IPsec + Access Lists + Nat same interface

Unanswered Question
Mar 16th, 2009

I have set up a VPN connection on one interface of my router-firewall, and I have an input access list like the following for my IPsec VPN connection:


access-list 111 permit tcp host 172.19.49.110 host 172.27.80.100 eq 3700

access-list 111 permit tcp host 172.19.49.110 host 10.15.40.112 eq www

access-list 111 permit tcp host 172.19.49.110 host 10.15.40.112 eq 443

access-list 111 permit ip host 172.19.49.110 host 10.15.40.144


I am going to include NAT like:


ip nat inside source static tcp 192.168.100.9 25 82.200.68.164


on the same interface, and on the same interface I am going to include an input access list with port 22 and the address 87.89.23.12, from where I could access the inside server.


So I have a VPN on my interface and NAT, through which I can reach the server located inside by using SSH.


I have read an article about NAT order, and still I could not design my input access list after IPsec. Do I have to include the IPsec list? How, given that it is located before the NAT outside-to-inside (global-to-local translation)?

adamclarkuk_2 Mon, 03/16/2009 - 08:06

Hi


If I am reading your request correctly, you are trying to access an address (82.200.68.164) through an IPSec VPN.


So for outside access in, your access list (the crypto ACL) will need to permit the source address (87.89.23.12, I believe) to the inside global 82.200.68.164 on TCP port 22.


So whichever ACL you are using within your crypto-map statement, add


permit tcp host 87.89.23.12 host 82.200.68.164 eq 22


Here is the NAT order of operations when using IPSec:


If IPSec then check input access list

decryption - for CET (Cisco Encryption Technology) or IPSec

check input access list

check input rate limits

input accounting

policy routing

routing

redirect to web cache

NAT inside to outside (local to global translation)

crypto (check map and mark for encryption)

check output access list

inspect (Context-based Access Control (CBAC))

TCP intercept

encryption

Queueing


hoffenheim Tue, 03/17/2009 - 01:24

Not exactly. I have 3 VPN connections with 3 clients (site-to-site). That is working. Now, for the new client who wants to access the server located on the inside network (private addresses), I have to include a NAT statement:


ip nat inside static 192.168.100.9 82.200.68.164


OK, now I want to limit access to a particular network (I do not want everyone to use SSH to access my server 192.168.100.9), let's say: 87.89.23.12 255.255.255.0.


I do not have any input access list from the outside, and the question is whether or not I have to include the following command in my access list:


access-list xxx deny ip any any


I do not know whether that might have an impact on my VPN communication, because it comes after IPsec with the input access list (that access list is not the same as the above list, which I am going to apply on the output interface like this):


router(config-if)#ip access-group xxx in


My IPsec access lists are included in

crypto map CRYPTO 30 ipsec-isakmp

...

match address yyy

hoffenheim Tue, 03/17/2009 - 01:47

I have attempted another way: instead of putting a simple static NAT command for the case of SMTP (port 25) and including an input access list, I have tried (this time for port 25, SMTP):


ip nat inside source static tcp 192.168.100.9 25 82.200.68.165 25 extendable


That works fine when I send mail from the outside and locally, but when I try to send mail to the outside world I am not able to send it. The reason might be as stated on the Cisco site:


"Once that is working, they might also want to define static mappings for a particular host using each provider's address space. The software does not allow two static translations with the same local address, though, because it is ambiguous from the inside. The router will accept these static translations and resolve the ambiguity by creating full translations (all addresses and ports) if the static translations are marked as "extendable". For a new outside-to-inside flow, the appropriate static entry will act as a template for a full translation. For a new inside-to-outside flow, the dynamic route-map rules will be used to create a full translation "


The problem is that I have a problem sending SMTP out from inside to outside; consequently, I do not know which dynamic route-map rules it is referring to.

hoffenheim Tue, 03/17/2009 - 14:24


I have included:


ip nat inside static 192.168.100.9 82.200.68.164


I could send and receive mail from yahoo.com etc.


Then I tried to limit access to the server, and I have included port 25 for SMTP:


ip nat inside static 192.168.100.9 25 82.200.68.164 25


As a result I could receive mail from yahoo.com, but I could not send mail to, let's say, my Yahoo mail account.


I wish to stress that I do not have commands in my router running config file such as:


ip nat inside route-map rmnameit pool nameit


Is that the problem?


Wed 2009-03-11 19:08:42: Session 1877; child 2

Wed 2009-03-11 19:06:15: [1877:2] Parsing Message

Wed 2009-03-11 19:06:15: [1877:2] From: [email protected]

Wed 2009-03-11 19:06:15: [1877:2] To: [email protected]

Wed 2009-03-11 19:06:15: [1877:2] Subject: test ako je uspeh

Wed 2009-03-11 19:06:15: [1877:2] Message-ID: <009901c9a273$f7bf06c0$[email protected]>

Wed 2009-03-11 19:06:15: [1877:2] MX-record resolution of [yahoo.com] in progress (DNS Server: 192.168.0.2)...

Wed 2009-03-11 19:06:15: [1877:2] * P=001 D=yahoo.com TTL=(108) MX=[g.mx.mail.yahoo.com] {209.191.118.103}

Wed 2009-03-11 19:06:15: [1877:2] * P=001 D=yahoo.com TTL=(108) MX=[f.mx.mail.yahoo.com] {209.191.88.247}

Wed 2009-03-11 19:06:15: [1877:2] * P=001 D=yahoo.com TTL=(108) MX=[e.mx.mail.yahoo.com] {216.39.53.1}

Wed 2009-03-11 19:06:15: [1877:2] * P=001 D=yahoo.com TTL=(108) MX=[d.mx.mail.yahoo.com] {66.196.82.7}

Wed 2009-03-11 19:06:15: [1877:2] * P=001 D=yahoo.com TTL=(108) MX=[c.mx.mail.yahoo.com]

Wed 2009-03-11 19:06:15: [1877:2] * P=001 D=yahoo.com TTL=(108) MX=[b.mx.mail.yahoo.com] {66.196.97.250}

Wed 2009-03-11 19:06:15: [1877:2] * P=001 D=yahoo.com TTL=(108) MX=[a.mx.mail.yahoo.com] {67.195.168.31}

Wed 2009-03-11 19:06:15: [1877:2] Attempting MX: P=001 D=yahoo.com TTL=(108) MX=[a.mx.mail.yahoo.com] {67.195.168.31}

Wed 2009-03-11 19:06:15: [1877:2] Attempting SMTP connection to [67.195.168.31 : 25]

Wed 2009-03-11 19:06:15: [1877:2] Waiting for socket connection...

Wed 2009-03-11 19:06:36: [1877:2] Winsock Error 10060 The connection timed out.

Wed 2009-03-11 19:06:36: [1877:2] Attempting MX: P=001 D=yahoo.com TTL=(108) MX=[b.mx.mail.yahoo.com] {66.196.97.250}

Wed 2009-03-11 19:06:36: [1877:2] Attempting SMTP connection to [66.196.97.250 : 25]

Wed 2009-03-11 19:06:36: [1877:2] Waiting for socket connection...

Wed 2009-03-11 19:06:57: [1877:2] Winsock Error 10060 The connection timed out.

Wed 2009-03-11 19:06:57: [1877:2] Attempting MX: P=001 D=yahoo.com TTL=(108) MX=[c.mx.mail.yahoo.com]


hoffenheim Tue, 03/17/2009 - 14:26

Wed 2009-03-11 19:06:57: [1877:2] Attempting SMTP connection to [c.mx.mail.yahoo.com : 25]

Wed 2009-03-11 19:06:57: [1877:2] A-record resolution of [c.mx.mail.yahoo.com] in progress (DNS Server: 192.168.0.2)...

Wed 2009-03-11 19:06:57: [1877:2] D=c.mx.mail.yahoo.com TTL=(17) A=[216.39.53.2]

Wed 2009-03-11 19:06:57: [1877:2] Attempting SMTP connection to [216.39.53.2 : 25]

Wed 2009-03-11 19:06:57: [1877:2] Waiting for socket connection...

Wed 2009-03-11 19:07:18: [1877:2] Winsock Error 10060 The connection timed out.

Wed 2009-03-11 19:07:18: [1877:2] Attempting MX: P=001 D=yahoo.com TTL=(108) MX=[d.mx.mail.yahoo.com] {66.196.82.7}

Wed 2009-03-11 19:07:18: [1877:2] Attempting SMTP connection to [66.196.82.7 : 25]

Wed 2009-03-11 19:07:18: [1877:2] Waiting for socket connection...

Wed 2009-03-11 19:07:39: [1877:2] Winsock Error 10060 The connection timed out.

Wed 2009-03-11 19:07:39: [1877:2] Attempting MX: P=001 D=yahoo.com TTL=(108) MX=[e.mx.mail.yahoo.com] {216.39.53.1}



...

Waiting for socket connection...

Wed 2009-03-11 19:08:42: [1877:2] Winsock Error 10060 The connection timed out.

Wed 2009-03-11 19:08:42: [1877:2] This message is 2 minutes old; it has 118 minutes left in this queue

Wed 2009-03-11 19:08:42: [1877:2] SMTP session terminated (Bytes in/out: 0/0)

Wed 2009-03-11 19:08:42: ----------

Well, I could not figure out what the reason was; the mail server rejected my connection.


I have tested with several accounts, and it failed like the Yahoo one.


Then I decided to take the first approach:


ip nat inside static 192.168.100.9 82.200.68.164


and to design an ACL on that output interface so that only the SMTP port is open:


access-list 123 permit tcp any host 82.200.68.164 eq 25

access-list 123 deny ip any any
adamclarkuk_2 Tue, 03/17/2009 - 02:32

I am still not 100% sure what you need, so I will make more assumptions.


The "new" client is not connecting to the public address 82.200.68.164 via an IPSec tunnel.


If this is the case, and you want to restrict access to this server, then you have a few options.


1. Amend the ACL attached inbound to the outside interface to restrict access to the host address 82.200.68.164 on TCP port 22.

If you want everyone to have access to this server except certain customers, then add explicit denies to the top of your ACL; then, below the last deny, add a permit any to the host on TCP port 22. As ACLs are processed top down, this will be more efficient.


(Your post says 'let's say: 87.89.23.12 255.255.255.0.'; I am not sure if you mean the host 87.89.23.12 or the network 87.89.23.0/24, so I have included both in the example below.)


access-list xxx deny tcp host 87.89.23.12 host 82.200.68.164 eq 22

access-list xxx deny tcp 87.89.23.0 0.0.0.255 host 82.200.68.164 eq 22

access-list xxx permit tcp any host 82.200.68.164 eq 22


If you want no access to this address except for certain customers, then remove any generic access to this host address that may be in the ACL and add individual permits to the host on TCP port 22, leaving the explicit deny at the end to catch all other connections.


access-list xxx permit tcp 87.89.23.0 0.0.0.255 host 82.200.68.164 eq 22



2. If you can move the NAT to an ASA/PIX, you can control the static NAT with an ACL:


static (inside,outside) 82.200.68.164 access-list host-nat


access-list host-nat extended permit tcp host 192.168.100.9


3. Leave access open on TCP port 22 on your router to the host address 82.200.68.164 and control the access from the server itself. If your server is a *NIX-based OS, normally you can control access from there via the hosts.allow file, for instance on FreeBSD. As you have locked down TCP access


hoffenheim Tue, 03/17/2009 - 14:42

"The "new" client is not connecting to the public address 82.200.68.164 via an IPSec tunnel"


No, it is not. The VPN connections (3 of them) are only on the same interface. They do not have anything to do with NAT, but I have a concern that the access lists from the crypto map have to be included in my ACL which limits access to my mail server behind my router-firewall.


In fact, can I completely ignore the ACLs (consisting only of private addresses) from the crypto map when I write the ACL on the output interface to limit access to the server behind the router-firewall (Cisco 2801)?
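
An added example, not part of the thread: a small Python model of the outside-to-inside path in the order-of-operations list adamclarkuk_2 posted (input ACL checked on the arriving ESP packet and again on the decrypted packet, global-to-local NAT only after the ACL), run over hoffenheim's ACL 123 and over the same ACL with the tunnel's IKE/ESP and crypto-ACL traffic permitted. The VPN peer and router outside addresses are placeholders; the ACL matcher also evaluates adamclarkuk_2's option 1 ordering (explicit denies above a permit any).

```python
import ipaddress

def _addr(tok):
    """Pop one IOS address spec from tok: any | host A | A WILDCARD (contiguous wildcard)."""
    if tok[0] == "any":
        tok.pop(0)
        return ipaddress.ip_network("0.0.0.0/0")
    a, w = tok.pop(0), tok.pop(0)            # either ('host', ADDR) or (ADDR, WILDCARD)
    prefix = 32 if a == "host" else 32 - int(ipaddress.ip_address(w)).bit_length()
    return ipaddress.ip_network(f"{w if a == 'host' else a}/{prefix}", strict=False)

def parse_ace(line):
    """'permit|deny PROTO SRC DST [eq PORT]' -> (action, proto, src_net, dst_net, dport)."""
    tok = line.split()
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = _addr(tok), _addr(tok)
    dport = int(tok[1]) if tok[:1] == ["eq"] else None
    return action, proto, src, dst, dport

def acl_permits(acl, pkt):
    """pkt = (proto, src, dst, dport). First match top-down wins; implicit deny at the end."""
    for action, proto, src, dst, dport in acl:
        if proto in ("ip", pkt[0]) and ipaddress.ip_address(pkt[1]) in src \
                and ipaddress.ip_address(pkt[2]) in dst and dport in (None, pkt[3]):
            return action == "permit"
    return False

def inbound(acl, pkt, inner=None, static_nat=None):
    """Outside-to-inside path from the order list: input ACL on the arriving packet, decryption if
    it is ESP, input ACL again on the cleartext inner packet, then global-to-local NAT (after the ACL)."""
    if not acl_permits(acl, pkt):
        return "dropped by input ACL before decryption"
    if inner is not None:
        pkt = inner
        if not acl_permits(acl, pkt):
            return "dropped by input ACL after decryption"
    return "forwarded to " + (static_nat or {}).get(pkt[2], pkt[2])

# Constructed sample data: PEER/ROUTER are placeholders; NAT entry and ACL 123 are as posted above.
PEER, ROUTER = "203.0.113.10", "203.0.113.1"
STATIC_NAT = {"82.200.68.164": "192.168.100.9"}
SMTP_ONLY = [parse_ace(l) for l in ("permit tcp any host 82.200.68.164 eq 25", "deny ip any any")]
VPN_AWARE = [parse_ace(l) for l in (
    f"permit udp host {PEER} host {ROUTER} eq 500",              # IKE to the router itself
    f"permit esp host {PEER} host {ROUTER}",                     # the tunnel's ESP packets
    "permit tcp host 172.19.49.110 host 10.15.40.112 eq 80",     # crypto-ACL flow, seen after decryption
)] + SMTP_ONLY
ESP_PKT = ("esp", PEER, ROUTER, None)
INNER = ("tcp", "172.19.49.110", "10.15.40.112", 80)
```

With ACL 123 as posted, the ESP packets never reach decryption, and since the list shows the input ACL checked again after decryption, the crypto-ACL flows need permits of their own as well.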

