NAT IP -2

Answered Question
Jul 3rd, 2009

Hi,

Can someone review the configuration and help me understand why anyone from the Internet can connect to the ISA Server and use it for spam?


My requirement is that anyone from the LAN should send Internet requests to the ISA Server, and the ISA Server should forward the requests to the Internet using NAT.


How do I ensure the router blocks any traffic initiated from the Internet?


********Configuration ******************

****************************************

ip subnet-zero


ip domain lookup source-interface FastEthernet0/0

ip name-server 4.4.4.4



interface FastEthernet0/0

description Connected to ISP

ip address 10.10.10.66 255.255.255.224

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

description Connection to LAN-Switch

ip address 192.168.1.100 255.255.255.0

ip accounting output-packets

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

ip classless

ip route 0.0.0.0 0.0.0.0 10.10.10.65

ip route 172.20.16.0 255.255.255.0 192.168.1.1

no ip http server

no ip http secure-server

ip nat inside source static 192.168.1.101 10.10.10.68



ISA Server : 192.168.1.101

Public IP : 10.10.10.68

ronald.ramzy Sat, 07/04/2009 - 03:28

Hi,


If you look at the configuration, I am only NATting from inside (ISA Server) to the public IP, so nobody should be allowed except ISA.


From outside to inside, I am not clear.


Can you help to understand what is missing.


Thanks

Ahh OK - I did not think that was all the config.


That is not entirely true - all you have done is specify that the inside IP must be translated to the specific IP. All other hosts will not be translated, and leave the interface with their original IP address.


Currently your router is acting as a router not a firewall. If you do not want anyone from the outside to be able to connect to your ISA server - then you need to write an ACL.


Also for the inside hosts - if you only want to allow the ISA server to go out to the Internet - you need to write an ACL.


HTH>

ronald.ramzy Sun, 07/05/2009 - 08:14

Thanks for replying.


I tried this but it didn't work, can you advise?


int fa 0/0

ip access-group OUTIN in


int fa 0/1

ip access-group OUT out


ip access-list extended OUTIN

deny ip any any



ip access-list extended OUT

permit ip host 192.168.1.101 any

deny ip any any


Correct Answer

You are not apply the correct acl to the fa0/0 interface.


You are applying the fa0/1 acl in the wrong direction.


I would do something like:-


access-list 101 deny tcp any any log

access-list 101 deny udp any any log

access-list 101 deny icmp any any log

int fa 0/0

ip access-group 101 in


And for the inside hosts:-


access-list 1 permit host 192.168.1.101

access-list 1 deny any log

int fa 0/1

ip access-group 1 in


HTH>
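An added worked example, not part of the thread and not written by either poster, that carries the accepted answer one step further. Blocking every inbound tcp/udp/icmp packet on FastEthernet0/0 also drops the replies to connections the ISA server itself opened, because the static NAT makes 10.10.10.68 reachable in both directions and the router has no stateful inspection configured. The ACL below permits only TCP return traffic (ACK or RST set) and DNS replies, and drops everything else initiated from the Internet, including SMTP to the ISA server. It is evaluated before NAT un-translates the destination, so it matches the public address 10.10.10.68, not 192.168.1.101. The ACL names OUTIN and LANOUT are assumptions for this example; all addresses come from the configuration posted above.

```cisco
! Added example (not from the original thread): stateless return-traffic filter on the ISP-facing interface.
ip access-list extended OUTIN
 remark Replies to TCP sessions the ISA server opened (public address after NAT is 10.10.10.68)
 permit tcp any host 10.10.10.68 established
 remark DNS replies to the ISA server's own lookups
 permit udp any eq domain host 10.10.10.68
 remark DNS replies to the router's lookups, sourced from Fa0/0 (ip name-server 4.4.4.4)
 permit udp host 4.4.4.4 eq domain host 10.10.10.66
 remark ICMP errors needed for path-MTU discovery and traceroute
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark Everything initiated from the Internet, including SMTP to the ISA server, is dropped and logged
 deny ip any any log
!
interface FastEthernet0/0
 ip access-group OUTIN in
!
! Only the ISA server may leave the LAN; the inbound ACL on Fa0/1 sees the inside (pre-NAT) address.
ip access-list extended LANOUT
 permit ip host 192.168.1.101 any
 deny ip any any log
!
interface FastEthernet0/1
 ip access-group LANOUT in
```

After applying it, test from an outside host that a connection to 10.10.10.68 port 25 is refused, then check with `show access-lists OUTIN` that the `deny ip any any log` counter increments and that `show ip nat translations` still shows the ISA server's outbound sessions. Note that `established` only checks TCP flags, so it is not a true stateful firewall; a spoofed packet with ACK set will pass the filter. If the router's IOS image supports it, `ip inspect` (CBAC) or a zone-based firewall gives real connection tracking and should be preferred over this stateless approximation.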
