Can I permit telnet/ssh through an ACL while blocking these ports from the outside?
I set up my 2821 router with the AutoSecure feature. Everything was fine, but I wanted to mess around with CCP and telnetting to my switch. Of course, this opens up ports that can be seen from the outside. What I want to know is, is there a way with an ACL that I can use CCP/Telnet/SSH from the router to the internal LAN interface, while blocking these ports from inbound traffic to my WAN interface? I hope this makes sense. Here are the two configs for both my interfaces...
interface GigabitEthernet0/1
description ISP Connection
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect autosec_inspect out
ip virtual-reassembly in
ip verify unicast source reachable-via rx allow-default 100
duplex auto
speed auto
no mop enabled
interface GigabitEthernet0/0
description LAN Connection
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10 native
ip address 172.16.120.1 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
no cdp enable
I'm comfortable creating standard and extended ACLs. My fear is breaking something... I have NAT overload configured and running. I don't want to create an ACL, apply it to an interface, and potentially break that. Seems my goal should be possible... but I'm not sure how to begin. I've found some ACLs while googling, but I'm still concerned about breaking NAT.
Comments
Zartanasaurus: What you want is a lock-and-key ACL. At a high level it works like this:
Block certain types of traffic from transiting the router (no ssh/telnet/web from the outside interface destined to the inside).
Create a special dynamic ACE above the blanket "deny any to these sockets" that allows you to access the vty line and authenticate.
After authentication, the ACL is dynamically modified to allow you to transit that type of traffic from the authenticating host IP.
Also, since this is your home router, you only have 1 IP address assigned so you'll need to create some static NAT entries that will map ssh/telnet/web traffic to an inside IP address on a non-standard port since the router will have to be able to tell the difference between ssh to me and ssh to an inside host.
Lock-and-Key: Dynamic Access Lists - Cisco Systems
Configuring Static and Dynamic NAT Simultaneously - Cisco Systems
It's possible you can break something, but a copy run start followed by a reload in 10 while you figure out your config will work wonders. If you screw up bad enough to lock yourself out, you'll rollback to your old config after the reboot.
A better answer would be to set up a VPN, but you need some trickery with the config because it expects a static IP and yours will change occasionally from the ISP. It's possible newer versions of IOS account for this, but I ran into this particular issue with my home router on an older 12.4T release.
If you have access to GNS3, you should be able to get this sorted out in an hour tops before changing your "production" router.
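The reply above points at lock-and-key; the questioner's stated goal (management from the LAN only, nothing from the WAN) can also be met with a plain extended ACL on the ISP interface plus an access-class on the management services themselves. The configuration below is an added worked example, not from the original post or from Cisco's documentation. The ACL name OUTSIDE-IN and the standard ACL number 10 are assumptions; the interface names, the 172.16.120.0/27 subnet and the autosec_inspect policy are taken from the posted config. It does not break NAT overload because an inbound ACL on the outside interface is evaluated before NAT for outside-to-inside traffic (so it matches on the public address) and because the list ends with permit ip any any, which leaves translated return traffic and the temporary openings CBAC creates exactly as they were.

```cisco
! Added example, not from the original post. Goal: refuse telnet/ssh/CCP
! arriving on the WAN while leaving management from the LAN untouched.
!
! 0. Safety net, as the reply suggests: save the known-good config first,
!    then arm a reload; if the change locks you out, the reboot restores it.
copy running-config startup-config
reload in 10
!
! 1. Inbound ACL on the ISP-facing interface. The WAN address is DHCP, so the
!    destination is "any". Outside-to-inside packets hit this list before NAT,
!    so the match is on the public address, not on an inside host.
!    (Assumption: no ACL is applied inbound on Gi0/1 yet. If AutoSecure already
!    applied autosec_firewall_acl there, add the deny lines to that list
!    instead; an interface holds only one inbound ACL.)
ip access-list extended OUTSIDE-IN
 deny   tcp any any eq 22
 deny   tcp any any eq telnet
 deny   tcp any any eq www
 deny   tcp any any eq 443
 ! Everything else behaves as before: NAT overload return traffic is opened
 ! dynamically by "ip inspect autosec_inspect out", and the final permit
 ! keeps those CBAC entries and the DHCP lease on Gi0/1 working.
 permit ip any any
!
interface GigabitEthernet0/1
 ip access-group OUTSIDE-IN in
!
! 2. Belt and braces, independent of which interface a packet arrived on:
!    only the LAN subnet may open a VTY session or reach the HTTP(S) server
!    that CCP talks to. Management from 172.16.120.0/27 still works.
access-list 10 permit 172.16.120.0 0.0.0.31
ip http access-class 10
line vty 0 4
 access-class 10 in
!
! 3. Verify from a LAN host (ssh/telnet/CCP to 172.16.120.1 still succeed),
!    then confirm hit counts on the deny lines and that NAT sessions persist.
show ip access-lists OUTSIDE-IN
show ip inspect sessions
show ip nat translations
!
! 4. Once satisfied, disarm the reload and save.
reload cancel
copy running-config startup-config
```

The deny lines only affect connections aimed at the router's own ports on the public address. If you later follow the reply's suggestion of static NAT to an inside host on a non-standard port, those entries need a matching permit placed above the deny lines, since the inbound ACL is checked before the translation.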