03-22-2024 10:15 AM
Hi everyone,
I'm getting familiarized with ACLs by working with them in Cisco Packet Tracer.
I have this setup:
R-Corp has static NAT IPs for everything inside Corporativo. With this setup, I've been able to implement some ACLs to, for example, let PC_INTERNET receive emails from PC_A, using SERVER_INTERNET and DNS to resolve the name for the email server.
What's confusing me is that when trying to connect to INTRANET_SERVER from PC_INTERNET through HTTP (even without using the DNS; trying to connect directly for testing purposes), it stops working ONLY if the NAT translation is happening. If I don't have NAT translation, the HTTP works, even with the same ACLs (taking the translation into account to change them).
The relevant ACLs being:
access-list 100 permit icmp host 10.0.0.10 host 200.0.0.100 echo
access-list 100 permit tcp host 10.0.0.10 host 200.0.0.100 eq smtp
access-list 100 permit udp host 10.0.0.30 host 200.0.0.101 gt 1023
access-list 100 permit tcp host 10.0.0.20 host 200.0.0.101 established
access-list 101 permit icmp host 200.0.0.100 host 240.200.200.11 echo-reply
access-list 101 permit tcp host 200.0.0.100 host 240.200.200.11 gt 1023
access-list 101 permit udp host 200.0.0.101 host 240.200.200.13 eq domain
access-list 101 permit icmp host 200.0.0.101 host 220.200.200.2 echo
access-list 101 permit tcp host 200.0.0.101 host 240.200.200.12 eq www
access-list 101 permit tcp host 200.0.0.101 host 10.0.0.20 eq www
(I added both 10.0.0.20 [no NAT] and 240.200.200.12 [with NAT] to test. With NAT disabled in the router, 10.0.0.20 works, without, 240.200.200.12 does not).
101 is implemented on FastEthernet 0/1, the one that's connecting to outside.
100 is implemented on FastEthernet 0/0, the one connecting to Corporativo.
I include the router config and .pkt file. Any password needed should be cisco123.
Any help, or pointing towards the right resources to research, is deeply appreciated.
03-22-2024 01:39 PM
Not sure what your goal is here, but in the real world, this issue of reaching INTRANET_SERVER (in your own company) from outside PC_INTERNET is how things are supposed to work. At home, I (and Cisco) cannot reach your PC, but you can reach this site. In other words, you must initiate traffic to me, not the other way around. I, having a public IP address, cannot access/ping anyone on a private range unless you make a special 1-to-1 NAT translation or put the PC/server in a special DMZ. Such a NAT translation reserves and maps a public IP to a private IP inside your company. At home, i.e. on a Linksys router, you must set up special port mapping to let outside access reach your internal network or PC.
I haven't looked at your PT file, but does static NAT mapping solve your issue?
Regards, ML
**Please Rate All Helpful Responses**
03-22-2024 02:27 PM
So, what I'm trying to do, is connect from PC_INTERNET to INTRANET_SERVER through HTTP (it has HTTP enabled), limiting it so that ONLY that connection (not other PC's, just PC_INTERNET) is possible through ACLs. These ACLs are:
access-list 101 permit tcp host 200.0.0.101 host 10.0.0.20 eq www
and
access-list 100 permit tcp host 10.0.0.20 host 200.0.0.101 established
They work BUT only when the static NAT mapping is disabled. If I have NAT static mapping enabled (and change the ACLs accordingly to:
access-list 101 permit tcp host 200.0.0.101 host 240.200.200.12 eq www
and the other one staying the same), it does not work, and I have no idea why. Since it works without NAT, I think (am not sure) that the ACLs are working appropriately. That leads me to think the NAT is wrong. Problem is, another specific connection I've done is letting PC_INTERNET reach the DNS server for SMTP with SERVER_WEB. If the NAT isn't working, then that shouldn't work. But it does.
So, my biggest concern right now, is not even knowing what's wrong.
Appreciate the response.
03-31-2024 07:50 PM
For anyone needing an answer, turns out it's just that for some reason, using a 240. IPv4 for the Intranet Server NAT translation messed everything up. Left everything the same alongside changing it to be 200 instead of 240 and everything worked.
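The root cause above (inside-global NAT addresses taken from 240.0.0.0/4, the reserved former Class E block) can be caught mechanically. The following is an added example, not code from any post in this thread or from Cisco; the two NAT tables are constructed from the addresses in the thread's ACL 101 and from the "200 instead of 240" fix, not from the poster's .pkt file.

```python
# Added example: flag NAT inside-global and outside-facing ACL addresses that
# can never be reachable from the Internet side, using Python's ipaddress module.
import ipaddress

# Constructed: inside local -> inside global, as the thread's ACL 101 implies.
NAT_BROKEN = {"10.0.0.10": "240.200.200.11",
              "10.0.0.20": "240.200.200.12",
              "10.0.0.30": "240.200.200.13"}
# Constructed: the same table after the poster's fix ("200 instead of 240").
NAT_FIXED = {local: g.replace("240.", "200.", 1) for local, g in NAT_BROKEN.items()}

# ACL 101 as posted in the thread (applied inbound on the outside interface).
ACL_101 = [
    "access-list 101 permit icmp host 200.0.0.100 host 240.200.200.11 echo-reply",
    "access-list 101 permit tcp host 200.0.0.100 host 240.200.200.11 gt 1023",
    "access-list 101 permit udp host 200.0.0.101 host 240.200.200.13 eq domain",
    "access-list 101 permit icmp host 200.0.0.101 host 220.200.200.2 echo",
    "access-list 101 permit tcp host 200.0.0.101 host 240.200.200.12 eq www",
    "access-list 101 permit tcp host 200.0.0.101 host 10.0.0.20 eq www",
]

def unusable_as_global(addr):
    """Return why 'addr' cannot serve as an inside-global address, or None."""
    ip = ipaddress.ip_address(addr)
    if ip.is_reserved:        # 240.0.0.0/4: stacks refuse to route it (the thread's bug)
        return "reserved 240.0.0.0/4 (former Class E)"
    if ip.is_multicast or ip.is_loopback or ip.is_link_local:
        return "multicast/loopback/link-local"
    if ip.is_private:         # RFC 1918 and other special-purpose ranges
        return "private/special-purpose, not routable from the Internet side"
    return None

def check_nat_table(table):
    """Map each bad inside-global address to the reason it is unusable."""
    return {g: why for g in table.values() if (why := unusable_as_global(g))}

def host_addresses(acl_lines):
    """Every address that follows the 'host' keyword in extended ACL text."""
    out = []
    for line in acl_lines:
        toks = line.split()
        out += [toks[i + 1] for i, t in enumerate(toks) if t == "host"]
    return out

def check_outside_acl(acl_lines):
    """Addresses an outside-facing ACL names that no packet arriving from the
    Internet can carry. Inbound ACLs are evaluated before NAT, so the ACL on
    the outside interface must match the inside-global (translated) address."""
    return {h: why for h in host_addresses(acl_lines) if (why := unusable_as_global(h))}

if __name__ == "__main__":
    print(check_nat_table(NAT_BROKEN))   # all three 240.x addresses are flagged
    print(check_nat_table(NAT_FIXED))    # {}
    print(check_outside_acl(ACL_101))    # the 240.x entries plus 10.0.0.20
```

The last line also explains the poster's observation that the 10.0.0.20 entry in ACL 101 only worked with NAT off: a packet from PC_INTERNET can only carry that private destination when no translation is in the path.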