08-14-2007 07:31 AM - edited 03-11-2019 03:57 AM
Hello, I have PAT configured on a 2851 router, and I have to create an access list that restricts the "outside world". I allowed HTTP to come into my network, but since this interface has PAT configured it is using dynamic ports for conversations and the ACL is blocking incoming HTTP traffic. I tried using the established command, but that still does not work. Can anyone help me out with this? Any help would be greatly appreciated. Thanks
08-14-2007 07:37 AM
Can you post your config?
08-14-2007 07:58 AM
Are you using HTTP incoming for all the systems or for only one particular server?
08-14-2007 08:03 AM
The T1 is used for browsing and nothing else.
I want to allow all HTTP from anywhere. PAT uses the dynamic ports, so I don't know how to configure the ACL to allow the HTTP conversations. Thanks
08-14-2007 08:00 AM
This is the interface to the Internet that has PAT:
interface Serial0/0/0.165 point-to-point
bandwidth 1536
ip address x.x.x.x x.x.x.x
ip access-group 104 in
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 165 IETF
!
This is the access list that is on the S0/0/0.165 inbound:
access-list 104 permit tcp any any eq www
access-list 104 permit tcp any any eq 443
access-list 104 permit tcp any gt 1023 any established
access-list 104 deny tcp any any eq telnet
08-14-2007 09:09 AM
Ok, you don't block ports with PAT. Can you post your NAT/PAT config?
In the meantime, try this ACL config:
interface Serial0/0/0.165 point-to-point
ip access-group 104 out
access-list 104 permit tcp "Your Network" any eq www
access-list 104 permit tcp "Your Network" any eq 443
access-list 104 permit tcp "Your Network" gt 1023 any established
access-list 104 deny ip any any
08-14-2007 10:46 AM
Here is the PAT statement:
ip nat inside source list 103 interface Serial0/0/0.165 overload
and this is the access list that identifies the network for the PAT:
access-list 103 permit ip 172.23.0.0 0.0.255.255 any
The HTTP traffic is blocked when I apply access list 104, which is the access list to block the outside world. Once I remove the access list, traffic goes through; that is why I am pointing the problem to the access list. Thanks again
08-14-2007 11:13 AM
NAT is good. Since you are using NAT, the outside world won't have access to the inside network. That's how NAT works. If you want to restrict what the clients on your inside can access on the outside, you can use an ACL applied to the serial interface outbound or to the FastEthernet inbound. You can use ACLs to restrict traffic from the outside towards the inside with something like this:
interface Serial0/0/0.165 point-to-point
bandwidth 1536
ip address x.x.x.x x.x.x.x
ip access-group 107 in
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 165 IETF
access-list 107 deny tcp any any eq 42 log
access-list 107 deny tcp any any eq 95 log
access-list 107 deny tcp any any eq 5730 log
access-list 107 deny udp any any eq 5800 log
access-list 107 deny tcp any any eq 5900 log
access-list 107 deny tcp any any eq 6101 log
access-list 107 deny tcp any any range 6661 6669 log
access-list 107 deny tcp any any range 6711 6712 log
access-list 107 deny tcp any any eq 6776 log
access-list 107 deny tcp any any eq 7000 log
access-list 107 deny tcp any any range 12345 12346 log
access-list 107 deny tcp any any eq 16660 log
access-list 107 deny udp any any eq 27444 log
access-list 107 deny tcp any any eq 27665 log
access-list 107 deny tcp any any eq 31027
access-list 107 deny udp any any eq 31335 log
access-list 107 deny tcp any any range 31337 31338 log
access-list 107 deny tcp any any range 32700 32900 log
access-list 107 deny tcp any any eq 33270 log
access-list 107 deny tcp any any eq 39168 log
access-list 107 deny tcp any any eq 47017 log
access-list 107 deny tcp any any eq 65000 log
access-list 107 deny tcp any any eq 65301 log
access-list 107 deny ip 0.0.0.0 0.255.255.255 any log
access-list 107 deny ip host 255.255.255.255 any log
access-list 107 deny ip 127.0.0.0 0.255.255.255 any log
access-list 107 deny ip 10.0.0.0 0.255.255.255 any log
access-list 107 deny ip 172.16.0.0 0.15.255.255 any log
access-list 107 deny ip 192.168.0.0 0.0.255.255 any log
access-list 107 deny ip 169.254.0.0 0.0.255.255 any log
access-list 107 deny ip 192.0.2.0 0.0.0.255 any log
access-list 107 deny ip 224.0.0.0 15.255.255.255 any log
access-list 107 deny ip 240.0.0.0 7.255.255.255 any log
access-list 107 deny ip 248.0.0.0 7.255.255.255 any log
access-list 107 deny ip X.X.X.X X.X.X.X any log
access-list 107 permit icmp any any echo-reply
access-list 107 permit icmp any any source-quench
access-list 107 permit icmp any any unreachable
access-list 107 permit icmp any any time-exceeded
access-list 107 permit ip any x.x.x.x x.x.x.x <------Your Public Address
access-list 107 deny ip any any log
I use these on premise routers for anti-spoofing and to deny ports that are required by the security policy. But since you are using NAT, the outside doesn't have access to the inside unless you do a static NAT or port forwarding.
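An added example, not from any of the posts above and not Cisco code: a small Python model of how IOS walks a numbered extended ACL (first match wins, implicit deny at the end, wildcard masks, eq/gt/lt/range operators, the established keyword), so the two ACLs posted in this thread can be checked offline. Run against ACL 104 from the original config post, it shows why the HTTP replies are dropped: in "permit tcp any gt 1023 any established" the port operator follows the source address, so it tests the web server's source port (80), and the line never matches a reply. Run against the anti-spoofing ACL 107 above, it shows how the wildcard-mask entries catch a packet arriving on the outside interface with an inside (172.23.x.x) source. The evaluator, the public address 198.51.100.1, the server 203.0.113.10, the packets and the rewritten ACE in ACL_104_FIXED are all constructed for illustration.

```python
# Added example, not from the thread: a toy model of Cisco IOS extended-ACL matching that shows why
# ACL 104 drops HTTP return traffic and how ACL 107 catches spoofed sources. The addresses
# 198.51.100.1 (public/PAT address) and 203.0.113.10 (a web server) are constructed placeholders.
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

PORT_NAMES = {"www": 80, "telnet": 23}
ICMP_NAMES = {"echo-reply": 0, "unreachable": 3, "source-quench": 4, "time-exceeded": 11}
_ip = lambda s: int(ipaddress.IPv4Address(s))  # dotted quad -> 32-bit int
# src/dst are (address, care-mask) pairs; an IOS wildcard is the bitwise inverse of the care-mask.
Ace = namedtuple("Ace", "action proto src sport dst dport established icmp_type text")

@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False                # 'established' matches when ACK (or RST) is set
    icmp_type: Optional[int] = None

def _parse_addr(t: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume 'any', 'host A' or 'A WILDCARD'; a 0 wildcard bit means 'must match'."""
    if t[i] == "any":
        return (0, 0), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0xFFFFFFFF), i + 2
    return (_ip(t[i]), ~_ip(t[i + 1]) & 0xFFFFFFFF), i + 2

def _parse_port(t: List[str], i: int) -> Tuple[Callable[[int], bool], int]:
    """Consume an optional eq/gt/lt/range operator; absent means 'any port'."""
    if i < len(t) and t[i] in ("eq", "gt", "lt", "range"):
        port = lambda k: PORT_NAMES[t[k]] if t[k] in PORT_NAMES else int(t[k])
        op, n = t[i], port(i + 1)
        if op == "range":
            hi = port(i + 2)
            return (lambda p: n <= p <= hi), i + 3
        return {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}[op], i + 2
    return (lambda p: True), i

def parse_ace(line: str) -> Ace:
    # access-list N {permit|deny} PROTO SRC [PORTS] DST [PORTS] [established | icmp-type] [log]
    t = line.split()
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)     # a port operator directly after SRC applies to the SOURCE port
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    rest = t[i:]
    icmp_type = next((ICMP_NAMES[r] for r in rest if r in ICMP_NAMES), None)
    return Ace(t[2], t[3], src, sport, dst, dport, "established" in rest, icmp_type, line)

def match(ace: Ace, pkt: Packet) -> bool:
    addr_ok = lambda spec, ip: (_ip(ip) & spec[1]) == (spec[0] & spec[1])
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (addr_ok(ace.src, pkt.src) and addr_ok(ace.dst, pkt.dst)):
        return False
    if ace.proto in ("tcp", "udp") and not (ace.sport(pkt.sport) and ace.dport(pkt.dport)):
        return False
    if ace.established and not pkt.ack:
        return False
    return ace.icmp_type is None or pkt.icmp_type == ace.icmp_type

def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, str]:
    """First matching ACE wins; anything unmatched hits the implicit deny at the end."""
    for ace in map(parse_ace, acl):
        if match(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny ip any any"

# ACL 104 exactly as posted. The web server replies FROM port 80 TO the high port PAT chose, so
# 'gt 1023' on the source side never matches and the reply falls through to the implicit deny.
ACL_104 = [
    "access-list 104 permit tcp any any eq www",
    "access-list 104 permit tcp any any eq 443",
    "access-list 104 permit tcp any gt 1023 any established",
    "access-list 104 deny tcp any any eq telnet",
]
# My rewrite (not from the thread): the port operators go where the reply actually carries them.
ACL_104_FIXED = ["access-list 104 permit tcp any eq www any gt 1023 established", ACL_104[3]]
# Part of the anti-spoofing ACL 107 posted above, with the public-address placeholder filled in.
ACL_107 = [
    "access-list 107 deny ip 172.16.0.0 0.15.255.255 any log",
    "access-list 107 deny ip 192.168.0.0 0.0.255.255 any log",
    "access-list 107 permit icmp any any echo-reply",
    "access-list 107 permit ip any host 198.51.100.1",
    "access-list 107 deny ip any any log",
]
# Constructed packets as seen inbound on the outside (serial) interface.
HTTP_REPLY = Packet("tcp", "203.0.113.10", "198.51.100.1", sport=80, dport=50123, ack=True)
UNSOLICITED_SYN = Packet("tcp", "203.0.113.10", "198.51.100.1", sport=40000, dport=80)
SPOOFED_INSIDE_SRC = Packet("tcp", "172.23.4.9", "198.51.100.1", sport=40000, dport=80)
ECHO_REPLY = Packet("icmp", "203.0.113.10", "198.51.100.1", icmp_type=0)

if __name__ == "__main__":
    for acl, pkt in [(ACL_104, HTTP_REPLY), (ACL_104_FIXED, HTTP_REPLY), (ACL_107, SPOOFED_INSIDE_SRC)]:
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}", evaluate(acl, pkt))
```

Two things the model makes visible that the thread only implies: ACL 104 as posted does permit an unsolicited SYN to port 80 from the outside (first line), and it is the overload PAT, not the ACL, that has no translation for it; and "established" is only a check of the ACK/RST bits in the TCP header, not a connection table, which is why a stateful alternative (reflexive ACLs or CBAC on this platform) is the usual answer when return traffic must be admitted precisely.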
08-14-2007 11:30 AM
Thanks a lot!!!! So you are saying that since this is a NAT interface I do not have to apply an access list to block the outside world from my internal network, since the NAT will block it anyway. And I should just use the ACL 107 you provided for spoofing, right? Thanks for all the help!!!
08-14-2007 11:35 AM
Pretty much, you can change the ACL any way you want.
08-14-2007 11:39 AM
There's nothing wrong with blocking incoming traffic from spoofed addresses, even if NAT is in use. However, I would argue that you don't need to enable logging on all those ACEs.
08-14-2007 11:59 AM
I know, it's just a required evil in my job.
08-14-2007 11:45 AM
If you want to know more about NAT check these links:
http://www.cisco.com/en/US/products/ps6640/products_ios_protocol_group_home.html
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080091cb9.shtml
08-14-2007 11:57 AM
Thanks for all of your help. I learned a lot from you.