02-22-2006 03:50 AM - edited 03-03-2019 01:57 AM
If I am hosting an FTP and web server to the web, I have NATed across the server with both ports to my external address. Can anyone tell me how I would set an access list to allow only, say, 88.100.33.10 from the outside world to access these services?
thanks a million
02-22-2006 06:56 AM
Hi,
Say you wanted to configure an input ACL on the WAN interface: the router will check the ACL before performing NAT. Therefore your extended ACL should match the source address you have specified and, as destination, the external address with the relevant ports. Something like
ip access-list ext EXTERNAL
permit tcp host 88.100.33.10 host
Don't forget to allow return traffic originated from inside or any other type of traffic which needs to enter your network. Reflexive ACLs are very good for this.
FYI, if you were to do the ACL on the inside interface as an output ACL, NAT will be done before the ACL is checked by the router, in which case the ACL needs to match your host's internal IP address.
Rgds
E.
02-22-2006 02:25 PM
Hello,
It would depend on how you NAT'd the FTP/HTTP servers. If you did a static NAT - e.g.
server 10.1.1.1:80 --> 63.1.2.3:80
server 10.1.1.2:21 --> 63.1.2.3:21
then applying an ACL on the WAN as an ingress interface would look something similar to
access-list 101 permit tcp any host 63.1.2.3 eq www
access-list 101 permit tcp any host 63.1.2.3 eq ftp
NOTE: There is an implicit deny any at the end of the ACL. If you added only those 2 lines to the ACL, all other traffic would be denied.
You can use this in conjunction with CBAC for more granular control.
If you're using a dynamic NAT where the ports on the outside can change, you will not be able to nail down the ACL specifically.
Hope this helps.
Regards,
James
02-22-2006 03:11 PM
If you use the extendable keyword, this is how it is done using the external interface's public IP address.
int e0
ip address 192.168.1.1 255.255.255.0
ip nat inside
int s0
ip address
ip nat outside
ip nat inside source static tcp 192.168.1.100 80
ip nat inside source static tcp 192.168.1.100 25
where 192.168.1.100 is your internal server.
You can also overload on s0 for other hosts for dynamic NAT.
Users from the outside can now access your internal host on ports 80 and 25, assuming your ACL allows them in. Traffic initiated from the outside will have destination port either 80 or 25.
Traffic from your servers to the outside will keep the source port, as this is a static NAT translation. In this scenario the return traffic will have source port either 80 or 25, so you can design your ACLs as you wish as long as you get the direction correct.
HTH
E.
02-23-2006 02:02 AM
What if I had 2 web servers? How would traffic coming in know where to go?
02-23-2006 02:57 AM
I don't think you can do this. If the session is initiated from the outside the router will not know which web server to forward the traffic to. I think this is the point where you will need another public address.
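Pulling the replies above together, here is an added example configuration (written for this thread, not taken from any of the posts) that does what the original question asks: static PAT for one internal server on the WAN interface address, an inbound ACL on that interface that admits only 88.100.33.10 to ports 80 and 21, and a second public address for a second web server as the last reply describes. The interface names, the 255.255.255.248 mask and the second server's addresses (192.168.1.101 and 63.1.2.4) are assumptions; the other addresses are the ones used in the thread.

```cisco
! Added example, not from any post in this thread.
! Inside LAN interface (name assumed)
interface Ethernet0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Outside WAN interface (name and mask assumed); the ACL is applied
! inbound here, so it is evaluated BEFORE NAT and must match the
! public (pre-translation) destination address.
interface Serial0
 description WAN
 ip address 63.1.2.3 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! Static PAT: public 63.1.2.3:80 and 63.1.2.3:21 map to the internal
! server 192.168.1.100. "extendable" allows several port mappings on
! the same public address (and lets that address also serve an
! overload pool for other hosts).
ip nat inside source static tcp 192.168.1.100 80 63.1.2.3 80 extendable
ip nat inside source static tcp 192.168.1.100 21 63.1.2.3 21 extendable
!
! A second web server cannot share 63.1.2.3:80, so it gets its own
! public address (assumed: 63.1.2.4, routed to this router).
ip nat inside source static tcp 192.168.1.101 80 63.1.2.4 80 extendable
!
ip access-list extended OUTSIDE-IN
 ! Only the one remote host may reach the published services.
 permit tcp host 88.100.33.10 host 63.1.2.3 eq www
 permit tcp host 88.100.33.10 host 63.1.2.3 eq ftp
 permit tcp host 88.100.33.10 host 63.1.2.4 eq www
 ! Replies to TCP sessions started from the inside. This is the
 ! crude form; reflexive ACLs or CBAC (mentioned in the replies)
 ! track sessions properly and also cover UDP/ICMP.
 permit tcp any any established
 ! Everything else hits the implicit deny at the end of the list.
!
```

Two things to check after applying it: `show ip nat translations` should list the three static entries, and `show access-lists OUTSIDE-IN` should show the hit counters climbing on the permit lines when 88.100.33.10 connects. One caveat for the FTP entry: the two permit lines cover the control channel on port 21 only; passive-mode data connections from the client arrive on ephemeral server ports and will be dropped by this ACL unless FTP-aware inspection (the CBAC option mentioned above) opens them dynamically.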