I've got an 1841 router acting as the firewall for a LAN. It also does NAT and acts as the dialer for a PPPoE DSL line to the internet.
All is working fine, except now I need to allow a Tivo device to connect to certain ports on the Tivo servers on the internet. I want only the Tivo to be able to do this. The problem is that NAT is happening before my outbound ACL is checked, so even though I've got rules to allow the Tivo's LAN address out on all ports, it never works. I've verified this using a syslog server, and can see my external DSL IP trying to connect to the Tivo servers and being denied.
I've done things like this at work by NATting the appropriate internal host to its own external static IP address, which allows me to write rules allowing only that external address to do stuff. But I don't have multiple external addresses to work with here.
I tried applying my outbound ACL to the LAN interface of the router in the "in" direction (and removing the same ACL from the Dialer interface in the "out" direction), but that broke other things like the router's own ability to ping out to the LAN or to see a TFTP server on the LAN. I could maybe fix all of that with rule changes and inspect statements on traffic going out toward the LAN (not sure of this, think so), but I'm wondering:
Is there a better way to let just the Tivo make outgoing connections to certain ports?
Config pasted below:
!
! Last configuration change at 17:15:10 CDT Sun Jul 15 2012
! NVRAM config last updated at 16:27:14 CDT Sun Jul 15 2012 by someguy
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname fw
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
no aaa new-model
memory-size iomem 25
clock timezone CST -5
clock summer-time CDT recurring
ip cef
!
!
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC ftp
ip inspect name CBAC icmp router-traffic
ip inspect name CBAC https
ip inspect name CBAC imap
ip inspect name CBAC dns
ip inspect name CBAC isakmp
ip inspect name CBAC ntp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
ip dhcp excluded-address A.B.C.1 A.B.C.49
ip dhcp excluded-address A.B.C.100 A.B.C.254
!
ip dhcp pool LANDefault
network A.B.C.0 255.255.255.0
default-router A.B.C.1
dns-server 8.8.4.4 209.244.0.4
!
ip dhcp pool static-Desk
host A.B.C.50 255.255.255.0
client-identifier 0100.2522.1dd1.bc
!
!
ip domain name somedomain.com
!
!
!
username someguy privilege 15 password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
username someotherguy privilege 15 password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
ip ssh authentication-retries 5
ip ssh version 2
!
!
!
!
interface FastEthernet0/0
no ip address
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
ip address A.B.C.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
!
interface Dialer1
mtu 1492
ip address negotiated
ip access-group inbound-filter in
ip access-group outbound-filter out
ip inspect CBAC out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication pap callin
ppp pap sent-username someguy@someisp.net password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ppp ipcp route default
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface Dialer1 overload
!
ip access-list extended inbound-filter
deny ip any any
ip access-list extended outbound-filter
remark
remark COMMON SERVICES
permit udp any any eq domain
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq ftp-data
permit tcp any any eq ftp
permit udp any any eq tftp
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq 143
permit udp any any eq ntp
permit icmp any any
remark
remark MSN MESSENGER
permit tcp any any eq 1863
permit tcp any any range 6891 6900
permit udp any any range 6891 6900
permit tcp any any eq 5190
remark
remark YAHOO MESSENGER
permit tcp any any eq 5050
remark
remark STEAM
permit udp any any eq 1200
permit tcp any any range 27000 27040
permit udp any any range 27000 27040
remark
remark STEAM CHAT
permit tcp any any eq 3478
permit udp any any eq 3478
permit tcp any any range 4379 4380
permit udp any any range 4379 4380
remark
remark BLIZZARD
permit tcp any any eq 6112
permit tcp any any eq 3724
permit udp any any eq 3724
remark
remark STARCRAFT 2
permit tcp any any range 1119 1120
permit udp any any range 1119 1120
remark
remark VPN
permit udp any any eq isakmp
permit ahp any any
permit esp any any
permit udp any any eq non500-isakmp
remark
remark TIVO
permit tcp host A.B.C.114 any
permit udp host A.B.C.114 any
deny ip any any log
!
logging trap debugging
logging A.B.C.50
access-list 10 permit A.B.C.0 0.0.0.255
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
login
line aux 0
line vty 0 4
exec-timeout 0 0
password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
login local
transport input ssh
line vty 5 15
exec-timeout 0 0
password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
login local
transport input ssh
!
scheduler allocate 20000 1000
end
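Added example, not from the original post or from Cisco: a small Python model of the IOS order of operations for traffic flowing inside to outside (inbound ACL on the inside interface, then inside-to-outside NAT, then outbound ACL on the outside interface). It reproduces what the syslog showed above: an ACL applied `out` on the Dialer only ever sees the single overloaded external address, so a `permit ... host <LAN address> any` entry there can never match, whereas the same entry applied `in` on the LAN interface is evaluated against the real source. The LAN network 192.168.1.0/24, the dialer address 198.51.100.7, the server 203.0.113.10 and port 8443 are constructed stand-ins for the post's A.B.C.x addresses and the real Tivo endpoints; the ACL is a trimmed copy of `outbound-filter`. Only the outbound path is modelled, so it does not cover the return-traffic/CBAC side effects the post mentions for router-originated pings and TFTP.

```python
"""Model of where IOS evaluates ACLs relative to inside-to-outside NAT.

Added example (not code from the original post). Addresses and the
server port are constructed sample values, not real Tivo endpoints.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" | "udp" | "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One extended-ACL entry: action proto src dst [port range]."""
    action: str           # "permit" | "deny"
    proto: str            # "ip" matches every protocol
    src: str              # "any" or a single host address
    dst: str              # "any" or a single host address
    dport: Optional[Tuple[int, int]] = None   # None = any port; (lo, hi) inclusive

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        if self.dport is not None:
            lo, hi = self.dport
            if pkt.dport is None or not lo <= pkt.dport <= hi:
                return False
        return True


def eq(port: int) -> Tuple[int, int]:
    """Shorthand for an IOS 'eq <port>' match."""
    return (port, port)


def evaluate_acl(acl: Sequence[Ace], pkt: Packet) -> str:
    """First matching entry wins; the list ends in an implicit deny, as in IOS."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def nat_inside_to_outside(pkt: Packet, inside_net: str, outside_ip: str) -> Packet:
    """PAT overload: every inside source is rewritten to the one outside address.
    Source-port translation is omitted because none of the ACLs here match on it."""
    if ipaddress.ip_address(pkt.src) in ipaddress.ip_network(inside_net):
        return replace(pkt, src=outside_ip)
    return pkt


def forward(pkt: Packet, inside_in_acl, outside_out_acl, inside_net: str, outside_ip: str):
    """Push a packet inside -> outside through the IOS checkpoints in order:
      1. inbound ACL on the inside interface  (sees the real LAN source)
      2. inside-to-outside NAT
      3. outbound ACL on the outside interface (sees only the translated source)
    Returns (verdict, stage that decided or None, packet as seen at that stage)."""
    if inside_in_acl is not None and evaluate_acl(inside_in_acl, pkt) == "deny":
        return ("deny", "inside-in", pkt)
    translated = nat_inside_to_outside(pkt, inside_net, outside_ip)
    if outside_out_acl is not None and evaluate_acl(outside_out_acl, translated) == "deny":
        return ("deny", "outside-out", translated)
    return ("permit", None, translated)


# Constructed topology standing in for A.B.C.0/24 and the negotiated Dialer address.
INSIDE_NET = "192.168.1.0/24"
OUTSIDE_IP = "198.51.100.7"
TIVO = "192.168.1.114"
OTHER_HOST = "192.168.1.50"
TIVO_SERVER = "203.0.113.10"

COMMON_SERVICES = [
    Ace("permit", "udp", "any", "any", eq(53)),
    Ace("permit", "tcp", "any", "any", eq(80)),
    Ace("permit", "tcp", "any", "any", eq(443)),
]
TIVO_RULES = [Ace("permit", "tcp", TIVO, "any"), Ace("permit", "udp", TIVO, "any")]
FINAL_DENY = [Ace("deny", "ip", "any", "any")]

OUTBOUND_FILTER = COMMON_SERVICES + TIVO_RULES + FINAL_DENY   # as posted: Dialer1 'out'
LAN_FILTER_IN = COMMON_SERVICES + TIVO_RULES + FINAL_DENY     # same entries, LAN 'in'

TIVO_PKT = Packet("tcp", TIVO, TIVO_SERVER, 8443)          # constructed server port
OTHER_PKT = Packet("tcp", OTHER_HOST, TIVO_SERVER, 8443)


def as_posted(pkt: Packet):
    """Source-based rule on the post-NAT side: never matches the LAN address."""
    return forward(pkt, None, OUTBOUND_FILTER, INSIDE_NET, OUTSIDE_IP)


def filtered_on_lan_interface(pkt: Packet):
    """Same rule applied inbound on the inside interface, i.e. before NAT."""
    return forward(pkt, LAN_FILTER_IN, None, INSIDE_NET, OUTSIDE_IP)


if __name__ == "__main__":
    for label, fn in (("Dialer1 out", as_posted), ("Fa0/1 in", filtered_on_lan_interface)):
        for pkt in (TIVO_PKT, OTHER_PKT):
            verdict, stage, seen = fn(pkt)
            print(f"{label:12} {pkt.src:>14} -> {pkt.dst}:{pkt.dport}  "
                  f"{verdict} at {stage or 'end'} (ACL saw src {seen.src})")
```

Running it shows the Tivo's packet denied at the outbound stage with source 198.51.100.7 (the external address the syslog reported), permitted when the same entry is evaluated inbound on the LAN interface, and the other LAN host still denied on that path, which is the "only the Tivo" property the question asks for.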