Secure port forwarding

rafalkarpinski
Level 1

My config file:

http://justpaste.it/l3jm

I have NAT port forwarding on public IP 2.2.2.4 for the private PC 192.168.0.2 on TCP ports 22 and 443.

I want to secure this NAT with an ACL to limit connections to only those from 194.24.180.0/23.

I've tried some ACLs, but they were wrong.

My idea was to create an extended ACL like this:

ip access-list extended acl_in
 permit tcp 194.24.180.0 0.0.1.255 host 193.108.220.244 eq 443
 permit tcp 194.24.180.0 0.0.1.255 host 193.108.220.244 eq 22

And put it on GE0:

 ip access-group acl_in in

But it doesn't work :-)

Maybe you could help me with that?

Thanks a lot!


I can see some differences in the PC IP.

private PC 192.168.0.2

whereas in the ACL

 permit tcp 194.24.180.0 0.0.1.255 host 193.108.220.244 eq 443
 permit tcp 194.24.180.0 0.0.1.255 host 193.108.220.244 eq 22

Did you see my config?

Now I understand that in the ACL I have to put the private IP. But on which interface do I have to put the ACL?

Which direction, in or out?

Thanks a lot!

Personally I can't see your config as it's blocked in my domain - http://justpaste.it/l3jm

I made my comment based on the description you have given.

Generally the ACL will be put on the exit interface, but it also depends on the network topology. No diagram is given here, so I can't comment on that.

Config file :-)

Of course the external IP is 2.2.2.4, not 193.108.220.244.

My mistake.

!
! Last configuration change at 11:57:40 UTC Fri Apr 17 2015 by rkarpinski
version 15.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname pztest-r1
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local-case
aaa authorization exec default local 
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3662212268
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3662212268
revocation-check none
rsakeypair TP-self-signed-3662212268
!
!
crypto pki certificate chain TP-self-signed-3662212268
ip cef
!
!
!
!


!
ip dhcp excluded-address 192.168.0.1 192.168.0.20
!
ip dhcp pool test-lan
network 192.168.0.0 255.255.255.0
domain-name testnet.local
netbios-name-server 192.168.0.2 
netbios-node-type p-node
default-router 192.168.0.1 
dns-server 8.8.8.8 
!
!
!
ip domain retry 3
ip domain name testnet.local
ip name-server 62.233.233.233
ip name-server 192.168.0.2
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid CISCO891-K9 sn FCZ171990KS
!
!
!
redundancy
!
!
!
!
!
ip tcp synwait-time 5
ip tcp path-mtu-discovery
ip ssh authentication-retries 2

!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
description Siec LAN 192.168.0.0/24
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0
ip address 2.2.2.2 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns view default
domain retry 3
ip nat pool wan1-ip3 2.2.2.3 2.2.2.3 netmask 255.255.255.240
ip nat inside source list nat-lan pool wan1-ip3 overload
ip nat inside source static tcp 192.168.0.2 22 2.2.2.4 22 extendable
ip nat inside source static tcp 192.168.0.2 443 2.2.2.4 443 extendable
ip route 0.0.0.0 0.0.0.0 2.2.2.1
!
ip access-list standard admin
permit 10.128.0.0 0.0.255.255
permit 194.24.180.0 0.0.1.255
permit 192.168.0.0 0.0.0.255
ip access-list standard nat-lan
permit 192.168.0.0 0.0.0.255
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.0.0 0.0.0.255
no cdp run
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
alias exec ct configure terminal
!
line con 0
exec-timeout 30 0
logging synchronous
transport preferred ssh
transport output telnet ssh
line 1
modem InOut
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
access-class admin in
exec-timeout 30 0
privilege level 15
logging synchronous
transport preferred ssh
transport input telnet ssh
transport output telnet ssh
line vty 5 15
access-class admin in
exec-timeout 30 0
privilege level 15
logging synchronous
transport preferred ssh
transport input telnet ssh
transport output telnet ssh
!
!
end

Try with:

ip access-list extended acl_in
 permit tcp 194.24.180.0 0.0.1.255 host 192.168.0.2 eq 443
 permit tcp 194.24.180.0 0.0.1.255 host 192.168.0.2 eq 22

And put it on GE0:

 ip access-group acl_in in

When I did that I disabled the internet in this company :-)

Ok, maybe I have to figure it out alone :]
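As an added example (not part of the thread and not written by any of the posters): an inbound ACL for GigabitEthernet0 that admits SSH and HTTPS only from 194.24.180.0/23 and still lets the existing overload NAT and the router's own sessions receive their replies, which is what the two-line ACL above dropped. It uses only the addresses already in the posted config (2.2.2.2 interface, 2.2.2.3 NAT pool, 2.2.2.4 forwarded address); on IOS an inbound ACL on the NAT outside interface is evaluated before the outside-to-inside translation, so the rules have to match the public address, not 192.168.0.2.

```cisco
! Added example, not from the thread. Addresses and the interface name
! are taken from the posted config; nothing else is assumed.
ip access-list extended acl_in
 remark --- forwarded services, admin range only (public address, pre-NAT)
 permit tcp 194.24.180.0 0.0.1.255 host 2.2.2.4 eq 22
 permit tcp 194.24.180.0 0.0.1.255 host 2.2.2.4 eq 443
 remark --- replies for the LAN overload NAT (pool address 2.2.2.3)
 permit tcp any host 2.2.2.3 established
 permit udp any eq domain host 2.2.2.3
 remark --- replies for sessions the router itself opens (2.2.2.2)
 permit tcp any host 2.2.2.2 established
 permit udp any eq domain host 2.2.2.2
 remark --- ICMP feedback needed for path-MTU discovery and diagnostics
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark --- everything else, including SSH/HTTPS from other sources, is logged and dropped
 deny ip any any log
!
interface GigabitEthernet0
 ip access-group acl_in in
```

`established` only matches TCP replies, so LAN UDP applications other than DNS would still be blocked; where the router's feature set includes CBAC (`ip inspect`) or the Zone-Based Firewall, stateful inspection is the cleaner way to admit return traffic.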
