05-05-2018 04:00 AM - edited 02-21-2020 07:42 AM
Hello
I want to create an access control list on a router that does the following:
1) Deny all inbound traffic with network addresses matching internal registered IP addresses
2) Deny all ICMP echo request traffic
3) Deny all inbound Microsoft Active Directory
4) Deny all inbound Microsoft SQL Server Ports
5) Deny all Microsoft Domain Local Broadcast
6) Allow traffic to SMTP server
7) Allow traffic to internal IMAP Server
I also have to remove this line from my start-up configuration:
ip nat inside source list 100 interface Serial1/0 overload
My Router0 configuration is as follows:
Router#show run
Router#show running-config 
Building configuration...
Current configuration : 1344 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 ip address 10.1.11.10 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
 standby 1 ip 10.1.11.12
 standby 1 priority 110
 standby 1 preempt
!
interface Serial1/0
 ip address 203.1.1.2 255.255.255.0
 ip nat outside
!
interface Serial1/1
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial1/2
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial1/3
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial1/4
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial1/5
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial1/6
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial1/7
 no ip address
 clock rate 2000000
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 100 interface Serial1/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 203.1.1.1 
ip route 10.1.20.0 255.255.255.0 10.1.11.1 
!
ip flow-export version 9
!
!
!
no cdp run
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end
05-05-2018 04:39 AM
Hi,
Example ACL below. Please note that all traffic that isn't explicitly permitted (such as SMTP/IMAP) would match the last rule, deny any, which covers your requirements 2, 3, 4 and 5. The last rule, deny any, is actually required, as there is a default implied deny; it's here for your reference.
ip access-list extended WAN_ACL
 remark DENY RFC 1918
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.0.15.255 any
 remark PERMIT SMTP
 permit tcp any host 203.x.x.x eq 25
 remark PERMIT IMAP and IMAPS
 permit tcp any host 203.x.x.x eq 143
 permit tcp any host 203.x.x.x eq 993
 remark DENY ALL REMAINING TRAFFIC
 deny ip any any
 
interface serial 1/0
 ip access-group WAN_ACL in
 
You would need static NAT entries for the SMTP/IMAP server; modify the ACL above with the correct IP address.
To disable the NAT overload rule, do this:
no ip nat inside source list 100 interface Serial1/0 overload
HTH
05-05-2018 06:12 AM
Hi,
Do you have any static NAT entries for the SMTP/IMAP server(s)? If not, what is the private IP address of these server(s)? Are you planning on using 203.1.1.2 as the public IP address for these servers, or do you have another IP address to dedicate to this use?
Which ACL do you want to use? The original with the deny ip any any at the end or ?
05-05-2018 07:07 AM
Hi,
This ACL below should meet your requirements. Traffic from loopback, multicast and private source addresses is explicitly denied. Inbound SMTP and IMAP is permitted; any other traffic (which includes ICMP, as per your requirement) is blocked.
You mention that DNS, SMTP and FTP should be allowed through the firewall; I assume you mean OUTBOUND? This ACL below is applied on the Serial interface INBOUND, so no OUTBOUND traffic will be denied; in fact, all OUTBOUND traffic will be allowed.
ip access-list extended WAN_ACL
 remark DENY SPECIAL USE ADDRESSES
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 224.0.0.0 31.255.255.255 any
 remark DENY RFC 1918
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.0.15.255 any
 remark PERMIT SMTP
 permit tcp any host 203.1.1.2 eq 25
 remark PERMIT IMAP and IMAPS
 permit tcp any host 203.1.1.2 eq 143
 permit tcp any host 203.1.1.2 eq 993
 remark DENY ALL REMAINING TRAFFIC
 deny ip any any
 
interface serial 1/0
 ip access-group WAN_ACL in
Define static NAT entries for the Mail Server on the SMTP and IMAP ports. No other static NAT mappings need to be applied as you are only allowing inbound SMTP/IMAP.
 
ip nat inside source static tcp 10.1.11.20 25 interface Serial 1/0 25
ip nat inside source static tcp 10.1.11.20 143 interface Serial 1/0 143
ip nat inside source static tcp 10.1.11.20 993 interface Serial 1/0 993
You probably want to leave the original NAT overload command in place; that is the NAT for all servers/PCs on the network, allowing them Internet access.
HTH
05-05-2018 08:46 AM
I don't have Packet Tracer; I assume the command (possibly the serial interface) is not accepted.
Try this:
ip nat inside source static tcp 10.1.11.20 25 203.1.1.2 25
ip nat inside source static tcp 10.1.11.20 143 203.1.1.2 143
ip nat inside source static tcp 10.1.11.20 993 203.1.1.2 993