08-14-2012 04:48 PM - edited 03-04-2019 05:16 PM
Hello,
I have a Cisco 2901 and need to expose an internal resource to the outside. I've set up the following:
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 1.1.1.1 4000 2.2.2.2 4000 extendable
ip nat inside source static tcp 1.1.1.1 44000 2.2.2.2 44000 extendable
ip nat inside source static tcp 1.1.1.1 443 2.2.2.2 443
ip nat inside source static tcp 1.1.1.1 80 2.2.2.2 80
ip nat inside source static 1.1.1.1 2.2.2.2
ip route 0.0.0.0 0.0.0.0 2.2.2.1
1.1.1.1 is the internal resource IP
2.2.2.2 is the WAN IP assigned to the resource via NAT
2.2.2.1 is the gateway as defined by the ISP
Browsing and whatnot works fine so I know my basic NAT is correct, but I suspect I need some ACLs to allow access from the outside because it isn't working now. Can someone point me in the right direction regarding the ACLs?
Thanks
08-14-2012 05:42 PM
Kris -
Can you add the config of your Gig0/0 interface and any ACLs applied to it?
Sent from Cisco Technical Support iPad App
08-14-2012 05:57 PM
Yes sir. Here is Gig0/0
interface GigabitEthernet0/0
description TelePacific Internet$FW_OUTSIDE$
ip address x.x.x.26 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
load-interval 30
duplex auto
speed auto
no cdp enable
no mop enabled
service-policy output WAN-EDGE
It looks like there are no ACLs applied to it but I don't have remote access to the router right now (only a copy of the config in notepad) so I can't say for certain.
08-14-2012 06:18 PM
Looks like you have a zone-based firewall configured (http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml). You should see the following command somewhere:
zone-pair security xxxxx source out-zone destination in-zone (guessing on this name)
service-policy type inspect zzzzzz
Then find the policy map entitled zzzzzz:
policy-map type inspect zzzzzz
class yyyyyy
Here you may have a class defined that is permitting some traffic in; look for the ACL referenced by that class. If you only have a class-default that is set to drop, you need to create a class map. Example below:
ip access-list extended NAT
! extended ACL syntax needs the host keyword and eq before the port
permit tcp any host 2.2.2.2 eq 4000
permit tcp any host 2.2.2.2 eq 44000
permit tcp any host 2.2.2.2 eq 443
permit tcp any host 2.2.2.2 eq 80
! you also have a blanket NAT entry in there; if you intend to open all ports you need the following
permit ip any host 2.2.2.2
!
class-map type inspect NAT
match access-group name NAT
!
policy-map type inspect zzzzzz
class type inspect NAT
pass
!
08-14-2012 09:42 PM
Thanks Benjamin. Here is what I found. The following config is already in the router; I have not made any changes yet.
zone security dmvpn-zone
zone security in-zone
zone security out-zone
zone-pair security sdm-zp-in-gre1 source in-zone destination dmvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security sdm-zp-gre-in1 source dmvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-out-gre source out-zone destination dmvpn-zone
service-policy type inspect sdm-permit-gre
zone-pair security ccp-zp-gre-out source dmvpn-zone destination out-zone
service-policy type inspect sdm-permit-gre
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
The policy map for sdm-permit-ip looks like this:
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
The access list for SDM_IP looks like this:
ip access-list extended SDM_IP
remark CCP_ACL Category=0
permit ip any any
The permit ip any any makes me think it should work without modification, but it's not working. I don't have experience with zone-based firewalls so I could be way off.
08-15-2012 01:47 AM
Hi,
If the WAN IP 2.2.2.2 is reachable from the ISP out to G0/0 then you must have:
zone-pair security out-in source out destination in
service-policy type inspect out-in
! policy-map type inspect takes the name after the type keywords
policy-map type inspect out-in
class type inspect out-in
inspect
! the class-map and ACL must exist before the policy-map and zone-pair reference them
class-map type inspect out-in
match access-group name out-in
ip access-list extended out-in
permit tcp any host 1.1.1.1 eq http
permit tcp any host 1.1.1.1 eq 443
permit tcp any host 1.1.1.1 eq 4000
permit tcp any host 1.1.1.1 eq 44000
Regards.
Alain
Don't forget to rate helpful posts.
08-15-2012 12:23 PM
Thanks Alain,
To confirm, the creation of zone-pair security out-in source out destination in would not conflict with any of the existing config, correct?
08-15-2012 12:26 PM
Correct, the default policy is to drop traffic though it is not listed. If you want the extra comfort you can modify the config with the following:
policy-map type inspect out-in
class type inspect out-in
inspect
class class-default
drop
08-15-2012 09:05 PM
Thanks to both of you for the help. I had to make a few changes for it to work. Here is what did it:
ip access-list extended out-in
permit tcp any host x.x.x.x eq 80
permit tcp any host x.x.x.x eq 443
permit tcp any host x.x.x.x eq 4000
permit tcp any host x.x.x.x eq 44000
class-map type inspect match-any out-in
match access-group name out-in
policy-map type inspect out-in
class type inspect out-in
inspect
zone-pair security out-in source out-zone destination in-zone
service-policy type inspect out-in
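As an added example that is not part of the thread: a small Python audit of an IOS configuration for the two problems this thread works through, a missing out-zone -> in-zone zone-pair and an ACL on that pair that does not cover every static NAT port. It assumes, as Alain's ACL does, that the class-map ACL is written against the inside local address (1.1.1.1) rather than the NAT global address, handles only the `permit tcp any host X eq P` entry form, and uses a constructed config condensed from the thread.

```python
# Constructed sample, condensed from the thread: the static NAT lines from the first
# post plus the out-zone -> in-zone policy from the last post; port 44000 is left out
# of the ACL on purpose so the audit has something to report.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 1.1.1.1 4000 2.2.2.2 4000 extendable
ip nat inside source static tcp 1.1.1.1 44000 2.2.2.2 44000 extendable
ip nat inside source static tcp 1.1.1.1 443 2.2.2.2 443
ip nat inside source static tcp 1.1.1.1 80 2.2.2.2 80
ip access-list extended out-in
 permit tcp any host 1.1.1.1 eq http
 permit tcp any host 1.1.1.1 eq 443
 permit tcp any host 1.1.1.1 eq 4000
class-map type inspect match-any out-in
 match access-group name out-in
policy-map type inspect out-in
 class type inspect out-in
  inspect
zone-pair security out-in source out-zone destination in-zone
 service-policy type inspect out-in
"""
PORTS = {"http": 80, "www": 80, "https": 443}  # port keywords accepted after 'eq'

def audit(cfg, out_zone="out-zone", in_zone="in-zone"):
    """Return findings for static TCP NAT ports the zone-based firewall would drop."""
    nat, acl, cmap, pmap, zpair, ctx = [], {}, {}, {}, {}, None
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[:6] == ["ip", "nat", "inside", "source", "static", "tcp"]:
            nat.append((t[6], int(t[7])))          # (inside local address, inside port)
        elif t[:3] == ["ip", "access-list", "extended"]:
            ctx, acl[t[3]] = ("acl", t[3]), set()
        elif t[:2] == ["class-map", "type"]:
            ctx, cmap[t[-1]] = ("cmap", t[-1]), []
        elif t[:3] == ["policy-map", "type", "inspect"]:
            ctx, pmap[t[3]] = ("pmap", t[3]), []
        elif t[:2] == ["zone-pair", "security"]:
            ctx = ("zp", (t[4], t[6]))           # (source zone, destination zone)
        elif ctx and ctx[0] == "acl" and t[0] == "permit" and "host" in t and "eq" in t:
            acl[ctx[1]].add((t[t.index("host") + 1], PORTS.get(t[-1]) or int(t[-1])))
        elif ctx and ctx[0] == "cmap" and t[:3] == ["match", "access-group", "name"]:
            cmap[ctx[1]].append(t[3])
        elif ctx and ctx[0] == "pmap" and t[:3] == ["class", "type", "inspect"]:
            pmap[ctx[1]].append(t[3])
        elif ctx and ctx[0] == "zp" and t[:3] == ["service-policy", "type", "inspect"]:
            zpair[ctx[1]] = t[3]
    pm = zpair.get((out_zone, in_zone))
    if pm is None:  # the original poster's starting point: no out -> in zone-pair at all
        return [f"no zone-pair {out_zone} -> {in_zone}: inbound NAT traffic is dropped"]
    # every (host, port) permitted by the ACLs of the classes in the attached policy
    allowed = {e for cm in pmap.get(pm, []) for a in cmap.get(cm, []) for e in acl.get(a, ())}
    return [f"{h}:{p} not permitted by policy {pm} (ACL must name the inside local address)"
            for h, p in nat if (h, p) not in allowed]
```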