05-18-2017 03:54 AM - edited 03-05-2019 08:33 AM
Hi, I have a Windows RRAS server running an IKEv2 VPN server that seems to work just fine internally. I have forwarded UDP ports 500, 4500 and 1701, as well as ESP, and I simply can't make it work. Here are my NAT rules:
ip nat inside source static udp 10.1.1.1 500 interface Dialer1 500
ip nat inside source static udp 10.1.1.1 4500 interface Dialer1 4500
ip nat inside source static udp 10.1.1.1 1701 interface Dialer1 1701
ip nat inside source static esp 10.1.1.1 interface Dialer1
Other than the IP I'm assigned from my ISP on Dialer1, I also have an additional IP block routed to me, and I happen to have some spare addresses.
I did a static NAT like this, where 10.1.1.1 is my inside server and 200.200.200.200 is part of the IP block assigned to me.
ip nat inside source static 10.1.1.1 200.200.200.200
This works perfectly and I'm okay with the VPN living on this IP address, however I want to apply an ACL so the entire Internet can't play with my server.
Feel like this is a dumb question... but I need a little nudge to help me formulate the ACL and know where to apply it. Is it correct to create a VLAN on the router and route that single IP inside so that I have an interface to apply the ACL to? That may be perverse to even suggest, I don't know :)
05-18-2017 04:11 AM
Not sure I follow what you are asking about the vlan on the router.
The router will have an interface that connects to your ISP and so that is where you would apply the acl in an inbound direction.
Have I misunderstood what you are asking?
Jon
05-18-2017 04:17 AM
Hi Jon,
I have a Dialer1 interface that is assigned a single static IP from the ISP. In addition the ISP has routed a /29 IP address block to me and I just do PAT to a couple of internal services.
As I understand it, these IPs aren't actually on the Dialer1 interface.
05-18-2017 04:28 AM
An ACL filters traffic that goes through the router (usually), so it doesn't matter whether the public IP you are using for your VPN server is assigned to an interface or not.
Do you have any ACLs applied to any interfaces at the moment on your router?
Do you have any firewalling anywhere?
Jon
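As an added example of what Jon describes (this is not configuration posted by anyone in the thread): an ACL applied inbound on the ISP-facing Dialer1 interface, assuming the VPN server is reached on 200.200.200.200 through the static NAT from the first post. On IOS an inbound ACL on the outside interface is evaluated before the inside-source NAT translation, so it must match the public (global) address 200.200.200.200, not the inside address 10.1.1.1. The ACL name FROM-ISP-IN is an assumption. Only UDP 500, UDP 4500 (NAT-T) and ESP are needed for IKEv2; UDP 1701 is L2TP and is not used by IKEv2, so it is not opened here.

```cisco
! Added example, not from the original thread.
! Inbound ACL on the outside interface: matched before inside-source NAT,
! so filter on the public address 200.200.200.200 (not 10.1.1.1).
ip access-list extended FROM-ISP-IN
 remark --- IKEv2 to the RRAS server on its public address ---
 remark replace "any" with your known client networks if they are fixed
 permit udp any host 200.200.200.200 eq 500
 permit udp any host 200.200.200.200 eq 4500
 permit esp any host 200.200.200.200
 remark --- nothing else may reach the VPN server's public address ---
 deny ip any host 200.200.200.200 log
 remark --- keep the existing PAT'd services and return traffic working ---
 permit ip any any
!
interface Dialer1
 ip access-group FROM-ISP-IN in
```

The final "permit ip any any" keeps the other PAT'd services and all return traffic for outbound connections working exactly as before; only the VPN server's public address is tightened. Because this ACL is stateless, locking down the rest of the public block properly means either adding explicit permits for each published service or moving to a stateful inspection feature (CBAC or the zone-based firewall) on the router. Verify with "show ip access-lists FROM-ISP-IN" and watch the hit counters on the permit lines while a client connects; the logged deny line shows what else is knocking on that address.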
05-19-2017 02:38 AM
Hi!
It's not a big deal. If you need to create an ACL for one address, you just have to create an ACL like this:
ip access-list extended EXAMPLE
 permit udp any host 10.1.1.1 eq 500
 remark replace "any" with your pool of public addresses to restrict the sources
 permit udp any host 10.1.1.1 eq 4500
 deny ip any host 10.1.1.1
 permit ip any any
And apply it on your Internet interface like this: ip access-group EXAMPLE out
This ACL blocks connections to your address 10.1.1.1 and allows connections to the other addresses. If you need to block connections to the other addresses as well, remove "permit ip any any" from the ACL. An ACL is processed from top to bottom.
Let me know if this helps.