Solved

Help with Cisco Router ACL, and NAT

Posted on 2003-11-17
4,298 Views
Last Modified: 2007-12-19
Hi,

I would like some help and some pointers on ACLs and NAT. I have two static public IP addresses, and would like to use NAT between the public and private addresses. The current router is a 2514; I will change over to a 2621XM in a couple of months.

I would like IP x.x.x.17 inbound to point to the web/DNS server 172.x.x.14.
I would like IP x.x.x.136 outbound for all users inside on the local network.
I believe I can assign both static IPs on E0, with the "ip address x.x.x.136 255.255.255.0 secondary" command for the second IP on the interface.

Currently the second IP x.x.x.136 is going out via the Linksys router, until I get the 2514 working correctly.

Thanks in advance for your time and help with this.

Ziggy

DSL   2 Public IPs                          Private Net
ISP ------ x.x.x.17 and 136 --- E0 [Router] E1 --- 172.x.x.254 ---
Cat 2950T SW --- 172.x.x.14
                 Web/DNS Server

If I have too much information posted below, sorry. I have come across many posts asking for more details and config information, so here it is.

Gizmo = Cisco 2514 Router

gizmo#show ver
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-JK8OS-L), Version 12.2(1), RELEASE SOFTWARE (fc2)


ROM: System Bootstrap, Version 11.0(10c)XB2,

BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c)XB2,

gizmo uptime is 4 hours, 33 minutes
System returned to ROM by power-on
System image file is "flash:c2500-jk8os-l.122-1.bin"

cisco 2500 (68030) processor (revision L) with 14336K/2048K bytes of memory.
16384K bytes of processor board System flash (Read ONLY)


gizmo#show run
Building configuration...

Current configuration : 2362 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname gizmo
!
logging rate-limit console 10 except errors
enable secret 5 xxxxxxxxxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxxxxxx
!

ip subnet-zero
no ip finger
no ip domain-lookup
ip host this 172.x.x.14 < --- Web and DNS Server
ip host that 172.x.x.13
!
no ip dhcp-client network-discovery
!
!
!
interface Ethernet0
 description connected to cat 0/15 VLan x
 ip address x.x.x.17 255.255.255.0
 ip access-group 102 in
 ip nat outside
!
interface Ethernet1
 description connected to cat 0/18 VLan y
 ip address 172.x.x.254 255.255.255.0
 ip nat inside
 shutdown
!
ip kerberos source-interface any
ip nat inside source list 1 interface Ethernet0 overload
ip classless
no ip http server
!
access-list 1 permit 172.x.x.0 0.0.0.255
access-list 102 permit tcp any any established
 <-- Should the following be the Public IP, or the Private IP of the web/DNS server?
access-list 102 permit udp any host x.x.x.17 eq domain
access-list 102 permit tcp any host x.x.x.17 eq domain
access-list 102 permit tcp any host x.x.x.17 eq www
access-list 102 permit tcp any host x.x.x.17 eq 443
access-list 102 permit icmp any host x.x.x.17 echo
access-list 102 deny   ip any any log
!
!
line con 0
 exec-timeout 0 0
 login local
 transport input lat pad v120 mop telnet rlogin udptn nasi
 transport output lat pad v120 mop telnet rlogin udptn nasi
line aux 0
 login local
 transport input all
line vty 0 4
 password 7 xxxxxxxxxxxx
 login local
!
end

gizmo#
Question by:orbix
7 Comments
 

Accepted Solution

by: td_miles (earned 250 total points)
ID: 9768953
ok, here we go:

=================
! define NAT pool (a single address, used for the outbound PAT)
ip nat pool nat-pool x.x.x.136 x.x.x.136 prefix-length 24

! setup the outbound translation
! use overload to do PAT
ip nat inside source list 5 pool nat-pool overload

! specify the ACL that will permit outbound traffic
! (standard ACL: no protocol keyword, just address and wildcard)
access-list 5 permit 172.x.x.x 0.0.255.255

! setup the inbound NAT
! (inside local address and port first, then the inside global address and port)
ip nat inside source static tcp 172.x.x.14 80 x.x.x.17 80
ip nat inside source static tcp 172.x.x.14 53 x.x.x.17 53
ip nat inside source static udp 172.x.x.14 53 x.x.x.17 53
=================

Your access list should use the PUBLIC IP of the server, as that is the IP address the traffic is addressed to. The ACL is checked before the NAT happens. ref:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

You shouldn't need to add the second IP address to the interface using the "secondary" command. If you have designated the IP address for NAT, the router will automagically ARP for it. ref:
http://www.cisco.com/warp/public/cc/pd/iosw/ioft/iofwft/prodlit/iosnt_qp.htm   (scroll right down to the bottom, second last question)

A good page to start at for NAT support is:
http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Technologies:NAT&s=Implementation_and_Configuration

Did I get everything?
 

Author Comment

by:orbix
ID: 9776143
Hi td_miles,

Thanks for your comments and input. I had worked with this, and it did not work at first. I had to change the web server's default gateway from the Linksys router to the Cisco router, then everything started working fine. I missed adding in
{
! define NAT pool
ip nat pool nat-pool x.x.x.136 x.x.x.136 prefix-length 24

! setup the outbound translation
! use overload to do PAT
ip nat inside source list 5 pool nat-pool overload
}

What do the above commands do for me, compared to the show run I have listed below (current config)? I do not have any hosts on this setup going out via the Cisco router; I will test that tomorrow. Thanks for your help, and if I missed anything in the config let me know.

Thanks

!
hostname gizmo
!
logging rate-limit console 10 except errors
!
ip subnet-zero
no ip finger
no ip domain-lookup
!
no ip dhcp-client network-discovery
!
!
interface Ethernet0
 description connected to cat 0/15
 ip address 66.x.x.17 255.255.255.0
 ip access-group 102 in
 ip nat outside
!
interface Ethernet1
 description connected to cat 0/18
 ip address 172.x.x.254 255.255.255.0
 ip nat inside
!
!
ip kerberos source-interface any
ip nat inside source list 2 interface Ethernet0 overload
ip nat inside source static 172.x.x.12 66.x.x.17
ip nat inside source static tcp 172.x.x.12 80 66.x.x.17 80 extendable
ip nat inside source static tcp 172.x.x.12 53 66.x.x.17 53 extendable
ip nat inside source static udp 172.x.x.12 53 66.x.x.17 53 extendable
ip classless
no ip http server
!
access-list 2 permit 172.31.0.0 0.0.255.255
access-list 102 permit tcp any any established
access-list 102 permit udp any host 66.x.x.17 eq domain
access-list 102 permit tcp any host 66.x.x.17 eq domain
access-list 102 permit tcp any host 66.x.x.17 eq www
access-list 102 permit tcp any host 66.x.x.17 eq 443
access-list 102 permit icmp any host 66.x.x.17 echo
access-list 102 deny   ip any any log
!
!
gizmo#
 

Expert Comment

by:td_miles
ID: 9776373
To explain those commands:

ip nat pool nat-pool x.x.x.136 x.x.x.136 prefix-length 24
^sets up a pool of IP addresses to be used for NAT. In your original specification, you wrote:
>> would like IP x.x.x.136 Outbound for all users inside on local network.
so this is why I have configured the NAT pool so that this specific IP address is used.

ip nat inside source list 5 pool nat-pool overload
^This command sets up the NAT. It says that anything matching ACL 5 on the inside is translated into the defined NAT pool. The "overload" keyword says to use NAPT: as we only have a single IP address, it would be used up immediately without PAT.


The command in your config:
ip nat inside source list 2 interface Ethernet0 overload

does a similar thing, but uses the IP address of the ethernet0 interface for the PAT, rather than a specified IP address.

==========
suggestions:

ip nat inside source static 172.x.x.12 66.x.x.17
ip nat inside source static tcp 172.x.x.12 80 66.x.x.17 80 extendable
ip nat inside source static tcp 172.x.x.12 53 66.x.x.17 53 extendable
ip nat inside source static udp 172.x.x.12 53 66.x.x.17 53 extendable

With the first line, you have NATed all of the ports of 172.x.x.12 to 66.x.x.17, which makes the next three statements redundant. Choose which one you want, not both. For my money, I would remove the one-to-one NAT and use the specific ports.

Author Comment

by:orbix
ID: 9784446
Hi,

I have implemented your suggestions, and it partially works. The web server's default gateway points to the Cisco router's interface. It's probably something simple that I am just missing.

PC 172.x.x.13/24 > 172.x.x.1/24 Linksys router 66.x.66.136 > ISP > 66.x.66.17 Cisco router 172.x.x.254 > 172.x.x.12 web server
Works fine, I can get to the web server. From the web server I cannot get to the outside world.
From a friend's place:
PC 10.x.x.x > 10.x.x.1/24 Linksys router 66.x.76.86 > ISP > 66.x.66.17 Cisco router, and it seems to stop there, page not viewable. I can see his IP show up in the translation table.


gizmo#show ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
tcp 66.x.66.17:80     172.x.x.12:80    66.x.76.86:1252   66.x.76.86:1252
udp 66.x.66.17:53    172.x.x.12:53    ---                ---
tcp 66.x.66.17:53     172.x.x.12:53    ---                ---
tcp 66.x.66.17:80     172.x.x.12:80    ---                ---
tcp 66.x.66.17:80     172.x.x.12:80    66.x.66.136:1262  66.x.66.136:1262
tcp 66.x.66.17:80     172.x.x.12:80    66.x.66.136:1265  66.x.66.136:1265
gizmo#

gizmo#show run
Building configuration...
hostname gizmo
!
interface Ethernet0
 description connected to cat 0/15
 ip address 66.x.66.17 255.255.255.0
 ip access-group 102 in
 ip nat outside
!
interface Ethernet1
 description connected to cat 0/18
 ip address 172.x.x.254 255.255.255.0
 ip nat inside
!
ip kerberos source-interface any
ip nat pool nat-pool 66.x.66.17 66.x.66.17 prefix-length 24
ip nat inside source list 2 pool nat-pool overload
ip nat inside source static udp 172.x.x.12 53 66.x.66.17 53 extendable
ip nat inside source static tcp 172.x.x.12 80 66.x.66.17 80 extendable
ip nat inside source static tcp 172.x.x.12 53 66.x.66.17 53 extendable
ip classless
no ip http server
!
access-list 2 permit 172.x.x.0 0.0.0.255
access-list 102 permit tcp any any established
access-list 102 permit udp any host 66.x.66.17 eq domain
access-list 102 permit tcp any host 66.x.66.17 eq domain
access-list 102 permit tcp any host 66.x.66.17 eq www
access-list 102 permit tcp any host 66.x.66.17 eq 443
access-list 102 permit icmp any host 66.x.66.17 echo
access-list 102 deny   ip any any log
!
!
 

Expert Comment

by:td_miles
ID: 9785187
I may not have been clear in what I was trying to explain: you only use "ip nat pool" when you want to use a different IP address for the outbound NAT translation than the address of the "outside" interface.

As it appears you want to use the Ethernet0 interface address for all NAT (inbound and outbound), remove the line for the NAT pool and change:

ip nat inside source list 2 pool nat-pool overload

back to

ip nat inside source list 2 interface Ethernet0 overload


For testing purposes ONLY, I would suggest changing access list 102 to simply "permit ip any any", to make sure that your problem isn't with ACLs. Once you know it is working, then start implementing security.
 

Author Comment

by:orbix
ID: 9792319
Hi,
I think part of the confusion was on my part. I do want to have two IPs on E0, but currently I am using one on the Linksys router as the gateway for everyone until I get the Cisco router working fine. Thanks for being patient and helping with this. I have changed the ACL on E0 inbound from 102 to 103, making it permit ip any any. I am also getting a debug message about a port not being allocated, or at least that is how I read it. From everything I have read, and also from talking with co-workers, this should be working.

Thanks

gizmo#show ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
tcp 66.x.66.17:53     172.x.13.12:53    ---                ---
udp 66.x.66.17:53     172.x.13.12:53    ---                ---
tcp 66.x.66.17:80     172.x.13.12:80    ---                ---
gizmo#
1d23h: %SEC-6-IPACCESSLOGP: list 103 denied udp 211.168.166.61(1025) -> 66.x.66.17(137), 1 packet
1d23h: NAT - SYSTEM PORT for 66.x.66.17: allocated port 0, refcount 3, localport -1, localaddr 0.0.0.0, flags 1, syscount 3
gizmo#

!
interface Ethernet0
 description connected to cat 0/15
 ip address 66.x.66.17 255.255.255.0
 ip access-group 103 in
 ip nat outside
!
interface Ethernet1
 description connected to cat 0/18
 ip address 172.x.13.254 255.255.255.0
 ip nat inside
!
!
ip kerberos source-interface any
ip nat inside source list 2 interface Ethernet0 overload
ip nat inside source static udp 172.x.13.12 53 66.x.66.17 53 extendable
ip nat inside source static tcp 172.x.13.12 80 66.x.66.17 80 extendable
ip nat inside source static tcp 172.x.13.12 53 66.x.66.17 53 extendable
ip classless
no ip http server
!
access-list 2 permit 172.x.13.0 0.0.0.255
access-list 102 permit tcp any any established
access-list 102 permit udp any host 66.x.66.17 eq domain
access-list 102 permit tcp any host 66.x.66.17 eq domain
access-list 102 permit tcp any host 66.x.66.17 eq www
access-list 102 permit tcp any host 66.x.66.17 eq 443
access-list 102 permit icmp any host 66.x.66.17 echo
access-list 102 deny   ip any any log
access-list 103 permit tcp any any established
access-list 103 permit udp any any eq domain
access-list 103 permit tcp any any eq domain
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq 443
access-list 103 permit icmp any any echo
access-list 103 deny   ip any any log
!
!
 

Author Comment

by:orbix
ID: 9793877
Hi,

Well, I believe I have it solved. After watching some debug output and using show ip nat trans, it looked like a port issue. The original ACL was the problem.
access-list 102 permit tcp any host 66.x.66.17 eq domain
changed to
access-list 104 permit tcp any eq domain host 66.x.66.17
and it worked. Filter on source port 80, not destination port 80.
Now when using "show ip nat trans" the table is full.

access-list 104 permit tcp any any established
access-list 104 permit udp any eq domain host 66.x.66.17
access-list 104 permit tcp any eq domain host 66.x.66.17
access-list 104 permit tcp any eq www host 66.x.66.17
access-list 104 permit tcp any eq 443 host 66.x.66.17
access-list 104 permit icmp any host 66.x.66.17 echo
access-list 104 deny   ip any any log

Thanks for your help with this.

Orbix

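Two points run through this thread: the accepted answer's observation that the inbound ACL on Ethernet0 is evaluated against the untranslated packet (so it has to name the public address), and the final post's change from "eq www" after the destination to "eq www" after the source. Both can be checked with a small model. The Python below is an added example, not code from the thread or from Cisco; it implements first-match ACL evaluation with the implicit deny, the static port forwards, and "interface Ethernet0 overload" PAT. All addresses are constructed: 66.0.66.17 and 172.16.13.12 stand in for the thread's 66.x.66.17 and 172.x.13.12, and 203.0.113.0/24 (documentation space) is used for outside hosts; the PAT port-allocation policy is an assumption. Run against list 102 and list 104 it shows that 102 permits a client SYN to the public address on port 80 and hands it to the web server, whereas 104 permits a SYN from any outside host whose source port happens to be 80 to any port on the router and matches no ordinary client SYN (ephemeral source port, destination port 80). The "established" line, not the port lines, is what admits return traffic for the PAT sessions.

```python
"""Toy model of the 2514's outside interface: inbound ACL first, then NAT.
Added example, not from the thread or from Cisco.  PUBLIC and WEB are constructed
stand-ins for the thread's 66.x.66.17 and 172.x.13.12; ICMP types and wildcard
masks are not modelled."""
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC = "66.0.66.17"   # constructed stand-in for 66.x.66.17 (inside global)
WEB = "172.16.13.12"    # constructed stand-in for 172.x.13.12 (inside local)
ANY = "any"


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False    # TCP with ACK or RST set: what "established" matches


@dataclass(frozen=True)
class Ace:
    """One extended-ACL entry; only host/any and 'eq <port>' are modelled."""
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp", "icmp" or "ip"
    src: str = ANY
    sport: Optional[int] = None
    dst: str = ANY
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in (ANY, p.src) and self.dst in (ANY, p.dst)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport)
                and (not self.established or (p.proto == "tcp" and p.ack)))


def acl_permits(acl, p: Packet) -> bool:
    """First matching entry decides; unmatched traffic hits the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False


# access-list 102 from the thread: "permit tcp any host PUBLIC eq www" etc.
ACL_102 = [
    Ace("permit", "tcp", established=True),
    Ace("permit", "udp", dst=PUBLIC, dport=53),
    Ace("permit", "tcp", dst=PUBLIC, dport=53),
    Ace("permit", "tcp", dst=PUBLIC, dport=80),
    Ace("permit", "tcp", dst=PUBLIC, dport=443),
    Ace("permit", "icmp", dst=PUBLIC),
    Ace("deny", "ip"),
]
# access-list 104 from the final post: "permit tcp any eq www host PUBLIC" etc.
ACL_104 = [
    Ace("permit", "tcp", established=True),
    Ace("permit", "udp", sport=53, dst=PUBLIC),
    Ace("permit", "tcp", sport=53, dst=PUBLIC),
    Ace("permit", "tcp", sport=80, dst=PUBLIC),
    Ace("permit", "tcp", sport=443, dst=PUBLIC),
    Ace("permit", "icmp", dst=PUBLIC),
    Ace("deny", "ip"),
]
# ip nat inside source static {tcp|udp} WEB <port> PUBLIC <port> extendable
STATIC = {("tcp", 80): (WEB, 80), ("tcp", 53): (WEB, 53), ("udp", 53): (WEB, 53)}
# ip nat inside source list 2 interface Ethernet0 overload: the dynamic PAT table
PAT = {}             # (inside local ip, port) -> (inside global ip, port)
_next_port = [1024]  # next free global port (the allocation policy is assumed)


def outbound(p: Packet) -> Packet:
    """Inside host leaving via Ethernet0: every host shares PUBLIC as its source
    address and is told apart by the allocated source port."""
    key = (p.src, p.sport)
    if key not in PAT:
        PAT[key] = (PUBLIC, _next_port[0])
        _next_port[0] += 1
    g_ip, g_port = PAT[key]
    return replace(p, src=g_ip, sport=g_port)


def inbound(acl, p: Packet) -> Optional[Packet]:
    """Packet arriving on Ethernet0.  The ACL sees the packet as it arrived (public
    destination); only afterwards does NAT rewrite it.  None means dropped."""
    if not acl_permits(acl, p):
        return None
    target = STATIC.get((p.proto, p.dport))
    if p.dst == PUBLIC and target:                      # static port forward
        return replace(p, dst=target[0], dport=target[1])
    for (l_ip, l_port), (g_ip, g_port) in PAT.items():  # reply to a PAT session
        if (p.dst, p.dport) == (g_ip, g_port):
            return replace(p, dst=l_ip, dport=l_port)
    return p                                            # permitted, not translated
```

With list 102, inbound() applied to a client SYN from 203.0.113.5:40000 to PUBLIC:80 returns the packet re-addressed to WEB:80, and the same SYN addressed to the private WEB address is dropped, which is why the ACL has to name the public IP. With list 104 that client SYN is dropped, while a SYN from source port 80 to PUBLIC:22 is passed through untranslated. A reply to a session created by outbound() carries ACK, matches the established entry, and is mapped back to the inside host by the PAT table.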
