Cisco ip nat inside access list (Solved)

Posted on 2013-01-18, last modified 2013-02-03
Hello,

I need to set an access list on an IP NAT VoIP rule.

I have these NAT rules that work fine:

ip nat inside source static tcp 192.168.11.254 80 57.23.88.xxx 80 extendable
ip nat inside source static udp 192.168.11.250 5060 57.23.88.xxx 5060 extendable

Now I need to allow only an access list to pass over IP NAT on port 5060 (VoIP); port 80 is public, so no access list is required.

new rule to voip:

The access list:
access-list 100 permit udp 79.41.34.xxx 0.0.0.63 eq 5060 any

the pool:
ip nat pool VOIP 192.168.11.250 192.168.11.250 netmask 255.255.255.0 type rotary
ip nat inside source list 100 pool VOIP

But this config doesn't work; all traffic was rejected, so what am I doing wrong?
Question by: _OpenSys_

Expert Comment by rauenpc (LVL 20, ID: 38795615)
Are you just trying to limit which public IP can come in on port 5060? Or are you trying to make a public IP appear like a private IP on your inside network?

If it's the first case, define the NAT rule without any ACLs, and configure an ACL on the outside interface limiting the traffic on that port.

If it's the second case, I think you might be using that NAT command in the wrong direction. The way you have it, it means that any IP in 79.41.34.x with source port 5060 can go anywhere from the INSIDE to the outside and get its source NAT'd to 192.168.11.250.

The following shows an outside NAT:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f8e.shtml

Expert Comment by MAG03 (LVL 17, ID: 38799293)
As many PCs send with a random source port, the access list will never match unless traffic is sent from port 5060 (kind of what rauenpc said). Also, since your NAT pool only has one address, you would need to add the overload statement at the end of the NAT entry to allow more than one private IP to use the NATed IP at the same time. Try changing the access list and NAT statement:

access-list 100 permit udp 79.41.34.xxx 0.0.0.63 any eq 5060

ip nat inside source list 100 pool VOIP overload

Author Comment by _OpenSys_ (LVL 2, ID: 38800621)
No success, my friends...

This is the perspective:

This port-forward rule works from outside to inside, but it is completely open to the whole internet:
ip nat inside source static udp 192.168.11.250 5060 57.23.88.xxx 5060 extendable

Now I need to limit it so that only 79.41.34.xxx 0.0.0.63 can pass over this NAT rule.
Please post some Cisco IOS rules.

Expert Comment by rauenpc (LVL 20, ID: 38801055)
I would just add an ACL rule to the outside interface limiting traffic on port 5060 to the source subnet 79.41.34.xxx 0.0.0.63.

ip access-list extended OUTSIDE-IN
permit udp 79.41.34.xxx 0.0.0.63 eq 5060 57.23.88.xxx eq 5060
deny udp any eq 5060 57.23.88.xxx eq 5060

The above would permit the 79.41.34.xxx 0.0.0.63 subnet and deny any other from attempting to come in via port 5060. You more than likely already have an outside ACL, so the two lines would need to be added to the existing ACL. Once in place, it won't matter that the NAT statement is wide open, as the ACL still limits the traffic. You could then also enable logging on the deny rule if you'd like to see who gets denied.

Expert Comment by airwrck (LVL 6, ID: 38809000)
Do you have the interface on the outside (the one with the IP address 79.41.34.xxx) configured with "ip nat outside"?

I'm assuming it's a different router than the one you are using for the other NAT, or a different interface.

Expert Comment by MAG03 (LVL 17, ID: 38815811)
Remove the type rotary from the ip nat pool command.

Author Comment by _OpenSys_ (LVL 2, ID: 38833096)
No success until now, so I tried this simple method:

ip nat inside source list 100 interface FastEthernet4.3 overload
access-list 100 permit 79.41.34.xxx 0.0.0.63

All NAT inside traffic must pass through access-list 100, right?

So why, when I put "ip nat inside source static udp 192.168.11.250 5060 57.23.88.xxx 5060 extendable", can anyone enter, bypassing access-list 100? Why?

I also tried this rule, but the port continues open for anyone and not only for ACL 100:
ip nat inside source static udp 192.168.11.250 5060 interface FastEthernet4.3 5060

Ideas?

Accepted Solution by _OpenSys_ (LVL 2, ID: 38833272; _OpenSys_ earned 0 total points)
After lots of research and reading I found the way.

On the public network interface:
ip access-group "name of access-list" in

The rule "ip nat inside source list 100 interface FastEthernet4.3 overload" only classifies the output (private addresses), so it will never work.

Thank you guys, but I found my solution :)

Author Closing Comment by _OpenSys_ (LVL 2, ID: 38848323)
The ip nat inside rule gets the public IP translated, so it fails. The solution is getting the IP at the head with ip access-group on the public interface.
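Putting the accepted answer together with rauenpc's filter, here is the configuration in the shape the thread converges on. This is an added example, not the asker's final config or any expert's posted code: it keeps the page's masked addresses (57.23.88.xxx, 79.41.34.xxx) as placeholders, assumes FastEthernet4.3 is the public (ip nat outside) interface as in the asker's own NAT statement, and, following MAG03's point, matches only the destination port, since a caller's source port is not guaranteed to be 5060. The ACL name OUTSIDE-IN is rauenpc's; the log keyword on the deny is the logging he suggested. The permits for the web server and for return traffic are assumptions about what else the outside interface has to let in.

```cisco
! Added example, not the thread's own final configuration.
! Port-forward exactly as on the page: public UDP/5060 -> PBX 192.168.11.250.
ip nat inside source static udp 192.168.11.250 5060 57.23.88.xxx 5060 extendable
!
! Inbound filter on the public interface. For outside-to-inside packets the
! inbound ACL is evaluated BEFORE the static translation, so it must match
! the public address 57.23.88.xxx, not 192.168.11.250. An extended ACL ends
! in an implicit deny, so everything else the outside must reach has to be
! permitted here as well.
ip access-list extended OUTSIDE-IN
 remark SIP signalling only from the permitted /26 (79.41.34.xxx 0.0.0.63)
 permit udp 79.41.34.xxx 0.0.0.63 host 57.23.88.xxx eq 5060
 remark every other SIP attempt is dropped and logged (rate-limited syslog)
 deny   udp any host 57.23.88.xxx eq 5060 log
 remark public web server stays open to everyone, as the asker wants
 permit tcp any host 57.23.88.xxx eq 80
 remark assumed: replies to TCP sessions started from the inside
 permit tcp any host 57.23.88.xxx established
 remark RTP media ports for the PBX need their own permits; the thread
 remark does not give them, so they are left out here
!
interface FastEthernet4.3
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! Checks after applying (commands exist in IOS; output not shown here):
! show ip access-lists OUTSIDE-IN   -> per-line match counters
! show ip nat translations          -> confirms the static entry is present
! show logging                      -> %SEC-6-IPACCESSLOGP lines from the deny
```

Why the asker's list-based attempts could not work: "ip nat inside source list 100 ..." selects inside-originated packets by their private source address when they leave towards the outside; it is never consulted for a connection that arrives from the internet at the static port-forward. The inbound ACL on the ip nat outside interface is the only place in this setup where the remote caller's public source address can be checked.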