03-26-2012 05:29 AM - edited 03-11-2019 03:46 PM
Hello,
Thank you for taking the time to read this.
I am trying to achieve the following scenario. I would like the below IP NAT rules to only be usable on an external basis from a handful of hosts, then implicitly deny all other inbound traffic.
The IP NAT rules are for port forwarding to an internal server. These rules all work fine; I can access them from any host, but as said I would like to lock this down to only a couple of hosts on the internet and then deny the rest.
++++ INTERFACES ++++
interface GigabitEthernet0/0
description +++ CIRCUIT ID +++
ip address 79.x.x.x 255.255.255.252
ip nat outside
duplex auto
speed auto
interface GigabitEthernet0/1
description +++ LAN +++
ip address 192.168.1.254 255.255.255.0 secondary
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
++++ IP NAT RULES * ++++
ip nat inside source static tcp 192.168.1.15 8819 79.x.x.x 8819 extendable
ip nat inside source static udp 192.168.1.15 8819 79.x.x.x 8819 extendable
ip nat inside source static tcp 192.168.1.15 8845 79.x.x.x 8845 extendable
ip nat inside source static udp 192.168.1.15 8845 79.x.x.x 8845 extendable
ip nat inside source static tcp 192.168.1.15 8989 79.x.x.x 8989 extendable
ip nat inside source static udp 192.168.1.15 8989 79.x.x.x 8989 extendable
++++ ACCESS LIST ++++
access-list 101 remark Allowed IP NAT HOSTS
access-list 101 permit tcp host 195.x.x.x any log
access-list 101 permit udp host 195.x.x.x any log
access-list 101 permit tcp host 79.x.x.x any log
access-list 101 permit udp host 79.x.x.x any log
access-list 101 deny ip any host 255.255.255.255 log
Can anyone provide some advice on how I can achieve this?
Thank you all very much for taking the time to assist me with this.
- Ashley
03-26-2012 06:09 AM
Hi Ashley,
An ACL will do the trick.
Router(config)# object-group network obj-allowhosts
Router(config-network-group)# host 209.165.200.237
Router(config-network-group)# host 209.165.200.238
Router(config-network-group)# range 209.165.200.239 209.165.200.240
Router(config-network-group)# 209.165.200.241 255.255.255.224
Router(config)# object-group service obj-allowports
Router(config-service-group)# tcp eq 8819
Router(config-service-group)# udp eq 8819
Router(config-service-group)# tcp eq 8845
Router(config-service-group)# udp eq 8845
Router(config-service-group)# tcp eq 8989
Router(config-service-group)# udp eq 8989
Router(config)# ip access-list extended acl-allowinside
Router(config-ext-nacl)# permit object-group obj-allowports object-group obj-allowhosts host 79.x.x.x
Router(config-ext-nacl)# deny object-group obj-allowports any host 79.x.x.x
Router(config-ext-nacl)# permit ip any any
If you have CBAC set up on your router you can also change the very last entry "permit any any" to "deny any any".
If you do not have CBAC then you require "permit any any" at the end of the ACL.
At last, do not forget to apply the ACL on the interface.
interface GigabitEthernet0/0
ip access-group acl-allowinside in
Hope that helps.
thanks
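One way to combine the accepted answer with Jouni's point about return traffic, as an added example that is not the poster's or the answerer's configuration: the public addresses 198.51.100.10 and 203.0.113.20 are placeholders for the two allowed internet hosts, the object-group and ACL names are assumed, and 79.x.x.x stands for the outside address as masked in the thread. It assumes an IOS image with object-group ACLs and CBAC (`ip inspect`). Because IOS evaluates the inbound ACL on the outside interface before NAT, the ACEs match the public address 79.x.x.x, not the internal 192.168.1.15.

```cisco
! Added example, not the poster's running config. Placeholders:
! 198.51.100.10 / 203.0.113.20 = the two internet hosts allowed to use the
! port forwards; 79.x.x.x = the outside address, masked as in the thread.
!
! Hosts that may reach the forwarded ports
object-group network obj-allowhosts
 host 198.51.100.10
 host 203.0.113.20
!
! The forwarded ports; tcp-udp matches both transports in one entry
object-group service obj-allowports
 tcp-udp eq 8819
 tcp-udp eq 8845
 tcp-udp eq 8989
!
! Inbound ACL on the outside interface. Checked before NAT, so the
! destination seen here is still the public address 79.x.x.x.
ip access-list extended acl-outside-in
 remark Listed hosts -> forwarded ports (logged)
 permit object-group obj-allowports object-group obj-allowhosts host 79.x.x.x log
 remark Anyone else -> forwarded ports: drop and log
 deny object-group obj-allowports any host 79.x.x.x log
 remark TCP replies to sessions opened from the LAN (ACK or RST set)
 permit tcp any any established
 remark Everything else. Safe with CBAC below; without CBAC use
 remark "permit ip any any" here instead, as the accepted answer says
 deny ip any any log
!
! CBAC tracks TCP/UDP/ICMP sessions started from the LAN and opens the
! return path dynamically, which "established" cannot do for UDP or ICMP
ip inspect name LAN-OUT tcp
ip inspect name LAN-OUT udp
ip inspect name LAN-OUT icmp
!
interface GigabitEthernet0/1
 ip inspect LAN-OUT in
!
interface GigabitEthernet0/0
 ip access-group acl-outside-in in
```

The deny for the forwarded ports is placed above the `established` line on purpose: an ACK-flagged packet to 8819 from an unlisted host is then still dropped and logged rather than slipping through on the `established` match. After applying it, `show access-lists acl-outside-in` shows per-ACE hit counters, and `show ip inspect sessions` lists the outbound sessions CBAC is currently holding open.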
03-26-2012 05:52 AM
Hi,
I'm rusty regarding the NAT/ACL configurations on routers/L3 switches.
It seems in the configurations that you haven't attached the access-list to the interface yet. I think you still need to add some statements/ACEs to the ACL you have there. As we're dealing with a router, you will have to take into consideration the return traffic to your connections from the LAN.
The above ACL would, to my understanding, block all return traffic for normal web browsing etc.
I think the ACE that you need to add to the top of the ACL is "access-list 101 permit tcp any any established" so it permits return traffic for already established TCP connections.
Also, if the ACL is meant to be an access-list attached to the outside interface for traffic entering the interface, I think you could specify the service ports in the permit statements instead of permitting the whole port range.
All this would be much easier, though, if you handled the firewall/NAT with an actual firewall appliance.
I will leave the more specific answer and suggestions to someone who has more experience with routers, as I have probably missed something.
- Jouni