587 Views, 0 Helpful, 2 Replies

egress blocking NAT help

I have a Cisco 4331 router. I use it to NAT to several RFC 1918 LAN spaces behind the router, connecting IPsec tunnels to the appropriate destinations. I have various NAT statements like this:

ip nat inside source static udp 192.168.0.102 500 x.x.x.2 500 extendable

ip nat inside source static udp 192.168.0.102 4500 x.x.x.2 4500 extendable

 

That works perfectly well, blocking all ingress save the desired IPsec UDP ports. The public-facing IP address x.x.x.2 is on the same GE port as 192.168.0.1, and NAT routes only the ports I want and drops everything else.

But I also want to do this in the egress direction.

I have spent hours reading the available docs, but the answer to my challenge eludes me. I need a simple way to block egress from the LAN space. e.g., in the example above, I want to prohibit ALL TCP from exiting the 192.168.0.x address space, and ALL UDP except the two ports I have NAT'ed.

Can someone point me to the best solution?

Much appreciated.

 

I have placed iptables entries in the machines on the network to prevent this, but I want the router to block also.

 

Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello Nathan,

you can use an extended IP ACL applied outbound = egress on the ip nat outside interface.

 

The IP ACL must allow the flows you need including the IPSec connections and any other traffic you want to allow.

 

access-list 111 permit udp host x.x.x.x host y.y.y.y eq 500

access-list 111 permit udp host x.x.x.x host y.y.y.y eq 4500

access-list 111 permit icmp host x.x.x.x host y.y.y.y

! other permit lines as needed

access-list 111 deny tcp any any

access-list 111 deny udp any any

 

interface gi0/0

! interface with ip nat outside

ip access-group 111 out

 

As an alternative you can configure an inbound ACL on the internal (ip nat inside ) interface.

 

Hope to help

Giuseppe

 
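As an added illustration (not part of the original thread, and not Cisco tooling), the following Python model puts the accepted answer's ACL 111 next to the original poster's static NAT entries and evaluates constructed sample flows at both placements the answer mentions. It shows the check a practitioner would want before applying the ACL: an outbound ACL on the ip nat outside interface is evaluated after inside-to-outside translation, so its entries must name the inside-global address (x.x.x.2), whereas the alternative inbound ACL on the ip nat inside interface is evaluated before translation and must name the inside-local address (192.168.0.102). Writing the private address into the outside-interface ACL silently blocks the IKE flows the policy meant to permit. Assumptions: the public and peer addresses are stand-ins from the RFC 5737 documentation ranges, the sample flows are made up, and a flow with no static NAT entry is forwarded untranslated.

```python
"""Added example: first-match ACL evaluation with implicit deny, combined with
the IOS NAT order of operations (inbound ACL on the inside interface is checked
before NAT, outbound ACL on the outside interface after NAT).  Not from the
original thread; addresses and flows are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

PUBLIC_IP = "203.0.113.2"    # stands in for x.x.x.2 (assumption, RFC 5737)
PEER_IP = "198.51.100.10"    # stands in for y.y.y.y (assumption, RFC 5737)
INSIDE_HOST = "192.168.0.102"

# The OP's two static entries:
# ip nat inside source static udp 192.168.0.102 500  x.x.x.2 500  extendable
# ip nat inside source static udp 192.168.0.102 4500 x.x.x.2 4500 extendable
STATIC_NAT = {
    ("udp", INSIDE_HOST, 500): (PUBLIC_IP, 500),
    ("udp", INSIDE_HOST, 4500): (PUBLIC_IP, 4500),
}


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp", "udp", "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", "icmp"
    src: str                    # "any", "host A.B.C.D", or CIDR
    dst: str
    dport: Optional[int] = None  # "eq N"; None matches any port


def _match_addr(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec[5:])
    return ip_address(addr) in ip_network(spec, strict=False)


def evaluate(acl: List[Ace], flow: Flow) -> str:
    """IOS semantics: the first matching entry decides; no match is a deny."""
    for ace in acl:
        if ace.proto not in ("ip", flow.proto):
            continue
        if not _match_addr(ace.src, flow.src) or not _match_addr(ace.dst, flow.dst):
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every IOS ACL


def translate_inside_to_outside(flow: Flow) -> Flow:
    """Static NAT on the source (inside local -> inside global).
    Assumption of this model: a flow with no entry is forwarded untranslated."""
    hit = STATIC_NAT.get((flow.proto, flow.src, flow.sport))
    if hit is None:
        return flow
    return Flow(flow.proto, hit[0], hit[1], flow.dst, flow.dport)


def egress_decision(acl: List[Ace], flow: Flow, applied_at: str) -> str:
    """applied_at: 'outside_out' = 'ip access-group N out' on the ip nat outside
    interface (post-NAT); 'inside_in' = 'ip access-group N in' on the ip nat
    inside interface (pre-NAT)."""
    if applied_at == "inside_in":
        return evaluate(acl, flow)
    return evaluate(acl, translate_inside_to_outside(flow))


def to_ios(number: int, acl: List[Ace]) -> List[str]:
    """Render the model back into 'access-list N ...' lines."""
    lines = []
    for a in acl:
        parts = [f"access-list {number}", a.action, a.proto, a.src, a.dst]
        if a.dport is not None:
            parts.append(f"eq {a.dport}")
        lines.append(" ".join(parts))
    return lines


# ACL 111 as in the answer, for the outbound/outside placement (post-NAT addresses).
ACL_111_OUTSIDE = [
    Ace("permit", "udp", f"host {PUBLIC_IP}", f"host {PEER_IP}", 500),
    Ace("permit", "udp", f"host {PUBLIC_IP}", f"host {PEER_IP}", 4500),
    Ace("permit", "icmp", f"host {PUBLIC_IP}", f"host {PEER_IP}"),
    Ace("deny", "tcp", "any", "any"),
    Ace("deny", "udp", "any", "any"),
]
# Same policy for the inbound/inside placement (pre-NAT, inside-local address).
ACL_111_INSIDE = [Ace(a.action, a.proto, a.src.replace(PUBLIC_IP, INSIDE_HOST), a.dst, a.dport)
                  for a in ACL_111_OUTSIDE]


def demo() -> dict:
    """Constructed flows: IKE, NAT-T, an outbound HTTPS attempt, stray DNS."""
    ike = Flow("udp", INSIDE_HOST, 500, PEER_IP, 500)
    natt = Flow("udp", INSIDE_HOST, 4500, PEER_IP, 4500)
    web = Flow("tcp", INSIDE_HOST, 51000, PEER_IP, 443)
    dns = Flow("udp", "192.168.0.50", 40000, "8.8.8.8", 53)
    return {
        "ike@outside_out": egress_decision(ACL_111_OUTSIDE, ike, "outside_out"),
        "natt@outside_out": egress_decision(ACL_111_OUTSIDE, natt, "outside_out"),
        "web@outside_out": egress_decision(ACL_111_OUTSIDE, web, "outside_out"),
        "dns@outside_out": egress_decision(ACL_111_OUTSIDE, dns, "outside_out"),
        "ike@inside_in": egress_decision(ACL_111_INSIDE, ike, "inside_in"),
        # Pitfall: the private address written into the post-NAT ACL blocks IKE.
        "ike@outside_out_wrong_addr": egress_decision(ACL_111_INSIDE, ike, "outside_out"),
    }


if __name__ == "__main__":
    for line in to_ios(111, ACL_111_OUTSIDE):
        print(line)
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

When testing the real router, send the IKE and a TCP flow from the inside host and watch `show ip access-lists 111` match counters: the two permit entries should increment for the IPsec traffic and the `deny tcp any any` entry for everything else, which confirms the ACL is seeing the addresses you expected at that placement.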


That looks promising, I will experiment with it.  Much thanks.
