Solved: For allow 123.123.123.123 to

Ryan Young · ‎09-01-2014

Hello again,

I have some questions on how to have multiple NATs or PATs. I have a list of IP addresses that I want to allow incoming to receive emails through SMTP (Emails go to our SPAM service, then we only allow incoming emails from that service). But I also want to allow us to send out SMTP to everyone we are trying to email (We don't use the SPAM outgoing service). I think I am over thinking things with ACL's and such. I read about CBAC and am wondering if this is something I want to implement or not. I have a Cisco 3925 router security and voice. I have it setup and working, but will be bringing a server there, our email server (exchange). right now I have this same server setup and working using an ASA system. No problem, except the commands are a bit different from ASDM 6.4 on 8.3 vs IOS 15(2)M6.... so I am freaking just a tad. Now We have 7 IP addresses that we can use, the one that is assigned to the router, and 6 others. (the 8th is the ISP router). With the help of this community, I was able to enact QoS on the same router I am trying to do this with. I guess I'm not sure where to start. I have the first dynamic NAT all set up. How will the static NAT affect the dynamic NAT I already have setup? What changes do I need to make to Gi0/0 for ACL incoming and outgoing?

Assumptions:
Inside IP set: 172.20.0.0/24
Outside IP set: 192.168.161.240/29
ISP Router: 192.168.161.241
Gi0/0: 192.168.161.242
Incoming trusted email server: 123.123.123.123/32
Inside Email server: 172.20.0.30 255.255.255.0

Current setup:
interface GigabitEthernet0/0
description *** outside ***
ip address 192.168.161.242 255.255.255.248
ip nat outside
duplex auto
speed auto
service-policy output VOICE **community helped me with this part, thanks everyone!!**
!
interface GigabitEthernet0/1
no ipaddress
no shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1.10
description ***DATA***
encapsulation dot1Q 10
ip address 172.20.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip nat inside source list OUTSIDE interface GigabithEthernet0/0 overload
ip access-list extended OUTSIDE
permit ip 172.20.0.0 0.0.0.255 any
permit ip ***other vlans ETC***
!

How would I change the above to allow outgoing SMTP only from the email server (172.20.0.30) and allow 123.123.123.123 incoming SMTP? We need to allow SMTP if exchange initiated an outgoing SMTP to another email server in the world. We also need to allow https to the exchange server for everyone, and http for everyone (even though it fails). I'm probably over thinking this.

LukaszTJB · ‎09-02-2014

Ok, if I get this straight you have to configure a Port Forwarding first:

ip nat inside source static tcp 172.20.0.30 25 192.168.161.242 25

Verify the Settings with show ip nat translation. There should be an entry now which looks like

Pro Inside global Inside local Outside local Outside global

tcp 192.168.161.242:25 172.20.0.30:25 --- ----

Due to the fact you only want to receive mails from a specific IP address (the spam service) you need to configure an ACL for the the gig0/0 Interface and apply it at incoming direction.

At global config mode:

ip access-list extanded ALLOW_WAN_ACL

permit tcp host 123.123.123.123 any eq 25

exit

interface gig0/0

ip access-group ALLOW_WAN_ACL in

At this Point you might consider to use CBAC, otherwise all backward Traffic for connections which was initiated from the inside will be blocked until you allow it explicit in the ALLOW_WAN_ACL. Cbac is a statefull firewall which adds the entry dynamics to your ACL on the WAN Interface. A Basic configuration is straight forward:

At global config mode type

ip inspect name FW_OUT tcp

ip inspect name FW_OUT udp

Interface gig0/0

ip inspect FW_OUT out

You can use "ip inspect name FW_OUT ?" at the global config mode to see which other protocols for inspection are supported. With the configuration above only basic Layer 4 Inspection is performed. Verify with "show ip inspect session <detail>" and "show ip inspect statistic"

Hope this helps

Kind Regards.

View solution in original post

LukaszTJB · ‎09-02-2014

You welcome,

if the FTP Server is at the inside of your network and the connection is initiated from outside you have to permit it on the ACL and you have to configure the port forwarding. you may use the range command for the acl:

permit tcp host 123.123.123.123 any range 50000 60000

At least you have to open the tcp port 21 on the WAN ACL

If you use passive FTP this may be tricky with the port forwarding. On active FTP you are fine because the NAT Entries are create from the inside and thanks to cbac you don't have to open up the ACL static.

The incoming acl on the wan interface is process before nat so you have to use the puplic ip address in the acl or leave it just to "any"

View solution in original post

Walter Astori · ‎09-02-2014

Can you add the following command :

ip nat outside static source 123.123.123.123 172.20.0.30

I don't understand for the outgoing traffic from 172.20.0.30 because this address is in the ACL OUTSIDE (permit ip 172.20.0.0 0.0.0.255 any)

For allow SMTP to another email server in the world you need to add another "ip nat outside static" for the other IP external ip address

Ryan Young · ‎09-02-2014

Sorry, but in my example, my "outside" IP addresses were 192.168.161.240/29. The example of an email server that is allowed to send me emails vs the rest of the world is 123.123.123.123. Wouldn't that be in an acl somehow? I also need to statically map my email server inside IP to the "outside" IP, if I am correct, the following?

ip nat outside static source 192.168.161.243 172.20.30

then how do I allow only 123.123.123.123 to send me SMTP emails and no one else, or allow only 172.20.0.30 to send SMTP and no one else?

Walter Astori · ‎09-02-2014

For map the email server inside IP to outside IP :

ip nat inside static source 172.20.0.30 192.168.161.243

The IP address 123.123.123.123 is a public or private IP ?

Ryan Young · ‎09-02-2014

the 123.123.123.123 would be an example of one of the public email servers that is allowed to send us emails. (there are 14 total)

Walter Astori · ‎09-02-2014

For allow 123.123.123.123 to send SMTP email to inside host :

ip nat outside static source 123.123.123.123 <inside_IP_host>

Ryan Young · ‎09-02-2014

I can't nat someone else's IP address can I? This would be someone else's email server sending email to our IP 192.168.161.243.

In my example above, I was trying to use IP addresses that wouldn't actually be our public IP address, so in place of our real public IP i gave the 192.168.161.240/29.

LukaszTJB · ‎09-02-2014

Ok, if I get this straight you have to configure a Port Forwarding first:

ip nat inside source static tcp 172.20.0.30 25 192.168.161.242 25

Verify the Settings with show ip nat translation. There should be an entry now which looks like

Pro Inside global Inside local Outside local Outside global

tcp 192.168.161.242:25 172.20.0.30:25 --- ----

Due to the fact you only want to receive mails from a specific IP address (the spam service) you need to configure an ACL for the the gig0/0 Interface and apply it at incoming direction.

At global config mode:

ip access-list extanded ALLOW_WAN_ACL

permit tcp host 123.123.123.123 any eq 25

exit

interface gig0/0

ip access-group ALLOW_WAN_ACL in

At this Point you might consider to use CBAC, otherwise all backward Traffic for connections which was initiated from the inside will be blocked until you allow it explicit in the ALLOW_WAN_ACL. Cbac is a statefull firewall which adds the entry dynamics to your ACL on the WAN Interface. A Basic configuration is straight forward:

At global config mode type

ip inspect name FW_OUT tcp

ip inspect name FW_OUT udp

Interface gig0/0

ip inspect FW_OUT out

You can use "ip inspect name FW_OUT ?" at the global config mode to see which other protocols for inspection are supported. With the configuration above only basic Layer 4 Inspection is performed. Verify with "show ip inspect session <detail>" and "show ip inspect statistic"

Hope this helps

Kind Regards.

Ryan Young · ‎09-02-2014

Thank you very much!! This helps drastically.

To get a better understanding, for the acl, if I have a tls FTP server that uses ports 50000-60000 do I have to set each port from 50000-60000 (10,000 entries) or can I do a range in the acl?

Also, for the acl, instead of permit tcp host 123.123.123.123 any eq 25, can I choose the external IP or internal IP? So it can only send to that IP and no one else? (lock it down even more?) such as would I use the internal or extrnal for that one statement?

permit tcp host 123.123.123.123 192.168.161.243 eq 25 OR

permit tcp host 123.123.123.123 172.20.0.30 eq 25 be correct?

and would:

permit tcp any 172.20.0.35 eq 50000-60000 work?

Ryan Young · ‎09-02-2014

NEVERMIND....there is ip inspect name FW_OUT ftps and ftp so i'll add those and not have to deal with the stupid huge long acl. :) just do the acl for incoming mail servers. THANKS!!!!

Also instead of using eq you can use range and put the start and stop in such as:

permit tcp any any range 50000 60000

but with the inspect name FW-OUT ftps and/or ftp then that would fix it. I just need to open up all https to the mailserver for getting mail and all is good.

LukaszTJB · ‎09-02-2014

You welcome,

if the FTP Server is at the inside of your network and the connection is initiated from outside you have to permit it on the ACL and you have to configure the port forwarding. you may use the range command for the acl:

permit tcp host 123.123.123.123 any range 50000 60000

At least you have to open the tcp port 21 on the WAN ACL

If you use passive FTP this may be tricky with the port forwarding. On active FTP you are fine because the NAT Entries are create from the inside and thanks to cbac you don't have to open up the ACL static.

The incoming acl on the wan interface is process before nat so you have to use the puplic ip address in the acl or leave it just to "any"

Ryan Young · ‎09-02-2014

This is exactly what I needed!

THANK YOU.

Static/Dynamic - NAT/PAT multiple outside IPs to multiple Inside IPs