Community Member

Static NAT, inbound traffic permitted by default?

Hi, I have a simple question here regarding static NAT. Suppose that the web server is 192.168.1.2 and the public IP is 200.200.200.202:

static (inside,outside) 200.200.200.202 192.168.1.2 netmask 255.255.255.255

and there is no access-list to permit inbound TCP port 80, but there is a single access-list permit ip any any in the config.

Can an outside user reach the web server? Because I saw my customer's config, and it works without applying e.g. access-list inbound permit tcp any host 200.200.200.202 eq 80.

Thanks

6 REPLIES

Re: Static NAT, inbound traffic permitted by default?

It should work, as it permits everything (any IP) from the internet to the internal network - not limited to a specified IP via the permitted port.

This is not recommended from a security point of view; if possible, you should only permit access to a known/specific internal server mapped to a specific public IP, not any IP.

Best practice (recommended) is to specify a specific destination address and TCP/UDP port, or for common servers/services, i.e. a web server, you can permit any IP but only to the specific server via the specific TCP/UDP port.

HTH

AK

Community Member

Re: Static NAT, inbound traffic permitted by default?

OK thanks, please confirm whether the following config is secure:

access-list inbound permit tcp any host eq 80

access-list inbound deny ip any any

access-list inbound permit ip any any

Another question is, is there any impact if we apply permit ip any any? Because if we don't apply it, all the traffic stops. In my opinion, permit ip any any is important if we have applied the ACL inbound permit tcp any host eq 80;

if permit ip any any is working alone without permit tcp 80, then it opens all the inbound connections. Correct me if I'm wrong.

Thanks

Community Member

Re: Static NAT, inbound traffic permitted by default?

Oops, missing IP there:

access-list inbound permit tcp any host 200.200.200.202 eq 80

Re: Static NAT, inbound traffic permitted by default?

access-list inbound permit tcp any host 200.200.200.202 eq 80

access-list inbound deny ip any any

access-list inbound permit ip any any ---> remove this, not required as it conflicts with the 2nd ACL (access-list inbound deny ip any any)

The ACL is only permitting any outside IPs to access 200.200.200.202 via www/80.

But this will deny ALL other IPs and services. That looks not good unless you really want outsiders to only access 200.200.200.202 for web services.

If you have other services and need to allow any IPs from outside/internet, please identify the servers and map them to public IPs. Allow inbound access similar to the 200.200.200.202 rule. Can you specify any?

HTH

AK

Community Member

Re: Static NAT, inbound traffic permitted by default?

For the 3rd ACL, if we don't specify access-list inbound permit ip any any, can other traffic that we permitted pass through? Public IP 200.200.200.202 is for the web server only, no other services allowed. Actually, there are 12 web servers here and 1 mail server. Now I'm confused about permit ip any any; if we don't apply it, the traffic that I've permitted will stop.

Thanks

Re: Static NAT, inbound traffic permitted by default?

No, because the second ACL already denied everything. Any permit statement will be completely ignored.

access-list inbound permit tcp any host 200.200.200.202 eq 80

access-list inbound deny ip any any

access-list inbound permit ip any any

Same if your permit any comes before deny any: it will permit ALL and will ignore the deny statement.

HTH. Please rate all useful post(s).

AK
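The behaviour AK describes follows from how PIX/ASA interface ACLs are evaluated: the static translation only maps 200.200.200.202 to 192.168.1.2; whether an outside host may actually reach it is decided by the ACL applied inbound on the outside interface, which is processed top down until the first matching entry, with an implicit deny at the end. The simulation below is an added example and is not code from the thread or from Cisco: it parses the three ACL lines exactly as posted, evaluates constructed sample packets against them, and flags entries that can never be reached. The sample source address 203.0.113.7 and the SSH packet are constructed for illustration.

```python
"""First-match simulation of a Cisco ASA/PIX interface ACL.

Added example, not code from the original thread. The ACL lines are the
ones posted in the thread; the sample packets are constructed here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: str               # "any" or CIDR / "addr/mask"
    dst: str
    dport: Optional[int]   # None means "any port"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _net(spec: str):
    """ASA address syntax -> ip_network ("any" is 0.0.0.0/0)."""
    return ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' where each
    address is 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (the forms used in the thread)."""
    toks = line.split()
    if toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    action, proto, i = toks[2], toks[3], 4

    def addr(i):
        if toks[i] == "any":
            return "any", i + 1
        if toks[i] == "host":
            return toks[i + 1] + "/32", i + 2
        return f"{toks[i]}/{toks[i + 1]}", i + 2   # network + dotted mask

    src, i = addr(i)
    dst, i = addr(i)
    dport = int(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
    return Ace(action, proto, src, dst, dport)


def matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ip_address(pkt.src) in _net(ace.src)
            and ip_address(pkt.dst) in _net(ace.dst)
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate(acl, pkt: Packet):
    """Return (action, index of the matching ACE). Evaluation stops at the first
    match; a packet matching nothing hits the implicit deny (index None)."""
    for idx, ace in enumerate(acl):
        if matches(ace, pkt):
            return ace.action, idx
    return "deny", None


def covers(a: Ace, b: Ace) -> bool:
    """True if every packet matching b also matches a (a shadows b if listed first)."""
    return (a.proto in ("ip", b.proto)
            and _net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and (a.dport is None or a.dport == b.dport))


def shadowed_entries(acl):
    """Indices of ACEs that can never match because an earlier ACE covers them."""
    return [i for i, ace in enumerate(acl) if any(covers(acl[j], ace) for j in range(i))]


# The three lines posted in the thread, in the order they were posted.
THREAD_ACL = [parse_ace(l) for l in (
    "access-list inbound permit tcp any host 200.200.200.202 eq 80",
    "access-list inbound deny ip any any",
    "access-list inbound permit ip any any",
)]
# What the thread converges on: the single permit line, implicit deny for the rest.
MINIMAL_ACL = THREAD_ACL[:1]
# The other ordering AK warns about: permit any first.
PERMIT_FIRST_ACL = [THREAD_ACL[2], THREAD_ACL[0], THREAD_ACL[1]]

# Constructed sample packets (not from the thread).
WEB = Packet("tcp", "203.0.113.7", "200.200.200.202", 80)
SSH = Packet("tcp", "203.0.113.7", "200.200.200.202", 22)

if __name__ == "__main__":
    for name, acl in (("thread", THREAD_ACL), ("minimal", MINIMAL_ACL),
                      ("permit-first", PERMIT_FIRST_ACL)):
        print(f"{name:12} web={evaluate(acl, WEB)} ssh={evaluate(acl, SSH)} "
              f"shadowed={shadowed_entries(acl)}")
```

Running it shows the three cases discussed in the thread side by side: with the posted order, port 80 to 200.200.200.202 hits entry 0, SSH hits the deny at entry 1, and entry 2 is reported as shadowed (it is never consulted); with `permit ip any any` first, everything matches entry 0 and both later entries are shadowed; with only the single permit line, SSH falls through to the implicit deny, which is why the trailing `permit ip any any` is not needed to keep permitted traffic flowing.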
