Cisco 1921 Router Config

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Cisco 1921 Router Config

    Hi,

    this is my first post in this forum and I am not that experienced in routing so please forgive my ignorance.

    I was wondering if someone could point me in the right direction considering the config of our Cisco 1921 router. We have two Windows servers in an offshore location which we would like to access via RDP. The servers are connected to the internet by a 1921 router with one interface (Gi0/0) connected to the internal network and interface (Gi0/1) connected to the internet via VSAT.

    I can successfully connect to either server from our office but I cannot get internet access from our servers to download antivirus updates. I have used 'ip nat inside source static' to forward RDP traffic to the servers (see attached config) and used an access-list to limit access to only from our office IP address (x.x.x.x in the config file). When I delete the three access-lists I can then get internet access but then obviously access to our servers can be made from any IP address.

    I googled and found that I might require another access-list for the outgoing traffic so added another ip access-group 101 out to interface Gi0/1 together with an access-list 101 permit ACL but no success.

    If anyone could offer some assistance I would be most grateful and indeed maybe even explain a better way to achieve access.

    Regards

    Neil

  • #2
    Re: Cisco 1921 Router Config

    Hey,

    Are you using PAT because you only have 1 interface address available?

    The extra ACL you mention needs to be applied to the Internal Interface, not the External.

    Code:
    interface GigabitEthernet0/0
     ip address 192.168.0.254 255.255.255.0
     ip access-group 101 in
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    ...
    access-list 101 permit tcp any any eq 80
    access-list 101 permit tcp any any eq 443
    * Shamelessly mentioning "Don't forget to add reputation!"



    • #3
      Re: Cisco 1921 Router Config

      Hi topper,

      thank you for replying. I received an email informing me of a response from uk_network but for the life of me I cannot see it in the thread. Anyway, uk_network suggested I add an ACL access-list 102 permit tcp any any established which I did and I can now get internet access and also SMTP access but I cannot get the system clock to update.

      I guess that this is because WWW and SMTP are both TCP traffic and NTP is UDP. I suppose I will have to add an ACL that allows UDP traffic from the NTP server IP address.



      • #4
        Re: Cisco 1921 Router Config

        I personally would not put an established permit on the outside interface.

        I would create a separate acl purely for outbound traffic which you can control easily and then add NTP on.

        interface GigabitEthernet0/0
         ip access-group 101 in

        access-list 101 permit tcp any any eq 80
        access-list 101 permit tcp any any eq 443
        access-list 101 permit tcp any any eq 25
        access-list 101 permit udp any any eq 123
        * Shamelessly mentioning "Don't forget to add reputation!"



        • #5
          Re: Cisco 1921 Router Config

          Sorry, my bad, I had second thoughts and deleted it.
          The ACL statement I first suggested was:
          access-list 102 permit tcp 192.168.2.0 0.0.0.255 any eq established

          For NTP try:
          access-list 102 permit udp any any eq ntp
          Please remember to award reputation points if you have received good advice.
          I do tend to think 'outside the box' so others may not always share the same views.

          MCITP -W7,
          MCSA+Messaging, CCENT, ICND2 slowly getting around to.



          • #6
            Re: Cisco 1921 Router Config

            Hi uk_network,

            your suggestion of an access-list for established connections worked and I will also try your suggestion of the NTP access-list but I won't get access to the router for a few days to try it out.

            Thank you very much for your help



            • #7
              Re: Cisco 1921 Router Config

              Hi topper,

              is there a particular reason you would not have an established permit on an outside interface?

              As far as the access-list for the inside interface (Gi0/0) I am confused why I would need an access-list here. I am not by any means an expert here but from my limited knowledge adding a rule here would not help when the traffic is being blocked at the outside interface or am I missing the point here?

              Thank you very much for taking the time to reply.


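An added example, not part of any post in this thread: a small Python model of how the inbound ACL on Gi0/1 treats traffic arriving from the Internet, showing why `established` let web and SMTP replies back in while NTP (UDP) replies fell to the implicit deny. The addresses, the form of the RDP line and the names `Packet`, `Rule` and `evaluate` are assumptions made for illustration; `established` is modelled as IOS defines it, a TCP segment with ACK or RST set.

```python
from dataclasses import dataclass
from typing import Optional

OFFICE = "198.51.100.10"      # constructed stand-in for the office address (x.x.x.x)
NTP_SERVER = "203.0.113.123"  # constructed NTP server address

@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str                         # source IP as seen inbound on Gi0/1
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flags set on the segment

@dataclass(frozen=True)
class Rule:                          # one "permit" line of an extended ACL
    proto: str
    src: str = "any"
    sport: Optional[int] = None      # None means any port
    dport: Optional[int] = None
    established: bool = False        # IOS: TCP segment has ACK or RST set

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and self.src in ("any", p.src)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and (not self.established or bool(p.flags & {"ACK", "RST"})))

def evaluate(acl, pkt) -> str:
    """Every line here is a permit, so any match permits; no match is the implicit deny."""
    return "permit" if any(r.matches(pkt) for r in acl) else "deny"

# Inbound ACL on Gi0/1 as the thread describes it (the RDP line is an assumed form).
ACL_102 = [
    Rule("tcp", src=OFFICE, dport=3389),   # RDP from the office only
    Rule("tcp", established=True),         # permit tcp any any established
]
# Post #3's idea: also admit UDP from the NTP server (replies have source port 123).
ACL_102_NTP = ACL_102 + [Rule("udp", src=NTP_SERVER, sport=123)]

# Constructed sample packets arriving from the Internet side.
WEB_REPLY = Packet("tcp", "192.0.2.80", 443, 50123, frozenset({"SYN", "ACK"}))
NTP_REPLY = Packet("udp", NTP_SERVER, 123, 123)
RDP_OTHER = Packet("tcp", "192.0.2.66", 40000, 3389, frozenset({"SYN"}))
# No prior session: still matches, because the check reads flags, not state.
UNSOLICITED_ACK = Packet("tcp", "192.0.2.66", 40000, 3389, frozenset({"ACK"}))

if __name__ == "__main__":
    for pkt in (WEB_REPLY, NTP_REPLY, RDP_OTHER, UNSOLICITED_ACK):
        print(pkt.proto, pkt.src, evaluate(ACL_102, pkt), evaluate(ACL_102_NTP, pkt))
```

The last sample shows that `established` is a stateless flag test rather than connection tracking, which is worth weighing when deciding whether to rely on it on the outside interface.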