Cisco Access List with NAT

I have a Cisco 71 with IOS version 12.2. I'm running NAT, and the way they do that access list with it throws me off. If I want to block an IP from using a server on my LAN, should I deny them on access list 102 (the NAT one) OR make a new access list on Ethernet1? Here is the relevant part of my config:

interface Ethernet0
 ip address 10.0.0.100 255.255.255.0
 ip nat inside
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface Ethernet1
 mac-address 0001.0273.e831
 ip address dhcp client-id Ethernet1 hostname myrouter
 ip nat outside
 keepalive 32767
 no cdp enable
!
interface Virtual-Template1
 no ip address
!
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static tcp 10.0.0.1 25 interface Ethernet1 25
ip nat inside source static tcp 10.0.0.100 23 interface Ethernet1 23
ip classless
ip http server
!
!
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
no cdp run


Asked by BOTA-X

1 Solution
pedrow commented:
When you say 'block an ip from using a server on my LAN' I suppose you mean someone not on your internal LAN? i.e. some random script kiddie?

Here's the scoop on access lists:
They just say what to permit or deny. When they're used in NAT configurations, they just define when or when not to NAT. With ipsec tunnels, they're used to define what source-destination combinations to encrypt. So, think of them as a general tool that's used to define conditions of other router functions, not just 'security'. Does that help?

That being said, if you want to create a reasonably effective  firewall, you'd need to create a separate access-list and apply it inbound on your ethernet1 interface.

Here's a real basic inbound filter that should serve passably if you're not hosting public services:

access-list 101 remark * let sessions initiated from inside back in *
access-list 101 permit tcp any any established
access-list 101 remark * ICMP replies permitted back *
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any port-unreachable
access-list 101 permit icmp any any net-unreachable
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any packet-too-big
access-list 101 deny   ip any any log

int ethernet1
 ip access-group 101 in

This should get you started :)

BOTA-X (Author) commented:
Yah, that seems to work... thanks. I do have some public servers, but I'll add them one at a time. Now if I wanted to add them BEFORE that ACL, such as

access-list 101 permit tcp any host 10.0.0.100 eq 23

would open up telnet, right? So how would I insert that above the others? Would I have to delete them first with a "no access-list 101"?
pedrow commented:
yup.

I usually keep a separate text file called something like acl.101 which would be the access-list, preceded by:

no access-list 101
and ending with the word:
end

I'll keep it on a tftp server and use 'conf net' when I wanna apply a newer version of my filter. It makes revision control of your firewall easier (important if you've got multiple folks working on your routers) and avoids all the cut/paste problems.

Also, the conf net method avoids having to remove the acl from the outside interface if you're doing this remotely. conf net copies the configuration snippet to your router before it gets applied, so you don't get hosed.

btw, you'll have to try out that telnet translation first. I seem to remember someone having problems in that the outside ip address that you're using for the translation *is* the router and so before it gets to the NAT translation part of the process, the telnet daemon of the router responds. If you have more than just the single routable outside address, you might use one of those addresses. Or just use ssh instead of telnet :)

Hope this helps.
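To make the ordering point concrete (and pedrow's note that list 102 only selects what to NAT), here is an added example that is not from this thread: it models IOS first-match evaluation in Python over the posted filter, showing that a telnet permit typed at the CLI is appended after the final deny and never matches, while regenerating the list from a file puts it ahead of the deny. The packets and the address 203.0.113.9 are constructed, and the parser covers only the ACL syntax used on this page.

```python
import ipaddress

# Constructed copy of the posted filter (trimmed), the asker's telnet line, and a constructed telnet SYN from outside.
ACL_POSTED = """access-list 101 remark * let sessions initiated from inside back in *
access-list 101 permit tcp any any established
access-list 101 permit icmp any any echo-reply
access-list 101 deny   ip any any log"""
TELNET_LINE = "access-list 101 permit tcp any host 10.0.0.100 eq 23"
TELNET_SYN = {"proto": "tcp", "src": "203.0.113.9", "dst": "10.0.0.100", "dport": 23, "ack": False}

def _addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # IOS wildcard masks are inverted netmasks
    netmask = str(ipaddress.ip_address(int(ipaddress.ip_address(tok[1])) ^ 0xFFFFFFFF))
    return ipaddress.ip_network((tok[0], netmask), strict=False), tok[2:]

def parse_acl(text):
    """Turn numbered-ACL lines into ordered rules; remarks and non-ACL lines are skipped."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        rule = {"action": tok[2], "proto": tok[3]}
        rule["src"], rest = _addr(tok[4:])
        rule["dst"], rest = _addr(rest)
        rule["dport"] = int(rest[rest.index("eq") + 1]) if "eq" in rest else None
        rule["established"] = "established" in rest  # IOS: matches TCP with ACK or RST set
        rules.append(rule)
    return rules

def evaluate(rules, pkt):
    """First match wins, as on IOS; returns (action, rule index), implicit deny when nothing matches."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for i, r in enumerate(rules):
        if (r["proto"] in ("ip", pkt["proto"]) and src in r["src"] and dst in r["dst"]
                and r["dport"] in (None, pkt.get("dport"))
                and (pkt.get("ack", False) or not r["established"])):
            return r["action"], i
    return "deny", None

def insert_before_deny(acl_text, new_line):
    """Rebuild the list with new_line ahead of the final deny, as regenerating from the acl.101 file does."""
    lines = acl_text.splitlines()
    i = next(k for k, l in enumerate(lines) if l.split()[2] == "deny")
    return "\n".join(lines[:i] + [new_line] + lines[i:])
```

Because the inbound ACL on Ethernet1 is evaluated before the static NAT entry rewrites the destination, a production rule would name the outside (global) address rather than 10.0.0.100.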

BOTA-X (Author) commented:
Thanks for everything. Yah, that telnet connection works... it lets me connect to the router from the outside. I suppose I should use a different outside port, though...

pedrow commented:
Glad it worked out :)

Why not just telnet to the external interface? Just curious-

unfortunately the 71 doesn't support ssh, but if you're going to be managing this router remotely with any regularity, you might wanna consider setting up a host on your internal network that you can ssh to, and then telnet to the router from the secure host. I tend to shy away from telnet across the public internet (clear-text passwords). Just my $0.02 :)