johnsmunoz
Beginner

Trouble with NAT and ACLs

I'm having a hard time getting NAT set up. I have my DIA coming in on G0/0/2. The ISP is providing me two IP blocks, XX.XXX.56.144/29 and XX.YYY.67.0/27

 

All my devices are hung off G0/0/1 and the DMZ devices are off G0/0/1.400

 

I'm trying to use the ACL, DMZ-PERMIT to restrict what traffic hits the DMZ devices and prevent outside traffic from being able to reach my ASR via SSH, HTTPS etc.  

 

With this configuration that appears to be working BUT with 

"ip access-group DMZ-PERMIT in" 

in use, my NAT no longer works. Devices in the 10.40.0.x range are not able to get out on the internet. I can't even ping outside from the ASR. If I remove that ACL from the interface then NAT works again, but all my devices are fully exposed.

 

Any guidance on what I'm doing wrong?

 

interface GigabitEthernet0/0/1
ip address 10.40.0.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/1.400
encapsulation dot1Q 400
ip address XX.YYY.67.1 255.255.255.224

!
interface GigabitEthernet0/0/2
description COGENT DIA
ip address XX.XXX.56.146 255.255.255.248
ip nat outside
ip access-group DMZ-PERMIT in
no negotiation auto
!
ip nat pool COGENT-POOL XX.XXX.56.147 XX.XXX.56.151 netmask 255.255.255.248
ip nat inside source list 100 pool COGENT-POOL overload
!
ip route 0.0.0.0 0.0.0.0 XX.XXX.56.145
!
ip access-list extended DMZ-PERMIT
permit tcp any host XX.YYY.67.3 eq ftp
deny ip any host XX.XXX.56.146
permit tcp any host XX.YYY.67.3 range 5810 5890
permit tcp any host XX.YYY.67.4 eq 443
permit udp any host XX.YYY.67.4 eq 1194
!
access-list 100 permit ip 10.40.0.0 0.0.0.255 any

6 Replies
Georg Pauwen
VIP Expert

Hello,

 

did you try to add the line in bold?

 

ip access-list extended DMZ-PERMIT
permit tcp any host XX.YYY.67.3 eq ftp
deny ip any host XX.XXX.56.146
permit tcp any host XX.YYY.67.3 range 5810 5890
permit tcp any host XX.YYY.67.4 eq 443
permit udp any host XX.YYY.67.4 eq 1194
permit ip 10.40.0.0 0.0.0.255 any

Thanks Georg, 

I added that line but still can't seem to get outside.

Hello,

 

looking at your access list again, I think the line in bold kills your returning NAT traffic:

 

ip access-list extended DMZ-PERMIT
permit tcp any host XX.YYY.67.3 eq ftp
deny ip any host XX.XXX.56.146
permit tcp any host XX.YYY.67.3 range 5810 5890
permit tcp any host XX.YYY.67.4 eq 443
permit udp any host XX.YYY.67.4 eq 1194
permit ip 10.40.0.0 0.0.0.255 any

 

What if you change that to:

 

permit ip any XX.XXX.56.144 0.0.0.7

 

Thanks Georg,

With that command NAT is working now... but I'm back at the original problem of having the SSH, HTTPS, TELNET ports exposed to the public on the IP of the outside interface, x.x.56.146

 

Is there a different way to designate which interface can reach those services? I really just want them exposed to the inside and mgmt port.

Hello,

 

I'll lab this in GNS3...will get back with you...

Hello,

 

here is what I have come up with:

 

First, you need static NAT entries for both the inside and the DMZ interface corresponding to the SSH/TELNET/HTTPS ports. You need to translate them to different outside ports, so when you access these ports from the outside, NAT knows what inside address they correspond to:

 

ip nat inside source static tcp 10.40.0.1 22 XX.XXX.56.146 9122
ip nat inside source static tcp XX.YYY.67.1 22 XX.XXX.56.146 9222
ip nat inside source static tcp 10.40.0.1 23 XX.XXX.56.146 9322
ip nat inside source static tcp XX.YYY.67.1 23 XX.XXX.56.146 9422
ip nat inside source static tcp 10.40.0.1 443 XX.XXX.56.146 9522
ip nat inside source static tcp XX.YYY.67.1 443 XX.XXX.56.146 9622

 

Then, your access list needs to look like this:

 

ip access-list extended DMZ-PERMIT
permit tcp any host XX.YYY.67.3 eq ftp
permit tcp any host XX.XXX.56.146 eq 9122
permit tcp any host XX.XXX.56.146 eq 9222
permit tcp any host XX.XXX.56.146 eq 9322
permit tcp any host XX.XXX.56.146 eq 9422
permit tcp any host XX.XXX.56.146 eq 9522
permit tcp any host XX.XXX.56.146 eq 9622
deny ip any host XX.XXX.56.146
permit ip any XX.XXX.56.147 0.0.0.7
permit ip any XX.XXX.56.148 0.0.0.7
permit ip any XX.XXX.56.149 0.0.0.7
permit ip any XX.XXX.56.150 0.0.0.7
permit ip any XX.XXX.56.151 0.0.0.7
permit tcp any host XX.YYY.67.3 range 5810 5890
permit tcp any host XX.YYY.67.4 eq 443
permit udp any host XX.YYY.67.4 eq 1194
permit ip 10.40.0.0 0.0.0.255 any

 

On a side note, XX.XXX.56.151 is the broadcast address for the network, I don't think it is a usable address...

 

Give this a try...
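To see why each version of DMZ-PERMIT behaves the way the thread reports, the following Python script (an added example, not code from the thread or from Cisco) replays a handful of constructed inbound packets through a small first-match evaluator for IOS extended ACL syntax. The redacted ISP blocks are replaced with RFC 5737 documentation addresses (198.51.100.144/29 for XX.XXX.56.144/29, 203.0.113.0/27 for XX.YYY.67.0/27), and 192.0.2.10 stands in for an arbitrary Internet host. The bold markup in Georg's second reply did not survive extraction; the interim ACL below assumes the replaced line was the `deny ip any host` entry, which is the reading that matches the reply that followed (NAT restored, management ports on .146 reachable). Everything in the script, including the packet set, is constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the redacted blocks in the thread (RFC 5737 documentation ranges):
#   XX.XXX.56.144/29 -> 198.51.100.144/29 (outside interface .146, NAT pool .147-.151)
#   XX.YYY.67.0/27   -> 203.0.113.0/27   (DMZ subinterface; FTP host .3, VPN host .4)
OUTSIDE_IF = "198.51.100.146"
REMOTE = "192.0.2.10"  # constructed Internet host sending packets inbound on G0/0/2

PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens):
    """One IOS address spec: 'any', 'host A' or 'A WILDCARD'. Returns (masked_addr, care_bits, rest)."""
    if tokens[0] == "any":
        return 0, 0, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0xFFFFFFFF, tokens[2:]
    care = 0xFFFFFFFF ^ _ip(tokens[1])  # wildcard bits are "don't care"
    return _ip(tokens[0]) & care, care, tokens[2:]


def _parse_ports(tokens):
    """Optional destination-port qualifier: 'eq P' or 'range LO HI'. Returns (lo, hi) or None."""
    if not tokens:
        return None
    if tokens[0] == "eq":
        p = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        return p, p
    if tokens[0] == "range":
        return int(tokens[1]), int(tokens[2])
    raise ValueError(f"unsupported qualifier: {' '.join(tokens)}")


def parse_acl(text):
    """Parse the body of an 'ip access-list extended' block into ordered entries."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "ip":  # skip the 'ip access-list extended NAME' header
            continue
        action, proto = tokens[0], tokens[1]
        src, src_care, rest = _parse_addr(tokens[2:])
        dst, dst_care, rest = _parse_addr(rest)
        entries.append((action, proto, src, src_care, dst, dst_care, _parse_ports(rest), raw.strip()))
    return entries


def evaluate(acl, pkt):
    """First-match evaluation with the implicit 'deny ip any any' that IOS appends to every ACL."""
    s, d = _ip(pkt.src), _ip(pkt.dst)
    for action, proto, src, src_care, dst, dst_care, ports, line in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if (s & src_care) != src or (d & dst_care) != dst:
            continue
        if ports and not (ports[0] <= pkt.dport <= ports[1]):
            continue
        return action, line
    return "deny", "(implicit deny ip any any)"


# The three ACL versions from the thread, with the stand-in addresses.
ORIGINAL_ACL = """
ip access-list extended DMZ-PERMIT
permit tcp any host 203.0.113.3 eq ftp
deny ip any host 198.51.100.146
permit tcp any host 203.0.113.3 range 5810 5890
permit tcp any host 203.0.113.4 eq 443
permit udp any host 203.0.113.4 eq 1194
"""
# Assumed reading of the second reply: the deny line swapped for 'permit ip any <block> 0.0.0.7'.
INTERIM_ACL = ORIGINAL_ACL.replace("deny ip any host 198.51.100.146",
                                   "permit ip any 198.51.100.144 0.0.0.7") + "permit ip 10.40.0.0 0.0.0.255 any\n"
FINAL_ACL = """
ip access-list extended DMZ-PERMIT
permit tcp any host 203.0.113.3 eq ftp
permit tcp any host 198.51.100.146 eq 9122
permit tcp any host 198.51.100.146 eq 9222
permit tcp any host 198.51.100.146 eq 9322
permit tcp any host 198.51.100.146 eq 9422
permit tcp any host 198.51.100.146 eq 9522
permit tcp any host 198.51.100.146 eq 9622
deny ip any host 198.51.100.146
permit ip any 198.51.100.147 0.0.0.7
permit tcp any host 203.0.113.3 range 5810 5890
permit tcp any host 203.0.113.4 eq 443
permit udp any host 203.0.113.4 eq 1194
permit ip 10.40.0.0 0.0.0.255 any
"""

# Constructed inbound packets: NAT return traffic, a ping reply to the router, management
# attempts against the outside address, and DMZ traffic.
PACKETS = {
    "nat_return": Packet("tcp", REMOTE, "198.51.100.147", 51000),  # reply to a PAT'd session
    "ping_reply": Packet("icmp", REMOTE, OUTSIDE_IF),
    "ssh_22": Packet("tcp", REMOTE, OUTSIDE_IF, 22),
    "ssh_9122": Packet("tcp", REMOTE, OUTSIDE_IF, 9122),  # static NAT forward to 10.40.0.1:22
    "openvpn_dmz": Packet("udp", REMOTE, "203.0.113.4", 1194),
    "ssh_dmz": Packet("tcp", REMOTE, "203.0.113.3", 22),
}


def verdicts(acl_text):
    """Map each sample packet name to the ACL's permit/deny decision."""
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_ACL), ("interim", INTERIM_ACL), ("final", FINAL_ACL)):
        acl = parse_acl(text)
        print(f"--- {label} ---")
        for name, pkt in PACKETS.items():
            action, line = evaluate(acl, pkt)
            print(f"{name:12s} {action:6s} <- {line}")
```

Running it reproduces the thread step by step: under the original ACL the NAT return packet to pool address .147 hits the implicit deny and the ping reply to .146 hits the explicit deny, which is exactly the "NAT broken, can't even ping" symptom; the interim ACL fixes both but also lets port 22 on .146 through; the final ACL denies port 22 on .146 again while still permitting the forwarded ports 9122 and up from any source, and the ICMP reply to .146 stays denied. The evaluator also makes the `0.0.0.7` wildcard visible: `permit ip any 198.51.100.147 0.0.0.7` matches the whole /29 including .146, and only the preceding `deny` line keeps the router address out of it.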