07-03-2009 11:24 PM - edited 03-04-2019 05:19 AM
Hi,
Can someone review the configuration and help me understand why anyone from the Internet can connect to the ISA Server and use it for SPAM?
My requirement is that anyone from the LAN should send Internet requests to the ISA Server, and the ISA Server should forward the requests to the Internet using NAT.
How do I ensure the router blocks any traffic initiated from the Internet?
Configuration:
ip subnet-zero
ip domain lookup source-interface FastEthernet0/0
ip name-server 4.4.4.4
interface FastEthernet0/0
description Connected to ISP
ip address 10.10.10.66 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description Connection to LAN-Switch
ip address 192.168.1.100 255.255.255.0
ip accounting output-packets
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.65
ip route 172.20.16.0 255.255.255.0 192.168.1.1
no ip http server
no ip http secure-server
ip nat inside source static 192.168.1.101 10.10.10.68
ISA Server : 192.168.1.101
Public IP : 10.10.10.68
07-04-2009 12:05 AM
You are not blocking anyone from the outside to the inside.
You are not blocking anyone on the inside from accessing the internet, except for the ISA server.
Just implementing NAT is not a complete security solution.
HTH>
07-04-2009 03:28 AM
Hi,
If you see the configuration, I am only NATing from inside (ISA Server) to the public IP, so nobody should be allowed except ISA.
From outside to inside, I am not clear.
Can you help me understand what is missing?
Thanks
07-05-2009 04:46 AM
Ahh OK - I did not think that was all the config.
That is not entirely true - all you have done is specified that the inside IP must be translated to the specific IP. All other hosts will not be translated, and leave the interface with their original IP address.
Currently your router is acting as a router, not a firewall. If you do not want anyone from the outside to be able to connect to your ISA server - then you need to write an ACL.
Also for the inside hosts - if you only want to allow the ISA server to go out to the internet - you need to write an ACL.
HTH>
07-05-2009 08:14 AM
Thanks for replying.
I tried this but it didn't work, can you advise.
int fa 0/0
ip access-group OUTIN in
int fa 0/1
ip access-group OUT out
ip access-list extended OUTIN
deny ip any any
ip access-list extended OUT
permit ip host 192.168.1.101 any
deny ip any any
07-05-2009 09:10 AM
You are not applying the correct ACL to the fa0/0 interface.
You are applying the fa0/1 ACL in the wrong direction.
I would do something like:-
access-list 101 deny tcp any any log
access-list 101 deny udp any any log
access-list 101 deny icmp any any log
int fa 0/0
ip access-group 101 in
And for the inside hosts:-
access-list 1 permit host 192.168.1.101
access-list 1 deny any log
int fa 0/1
ip access-group 1 in
HTH>
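The following is an added worked configuration for the two requirements in this thread (block everything initiated from the Internet; let only the ISA server out). It is not from any post above and is not the accepted answer's config. It reuses the thread's addresses (ISA 192.168.1.101, public 10.10.10.68, router outside 10.10.10.66, name-server 4.4.4.4); the ACL names FROM-INTERNET and FROM-LAN are made up here. The one thing it adds to the answer above is return-traffic handling: an inbound ACL on fa0/0 that denies all TCP/UDP/ICMP also drops the replies to sessions the ISA server opened, so the proxy stops working. Note that an inbound ACL on the outside interface is evaluated before NAT, so the ISA server must be matched there by its public address.

```ios
! Added example, not from the thread. Assumes the addressing shown in the
! original post; ACL names FROM-INTERNET and FROM-LAN are hypothetical.
!
! Outside interface, inbound: checked BEFORE NAT, so the ISA server is
! seen here as 10.10.10.68, not 192.168.1.101.
ip access-list extended FROM-INTERNET
 remark replies to TCP sessions the ISA server opened (ACK/RST set)
 permit tcp any host 10.10.10.68 established
 remark DNS replies for lookups the ISA server itself makes (stateless:
 remark this trusts the source port, see note below)
 permit udp any eq domain host 10.10.10.68
 remark DNS replies to the router's own lookups (ip name-server 4.4.4.4)
 permit udp host 4.4.4.4 eq domain host 10.10.10.66
 remark ping replies and path-MTU / traceroute messages for the ISA server
 permit icmp any host 10.10.10.68 echo-reply
 permit icmp any host 10.10.10.68 unreachable
 permit icmp any host 10.10.10.68 time-exceeded
 remark anything initiated from the Internet is dropped and logged
 deny ip any any log
!
! Inside interface, inbound: only the ISA server may start traffic
! toward the router or the Internet.
ip access-list extended FROM-LAN
 permit ip host 192.168.1.101 any
 deny ip any any log
!
interface FastEthernet0/0
 description Connected to ISP
 ip access-group FROM-INTERNET in
!
interface FastEthernet0/1
 description Connection to LAN-Switch
 ip access-group FROM-LAN in
```

To verify, watch the hit counters with `show access-lists` while a LAN host other than the ISA server tries to reach the Internet (the FROM-LAN deny counter should increment) and while the ISA server browses (the `established` line should increment and `show ip nat translations` should show only 10.10.10.68). The `established` keyword only covers TCP; the UDP line that permits replies from source port 53 is what a plain ACL can do and is spoofable, so for real stateful inspection use `ip inspect` (CBAC) or the zone-based firewall instead of extending this list.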