Setup an inbound ACL when NAT is used?

crazyman143
Level 1

Hi All,

I have a Cisco 1841 set up with my cable modem. The modem is plugged into fa0/0. I have a 'Firewall' ACL applied inbound on the fa0/0 interface, and stateful inspection turned on. I want external traffic destined for port 80 to be allowed through the ACL and forwarded to host 10.1.1.2. My config doesn't seem to be working, I assume because I am misunderstanding NAT? I thought that NAT would be performed, then the ACL applied and the traffic allowed to reach the host. What should I do differently?

 

Thank you.

 

interface FastEthernet0/0
ip address dhcp
ip access-group Firewall in
ip inspect Firewall-SPI out
ip nat outside
ip virtual-reassembly in
duplex auto
!
ip nat inside source list NATRULE interface FastEthernet0/0 overload
!
ip nat inside source static tcp 10.1.1.2 80 interface FastEthernet0/0 80
!
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended Firewall
permit tcp any host 10.1.1.2 eq 80
deny   ip any any
!
ip access-list extended NATRULE
permit ip 10.1.0.0 0.0.255.255 any
permit ip 192.168.254.0 0.0.0.255 any
deny   ip any any

Accepted Solution

Hitesh Vinzoda
Level 4

If you don't have a static IP on fa0/0, which I assume is due to DHCP configured under the interface,

just modify the ACL to permit any any eq 80

 

HTH

Hitesh

8 Replies

Your ACL "Firewall" needs to use the public IP that you have on Fa0/0:

ip access-list extended Firewall
 permit tcp any host YOUR-PUBLIC-IP eq 80


crazyman143
Level 1

Thanks folks for the suggestions.

 

Unfortunately, as Hitesh said, I cannot use a static IP for the translations because fa0/0 (outside interface) receives its IP from the modem via DHCP. Even if I change the "Firewall" ACL to permit ip any any, the translations still do not seem to work. I have seen this sort of command on the web:

 

ip nat inside source static tcp 10.1.1.2 80 interface FastEthernet0/0 80

 

And it worked for folks but isn't working for me. This all was working previously when I DID have a static IP set on fa0/0.

 

Any other thoughts? Thanks.

What version of IOS is there on the Cisco router?

Thanks

Hitesh

Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 15.1(3)T3, RELEASE SOFTWARE (fc1)

 

I'm now using this on the "firewall" ACL:

ip access-list extended Firewall
 permit tcp any any eq www
 permit tcp any any eq 5000

 

And these nat rules:

 

ip nat inside source list NATRULE interface FastEthernet0/0 overload
ip nat inside source static tcp 10.1.1.2 80 interface FastEthernet0/0 80
ip nat inside source static udp 10.1.1.45 5000 interface FastEthernet0/0 5000
ip route 0.0.0.0 0.0.0.0 dhcp

 

Still no external access on ports 80/5000. I did a show access-list and I see it is allowing traffic:

 

Extended IP access list Firewall
    10 permit tcp any any eq www (51 matches)
    70 permit tcp any any eq 5000 (90 matches)

 

 

What can I do? Thanks for all the help!

Dude,

That's a promising result. Now you should try from an external network by testing HTTP on the public IP, and check show ip nat translations to see if there are any translations happening or not.

Also, if your web server is IIS, i.e. Windows, you would want to check the Windows firewall, and if Linux then iptables.

 

HTH

Hitesh

I'm not sure what has changed, but still running the exact config as above is now working for me. Port 80 is a Windows server and 5000 is a Synology NAS. Now I can see both. I must have been overlooking something, though I don't know what. At least it's working.

 

My latest trouble is getting my windows vpn server going. I may start a new thread on that as it's a different problem ( though still related to forwarded ports I believe, ugh.)

 

thanks all!

Hello

 

Try this:

interface fa0/0
 description WAN
 ip address dhcp
 ip access-group Firewall in
 ip nat outside

ip access-list extended Firewall
 permit tcp any host (public ip) eq 80
 deny   ip any any

interface x/x
 description LAN
 ip access-group 101 in
 ip nat inside
 ip inspect Firewall-SP in

access-list 101 permit tcp 10.1.0.0 0.255.255.255 any
access-list 101 permit udp 10.0.0.0 0.255.255.255 any
access-list 101 permit icmp 10.0.0.0 0.255.255.255 any
access-list 101 permit tcp 192.168.245.0 0.0.0.255 any
access-list 101 permit udp 192.168.245.0 0.0.0.255 any
access-list 101 permit icmp 192.168.245.0 0.0.0.255 any
access-list 101 deny   ip any any log

ip inspect name Firewall-SP tcp
ip inspect name Firewall-SP udp
ip inspect name Firewall-SP icmp

access-list 1 permit 10.1.0.0 0.255.255.255
access-list 1 permit 192.168.245.0 0.0.0.255

ip nat inside source list 1 interface fa0/0 overload

ip route 0.0.0.0 0.0.0.0 dhcp

res

Paul
