06-25-2014 07:19 PM - edited 03-04-2019 11:13 PM
I have a Cisco 4451-X that I am trying to use a static NAT entry so the internet will see a server on the inside as one IP, but not have an "any" access to the resources on that server. Here are the relevant sections of the config:
interface GigabitEthernet0/0/1.993
encapsulation dot1Q 993
ip address 1.1.1.1 255.255.255.248
ip access-group 100 in
ip nat outside
ip nat pool ISP1 2.2.2.2 2.2.2.2 netmask 255.255.255.248
ip nat pool ISP2 1.1.1.1 1.1.1.1 netmask 255.255.255.248
ip nat inside source list 1 pool ISP1 overload
ip nat inside source list 3 pool ISP2 overload
ip nat inside source static 10.10.150.2 1.1.1.2
access-list 1 permit 10.10.48.0 0.0.15.255
access-list 1 permit 172.31.0.0 0.0.15.255
access-list 3 permit 10.10.150.0 0.0.0.15
access-list 100 permit tcp any host 1.1.1.2 eq 9987
access-list 100 permit tcp any host 1.1.1.2 eq www
access-list 100 permit tcp any host 1.1.1.2 eq 30210
access-list 100 permit udp any host 1.1.1.2 eq 30210
access-list 100 permit udp any host 1.1.1.2 eq 9987
access-list 100 deny ip any host 1.1.1.2
access-list 100 permit ip any any
Outside connections are working as expected, but I cannot browse the internet. Any ideas what I might be doing wrong?
06-27-2014 04:56 AM
Hi,
As I mentioned above, change the ACL; check carefully, your DNS is not working:
access-list 100 permit udp any eq domain host 1.1.1.2
any = you should mention a DNS server IP, such as 8.8.8.8
Assuming you are trying to browse on the 10.10.150.2 machine; the others are already permitted. If it is not working then post the whole config of the router.
HTH
"please don't forget to select correct answer and rate also"
06-25-2014 10:05 PM
Hi Bhallman,
Could you please explain what your requirement is to have such an ACL? Your ACL is sourced as outside and then the destination is inside (1.1.1.x segment). If you need only web access, 9987, 30210, 9987 sourced from 1.1.1.2, then you have to have the ACL vice-versa....
access-list 100 permit tcp host 1.1.1.2 any eq https
access-list 100 permit tcp host 1.1.1.2 any eq www
like this....
Also you have a deny ip statement for host 1.1.1.2 which also denies the DNS traffic, which will not allow name resolution.....
If not... if your case is different from the above you are applying it on the outside interface where you are trying to apply the inbound.....
then instead of deny ip statement you can
access-list 100 permit tcp any host 1.1.1.2 established (which will allow only the traffic that is established from inside).... You need to have UDP specified since UDP cannot have the established option.
Please correct me if my understanding is wrong on your scenario.
Regards
Karthik
06-26-2014 02:52 PM
Thank you all for replying. The reason for the one-to-one NAT is due to the fact that outbound traffic must appear from that specific IP address. With a one-to-one NAT all traffic is permitted to the inside host. To curb this, I was trying to create an ACL that would limit inbound traffic to the inside host. My assumption is that since NAT randomizes the outbound traffic, the replies from the internet are denied since they return on ports that are not specifically permitted.
Kazim, I have added the established permit statement, and it did not change the result. Inbound traffic to the inside host is still permitted, but if I try to browse a webpage, it will not work. Also, the ip inspect command would not work. Is there a specific context I need to be in for it to work?
My ACL now looks like this:
access-list 100 permit tcp any host 1.1.1.2 eq 9987
access-list 100 permit tcp any host 1.1.1.2 eq www
access-list 100 permit tcp any host 1.1.1.2 eq 30210
access-list 100 permit udp any host 1.1.1.2 eq 30210
access-list 100 permit udp any host 1.1.1.2 eq 9987
access-list 100 permit udp any host 1.1.1.2 eq domain
access-list 100 permit tcp any host 1.1.1.2 established
access-list 100 deny ip any host 1.1.1.2
access-list 100 permit ip any any
Sajid, I removed the overlapping NAT statement as it is not currently needed. The results remained the same.
06-28-2014 03:46 PM
I am very grateful for your answer. Thank you all for your help and for what you do for the support community.
06-25-2014 10:09 PM
Hi,
Your server IP 10.10.150.2 is overlapped between two NAT statements.
ip nat inside source list 3 pool ISP2 overload
access-list 3 permit 10.10.150.0 0.0.0.15
ip nat inside source static 10.10.150.2 1.1.1.2
Maybe that is the issue; remove ACL 3 and test.
06-26-2014 05:07 AM
Hi Bhall,
You need to modify ACL 100 as below:
ip access-list ext 100
31 permit tcp any host 1.1.1.2 established
32 permit udp host 8.8.8.8 eq domain host 1.1.1.2
where 8.8.8.8 is a public DNS server.
I recommend using inspect:
ip inspect name INSPECT dns
ip inspect name INSPECT http
ip inspect name INSPECT https
Int fa 1/1
ip inspect INSPECT in
ip nat inside
Regards,
kazim
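The whole thread turns on which direction each entry of ACL 100 matches, so here is an added example (written for this thread, not IOS code and not anything the posters supplied) that parses the subset of numbered extended ACL syntax used above and runs the original ACL, the poster's revised ACL and the accepted fix against a few constructed packets as they arrive inbound on the outside interface. The client and web-server addresses (198.51.100.7, 203.0.113.10) and the ephemeral ports are made up; only the `established` flag check is modelled, not `ip inspect`, which is stateful and not simulated here.

```python
# Added example (not IOS code): evaluator for the ACL subset used in this thread.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

PORT_NAMES = {"www": 80, "domain": 53, "https": 443}

@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK or RST bit set: all that "established" tests

@dataclass
class Ace:
    action: str
    proto: str                   # "ip", "tcp" or "udp"
    src: Optional[IPv4Network]   # None means "any"
    sport: Optional[int]
    dst: Optional[IPv4Network]
    dport: Optional[int]
    established: bool = False

def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return None
    if tok == "host":
        return ip_network(tokens.pop(0))
    # IOS wildcard mask: invert it to a netmask (contiguous wildcards only)
    wildcard = int(IPv4Address(tokens.pop(0)))
    return ip_network((tok, str(IPv4Address(wildcard ^ 0xFFFFFFFF))), strict=False)

def _take_port(tokens):
    """Consume an optional 'eq PORT'; return the port number or None."""
    if tokens[:1] != ["eq"]:
        return None
    port = tokens[1]
    del tokens[:2]
    return int(port) if port.isdigit() else PORT_NAMES[port]

def parse_ace(line):
    tokens = line.split()          # access-list <num> <action> <proto> ...
    rest = tokens[4:]
    src, sport = _take_addr(rest), _take_port(rest)   # evaluated left to right
    dst, dport = _take_addr(rest), _take_port(rest)
    return Ace(tokens[2], tokens[3], src, sport, dst, dport, rest[:1] == ["established"])

def matches(ace, pkt):
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and (ace.src is None or ip_address(pkt.src) in ace.src)
            and (ace.dst is None or ip_address(pkt.dst) in ace.dst)
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport)
            and (pkt.ack or not ace.established))

def evaluate(acl, pkt):
    """First match wins; every IOS ACL ends with an implicit deny."""
    return next((ace.action for ace in acl if matches(ace, pkt)), "deny")

def parse_acl(text):
    return [parse_ace(line) for line in text.strip().splitlines()]

# ACL 100 as first posted: only the unsolicited inbound service ports are permitted.
ORIGINAL = parse_acl("""
access-list 100 permit tcp any host 1.1.1.2 eq 9987
access-list 100 permit tcp any host 1.1.1.2 eq www
access-list 100 permit tcp any host 1.1.1.2 eq 30210
access-list 100 permit udp any host 1.1.1.2 eq 30210
access-list 100 permit udp any host 1.1.1.2 eq 9987
access-list 100 deny ip any host 1.1.1.2
access-list 100 permit ip any any
""")
# The poster's revised ACL: 'eq domain' after the destination matches DNS
# queries sent TO 1.1.1.2, not the replies coming back from a resolver.
REVISED = ORIGINAL[:5] + parse_acl("""
access-list 100 permit udp any host 1.1.1.2 eq domain
access-list 100 permit tcp any host 1.1.1.2 established
""") + ORIGINAL[5:]
# The accepted fix: match the resolver's SOURCE port 53 instead.
FIXED = ORIGINAL[:5] + parse_acl("""
access-list 100 permit udp host 8.8.8.8 eq domain host 1.1.1.2
access-list 100 permit tcp any host 1.1.1.2 established
""") + ORIGINAL[5:]

# Constructed packets as they look inbound on the outside interface (pre-NAT).
FLOWS = {
    "client_to_9987": Packet("tcp", "198.51.100.7", 40000, "1.1.1.2", 9987),
    "unsolicited_3389": Packet("tcp", "198.51.100.7", 40001, "1.1.1.2", 3389),
    "http_reply": Packet("tcp", "203.0.113.10", 80, "1.1.1.2", 52000, ack=True),
    "dns_reply": Packet("udp", "8.8.8.8", 53, "1.1.1.2", 51000),
}

def check_flows(acl):
    return {name: evaluate(acl, pkt) for name, pkt in FLOWS.items()}
```

Running `check_flows` on the three ACLs shows the progression the thread describes: the original ACL drops both the HTTP reply and the DNS reply (so nothing browses), the revised ACL admits the HTTP reply through `established` but still drops the DNS reply because `eq domain` sits on the destination, and the fix admits the reply from 8.8.8.8 while an unsolicited SYN to port 3389 stays denied in all three. `established` only looks at the ACK/RST bits on TCP and has no UDP equivalent, which is why the thread moves to `ip inspect` for a stateful alternative.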