twillstera
Technical User
Ok, here's my setup.
I'm working on the Cisco 1721. I'm trying to set up some pretty restrictive ACLs that will only allow certain traffic in and out via specific IPs. Here's the config I've got currently that is not working.
I want to only allow certain external IPs in (for VPN traffic) to my internal VPN device. Other external IPs should be able to ping the same internal device to verify that it is alive. I also want any traffic that was established from the internal address to be allowed back in as well. I know I have something hosed up in my ACL and also possibly in my interface configuration.
The 4-port Ethernet card I have in is a switchport card, so that's why I have to use the VLANs. A simpler configuration without the ACLs seems to work fine.
One of the other catches is this: my ISP said I was "leaking" my 10.10.10.0/24 addresses to their network, so they disabled my cable modem because it was causing problems with their VoIP customers, which use the same IP subnet as my internal addresses.
Any help would be appreciated. I'm bordering on being able to grasp the ACLs and routing, but I'm just not quite there.
Thanks,
Adam
Code:
Internet ---- Cable Modem ------ Cisco 1721 ----- Cisco VPN Router ------ Computer
              172.17.2.1         172.17.2.5 (ext)  10.10.10.2
              (pub IP)           10.10.10.1 (int)
Code:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2010.12.08 15:51:38 =~=~=~=~=~=~=~=~=~=~=~=
Building configuration...
Current configuration : 4383 bytes
!
! No configuration change since last restart
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$gB8c$EYmW6DqwhG6TnT1GQ2l9B/
enable password 7 13081619021805
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
no crypto isakmp enable
!
!
interface FastEthernet0
ip address 172.17.2.5 255.255.255.248
ip access-group 101 in
ip nat outside
speed auto
full-duplex
!
interface FastEthernet1
switchport access vlan 15
no ip address
vlan-id dot1q 15
exit-vlan-config
!
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface FastEthernet4
no ip address
!
interface Vlan1
no ip address
shutdown
!
interface Vlan15
ip address 10.10.10.1 255.255.255.248
ip access-group 102 in
ip nat inside
!
ip default-gateway 172.17.2.1
ip classless
ip route 0.0.0.0 0.0.0.0 172.17.2.1
!
no ip http server
no ip http secure-server
ip nat inside source static 10.10.10.2 interface FastEthernet0
!
!
access-list 101 permit ip host 170.209.0.2 host 172.17.2.5 log;
access-list 101 permit ip host 170.209.0.3 host 172.17.2.5 log;
access-list 101 permit tcp any host 10.10.10.2 established log;
access-list 101 permit tcp any host 96.31.27.12 established log;
access-list 101 permit icmp host 204.146.172.230 host 172.17.2.5 log;
access-list 101 permit icmp host 12.129.203.103 host 172.17.2.5 log;
access-list 101 permit udp any host 255.255.255.255 log;
access-list 101 deny ip any any log;
access-list 102 permit ip host 10.10.10.2 host 170.209.0.3 log;
access-list 102 permit ip host 10.10.10.2 host 170.209.0.2 log;
access-list 102 permit icmp host 10.10.10.2 host 204.146.172.230 log;
access-list 102 permit icmp host 10.10.10.2 host 12.129.203.103 log;
access-list 102 deny ip any any log
!
!
control-plane
!
!
!
!
!
!
!
banner motd ^C
**********************************************************************
WARNING: This system is for the use of authorized clients only.
Individuals using the computer network system without authorization,
or in excess of their authorization, are subject to having all their
activity on this computer network system monitored and recorded by
system personnel. To protect the computer network system from
unauthorized use and to ensure the computer network systems is
functioning properly, system administrators monitor this system.
Anyone using this computer network system expressly consents to such
monitoring and is advised that if such monitoring reveals possible
conduct of criminal activity, system personnel may provide the
evidence of such activity to law enforcement officers.
!
Access is restricted to authorized users only. Unauthorized access is
a violation of state and federal, civil and criminal laws.
**********************************************************************^C
!
line con 0
password 7 151F0A070D3E2A
login
transport preferred none
line aux 0
password 7 151F0A070D3E2A
line vty 0 4
password 7 04560A0D06354D
login
!
no scheduler allocate
end
router#
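The following is an added example of how the same policy can be expressed so that it actually matches on an IOS router with NAT; it is not the poster's configuration and has not been taken from the thread. It keeps the peer addresses (170.209.0.2, 170.209.0.3), the two ping sources (204.146.172.230, 12.129.203.103), the public address 172.17.2.5 and the VPN device 10.10.10.2 from the post; the ACL names OUTSIDE-IN, OUTSIDE-OUT, INSIDE-IN, VPN-RETURN and the standard list 10 are made up here. It assumes the 12.3 image supports reflexive ACLs (named extended ACLs with reflect/evaluate); if it does not, drop those two lines and keep the explicit permits. Two points it is built around: an inbound ACL on the `ip nat outside` interface is evaluated before NAT, so the destination it sees is 172.17.2.5, never 10.10.10.2 (which is why `permit tcp any host 10.10.10.2 established` can never match there), and `established` only covers TCP, so it does nothing for the UDP and ESP traffic a VPN uses. Putting both `reflect` and `evaluate` on the external interface keeps the reflexive entries on the post-NAT side, where they can be matched.

```ios
! Added example, not the poster's config. Replaces access-lists 101/102.
! Assumptions: addresses as in the post, reflexive ACLs available, ACL names invented.
!
! --- NAT ---
! Static NAT for the VPN device stays; it is what turns 172.17.2.5 into 10.10.10.2.
ip nat inside source static 10.10.10.2 interface FastEthernet0
! Every other inside host is overloaded onto the public address, so no 10.10.10.x
! source can leave FastEthernet0 untranslated even when the ACLs are removed
! (the ISP "leak"). The static entry still wins for 10.10.10.2.
access-list 10 permit 10.10.10.0 0.0.0.255
ip nat inside source list 10 interface FastEthernet0 overload
!
! --- Outside interface, inbound (seen BEFORE NAT: destination is 172.17.2.5) ---
ip access-list extended OUTSIDE-IN
 remark VPN peers: all IP (ESP, UDP 500/4500) to the public address, NAT sends it on
 permit ip host 170.209.0.2 host 172.17.2.5
 permit ip host 170.209.0.3 host 172.17.2.5
 remark monitoring hosts may only send echo requests
 permit icmp host 204.146.172.230 host 172.17.2.5 echo
 permit icmp host 12.129.203.103 host 172.17.2.5 echo
 remark return traffic for sessions the inside started (built by OUTSIDE-OUT)
 evaluate VPN-RETURN
 remark log only the denies; logging every permit is heavy on a 1721
 deny   ip any any log
!
! --- Outside interface, outbound (seen AFTER NAT: sources should be public) ---
ip access-list extended OUTSIDE-OUT
 remark anything still sourced from 10/8 or 192.168/16 was never translated: drop
 remark (172.16/12 is NOT listed because 172.17.2.5 itself lives in it)
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 remark record every outbound session so its reply can come back in
 permit ip any any reflect VPN-RETURN timeout 300
!
! --- Inside interface, inbound (seen BEFORE NAT: sources are the real LAN hosts) ---
ip access-list extended INSIDE-IN
 permit ip host 10.10.10.2 host 170.209.0.2
 permit ip host 10.10.10.2 host 170.209.0.3
 permit icmp host 10.10.10.2 host 204.146.172.230 echo-reply
 permit icmp host 10.10.10.2 host 12.129.203.103 echo-reply
 deny   ip any any log
!
! --- Apply the new lists first, then remove the old numbered ones ---
interface FastEthernet0
 ip access-group OUTSIDE-IN in
 ip access-group OUTSIDE-OUT out
interface Vlan15
 ip access-group INSIDE-IN in
no access-list 101
no access-list 102
```

To check it, ping 172.17.2.5 from one of the two monitoring hosts and then look at `show ip access-lists` (the echo and echo-reply entries should be incrementing and the final denies should not), `show ip nat translations` (the static entry for 10.10.10.2 plus any overload entries), and `show ip access-lists VPN-RETURN` (the temporary entries created for sessions the VPN device opened, each with its remaining timeout). If the deny on OUTSIDE-OUT ever logs a 10.x source, something inside is reaching FastEthernet0 untranslated, which is the exact condition the ISP complained about.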