Just got a new toy today, CISCO 871 that I want to use on my pppoe network. I as have little experience with CISCO at this time, I tried to configure the device based on my Linux iptables knowledge and logic, but went wrong.<\/p>\n
My primary goals were:
\n– Block all access on WAN interface (Dialer1) from internet.
\n– Forward some ports inside LAN from internet trough WAN\u00a0 interface.<\/p>\n
Well after some hours of trying to understand the logic of CISCO, I finally managed to get it working in a simple way, using ACL. You can do this in a more complicated way using CBAC but yea complicated.<\/p>\n
What you need to do, assuming that you have pppoe interface is Dialer1<\/p>\n
go on config mode:
\nrouter#conf t<\/p>\n
Let the router to keep a statefull inspection table for UDP and TCP and allow the packets to come back to itself after leaving the network.
\nrouter(conf)# ip inspect name FWOUT tcp
\nrouter(conf)# ip inspect name FWOUT udp<\/p>\n
Create the access list for inbound connections, I give example here for tcp 443 that will be forwarded to a LAN IP
\nrouter(conf)# ip access-list extended 110
\nrouter(config-ext-nacl)# permit tcp any any eq 443
\nrouter(config-ext-nacl)# deny ip any any<\/p>\n
Now setup the DNAT for 443 port so he can forward the traffic
\nrouter(conf)# ip nat inside source static tcp 192.168.0.2 443 interface Dialer1 443<\/p>\n
Apply the ip inspect and access-list to the Dialer1 interface
\nrouter(conf)# interface Dialer1
\nrouter(conf)# ip inspect FWOUT out
\nrouter(conf)# ip access-group 110 in<\/p>\n
If you do a nmap scan on you public IP, all the ports will be closed except the ones defined in access-list 110 and packets coming on port 443 will be redirected to 192.168.0.2 443<\/p>\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Just got a new toy today, CISCO 871 that I want to use on my pppoe network. I as have little experience with CISCO at this time, I tried.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[539],"tags":[],"class_list":["post-257","post","type-post","status-publish","format-standard","hentry","category-cisco"],"_links":{"self":[{"href":"https:\/\/blog.syshalt.net\/index.php\/wp-json\/wp\/v2\/posts\/257","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.syshalt.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.syshalt.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.syshalt.net\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.syshalt.net\/index.php\/wp-json\/wp\/v2\/comments?post=257"}],"version-history":[{"count":6,"href":"https:\/\/blog.syshalt.net\/index.php\/wp-json\/wp\/v2\/posts\/257\/revisions"}],"predecessor-version":[{"id":263,"href":"https:\/\/blog.syshalt.net\/index.php\/wp-json\/wp\/v2\/posts\/257\/revisions\/263"}],"wp:attachment":[{"href":"https:\/\/blog.syshalt.net\/index.php\/wp-json\/wp\/v2\/media?parent=257"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.syshalt.net\/index.php\/wp-json\/wp\/v2\/categories?post=257"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.syshalt.net\/index.php\/wp-json\/wp\/v2\/tags?post=257"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}