03-16-2009 07:27 AM - edited 03-06-2019 04:36 AM
I have a VPN connection set up on one interface of my router-firewall, and I have an input access list like the following for my IPsec VPN connection:
access-list 111 permit tcp host 172.19.49.110 host 172.27.80.100 eq 3700
access-list 111 permit tcp host 172.19.49.110 host 10.15.40.112 eq www
access-list 111 permit tcp host 172.19.49.110 host 10.15.40.112 eq 443
access-list 111 permit ip host 172.19.49.110 host 10.15.40.144
I am going to include NAT like:
ip nat inside source static tcp 192.168.100.9 25 82.200.68.164
on the same interface, and I am going to include on the same interface an input access list with port 22 and address 87.89.23.12, from where I could access the inside server.
So I have VPN on my interface and NAT through which I can reach the server located inside by using ssh.
I have read an article about NAT order, and still I could not design my input access list after IPsec. Do I have to include the IPsec list? How, because it is located before the NAT outside to inside (global to local translation)?
03-16-2009 08:06 AM
Hi
If I am reading your request correctly, you are trying to access an address (82.200.68.164), through an IPSec VPN.
So for outside access in, your access-list will need to permit the source address (87.89.23.12 I believe) to the inside global 82.200.68.164 on tcp port 22 on your crypto ACL.
So whichever ACL you are using within your crypto-map statement, add
permit tcp host 87.89.23.12 host 82.200.68.164 eq 22
Here is the NAT Order of operation when using IPSec
If IPSec then check input access list
decryption - for CET (Cisco Encryption Technology) or IPSec
check input access list
check input rate limits
input accounting
policy routing
routing
redirect to web cache
NAT inside to outside (local to global translation)
crypto (check map and mark for encryption)
check output access list
inspect (Context-based Access Control (CBAC))
TCP intercept
encryption
Queueing
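As an added illustration (not code from the thread or from Cisco), here is a small Python model of the inbound order quoted above: the outside interface's input ACL is evaluated on the packet as it arrives, an ESP packet is decrypted, the input ACL is evaluated again on the cleartext, and only then is the inside global address translated to the inside local one. The ACL lines and the static NAT entries are constructed for the example; 198.51.100.1 (the router's outside address) and 203.0.113.5 (a VPN peer) are placeholder addresses, the other addresses are the ones posted in the thread. The parser covers only the `access-list N permit|deny proto src dst [eq port]` form used here, with contiguous wildcard masks.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Port keywords as IOS prints them; 500/udp is ISAKMP (IKE).
PORT_NAMES = {"www": 80, "smtp": 25, "isakmp": 500, "ssh": 22}

@dataclass
class Packet:
    proto: str                    # "tcp", "udp", "esp", ...
    src: str
    dst: str
    dport: int = 0
    inner: Packet | None = None   # cleartext packet carried inside an ESP packet (constructed)

@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int | None

def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' (contiguous wildcards only)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    mask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)   # wildcard -> netmask
    return ipaddress.ip_network(f"{tokens[i]}/{mask}", strict=False), i + 2

def parse_acl(text: str) -> list[Ace]:
    """Parse numbered extended ACL lines of the form used in the thread."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split("!")[0].split()          # '!' starts an IOS comment
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces

def acl_decision(aces: list[Ace], pkt: Packet) -> str:
    """First match top-down; no match is the implicit deny at the end of every IOS ACL."""
    for a in aces:
        if a.proto != "ip" and a.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in a.src or ipaddress.ip_address(pkt.dst) not in a.dst:
            continue
        if a.dport is not None and a.dport != pkt.dport:
            continue
        return a.action
    return "deny"

def inbound_pipeline(aces: list[Ace], static_nat: dict, pkt: Packet) -> list[str]:
    """Outside->inside walk in the order quoted above: input ACL on the packet as received,
    decryption for ESP, input ACL again on the cleartext, then NAT global->local."""
    trace = []
    if acl_decision(aces, pkt) == "deny":
        return ["dropped by input ACL before decryption"]
    trace.append("input ACL permit (as received)")
    if pkt.proto == "esp":
        pkt = pkt.inner                          # the decrypted packet is checked again
        if acl_decision(aces, pkt) == "deny":
            return trace + ["dropped by input ACL after decryption"]
        trace.append("input ACL permit (after decryption)")
    # NAT is looked up only now, so the ACL above matched on the inside GLOBAL address.
    local = static_nat.get((pkt.dst, pkt.dport)) or static_nat.get((pkt.dst, None))
    trace.append(f"NAT {pkt.dst} -> {local}" if local else "no NAT entry, routed as-is")
    return trace

# Constructed ACL in the thread's style: IKE/ESP from the peer, the decrypted tunnel flows,
# ssh from the one allowed client, smtp from anyone, then a catch-all deny.
OUTSIDE_ACL = parse_acl("""
access-list 123 permit udp host 203.0.113.5 host 198.51.100.1 eq isakmp
access-list 123 permit esp host 203.0.113.5 host 198.51.100.1
access-list 123 permit tcp host 172.19.49.110 host 10.15.40.112 eq www
access-list 123 permit ip host 172.19.49.110 host 10.15.40.144
access-list 123 permit tcp host 87.89.23.12 host 82.200.68.164 eq 22
access-list 123 permit tcp any host 82.200.68.164 eq 25
access-list 123 deny ip any any
""")

# Static NAT from the thread: the inside server behind its public address (port-level entries).
STATIC_NAT = {("82.200.68.164", 22): "192.168.100.9", ("82.200.68.164", 25): "192.168.100.9"}

def run_examples(aces: list[Ace] = OUTSIDE_ACL) -> dict[str, list[str]]:
    peer, me = "203.0.113.5", "198.51.100.1"
    tunnel_ok = Packet("esp", peer, me, inner=Packet("tcp", "172.19.49.110", "10.15.40.144", 445))
    tunnel_bad = Packet("esp", peer, me, inner=Packet("tcp", "172.19.49.110", "10.15.40.112", 8080))
    return {
        "ssh_allowed_client": inbound_pipeline(aces, STATIC_NAT, Packet("tcp", "87.89.23.12", "82.200.68.164", 22)),
        "ssh_other_client": inbound_pipeline(aces, STATIC_NAT, Packet("tcp", "203.0.113.99", "82.200.68.164", 22)),
        "smtp_anyone": inbound_pipeline(aces, STATIC_NAT, Packet("tcp", "203.0.113.99", "82.200.68.164", 25)),
        "tunnel_permitted_flow": inbound_pipeline(aces, STATIC_NAT, tunnel_ok),
        "tunnel_unlisted_flow": inbound_pipeline(aces, STATIC_NAT, tunnel_bad),
    }

if __name__ == "__main__":
    for name, trace in run_examples().items():
        print(f"{name}: " + " -> ".join(trace))
```

Two things the walk makes visible: the ssh restriction is written against the public address 82.200.68.164, because the input ACL runs before the global-to-local translation; and once that ACL ends in `deny ip any any`, it also has to carry the IKE/ESP permits and the decrypted tunnel flows (the crypto ACL's private addresses), since the cleartext is checked against the same list. Replacing OUTSIDE_ACL with a list that has only the `deny ip any any` line makes the tunnel packets drop before decryption.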
03-17-2009 01:24 AM
Not exactly. I have 3 VPN connections with 3 clients (site-to-site). That is working. Now for the new client who wants to access the server located on the inside network (private addresses) I have to include a NAT statement:
ip nat inside source static 192.168.100.9 82.200.68.164
Ok, now I want to limit access to a particular network (I do not want everyone to use ssh to access my server 192.168.100.9):
let's say: 87.89.23.12 255.255.255.0.
I do not have any access input list from the outside, and the question is whether I have to include or not in my access list the following command :
access-list xxx deny ip any any.
I do not know whether that might have an impact on my VPN communication, because it comes after IPsec with the input access list (that access list is not the same as the above list, which I am going to instantiate on the output interface, set up like:
router(config-if)#ip access-group xxx in)
My IPsec access lists are included in
crypto map CRYPTO 30 ipsec-isakmp
...
match address yyy
03-17-2009 01:47 AM
I have attempted another way: instead of putting a simple static NAT command for the case of smtp (port 25) and including an input access list, I have tried (this time for port 25 - SMTP):
ip nat inside source static tcp 192.168.100.9 25 82.200.68.165 25 extendable
That works fine when I send mail from the outside, and locally, but when I try to send mail to the outside world I am not able to send it. The reason might be as stated on the Cisco site:
"Once that is working, they might also want to define static mappings for a particular host using each provider's address space. The software does not allow two static translations with the same local address, though, because it is ambiguous from the inside. The router will accept these static translations and resolve the ambiguity by creating full translations (all addresses and ports) if the static translations are marked as "extendable". For a new outside-to-inside flow, the appropriate static entry will act as a template for a full translation. For a new inside-to-outside flow, the dynamic route-map rules will be used to create a full translation "
The problem is that I have a problem sending SMTP out from inside-to-outside; consequently I do not know which dynamic route-map rules it is referring to.
03-17-2009 02:46 AM
Hi
What do you mean by
"try to send mail to outside world I am not capable to send it"
Are you getting an SMTP error or something else?
Most Service providers will bounce connections from Mail servers without a valid reverse lookup via a PTR record.
03-17-2009 02:24 PM
I have included:
ip nat inside source static 192.168.100.9 82.200.68.164
I could send and receive mail from yahoo.com etc.
Then I tried to limit access to the server, and I have included port 25 for smtp:
ip nat inside source static tcp 192.168.100.9 25 82.200.68.164 25
As a result I could receive mail from yahoo.com, but I could not send mail to, let's say, my yahoo mail account.
I wish to stress that I do not have commands in my router running config file such as:
ip nat inside source route-map rmnameit pool nameit
Is that the problem?
Wed 2009-03-11 19:08:42: Session 1877; child 2
Wed 2009-03-11 19:06:15: [1877:2] Parsing Message <>>
Wed 2009-03-11 19:06:15: [1877:2] From: al.c@futurt.rs
Wed 2009-03-11 19:06:15: [1877:2] To: alex.c@yahoo.com
Wed 2009-03-11 19:06:15: [1877:2] Subject: test ako je uspeh
Wed 2009-03-11 19:06:15: [1877:2] Message-ID: <009901c9a273$f7bf06c0$a300a8c0@fplus.local>
Wed 2009-03-11 19:06:15: [1877:2] MX-record resolution of [yahoo.com] in progress (DNS Server: 192.168.0.2)...
Wed 2009-03-11 19:06:15: [1877:2] * P=001 D=yahoo.com TTL=(108) MX=[g.mx.mail.yahoo.com] {209.191.118.103}
Wed 2009-03-11 19:06:15: [1877:2] * P=001 D=yahoo.com TTL=(108) MX=[f.mx.mail.yahoo.com] {209.191.88.247}
Wed 2009-03-11 19:06:15: [1877:2] * P=001 D=yahoo.com TTL=(108) MX=[e.mx.mail.yahoo.com] {216.39.53.1}
Wed 2009-03-11 19:06:15: [1877:2] * P=001 D=yahoo.com TTL=(108) MX=[d.mx.mail.yahoo.com] {66.196.82.7}
Wed 2009-03-11 19:06:15: [1877:2] * P=001 D=yahoo.com TTL=(108) MX=[c.mx.mail.yahoo.com]
Wed 2009-03-11 19:06:15: [1877:2] * P=001 D=yahoo.com TTL=(108) MX=[b.mx.mail.yahoo.com] {66.196.97.250}
Wed 2009-03-11 19:06:15: [1877:2] * P=001 D=yahoo.com TTL=(108) MX=[a.mx.mail.yahoo.com] {67.195.168.31}
Wed 2009-03-11 19:06:15: [1877:2] Attempting MX: P=001 D=yahoo.com TTL=(108) MX=[a.mx.mail.yahoo.com] {67.195.168.31}
Wed 2009-03-11 19:06:15: [1877:2] Attempting SMTP connection to [67.195.168.31 : 25]
Wed 2009-03-11 19:06:15: [1877:2] Waiting for socket connection...
Wed 2009-03-11 19:06:36: [1877:2] Winsock Error 10060 The connection timed out.
Wed 2009-03-11 19:06:36: [1877:2] Attempting MX: P=001 D=yahoo.com TTL=(108) MX=[b.mx.mail.yahoo.com] {66.196.97.250}
Wed 2009-03-11 19:06:36: [1877:2] Attempting SMTP connection to [66.196.97.250 : 25]
Wed 2009-03-11 19:06:36: [1877:2] Waiting for socket connection...
Wed 2009-03-11 19:06:57: [1877:2] Winsock Error 10060 The connection timed out.
Wed 2009-03-11 19:06:57: [1877:2] Attempting MX: P=001 D=yahoo.com TTL=(108) MX=[c.mx.mail.yahoo.com]
03-17-2009 02:26 PM
Wed 2009-03-11 19:06:57: [1877:2] Attempting SMTP connection to [c.mx.mail.yahoo.com : 25]
Wed 2009-03-11 19:06:57: [1877:2] A-record resolution of [c.mx.mail.yahoo.com] in progress (DNS Server: 192.168.0.2)...
Wed 2009-03-11 19:06:57: [1877:2] D=c.mx.mail.yahoo.com TTL=(17) A=[216.39.53.2]
Wed 2009-03-11 19:06:57: [1877:2] Attempting SMTP connection to [216.39.53.2 : 25]
Wed 2009-03-11 19:06:57: [1877:2] Waiting for socket connection...
Wed 2009-03-11 19:07:18: [1877:2] Winsock Error 10060 The connection timed out.
Wed 2009-03-11 19:07:18: [1877:2] Attempting MX: P=001 D=yahoo.com TTL=(108) MX=[d.mx.mail.yahoo.com] {66.196.82.7}
Wed 2009-03-11 19:07:18: [1877:2] Attempting SMTP connection to [66.196.82.7 : 25]
Wed 2009-03-11 19:07:18: [1877:2] Waiting for socket connection...
Wed 2009-03-11 19:07:39: [1877:2] Winsock Error 10060 The connection timed out.
Wed 2009-03-11 19:07:39: [1877:2] Attempting MX: P=001 D=yahoo.com TTL=(108) MX=[e.mx.mail.yahoo.com] {216.39.53.1}
...
Waiting for socket connection...
Wed 2009-03-11 19:08:42: [1877:2] Winsock Error 10060 The connection timed out.
Wed 2009-03-11 19:08:42: [1877:2] This message is 2 minutes old; it has 118 minutes left in this queue
Wed 2009-03-11 19:08:42: [1877:2] SMTP session terminated (Bytes in/out: 0/0)
Wed 2009-03-11 19:08:42: ----------
Well, I could not figure out what the reason was; the mail server rejected my connection.
I have tested with several accounts, and it failed like the yahoo one.
Then I decided to take the first approach:
ip nat inside source static 192.168.100.9 82.200.68.164
with an ACL designed on that output interface to leave only the smtp port open:
access-list 123 permit tcp any host 82.200.68.164 eq 25
access-list 123 deny ip any any
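The behaviour described in this post, and in the Cisco text quoted earlier in the thread, can be shown with a small model of the NAT table. This is an added example written for this thread, not Cisco code: it models three configurations (a port-level static only, a full static, and a port-level static plus a dynamic PAT rule) and runs the same two flows through each, an inbound SMTP connection from one of the yahoo MX hosts seen in the log and an outbound SMTP connection from the inside server. 198.51.100.1 is a placeholder for the router's outside address; the other addresses come from the thread. Port allocation and timers are simplified.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class NatRule:
    kind: str                 # "static" | "static_port" | "dynamic_pat"
    local: str                # inside local address, or a network for dynamic_pat
    global_: str              # inside global address
    proto: str | None = None  # static_port only
    lport: int | None = None  # static_port only
    gport: int | None = None  # static_port only

class NatTable:
    """Minimal model of IOS 'ip nat inside' lookups, written for this example."""

    def __init__(self, rules: list[NatRule]):
        self.rules = rules
        self.sessions: dict[Flow, Flow] = {}   # expected reply (outside view) -> original inside flow
        self._next_pat_port = 1024

    def _static_for_inside(self, f: Flow) -> NatRule | None:
        for r in self.rules:
            if r.kind == "static" and r.local == f.src:
                return r
            # A port-level static only matches traffic FROM that exact local port.
            if r.kind == "static_port" and r.local == f.src and r.proto == f.proto and r.lport == f.sport:
                return r
        return None

    def inside_to_outside(self, f: Flow) -> Flow | None:
        """Flow as seen on the outside, or None when no rule matches (packet leaves untranslated)."""
        r = self._static_for_inside(f)
        if r is not None:
            out = Flow(f.proto, r.global_, r.gport if r.kind == "static_port" else f.sport, f.dst, f.dport)
        else:
            dyn = next((d for d in self.rules if d.kind == "dynamic_pat"
                        and ipaddress.ip_address(f.src) in ipaddress.ip_network(d.local)), None)
            if dyn is None:
                return None          # leaves with a private source; the reply can never come back
            out = Flow(f.proto, dyn.global_, self._next_pat_port, f.dst, f.dport)
            self._next_pat_port += 1
        self.sessions[Flow(f.proto, f.dst, f.dport, out.src, out.sport)] = f
        return out

    def outside_to_inside(self, f: Flow) -> Flow | None:
        """Session table first, then the static entries act as templates for new inbound flows."""
        if f in self.sessions:
            o = self.sessions[f]
            return Flow(f.proto, f.src, f.sport, o.src, o.sport)
        for r in self.rules:
            if r.kind == "static" and r.global_ == f.dst:
                return Flow(f.proto, f.src, f.sport, r.local, f.dport)
            if r.kind == "static_port" and r.global_ == f.dst and r.proto == f.proto and r.gport == f.dport:
                return Flow(f.proto, f.src, f.sport, r.local, r.lport)
        return None

# The three configurations discussed in the thread (rule lists constructed for the example).
PORT_STATIC_ONLY = [NatRule("static_port", "192.168.100.9", "82.200.68.164", "tcp", 25, 25)]
FULL_STATIC = [NatRule("static", "192.168.100.9", "82.200.68.164")]
PORT_STATIC_PLUS_PAT = PORT_STATIC_ONLY + [NatRule("dynamic_pat", "192.168.100.0/24", "198.51.100.1")]

MX_HOST = "67.195.168.31"   # a.mx.mail.yahoo.com from the posted log

def scenario(rules: list[NatRule]) -> dict[str, Flow | None]:
    nat = NatTable(rules)
    inbound = nat.outside_to_inside(Flow("tcp", MX_HOST, 51000, "82.200.68.164", 25))
    outbound = nat.inside_to_outside(Flow("tcp", "192.168.100.9", 40000, MX_HOST, 25))
    reply = None
    if outbound is not None:
        reply = nat.outside_to_inside(Flow("tcp", MX_HOST, 25, outbound.src, outbound.sport))
    return {"inbound_smtp": inbound, "outbound_smtp": outbound, "outbound_reply": reply}

if __name__ == "__main__":
    for name, rules in [("port static only", PORT_STATIC_ONLY), ("full static", FULL_STATIC),
                        ("port static + PAT", PORT_STATIC_PLUS_PAT)]:
        print(name, scenario(rules))
```

With the port-level static alone, inbound mail still reaches 192.168.100.9:25, but the server's own outbound connection (source port 40000, destination port 25) matches neither the static entry nor any dynamic rule and leaves untranslated, which is consistent with the connection timeouts in the log. The full static translates both directions, and the port-level static works for outbound traffic only once a dynamic rule covers the server's other ports; restricting what the outside may reach is then the job of the interface ACL, as in the `access-list 123` lines above.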
03-17-2009 02:32 AM
I am still not 100% on what you need, so I will make more assumptions.
The "new" client is not connecting to the public address 82.200.68.164 via an IPSec tunnel.
If this is the case, and you want to restrict access to this server, then you have a few options.
1. Amend the ACL attached inbound to the outside interface to restrict access to the host address 82.200.68.164 on TCP port 22.
If you want everyone to have access to this server except certain customers, then add explicit denies to the top of your ACL, then below the last deny add a permit any to the host on TCP port 22. As ACLs are processed top down, this will be more efficient.
( Your post says 'let say: 87.89.23.12 255.255.255.0.', I am not sure if you mean the host 87.89.23.12 or network 87.89.23.0/24 so I have included both in the example below )
access-list xxx deny tcp host 87.89.23.12 host 82.200.68.164 eq 22
access-list xxx deny tcp 87.89.23.0 0.0.0.255 host 82.200.68.164 eq 22
access-list xxx permit tcp any host 82.200.68.164 eq 22
If you want no access to this address except for certain customers, then remove any generic access to this host address that may be in the ACL and add individual permits to the host on the TCP port, leaving the explicit deny at the end to catch all other connections.
access-list xxx permit tcp 87.89.23.0 0.0.0.255 host 82.200.68.164 eq 22
access-list xxx permit tcp any host 82.200.68.164 eq 22
2. If you can move the NAT to an ASA/PIX, you can control the static NAT with an ACL
static (inside,outside) 82.200.68.164 access-list host-nat
access-list host-nat extended permit tcp host 192.168.100.9
3. Leave access open on TCP port 22 on your router to the host address 82.200.68.164 and control the access from the server itself. If your server is a *NIX based OS, normally you can control access from there via the hosts.allow file, for instance on FreeBSD. As you have locked down TCP access
03-17-2009 02:42 PM
"The "new" client is not connecting to the public address 82.200.68.164 via an IPSec tunnel"
No, it is not. The VPN connections (3 of them) are only on the same interface. They do not have anything to do with NAT, but I have a concern that the access list from the crypto map has to be included in my ACL which limits access to my mail server behind my router-firewall.
In fact, can I completely ignore the ACLs (consisting of only private addresses) from the crypto map when I write the ACL on the output interface to limit access to the server behind the router-firewall (Cisco 2801)?