Enthusiast

Static NAT with ACL

Hi folks,

 

I need to get some help. I have one public subnet, and one of the static IPs I am using to NAT inside.

 

Since I don't have a FW, I want to restrict some ports on the same IP, but I don't know the best approach.

 

Network: 77.123.45.16/248

Gateway: 77.123.45.17

 

interface GigabitEthernet0/0
 ip address 77.123.45.18 255.255.255.248

 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto

!

ip route 0.0.0.0 0.0.0.0 77.123.45.17

!

ip nat inside source static 10.100.208.74 77.123.45.19 extendable

!

I want to restrict outside-to-inside traffic to some ports like 25/443 etc. Any suggestion, please?

VIP Mentor

Re: Static NAT with ACL

Hello,

 

not sure what you mean:

 

ip nat inside source static tcp 10.100.208.74 25 77.123.45.19 25 extendable

ip nat inside source static tcp 10.100.208.74 443 77.123.45.19 443 extendable

 

would restrict outside access to just these two ports... is that what you are after?

Enthusiast

Re: Static NAT with ACL

We want to NAT inside with all ports, but after that, when traffic comes to the local interface, implement an ACL.

 

For example, in one scenario I have NAT as below:

ip nat inside source static 10.100.208.74 77.123.45.19 extendable

then at the FW level only allow specific public IPs to reach host 10.100.208.74 on specific ports.

 

Can the above be done in the router, to first accept all NAT and then implement the ACL rule? Thanks

 

 

VIP Mentor

Re: Static NAT with ACL

Hello,

 

Apply the access list below outbound to your outside NAT interface:

 

access-list 101 permit tcp host 10.100.208.74 any eq 25
access-list 101 permit tcp host 10.100.208.74 any eq 443

 

interface GigabitEthernet0/0
 ip nat outside
 ip access-group 101 out

Enthusiast

Re: Static NAT with ACL

Would it be applied "in" or "out"? I already have one ACL on the WAN interface, and its direction is "in", to deny some protocols.

The main target is to allow only ports 25/443 on 10.100.208.74, which is NATted to 77.123.45.19.

When I enter the commands you suggested, like

ip nat inside source static tcp 10.100.208.74 25 77.123.45.19 25 extendable

ip nat inside source static tcp 10.100.208.74 443 77.123.45.19 443 extendable

then mail doesn't come.

And then when I remove the above commands and enter the command below, it works.

ip nat inside source static 10.100.208.74 77.123.45.19 extendable

 

VIP Mentor

Re: Static NAT with ACL

Hello 

 

Apply the access list outbound. I think Exchange uses port 110; try and add a static translation for that as well. What does the inbound access list you already have look like?

VIP Mentor

Re: Static NAT with ACL

What do you have as a mail server, e.g. Exchange?

Enthusiast

Re: Static NAT with ACL

Yes, Exchange Server.

VIP Mentor

Re: Static NAT with ACL

Hello,

 

To the best of my knowledge, Exchange Server uses the TCP ports below:

 

80/110/143/443/587/993/995

 

Add those to your NAT and access list:

 

ip nat inside source static tcp 10.100.208.74 25 77.123.45.19 25 extendable
ip nat inside source static tcp 10.100.208.74 110 77.123.45.19 110 extendable
ip nat inside source static tcp 10.100.208.74 143 77.123.45.19 143 extendable
ip nat inside source static tcp 10.100.208.74 443 77.123.45.19 443 extendable
ip nat inside source static tcp 10.100.208.74 587 77.123.45.19 587 extendable
ip nat inside source static tcp 10.100.208.74 993 77.123.45.19 993 extendable
ip nat inside source static tcp 10.100.208.74 995 77.123.45.19 995 extendable

 

access-list 101 permit tcp host 10.100.208.74 any eq 25
access-list 101 permit tcp host 10.100.208.74 any eq 110
access-list 101 permit tcp host 10.100.208.74 any eq 143
access-list 101 permit tcp host 10.100.208.74 any eq 443
access-list 101 permit tcp host 10.100.208.74 any eq 587
access-list 101 permit tcp host 10.100.208.74 any eq 993
access-list 101 permit tcp host 10.100.208.74 any eq 995

Enthusiast

Re: Static NAT with ACL

Thanks Georg for your efforts.

Can you please clear up my doubts?

 

1) ip nat inside source static 10.100.208.74 25 77.123.45.19 extendable

Does the above command do NATting from outside to inside and then inside to outside?

 

2) If any traffic comes from outside to inside to this Exchange server, what comes first?

As per my understanding, first ACL, then routing and then NAT.

 

3) You are suggesting we apply the ACL on the WAN interface with the "out" direction? As per my understanding, that will restrict traffic coming from the LAN interface to the WAN interface?

 

4) Are we missing an inbound ACL on the WAN interface to restrict unwanted attacks?

 

I really appreciate.

VIP Mentor

Re: Static NAT with ACL

Hello,

 

Have you tested the config, does it work? What you want is to restrict access from the outside to the Exchange server to just the ports specified, and this is what this config should achieve.

 

ACL applied to the outside comes after NAT. You can use an inbound access list, but then chances are that access from any of your internal LAN clients will be affected...
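For questions 2 and 3 above, the IOS order of operations is the deciding factor: an access list applied inbound on the `ip nat outside` interface is evaluated before the outside-to-inside translation, so it matches the public (global) address 77.123.45.19; an access list applied outbound on that same interface is evaluated after the inside-to-outside translation and only ever sees traffic leaving toward the Internet. Restricting which ports outsiders may reach on the server is therefore an inbound filter on Gi0/0 that references the global address. The configuration below is an added example, not taken from any post in this thread. It keeps the one-to-one static NAT from the original question unchanged, assumes Gi0/0 is the only outside interface and that 77.123.45.16/29 is the public block as posted, and uses a hypothetical ACL name `WAN-IN`; the "deny some protocols" lines from the existing inbound WAN ACL would be merged into it, since an interface takes only one ACL per direction.

```cisco
! Added example (not from the thread). Assumes: Gi0/0 is the outside interface with
! 77.123.45.18/29, the Exchange host 10.100.208.74 is statically translated to
! 77.123.45.19, and any other inside hosts leave via PAT on 77.123.45.18.
! The ACL name WAN-IN is hypothetical.
!
! One-to-one static NAT stays as it is: every port is translated, and the inbound
! ACL decides which of them an outside host may actually reach.
ip nat inside source static 10.100.208.74 77.123.45.19 extendable
!
ip access-list extended WAN-IN
 remark -- Evaluated BEFORE outside-to-inside NAT, so match the global address
 remark -- Unsolicited connections to the Exchange server: SMTP and HTTPS only
 permit tcp any host 77.123.45.19 eq 25
 permit tcp any host 77.123.45.19 eq 443
 remark -- Return traffic for TCP sessions started from inside (the server's own
 remark -- outbound SMTP, client browsing). 'established' only checks the ACK/RST
 remark -- bits; it is not a connection table.
 permit tcp any 77.123.45.16 0.0.0.7 established
 remark -- DNS replies to inside resolvers (stateless, so source port is trusted;
 remark -- CBAC or zone-based firewall is the proper fix for this)
 permit udp any eq 53 77.123.45.16 0.0.0.7 gt 1023
 remark -- ICMP needed for path MTU and traceroute to work; allow pings to the
 remark -- router's own address only
 permit icmp any host 77.123.45.18 echo
 permit icmp any 77.123.45.16 0.0.0.7 echo-reply
 permit icmp any 77.123.45.16 0.0.0.7 unreachable
 permit icmp any 77.123.45.16 0.0.0.7 time-exceeded
 remark -- Everything else aimed at the server is dropped and counted/logged.
 remark -- The implicit 'deny ip any any' at the end covers the rest of the /29.
 deny   ip any host 77.123.45.19 log
!
interface GigabitEthernet0/0
 ip address 77.123.45.18 255.255.255.248
 ip nat outside
 ip access-group WAN-IN in
```

Apply this from the console, or set `reload in 10` first and cancel it with `reload cancel` once you have confirmed you can still reach the router, because the implicit deny at the end of WAN-IN also drops any management session that arrives on Gi0/0 and is not covered by a permit line. To verify, `show ip access-lists WAN-IN` shows a per-line match counter (the `eq 25` and `eq 443` lines should increment while the `deny ... log` line catches the scans), `show ip nat translations | include 77.123.45.19` confirms the translation is still being built, and from an outside host a connection to 77.123.45.19 on 443 should complete while one to 110 or 3389 should time out. With the `log` keyword, each blocked attempt appears as a `%SEC-6-IPACCESSLOGP` message, which is the inbound-attack visibility asked about in question 4.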
