09-23-2002 08:19 AM - edited 03-09-2019 12:25 AM
Right now we're configured to use both Overloaded NAT (PAT Pool) and a few extendable static mappings. My question is concerning the Static Mapping where we have mail servers which can send on various ports which are not statically mapped. What's the best way to force the mail server to use the static mapping instead of defaulting to the PAT pool when it sends on the available application ports? I don't want to expose any other ports from the outside in other than 25 and 110 but, by mapping the IP alone, it opens everything. Should I configure access lists at this point? Is there a way to set this up to act like a PIX mapping with conduits to specified ports?
Thanks for your input -
09-23-2002 09:59 AM
Use static map with access-list to filter access. Access-lists are processed before NAT (http://www.cisco.com/warp/public/556/5.html).
eg. ip nat inside source static 10.10.10.1 x.x.x.x (public IP)
access-list 101 permit tcp any host x.x.x.x eq 25
access-list 101 permit tcp any host x.x.x.x eq 110
access-list 101 deny ip any any log
int s0
ip nat outside
ip access-group 101 in
Hope that helps
Steve
09-23-2002 11:30 AM
Steve, thanks for getting back to me. I'm sure this would work if we had a simple configuration on the 2621. We're using a few ACLs with route-maps for IPSec and load balancing which are cancelled out by the ACL above. I was wondering if you had any suggestions about where I could place the ACL on this config to allow IPSec and balancing to continue as well as protect these certain (mail server) IPs. I think this should be sufficient (there are more mappings, a PAT pool, and IPsec info). I've already tried adding it to both the beginning and end of the ACL list and all traffic halts. Let me know if you can help.
ip nat inside source static 10.0.x.x 65.219.x.x
ip prefix-list 1 seq 5 permit 65.219.x.0/24
ip prefix-list 1 seq 10 deny 0.0.0.0/0 le 32
!
ip prefix-list 2 seq 5 permit 65.219.x.0/25
ip prefix-list 2 seq 10 deny 0.0.0.0/0 le 32
!
ip prefix-list 3 seq 5 permit 65.219.x..x/25
ip prefix-list 3 seq 10 deny 0.0.0.0/0 le 32
access-list 1 permit 10.0.10.0 0.0.0.255
access-list 101 permit ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.0.50.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 102 permit ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
access-list 103 permit ip 10.0.10.0 0.0.0.255 10.0.30.0 0.0.0.255
access-list 120 permit ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
access-list 120 permit ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 10.0.10.0 0.0.0.255 10.0.30.0 0.0.0.255
access-list 130 deny ip 10.0.10.0 0.0.0.255 10.0.30.0 0.0.0.255
access-list 130 deny ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 130 deny ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
access-list 130 permit ip 10.0.10.0 0.0.0.255 any
access-list 130 permit ip 10.0.50.0 0.0.0.255 any
route-map to-wcomw0h31720 permit 10
match ip address prefix-list 1
set metric 10
!
route-map to-wcomw0h31720 permit 20
match ip address prefix-list 2
set community no-export
!
route-map to-wcomw0h31720 deny 30
!
route-map to-wcomw0h31724 permit 10
match ip address prefix-list 1
set metric 10
!
route-map to-wcomw0h31724 permit 20
match ip address prefix-list 3
set community no-export
!
route-map to-wcomw0h31724 deny 30
!
route-map NONAT permit 10
match ip address 130
!
route-map NONAT1 permit 10
match ip address 130
!
route-map ipsec permit 10
match ip address 120
set ip next-hop 1.2.1.2
09-24-2002 04:26 AM
Okay, you have the static NAT and the access-list to prevent the mail servers from being NATed/IPSECed to the public. So, I would try to place the ACL to restrict access to the mail servers outbound on the LAN-facing interface. As per http://www.cisco.com/warp/public/556/5.html, an outbound ACL is processed after NAT and IPSec.
eg. access-list 101 permit tcp any host 10.0.x.x eq 25
access-list 101 permit tcp any host 10.0.x.x eq 110
access-list 101 permit ip 10.0.30.0 0.0.0.255 host 10.0.x.x (optional if you want your VPN peers to access your mail servers fully)
access-list 101 deny ip any host 10.0.x.x log
access-list 101 permit ip any any
int e0/0
ip access-group 101 out
Hope it helps
Steve
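Added example, not from the thread: a small Python model of the IOS processing order Steve cites (inbound ACL before NAT, outbound ACL after it), with constructed addresses 10.0.10.5 and 65.219.1.5 standing in for the thread's 10.0.x.x / 65.219.x.x placeholders. It shows why the second ACL 101 must match the private address when applied outbound on the LAN interface, and why the same ACL applied inbound on the outside interface would let non-mail ports through, since at that point the destination is still the public address.

```python
import ipaddress

# Constructed example: the thread's placeholders 10.0.x.x / 65.219.x.x are
# instantiated as 10.0.10.5 (mail server) and 65.219.1.5 (its static NAT).
MAIL_INSIDE, MAIL_PUBLIC = "10.0.10.5", "65.219.1.5"
STATIC_NAT = {MAIL_PUBLIC: MAIL_INSIDE}  # ip nat inside source static ...

# Steve's second ACL 101 (applied 'ip access-group 101 out' on the LAN
# interface), as (action, proto, src, dst, dst-port) tuples.
ACL_101 = [
    ("permit", "tcp", "any", "host " + MAIL_INSIDE, 25),
    ("permit", "tcp", "any", "host " + MAIL_INSIDE, 110),
    ("permit", "ip", "10.0.30.0 0.0.0.255", "host " + MAIL_INSIDE, None),
    ("deny", "ip", "any", "host " + MAIL_INSIDE, None),
    ("permit", "ip", "any", "any", None),
]

def _ip(a):
    return int(ipaddress.IPv4Address(a))

def wc_match(addr, spec):
    """Match against 'any', 'host A', or 'A WILDCARD' (set wildcard bits = don't care)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec[5:]
    base, wild = spec.split()
    return (_ip(addr) | _ip(wild)) == (_ip(base) | _ip(wild))

def acl_permits(acl, pkt):
    """First matching entry wins; no match means the implicit deny."""
    for action, proto, src, dst, dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        if wc_match(pkt["src"], src) and wc_match(pkt["dst"], dst):
            return action == "permit"
    return False

def outside_to_inside(pkt, inbound_acl=None, outbound_acl=None):
    """IOS order for outside->inside traffic: inbound ACL (sees the public
    destination), then static NAT, then outbound ACL (sees the private one)."""
    if inbound_acl is not None and not acl_permits(inbound_acl, pkt):
        return False
    pkt = dict(pkt, dst=STATIC_NAT.get(pkt["dst"], pkt["dst"]))  # translate
    if outbound_acl is not None and not acl_permits(outbound_acl, pkt):
        return False
    return True
```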