Solved: Re: Help with NAT and ACL on C800 Series

Veridizer · ‎01-26-2021

Hello,

I would like to request some help with making a few changes to this router, in order to get access from outside.

I have tried to do it myself but I have caused more damage than good. This is because I am honestly not at all familiar with the concept. Instead of giving up, I am counting on getting help from the experts. If anyone can provide the exact commands required to get it to work, then I would be forever grateful.

The requirements are as follows:

From the WAN side, all external connections to the Computers Vlan on TCP 2400 should be allowed.

From the WAN side, all external connections to the DMZ Vlan, host 192.168.10.10 UDP 1820 should be allowed.

From the DMZ end, all internal connections from the host 192.168.10.10 to the router 192.168.10.1 using SNMP should be permitted.

From the DMZ end, all internal connection from the host 192.168.10.10 to the router 192.168.10.1 using SSH should be permitted.

Here is the (obfuscated) config:

no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 32000
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-XXXXXXXXX
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXX
revocation-check none
rsakeypair TP-self-signed-XXXXXXXXX
!
!
crypto pki certificate chain TP-self-signed-XXXXXXXXX
!
!
!
!
!
no ip source-route
!
!
!
!
!
!
!
!
!
!

!
ip dhcp excluded-address 192.168.20.1 192.168.20.10
!
ip dhcp pool Computers
import all
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
no spanning-tree vlan 2
no spanning-tree vlan 3
no spanning-tree vlan 4
vtp mode transparent
username admin privilege 15 secret 5 xxxxxxxxxxXXXXXXXXXXxxxXXxXxXXX
!
redundancy
!
!
!
!
!
controller VDSL 0
!
vlan 2-4
!
!
!
!
!
!
!
!
!
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
interface GigabitEthernet0
description Switch
switchport trunk allowed vlan 1-4
switchport mode trunk
no ip address
!
interface GigabitEthernet1
description DMZ
switchport access vlan 2
switchport mode access
no ip address
!
interface GigabitEthernet2
description Open
switchport access vlan 3
switchport mode access
no ip address
!
interface GigabitEthernet3
description Computers
switchport access vlan 4
switchport mode access
no ip address
spanning-tree portfast
!
interface GigabitEthernet4
switchport access vlan 4
switchport mode access
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
description WAN
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
arp timeout 300
!
interface Wlan-GigabitEthernet8
switchport access vlan 4
switchport mode access
no ip address
!
interface wlan-ap0
ip address 192.168.20.1 255.255.255.252
!
interface Vlan1
no ip address
!
interface Vlan2
description DMZ
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan3
description Open
ip address 192.168.40.1 255.255.255.0
ip access-group OPEN-IN in
ip nat inside
ip virtual-reassembly in
!
interface Vlan4
description Computers
ip address 192.168.20.1 255.255.255.0
ip access-group COMPUTERS-IN in
ip nat inside
no ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
ip http access-class 99
ip http secure-server
!
!
ip nat translation timeout 300
ip nat inside source static tcp 192.168.10.10 443 interface GigabitEthernet8 443
ip nat inside source list NAT interface GigabitEthernet8 overload
ip ssh version 2
!
ip access-list standard VTY
permit 192.168.40.0 0.0.0.255
!
ip access-list extended COMPUTERS-IN
permit icmp any host 192.168.20.1 echo
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
ip access-list extended NAT
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.40.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended OPEN-IN
permit tcp any host 192.168.40.1 eq 22
permit tcp any host 192.168.40.1 eq 443
permit icmp any any
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
!
logging facility local1
ipv6 ioam timestamp
!
snmp-server community not-public RO VTY
access-list 99 permit 192.168.40.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
stopbits 1
line vty 0 4
access-class VTY in
transport input ssh
line vty 5 189
access-class VTY in
transport input ssh
!
end

I am hopeful that this is an easy task for many of you router jockeys

Kind regards!

Georg Pauwen · ‎01-26-2021

Hello,

not sure why your answers were deleted. Either way, try the below:

From the WAN side, all external connections to the Computers Vlan on TCP 2400 should be allowed.

--> does that mean connections initiated from anywhere on the outside ?

access-list 101 permit tcp any 192.168.20.0 0.0.0.255 eq 2400
!
ip nat pool VLAN_4 192.168.20.2 192.168.20.254 netmask 255.255.255.0 type match-host
ip nat outside source list 101 pool VLAN_4 add-route

From the WAN side, all external connections to the DMZ Vlan, host 192.168.10.10 UDP 1820 should be allowed.

--> same here: connections initiated from anywhere on the outside to the DMZ host ?

access-list 101 permit udp any 192.168.10.0 0.0.0.255 eq 1820
!
ip nat pool VLAN_2 192.168.10.2 192.168.10.254 netmask 255.255.255.0 type match-host
ip nat outside source list 101 pool VLAN_4 add-route

From the DMZ end, all internal connections from the host 192.168.10.10 to the router 192.168.10.1 using SNMP should be permitted.

--> this is permitted by default, as both are in the same subnet. Do you want to EXCLUDE everything else except that host ?

ip access-list extended ALLOW_SNMP
permit tcp host 192.168.10.10 host 192.168.10.1 eq 161
permit tcp host 192.168.10.10 host 192.168.10.1 eq 162
permit udp host 192.168.10.10 host 192.168.10.1 eq 161
permit udp host 192.168.10.10 host 192.168.10.1 eq 162
!
vlan access-map VACL_SNMP 10
action forward
match ip address ALLOW_SNMP
vlan access-map VACL_SNMP 20
action drop

From the DMZ end, all internal connection from the host 192.168.10.10 to the router 192.168.10.1 using SSH should be permitted.

--> same question here

ip access-list extended ALLOW_SSH
permit tcp host 192.168.10.10 host 192.168.10.1 eq 22
permit udp host 192.168.10.10 host 192.168.10.1 eq 22
!
vlan access-map VACL_SSH 10
action forward
match ip address ALLOW_SSH
vlan access-map VACL_SSH 20
action drop

View solution in original post

Georg Pauwen · ‎01-26-2021

Hello,

it is not really clear what you are trying to accomplish:

From the WAN side, all external connections to the Computers Vlan on TCP 2400 should be allowed.

--> does that mean connections initiated from anywhere on the outside ?

From the WAN side, all external connections to the DMZ Vlan, host 192.168.10.10 UDP 1820 should be allowed.

--> same here: connections initiated from anywhere on the outside to the DMZ host ?

From the DMZ end, all internal connections from the host 192.168.10.10 to the router 192.168.10.1 using SNMP should be permitted.

--> this is permitted by default, as both are in the same subnet. Do you want to EXCLUDE everything else except that host ?

From the DMZ end, all internal connection from the host 192.168.10.10 to the router 192.168.10.1 using SSH should be permitted.

--> same question here

Veridizer · ‎01-26-2021

Thanks for you reply.

From the WAN side, all external connections to the Computers Vlan on TCP 2400 should be allowed.

--> does that mean connections initiated from anywhere on the outside ?

Correct. Anywhere on or from the interweb using TCP 2400 can get access to the Computers Vlan.

-

From the WAN side, all external connections to the DMZ Vlan, host 192.168.10.10 UDP 1820 should be allowed.

--> same here: connections initiated from anywhere on the outside to the DMZ host ?

Correct. Anywhere on or from the interweb using UDP 1820 will get access but only to the host in the DMZ Vlan with the IP 192.168.10.10.

-

From the DMZ end, all internal connections from the host 192.168.10.10 to the router 192.168.10.1 using SNMP should be permitted.

--> this is permitted by default, as both are in the same subnet. Do you want to EXCLUDE everything else except that host ?

I just tried using SNMP from behind the host 192.168.10.10 (a firewall) in the DMZ Vlan, against the router 192.168.10.1 and it failed.

Currently, the only ones who have SNMP access permission are hosts in the Open Vlan. Checked that the firewall is not blocking SNMP traffic and that is not the case. Only that host and the Open Vlan may have access to the router itself using SNMP.

-

From the DMZ end, all internal connection from the host 192.168.10.10 to the router 192.168.10.1 using SSH should be permitted.

--> same question here

As with SNMP, this is blocked. Tried using putty form behind the host 192.168.10.10 (firewall) in the DMZ Vlan against the router 192.168.10.1 and the connection was refused. This would indicate that the router is refusing it and not the firewall in the DMZ.

Veridizer · ‎01-26-2021

Twice now my replies to your follow up have been deleted after a short time.

Georg Pauwen · ‎01-26-2021