06-07-2012 09:37 AM - edited 02-21-2020 04:40 AM
Might sound silly...
I thought I would just apply an ACL to the NAT rule, but the bugger says no.
Trying to lock this:
ip nat inside source static tcp 192.168.3.10 3389 interface GigabitEthernet0/0 3389
down to only permitted external addresses (for obvious reasons).
Been a long day, so I might just be missing the obvious.
06-09-2012 01:42 AM
You should use an access-list and apply it to the outside interface (gig0/0) and only allow specific access.
Remember to configure CBAC if you don't already have it, and apply it in the outbound direction on gig0/0 to allow return traffic when traffic is initiated from the internal network.
06-10-2012 12:08 PM
I am a bit nervous of ZBFW and CBAC at the mo, as both broke the L2L VPNs.
The router is only a branch office, and should only be letting in one or two services. I would rather stop the other services than break the live config.
Would this do the trick?
interface GigabitEthernet0/0
ip address 146.255.x.x 255.255.x.x
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
ip access-group 199 in
crypto map l2l
!
interface GigabitEthernet0/1
ip address 192.168.3.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip nat inside source list 175 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.3.10 1723 interface GigabitEthernet0/0 1723
ip nat inside source static tcp 192.168.3.10 3389 interface GigabitEthernet0/0 3389
ip route 0.0.0.0 0.0.0.0 146.255.x.x
!
ip access-list 199
permit tcp host 92.236.x.x eq 3339 host 192.168.3.10 eq 3389
permit tcp host 80.229.x.x eq 3339 host 192.168.3.10 eq 3389
permit tcp host 208.67.x.x eq 3339 host 192.168.3.10 eq 3389
permit tcp host 24.234.x.x eq 3339 host 192.168.3.10 eq 3389
permit tcp host 203.143.x.x eq 3339 host 192.168.3.10 eq 3389
permit tcp host 192.168.3.10 eq 3339 any eq 3389
permit ahp any any
permit esp any any
permit gre any any
permit tcp any any eq 443
permit tcp any any eq cmd
permit tcp any any eq 22
Remark PPTP IN
permit tcp any eq 1723 host 192.168.3.10 eq 1723 log
remark pptp out
permit tcp host 192.168.3.10 eq 1723 any eq 1723 log
REMARK IPSEC L2L Traffic
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 permit ip 192.168.3.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
REMARK Stop IPSEC from USING NAT
access-list 175 deny ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 175 deny ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 175 deny ip 192.168.3.0 0.0.0.255 172.16.20.0 0.0.0.255
REMARK Allow outbound LAN traffic for all other traffic VIA NAT
access-list 175 permit ip 192.168.3.0 0.0.0.255 any
!
06-10-2012 08:10 PM
Here is the correct syntax for ACL 199:
ip access-list 199
permit tcp host 92.236.x.x host 146.255.x.x eq 3389
permit tcp host 80.229.x.x host 146.255.x.x eq 3389
permit tcp host 208.67.x.x host 146.255.x.x eq 3389
permit tcp host 24.234.x.x host 146.255.x.x eq 3389
permit tcp host 203.143.x.x host 146.255.x.x eq 3389
permit udp any any eq 500
permit udp any any eq 4500
permit esp any any
permit ah any any
permit gre any any
permit tcp any host 146.255.x.x eq 1723
ip inspect name out-traffic tcp
ip inspect name out-traffic udp
ip inspect name out-traffic icmp
ip inspect name out-traffic ftp
interface GigabitEthernet0/0
ip inspect out-traffic out
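To make the difference between the two versions of ACL 199 concrete, here is a small Python model (added for this thread, not Cisco code or anything the posters wrote) of how an ACL applied "in" on the outside interface is evaluated: first match wins, implicit deny at the end, and the packet is matched before inside-destination NAT, so the destination is still the router's public address. It also pins the asker's other mistake, source port "eq 3339", since RDP clients use an ephemeral source port. The public and admin addresses (203.0.113.10, 198.51.100.5, 192.0.2.x) are constructed documentation values standing in for the masked 146.255.x.x and 92.236.x.x, and cbac_allows is a deliberately minimal stand-in for the "ip inspect ... out" session table, not an implementation of IOS inspection.

```python
# Added example: model of inbound ACL evaluation on Gi0/0 for the RDP port-forward.
# Addresses are constructed stand-ins for the masked values in the thread.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PUBLIC = "203.0.113.10"      # stands in for the Gi0/0 address 146.255.x.x (constructed)
ADMIN = "198.51.100.5"       # stands in for one permitted source, e.g. 92.236.x.x (constructed)
RDP_SERVER = "192.168.3.10"  # inside host from the thread


@dataclass(frozen=True)
class Packet:
    proto: str                   # tcp, udp, esp, ah, gre
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                  # permit / deny
    proto: str                   # "ip" matches any protocol
    src: str                     # "any" or a CIDR ("host x" is x/32)
    dst: str
    sport: Optional[int] = None  # None means any port
    dport: Optional[int] = None


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def _port_ok(spec: Optional[int], port: Optional[int]) -> bool:
    return spec is None or spec == port


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    proto_ok = ace.proto == "ip" or ace.proto == pkt.proto
    return (proto_ok and _addr_ok(ace.src, pkt.src) and _addr_ok(ace.dst, pkt.dst)
            and _port_ok(ace.sport, pkt.sport) and _port_ok(ace.dport, pkt.dport))


def evaluate(acl, pkt: Packet) -> str:
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The asker's ACL 199 as posted: source port pinned to 3339 and the *inside*
# address as destination. An inbound ACL on the outside interface sees the
# packet before NAT, so the destination is still PUBLIC and nothing matches.
ORIGINAL_199 = [
    Ace("permit", "tcp", f"{ADMIN}/32", f"{RDP_SERVER}/32", sport=3339, dport=3389),
    Ace("permit", "tcp", "any", "any", dport=443),
]

# The corrected ACL from the reply: any source port, public address as
# destination, plus the IPsec/PPTP control traffic the branch VPNs need.
CORRECTED_199 = [
    Ace("permit", "tcp", f"{ADMIN}/32", f"{PUBLIC}/32", dport=3389),
    Ace("permit", "udp", "any", "any", dport=500),
    Ace("permit", "udp", "any", "any", dport=4500),
    Ace("permit", "esp", "any", "any"),
    Ace("permit", "ah", "any", "any"),
    Ace("permit", "gre", "any", "any"),
    Ace("permit", "tcp", "any", f"{PUBLIC}/32", dport=1723),
]

# Sample packets arriving inbound on Gi0/0 (constructed).
RDP_FROM_ADMIN = Packet("tcp", ADMIN, PUBLIC, sport=51234, dport=3389)
RDP_FROM_STRANGER = Packet("tcp", "192.0.2.77", PUBLIC, sport=40000, dport=3389)
ISAKMP = Packet("udp", "192.0.2.1", PUBLIC, sport=500, dport=500)
# Reply to an outbound HTTPS session: source port 443, ephemeral destination port,
# so neither ACL's "eq 443" or "eq 3389" entries will ever match it.
HTTPS_REPLY = Packet("tcp", "192.0.2.9", PUBLIC, sport=443, dport=52000)


def cbac_allows(session_table, pkt: Packet) -> bool:
    """Minimal stand-in for 'ip inspect out-traffic out' (hypothetical model):
    a reply is admitted only if it mirrors a session recorded on the way out."""
    return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in session_table


def inbound_decision(acl, pkt: Packet, session_table=frozenset()) -> str:
    """Inspection pinholes for return traffic are consulted before the static ACL."""
    if cbac_allows(session_table, pkt):
        return "permit (inspect)"
    return evaluate(acl, pkt)


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_199), ("corrected", CORRECTED_199)):
        for pkt in (RDP_FROM_ADMIN, RDP_FROM_STRANGER, ISAKMP, HTTPS_REPLY):
            print(f"{name:9} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}: "
                  f"{inbound_decision(acl, pkt)}")
    # Outbound session recorded by inspection: PUBLIC:52000 (post-NAT) to 192.0.2.9:443.
    sessions = frozenset({("tcp", PUBLIC, 52000, "192.0.2.9", 443)})
    print("https reply with inspect:", inbound_decision(CORRECTED_199, HTTPS_REPLY, sessions))
```

Running it shows the original ACL denying even the permitted admin's RDP connection, the corrected ACL permitting it while still denying an unknown source, and the HTTPS reply being dropped by both static ACLs until the inspection session table lets it through, which is why the reply pairs the inbound ACL with "ip inspect ... out" on the same interface.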
06-11-2012 10:15 AM
Ok, I understand outbound inspection. Seems to work fine. But are you saying I should apply the ACL to the interface inbound?
So I want to filter on the ingress traffic and, for now, let all traffic on the egress.
I want to allow port 1723, external management and RDP from those IPs. The problem with the CCP tool is that even for the basic firewall it adds loads of extra, and adds a deny all traffic outbound at the end for egress.
So this should be enough to allow egress:
access-list 175 permit ip 192.168.3.0 0.0.0.255 any
I guess I would need an access list of 174 or less for that to work correctly?
Cheers again.
06-11-2012 07:07 PM
If you don't care about egress traffic, then you don't need to apply any access-list, and it would allow everything going outbound.
However, you can configure an ACL that only permits 192.168.3.0/24 to go outbound and apply it on gig0/0 in the outbound/egress direction. Use any unique ACL number (174 is OK), as 175 has been used for the NAT statement.
06-12-2012 12:27 AM
Thanks...
I think I will have a play with ZBFW, just not on a live system.