Cisco Support Community

IP NAT INSIDE RULES and ACL

Hello,

Thank you for taking the time to read this.

I am trying to achieve the following scenario. I would like the IP NAT rules below to be usable externally only from a handful of hosts, and then implicitly deny all other inbound traffic.

The IP NAT rules are for port forwarding to an internal server. These rules all work fine and I can access them from any host, but as said I would like to lock this down to only a couple of hosts on the internet and then deny the rest.

++++ INTERFACES ++++

interface GigabitEthernet0/0
description +++ CIRCUIT ID +++
ip address 79.x.x.x 255.255.255.252
ip nat outside
duplex auto
speed auto

interface GigabitEthernet0/1
description +++ LAN +++
ip address 192.168.1.254 255.255.255.0 secondary
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto

++++ IP NAT RULES ++++

ip nat inside source static tcp 192.168.1.15 8819 79.x.x.x 8819 extendable
ip nat inside source static udp 192.168.1.15 8819 79.x.x.x 8819 extendable
ip nat inside source static tcp 192.168.1.15 8845 79.x.x.x 8845 extendable
ip nat inside source static udp 192.168.1.15 8845 79.x.x.x 8845 extendable
ip nat inside source static tcp 192.168.1.15 8989 79.x.x.x 8989 extendable
ip nat inside source static udp 192.168.1.15 8989 79.x.x.x 8989 extendable

++++ ACCESS LIST ++++

access-list 101 remark Allowed IP NAT HOSTS
access-list 101 permit tcp host 195.x.x.x any log
access-list 101 permit udp host 195.x.x.x any log
access-list 101 permit tcp host 79.x.x.x any log
access-list 101 permit udp host 79.x.x.x any log
access-list 101 deny ip any host 255.255.255.255 log

Can anyone provide some advice on how I can achieve this?

Thank you all very much for taking the time to assist me with this.

- Ashley

ACCEPTED SOLUTION

Re: IP NAT INSIDE RULES and ACL

Hi Ashley,

An ACL will do the trick.

Router(config)# object-group network obj-allowhosts
Router(config-network-group)# host 209.165.200.237
Router(config-network-group)# host 209.165.200.238
Router(config-network-group)# range 209.165.200.239 209.165.200.240
Router(config-network-group)# 209.165.200.224 255.255.255.224

Router(config)# object-group service obj-allowports
Router(config-service-group)# tcp eq 8819
Router(config-service-group)# udp eq 8819
Router(config-service-group)# tcp eq 8845
Router(config-service-group)# udp eq 8845
Router(config-service-group)# tcp eq 8989
Router(config-service-group)# udp eq 8989

Router(config)# ip access-list extended acl-allowinside
Router(config-ext-nacl)# permit object-group obj-allowports object-group obj-allowhosts host 79.x.x.x
Router(config-ext-nacl)# deny object-group obj-allowports any host 79.x.x.x
Router(config-ext-nacl)# permit ip any any

If you have CBAC set up on your router you can also change the very last entry "permit ip any any" to "deny ip any any".

If you do not have CBAC then you require "permit ip any any" at the end of the ACL.

Lastly, do not forget to apply the ACL on the interface.

interface GigabitEthernet0/0
  ip access-group acl-allowinside in

Hope that helps.

thanks

2 REPLIES

Re: IP NAT INSIDE RULES and ACL

Hi,

I'm rusty regarding the NAT/ACL configurations on routers/L3 switches.

It seems in the configuration that you haven't attached the access-list to the interface yet. I think you still need to add some statements/ACEs to the ACL you have there. As we're dealing with a router, you will have to take into consideration the return traffic to your connections from the LAN.

The above ACL would to my understanding block all return traffic for normal web browsing etc.

I think the ACE that you needed to add to the top of the ACL was "access-list 101 permit tcp any any established" so it permits return traffic for already established TCP connections.

Also if the ACL is meant to be an access-list attached to the outside interface for traffic entering the interface I think you could specify the service ports in the permit statements instead of permitting the whole port range.

All this would be much easier though if you handled the firewall/NAT with an actual firewall appliance.

I will leave the more specific answer and suggestions to someone who has more experience with routers, as I have probably missed something.

- Jouni
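As an added example that is not part of this thread (it is neither the accepted answer's configuration nor Jouni's), the Python below models the accepted answer's ACL as an ordered first-match list and runs it over constructed inbound flows: once with the answer's `permit ip any any` tail, once with the `deny ip any any` tail it suggests for a router running CBAC, and once with the `permit tcp any any established` line from Jouni's reply in front of the implicit deny. Assumptions that are not on the page: 192.0.2.1 stands in for the obscured 79.x.x.x outside address, every flow and source address below is constructed, and IOS is reduced to top-down first-match evaluation with an implicit deny, applied inbound on the NAT outside interface before translation, so the destination the ACL sees is the public address.

```python
"""Added example, not from the thread: first-match model of the accepted
answer's ACL, evaluated against constructed inbound flows on Gi0/0.

Assumptions (not on the original page): 192.0.2.1 replaces 79.x.x.x, the
flows are made up, and IOS semantics are reduced to ordered ACEs, first
match wins, implicit deny at the end, ACL checked inbound before NAT.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple

OUTSIDE_ADDR = ip_address("192.0.2.1")  # stands in for 79.x.x.x (assumption)

# object-group network obj-allowhosts, as listed in the accepted answer
ALLOW_HOSTS = [
    ip_network("209.165.200.237/32"),
    ip_network("209.165.200.238/32"),
    ip_network("209.165.200.239/32"),  # range 209.165.200.239 209.165.200.240
    ip_network("209.165.200.240/32"),
    ip_network("209.165.200.224/27"),  # 209.165.200.224 255.255.255.224
]

# object-group service obj-allowports: the ports the static NAT entries forward
ALLOW_PORTS = {(p, port) for p in ("tcp", "udp") for port in (8819, 8845, 8989)}


@dataclass(frozen=True)
class Flow:
    proto: str         # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    ack: bool = False  # TCP ACK (or RST) bit set: what "established" matches on


# An ACE is (action, predicate); predicates mirror the answer's ACL lines.
Ace = Tuple[str, Callable[[Flow], bool]]


def in_allow_hosts(f: Flow) -> bool:
    return any(ip_address(f.src) in net for net in ALLOW_HOSTS)


def to_forwarded_port(f: Flow) -> bool:
    return (f.proto, f.dport) in ALLOW_PORTS and ip_address(f.dst) == OUTSIDE_ADDR


def established(f: Flow) -> bool:
    # Stateless: the keyword only inspects TCP flag bits, it tracks no sessions.
    return f.proto == "tcp" and f.ack


def evaluate(acl: List[Ace], f: Flow) -> str:
    """First matching ACE wins; IOS ends every ACL with an implicit deny."""
    for action, match in acl:
        if match(f):
            return action
    return "deny"


# permit object-group obj-allowports object-group obj-allowhosts host 79.x.x.x
# deny   object-group obj-allowports any host 79.x.x.x
COMMON: List[Ace] = [
    ("permit", lambda f: to_forwarded_port(f) and in_allow_hosts(f)),
    ("deny", to_forwarded_port),
]

ACL_PERMIT_TAIL = COMMON + [("permit", lambda f: True)]  # permit ip any any (no CBAC)
ACL_DENY_TAIL = COMMON + [("deny", lambda f: True)]      # deny ip any any (CBAC present)
ACL_ESTABLISHED = COMMON + [("permit", established)]     # permit tcp any any established

# Constructed sample flows arriving inbound on the outside interface
FLOWS: Dict[str, Flow] = {
    "allowed host to 8819":  Flow("tcp", "209.165.200.237", str(OUTSIDE_ADDR), 8819),
    "stranger to 8819":      Flow("tcp", "198.51.100.7", str(OUTSIDE_ADDR), 8819),
    "stranger udp to 8845":  Flow("udp", "198.51.100.7", str(OUTSIDE_ADDR), 8845),
    "web reply to LAN user": Flow("tcp", "203.0.113.80", str(OUTSIDE_ADDR), 51515, ack=True),
    "stranger SYN to ssh":   Flow("tcp", "198.51.100.7", str(OUTSIDE_ADDR), 22),
}


def decisions(acl: List[Ace]) -> Dict[str, str]:
    return {name: evaluate(acl, f) for name, f in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("permit ip any any", ACL_PERMIT_TAIL),
                       ("deny ip any any", ACL_DENY_TAIL),
                       ("established + implicit deny", ACL_ESTABLISHED)):
        print(f"--- final ACE: {label}")
        for name, verdict in decisions(acl).items():
            print(f"{verdict:6} {name}")
```

Running it makes the trade-off in both replies concrete. All three variants permit the allowed host and deny strangers on the forwarded ports. The `permit ip any any` tail keeps return traffic for LAN browsing flowing but also passes a stranger's SYN to port 22 through the ACL (whether anything answers depends on what listens on the router). The `deny ip any any` tail closes that but also drops the web reply, which is why the answer ties it to CBAC. The `established` variant permits the reply and drops the SYN, but it only looks at the ACK/RST bits of each packet, so it is a stateless approximation of a session table, not connection tracking.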
