How to selectively prevent LDAP traffic on an inbound WAN that is PAT'd using an ACL?

Justin DeVaughn
Level 1

Hi,

I am attempting to permit inbound LDAP and SMTP traffic from two particular IP subnets while denying it from all other sources.  The destination is simply the local area network subnet.  This seems like a very simple solution using this ACL and attaching it to the inbound WAN interface:

Access-List 150

  permit tcp (IP #1) 192.168.0.0 0.0.0.255 eq 389
  permit tcp (IP #2) 192.168.0.0 0.0.0.255 eq 389
  permit udp (IP #1) 192.168.0.0 0.0.0.255 eq 389
  permit udp (IP #2) 192.168.0.0 0.0.0.255 eq 389
  permit tcp (IP #1) 192.168.0.0 0.0.0.255 eq 25
  permit tcp (IP #2) 192.168.0.0 0.0.0.255 eq 25
  deny ip any any eq 389
  deny ip any any eq 25
  permit ip any any

The router is an 880 series with CCP for management (though I do not use it).  The server that requires connectivity to these outside IP addresses is statically PAT'd from the WAN interface IP address of 10.0.0.1 port 389 to its inside 192.168.0.230 port 389.

After using that ACL it prevented the server in question from connecting to the IPs I wanted to allow.  I've researched the order of operations of NAT a little bit and I'm wondering if I should change the destination IP addresses of the ACL rules to the inside global address that everything is being translated through?

Like this:

Access-List 150

  permit tcp (IP #1) 10.0.0.1 0.255.255.255 eq 389
  permit tcp (IP #2) 10.0.0.1 0.255.255.255 eq 389
  permit udp (IP #1) 10.0.0.1 0.255.255.255 eq 389
  permit udp (IP #2) 10.0.0.1 0.255.255.255 eq 389
  permit tcp (IP #1) 10.0.0.1 0.255.255.255 eq 25
  permit tcp (IP #2) 10.0.0.1 0.255.255.255 eq 25
  deny ip any any eq 389
  deny ip any any eq 25
  permit ip any any

This is simply my solution to preventing LDAP and SMTP traffic from most sources inbound into the LAN.  I'm open to all other solutions but I'm still curious about using an ACL in this manner with Static PAT being performed because I won't be able to test it until tomorrow if this works.

Regards,

Justin


Jennifer Halim
Cisco Employee

Yes, you are right. The access-list 150 destination subnet should be the translated IP address, not the real IP address, if you apply the access-list on the WAN interface.

Assuming that the traffic is inbound towards the WAN interface to the LAN subnet, and the translated IP from the WAN is 10.0.0.1, then access-list needs to be as stated from your second example.

Slight modification to the syntax for your reference as follows:

  permit tcp (IP #1) host 10.0.0.1 eq 389
  permit tcp (IP #2) host 10.0.0.1 eq 389
  permit udp (IP #1) host 10.0.0.1 eq 389
  permit udp (IP #2) host 10.0.0.1 eq 389
  permit tcp (IP #1) host 10.0.0.1 eq 25
  permit tcp (IP #2) host 10.0.0.1 eq 25
  deny tcp any any eq 389
  deny udp any any eq 389
  deny tcp any any eq 25
  permit ip any any

Hope this helps.

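Both the question and the accepted answer turn on one rule of the IOS order of operations: a packet entering the outside (WAN) interface is checked against the inbound ACL before outside-to-inside NAT is applied, so the ACL sees the inside global address 10.0.0.1 and never the server's real 192.168.0.230. The Python model below is an added example, not code from the thread or from Cisco. It parses the extended ACE syntax used above, evaluates both versions of access-list 150 against packets arriving on the WAN interface, and shows why the first version denies the partner's LDAP connection while the second permits it. The source subnets 203.0.113.0/24 and 198.51.100.0/24 are constructed stand-ins for the thread's (IP #1) and (IP #2); that both 389 and 25 are statically PAT'd is an assumption. It also flags the two syntax problems the answer corrected: `deny ip any any eq 389` is rejected because port operators apply only to tcp and udp, and `10.0.0.1 0.255.255.255` matches all of 10.0.0.0/8, not the single WAN address.

```python
"""IOS extended ACL model: inbound on the NAT outside (WAN) interface.

Added illustration, not code from the thread or from Cisco. It encodes one
IOS order-of-operations rule: a packet entering the outside interface hits
the inbound ACL BEFORE outside-to-inside NAT, so the ACL sees the inside
global address (10.0.0.1), never the server's real address (192.168.0.230).
"""
import ipaddress

INSIDE_GLOBAL = "10.0.0.1"       # WAN address carrying the static PAT (from the thread)
INSIDE_LOCAL = "192.168.0.230"   # real server address (from the thread)
STATIC_PAT_PORTS = {389, 25}     # assumption: both LDAP and SMTP are statically PAT'd

# Constructed placeholders for the thread's "(IP #1)" and "(IP #2)" source subnets.
IP1 = "203.0.113.0 0.0.0.255"
IP2 = "198.51.100.0 0.0.0.255"


def parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ~wildcard & 0xFFFFFFFF      # wildcard bits are the inverse of a netmask
    prefix = bin(netmask).count("1")      # assumes a contiguous wildcard, as in the thread
    return ipaddress.ip_network(f"{tok}/{prefix}", strict=False)


def parse_port(tokens):
    """Consume an optional 'eq N' port operator; return the port or None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_ace(line):
    """Parse 'permit|deny ip|tcp|udp SRC [eq N] DST [eq N]' into a dict."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported ACE: {line}")
    src, sport = parse_addr(tokens), parse_port(tokens)
    dst, dport = parse_addr(tokens), parse_port(tokens)
    if proto == "ip" and (sport is not None or dport is not None):
        # IOS rejects 'eq' on an 'ip' ACE: port operators exist only for tcp/udp.
        raise ValueError(f"'eq' is not valid with protocol ip: {line}")
    if tokens:
        raise ValueError(f"trailing tokens in ACE: {line}")
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def ace_is_valid(line):
    """True if the line is accepted as an extended ACE by this parser."""
    try:
        parse_ace(line)
        return True
    except (ValueError, IndexError):
        return False


def evaluate(acl, proto, src, sport, dst, dport):
    """IOS semantics: first matching ACE wins, implicit deny at the end."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in ace["src"]:
            continue
        if ipaddress.ip_address(dst) not in ace["dst"]:
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"


def wan_inbound(acl, proto, src, dport, sport=40000):
    """Verdict for an internet packet entering the WAN interface, addressed to
    the inside global 10.0.0.1: ACL first on the untranslated header, then
    static PAT rewrites the destination to 192.168.0.230 for mapped ports."""
    if evaluate(acl, proto, src, sport, INSIDE_GLOBAL, dport) == "deny":
        return "deny"
    if dport in STATIC_PAT_PORTS:
        return f"permit -> {INSIDE_LOCAL}:{dport}"
    return "permit (no static PAT entry)"


def build_acl(dst_spec):
    """The thread's access-list 150 with its destination written as dst_spec."""
    lines = [f"permit {proto} {src} {dst_spec} eq {port}"
             for port, proto in ((389, "tcp"), (389, "udp"), (25, "tcp"))
             for src in (IP1, IP2)]
    lines += ["deny tcp any any eq 389", "deny udp any any eq 389",
              "deny tcp any any eq 25", "permit ip any any"]
    return [parse_ace(line) for line in lines]


ACL_REAL_DST = build_acl("192.168.0.0 0.0.0.255")   # first attempt: real LAN subnet
ACL_GLOBAL_DST = build_acl(f"host {INSIDE_GLOBAL}")  # accepted answer: inside global

if __name__ == "__main__":
    for name, acl in (("real dst", ACL_REAL_DST), ("global dst", ACL_GLOBAL_DST)):
        print(name, "| partner LDAP:", wan_inbound(acl, "tcp", "203.0.113.10", 389),
              "| stranger LDAP:", wan_inbound(acl, "tcp", "192.0.2.5", 389))
    print("'deny ip any any eq 389' valid?", ace_is_valid("deny ip any any eq 389"))
    print("10.0.0.1 0.255.255.255 covers", parse_addr("10.0.0.1 0.255.255.255".split()))
```

Running the file shows the partner's LDAP packet denied under the real-subnet list and permitted under the `host 10.0.0.1` list, while an unknown source is denied on 389 in both. One caveat worth keeping in mind: the list ends in `permit ip any any`, so it filters only ports 389 and 25; anything else that reaches 10.0.0.1 is permitted by the ACL and left to the NAT table and the router's own services to accept or drop. That matches the goal stated in the question, but it is not a default-deny edge policy.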


Thank you much!  Worked like a charm.
