Velocity Reviews - Computer Hardware Reviews

Cisco 877 - Stealth Port Scan

 
 
Peter Danes
Guest
Posts: n/a
 
      09-27-2007
Hi,

My router has had constant hacking attempts so I have spent all night
trying to get all of my ports returning stealth when I run a port scan
but I haven't had much luck.

I have found a way to do it from the Internet but my port forwards no
longer work.

The configuration is as follows:

ip inspect name Internet tcp router-traffic
ip inspect name Internet udp router-traffic
ip inspect name Internet icmp router-traffic

access-list 102 permit ip any 192.168.0.0 0.0.0.255
access-list 102 deny ip any any

int dialer0
ip access-group 102 in
no ip unreachables
ip nat outside
ip inspect Internet out
ip inspect Internet in
ip virtual-reassembly

For some reason, as soon as I apply access-group 102 to the dialer0
interface, my port forwards cease to work but I am still able to open
web pages etc.

An example of a port forward would be the following:
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static udp 192.168.0.2 9002 interface Dialer0 9002
ip nat inside source static tcp 192.168.0.2 9002 interface Dialer0 9002

If anyone can assist me it would be great!

Thanks

Peter
 
 
 
 
 
Walter Roberson
Guest
Posts: n/a
 
      09-27-2007
In article <>,
Peter Danes <> wrote:

>access-list 102 permit ip any 192.168.0.0 0.0.0.255
>access-list 102 deny ip any any


>int dialer0
> ip access-group 102 in
> no ip unreachables
> ip nat outside
> ip inspect Internet out
> ip inspect Internet in
> ip virtual-reassembly


>For some reason, as soon as I apply access-group 102 to the dialer0
>interface, my port forwards cease to work but I am still able to open
>web pages etc.


dialer0 is your outside interface, so the "in" access-group will be processed
-before- NAT is applied. Thus it must have the public destinations.
 
 
 
 
 
thort
Member
Join Date: Sep 2007
Posts: 35
 
      09-29-2007
Also, on a security note, anyone who has an Internet IP will always be scanned/attacked regardless.

Your inspect commands just tell the IOS firewall to do automatic ACLs and to do content inspection, which eliminates some DoS and other attacks on the actual traffic allowed.

Essentially 'ip inspect Internet in' on your external interface allows incoming traffic from the Internet!

You may find this article helpful:
http://articles.techrepublic.com.com...0-1057051.html

and very well explained for filtered(stealth)/closed results when doing a portscan:
http://ioshints.blogspot.com/2007/06...red-ports.html
 

 
Peter Danes
Guest
Posts: n/a
 
      10-02-2007
Walter Roberson wrote:
> dialer0 is your outside interface, so the "in" access-group will be processed
> -before- NAT is applied. Thus it must have the public destinations.


Thanks for the reply Walter.

Can you or someone elaborate on what I need to do exactly?
 
 
Peter Danes
Guest
Posts: n/a
 
      10-07-2007
Peter Danes wrote:
> Can you or someone elaborate on what I need to do exactly?

Anyone...? =)
 
 
Bod43@hotmail.co.uk
Guest
Posts: n/a
 
      10-07-2007
On 7 Oct, 15:17, Peter Danes <p_da...@gmail.com> wrote:
> > Can you or someone elaborate on what I need to do exactly?
>
> Anyone...? =)

You need to add to the ACL 102 permit statements
to allow your inbound traffic in.

You NEED to specify the address of dialer 0.
If you have a dynamic address then this will
be a limitation but unless you are getting hit
from your ISP you will be able to work around it.


Let's use a.b.c.d to represent your dialer 0
IP address.

This one does nothing useful to you
access-list 102 permit ip any 192.168.0.0 0.0.0.255


You do need:
access-list 102 permit udp any host a.b.c.d eq 9002
access-list 102 permit tcp any host a.b.c.d eq 9002
access-list 102 deny ip any any


If your IP address changes a lot you could do
something like

access-list 102 permit udp any a.b.0.0 0.0.255.255 eq 9002
access-list 102 permit tcp any a.b.0.0 0.0.255.255 eq 9002
access-list 102 deny ip any any


Choose the wildcard length to match your possible
IP address range.

 
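To make the ordering that Walter and Bod43 describe concrete, here is a small Python model added by the editor. It is not Cisco code and not something posted in the thread: it evaluates an IOS-style numbered ACL with Cisco wildcard semantics against a packet arriving on the outside interface, and only then applies the static NAT (port forward) entries, which is why the original `permit ip any 192.168.0.0 0.0.0.255` line can never match Internet traffic. It also computes the smallest base/wildcard pair covering a range of possible public addresses, for the dynamic-IP workaround. The public address 203.0.113.10 (TEST-NET-3) and the scanner address 198.51.100.7 are assumed stand-ins for a.b.c.d and an arbitrary Internet host; CBAC (`ip inspect`) session state is not modelled.

```python
"""Toy model of IOS order of operations on an outside interface: inbound ACL, then NAT.
Added illustration, not Cisco code or anything from the thread; addresses are assumed."""
from dataclasses import dataclass
from ipaddress import IPv4Address


def ip_int(addr: str) -> int:
    return int(IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'do not care'."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)


@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp" or "udp"
    src_base: str
    src_wild: str
    dst_base: str
    dst_wild: str
    dst_port: "int | None"   # None means any destination port


def _addr_spec(t, i):
    """Consume 'any', 'host A' or 'A WILDCARD' at t[i]; return (base, wildcard, next index)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]', the subset used in the thread."""
    t = line.split()
    src_base, src_wild, i = _addr_spec(t, 4)
    dst_base, dst_wild, i = _addr_spec(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(t[2], t[3], src_base, src_wild, dst_base, dst_wild, port)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def acl_decision(acl, pkt: Packet) -> str:
    """First match wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if (ace.proto in ("ip", pkt.proto)
                and wildcard_match(pkt.src, ace.src_base, ace.src_wild)
                and wildcard_match(pkt.dst, ace.dst_base, ace.dst_wild)
                and ace.dst_port in (None, pkt.dport)):
            return ace.action
    return "deny"


def parse_static_nat(line: str):
    """'ip nat inside source static PROTO INSIDE IPORT interface Dialer0 OPORT' -> ((proto, oport), (inside, iport))."""
    t = line.split()
    return (t[5], int(t[10])), (t[6], int(t[7]))


def outside_in(acl, nat, pkt: Packet):
    """Outside-to-inside path: the input ACL sees the untranslated public destination, NAT runs after it."""
    if acl_decision(acl, pkt) == "deny":
        return "dropped", None  # with 'no ip unreachables' this is silent: a scanner reports 'filtered'
    target = nat.get((pkt.proto, pkt.dport))
    if target is None:
        return "to-router", pkt  # permitted but not translated: the packet is for the router itself
    return "forwarded", Packet(pkt.proto, pkt.src, target[0], target[1])


def wildcard_for_range(low: str, high: str):
    """Smallest base/wildcard pair covering every address from low to high (Bod43's last hint)."""
    wild = (1 << (ip_int(low) ^ ip_int(high)).bit_length()) - 1
    return str(IPv4Address(ip_int(low) & ~wild & 0xFFFFFFFF)), str(IPv4Address(wild))


PUBLIC = "203.0.113.10"   # assumed stand-in for a.b.c.d
SCANNER = "198.51.100.7"  # assumed Internet source address
ORIGINAL_ACL = [parse_ace(l) for l in (
    "access-list 102 permit ip any 192.168.0.0 0.0.0.255",
    "access-list 102 deny ip any any",
)]
FIXED_ACL = [parse_ace(l) for l in (
    f"access-list 102 permit udp any host {PUBLIC} eq 9002",
    f"access-list 102 permit tcp any host {PUBLIC} eq 9002",
    "access-list 102 deny ip any any",
)]
NAT = dict(parse_static_nat(l) for l in (
    "ip nat inside source static udp 192.168.0.2 9002 interface Dialer0 9002",
    "ip nat inside source static tcp 192.168.0.2 9002 interface Dialer0 9002",
))

if __name__ == "__main__":
    probe = Packet("tcp", SCANNER, PUBLIC, 9002)
    print("original ACL:", outside_in(ORIGINAL_ACL, NAT, probe))  # dropped: 192.168.0.x is never the dst here
    print("fixed ACL:   ", outside_in(FIXED_ACL, NAT, probe))     # forwarded to 192.168.0.2:9002
    print("port 9003:   ", outside_in(FIXED_ACL, NAT, Packet("tcp", SCANNER, PUBLIC, 9003)))  # dropped
    print("dynamic IP:  ", wildcard_for_range("203.0.113.10", "203.0.113.200"))  # 203.0.113.0 / 0.0.0.255
```

Running it shows the two states in the thread side by side: with the original ACL every Internet packet, including the ones meant for the forwarded port, is denied before NAT ever looks at it, while with the host-specific permits the probe to 9002 is translated to 192.168.0.2 and anything else is dropped silently, which is what a port scanner reports as filtered. The `wildcard_for_range` helper is the arithmetic behind "choose the wildcard length to match your possible IP address range": the wider the range the ISP hands out, the more of the address space the permit line has to cover.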
 
Peter Danes
Guest
Posts: n/a
 
      10-08-2007
Bod43@hotmail.co.uk wrote:
> You do need:
> access-list 102 permit udp any host a.b.c.d eq 9002
> access-list 102 permit tcp any host a.b.c.d eq 9002
> access-list 102 deny ip any any

The above worked like a charm so give yourself a pat on the back for a
job well done.

Thanks so much!
 
 
Peter Danes
Guest
Posts: n/a
 
      10-08-2007
Peter Danes wrote:
> The above worked like a charm so give yourself a pat on the back for a
> job well done.

Doh! I spoke too soon.

My port forwards are still broken, the ports are stealth though.

Here is an example of my port forward if it will help at all.

ip nat inside source static tcp 192.168.0.9 9009 interface Dialer0 9009
ip nat inside source static udp 192.168.0.9 9009 interface Dialer0 9009
 
 
Peter Danes
Guest
Posts: n/a
 
      10-08-2007
Peter Danes wrote:
> My port forwards are still broken, the ports are stealth though.

I have it figured out now so sorry about the last post.

For anyone interested, I had to create an ACL for every port forwarded. =)


 
 
Bod43@hotmail.co.uk
Guest
Posts: n/a
 
      10-09-2007
On 8 Oct, 09:15, Peter Danes <p_da...@gmail.com> wrote:
> For anyone interested, I had to create an ACL for every port forwarded. =)

That would be required.

 