Solved

Cisco Access List with NAT

Posted on 2003-03-11
Last Modified: 2011-09-20
I have a Cisco 71 with IOS version 12.2. I'm running NAT, and the way they do that access list with it throws me off. If I want to block an IP from using a server on my LAN, should I deny them on access list 102 (the NAT one), or make a new access list on Ethernet1? Here is the relevant part of my config:

interface Ethernet0
 ip address 10.0.0.100 255.255.255.0
 ip nat inside
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface Ethernet1
 mac-address 0001.0273.e831
 ip address dhcp client-id Ethernet1 hostname myrouter
 ip nat outside
 keepalive 32767
 no cdp enable
!
interface Virtual-Template1
 no ip address
!
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static tcp 10.0.0.1 25 interface Ethernet1 25
ip nat inside source static tcp 10.0.0.100 23 interface Ethernet1 23
ip classless
ip http server
!
!
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
no cdp run


Question by:BOTA-X
LVL 7

Accepted Solution

by:
pedrow earned 200 total points
ID: 8117532
When you say 'block an ip from using a server on my LAN' I suppose you mean someone not on your internal LAN? i.e. some random script kiddie?

Here's the scoop on access lists:
They just say what to permit or deny. When they're used in NAT configurations, they just define when or when not to NAT. With ipsec tunnels, they're used to define what source-destination combinations to encrypt. So, think of them as a general tool that's used to define conditions of other router functions, not just 'security'. Does that help?

That being said, if you want to create a reasonably effective firewall, you'd need to create a separate access-list and apply it inbound on your ethernet1 interface.

Here's a real basic inbound filter that should serve passably if you're not hosting public services:

access-list 101 remark * let sessions initiated from inside back in *
access-list 101 permit tcp any any established
access-list 101 remark * ICMP replies permitted back *
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any port-unreachable
access-list 101 permit icmp any any net-unreachable
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any packet-too-big
access-list 101 deny   ip any any log

int ethernet1
 ip access-group 101 in

This should get you started :)
 
LVL 8

Author Comment

by:BOTA-X
ID: 8117758
Yah, that seems to work... thanks. I do have some public servers, but I'll add them one at a time. Now if I wanted to add them BEFORE that ACL, such as

access-list 101 permit tcp any host 10.0.0.100 eq 23

would open up telnet, right? So how would I insert that above the others? Would I have to delete them first with a "no access-list 101"?
 
LVL 7

Expert Comment

by:pedrow
ID: 8120361
yup.

I usually keep a separate text file called something like acl.101 which would be the access-list, preceded by:

no access-list 101
and ending with the word:
end

I'll keep it on a tftp server and use 'conf net' when I wanna apply a newer version of my filter. It makes revision control of your firewall easier (important if you've got multiple folks working on your routers) and avoids all the cut/paste problems.

Also, the conf net method avoids having to remove the acl from the outside interface if you're doing this remotely. conf net copies the configuration snippet to your router before it gets applied, so you don't get hosed.

btw, you'll have to try out that telnet translation first. I seem to remember someone having problems in that the outside ip address that you're using for the translation *is* the router and so before it gets to the NAT translation part of the process, the telnet daemon of the router responds. If you have more than just the single routable outside address, you might use one of those addresses. Or just use ssh instead of telnet :)

Hope this helps.
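An added example, not part of the thread, to make the first-match point from the two answers above concrete: a small Python simulator of IOS extended-ACL evaluation run over a shortened copy of access-list 101, showing that a permit line typed at the CLI lands after the deny and never matches, while the list rebuilt after 'no access-list 101' with the permit first lets the telnet session through. The 203.0.113.0/24 and 198.51.100.0/24 addresses in the usage and test are constructed sample values.

```python
# Added example (not from the thread): first-match evaluation of an IOS extended ACL.
import ipaddress
from collections import namedtuple
# established = TCP ACK/RST bit set, which is what IOS's "established" keyword tests
Packet = namedtuple("Packet", "proto src dst dport established icmp_type",
                    defaults=(0, False, ""))

def _addr(tok):
    """Consume one IOS address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tok[1])))
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def parse_ace(line):
    """(action, proto, src, dst, qualifiers) for an extended ACE; None for remarks."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] == "remark":
        return None
    src, rest = _addr(t[4:])
    dst, quals = _addr(rest)
    return t[2], t[3], src, dst, quals

def matches(ace, p):
    _, proto, src, dst, q = ace
    if proto not in ("ip", p.proto) or ipaddress.ip_address(p.src) not in src \
            or ipaddress.ip_address(p.dst) not in dst:
        return False
    if ("eq" in q and p.dport != int(q[q.index("eq") + 1])) or \
       ("established" in q and not p.established):
        return False
    icmp_types = [x for x in q if x != "log"] if proto == "icmp" else []
    return not icmp_types or p.icmp_type in icmp_types

def evaluate(acl_text, p):
    """First matching entry decides; anything unmatched hits the implicit deny."""
    for line in acl_text.splitlines():
        ace = parse_ace(line)
        if ace and matches(ace, p):
            return ace[0]
    return "deny"

ACL_101 = """access-list 101 permit tcp any any established
access-list 101 permit icmp any any echo-reply
access-list 101 deny   ip any any log"""
TELNET = "access-list 101 permit tcp any host 10.0.0.100 eq 23"
APPENDED = ACL_101 + "\n" + TELNET  # typing the line at the CLI puts it after the deny
REBUILT = TELNET + "\n" + ACL_101   # after 'no access-list 101', re-entered permit first
```

One caveat the simulator does not model: on a NAT router an ACL applied inbound on the outside interface is evaluated before the inbound translation, so the destination it really sees is the Ethernet1 public address rather than 10.0.0.100.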
 
LVL 8

Author Comment

by:BOTA-X
ID: 8120610
Thanks for everything. Yah, that telnet connection works... it lets me connect to the router from the outside. I suppose I should use a different outside port, though...
 
LVL 7

Expert Comment

by:pedrow
ID: 8121419
Glad it worked out :)

Why not just telnet to the external interface? Just curious-

unfortunately the 71 doesn't support ssh, but if you're going to be managing this router remotely with any regularity, you might wanna consider setting up a host on your internal network that you can ssh to, and then telnet to the router from the secure host. I tend to shy away from telnet across the public internet (clear text passwords). Just my $0.02 :)