topic PAT on 2851 router in Network Security

PAT on 2851 router

bsudol79p — Mon, 11 Mar 2019 10:57:40 GMT

Hello, I have PAT configured on a 2851 router, I have to create an access list that restricts the "outside world". I allowed HTTP to come into my network, but since this interface has PAT configured it is using dynamic ports for conversations and the ACL is blocking incoming HTTP traffic, I tried using the established command but that still does not work. Can anyone help me out with this? Any help would be greatly appreciated. Thanks

Re: PAT on 2851 router

rigoberto.cintron — Tue, 14 Aug 2007 14:37:10 GMT

Can you post your config?

Re: PAT on 2851 router

4mdvoters — Tue, 14 Aug 2007 14:58:23 GMT

are you using http incoming for all the systems or for only 1 particular server

Re: PAT on 2851 router

bsudol79p — Tue, 14 Aug 2007 15:00:13 GMT

this is the interface to the INternet That has PAT

interface Serial0/0/0.165 point-to-point

bandwidth 1536

ip address x.x.x.x x.x.x.x

ip access-group 104 in

ip nat outside

ip virtual-reassembly

frame-relay interface-dlci 165 IETF

this is the access list that is on the S 0/0/0.165 inbound

access-list 104 permit tcp any any eq www

access-list 104 permit tcp any any eq 443

access-list 104 permit tcp any gt 1023 any established

access-list 104 deny tcp any any eq telnet

Re: PAT on 2851 router

bsudol79p — Tue, 14 Aug 2007 15:03:10 GMT

the T1 is used for browsing and nothing else

I want to allow all http from anywhere, PAT uses the dynamic ports so I don't know how to configure the ACL to allow the HTTP conversations. Thanks

Re: PAT on 2851 router

rigoberto.cintron — Tue, 14 Aug 2007 16:09:02 GMT

Ok, you don't block ports with PAT. Can you post your NAT/PAT config?

In the mean time try this ACL config

interface Serial0/0/0.165 point-to-point

ip access-group 104 out

access-list 104 permit tcp "Your Network" any eq www

access-list 104 permit tcp "Your Network" any eq 443

access-list 104 permit tcp "Your Network" gt 1023 any established

access-list 104 deny ip any any

Re: PAT on 2851 router

bsudol79p — Tue, 14 Aug 2007 17:46:14 GMT

Here is the PAT statement

ip nat inside source list 103 interface Serial0/0/0.165 overload

and this is the access list to identify network for the PAT

access-list 103 permit ip 172.23.0.0 0.0.255.255 any

The HTTP traffic is blocked when I apply the access list 104 which is the access-list to block the outside world. Once I remore the access list traffic goes through, that is why I am pointing the problem to the access-list. Thanks again

Re: PAT on 2851 router

rigoberto.cintron — Tue, 14 Aug 2007 18:13:34 GMT

NAT is good. Since you are using NAT the outside world won't have access to the inside network. That's how NAT works. If you want restrict what the clients in your inside can access in the Outside you can use acl applied to the serial interface outbound or to the fastethernet inbound. You can use acl's to restrict traffic from the outside towards the inside with something like these:

interface Serial0/0/0.165 point-to-point

bandwidth 1536

ip address x.x.x.x x.x.x.x

ip access-group 107 in

ip nat outside

ip virtual-reassembly

frame-relay interface-dlci 165 IETF

access-list 107 deny tcp any any eq 42 log

access-list 107 deny tcp any any eq 95 log

access-list 107 deny tcp any any eq 5730 log

access-list 107 deny udp any any eq 5800 log

access-list 107 deny tcp any any eq 5900 log

access-list 107 deny tcp any any eq 6101 log

access-list 107 deny tcp any any range 6661 6669 log

access-list 107 deny tcp any any range 6711 6712 log

access-list 107 deny tcp any any eq 6776 log

access-list 107 deny tcp any any eq 7000 log

access-list 107 deny tcp any any range 12345 12346 log

access-list 107 deny tcp any any eq 16660 log

access-list 107 deny udp any any eq 27444 log

access-list 107 deny tcp any any eq 27665 log

access-list 107 deny tcp any any eq 31027

access-list 107 deny udp any any eq 31335 log

access-list 107 deny tcp any any range 31337 31338 log

access-list 107 deny tcp any any range 32700 32900 log

access-list 107 deny tcp any any eq 33270 log

access-list 107 deny tcp any any eq 39168 log

access-list 107 deny tcp any any eq 47017 log

access-list 107 deny tcp any any eq 65000 log

access-list 107 deny tcp any any eq 65301 log

access-list 107 deny ip 0.0.0.0 0.255.255.255 any log

access-list 107 deny ip host 255.255.255.255 any log

access-list 107 deny ip 127.0.0.0 0.255.255.255 any log

access-list 107 deny ip 10.0.0.0 0.255.255.255 any log

access-list 107 deny ip 172.16.0.0 0.15.255.255 any log

access-list 107 deny ip 192.168.0.0 0.0.255.255 any log

access-list 107 deny ip 169.254.0.0 0.0.255.255 any log

access-list 107 deny ip 192.0.2.0 0.0.0.255 any log

access-list 107 deny ip 224.0.0.0 15.255.255.255 any log

access-list 107 deny ip 240.0.0.0 7.255.255.255 any log

access-list 107 deny ip 248.0.0.0 7.255.255.255 any log

access-list 107 deny ip X.X.X.X X.X.X.X any log

access-list 107 permit icmp any any echo-reply

access-list 107 permit icmp any any source-quench

access-list 107 permit icmp any any unreachable

access-list 107 permit icmp any any time-exceeded

access-list 107 permit ip any x.x.x.x x.x.x.x <------Your Public Address

access-list 107 deny ip any any log

I use these on premise routers for anti-spoofing deny port that are require by a the security policy. But since you are using the outside don't have access to the inside unless you to do a static nat or port forwarding.

Re: PAT on 2851 router

bsudol79p — Tue, 14 Aug 2007 18:30:02 GMT

Thanks a lot!!!! So you are saying that since this is a NAT interface I do not have to apply an access-list to block the Outside World to my internal network since the NAT will block it anyway. And I should just

use the acl 107 you provided for spoofing right? Thanks for all the help!!!

Re: PAT on 2851 router

rigoberto.cintron — Tue, 14 Aug 2007 18:35:21 GMT

Pretty much, you can change the ACL anyway you want.

Re: PAT on 2851 router

srue — Tue, 14 Aug 2007 18:39:45 GMT

There's nothing wrong with blocking incoming traffic from spoofed addresses, even if NAT is in use. However, I would argue that you don't need to enable logging on all those ACE's.

Re: PAT on 2851 router

rigoberto.cintron — Tue, 14 Aug 2007 18:45:23 GMT

If you want to know more about NAT check these links:

http://www.cisco.com/en/US/products/ps6640/products_ios_protocol_group_home.html

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080091cb9.shtml

Re: PAT on 2851 router

bsudol79p — Tue, 14 Aug 2007 18:57:25 GMT

thanks for all of your help. I learned a lot for you.

Re: PAT on 2851 router

rigoberto.cintron — Tue, 14 Aug 2007 18:59:10 GMT

I know, it's just a required evil in my job.