Help setting up new Cisco 2911 Router!

Jamie_ABSNet
Level 1

OK, I'm fairly new to this, as my company just let our network admin go a while ago. Recently they bought a new Cisco 2911 router and told me that they want it connected to an outside WAN connection that they hadn't used in a while so they could create a little network on the side. They want to just plug the server into the router and go. Unfortunately, I am sort of clueless about how to set up the config for it. I know the show commands and some stuff about networking, but if someone could give me a hand that'd be great.

The outside gateway is xx.xx.xx.137

subnet is 255.255.255.248

There are 3 GE ports, with the line from the outside coming in on GE0/0. I've already activated the interface and it is up, but that's where I get stuck.

14 Replies

blau grana
Level 7

Hi Jamie

This is a basic config which you can use:

!
service password-encryption
!
hostname <>
!
logging buffered 128000
enable secret <>
!
aaa new-model
!
aaa authentication login default local
aaa authentication enable default enable
!
aaa session-id common
!
ip dhcp pool LAN_POOL
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 domain-name <>
 dns-server <>
 lease 0 8
!
ip cef
no ip domain-lookup
!
! CBAC stateful inspection: sessions leaving Gi0/0 get their return traffic opened dynamically
ip inspect alert-off
ip inspect max-incomplete low 500
ip inspect max-incomplete high 3000
ip inspect one-minute high 2000
ip inspect one-minute low 800
ip inspect tcp max-incomplete host 800 block-time 0
ip inspect tcp reassembly queue length 1024
ip inspect name INET_STATE-FW icmp
ip inspect name INET_STATE-FW dns
ip inspect name INET_STATE-FW ftp
ip inspect name INET_STATE-FW ntp
ip inspect name INET_STATE-FW tftp
ip inspect name INET_STATE-FW pptp
ip inspect name INET_STATE-FW echo
ip inspect name INET_STATE-FW udp
ip inspect name INET_STATE-FW tcp
!
! "username ... secret" would store a hash; "password" is kept as a reversible type-7 string
username USER password PASSWORD
!
interface Gi0/0
 description INTERNET_UPLINK
 ip address X.X.X.X 255.255.255.248
 ip access-group INTERNET_IN in
 ip access-group BLOCK_PRIV_ADDRS out
 ip nat outside
 ip inspect INET_STATE-FW out
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
 no shut
!
interface Gi0/1
 description LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip verify unicast reverse-path
 load-interval 30
 no shut
!
no ip http server
no ip http secure-server
!
! black-hole RFC1918 destinations so they never follow the default route to the ISP
ip route 10.0.0.0 255.0.0.0 Null0 name DENY_RFC1918
ip route 172.16.0.0 255.240.0.0 Null0 name DENY_RFC1918
ip route 192.168.0.0 255.255.0.0 Null0 name DENY_RFC1918
ip route 0.0.0.0 0.0.0.0 X.X.X.137 name DEFAULT_ROUTE
!
! PAT every LAN host behind the Gi0/0 address; NAT_ACL exempts LAN-to-LAN traffic
ip nat inside source route-map RMAP-NAT interface Gi0/0 overload
!
ip access-list extended BLOCK_PRIV_ADDRS
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
!
ip access-list extended NAT_ACL
 deny   ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
 deny   ip any any
!
ip access-list extended INTERNET_IN
 remark *** Allowed traffic ***
 permit ip XYZ
 remark *** Deny traffic not permitted by IOS stateful firewall ***
 deny   ip any any
!
ip access-list extended MGMT
 permit ip X.X.X.X X.X.X.X any
 deny   ip any any
!
route-map RMAP-NAT
 match ip address NAT_ACL
!
line con 0
 exec-timeout 60 0
 logging synchronous
line vty 0 4
 exec-timeout 30 0
 logging synchronous
 ! only sources in MGMT may open a telnet/ssh session to the router
 access-class MGMT in
!
end

Best Regards

Please rate helpful posts

Best Regards Please rate all helpful posts and close solved questions

Just a couple of questions.

Do I put the gateway address here, or just one of the 5 static IPs?

interface Gi0/0
 description INTERNET_UPLINK
 ip address X.X.X.X 255.255.255.248

Also

 remark *** Allowed traffic ***
 permit ip XYZ (What should go here for XYZ?)
 remark *** Deny traffic not permitted by IOS stateful firewall ***
 deny   ip any any
!
ip access-list extended MGMT
 permit ip X.X.X.X X.X.X.X any (And here for X.X.X.X X.X.X.X?)
 deny   ip any any

I really appreciate this.

Hi Jamie

In your first post you wrote:

The outside gateway is xx.xx.xx.137

subnet is 255.255.255.248

I assume that the ISP gave you some IP from a /29 prefix; this IP address will be configured on the Gi0/0 uplink interface. For example:

GW is 100.0.0.137 with subnet mask 255.255.255.248

It means the network is 100.0.0.137/29, so one IP from the range 100.0.0.138 - 100.0.0.142 will be configured on Gi0/0.

[You should know which IP was delegated to you by the ISP, or whether the entire range belongs to you.]

ip access-list extended MGMT

Here you configure all IPs from which you would like to access the router via telnet/ssh. If you will manage the router only from the local LAN, you will add this:

 permit ip 192.168.0.0 0.0.0.255 any
 deny   ip any any

 remark *** Allowed traffic ***
 permit ip XYZ (What should go here for XYZ?)
 remark *** Deny traffic not permitted by IOS stateful firewall ***
 deny   ip any any

This part is a little bit tricky. You can go one of two ways:

1) deny the traffic which you do not want to allow and permit everything else

2) permit the traffic which is desirable and deny everything else

The first possibility is used when you do not know exactly what traffic will pass through the router (common internet access) but you know what you should deny (deny management access from public addresses and allow only some which you will use).

The second possibility is used when you know exactly what traffic will pass through the router (some IPsec tunnels, connection to HQ, ...), so you allow that traffic and deny everything else, because all the traffic which is desirable is already allowed.

Best Regards

Please rate helpful posts

Ok, I believe I've got all of the info in the right places. Though there were a couple of errors I received when applying the config to the router. I am getting an "Invalid input detected at '^' marker" under each one of the "inspect" commands. Every other command went in ok.

!
service password-encryption
!
hostname ABS2911RTR2
!
logging buffered 128000
enable secret xxxxxxxxxxx
!
aaa new-model
!
aaa authentication login default local
aaa authentication enable default enable
!
aaa session-id common
!
ip dhcp pool LAN_POOL
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 domain-name xxxxxxx.com
 dns-server xx.xx.xx.xx
 lease 0 8
!
ip cef
no ip domain-lookup
!
! these ip inspect lines were the ones the router rejected with "Invalid input detected"
ip inspect alert-off
ip inspect max-incomplete low 500
ip inspect max-incomplete high 3000
ip inspect one-minute high 2000
ip inspect one-minute low 800
ip inspect tcp max-incomplete host 800 block-time 0
ip inspect tcp reassembly queue length 1024
ip inspect name INET_STATE-FW icmp
ip inspect name INET_STATE-FW dns
ip inspect name INET_STATE-FW ftp
ip inspect name INET_STATE-FW ntp
ip inspect name INET_STATE-FW tftp
ip inspect name INET_STATE-FW pptp
ip inspect name INET_STATE-FW echo
ip inspect name INET_STATE-FW udp
ip inspect name INET_STATE-FW tcp
!
interface Gi0/0
 description INTERNET_UPLINK
 ip address xx.xx.16.138 255.255.255.248
 ip access-group INTERNET_IN in
 ip access-group BLOCK_PRIV_ADDRS out
 ip nat outside
 ip inspect INET_STATE-FW out
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
 no shut
!
interface Gi0/1
 description LAN
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip verify unicast reverse-path
 load-interval 30
 no shut
!
no ip http server
no ip http secure-server
!
ip route 10.0.0.0 255.0.0.0 Null0 name DENY_RFC1918
ip route 172.16.0.0 255.240.0.0 Null0 name DENY_RFC1918
ip route 192.168.0.0 255.255.0.0 Null0 name DENY_RFC1918
ip route 0.0.0.0 0.0.0.0 67.216.16.137 name DEFAULT_ROUTE
!
ip nat inside source route-map RMAP-NAT interface Gi0/0 overload
!
ip access-list extended BLOCK_PRIV_ADDRS
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
!
ip access-list extended NAT_ACL
 deny   ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
 deny   ip any any
!
ip access-list extended INTERNET_IN
 remark *** Allowed traffic ***
 ! a subnet mask is given here where IOS expects a wildcard mask
 permit ip X.X.16.138 255.255.255.248 any
 remark *** Deny traffic not permitted by IOS stateful firewall ***
 deny   ip any any
!
ip access-list extended MGMT
 permit ip 192.168.3.0 0.0.0.255 any
 deny   ip any any
!
route-map RMAP-NAT
 match ip address NAT_ACL
!
line con 0
 exec-timeout 60 0
 logging synchronous
line vty 0 4
 exec-timeout 30 0
 logging synchronous
 access-class MGMT in
!
end

Hi Jamie

With ip inspect you would configure a stateful firewall on your router, but it is not essential, so you can omit that.

Instead you can configure a zone-based firewall, or you do not have to configure any firewall at all; it is up to you.

Best Regards

Please rate helpful posts

Thank you very much, it's working now. One other question though. I was not able to RDP onto the server I have connected to the router. Could you tell me how to add that to the config? I thought it might have been under "ip access-list extended NAT_ACL" as permit tcp 192.168.3.246 eq 3389, but I wasn't sure.

Trying to RDP from LAN or Public?

Please rate helpful posts

Jawad

I'm outside the network. So I'm trying to RDP through the router I just set up. I can connect to the Internet just fine from the server.

Do a static NAT

ip nat inside source static tcp (RDP Server IP) 3389 (one Public IP from address Pool) 3389

*** Do Rate Helpful posts ***

Jawad

You need to do a static port forward.

In configuration mode:

# ip nat inside source static tcp SERVER_IP_ADDR SERVER_PORT int_Gi0/0_IP_ADDR OUTSIDE_PORT

in practice:

your WAN IP is 100.0.0.1

SERVER IP is 192.168.3.99

ip nat inside source static tcp 192.168.3.99 3389 100.0.0.1 22222

Now when you try to connect to the server in your LAN from outside, use WAN IP 100.0.0.1 port 22222 (or whatever one you configure) and you will be forwarded to the server with IP 192.168.2.99 port 3389, TCP protocol only.

Also add this rule to the allowed traffic so it will not be filtered:

ip access-list extended INTERNET_IN
 permit tcp any host 100.0.0.1 eq 22222

You can replace "any" with some network if you want to restrict access to RDP to particular IPs only.

Best Regards

Please rate helpful posts

Ok, I seem to have a problem. I was given an IP and such on the server, but cannot get anywhere but Google. I can search for things on Google, but I can't get to anything, the page just times out lol. I can't ping anything, and when I try and ping the IP from outside the network I get no response. I can ping the gateway from outside and inside I can ping the router. Any thoughts lol?

Could you post the configuration of access list INTERNET_IN?

The last time you posted the configuration, only communication with some /29 network was allowed. Did you add something there? I think this would be the problem.

ip access-list extended INTERNET_IN
 remark *** Allowed traffic ***
 permit ip X.X.16.138 255.255.255.248 any
 remark *** Deny traffic not permitted by IOS stateful firewall ***
 deny   ip any any

Best Regards

Please rate helpful posts

Good Morning,

All I did was change it so it would use the 192.168.2.0 range instead of the 3.0 range

ip access-list extended INTERNET_IN
 remark *** Allowed traffic ***
 permit ip 0.0.0.2 255.255.255.248 any (This keeps reverting back to 0.0.0.2 each time I reload the config)
 permit tcp any host xx.xx.16.138 eq 3389
 remark *** Deny traffic not permitted by IOS stateful firewall ***
 deny   ip any any

It should look like this:

ip access-list extended INTERNET_IN
 remark *** Allowed traffic ***
 permit ip xx.xx.16.138 255.255.255.248 any
 permit tcp any host xx.xx.16.138 eq 3389
 remark *** Deny traffic not permitted by IOS stateful firewall ***
 deny   ip any any

**update**

I got HTTP up on the router so I could log in to the web interface. I can ping the server, but I still can't ping anything outside the network, including the gateway. Everything looks like it's set up correctly in CP Express.

Thank You!

Hi

I don't know what this even means -> permit ip 0.0.0.2 255.255.255.248 any

The syntax of ACLs is:

0.0.0.0/8 is a reserved range; I really do not know what you were trying to accomplish. Also, a wildcard mask has the opposite meaning to a network mask. It is written as e.g. 0.0.0.255, so the first three zeros mean that the first three octets must be matched.

Here is document for some more info:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

Your WAN interface should be Gi0/0. Delete ip access-group INTERNET_IN in from the configuration of this interface; if everything is working then, you can be sure that the problem is with the ACL. Then modify the ACL to your needs.

Best Regards

Please rate helpful posts
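As an added example (not from the thread or from Cisco), here is a small Python model of how IOS normalizes and matches ACL entries: it reproduces the 0.0.0.2 the router kept writing back, and compares the posted INTERNET_IN entry with the same entry written as a wildcard. The 203.0.113.x and 198.51.100.x addresses are constructed stand-ins for the thread's masked xx.xx.16.136/29 block.

```python
import ipaddress
from typing import Optional

def _int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def netmask_to_wildcard(mask: str) -> str:
    """255.255.255.248 -> 0.0.0.7: IOS ACLs take wildcard bits, not subnet masks."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ _int(mask)))

def ios_normalize(addr: str, wildcard: str) -> str:
    """What IOS writes back into running-config: address AND NOT wildcard.
    Bits set in the wildcard are don't-care bits, so IOS zeroes them."""
    return str(ipaddress.IPv4Address(_int(addr) & ~_int(wildcard) & 0xFFFFFFFF))

def ace_matches(addr: str, wildcard: str, pkt_ip: str) -> bool:
    """An address matches an ACE when every bit NOT set in the wildcard agrees."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(pkt_ip) & care)

def acl_permits(acl, src: str, dst: str, dport: Optional[int] = None) -> bool:
    """First-match evaluation of (action, src, src_wc, dst, dst_wc, dport-or-None) entries.
    Falling off the end models the implicit deny at the end of every IOS ACL."""
    for action, s, s_wc, d, d_wc, port in acl:
        if ace_matches(s, s_wc, src) and ace_matches(d, d_wc, dst) and port in (None, dport):
            return action == "permit"
    return False

ANY = ("0.0.0.0", "255.255.255.255")
# Constructed stand-ins for the thread's masked xx.xx.16.136/29 block and .138 WAN address.
WAN_IP, WAN_NETMASK = "203.0.113.138", "255.255.255.248"

# INTERNET_IN as typed in the thread: a subnet mask where IOS expects a wildcard,
# plus the RDP hole opened for the static port forward.
AS_POSTED = [("permit", WAN_IP, WAN_NETMASK, *ANY, None),
             ("permit", *ANY, WAN_IP, "0.0.0.0", 3389)]
# The same entries with the /29 expressed as a wildcard.
CORRECTED = [("permit", WAN_IP, netmask_to_wildcard(WAN_NETMASK), *ANY, None),
             ("permit", *ANY, WAN_IP, "0.0.0.0", 3389)]

if __name__ == "__main__":
    print("IOS stores the posted entry as", ios_normalize(WAN_IP, WAN_NETMASK))  # 0.0.0.2
    print("/29 as wildcard:", netmask_to_wildcard(WAN_NETMASK))                 # 0.0.0.7
    for name, acl in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        for src in ("198.51.100.2", "198.51.100.8", "203.0.113.140"):
            print(name, src, "-> 443 permitted:", acl_permits(acl, src, WAN_IP, 443))
```

With the subnet mask in the wildcard field the entry matches any Internet source whose last octet ends in the bits 010 (one address in eight) rather than the ISP's /29; even the corrected entry admits only the ISP's own /29 as inbound sources, so return traffic for LAN sessions would have depended on the ip inspect rules the router rejected, which is consistent with the outbound connections timing out.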