06-07-2019 09:08 AM
I have a Cisco 4331 router. I use it to NAT to several RFC 1918 LAN spaces behind the router, connecting IPsec tunnels to the appropriate destinations. I have various NAT statements like this:
ip nat inside source static udp 192.168.0.102 500 x.x.x.2 500 extendable
ip nat inside source static udp 192.168.0.102 4500 x.x.x.2 4500 extendable
That works perfectly well, blocking all ingress save the desired IPsec UDP ports. The public-facing IP address x.x.x.2 is on the same GE port as 192.168.0.1, and NAT routes only the ports I want and drops everything else.
But I also want to do this in the egress direction.
I have spent hours reading the available docs, but the answer to my challenge eludes me. I need a simple way to block egress from the LAN space. E.g., in the example above, I want to prohibit ALL TCP from exiting the 192.168.0.x address space, and ALL UDP except the two ports I have NAT'ed.
Can someone point me to the best solution?
Much appreciated.
I have placed iptables entries in the machines on the network to prevent this, but I want the router to block also.
06-07-2019 09:32 AM
Hello Nathan,
You can use an extended IP ACL applied outbound (= egress) on the ip nat outside interface.
The IP ACL must allow the flows you need, including the IPsec connections and any other traffic you want to allow.
access-list 111 permit udp host x.x.x.x host y.y.y.y eq 500
access-list 111 permit udp host x.x.x.x host y.y.y.y eq 4500
access-list 111 permit icmp host x.x.x.x host y.y.y.y
! other permit lines as needed
access-list 111 deny tcp any any
access-list 111 deny udp any any
interface gi0/0
! interface with ip nat outside
ip access-group 111 out
As an alternative, you can configure an inbound ACL on the internal (ip nat inside) interface.
Hope to help
Giuseppe
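The following is an added example, not part of the original thread or Giuseppe's post, that writes out both placements he mentions as named extended ACLs for the scenario in the question. The interface names (GigabitEthernet0/0/0 as the ip nat outside port, GigabitEthernet0/0/1 as the ip nat inside port) and the peer address y.y.y.y are assumptions; 192.168.0.102 and x.x.x.2 come from the question. The point the two variants make is where NAT sits relative to the ACL: an inbound ACL on the inside interface is evaluated before inside-to-outside translation and therefore matches the private address, while an outbound ACL on the outside interface is evaluated after translation and must match the public inside-global address.

```cisco
! Added example, not from the original thread. Interface names and the
! peer address y.y.y.y are assumptions; the other addresses are from the question.
!
! Variant A: filter on the inside interface, INBOUND, before NAT.
! The ACL sees the private (pre-NAT) source address, so the policy reads
! the way the question was asked: only this host, only these two UDP ports.
ip access-list extended LAN-EGRESS-IN
 remark --- IKE and NAT-T from the one host that has static NAT for them ---
 permit udp host 192.168.0.102 eq 500 host y.y.y.y eq 500
 permit udp host 192.168.0.102 eq 4500 host y.y.y.y eq 4500
 remark --- all other TCP and UDP leaving 192.168.0.0/24 is dropped and logged ---
 deny   tcp 192.168.0.0 0.0.0.255 any log
 deny   udp 192.168.0.0 0.0.0.255 any log
 remark --- no ESP line: with NAT-T the ESP payload rides inside UDP/4500;
 remark --- anything not listed above, ESP included, hits the implicit deny ---
!
interface GigabitEthernet0/0/1
 description LAN side (ip nat inside) - assumed interface name
 ip access-group LAN-EGRESS-IN in
!
! Variant B (the accepted answer): filter on the outside interface, OUTBOUND,
! after NAT. The source here is the public inside-global address x.x.x.2,
! not 192.168.0.102, because translation happens before the outbound ACL.
ip access-list extended WAN-EGRESS-OUT
 permit udp host x.x.x.2 eq 500 host y.y.y.y eq 500
 permit udp host x.x.x.2 eq 4500 host y.y.y.y eq 4500
 remark --- 'any any' here covers every inside LAN this router NATs, so
 remark --- permits for the other LANs' translated flows belong above this line ---
 deny   tcp any any log
 deny   udp any any log
!
interface GigabitEthernet0/0/0
 description WAN side (ip nat outside) - assumed interface name
 ip access-group WAN-EGRESS-OUT out
!
! Verify from exec mode: the permit counters move when the tunnel negotiates,
! the deny counters move when a LAN host tries anything else.
! show ip access-lists LAN-EGRESS-IN
! show ip access-lists WAN-EGRESS-OUT
! show ip nat translations
```

Two caveats when choosing between them. Variant A, being inbound on the LAN port, also filters traffic from that LAN to the router itself and to any other RFC 1918 segment the router routes between, so management access to 192.168.0.1 or inter-LAN flows need their own permit lines above the deny entries. Variant B is scoped to the whole outside port, so its `deny ... any any` lines apply to every NATed LAN behind the router, not only 192.168.0.x, and it does not filter traffic the router originates itself, which only matters if the router rather than the LAN host terminates a tunnel.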
06-07-2019 11:15 AM
That looks promising, I will experiment with it. Much thanks.