BOTA-X asked:
Cisco Access List with NAT

I have a Cisco 71 with IOS version 12.2. I'm running NAT, and the way they do that access list with it throws me off. If I want to block an IP from using a server on my LAN, should I deny them on access list 102 (the NAT one) or make a new access list on Ethernet1? Here is the relevant part of my config:

interface Ethernet0
 ip address 10.0.0.100 255.255.255.0
 ip nat inside
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface Ethernet1
 mac-address 0001.0273.e831
 ip address dhcp client-id Ethernet1 hostname myrouter
 ip nat outside
 keepalive 32767
 no cdp enable
!
interface Virtual-Template1
 no ip address
!
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static tcp 10.0.0.1 25 interface Ethernet1 25
ip nat inside source static tcp 10.0.0.100 23 interface Ethernet1 23
ip classless
ip http server
!
!
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
no cdp run


ASKER CERTIFIED SOLUTION (pedrow)

This solution is only available to members of Experts Exchange and is not reproduced here.
BOTA-X (asker):
Yeah, that seems to work... thanks. I do have some public servers, but I'll add them one at a time. Now if I wanted to add them BEFORE that ACL, such as

access-list 101 permit tcp any host 10.0.0.100 eq 23

would open up telnet, right? So how would I insert that above the others? Would I have to delete them first with a "no access-list 101"?
pedrow:

Yup.

I usually keep a separate text file called something like acl.101, which would be the access-list, preceded by:

no access-list 101
and ending with the word:
end

I'll keep it on a tftp server and use 'conf net' when I wanna apply a newer version of my filter. It makes revision control of your firewall easier (important if you've got multiple folks working on your routers) and avoids all the cut/paste problems.

Also, the conf net method avoids having to remove the acl from the outside interface if you're doing this remotely. conf net copies the configuration snippet to your router before it gets applied, so you don't get hosed.

btw, you'll have to try out that telnet translation first. I seem to remember someone having problems in that the outside IP address that you're using for the translation *is* the router, and so before it gets to the NAT translation part of the process, the telnet daemon of the router responds. If you have more than just the single routable outside address, you might use one of those addresses. Or just use ssh instead of telnet :)

Hope this helps.
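pedrow's file-based workflow, written out as one complete acl.101 file. This is an added example for this thread, not the file from pedrow's accepted solution (which is not on the page): the blocked address 192.0.2.50 is a placeholder, and the "deny first, then permit the published servers" ordering and the inbound placement on Ethernet1 are assumptions drawn from the asker's follow-up. One caveat the thread does not spell out: on an "ip nat outside" interface an inbound ACL is evaluated before the outside-to-inside translation, so the destination it sees is the router's own (here DHCP-assigned) Ethernet1 address, never 10.0.0.1 or 10.0.0.100; that is why the destinations below are "any" rather than the inside hosts.

```cisco
! acl.101 -- kept on the TFTP server, loaded with "copy tftp: running-config"
! ("configure network" is the older spelling of the same merge).
! Added example for this thread, not pedrow's actual file.
! 192.0.2.50 is a placeholder for the address being blocked.
!
! Numbered ACLs on IOS 12.2 cannot be edited in place: a new line is always
! appended at the end. Removing the list first makes this file the single
! source of truth for what is applied.
no access-list 101
!
! First match wins, so the deny must precede the permits.
! Inbound on an "ip nat outside" interface, the ACL runs before the
! outside-to-inside translation: the destination it sees is the router's
! own Ethernet1 address (assigned by DHCP, so nothing static to name).
access-list 101 deny   ip host 192.0.2.50 any log
!
! Published servers (the two static NAT entries in the running config).
access-list 101 permit tcp any any eq 25
access-list 101 permit tcp any any eq 23
!
! Return traffic for sessions that inside hosts opened through the
! overload (PAT) translation: TCP replies carry ACK/RST, DNS answers come
! from udp/53. Assumption: inside hosts need only these return paths.
access-list 101 permit tcp any any established
access-list 101 permit udp any eq 53 any
access-list 101 permit icmp any any echo-reply
!
! Ethernet1 gets its address by DHCP; do not lock the router out of renewals.
access-list 101 permit udp any eq 67 any eq 68
!
! Everything else is dropped and logged (explicit, so hits show up in
! "show access-lists 101").
access-list 101 deny   ip any any log
!
interface Ethernet1
 ip access-group 101 in
!
end
```

After loading, check the result with "show access-lists 101" (the hit counters tell you which line a blocked host is matching) and "show ip nat translations". Because the router reads the whole file before merging it, a remote session through Ethernet1 survives the swap, which is the point pedrow makes about not getting hosed; the one thing this file cannot fix is the router's own telnet daemon answering on port 23 before NAT gets a chance to, as pedrow warns above.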
BOTA-X (asker):

Thanks for everything. Yeah, that telnet connection works... it lets me connect to the router from the outside. I suppose I should use a different outside port, though...
pedrow:

Glad it worked out :)

Why not just telnet to the external interface? Just curious-

Unfortunately the 71 doesn't support ssh, but if you're going to be managing this router remotely with any regularity, you might wanna consider setting up a host on your internal network that you can ssh to, and then telnet to the router from the secure host. I tend to shy away from telnet across the public internet (clear text passwords). Just my $0.02 :)