Solved: Re: Configure Cisco 1921 to Allow DNS and Teamviewer ONLY - Page 2

jearl · ‎10-23-2017

Hello All,

First off, I'd like to mention that this has been my 1st time touching Cisco configs in the better part of a decade. Needless to say, im rather rusty. Basically what im attempting to do is allow access TeamViewer Only for the time being. AS I've been reading for the past few days I've found out that you have to allow a few ports and DNS to allow TeamViewer Access. I have an extended access list created in "WHAT I THINK" is the correct fashion. I have my config below, please someone save me from this maze!

Thank you in advance.

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname manor-router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ********
enable password ********
!
no aaa new-model
memory-size iomem 25
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 ********
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_WAN Interface
ip address dhcp hostname manor-router
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 172.16.10.5 255.255.0.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
ip access-list extended TeamViewer
permit tcp any eq 5938 any eq 5938
permit udp any eq domain any eq domain
permit udp any eq netbios-ns any eq netbios-ns
permit udp any eq 5938 any eq 5938
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password *****
login
transport input none
!
scheduler allocate 20000 1000
!
end

paul driver · ‎10-26-2017

Hello

okay let's strip all acl and cbac configuration off the interfaces and test internet connectivity and teamvierer access with Just basic nat and default route being applied .

please confirm this access works

res

paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

trevor240 · ‎10-25-2017

My question based on the configuration, how is the router supposed to get DHCP if it falls under the implicit deny ip any any, I would add "permit udp any eq bootpc any eq bootps" into the config so that it can grab an ip address from the provider's DHCP server.

Georg Pauwen · ‎10-26-2017

Hello,

I have done some debugging, and it looks like TeamViewer also needs UDP ports 53 and 137. Either way, I have changed the access list you are using. The entire (hopefully working) configuration would look like below:

Current configuration : 1678 bytes
!
! Last configuration change at 18:35:23 UTC Wed Oct 25 2017
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname manor-router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 *********
enable password *********
!
no aaa new-model
memory-size iomem 25
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
license udi pid CISCO1921/K9 sn *******
!
redundancy
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_WAN Interface
ip address dhcp hostname manor-router
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 172.16.10.5 255.255.0.0
ip access-group TeamViewer in
ip access-group TeamViewer out
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended TeamViewer
permit tcp any any eq 80 443 5938
permit tcp any eq 80 443 5938 137 any
permit udp any any eq 137 5938
permit udp any eq 137 5938 any
permit udp any any eq 53
permit udp any eq 53 any
permit tcp any any eq 53
permit tcp any eq 53 any
!
access-list 1 permit 172.16.10.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password *********
login
transport input none
!
scheduler allocate 20000 1000
!
end

jearl · ‎10-26-2017

Thank you all for the help. I couldn't have done it without you. All 3 of you contributed useful information that ended with a working finished product. Below is the working config based upon the work we've done in this thread combined with about 200 more random articles found on various forums. This config allows for DNS resolution through the firewall and Teamviewer access ONLY. Ping, HTTP Traffic, etc, are all denied. I am leaving this here in the hopes that it helps someone, in this same predicament, in the future. Thank you again!

Current configuration : 1853 bytes
!
! Last configuration change at 18:24:30 UTC Thu Oct 26 2017
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname manor-router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 *********
enable password *********
!
no aaa new-model
memory-size iomem 25
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip name-server 8.8.8.8
ip inspect name STAN udp
ip inspect name STAN tcp
ip inspect name STAN icmp
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn ************
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_WAN Interface
ip address dhcp hostname manor-router
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 172.16.10.5 255.255.0.0
ip access-group DNS in
ip nat inside
ip inspect STAN in
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended DNS
permit udp any any eq domain
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any any eq netbios-ns
permit udp any any eq 5938
permit tcp any any eq 5938
!
!
!
access-list 1 permit 172.16.10.0 0.0.0.255
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password *********
login
transport input none
!
scheduler allocate 20000 1000
!
end

Georg Pauwen · ‎10-26-2017

Good stuff, and great solution from Paul ! Just be aware that with CBAC, you can only initiate the TeamViewer connection from the inside. Anyone trying to initiate the TeamViewer session from the outside will be denied...

jearl · ‎10-26-2017

Thanks Again Georg,

It is actually tested and working. I think the reason for this is that TeamViewer has to "phone home" initially to even work. So the Teamviewer connection is always initiated from the internal network. Once that connection is initiated, the little green light at the bottom of the teamviewer host window lights up and allows incoming connections from whatever relay you're connecting in from over the ports in the ACL.

Georg Pauwen · ‎10-26-2017

Again, good stuff ! I'll definitely keep that working configuration on file for future reference !