NAT and Access Lists

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hi All.

I seem to be having a bit of a mental block when getting my head around the concept of allowing external (i.e. internet) traffic to a private internal IP.

What I can do already is allow any external IP access to a private internal. I have this working for an exchange server and it seems to be working fine. I have used the following for this:

ip nat inside source static tcp 192.168.3.250 25 <yyy.yyy.yyy.yyy> 25 extendable

This allows any external source to send mail to the public address yyy.yyy.yyy.yyy and for this to be NATed to the internal IP 192.168.3.250

What I have now been asked to do is to allow telnet traffic from a speciffic extrnal public IP to an internal private IP. For this there are are 3 IP addresses involved - (1)Private local address of the PC to be telneted to 192.168.3.149, (2) public address where the external will telnet to (lets say 123.123.123.123) and (3) the public address that is permitted to do the telneting (lets say 456.456.456.456).

My thinking so far is that I need another ip nat inside statement to do the natting :

ip nat inside source static tcp 192.168.3.149 23 123.123.123.123 23 extendable

I was then going to create an access list as follows:

access list 100 permit tcp 456.456.456.456 123.123.123.123 eq 23

and apply it to the wan interface:

interface dialer0
ip access-group 100 in

Am I heading in the right direction with this? My worry is that I remember reading that if an entry is found in the static NAT table then access lists are not used i.e. any external telnet traffic to 123.123.123.123 will be permitted to access because of my first ip nat entry?

I suspect I am missing something fundamental here so any pointers would be a great help.

Regrads,

K

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

That is how i would do it! basically NAT is only used for the port translation from public to private and then you control access via the 'firewall'!

Dont forget, it you use the one liner for access list 100 then there is the implicit deny that will be applied and will block everything but what you have put in ACL 100 inbound. what i would do would be setup some inspect rules on the outbound traffic and then you should be good to go!

If you are still stuck then post your config and we will take a look as to what commands you need to do!

Cheers
Jon

 

Hi Jon.

I guess I am still a bit stuck. I have added my running config below. I was hoping that adding the lines in my post above to this config might just about do but I would appreciate it if you could have a quick look.

Cheers

K


!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
no service dhcp
!
hostname XXX
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret XXX
!
no aaa new-model
clock timezone gmt 0
clock summer-time bst recurring last Sun Mar 1:00 last Sun Oct 1:00
!
crypto pki trustpoint TP-self-signed-480817598
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-480817598
revocation-check none
rsakeypair TP-self-signed-480817598
!
!
crypto pki certificate chain TP-self-signed-480817598
certificate self-signed 01
30820253 308201BC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34383038 31373539 38301E17 0D303230 33303130 30353533
335A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3438 30383137
35393830 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
DFB86A47 5E1DE4D0 5A3F4040 33A5CDA1 AF0F1AC6 B8E22263 F67B405C 0CEDD49F
A7BC2ECC DF71865C DE169926 24B0FA16 48943E2F 2618B291 B9E68EF2 B2B04CEB
4E8777A2 782E4CE2 744DAAC4 FB56F01D 1C7826EE 51F48038 66628A81 E9727083
70DC1BAB 92CAD650 73C178C2 1DBA5E3B C537D18B EBFC42FF 93D099FF 2F4E697D
02030100 01A37D30 7B300F06 03551D13 0101FF04 05300301 01FF3028 0603551D
11042130 1F821D41 54445F43 6973636F 5F383737 772E796F 7572646F 6D61696E
2E636F6D 301F0603 551D2304 18301680 14E73B8C 55DE52A1 B24B9D68 99028953
A05A2F80 04301D06 03551D0E 04160414 E73B8C55 DE52A1B2 4B9D6899 028953A0
5A2F8004 300D0609 2A864886 F70D0101 04050003 818100DC B8479381 7BD13BB3
1CA3529B FF592689 50E83F2C C9B82DF2 11C1F2D7 BF7EEA1E A2D3CD37 61C23F12
3FD89372 987DCBC3 B7A85D1C CF40F65F DA10888B 6CD091ED 0EFFCE3C 873A1E6B
B60729AE 8966D554 64F7FA99 F598164C CAA2AA4C 3D4D05AC 93CB4699 5D29F8AF
B3D0A4A0 A3C41F04 D54EC078 BAB0D6C2 48993B6E 5D5BAC
quit
dot11 syslog
no ip source-route
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
!
!
!
!
username admin privilege 15 secret XXX
!
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
!
!
!
interface ATM0
description ADSL_WAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
no snmp trap link-status
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description Main_VLAN
ip address 192.168.3.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
description FW_Outside
ip address XXX 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname XXX
ppp chap password XXX
ppp pap sent-username XXX password XXX
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.0.0.0 255.255.255.0 192.168.3.253 permanent
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.3.249 25 XXX 25 extendable
ip nat inside source static tcp 192.168.3.250 443 XXX 443 extendable
!
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
control-plane
!
banner login Authorised access only!!! Disconect IMMEDIDIATELY if you are not authorised to access this system
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
end

 

Run these 3 commands to clear the config up (personal preference)......

line con 0
no transport output telnet
line aux 0
no transport output telnet
line vty 0 4
no transport output all

These should allow telnet access from 456.456.456.456 to 123.123.123.123 which should then use PAT to forward it to 192.168.3.149, you need to apply this to the dialer interface inbound.......

ip nat inside source static tcp 192.168.3.149 21 123.123.123.123 21 extendable
access-list 101 permit tcp 456.456.456.456 0.0.0.0 eq 21 any eq 21
access-list 101 deny tcp any eq 21 any eq 21
access-list 101 permit tcp any any

this basically says:
Allow telnet from 456.456.456.456 (1st line)
Deny telnet from anywhere else (2nd Line)
Allow everything else (3rd line) - this means you have no firewall!

 

If you wanted a firewall enabled aswell then you could use the following commands which will give you a CBAC firewall which will allow established/inspected connections back in and the BLOCK_ALL ACL blocks everything coming in but allows you telnet!

ip inspect name DIALER_OUT cuseeme
ip inspect name DIALER_OUT ftp
ip inspect name DIALER_OUT h323
ip inspect name DIALER_OUT icmp
ip inspect name DIALER_OUT netshow
ip inspect name DIALER_OUT rcmd
ip inspect name DIALER_OUT realaudio
ip inspect name DIALER_OUT rtsp
ip inspect name DIALER_OUT esmtp
ip inspect name DIALER_OUT sqlnet
ip inspect name DIALER_OUT streamworks
ip inspect name DIALER_OUT tftp
ip inspect name DIALER_OUT tcp router-traffic
ip inspect name DIALER_OUT udp router-traffic timeout 300
ip inspect name DIALER_OUT vdolive
ip inspect name DIALER_OUT dns


interface Dialer 0
ip inspect DIALER_OUT out
ip access-group BLOCK_ALL in



ip access-list extended BLOCK_ALL
permit tcp host 456.456.456.456 eq 21 any eq 21
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any

 

A quick note about jonny7_2002's nat and access-list from above - access-list 101 should look like this:

access-list 101 permit tcp host 456.456.456.456 host 123.123.123.123 eq 23
access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any

And the nat statement like this:

ip nat inside source static tcp 192.168.3.149 23 123.123.123.123 23 extendable

Also, if you are not going to use the IOS firewall as Jonny outlined, I would suggest blocking inbound ssh and http on the dialer interface, or at least restricting it to trusted ip's.

Spice_Weasel

 

Oops...... thankyou for pointing out my mistake! Apologies, this was my early morning config and i only woke up about 2 hours after! lol

Yeah but to be fair if i would use the firewall otherwise there is alot more to worry about than just SSH & HTTP

 

Thanks guys.

I have applied a selection of your recommendations and have a working solution in place albiet prob not best practice. I will defo need to get some reading done on access lists etc before long. I have only been in this job since monday and things have been pretty intense from the word go. I'm now starting to look an SBS migration to Win Server 2003 and Exchange 2007 but thats a whole different story (and most likely another thread).

Thanks again for your help, I really appreciate it.

K.

 

no problem buddy, this site has helped me out loads so its nice to give something back when i can!

Good luck in your new job! it will all go fine im sure..... theres nothing like being thrown in the deep end!! lol