What device can I use? (overload outgoing internet, port map some customers into servers, and build layer 2 tunnels to remote sites).

Just found out that Cisco ASA does not make layer 2 tunnels :-(  Does anyone have any recommendations for what device(s) to use?
**** What license do I need to configure Layer 2 Tunneling Protocol (L2TP) over IPSec on a 2921? **** FOUND IT: DATA = MPLS, BFD, RSVP, L2VPN, L2TPv3, IP-SLA
1) NAT overload the ISP IP for outgoing Internet traffic
2) Port map outside customers into the local network to access servers (https, scp)
3) make layer 2 tunnels out to remote sites (using static ISP IP addresses)

I'd prefer to use only 2921 routers but I can use a FW<->RTR combination....
huffmana (System Admin and Network Engineer) Asked:

Benjamin Van Ditmars (Sr Network Engineer) Commented:
Do you mean L3 tunnel interfaces?
huffmana (System Admin and Network Engineer) Author Commented:
L2TP over L3 tunnel.  It's like it runs Ethernet over the L3 tunnel so the remote site is in the same broadcast domain as the home office.  No routing is needed.  You have to be able to ping across the L3 tunnel before the L2 will work.

Oh yeah, the remote side can use a VoIP by just plugging it in :-)  The call-manager at the home office can see the ePhone's MAC address.

I'm going to have to use a router for the L2 tunnel, I just don't know if I can do all 3 on the same router?  1) NAT-overload 2) PAT 3) L2 tunnel
atlas_shuddered (Sr. Network Engineer) Commented:
huffmana -

Looks like you may have solved your own question - still need input or no?

huffmana (System Admin and Network Engineer) Author Commented:
I just don't know if I can do all 3 on the same router?  1) NAT-overload to Internet 2) PAT outside_to_inside 3) L2 tunnel.
I've got NAT-Overload/DHCP working
I've got L2 tunnels working
But I've never done Port mapping on a Cisco router
And I've never done all 3 together?????
atlas_shuddered (Sr. Network Engineer) Commented:
PAT and NAT overload are the same thing.  If I understand what you are saying above, you are trying to port map (obfuscate) external connections to an interior device (e.g. you are trying to hide an internal port behind an external port map - port 5555 -> 1433)?  Is that correct?
atlas_shuddered (Sr. Network Engineer) Commented:
Sorry, port forwarding, not port map
atlas_shuddered (Sr. Network Engineer) Commented:
If so, that capability is baked into most Cisco routers (meaning, I can't think of one that isn't capable offhand).  Ex. conf follows

object network 1.1.1.1
 host 1.1.1.1

 nat (inside,outside) static interface service tcp 3389 8030

access-list outside_in extended permit tcp any host 1.1.1.1 eq 3389


huffmana (System Admin and Network Engineer) Author Commented:
Cool, thanks atlas_shuddered, that looks like exactly what I'm trying to do.  :-)

This is ASA NAT.... I'd like to put it on the 2921....
huffmana (System Admin and Network Engineer) Author Commented:
ip nat inside source static tcp 192.168.175.66 80 interface GigabitEthernet0/0 8080

Did it.  I have an Apache server on the inside.   So all I have to do is get the L2 tunnel working :-)
atlas_shuddered (Sr. Network Engineer) Commented:
Cheers
huffmana (System Admin and Network Engineer) Author Commented:
This is what I've got working.  I'm using an address on our office network (192.168.168.235) to simulate an outside IP address.

*** BUT  the ACL is stopping a PC on the inside from getting to the internet.  So my REMOTE_INSIDE_OUT_ACL is wrong.
*** How can I restrict access to the servers while allowing access to the internet?

ip nat inside source list OVERLOAD_ACL interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.175.66 80 interface GigabitEthernet0/0 8080

Extended IP access list REMOTE_INSIDE_OUT_ACL
    10 permit ip 192.168.168.0 0.0.0.255 host 192.168.175.66 (62 matches)
    20 permit tcp 192.168.168.0 0.0.0.255 host 192.168.175.66
    30 permit udp 192.168.168.0 0.0.0.255 host 192.168.175.66
    40 permit icmp 192.168.168.0 0.0.0.255 host 192.168.175.66
    50 permit ip 192.168.168.0 0.0.0.255 host 192.168.175.65
    60 permit tcp 192.168.168.0 0.0.0.255 host 192.168.175.65
    70 permit udp 192.168.168.0 0.0.0.255 host 192.168.175.65
    80 permit icmp 192.168.168.0 0.0.0.255 host 192.168.175.65
    90 permit ip 192.168.168.0 0.0.0.255 host 192.168.175.64 (13 matches)
    100 permit tcp 192.168.168.0 0.0.0.255 host 192.168.175.64
    110 permit udp 192.168.168.0 0.0.0.255 host 192.168.175.64
    120 permit icmp 192.168.168.0 0.0.0.255 host 192.168.175.64
    130 deny ip any host 192.168.175.64 (47 matches)
    140 deny tcp any host 192.168.175.64
    150 deny udp any host 192.168.175.64
    160 deny icmp any host 192.168.175.64
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 192.168.168.235 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 192.168.175.1 255.255.255.0
 ip access-group REMOTE_INSIDE_OUT_ACL out
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip access-list extended OVERLOAD_ACL
 permit ip 192.168.175.0 0.0.0.255 host 192.168.168.1
 permit ip 192.168.175.0 0.0.0.255 host 192.168.168.194
 permit ip 192.168.175.0 0.0.0.255 host 192.168.168.191
 permit ip 192.168.175.0 0.0.0.255 host 192.168.168.192
 permit ip 192.168.175.0 0.0.0.255 host 192.168.168.193
 permit ip 192.168.175.0 0.0.0.255 host 192.168.168.195
 permit udp 192.168.175.0 0.0.0.255 eq ntp host 192.168.168.200
 permit icmp 192.168.175.0 0.0.0.255 host 192.168.168.200 echo
 permit icmp 192.168.175.0 0.0.0.255 host 192.168.168.200 echo-reply
 deny   ip 192.168.175.0 0.0.0.255 192.168.168.0 0.0.0.255
 permit udp 192.168.175.0 0.0.0.255 host 192.168.168.1
 permit udp 192.168.175.0 0.0.0.255 host 192.168.168.200
 deny   udp 192.168.175.0 0.0.0.255 192.168.168.0 0.0.0.255
 permit ip 192.168.175.0 0.0.0.255 any
 deny   udp any any
 deny   ip host 0.0.0.0 any
 deny   ip any any
atlas_shuddered (Sr. Network Engineer) Commented:
I think the problem that we are going to run into is the interaction between PAT outbound and the port mapping on the inbound.  Sorry I didn't catch that earlier.
huffmana (System Admin and Network Engineer) Author Commented:
This did it.  I thought that RTR ACLs were open by default.  Looks like the default is deny. Notice the matching on line 170 for generic Internet access.

Extended IP access list REMOTE_INSIDE_OUT_ACL
    10 permit ip 192.168.168.0 0.0.0.255 host 192.168.175.66 (35 matches)
    20 permit tcp 192.168.168.0 0.0.0.255 host 192.168.175.66
    30 permit udp 192.168.168.0 0.0.0.255 host 192.168.175.66
    40 permit icmp 192.168.168.0 0.0.0.255 host 192.168.175.66
    50 permit ip 192.168.168.0 0.0.0.255 host 192.168.175.65
    60 permit tcp 192.168.168.0 0.0.0.255 host 192.168.175.65
    70 permit udp 192.168.168.0 0.0.0.255 host 192.168.175.65
    80 permit icmp 192.168.168.0 0.0.0.255 host 192.168.175.65
    90 permit ip 192.168.168.0 0.0.0.255 host 192.168.175.64 (3 matches)
    100 permit tcp 192.168.168.0 0.0.0.255 host 192.168.175.64
    110 permit udp 192.168.168.0 0.0.0.255 host 192.168.175.64
    120 permit icmp 192.168.168.0 0.0.0.255 host 192.168.175.64
    130 deny ip any host 192.168.175.64 (14 matches)
    140 deny tcp any host 192.168.175.64
    150 deny udp any host 192.168.175.64
    160 deny icmp any host 192.168.175.64
    170 permit ip any any (115 matches)
    180 permit tcp any any
    190 permit udp any any
    200 permit icmp any any
huffmana (System Admin and Network Engineer) Author Commented:
I think that that does it, right?  The only thing incoming to the inside that is allowed are packets with a session/port pair established (internet traffic NAT overload OVERLOAD_ACL) and PAT mapping coming in from specific source addresses (REMOTE_INSIDE_OUT_ACL).  I'll have to change these to real-world networks and addresses but we should be protected.  Unless someone spoofs a source address.....

Now I have to get the L2 tunnels configured.  I'm sure that I'll have to deal with overlapping networks....  But I can't start until another 2921 arrives.  $50 from ebay :-)

I'll wait to close this in case you have more comments.  Thanks for your help :-)  You're the best.
atlas_shuddered (Sr. Network Engineer) Commented:
The permit ip any any statement is permitting all traffic regardless of port, host pair or state.  You can translate it as "allow everything, I don't care".
huffmana (System Admin and Network Engineer) Author Commented:
So there is an ACL on the out side of the inside interface to capture connections that are initiated from the outside (REMOTE_INSIDE_OUT_ACL).  It allows specific source networks access to inside servers.

Then there is a testing ACL on the overload NAT (OVERLOAD_ACL) that stops the inside network from accessing anything but printers and Internet on the host network.  This is only for testing.  Once the router is in place the outside IP address will be the external ISP address.  This NAT only lets inside session requests out, not incoming requests.  RIGHT?  I may want to tighten up this ACL to allow only internet traffic but I don't think that it is necessary.  Unless I want to protect against an insider trying to output data.  But wouldn't they just use http to output the data anyway?

What I would prefer to have done is to put an ACL into "ip nat inside source static tcp 192.168.175.66 80 interface GigabitEthernet0/0 8080" but I couldn't get it to take an ACL?
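To answer the "inside session requests out, not incoming requests" question from the poster's own configuration, here is a small model of IOS NAT overload combined with the static PAT entry, written for this page as an added example (it is not the router's code and not Cisco's; IOS port selection and timeouts are not modelled, and the sequential port allocation starting at 1024 is a constructed simplification). The addresses are the thread's own; 198.51.100.7 is a documentation-range stand-in for an Internet host. The model shows that a reply is only translated back when an inside-initiated binding already exists, and that an unsolicited outside packet reaches an inside host only through the static `8080 -> 192.168.175.66:80` entry; anything else addressed to the outside interface has no translation and stays on the router itself.

```python
"""Model of IOS NAT overload plus one static PAT entry (added example, not router code).

Inside->outside packets get a binding (static first, then dynamic); outside->inside
packets are translated only if a binding for the destination port already exists.
"""
import ipaddress

# OVERLOAD_ACL: permit ip 192.168.175.0 0.0.0.255 any
INSIDE_NET = ipaddress.ip_network("192.168.175.0/24")
# interface GigabitEthernet0/0 (ip nat outside)
OUTSIDE_IP = "192.168.168.235"


class NatTable:
    def __init__(self):
        # ip nat inside source static tcp 192.168.175.66 80 interface GigabitEthernet0/0 8080
        self.static = {("tcp", 8080): ("192.168.175.66", 80)}
        # (proto, outside port) -> (inside local ip, inside port); created by outbound traffic
        self.dynamic = {}
        self.next_port = 1024  # constructed allocator; real IOS port choice is not modelled

    def outbound(self, pkt):
        """Inside -> outside. Returns the translated packet, or None if NAT does not apply."""
        if ipaddress.ip_address(pkt["src"]) not in INSIDE_NET:
            return None  # source does not match OVERLOAD_ACL: no translation
        local = (pkt["src"], pkt["sport"])
        for key, inside in {**self.static, **self.dynamic}.items():
            if key[0] == pkt["proto"] and inside == local:
                break  # reuse the existing binding (static entries also work outbound)
        else:
            key = (pkt["proto"], self.next_port)
            self.next_port += 1
            self.dynamic[key] = local  # overload: many inside hosts share OUTSIDE_IP
        return {**pkt, "src": OUTSIDE_IP, "sport": key[1]}

    def inbound(self, pkt):
        """Outside -> inside. Only an existing binding or a static entry translates."""
        if pkt["dst"] != OUTSIDE_IP:
            return None
        key = (pkt["proto"], pkt["dport"])
        target = self.dynamic.get(key) or self.static.get(key)
        if target is None:
            return None  # unsolicited and unmapped: the packet never reaches the inside
        return {**pkt, "dst": target[0], "dport": target[1]}


def tcp(src, sport, dst, dport):
    """Constructed TCP packet header."""
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport}


def demo():
    """Walk through the four cases the thread discusses and return the outcomes."""
    nat = NatTable()
    out = nat.outbound(tcp("192.168.175.50", 40000, "198.51.100.7", 443))
    reply = nat.inbound(tcp("198.51.100.7", 443, OUTSIDE_IP, out["sport"]))
    mapped = nat.inbound(tcp("198.51.100.7", 51000, OUTSIDE_IP, 8080))
    unsolicited = nat.inbound(tcp("198.51.100.7", 51001, OUTSIDE_IP, 22))
    return {"out": out, "reply": reply, "mapped": mapped, "unsolicited": unsolicited}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} {result}")
```

The model is deliberately stateless beyond the binding table, which is what makes `permit ip any any` on the inside-out ACL matter: NAT alone decides only which packets get translated, and anything that arrives already addressed to an inside address (for instance over the L2 tunnel later in the thread) is not subject to this table at all.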
huffmana (System Admin and Network Engineer) Author Commented:
I think that this will lock it down.  Ended up putting the ACL on the in of the outside interface.

ip nat inside source static tcp 192.168.175.66 80 interface GigabitEthernet0/0 8080

interface GigabitEthernet0/0
 description OUTSIDE
 ip address 192.168.168.235 255.255.255.0
 ip access-group REMOTE_OUTSIDE_IN_ACL in
 ip nat outside
 ip virtual-reassembly in
!
ip access-list extended REMOTE_OUTSIDE_IN_ACL
 permit tcp host 192.168.168.140 host 192.168.168.235 eq 8080
 deny   tcp any host 192.168.168.235 eq 8080
 permit ip any any

And an ACL on the overload NAT:

ip nat inside source list OVERLOAD_ACL interface GigabitEthernet0/0 overload

interface GigabitEthernet0/1
 description INSIDE
 ip address 192.168.175.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in

ip access-list extended OVERLOAD_ACL
 permit ip 192.168.175.0 0.0.0.255 any
 permit udp 192.168.175.0 0.0.0.255 any
 permit tcp 192.168.175.0 0.0.0.255 any

I haven't made the L2 tunnels yet because I need another 2921...

atlas_shuddered (Sr. Network Engineer) Commented:
Couple of things.  And you probably aren't going to like where this is going to lead you.  Hold on to your hat.

First, ACLs are directional.  This means that they are applicable (generally) either inbound or outbound on the interface they are applied to.  So, an ACL that is applied inbound on an interface has absolutely no effect on traffic that is outbound on that same interface.  It will only impact traffic that is inbound to that interface.

Second.  ACLs are sequential in their application of the access statements they contain (the individual lines or rules, e.g. permit ip any any).  What this means is that every packet (on a router anyway) will be processed through the ACL until a match to permit or deny is found.  Once that first match is found, the packet is processed against that statement with no processing against any subsequent statements.  This is important in that you can have a statement that says to permit an entire network followed by a statement that says to deny a particular host on that network and the packet will be permitted against the first statement with the second denial statement never coming into effect.

The reason why I point all of this out is this:

What I understand is that this ACL is applied to your exterior interface, inbound to that interface - Extended IP access list REMOTE_INSIDE_OUT_ACL.  If so, the statement at line 170:

170 permit ip any any (115 matches)

Will permit any traffic inbound to any destination.  As long as your router has a route to the host the packet is trying to get to, it will route it and send it out the appropriate interface, potentially onto your network.

Your equipment will receive and process whatever that packet is trying to request, then attempt to reply as applicable.

Your ACL - ip access-list extended OVERLOAD_ACL is applicable inbound to your LAN interface.  The line:

permit ip 192.168.175.0 0.0.0.255 any

in that ACL will allow any traffic originating from the 192.168.175.0 network (regardless of state) to be NAT'ed and sent back out.

In other words, you have a potential hole in your perimeter.  Granted, it would be a very weird attack but an attack vector nonetheless.
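The two rules just described, sequential first-match evaluation and the effect of `permit ip any any`, can be checked offline against the poster's own ACL lines. The following simulator is an added example written for this page (not the thread's code and not a Cisco tool); it parses entries in the format IOS prints them, including the `(N matches)` counters, and evaluates constructed packets top-down with the implicit deny at the end. It uses an abbreviated REMOTE_INSIDE_OUT_ACL from the post that introduced line 170, the REMOTE_OUTSIDE_IN_ACL posted later in the thread, and a two-line ACL that shows the "permit network, then deny host" ordering trap. Source addresses 203.0.113.9 and 198.51.100.1 are documentation-range stand-ins for outside hosts; ICMP type keywords and named ports beyond a few common ones are not modelled.

```python
"""First-match simulator for Cisco IOS extended ACLs (added example, not from the thread
or from Cisco). ACE lines are parsed as IOS prints them; packets are constructed, with
203.0.113.9 and 198.51.100.1 as documentation-range stand-ins for outside hosts."""
import ipaddress

PORT_NAMES = {"www": 80, "ntp": 123, "domain": 53}  # a few IOS port keywords
PROTOS = {"ip", "tcp", "udp", "icmp"}

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tokens, i):
    """'any' | 'host A' | 'A WILDCARD' at tokens[i]; returns ((addr, wildcard), next_i)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2

def _parse_port(tokens, i):
    """Optional 'eq PORT' qualifier; returns (port or None, next_i)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i

def parse_ace(line):
    """Parse one entry; a trailing '(N matches)' counter is ignored."""
    tokens = line.split("(")[0].split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto not in PROTOS:
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)  # later qualifiers (e.g. icmp 'echo') are not modelled
    return {"seq": seq, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def parse_acl(text):
    """Parse a whole ACL; unnumbered entries get IOS-style sequence numbers 10, 20, ..."""
    aces = []
    for line in filter(str.strip, text.strip().splitlines()):
        ace = parse_ace(line)
        if ace["seq"] is None:
            ace["seq"] = 10 * (len(aces) + 1)
        aces.append(ace)
    return aces

def _addr_matches(spec, ip_text):
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard 0-bits are the bits that must match
    return (_ip(ip_text) & care) == (addr & care)

def ace_matches(ace, pkt):
    """pkt is a dict with proto, src, dst and optional sport/dport."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not (_addr_matches(ace["src"], pkt["src"]) and _addr_matches(ace["dst"], pkt["dst"])):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.get("sport"):
        return False
    return ace["dport"] is None or ace["dport"] == pkt.get("dport")

def evaluate(acl, pkt):
    """Top-down, first match wins; no match means the implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"], ace["seq"]
    return "deny", "implicit"

# The thread's REMOTE_INSIDE_OUT_ACL, abbreviated to the entries that decide the cases below.
INSIDE_OUT = parse_acl("""
    10 permit ip 192.168.168.0 0.0.0.255 host 192.168.175.66 (35 matches)
    90 permit ip 192.168.168.0 0.0.0.255 host 192.168.175.64 (3 matches)
    130 deny ip any host 192.168.175.64 (14 matches)
    170 permit ip any any (115 matches)
""")
# The thread's REMOTE_OUTSIDE_IN_ACL as posted.
OUTSIDE_IN = parse_acl("""
    permit tcp host 192.168.168.140 host 192.168.168.235 eq 8080
    deny   tcp any host 192.168.168.235 eq 8080
    permit ip any any
""")
# Ordering trap: a network-wide permit followed by a host deny that can never fire.
ORDER_DEMO = parse_acl("permit ip 192.168.168.0 0.0.0.255 any\ndeny ip host 192.168.168.140 any")

def tcp(src, dst, dport=80):
    """Constructed TCP packet (plain IOS ACLs carry no session state, so none is modelled)."""
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport}

if __name__ == "__main__":
    print(evaluate(INSIDE_OUT, tcp("192.168.168.140", "192.168.175.66")))  # ('permit', 10)
    print(evaluate(INSIDE_OUT, tcp("203.0.113.9", "192.168.175.66")))      # ('permit', 170): line 170 admits it
    print(evaluate(INSIDE_OUT[:-1], tcp("203.0.113.9", "192.168.175.66"))) # ('deny', 'implicit') without 170
    print(evaluate(OUTSIDE_IN, tcp("192.168.168.141", "192.168.168.235", 8080)))  # ('deny', 20)
    print(evaluate(ORDER_DEMO, tcp("192.168.168.140", "198.51.100.1")))    # ('permit', 10): host deny never reached
```

Removing line 170 (`INSIDE_OUT[:-1]`) makes the outside host fall through to the implicit deny, which is the lock-down the earlier post was aiming for; the price is that any traffic the inside needs and that no earlier entry permits is dropped too, which is why the poster's Internet access broke without it. Scoping the final entry to the return traffic actually needed, rather than `any any`, is the usual way out of that trade-off.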
atlas_shuddered (Sr. Network Engineer) Commented:
hoff - I'm really starting to think that it would be better if you were using a firewall to build at least the near side of this.
huffmana (System Admin and Network Engineer) Author Commented:
Thanks Atlas_shuddered for looking at my ticket.

Goals
Done  1) Allow inside access to Internet
Done  2) Allow specific networks/hosts access to Apache server
To Do 3) Make L2 tunnels to remote sites
To Do 4) Fail-over to backup ISP connection

NAT Testing – Outside Initiated Access

I've tested REMOTE_OUTSIDE_IN_ACL and it only allows the one host (listed in the ACL) to access the inside network (i.e., the Apache server).  If I remove the "permit ip any any" from the end of REMOTE_OUTSIDE_IN_ACL, inside access to the Internet (the overload NAT) stops.  I ran Wireshark on the outside interface and could only see traffic originating from an inside session getting out (see the Wireshark screen shot).  The matches on the "permit ip any any (40323 matches)" are from the inside accessing the Internet.

[Screenshot: Wireshark on mirrored outside interface]
The only thing facing the Internet is the RTR's outside IP address.  There is no way to get to the inside network (192.168.175.0) from the router's outside IP address unless the source address is permitted in the REMOTE_OUTSIDE_IN_ACL.  A port scan of the router's outside interface will find the only ports in the ACL to be open - which are restricted to network/host.  I guess that the address could be spoofed.  But then there is authentication on the servers as a second line of defense.  What more would an ASA firewall do?

I opted for an ASA at first and even got overload NAT and outside Host-in access configured.  But an ASA does not do L2 tunnels.  I'd like to keep it simple with only one device in the node.
atlas_shuddered (Sr. Network Engineer) Commented:
If you have confirmed that connectivity doesn't exceed what you by design, then I'd say roll with it.  To that end, you need to make sure that the only connectivity from outside into the network is in fact only to your exposed servers.  If that is good to go, the next thing I would check into is going to be WAF/IPS/etc. in front of your exposed servers.

The ASAs are suggested as they will ultimately allow you to become more granular in your config and give you greater flexibility in deployment, tighter security control.  But if the routers are doing the trick and you're confident in the access testing you are performing, then they become something that you can evaluate at your convenience, etc.

Cheers