06-13-2009 04:40 AM - edited 03-04-2019 05:06 AM
Hi,
Internet browsing for LAN users is via a Microsoft ISA Server.
This server is NATed to a public IP on the router.
Router IP : 192.168.1.100
ISA Server : 192.168.1.101
LAN Users : 172.20.16.0/24
I want all traffic from the router to the inside network to reach only the ISA Server.
I want to block SSH/Telnet from outside.
I want to block relaying of mails on this IP.
Can someone review the configuration and advise if it looks OK in terms of security and fulfils my requirements?
********Configuration ******************
****************************************
ip subnet-zero
ip domain lookup source-interface FastEthernet0/0
ip name-server 4.4.4.4
interface FastEthernet0/0
description Connected to ISP
ip address 10.10.10.66 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description Connection to LAN-Switch
ip address 192.168.1.100 255.255.255.0
ip accounting output-packets
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.65
ip route 172.20.16.0 255.255.255.0 192.168.1.1
no ip http server
no ip http secure-server
ip nat pool Internet_Range 10.10.10.68 10.10.10.70 netmask 255.255.255.224
! the pool name referenced here must match the pool defined above
ip nat inside source list 50 pool Internet_Range
!
access-list 50 permit 192.168.1.101
access-list 50 deny any
06-13-2009 05:21 AM
Hello Ronald,
the configuration looks correct.
Notes:
LAN users are not allowed to access the Internet, but this is wanted I suppose.
With your NAT config it should be the ISA server that tries to connect to the outside world: new attempts to connect to it from the outside world may not be allowed.
To fix this you may look at a simpler configuration that uses ip nat inside source static 192.168.1.101 public-address
To filter ssh/telnet from outside:
if you mean to the router you need
line vty 0 4
access-class 25 in
access-list 25 permit 192.168.1.0 0.0.0.255
If you mean ssh/telnet access to the server you may need a port-specific static NAT, otherwise you are opening all the IP with NAT statements (with the one I've suggested).
The command is similar but specifies the protocol and the ports too, for the local socket and the global socket.
See port static NAT here:
http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_nat.html#wp1011696
Hope to help
Giuseppe
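Putting the thread's advice together in one IOS fragment, as an added example (not posted by anyone in the thread and not a Cisco sample): it assumes that 10.10.10.68, the first address of the original pool, is the public address given to the ISA server, and that TCP 443 is the only service the server publishes to the Internet. Both of those values are assumptions, not taken from the thread.

```cisco
! Added example; the public address 10.10.10.68 and the published port 443 are assumptions.
!
! 1) Option A (what the thread settled on): one-to-one static NAT. Every port of
!    the server becomes reachable at 10.10.10.68; the ACL in step 3 is what limits that.
ip nat inside source static 192.168.1.101 10.10.10.68
!
!    Option B (tighter, per Giuseppe): translate only the published port, so nothing
!    else on the server is reachable from outside. Use it instead of option A; the
!    server's own outbound sessions then still rely on the dynamic list-50/pool rule
!    from the original config.
! ip nat inside source static tcp 192.168.1.101 443 10.10.10.68 443 extendable
!
! 2) Management plane: only the LAN may reach the vty lines, and only over SSH.
!    Failed attempts are logged so probes from outside show up in the syslog.
access-list 25 permit 192.168.1.0 0.0.0.255
access-list 25 deny   any log
line vty 0 4
 access-class 25 in
 transport input ssh
!
! 3) Data plane: drop SSH/Telnet arriving on the ISP-facing interface whatever the
!    destination (router or the NATed server). "eq 22" matches the destination port,
!    so replies to SSH sessions opened from the LAN (source port 22) are unaffected.
ip access-list extended OUTSIDE_IN
 deny   tcp any any eq 22 log
 deny   tcp any any eq 23 log
 permit ip any any
!
interface FastEthernet0/0
 ip access-group OUTSIDE_IN in
```

An inbound ACL on the outside interface is evaluated before the global-to-local NAT translation, so OUTSIDE_IN has to be written in terms of public addresses, as above. With option A the dynamic `ip nat inside source list 50 pool ...` rule no longer does anything for 192.168.1.101 (the static entry takes precedence) and can be removed; with option B it is still what carries the server's outbound sessions.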
06-13-2009 10:53 PM
thanks Giuseppe.
I have changed to static NAT and it works.
06-13-2009 05:26 AM
Seems fine.
You do not need ip virtual-reassembly on any interface.
You mean ip route 172.20.16.0 255.255.255.0 192.168.1.101?
Use access-class under the vty config to prevent access from outside.
The router doesn't know anything about mail relay; configure your server for that.