Static NAT with ACL

techguy
Level 4

Hi folks,

 

I need some help. I have one public subnet, and I am using one of the static IPs to NAT inside.

 

Since I don't have a FW, I want to restrict some ports on the same IP, but I don't know the best approach.

 

Network: 77.123.45.16/248

Gateway: 77.123.45.17

 

interface GigabitEthernet0/0
 ip address 77.123.45.18 255.255.255.248

 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto

!

ip route 0.0.0.0 0.0.0.0 77.123.45.17

!

ip nat inside source static 10.100.208.74  77.123.45.19 extendable

!

I want to restrict outside-to-inside traffic on some ports like 25/443 etc. Any suggestions, please?

11 Replies

Hello,

 

Not sure what you mean:

 

ip nat inside source static tcp 10.100.208.74 25 77.123.45.19 25 extendable

ip nat inside source static tcp 10.100.208.74 443 77.123.45.19 443 extendable

 

would restrict outside access to just these two ports... is that what you are after?

We want to NAT inside with all ports, but after that, when traffic comes to the local interface, implement an ACL.

 

For example, in one scenario I have NAT as below:

ip nat inside source static 10.100.208.74 77.123.45.19 extendable

Then at the FW level I only allow a specific public IP to reach host 10.100.208.74 on specific ports.

 

Can the above be done on the router, i.e. first accept all NAT and then apply the ACL rule? Thanks

 

 

Hello,

 

Apply the access list below outbound to your outside NAT interface:

 

access-list 101 permit tcp host 10.100.208.74 any eq 25
access-list 101 permit tcp host 10.100.208.74 any eq 443

 

interface GigabitEthernet0/0
 ip nat outside
 ip access-group 101 out


Would it be applied "in" or "out"? I already have one ACL on the WAN interface, in the "in" direction, to deny some protocols.

The main target is to allow only ports 25/443 on 10.100.208.74, which is NATted to 77.123.45.19.

When I enter the commands you suggested, like

ip nat inside source static tcp 10.100.208.74 25 77.123.45.19 25 extendable

ip nat inside source static tcp 10.100.208.74 443 77.123.45.19 443 extendable

then mail doesn't come in.

And when I remove the above commands and enter the command below, it works.

ip nat inside source static 10.100.208.74  77.123.45.19 extendable

 

 

Hello 

 

Apply the access list outbound. I think Exchange uses port 110; try and add a static translation for that as well. What does the inbound access list you already have look like?

What do you have as mail server, e.g. Exchange ?

Yes, Exchange server.

Hello,

 

To my best knowledge, Exchange Server uses the TCP ports below:

 

80/110/143/443/587/993/995

 

Add those to your NAT and access list:

 

ip nat inside source static tcp 10.100.208.74 25 77.123.45.19 25 extendable
ip nat inside source static tcp 10.100.208.74 110 77.123.45.19 110 extendable
ip nat inside source static tcp 10.100.208.74 143 77.123.45.19 143 extendable
ip nat inside source static tcp 10.100.208.74 443 77.123.45.19 443 extendable
ip nat inside source static tcp 10.100.208.74 587 77.123.45.19 587 extendable
ip nat inside source static tcp 10.100.208.74 993 77.123.45.19 993 extendable
ip nat inside source static tcp 10.100.208.74 995 77.123.45.19 995 extendable

 

access-list 101 permit tcp host 10.100.208.74 any eq 25
access-list 101 permit tcp host 10.100.208.74 any eq 110
access-list 101 permit tcp host 10.100.208.74 any eq 143
access-list 101 permit tcp host 10.100.208.74 any eq 443
access-list 101 permit tcp host 10.100.208.74 any eq 587
access-list 101 permit tcp host 10.100.208.74 any eq 993
access-list 101 permit tcp host 10.100.208.74 any eq 995

Thanks Georg for your efforts.

Can you please clear up my doubts?

 

1) ip nat inside source static tcp 10.100.208.74 25 77.123.45.19 25 extendable

Does the above command do NATting from outside to inside and then inside to outside?

 

2) If any traffic comes from outside to inside to this Exchange server, what comes first?

As per my understanding: first ACL, then routing, and then NAT.

 

3) You are suggesting we apply the ACL on the WAN interface in the "out" direction? As per my understanding, that will restrict traffic going from the LAN interface to the WAN interface?

 

4) Are we missing an inbound ACL on the WAN interface to restrict unwanted attacks?

 

I really appreciate.

Hello,

 

Have you tested the config, does it work? What you want is to restrict access from the outside to the Exchange server to just the ports specified; this is what this config should achieve.

 

ACL applied to the outside comes after NAT. You can use an inbound access list, but then chances are that access from any of your internal LAN clients will be affected...
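The configuration below is an added example, not from any post in this thread; it applies the idea discussed in the outbound-ACL suggestion above and in the last reply about access lists and NAT order to the addresses used in the thread. On IOS a packet arriving on the outside interface is matched against that interface's inbound access list before the outside-to-inside translation, so an inbound list has to name the public address 77.123.45.19 rather than 10.100.208.74. A list applied outbound on the same interface is checked after the inside-to-outside translation and also carries the replies and every internal client's traffic, which is why restricting inbound connections there is awkward. IOS accepts one access list per interface and direction, so these entries would be merged into the inbound list that already exists on the WAN interface. The list name INTERNET-IN, the anti-spoofing entries, the `established`/ICMP/DNS return-traffic entries and the `log` keyword are assumptions made for this example; the published ports are taken from Georg's Exchange list, leaving out the cleartext 80/110/143.

```cisco
! Added example, not configuration from the original thread.
! The full static NAT stays in place: every port of 10.100.208.74 is reachable
! as 77.123.45.19, and the inbound list on the outside interface decides which
! ports the Internet may actually use.
ip nat inside source static 10.100.208.74 77.123.45.19 extendable
!
! Inbound on Gi0/0 the packet still carries the PUBLIC destination address,
! because the outside-to-inside translation happens after this check.
ip access-list extended INTERNET-IN
 ! anti-spoofing (assumed): nobody on the Internet may claim to be our own
 ! /29 (77.123.45.16 0.0.0.7) or an RFC1918 host
 deny   ip 77.123.45.16 0.0.0.7 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 ! services published on the mail server (from Georg's Exchange port list,
 ! TLS-capable ports only; 80/110/143 deliberately not published)
 permit tcp any host 77.123.45.19 eq 25
 permit tcp any host 77.123.45.19 eq 443
 permit tcp any host 77.123.45.19 eq 587
 permit tcp any host 77.123.45.19 eq 993
 permit tcp any host 77.123.45.19 eq 995
 ! replies to TCP sessions opened from the inside (stateless: matches ACK/RST set)
 permit tcp any any established
 ! DNS answers and basic ICMP for internal clients behind the router (assumed)
 permit udp any eq 53 any
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 ! everything else, including 135/445/3389 aimed at 77.123.45.19, is dropped and logged
 deny   ip any any log
!
interface GigabitEthernet0/0
 ip address 77.123.45.18 255.255.255.248
 ip nat outside
 ip access-group INTERNET-IN in
```

Check it with `show access-lists INTERNET-IN` (hit counters per entry, which also confirms that inbound SMTP is matching the 77.123.45.19 line and not falling through to the final deny) and `show ip nat translations`. The list is stateless: `established` only looks for the ACK or RST flag, so it admits any TCP segment carrying those flags; it fences off the published server, it does not give the internal clients a stateful firewall.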
