

 

Again, thank you for all the help so far. 

 

 

ip access-list extended TeamViewer
permit tcp any eq 5938 any eq 5938
permit udp any eq 5938 any eq 5938
permit udp any eq domain any eq domain
permit udp any eq netbios-ns any eq netbios-ns

 

 

FULL CONFIG BELOW

 

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname manor-router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ********
enable password ********
!
no aaa new-model
memory-size iomem 25
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn *******
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_WAN Interface
ip address dhcp hostname manor-router
ip access-group 102 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 172.16.10.5 255.255.0.0
ip access-group TeamViewer in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
ip access-list extended TeamViewer
permit tcp any eq 5938 any eq 5938
permit udp any eq 5938 any eq 5938
permit udp any eq domain any eq domain
permit udp any eq netbios-ns any eq netbios-ns
!
!
!
access-list 1 permit 172.16.10.0 0.0.0.255
access-list 112 permit udp any any eq domain
access-list 112 permit udp any eq domain any
access-list 112 permit tcp any any eq domain
access-list 112 permit tcp any eq domain any
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password ********
login
transport input none
!
scheduler allocate 20000 1000
!
end

Hello,

 

is this a typo?

 

ip access-group 102 in --> should be 112

 

Either way, try to remove all access lists applied to interface in order to check if you get Internet connectivity at all. So the config should look like this:

 

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname manor-router
!
boot-start-marker
boot-end-marker
!
enable secret 5 ********
enable password ********
!
no aaa new-model
memory-size iomem 25
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
license udi pid CISCO1921/K9 sn *******
!
redundancy
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_WAN Interface
ip address dhcp hostname manor-router
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 172.16.10.5 255.255.0.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
access-list 1 permit 172.16.10.0 0.0.0.255
!
control-plane

!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password ********
login
transport input none
!
scheduler allocate 20000 1000
!
end

Hello, Thanks again and again. 

 

That was a typo and I have corrected it. When I test the config WITHOUT the access lists, it works. When I test it as below, which is the same as WITHOUT the access lists but with the access lists, I can't access TeamViewer or DNS. I also can't ping 172.16.10.5 or 8.8.8.8 regardless of ACLs being in or not.

 

 

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname manor-router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ********
enable password ********
!
no aaa new-model
memory-size iomem 25
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn ********
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_WAN Interface
ip address dhcp hostname manor-router
ip access-group 112 in
ip access-group 112 out
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 172.16.10.5 255.255.0.0
ip access-group 112 in
ip access-group 112 out
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
!
!
access-list 1 permit 172.16.10.0 0.0.0.255
access-list 112 permit udp any any eq domain
access-list 112 permit udp any eq domain any
access-list 112 permit tcp any any eq domain
access-list 112 permit tcp any eq domain any
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password ********
login
transport input none
!
scheduler allocate 20000 1000
!
end

Hello,

 

try and remove the access lists from the WAN interface and leave them just on the WAN interface...

 

interface GigabitEthernet0/0
description PrimaryWANDesc_WAN Interface
ip address dhcp hostname manor-router
--> no ip access-group 112 in
--> no ip access-group 112 out
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto

OK, I tried that. No good on the TeamViewer connection or the DNS for 8.8.8.8. Interestingly enough, Windows thinks it is online... See screenshot. TeamViewer still does not. Also, I still cannot ping out or the gateway IP.

 

Current Config Below. 

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname manor-router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ********
enable password ********
!
no aaa new-model
memory-size iomem 25
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn *********
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_WAN Interface
ip address dhcp hostname manor-router
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 172.16.10.5 255.255.0.0
ip access-group TeamViewer in
ip access-group TeamViewer out
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended TeamViewer
permit tcp any eq 5938 any eq 5938
permit udp any eq 5938 any eq 5938
permit udp any eq domain any eq domain
permit tcp any eq domain any eq domain
permit udp any eq netbios-ns any eq netbios-ns
permit tcp any eq 137 any eq 137
!
!
!
access-list 1 permit 172.16.10.0 0.0.0.255
access-list 112 permit udp any any eq domain
access-list 112 permit udp any eq domain any
access-list 112 permit tcp any any eq domain
access-list 112 permit tcp any eq domain any
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password ********
login
transport input none
!
scheduler allocate 20000 1000
!
end