01-26-2021 10:28 AM - edited 01-26-2021 10:31 AM
Hello,
I would like to request some help with making a few changes to this router, in order to get access from outside.
I have tried to do it myself but I have caused more damage than good. This is because I am honestly not at all familiar with the concept. Instead of giving up, I am counting on getting help from the experts. If anyone can provide the exact commands required to get it to work, then I would be forever grateful.
The requirements are as follows:
From the WAN side, all external connections to the Computers Vlan on TCP 2400 should be allowed.
From the WAN side, all external connections to the DMZ Vlan, host 192.168.10.10 UDP 1820 should be allowed.
From the DMZ end, all internal connections from the host 192.168.10.10 to the router 192.168.10.1 using SNMP should be permitted.
From the DMZ end, all internal connections from the host 192.168.10.10 to the router 192.168.10.1 using SSH should be permitted.
Here is the (obfuscated) config:
no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 32000
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-XXXXXXXXX
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXX
revocation-check none
rsakeypair TP-self-signed-XXXXXXXXX
!
!
crypto pki certificate chain TP-self-signed-XXXXXXXXX
!
!
!
!
!
no ip source-route
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.20.1 192.168.20.10
!
ip dhcp pool Computers
import all
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
no spanning-tree vlan 2
no spanning-tree vlan 3
no spanning-tree vlan 4
vtp mode transparent
username admin privilege 15 secret 5 xxxxxxxxxxXXXXXXXXXXxxxXXxXxXXX
!
redundancy
!
!
!
!
!
controller VDSL 0
!
vlan 2-4
!
!
!
!
!
!
!
!
!
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
interface GigabitEthernet0
description Switch
switchport trunk allowed vlan 1-4
switchport mode trunk
no ip address
!
interface GigabitEthernet1
description DMZ
switchport access vlan 2
switchport mode access
no ip address
!
interface GigabitEthernet2
description Open
switchport access vlan 3
switchport mode access
no ip address
!
interface GigabitEthernet3
description Computers
switchport access vlan 4
switchport mode access
no ip address
spanning-tree portfast
!
interface GigabitEthernet4
switchport access vlan 4
switchport mode access
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
description WAN
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
arp timeout 300
!
interface Wlan-GigabitEthernet8
switchport access vlan 4
switchport mode access
no ip address
!
interface wlan-ap0
ip address 192.168.20.1 255.255.255.252
!
interface Vlan1
no ip address
!
interface Vlan2
description DMZ
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan3
description Open
ip address 192.168.40.1 255.255.255.0
ip access-group OPEN-IN in
ip nat inside
ip virtual-reassembly in
!
interface Vlan4
description Computers
ip address 192.168.20.1 255.255.255.0
ip access-group COMPUTERS-IN in
ip nat inside
no ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
ip http access-class 99
ip http secure-server
!
!
ip nat translation timeout 300
ip nat inside source static tcp 192.168.10.10 443 interface GigabitEthernet8 443
ip nat inside source list NAT interface GigabitEthernet8 overload
ip ssh version 2
!
ip access-list standard VTY
permit 192.168.40.0 0.0.0.255
!
ip access-list extended COMPUTERS-IN
permit icmp any host 192.168.20.1 echo
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
ip access-list extended NAT
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.40.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended OPEN-IN
permit tcp any host 192.168.40.1 eq 22
permit tcp any host 192.168.40.1 eq 443
permit icmp any any
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
!
logging facility local1
ipv6 ioam timestamp
!
snmp-server community not-public RO VTY
access-list 99 permit 192.168.40.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
stopbits 1
line vty 0 4
access-class VTY in
transport input ssh
line vty 5 189
access-class VTY in
transport input ssh
!
end
I am hopeful that this is an easy task for many of you router jockeys.
Kind regards!
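One way to meet the four requirements on this router, as an added example that is not the poster's config or any posted solution. It assumes the TCP 2400 service runs on a single Computers-VLAN host (192.168.20.50 is a placeholder) and relies on what the posted config shows: no inbound access-group on GigabitEthernet8 or Vlan2, and the standard ACL VTY used for both the vty access-class and the SNMP community.

```cisco
! Added example, not the poster's running config. 192.168.20.50 is an assumed
! placeholder for the Computers-VLAN host; give it a fixed address or a DHCP
! reservation, because a port forward must target one inside address.
!
! 1) WAN -> Computers VLAN, TCP 2400: static PAT on the WAN interface, the
!    same form as the existing 443 entry. Gi8 has no inbound access-group,
!    so the NAT entry alone admits the traffic; if a WAN ACL is ever added
!    it must also permit tcp any any eq 2400 (and udp any any eq 1820).
ip nat inside source static tcp 192.168.20.50 2400 interface GigabitEthernet8 2400
!
! 2) WAN -> DMZ host 192.168.10.10, UDP 1820: same entry type with udp.
ip nat inside source static udp 192.168.10.10 1820 interface GigabitEthernet8 1820
!
! 3) and 4) DMZ host -> router SSH and SNMP. Vlan2 has no access-group, so
!    nothing on the interface blocks this; what denies it today is the
!    standard ACL VTY, which permits only 192.168.40.0/24 and is applied as
!    the vty access-class and as the SNMP community ACL. Permit the single
!    host rather than the whole DMZ subnet so management stays limited.
ip access-list standard VTY
 permit host 192.168.10.10
!
! Verification after the change:
!   show ip nat translations
!   show ip access-lists VTY
!   show running-config | include snmp-server community
```

Both static entries expose those ports to every Internet source, as the requirements ask; if only known peers need them, an inbound ACL on GigabitEthernet8 limiting the source addresses is the place to tighten it later.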