SYSTEM HALT

General Technology Blog

Setup firewall and port forward for Dialer interface on Cisco 871 router

Just got a new toy today, a Cisco 871 that I want to use on my PPPoE network. As I have little experience with Cisco at this time, I tried to configure the device based on my Linux iptables knowledge and logic, but it went wrong.

My primary goals were:
– Block all access on the WAN interface (Dialer1) from the internet.
– Forward some ports from the internet through the WAN interface to hosts inside the LAN.

Well, after some hours of trying to understand the Cisco logic, I finally managed to get it working in a simple way, using an ACL. You can do this in a more complicated way using CBAC, but yes, complicated.

What you need to do, assuming that your PPPoE interface is Dialer1:

Go into config mode:
router#conf t

Let the router keep a stateful inspection table for TCP and UDP, so that return packets for connections that left the network are allowed back in:
router(config)# ip inspect name FWOUT tcp
router(config)# ip inspect name FWOUT udp

Create the access list for inbound connections. The example here permits TCP 443, which will be forwarded to a LAN IP (the trailing deny is what blocks everything else):
router(config)# ip access-list extended 110
router(config-ext-nacl)# permit tcp any any eq 443
router(config-ext-nacl)# deny ip any any

Now set up the DNAT (static NAT) for port 443 so the router can forward the traffic:
router(config)# ip nat inside source static tcp 192.168.0.2 443 interface Dialer1 443

Apply the ip inspect rule and the access list to the Dialer1 interface:
router(config)# interface Dialer1
router(config-if)# ip inspect FWOUT out
router(config-if)# ip access-group 110 in

If you do an nmap scan of your public IP, all ports will show as closed except the ones permitted in access-list 110, and packets arriving on port 443 will be redirected to 192.168.0.2:443.
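Before scanning the public IP, it helps to reason through what the router will do with an inbound packet. The following is an added Python model (not part of the original post and not a Cisco tool) of the post's ACL 110 and static NAT entry: on the outside interface IOS evaluates the inbound ACL first and translates afterwards, so the model does the same. The public and remote addresses are constructed test values.

```python
# Added example: model how IOS handles inbound packets on Dialer1 with the
# post's ACL 110 and static NAT entry. Constructed addresses are used below.
import re
from dataclasses import dataclass

ACL_110 = [
    "permit tcp any any eq 443",
    "deny ip any any",
]
# The post's static translation: Dialer1 TCP/443 -> 192.168.0.2 TCP/443
STATIC_NAT = {("tcp", 443): ("192.168.0.2", 443)}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str     # the public (Dialer1) address for inbound traffic
    dport: int


def ace_matches(ace: str, pkt: Packet) -> bool:
    """Match one entry of the form 'permit|deny proto src dst [eq port]'.
    Only 'any' and exact host addresses are modelled for src/dst."""
    m = re.fullmatch(r"(permit|deny)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+eq\s+(\d+))?", ace)
    if not m:
        raise ValueError(f"unsupported ACE syntax: {ace!r}")
    _, proto, src, dst, port = m.groups()
    if proto != "ip" and proto != pkt.proto:
        return False
    if src != "any" and src != pkt.src:
        return False
    if dst != "any" and dst != pkt.dst:
        return False
    return port is None or int(port) == pkt.dport


def acl_action(acl, pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.split()[0]
    return "deny"


def inbound_result(pkt: Packet):
    """Inbound on Dialer1: 'ip access-group 110 in' is checked before NAT."""
    if acl_action(ACL_110, pkt) == "deny":
        return ("dropped", None)
    target = STATIC_NAT.get((pkt.proto, pkt.dport))
    if target is None:
        return ("to-router", (pkt.dst, pkt.dport))  # permitted but not translated
    return ("forwarded", target)
```

Running `inbound_result` over a few constructed packets shows that only TCP/443 reaches 192.168.0.2 and every other port is dropped by the ACL, which is exactly what the nmap scan should confirm.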
