NAT IP -2

ronald.ramzy (Level 1)

Hi,

Can someone review the configuration and help me understand why anyone from the Internet can connect to the ISA Server and use it for SPAM.

My requirement is that anyone from the LAN should send Internet requests to the ISA Server, and the ISA Server should forward the requests to the INTERNET using NAT.

How do I ensure the router blocks any traffic initiated from the Internet?

********Configuration ******************
****************************************
ip subnet-zero
ip domain lookup source-interface FastEthernet0/0
ip name-server 4.4.4.4
interface FastEthernet0/0
 description Connected to ISP
 ip address 10.10.10.66 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Connection to LAN-Switch
 ip address 192.168.1.100 255.255.255.0
 ip accounting output-packets
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.65
ip route 172.20.16.0 255.255.255.0 192.168.1.1
no ip http server
no ip http secure-server
ip nat inside source static 192.168.1.101 10.10.10.68

ISA Server : 192.168.1.101
Public IP : 10.10.10.68

1 Accepted Solution

Accepted Solutions

You are not applying the correct ACL to the fa0/0 interface.

You are applying the fa0/1 ACL in the wrong direction.

I would do something like:-

access-list 101 deny tcp any any log
access-list 101 deny udp any any log
access-list 101 deny icmp any any log
int fa 0/0
 ip access-group 101 in

And for the inside hosts:-

access-list 1 permit host 192.168.1.101
access-list 1 deny any log
int fa 0/1
 ip access-group 1 in

HTH>
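The deny-all entries in ACL 101 above are stateless, so applied inbound on fa0/0 they also drop the replies to connections the ISA Server itself opens. The following is an added illustration, not code from this thread or from Cisco: a small model of IOS extended-ACL matching run against ACL 101 as posted and against an assumed variant that adds a `permit tcp any host 10.10.10.68 established` entry in front of it. The public IP is the one from the thread; the remote addresses are constructed.

```python
# Added example (not from the thread): minimal model of Cisco IOS
# extended-ACL matching, applied to ACL 101 from the accepted answer.
from ipaddress import ip_address, ip_network

ISA_PUBLIC = "10.10.10.68"  # static NAT address from the thread
ANY = "0.0.0.0/0"

def match(ace, pkt):
    """True if the access-list entry matches the packet."""
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if ip_address(pkt["src"]) not in ip_network(ace["src"]):
        return False
    if ip_address(pkt["dst"]) not in ip_network(ace["dst"]):
        return False
    # 'established' matches only TCP segments carrying the ACK bit
    # (IOS also accepts RST; modelled here as ACK only), i.e. replies
    # to a session the inside host opened.
    if ace.get("established") and not (pkt["proto"] == "tcp" and pkt["ack"]):
        return False
    return True

def evaluate(acl, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if match(ace, pkt):
            return ace["action"]
    return "deny"

# ACL 101 exactly as posted: deny tcp/udp/icmp any any, inbound on fa0/0.
ACL_101 = [{"action": "deny", "proto": p, "src": ANY, "dst": ANY}
           for p in ("tcp", "udp", "icmp")]

# Assumed variant: admit replies to ISA-initiated TCP sessions, then deny.
# Still stateless, so UDP replies (e.g. DNS) need their own entries or a
# stateful inspection feature.
ACL_101_ESTABLISHED = [{"action": "permit", "proto": "tcp", "src": ANY,
                        "dst": ISA_PUBLIC + "/32", "established": True}] + ACL_101

# Constructed packets arriving on fa0/0. The inbound ACL is checked before
# outside-to-inside NAT, so the destination is still the public address.
UNSOLICITED_SYN = {"proto": "tcp", "src": "198.51.100.7", "dst": ISA_PUBLIC, "ack": False}
REPLY_SYN_ACK = {"proto": "tcp", "src": "203.0.113.10", "dst": ISA_PUBLIC, "ack": True}

def verdicts(acl):
    """(verdict for an unsolicited inbound SYN, verdict for a reply to ISA)."""
    return (evaluate(acl, UNSOLICITED_SYN), evaluate(acl, REPLY_SYN_ACK))

if __name__ == "__main__":
    print("ACL 101 as posted:", verdicts(ACL_101))              # ('deny', 'deny')
    print("with established:", verdicts(ACL_101_ESTABLISHED))  # ('deny', 'permit')
```

The posted ACL blocks the unsolicited connection, which is the goal, but also the ISA Server's own return traffic; the `established` entry keeps the first result while restoring the second.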


5 Replies

andrew.prince (Level 10)

You are not blocking anyone from the outside to the inside.

You are not blocking anyone on the inside from accessing the internet, except for the ISA server.

Just implementing NAT is not a complete security solution.

HTH>

Hi,

If you look at the configuration, I am only NATting from the inside (ISA Server) to the public IP, so nobody should be allowed except the ISA.

From outside to inside, I am not clear.

Can you help me understand what is missing?

Thanks

Ahh OK - I did not think that was all the config.

That is not entirely true - all you have done is specify that the inside IP must be translated to the specific IP. All other hosts will not be translated, and will leave the interface with their original IP address.

Currently your router is acting as a router, not a firewall. If you do not want anyone from the outside to be able to connect to your ISA server - then you need to write an ACL.

Also for the inside hosts - if you only want to allow the ISA server to go out to the Internet - you need to write an ACL.

HTH>

Thanks for replying.

I tried this but it didn't work; can you advise?

int fa 0/0
 ip access-group OUTIN in
int fa 0/1
 ip access-group OUT out
ip access-list extended OUTIN
 deny ip any any
ip access-list extended OUT
 permit ip 192.168.1.101
 deny ip any any

