09-15-2018 11:53 PM
Hi folks,
I need to get some help. I have one public subnet, and one of the static IPs I am using to NAT inside.
Since I don't have a FW, I want to restrict some ports on the same IP but I don't know the best approach.
Network: 77.123.45.16/248
Gateway: 77.123.45.17
interface GigabitEthernet0/0
ip address 77.123.45.18 255.255.255.248
ip nat outside
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 77.123.45.17
!
ip nat inside source static 10.100.208.74 77.123.45.19 extendable
!
I want to restrict outside to inside traffic on some ports like 25/443 etc. Please, any suggestion?
09-16-2018 12:22 AM
Hello,
not sure what you mean:
ip nat inside source static tcp 10.100.208.74 25 77.123.45.19 25 extendable
ip nat inside source static tcp 10.100.208.74 443 77.123.45.19 443 extendable
would restrict outside access to just these two ports... is that what you are after?
09-16-2018 12:37 AM
We want to NAT inside with all ports, but after that, when traffic comes to the local interface, implement an ACL.
Like for example, in one scenario I have NAT as below
ip nat inside source static 10.100.208.74 77.123.45.19 extendable
then at the FW level only allowing a specific public IP to host 10.100.208.74 on specific ports only.
Can the above tasks be done in the router, to accept all NAT first and then implement the ACL rule? Thanks
09-16-2018 01:13 AM
Hello,
apply the access list below outbound to your outside NAT interface:
access-list 101 permit tcp host 10.100.208.74 any eq 25
access-list 101 permit tcp host 10.100.208.74 any eq 443
interface GigabitEthernet0/0
ip nat outside
ip access-group 101 out
09-16-2018 01:35 AM
Would it be applied "in" or "out"? I already have one ACL on the WAN interface and the direction is "in" to deny some protocols.
The main target is to allow only ports 25/443 on 10.100.208.74, which is NATted to 77.123.45.19.
When I give the commands as you suggested, like
ip nat inside source static tcp 10.100.208.74 25 77.123.45.19 25 extendable
ip nat inside source static tcp 10.100.208.74 443 77.123.45.19 443 extendable
then mail doesn't come.
And then I remove the above commands and give the below command, then it works.
ip nat inside source static 10.100.208.74 77.123.45.19 extendable
09-16-2018 01:54 AM
09-16-2018 01:57 AM
Hello
Apply the access list outbound. I think Exchange uses port 110; try and add a static translation for that as well. What does the inbound access list you already have look like?
09-16-2018 03:52 AM
What do you have as mail server, e.g. Exchange?
09-16-2018 04:13 AM
Yes, Exchange server.
09-16-2018 04:23 AM
Hello,
to my best knowledge Exchange Server uses the TCP ports below:
80/110/143/443/587/993/995
Add those to your NAT and access list:
ip nat inside source static tcp 10.100.208.74 25 77.123.45.19 25 extendable
ip nat inside source static tcp 10.100.208.74 110 77.123.45.19 110 extendable
ip nat inside source static tcp 10.100.208.74 143 77.123.45.19 143 extendable
ip nat inside source static tcp 10.100.208.74 443 77.123.45.19 443 extendable
ip nat inside source static tcp 10.100.208.74 587 77.123.45.19 587 extendable
ip nat inside source static tcp 10.100.208.74 993 77.123.45.19 993 extendable
ip nat inside source static tcp 10.100.208.74 995 77.123.45.19 995 extendable
access-list 101 permit tcp host 10.100.208.74 any eq 25
access-list 101 permit tcp host 10.100.208.74 any eq 110
access-list 101 permit tcp host 10.100.208.74 any eq 143
access-list 101 permit tcp host 10.100.208.74 any eq 443
access-list 101 permit tcp host 10.100.208.74 any eq 587
access-list 101 permit tcp host 10.100.208.74 any eq 993
access-list 101 permit tcp host 10.100.208.74 any eq 995
09-16-2018 05:13 AM
Thanks Georg for your efforts.
Can you please clear my doubts.
1) ip nat inside source static 10.100.208.74 25 77.123.45.19 extendable
Does the above command do NATting from outside to inside and then inside to outside?
2) If any traffic comes from outside to inside on this Exchange server, what will come first?
As per my understanding, first ACL, then routing and then NAT.
3) You are suggesting we apply the ACL on the WAN interface with the out direction? As per my understanding, it will restrict traffic coming from the LAN interface to the WAN interface?
4) Are we missing an inbound ACL on the WAN interface to restrict unwanted attacks?
I really appreciate it.
09-16-2018 10:38 AM
Hello,
have you tested the config, does it work? What you want is to restrict access from the outside to the Exchange server to just the ports specified; this is what this config should achieve.
An ACL applied to the outside comes after NAT. You can use an inbound access list, but then chances are that access from any of your internal LAN clients will be affected...
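The question of "what comes first" (ACL, routing or NAT) decides which address an access list has to name. On Cisco IOS the documented order is: for a packet arriving on the `ip nat outside` interface, the inbound ACL is evaluated before the global-to-local translation, so it sees the public address 77.123.45.19; for a packet leaving that interface, the local-to-global translation happens before the outbound ACL, so that ACL also sees the public address. The following Python model is an added example for this thread, not Cisco's code or anything posted by the participants: it parses the `ip nat inside source static` and `access-list` lines in the thread's own syntax (only `any`/`host` address specs and `eq` port qualifiers are modelled), and pushes constructed packets through the two orders of operations. The access list 102 and the packet addresses are constructed for the example.

```python
"""Toy model of the Cisco IOS order of operations for static NAT plus ACLs.
Added example for this thread (not Cisco's code or a poster's): it parses the NAT
and access-list lines posted above and runs constructed packets through them.
Only 'any'/'host' address specs and 'eq' port qualifiers are modelled."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def _addr(tok, i):
    """Consume an address spec: 'any' or 'host A.B.C.D'."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError("unsupported address spec: " + " ".join(tok))

def _port(tok, i):
    """Consume an optional 'eq N' qualifier."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i

def parse_acl(lines):
    """'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' -> {N: [entries]}."""
    acl = {}
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, _ = _port(tok, i)
        acl.setdefault(tok[1], []).append((tok[2], tok[3], src, sport, dst, dport))
    return acl

def acl_permits(entries, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, proto, src, sport, dst, dport in entries:
        if proto not in ("ip", pkt.proto):
            continue
        if src not in ("any", pkt.src) or dst not in ("any", pkt.dst):
            continue
        if sport not in (None, pkt.sport) or dport not in (None, pkt.dport):
            continue
        return action == "permit"
    return False

def parse_static_nat(lines):
    """'ip nat inside source static [tcp|udp] LOCAL [LP] GLOBAL [GP] ...' -> rules."""
    rules = []
    for line in lines:
        tok = line.split()
        if tok[:5] != ["ip", "nat", "inside", "source", "static"]:
            continue
        if tok[5] in ("tcp", "udp"):  # per-port translation
            rules.append((tok[5], tok[6], int(tok[7]), tok[8], int(tok[9])))
        else:  # whole-address translation
            rules.append(("ip", tok[5], None, tok[6], None))
    return rules

def outside_to_inside(pkt, rules, acl_in=None):
    """Arriving on 'ip nat outside': inbound ACL first (sees the PUBLIC dst), then NAT."""
    if acl_in is not None and not acl_permits(acl_in, pkt):
        return "denied by inbound ACL"
    for proto, local, lport, glob, gport in rules:
        if pkt.dst != glob:
            continue
        if proto == "ip":
            return Packet(pkt.proto, pkt.src, pkt.sport, local, pkt.dport)
        if proto == pkt.proto and gport == pkt.dport:
            return Packet(pkt.proto, pkt.src, pkt.sport, local, lport)
    return "no translation"

def inside_to_outside(pkt, rules, acl_out=None):
    """Leaving 'ip nat outside': NAT first, then outbound ACL (sees the PUBLIC src)."""
    for proto, local, lport, glob, gport in rules:
        if pkt.src == local and proto == "ip":
            pkt = Packet(pkt.proto, glob, pkt.sport, pkt.dst, pkt.dport)
            break
        if pkt.src == local and proto == pkt.proto and lport == pkt.sport:
            pkt = Packet(pkt.proto, glob, gport, pkt.dst, pkt.dport)
            break
    else:
        return "no translation"
    if acl_out is not None and not acl_permits(acl_out, pkt):
        return "denied by outbound ACL"
    return pkt

# NAT lines from the thread; ACL 102 is constructed here and names the PUBLIC address.
NAT_ALL = parse_static_nat(["ip nat inside source static 10.100.208.74 77.123.45.19 extendable"])
NAT_PORTS = parse_static_nat([
    "ip nat inside source static tcp 10.100.208.74 25 77.123.45.19 25 extendable",
    "ip nat inside source static tcp 10.100.208.74 443 77.123.45.19 443 extendable"])
ACL_IN = parse_acl(["access-list 102 permit tcp any host 77.123.45.19 eq 25",
                    "access-list 102 permit tcp any host 77.123.45.19 eq 443"])["102"]
```

Running `outside_to_inside` with the whole-address static NAT and ACL 102 applied inbound lets an SMTP connection to 77.123.45.19 through (translated to 10.100.208.74:25) and drops a connection to any other port at the ACL, before NAT ever runs; with only the two per-port statics and no ACL, a packet to an unlisted port has no translation at all. Because the outbound ACL on the outside interface is evaluated after inside-to-outside translation, an outbound entry that names the inside address 10.100.208.74 never matches the translated source and everything from that host falls to the implicit deny; an outbound entry has to name 77.123.45.19.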