Help on NAT - Security

Answered Question
Jun 13th, 2009

Hi,

Internet browsing for LAN users is via Microsoft ISA Server.

This server is NATted with a public IP on the router.

Router IP : 192.168.1.100

ISA Server : 192.168.1.101

LAN Users : 172.20.16.0/24

I want all traffic from the router to the inside network to reach only the ISA Server.

I want to block SSH/Telnet from outside.

I want to block relaying of mails on this IP.

Can someone review the configuration and advise if it looks ok in terms of security and fulfils my requirement?

********Configuration ******************
ip subnet-zero
ip domain lookup source-interface FastEthernet0/0
ip name-server 4.4.4.4
!
interface FastEthernet0/0
 description Connected to ISP
 ip address 10.10.10.66 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Connection to LAN-Switch
 ip address 192.168.1.100 255.255.255.0
 ip accounting output-packets
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.65
ip route 172.20.16.0 255.255.255.0 192.168.1.1
no ip http server
no ip http secure-server
!
ip nat pool Internet_Range 10.10.10.68 10.10.10.70 netmask 255.255.255.224
ip nat inside source list 50 pool Internet_Range
!
access-list 50 permit 192.168.1.101
access-list 50 deny any
****************************************

Correct Answer
Giuseppe Larosa Sat, 06/13/2009 - 05:21

Hello Ronald,

the configuration looks correct.

Notes:

LAN users are not allowed to access the internet, but this is wanted I suppose.

With your NAT config it should be the ISA server that tries to connect to the outside world: new attempts to connect to it from the outside world may not be allowed.

To fix this you may look at a simpler configuration that uses ip nat inside source static 192.168.1.101 public-address

To filter SSH/Telnet from outside:

If you mean to the router, you need

line vty 0 4
 access-class 25 in
access-list 25 permit 192.168.1.0 0.0.0.255

If you mean SSH/Telnet access to the server, you may need a port-specific static NAT; otherwise you are opening the whole IP with NAT statements (with the one I've suggested).

The command is similar but specifies the protocol and the ports too, for the local socket and the global socket.

See port static NAT here:

http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_nat.html#wp1011696

Hope to help

Giuseppe
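A concrete version of the two controls Giuseppe describes (an access-class on the vty lines and a port-specific static NAT for the ISA server), written as an added example for this thread rather than taken from either post. The published port TCP 443 and the public address 10.10.10.67 are assumptions chosen to fit the 10.10.10.64/27 range in the question; use whatever the ISA server actually publishes.

```cisco
! Added example, not from the thread. Assumptions: the ISA server publishes
! TCP 443 only, and 10.10.10.67 is a free public address outside the dynamic
! NAT pool 10.10.10.68-70 and distinct from the router's own 10.10.10.66.
!
! Management plane: the router accepts SSH only from the LAN segment.
! "transport input ssh" removes Telnet from the vty lines entirely; the
! logged deny shows any outside attempt in the router's log.
access-list 25 remark Management access to the router itself
access-list 25 permit 192.168.1.0 0.0.0.255
access-list 25 deny   any log
!
line vty 0 4
 access-class 25 in
 transport input ssh
!
! Outbound: only the ISA server is translated (as in the question), so the
! 172.20.16.0/24 users cannot reach the internet except through the proxy.
access-list 50 permit 192.168.1.101
access-list 50 deny   any
ip nat pool Internet_Range 10.10.10.68 10.10.10.70 netmask 255.255.255.224
ip nat inside source list 50 pool Internet_Range
!
! Inbound: publish exactly one TCP port of the ISA server on one public
! address. A full static NAT (ip nat inside source static 192.168.1.101 x.x.x.x)
! would expose every port of the server; the port-specific form creates a
! translation only for 10.10.10.67:443, so SSH, Telnet and SMTP on the server
! have no inbound translation and are never forwarded to the inside network.
ip nat inside source static tcp 192.168.1.101 443 10.10.10.67 443
```

Verify with "show ip nat translations" (the static entry is listed permanently) and "show access-lists 25" (the deny counter and log entries reveal outside attempts at the vty lines).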

Paolo Bevilacqua Sat, 06/13/2009 - 05:26

Seems fine.

You do not need ip virtual-reassembly on any interface.

You mean ip route 172.20.16.0 255.255.255.0 192.168.1.101

Use access-class under the vty config to prevent access from outside.

The router doesn't know anything about mail relay; configure your server for that.
