cisco allowing only certain ips to certain ports.


jdannan (IS-IT--Management), Nov 17, 2003
I need to access port 22 of a box inside my network here from my house. I have a static IP at home.

Is there a way to allow only outside x.x.x.x IP to 192.168.0.62 port 22, etc., on the router?

I have a Cisco 831 router, currently port forwarding web and VPN from the router.

Thanks.
 
Please post config and we will have a look.
 
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname lanrouter
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
enable secret 5
enable password
!
username admin privilege 15 password 0
clock timezone PST -8
no aaa new-model
ip subnet-zero
!
!
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
no crypto isakmp enable
!
!
!
interface Ethernet0
description Internal LAN
ip address 192.168.0.1 255.255.255.0
ip nat inside
no ip mroute-cache
hold-queue 100 out
!
interface Ethernet1
description External WAN
ip address x.x.x.x 255.255.255.224
ip nat outside
no ip mroute-cache
duplex auto
!
ip default-gateway x.x.x.129
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.129
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 192.168.0.63 1723 interface Ethernet1 1723
ip nat inside source static tcp 192.168.0.63 4561 interface Ethernet1 4561
ip nat inside source static tcp 192.168.0.63 4560 interface Ethernet1 4560
ip nat inside source static tcp 192.168.0.62 80 interface Ethernet1 80
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.0.0.0 0.255.255.255
snmp-server community run RW
snmp-server enable traps tty
!
control-plane
!
!
line con 0
no modem enable
transport preferred all
transport output all
stopbits 1
line aux 0
transport preferred all
transport output all
stopbits 1
line vty 0 4
access-class 2 in
exec-timeout 120 0
password
login local
length 0
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
ntp clock-period 17180075
ntp server 200.254.129.253
!
end
 
Set up another port forwarding rule for SSH and then put an inbound access list on the external interface allowing only your IP address to that server on SSH.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Can you fill me in a bit on how to do that? Sorry, I'm still trying to learn.
 
Well, firstly, do your port forwarding rule:

ip nat inside source static tcp 192.168.0.62 22 interface Ethernet1 22

And then put an inbound access list on the external interface that allows SSH only from your desired address:

access-list 101 permit tcp host x.x.x.x host y.y.y.y eq 22
access-list 101 deny tcp any host y.y.y.y eq 22 log
access-list 101 deny <any thing else you want to block>
access-list 101 permit ip any any

interface Ethernet 1
ip access-group 101 in

This will map SSH from the external address on Ethernet 1 <y.y.y.y>, then allow SSH from your IP address <x.x.x.x> to the router <y.y.y.y>, and then block SSH from anyone else. The final line of the ACL makes sure that reply traffic is allowed back in (i.e. anything that has not been blocked by a previous rule).

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
I want to make sure I'm getting this right before I go ahead.

I want host 4.24.13.2 and 4.22.1.3 to access 24.1.2.3 via port 22, and only these hosts.

Does the following look correct to do so?

Thanks again for the help.



ip nat inside source static tcp 192.168.0.62 22 interface Ethernet1 22

access-list 101 permit tcp host 4.24.13.2 host 24.1.2.3 eq 22
access-list 101 permit tcp host 4.22.1.3 host 24.1.2.3 eq 22
access-list 101 deny tcp any host 24.1.2.3 eq 22 log
access-list 101 permit ip any any

interface Ethernet 1
ip access-group 101 in
 
That looks pretty much okay. You should be good to go.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Works great, thanks!

As far as adding another host to allow it through: will it be before the deny, or after? Will that make a difference?

Thanks again.
 
If it was me, my final access-list statement would be this:

access-list 101 permit tcp any any established

The established keyword will ensure that only reply traffic from a session set up from the internal LAN is allowed back in, and stops others from creating a session other than those matched and allowed in previous statements.

Also, NAT traversal is a tricky thing. I think you may need a NAT traversal rule coming in the other way to map the port to your internal server from the clients trying to connect from outside.


ip nat outside source static tcp 24.1.2.3 22 192.168.0.62 22


(Note the ip nat outside.)
Might be worth a shot.

regards

Simon
 
You don't need an ip nat outside to do this. A static translation with 'ip nat inside' will work just fine. This will map connections from the outside inbound to the internal server. I have this set up on a number of routers.

You're right about the access-list though. Having an entry that allows established traffic is a good idea, although as routers are really stateful it doesn't always work with some protocols.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
You could change:

access-list 101 permit ip any any

to

access-list 101 permit tcp any any established

which should ensure that any traffic initiated from the inside will be allowed back in.

Give it a go and see how it works out.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Yes, I do agree that the ip nat inside should work; in 90% of cases they work fine, although I have sometimes found that if you tell the router what you explicitly want to do, you can track what's happening better, instead of implicitly relying on a router to do what it thinks it should do, not what you want to do :)


Any rules must be before the deny rule, as the router acts sequentially.
 
How can I just remove

access-list 101 permit ip any any

and not the whole access list?
 
You can't remove an individual line. You have to remove the access-list and re-write it. I normally write another ACL with the required changes but a different ACL number and then apply it to the interface, thus removing the old ACL from the interface, which can then be removed from the config.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
In Notepad, write the following:

no access-list 101
access-list 101 permit tcp host 4.24.13.2 host 24.1.2.3 eq 22
access-list 101 permit tcp host 4.22.1.3 host 24.1.2.3 eq 22
access-list 101 deny tcp any host 24.1.2.3 eq 22 log
access-list 101 permit tcp any any established


Once this is in Notepad, write any other lines of the list you want in the right places; remember routers start at the top and process rules in order.

Once complete, copy the list to the clipboard.

Open a console or telnet session.

Go enable,
config t,
then paste to the host.
The first line clears the access list, then the rest re-writes it.
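The points made in this thread (first match wins, so a permit added after the deny line never fires; "established" only matches TCP segments with ACK or RST set; and the inbound ACL on Ethernet1 is evaluated before the outside-to-inside NAT translation, so the destination is the public 24.1.2.3 rather than 192.168.0.62) are easy to get wrong by inspection. The script below is an added example, not code from the thread or from Cisco; it replays the thread's two ACL variants against constructed inbound packets with a small first-match evaluator and a shadow check. The ACL lines are the thread's own, except that the final line uses "tcp" rather than "ip" because IOS accepts the established keyword only on TCP entries. The stranger addresses (198.51.100.7, 203.0.113.10, 203.0.113.53) are documentation addresses made up for the example; the packet names, functions and the shadow check are the example's own. It shows one caveat the thread does not spell out: with "permit tcp any any established" as the last line, a new connection to the web server forwarded on port 80 in the posted config, and any UDP reply such as DNS, hits the implicit deny unless permitted explicitly above that line.

```python
"""First-match walk-through of the thread's inbound ACL on Ethernet1.
Added example, not code from the thread. Python 3.7+ (IPv4Network.supernet_of)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The thread's ACL as first applied (final line 'permit ip any any').
ACL_OPEN = """
access-list 101 permit tcp host 4.24.13.2 host 24.1.2.3 eq 22
access-list 101 permit tcp host 4.22.1.3 host 24.1.2.3 eq 22
access-list 101 deny tcp any host 24.1.2.3 eq 22 log
access-list 101 permit ip any any
"""

# The suggested replacement; 'established' is valid only on tcp entries in IOS.
ACL_ESTABLISHED = """
no access-list 101
access-list 101 permit tcp host 4.24.13.2 host 24.1.2.3 eq 22
access-list 101 permit tcp host 4.22.1.3 host 24.1.2.3 eq 22
access-list 101 deny tcp any host 24.1.2.3 eq 22 log
access-list 101 permit tcp any any established
"""


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp", "gre"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False   # TCP ACK or RST bit set: the only thing 'established' tests


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool
    log: bool
    text: str


def _network(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD' (contiguous only)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network(f"{tok}/{tokens.pop(0)}")  # ipaddress accepts a hostmask


def parse_acl(text: str) -> List[Entry]:
    """Parse numbered extended ACL lines (subset: eq PORT, established, log)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":   # skips 'no access-list 101'
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _network(rest)
        if rest[:1] == ["eq"]:                          # source port: not enforced here
            del rest[:2]
        dst = _network(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append(Entry(action, proto, src, dst, dport,
                             "established" in rest, "log" in rest, line.strip()))
    return entries


def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, str, bool]:
    """First match wins; falling off the end is the implicit deny."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for e in entries:
        if e.proto not in ("ip", pkt.proto) or src not in e.src or dst not in e.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return e.action, e.text, e.log
    return "deny", "implicit deny", False


def _covers(a: Entry, b: Entry) -> bool:
    """True when every packet that matches b would already have matched a."""
    return (a.proto in ("ip", b.proto) and a.src.supernet_of(b.src)
            and a.dst.supernet_of(b.dst) and a.dport in (None, b.dport)
            and (not a.established or b.established))


def shadowed(entries: List[Entry]) -> List[str]:
    """Entries that can never match because an earlier entry covers them."""
    return [b.text for i, b in enumerate(entries) if any(_covers(a, b) for a in entries[:i])]


# Constructed inbound traffic on Ethernet1; the inbound ACL runs before NAT, so
# the destination is the public 24.1.2.3. 198.51.100.x / 203.0.113.x are made-up strangers.
SAMPLES = {
    "ssh_from_home":     Packet("tcp", "4.24.13.2", "24.1.2.3", 22),
    "ssh_from_stranger": Packet("tcp", "198.51.100.7", "24.1.2.3", 22),
    "web_reply_to_lan":  Packet("tcp", "203.0.113.10", "24.1.2.3", 51000, ack=True),
    "new_web_visitor":   Packet("tcp", "198.51.100.7", "24.1.2.3", 80),
    "dns_reply_to_lan":  Packet("udp", "203.0.113.53", "24.1.2.3", 51001),
}


def decisions(acl_text: str) -> dict:
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    print("permit ip any any:", decisions(ACL_OPEN))
    print("established:      ", decisions(ACL_ESTABLISHED))
    late = ACL_ESTABLISHED + "access-list 101 permit tcp host 4.9.9.9 host 24.1.2.3 eq 22\n"
    print("shadowed:", shadowed(parse_acl(late)))   # the late permit never fires
```

Running it prints permit for the home SSH packet and deny (with log) for the stranger under both ACLs, but only the established variant drops the new port-80 visitor and the UDP DNS reply; the extra permit appended after the deny line is reported as shadowed, which is the ordering point Simon makes above.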



 