NAT and ACL lists

grant
Level 1

I have a Cisco 1841 router. This connects our organisation to the internet via a satellite link. We are using NAT. I am trying to limit users on our LAN to only access www, icmp and dns ports through the router, thus preventing any excess traffic. Here is a copy of the config that is working. When I try to limit access to ports, users can no longer access the internet.

service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
clock timezone GMT 2
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip host datum 2001 10.1.1.1
ip name-server 217.15.112.170
ip name-server 217.15.112.171
ftp-server topdir ptjit
!
!
!
!
interface FastEthernet0/0
 description LAN BACKBONE
 ip address 172.17.0.11 255.255.255.0
 ip flow ingress
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto
 fair-queue
!
interface FastEthernet0/1
 description WAN NETWORK
 ip address x.x.x.90 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
 fair-queue
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.89 name BSATT
!
ip flow-export source FastEthernet0/0
ip flow-export version 9
ip flow-export destination 172.17.8.99 2055
!
no ip http server
ip http authentication local
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat translation tcp-timeout 900
ip nat translation max-entries 1800
ip nat inside source list 102 interface FastEthernet0/1 overload
ip nat inside source static tcp 172.17.8.50 8080 interface FastEthernet0/1 8080
ip nat inside source static tcp 172.17.8.50 445 interface FastEthernet0/1 445
ip nat inside source static tcp 172.17.8.50 139 interface FastEthernet0/1 139
ip nat inside source static tcp 172.17.8.50 135 interface FastEthernet0/1 135
ip nat inside source static tcp 172.17.0.16 22 interface FastEthernet0/1 22
ip nat inside source static tcp 172.17.8.20 46520 interface FastEthernet0/1 46520
ip nat inside source static tcp 172.17.8.23 46523 interface FastEthernet0/1 46523
ip nat inside source static tcp 172.17.0.16 25 interface FastEthernet0/1 25
ip nat inside source static udp 172.17.0.16 25 interface FastEthernet0/1 25
ip nat inside source static tcp 172.17.8.50 6001 interface FastEthernet0/1 6001
ip nat inside source static tcp 172.17.8.50 6002 interface FastEthernet0/1 6002
ip nat inside source static tcp 172.17.8.50 6004 interface FastEthernet0/1 6004
ip nat inside source static tcp 172.17.8.50 443 interface FastEthernet0/1 443
ip nat inside source static tcp 172.17.8.50 593 interface FastEthernet0/1 593
ip nat inside source static tcp 172.17.8.50 80 interface FastEthernet0/1 80
!
access-list 102 permit ip 172.17.0.0 0.0.255.255 any
cdp timer 10
!
control-plane
!
!
line con 0
 login local
line aux 0
 no exec
 transport input all
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 login
!
ntp clock-period 17178356
ntp server 64.147.116.229
end

14 Replies

cadet alain
VIP Alumni

Hi,

ip nat inside source static tcp 172.17.8.50 8080 interface FastEthernet0/1 8080

This is static PAT or port forwarding and it permits users on the internet to access a service on a LAN machine.

What is the subnet of your users? Is it 172.17.0.0/24? Because this is what you are NAT overloading for, and in your static PAT I see 172.17.8.50.

I don't see in your config any ACL restricting your users from accessing the internet.

You can do this with Zone-based firewall if you've got 12.4(6)T or higher.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Alain

My LAN is 172.17.0.0/16. 172.17.0.0/24 is used for the backbone. 8.50 is my mail server. I am running software release 12.4.

access-list 101 permit udp 172.17.0.0 0.0.255.255 any eq 53
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 53
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 20
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 21
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 23
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 25
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 80
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 143
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 443
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 465
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 587
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 993
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 995
access-list 101 permit icmp any 172.17.0.0 0.0.255.255
access-list 102 permit tcp any 172.17.0.0 0.0.255.255 established
interface FastEthernet0/1
 ip access-group 101 out
 ip access-group 102 in

Thanks Grant

Hi,

interface FastEthernet0/1
 ip access-group 101 out

It can't work this way because packets leaving this interface are NATted, so the only match is the implicit deny at the end of the ACL.

One remark also:

access-list 102 permit tcp any 172.17.0.0 0.0.255.255 established

This is really not secure and not stateful.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Alain

Is there a way to apply the ACL on either of the interfaces, or should I be looking at an alternative way of controlling which ports are open?

The access-list 102 permit tcp any 172.17.0.0 0.0.255.255 established was just to try and get it working; I wanted to only allow those specific ports coming in. I read a number of articles to get to where I have, but have been struggling for some time with this.

Let me know your thoughts

thanks

jgraafmans
Level 1

NAT is done before matching the access-list. You can place access-list 101 incoming on f0/0, or change the source addresses of the access-list to the IP address of the f0/1 interface. In both cases you also have to change the destination of access-list 102 to the IP address of the f0/1 interface.

I will give this a go and post my updated ACL.

thanks for the suggestions.

grant
Level 1

I have put the following config in. This is now controlling outgoing access to the ports. If I try to put anything in to control incoming connections, the internet goes offline. With this configuration I cannot access my mail server's web address from the LAN, and no incoming or outgoing mail goes through. Any suggestions?

access-list 101 permit udp 172.17.0.0 0.0.255.255 any eq 53
access-list 101 permit udp 172.17.0.0 0.0.255.255 any eq 123
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 53
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 20
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 21
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 22
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 23
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 25
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 80
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 143
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 443
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 465
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 587
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 993
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 995
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 8080
access-list 101 permit icmp 172.17.0.0 0.0.255.255 any
access-list 101 permit ip any host 65.88.254.131
interface fastethernet0/0
 ip access-group 101 in

grant
Level 1

After some testing I have found I cannot access my mail server 172.17.8.50 on port 443 from the internet with the ACL activated. I also cannot access port 25 or port 80. There is obviously something that I am missing here, just not sure what yet. Any ideas?

Thanks g

Do you still have access-list 102 applied inbound on interface f0/1?

What if you remove this access-list from the interface so you can be sure packets incoming on interface f0/1 are always permitted?

You could also place log after the access-list so you can log which access-list rules are being matched.

I have left access-list 102 in place as that is part of the NAT. If I remove 102 no traffic passes. If I add 103 no traffic passes.

With 101 and 102 applied I can access the internet from any machine, but cannot access any of the services through NAT (port 25, 443 or 80) from the internet or from the LAN. I tried adding an access-list with the external IPs on fa0/1 and still could not. I can add the log at the end but have been unable to see where I can view this log. Thanks for the suggestions.

Merry Christmas

g

I just realized that your access-list has the established keyword, which indicates that a session must have been initiated from the inside before (returning) traffic is permitted. This is not the case if someone from the internet is initiating a connection to, for example, the mail server.

It is better to use different access-lists for NAT and access control.

With my question I meant: do you still have ip access-group 102 in configured under interface f0/1? From your previous post I presume you do.

For testing it is best to remove this command entirely, because without it all traffic on that interface is permitted by default.

By default logging is sent to the console. You can send it to your telnet session with the term mon command.

Merry Christmas!

I have the following access-lists

access-list 101 permit udp 172.17.0.0 0.0.255.255 any eq domain
access-list 101 permit udp 172.17.0.0 0.0.255.255 any eq ntp
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq domain
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq ftp-data
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq ftp
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 22
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq telnet
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq smtp
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq www
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 143
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 443
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 465
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 587
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 993
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 995
access-list 101 permit tcp 172.17.0.0 0.0.255.255 any eq 8080
access-list 101 permit icmp 172.17.0.0 0.0.255.255 any
access-list 101 permit ip any host 65.88.254.131
access-list 101 permit ip any host 172.17.0.16
access-list 102 permit ip 172.17.0.0 0.0.255.255 any

access-list 103 permit udp host 77.246.60.90 any eq domain
access-list 103 permit udp host 77.246.60.90 any eq ntp
access-list 103 permit tcp host 77.246.60.90 any eq domain
access-list 103 permit tcp host 77.246.60.90 any eq ftp-data
access-list 103 permit tcp host 77.246.60.90 any eq ftp
access-list 103 permit tcp host 77.246.60.90 any eq 22
access-list 103 permit tcp host 77.246.60.90 any eq telnet
access-list 103 permit tcp host 77.246.60.90 any eq smtp
access-list 103 permit tcp host 77.246.60.90 any eq www
access-list 103 permit tcp host 77.246.60.90 any eq 143
access-list 103 permit tcp host 77.246.60.90 any eq 443
access-list 103 permit tcp host 77.246.60.90 any eq 465
access-list 103 permit tcp host 77.246.60.90 any eq 587
access-list 103 permit tcp host 77.246.60.90 any eq 993
access-list 103 permit tcp host 77.246.60.90 any eq 995
access-list 103 permit tcp host 77.246.60.90 any eq 8080
access-list 103 permit icmp host 77.246.60.90 any
access-list 103 permit ip host 65.88.254.131 any

Access-list 101 I am applying to fa0/0 inbound:

int fa0/0
 ip access-group 101 in

Access-list 102 is only there for NAT:

ip nat inside source list 102 interface FastEthernet0/1 overload

If I apply access-list 103 to any of the interfaces, in or out, the internet goes down.

If I put the previous command access-list 103 permit ip any any established it does not work. Without access-list 103 I can browse the internet but cannot connect to my mail server on port 25 or 443.

thanks for your help so far

I assume that you are applying access-list 103 on fa0/1. I would suggest that you make the following change in the access-list and then apply:

access-list 103 permit udp host 77.246.60.90 any eq domain
access-list 103 permit udp host 77.246.60.90 any eq ntp
access-list 103 permit tcp host 77.246.60.90 any eq domain
access-list 103 permit tcp host 77.246.60.90 any eq ftp-data
access-list 103 permit tcp host 77.246.60.90 any eq ftp
access-list 103 permit tcp host 77.246.60.90 any eq 22
access-list 103 permit tcp host 77.246.60.90 any eq telnet
access-list 103 permit tcp host 77.246.60.90 any eq smtp
access-list 103 permit tcp host 77.246.60.90 any eq www
access-list 103 permit tcp host 77.246.60.90 any eq 143
access-list 103 permit tcp host 77.246.60.90 any eq 443
access-list 103 permit tcp host 77.246.60.90 any eq 465
access-list 103 permit tcp host 77.246.60.90 any eq 587
access-list 103 permit tcp host 77.246.60.90 any eq 993
access-list 103 permit tcp host 77.246.60.90 any eq 995
access-list 103 permit tcp host 77.246.60.90 any eq 8080
access-list 103 permit icmp host 77.246.60.90 any
access-list 103 permit ip host 65.88.254.131 any
int fa0/1
 ip access-group 103 in

I presume 77.246.60.90 is your interface IP address. Then this access-list is incorrect: you are permitting packets incoming on the outside interface with your own IP address as the source address. You should switch source and destination, for example access-list 103 permit udp any host 77.246.60.90 eq domain.

But there is another problem. On f0/0 you only allow packets with your internal network as source and any destination, but only to some specified ports.

If someone accesses your mail server they can have any source port, and therefore the returning traffic from your mail server can have any destination port, which will be blocked.

You can solve this by adding access-list 101 permit tcp any any established.

For testing you could add this command and not place access-list 103 on the interface.

But I think, if your router supports it, it is a better idea to use the zone-based firewall because it is stateful.
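To make the points raised in this thread concrete, here is an added example (not from the thread, the posters or Cisco) that models in Python how an IOS ACL sees a packet on each side of NAT: an inbound ACL is matched against untranslated addresses and an outbound ACL against translated ones, established only matches segments that carry ACK/RST, and an entry whose source is the router's own address never matches traffic arriving from the internet. The addresses 198.51.100.90 (standing in for the masked x.x.x.90), 192.0.2.53 and 203.0.113.7 are constructed.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("172.17.0.0", "0.0.255.255")   # the poster's 172.17.0.0/16 in wildcard form
WAN_IP = "198.51.100.90"              # constructed TEST-NET stand-in for the masked x.x.x.90

def wild_match(addr, net, wildcard):
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)       # Cisco wildcard: 0 bits must match, 1 bits are don't-care

def ace(action, proto, src, dst, **opts):
    return {"action": action, "proto": proto, "src": src, "dst": dst, **opts}  # opts: eq=, established=

def acl_permits(acl, pkt):
    """First-match evaluation; falling off the end hits the implicit deny."""
    for entry in acl:
        if entry["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (wild_match(pkt["src"], *entry["src"]) and wild_match(pkt["dst"], *entry["dst"])):
            continue
        if "eq" in entry and pkt.get("dport") != entry["eq"]:
            continue
        if entry.get("established") and not pkt.get("ack"):  # only reply segments carry ACK/RST
            continue
        return entry["action"] == "permit"
    return False

def inside_to_outside(pkt, f00_in=None, f01_out=None):
    """LAN -> internet: inbound ACL (pre-NAT), then inside source NAT, then outbound ACL (post-NAT)."""
    if f00_in is not None and not acl_permits(f00_in, pkt):
        return False
    natted = {**pkt, "src": WAN_IP} if wild_match(pkt["src"], *LAN) else pkt
    return f01_out is None or acl_permits(f01_out, natted)

def outside_to_inside(pkt, f01_in=None):
    """Internet -> LAN: the inbound ACL on f0/1 sees the public address, before static NAT maps it."""
    return f01_in is None or acl_permits(f01_in, pkt)

# Constructed traffic: a LAN DNS query, and a brand-new SMTP connection from the internet.
DNS_QUERY = {"proto": "udp", "src": "172.17.5.10", "dst": "192.0.2.53", "dport": 53}
NEW_SMTP = {"proto": "tcp", "src": "203.0.113.7", "dst": WAN_IP, "dport": 25, "ack": False}
ACL101 = [ace("permit", "udp", LAN, ANY, eq=53)]                            # first line of the posted ACL 101
ACL_ESTABLISHED = [ace("permit", "tcp", ANY, ANY, established=True)]
ACL103_AS_POSTED = [ace("permit", "tcp", (WAN_IP, "0.0.0.0"), ANY, eq=25)]  # source is the router's own address
ACL103_SWAPPED = [ace("permit", "tcp", ANY, (WAN_IP, "0.0.0.0"), eq=25)]    # source and destination swapped

def demo():
    return {
        "acl101 inbound on f0/0": inside_to_outside(DNS_QUERY, f00_in=ACL101),     # True
        "acl101 outbound on f0/1": inside_to_outside(DNS_QUERY, f01_out=ACL101),   # False: source already translated
        "established only, new SYN": outside_to_inside(NEW_SMTP, ACL_ESTABLISHED), # False
        "acl103 as posted": outside_to_inside(NEW_SMTP, ACL103_AS_POSTED),         # False
        "acl103 swapped": outside_to_inside(NEW_SMTP, ACL103_SWAPPED),             # True
    }
```

The same ACL 101 permits the DNS query inbound on f0/0 and denies it outbound on f0/1, which is exactly why the first attempt in the thread cut off internet access.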