12-11-2006 04:35 PM - edited 03-05-2019 01:17 PM
10.10.10.4 (255.255.55.248) is my workstation on Vlan1 (10.10.10.1) see attached.
My fw log indicates drop packet to 10.10.10.4. Does this show my 10 addr is visible externally? Is my internal addr. being NATed correctly?
If NAT config is wrong, how do I correct it?
Regards
12-11-2006 04:49 PM
Hello,
only NAT outside addresses are seen from outside.. NAT inside addresses are hidden from the external network.. But there are chances that there are some junk/vulnerable packets (some attacks etc), come into your network from the ISP. These packets are anyway blocked on your router, which makes your network secure.. so, here you have a private IP getting PATed to a public IP (dialer interface) and make browsing happen..
the traffic goes only from inside to outside.. traffic from outside to inside, is normally dropped, since you dont have any STATIC NAT configured which publishes your internal server/pc..
hope this helps.. all the best.. rate replies if found useful..
Raj
12-14-2006 06:20 AM
I think the reason why the log shows you the private address insteed of your WAN address, is something to do with NAT order of operations.
When the packet arrives the router first chexk any access-list, then NAT's the WAN ip to the 10.10.10.4, afterwards the router decieds to make the CBAC (Inspect), and this is where it finds out it wants to throw the packet away. I'm not sure why it throws it away, maybe because some timer is set to low, or the packet isn't what it appeared to be.
For further clarification check this link out, expically the column "Outside-to-Inside".
http://www.cisco.com/warp/public/556/5.html
Anyway I think this behavior is absoulutly normal.
12-16-2006 06:13 PM
Hi there
assuming that you have in your cbac only two interfaces inside and outside no DMZ!!!
i would like to suggest :
1-the vty access-list must be applied on VLAN inbound, to prevent any spoofing of your 10.10... network.
2-the access-list 2000 is good it will allow what must be allowed from outside to your network and at the same time it implement the RFC 2829, so it s placed in the right place dialer inbound.
3-the MARSFW inspection rule must be applied on vlan 1 inbound and removed from dialer0, this inspection rule will create the statefull database and dynamic entries those entries will be appended to your access-list 2000 the puporse of those dynamic entries is to allow the returned traffic for the session initiated from your internal network to the outside network.
4- the nat configuratiion is correct! must work!!.
5- but i dont see any inpspection for your HTTP traffic in the inspection RULE so it will be dropped automaticaly i think!!!, suggestion try to add to the inspection rule
(ip inspect MARSFW http)
also if your are using port 8080 for http instead of 80 use :
(ip port-map http port 8080) at the global config
try and let us know the result
HTH
please do rate if it does clarify
12-19-2006 06:26 PM
Hi
Thanks for feedback. A few points to your reply
3. Please check your information. I've talked to Cisco TAC, they inform me the FW inspect rule should be on Dialer 0 out. When traffic is initiated from inside CBAC creates session entry in the state table which is used in conjunction with ACL in.
5. See my config for HTTP application FW policy.
Regards
12-20-2006 06:11 PM
hi
thanx for the feedback , i ve appretiated it :).
for the point number 5 i quit agree i didnt see it!!!
for the point 3, as i mentionned in my last post you can configure the inspection rule on the interface closed to the source of your outbound traffic going to the internet but dont forget i ve mentionned in the INBOUND (in) direction is still correct!!
however what TAC said is correct too since is applied in the OUTBOUND (out) direction!!
the chalenge here is which one is the best???
in your case just one exit interface is perfect both options can work without heavy work.
but imagine you have 3 or 4 interface to the internet you dont know which one will be used for the outbound traffic going to the internet so if we choose the solution of the TAC here you need to apply your inspection rule in the outbound direction on the 3 or 4 interface ,you have to hard code it tree or four times , but if we chose the the other option you will apply you inspection only ONCE!!! it will work for all the exits interfaces!!!
HTH
please rate if it does clarify
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: