
NAT and Access Lists

Discussion in 'Routing & Switching' started by k.r.o.g., Mar 21, 2011.

  1. k.r.o.g.

    k.r.o.g. Bit Poster

    Hi All.

    I seem to be having a bit of a mental block when getting my head around the concept of allowing external (i.e. internet) traffic to a private internal IP.

    What I can do already is allow any external IP access to a private internal. I have this working for an exchange server and it seems to be working fine. I have used the following for this:

    ip nat inside source static tcp 192.168.3.250 25 <yyy.yyy.yyy.yyy> 25 extendable

    This allows any external source to send mail to the public address yyy.yyy.yyy.yyy and for this to be NATed to the internal IP 192.168.3.250

    What I have now been asked to do is to allow telnet traffic from a specific external public IP to an internal private IP. For this there are 3 IP addresses involved - (1) private local address of the PC to be telnetted to 192.168.3.149, (2) public address where the external will telnet to (let's say 123.123.123.123) and (3) the public address that is permitted to do the telnetting (let's say 456.456.456.456).

    My thinking so far is that I need another ip nat inside statement to do the natting :

    ip nat inside source static tcp 192.168.3.149 23 123.123.123.123 23 extendable

    I was then going to create an access list as follows:

    access list 100 permit tcp 456.456.456.456 123.123.123.123 eq 23

    and apply it to the wan interface:

    interface dialer0
    ip access-group 100 in

    Am I heading in the right direction with this? My worry is that I remember reading that if an entry is found in the static NAT table then access lists are not used i.e. any external telnet traffic to 123.123.123.123 will be permitted to access because of my first ip nat entry?

    I suspect I am missing something fundamental here :oops: so any pointers would be a great help.

    Regards,

    K
     
    Certifications: Bsc Hons-Comp Networking. MCP-270,291
    WIP: MCSA-284,290
  2. jonny7_2002

    jonny7_2002 Byte Poster

    That is how I would do it! Basically NAT is only used for the port translation from public to private and then you control access via the 'firewall'!

    Don't forget, if you use the one-liner for access list 100 then there is the implicit deny that will be applied and will block everything but what you have put in ACL 100 inbound. What I would do would be to set up some inspect rules on the outbound traffic and then you should be good to go!

    If you are still stuck then post your config and we will take a look as to what commands you need to do!

    Cheers
    Jon
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  3. k.r.o.g.

    k.r.o.g. Bit Poster

    Hi Jon.

    I guess I am still a bit stuck. I have added my running config below. I was hoping that adding the lines in my post above to this config might just about do but I would appreciate it if you could have a quick look.

    Cheers

    K


    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    service sequence-numbers
    no service dhcp
    !
    hostname XXX
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    logging buffered 51200 warnings
    enable secret XXX
    !
    no aaa new-model
    clock timezone gmt 0
    clock summer-time bst recurring last Sun Mar 1:00 last Sun Oct 1:00
    !
    crypto pki trustpoint TP-self-signed-480817598
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-480817598
    revocation-check none
    rsakeypair TP-self-signed-480817598
    !
    !
    crypto pki certificate chain TP-self-signed-480817598
    certificate self-signed 01
    quit
    dot11 syslog
    no ip source-route
    ip dhcp excluded-address 10.10.10.1
    !
    ip dhcp pool ccp-pool
    import all
    network 10.10.10.0 255.255.255.248
    default-router 10.10.10.1
    lease 0 2
    !
    !
    ip cef
    no ip bootp server
    no ip domain lookup
    ip domain name yourdomain.com
    !
    !
    !
    !
    username admin privilege 15 secret XXX
    !
    !
    !
    archive
    log config
    hidekeys
    !
    !
    ip tcp synwait-time 10
    !
    !
    !
    interface ATM0
    description ADSL_WAN
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    no snmp trap link-status
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Dot11Radio0
    no ip address
    shutdown
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    !
    interface Vlan1
    description Main_VLAN
    ip address 192.168.3.254 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    no ip virtual-reassembly
    ip tcp adjust-mss 1452
    !
    interface Dialer0
    description FW_Outside
    ip address XXX 255.255.255.248
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname XXX
    ppp chap password XXX
    ppp pap sent-username XXX password XXX
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 10.0.0.0 255.255.255.0 192.168.3.253 permanent
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat inside source list 100 interface Dialer0 overload
    ip nat inside source static tcp 192.168.3.249 25 XXX 25 extendable
    ip nat inside source static tcp 192.168.3.250 443 XXX 443 extendable
    !
    access-list 100 permit ip 192.168.3.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    no cdp run

    !
    !
    !
    !
    control-plane
    !
    banner login Authorised access only!!! Disconect IMMEDIDIATELY if you are not authorised to access this system
    !
    line con 0
    login local
    no modem enable
    transport output telnet
    line aux 0
    login local
    transport output telnet
    line vty 0 4
    access-class 23 in
    privilege level 15
    login local
    transport input telnet ssh
    transport output all
    !
    scheduler max-task-time 5000
    end
     
    Certifications: Bsc Hons-Comp Networking. MCP-270,291
    WIP: MCSA-284,290
  4. jonny7_2002

    jonny7_2002 Byte Poster

    Run these 3 commands to clear the config up (personal preference)......

    line con 0
    no transport output telnet
    line aux 0
    no transport output telnet
    line vty 0 4
    no transport output all

    These should allow telnet access from 456.456.456.456 to 123.123.123.123 which should then use PAT to forward it to 192.168.3.149, you need to apply this to the dialer interface inbound.......

    ip nat inside source static tcp 192.168.3.149 21 123.123.123.123 21 extendable
    access-list 101 permit tcp 456.456.456.456 0.0.0.0 eq 21 any eq 21
    access-list 101 deny tcp any eq 21 any eq 21
    access-list 101 permit tcp any any

    this basically says:
    Allow telnet from 456.456.456.456 (1st line)
    Deny telnet from anywhere else (2nd Line)
    Allow everything else (3rd line) - this means you have no firewall! :-)
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  5. jonny7_2002

    jonny7_2002 Byte Poster

    If you wanted a firewall enabled as well then you could use the following commands which will give you a CBAC firewall which will allow established/inspected connections back in and the BLOCK_ALL ACL blocks everything coming in but allows you telnet!

    ip inspect name DIALER_OUT cuseeme
    ip inspect name DIALER_OUT ftp
    ip inspect name DIALER_OUT h323
    ip inspect name DIALER_OUT icmp
    ip inspect name DIALER_OUT netshow
    ip inspect name DIALER_OUT rcmd
    ip inspect name DIALER_OUT realaudio
    ip inspect name DIALER_OUT rtsp
    ip inspect name DIALER_OUT esmtp
    ip inspect name DIALER_OUT sqlnet
    ip inspect name DIALER_OUT streamworks
    ip inspect name DIALER_OUT tftp
    ip inspect name DIALER_OUT tcp router-traffic
    ip inspect name DIALER_OUT udp router-traffic timeout 300
    ip inspect name DIALER_OUT vdolive
    ip inspect name DIALER_OUT dns


    interface Dialer 0
    ip inspect DIALER_OUT out
    ip access-group BLOCK_ALL in



    ip access-list extended BLOCK_ALL
    permit tcp host 456.456.456.456 eq 21 any eq 21
    permit icmp any any echo-reply
    permit icmp any any time-exceeded
    permit icmp any any unreachable
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip host 255.255.255.255 any
    deny ip host 0.0.0.0 any
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  6. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    A quick note about jonny7_2002's nat and access-list from above - access-list 101 should look like this:

    access-list 101 permit tcp host 456.456.456.456 host 123.123.123.123 eq 23
    access-list 101 deny tcp any any eq 23
    access-list 101 permit ip any any

    And the nat statement like this:

    ip nat inside source static tcp 192.168.3.149 23 123.123.123.123 23 extendable

    Also, if you are not going to use the IOS firewall as Jonny outlined, I would suggest blocking inbound ssh and http on the dialer interface, or at least restricting it to trusted ip's.

    Spice_Weasel
     
    Last edited: Mar 23, 2011
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
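To make the difference between the two access-list 101 versions (and the implicit deny k.r.o.g. asked about) concrete, here is an added example that is not part of the thread: a small Python model of IOS first-match ACL evaluation run against both lists. It assumes the constructed TEST-NET addresses 203.0.113.10 and 198.51.100.5 as stand-ins for 456.456.456.456 and 123.123.123.123 (which are not valid IPv4 addresses), and that the inbound ACL on Dialer0 is evaluated before the outside-to-inside static NAT translation, so it sees the public destination address and port 23.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str
    sport: Optional[int] = None  # "eq <port>" after the source, if present
    dport: Optional[int] = None  # "eq <port>" after the destination, if present

def addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    net, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    # wildcard bits set to 1 are "don't care" bits
    return (int(ipaddress.IPv4Address(addr)) & ~wild) == (net & ~wild)

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """IOS semantics: first matching entry wins; no match is the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (addr_match(ace.src, pkt.src) and addr_match(ace.dst, pkt.dst)):
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"

TRUSTED, PUBLIC = "203.0.113.10", "198.51.100.5"  # constructed stand-in addresses
# Post 4's list: both "eq 21" clauses test port 21, so a telnet connection
# (ephemeral source port, destination port 23) matches neither and falls through.
ORIGINAL_101 = [Ace("permit", "tcp", f"host {TRUSTED}", "any", 21, 21),
                Ace("deny", "tcp", "any", "any", 21, 21), Ace("permit", "tcp", "any", "any")]
# Post 6's list: match the public (pre-NAT) destination address and port 23.
CORRECTED_101 = [Ace("permit", "tcp", f"host {TRUSTED}", f"host {PUBLIC}", None, 23),
                 Ace("deny", "tcp", "any", "any", None, 23), Ace("permit", "ip", "any", "any")]
```

Running a telnet packet from an untrusted source through ORIGINAL_101 returns "permit" (the restriction never matches), while the same packet through CORRECTED_101 returns "deny"; a UDP packet is dropped by ORIGINAL_101's implicit deny because every entry there is TCP-only.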
  7. jonny7_2002

    jonny7_2002 Byte Poster

    Oops...... thank you for pointing out my mistake! :biggrin Apologies, this was my early morning config and I only woke up about 2 hours after! lol

    Yeah, but to be fair, I would use the firewall; otherwise there is a lot more to worry about than just SSH & HTTP :D
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  8. k.r.o.g.

    k.r.o.g. Bit Poster

    Thanks guys.

    I have applied a selection of your recommendations and have a working solution in place, albeit probably not best practice. I will definitely need to get some reading done on access lists etc. before long. I have only been in this job since Monday and things have been pretty intense from the word go. I'm now starting to look at an SBS migration to Win Server 2003 and Exchange 2007 but that's a whole different story (and most likely another thread).

    Thanks again for your help, I really appreciate it.

    K.
     
    Certifications: Bsc Hons-Comp Networking. MCP-270,291
    WIP: MCSA-284,290
  9. jonny7_2002

    jonny7_2002 Byte Poster

    No problem buddy, this site has helped me out loads so it's nice to give something back when I can!

    Good luck in your new job! It will all go fine I'm sure..... there's nothing like being thrown in the deep end!! lol
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
