topic Sorry i´ve digited wrong The in Network Security

Static NAT problem with ZBF

Thiago Cella — Tue, 12 Mar 2019 04:22:55 GMT

Hi Friends,

In this scenario, the trafffic from INSIDE to OUTSIDE is working, but from OUTSIDE to INSIDE isnt working. For example, i created the NAT to 3389 , to external access to RDP, but no sucess.

Follow my config, TKS:

!
class-map type inspect match-any TRAFFIC
description TRAFFIC_MATCH
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any OUT-TO-IN
match access-group name OUT-TO-IN
!
!
policy-map type inspect OUT-TO-IN
class type inspect OUT-TO-IN
inspect
class class-default
drop
policy-map type inspect TRAFFIC_CLASS
class type inspect TRAFFIC
inspect
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security TRAF source INSIDE destination OUTSIDE
service-policy type inspect TRAFFIC_CLASS
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUT-TO-IN
!
!
!
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.248
ip nat outside
ip nat enable
ip virtual-reassembly
zone-member security OUTSIDE
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.92.251 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
zone-member security INSIDE
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.1
no ip http server
no ip http secure-server
!
!
ip nat inside source list inside_nat0_outbound interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.92.89 50 1.1.1.2 50 extendable
ip nat inside source static tcp 192.168.92.89 3389 1.1.1.2 3389 extendable
!
ip access-list extended OUT-TO-IN
permit tcp any host 192.168.92.11 eq 3389
permit tcp any host 192.168.92.89 eq 3389
permit tcp any host 1.1.1.2 eq 3389
permit tcp any host 192.168.92.89 eq 50
permit tcp any host 1.1.1.2 eq 50
ip access-list extended inside_nat0_outbound
deny ip 192.168.92.0 0.0.0.255 10.0.70.0 0.0.0.255
deny ip 192.168.93.0 0.0.0.255 10.0.70.0 0.0.0.255
deny ip 10.1.10.0 0.0.0.255 10.0.70.0 0.0.0.255
deny ip 10.2.1.0 0.0.0.255 10.0.20.0 0.0.0.255
deny ip 10.10.10.0 0.0.0.255 192.168.92.0 0.0.0.255
deny ip 192.168.92.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 192.168.92.0 0.0.0.255 any
permit ip 172.31.0.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any
!
disable-eadi
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end

The access-list is checked

Marvin Rhoads — Wed, 25 Jun 2014 14:51:32 GMT

The access-list is checked prior to un-NATting the address. Try with the outside address of your servers in "ip access-list extended OUT-TO-IN".

But the IP is there, look :

Thiago Cella — Wed, 25 Jun 2014 16:25:09 GMT

But the IP is there, look :

ip access-list extended OUT-TO-IN
permit tcp any host 192.168.92.11 eq 3389
permit tcp any host 192.168.92.89 eq 3389
permit tcp any host 1.1.1.2 eq 3389
permit tcp any host 192.168.92.89 eq 50
permit tcp any host 1.1.1.2 eq 50

I mean the 1.1.1.x public IP

Marvin Rhoads — Wed, 25 Jun 2014 16:25:10 GMT

I mean the 1.1.1.x public IP address that appears on your outside interface and associated zone.

Sorry i´ve digited wrong The

Thiago Cella — Wed, 25 Jun 2014 17:08:08 GMT

Sorry i´ve digited wrong

The ACL is the follow but dont working yet :

Friends, I removed the

Thiago Cella — Thu, 26 Jun 2014 11:34:01 GMT

Friends, I removed the command ip nat enable and works!!!

interface FastEthernet0/0

ip nat enable
!
interface FastEthernet0/1.1
ip nat enable

But i have another question, I created the DMZ ZONE, everthing works, but the DMZ network can ping the IP 192.168.92.251 ( Interface of the router-Inside Network). But following the config, the DMZ couldnt ping this address, is it correct?

zone security DMZ

interface FastEthernet0/1.2
encapsulation dot1Q 2
ip address 192.168.0.33 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security DMZ

class-map type inspect match-any DMZ-TO-ALL
match access-group name dmz_out

policy-map type inspect DMZ-TO-ALL

class type inspect DMZ-TO-ALL
inspect
class class-default
drop

zone-pair security DMZ-TO-ALL source DMZ destination OUTSIDE
service-policy type inspect DMZ-TO-ALL

ip access-list extended lab_out
deny ip 192.168.0.0 0.0.0.255 192.168.92.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any