06-25-2014 06:37 AM - edited 03-11-2019 09:22 PM
Hi Friends,
In this scenario, the traffic from INSIDE to OUTSIDE is working, but from OUTSIDE to INSIDE isn't working. For example, I created the NAT for 3389, for external access to RDP, but no success.
Here is my config, thanks:
!
class-map type inspect match-any TRAFFIC
description TRAFFIC_MATCH
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any OUT-TO-IN
match access-group name OUT-TO-IN
!
!
policy-map type inspect OUT-TO-IN
class type inspect OUT-TO-IN
inspect
class class-default
drop
policy-map type inspect TRAFFIC_CLASS
class type inspect TRAFFIC
inspect
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security TRAF source INSIDE destination OUTSIDE
service-policy type inspect TRAFFIC_CLASS
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUT-TO-IN
!
!
!
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.248
ip nat outside
ip nat enable
ip virtual-reassembly
zone-member security OUTSIDE
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.92.251 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
zone-member security INSIDE
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.1
no ip http server
no ip http secure-server
!
!
ip nat inside source list inside_nat0_outbound interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.92.89 50 1.1.1.2 50 extendable
ip nat inside source static tcp 192.168.92.89 3389 1.1.1.2 3389 extendable
!
ip access-list extended OUT-TO-IN
permit tcp any host 192.168.92.11 eq 3389
permit tcp any host 192.168.92.89 eq 3389
permit tcp any host 1.1.1.2 eq 3389
permit tcp any host 192.168.92.89 eq 50
permit tcp any host 1.1.1.2 eq 50
ip access-list extended inside_nat0_outbound
deny ip 192.168.92.0 0.0.0.255 10.0.70.0 0.0.0.255
deny ip 192.168.93.0 0.0.0.255 10.0.70.0 0.0.0.255
deny ip 10.1.10.0 0.0.0.255 10.0.70.0 0.0.0.255
deny ip 10.2.1.0 0.0.0.255 10.0.20.0 0.0.0.255
deny ip 10.10.10.0 0.0.0.255 192.168.92.0 0.0.0.255
deny ip 192.168.92.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 192.168.92.0 0.0.0.255 any
permit ip 172.31.0.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any
!
disable-eadi
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end
06-25-2014 07:51 AM
The access-list is checked prior to un-NATting the address. Try with the outside address of your servers in "ip access-list extended OUT-TO-IN".
06-25-2014 09:25 AM
But the IP is there, look:
ip access-list extended OUT-TO-IN
permit tcp any host 192.168.92.11 eq 3389
permit tcp any host 192.168.92.89 eq 3389
permit tcp any host 1.1.1.2 eq 3389
permit tcp any host 192.168.92.89 eq 50
permit tcp any host 1.1.1.2 eq 50
06-25-2014 09:25 AM
I mean the 1.1.1.x public IP address that appears on your outside interface and associated zone.
06-25-2014 10:08 AM
Sorry, I typed it wrong.
The ACL is the following, but it is still not working:
ip access-list extended OUT-TO-IN
permit tcp any host 192.168.92.11 eq 3389
permit tcp any host 192.168.92.89 eq 3389
permit tcp any host 1.1.1.2 eq 3389
permit tcp any host 192.168.92.89 eq 50
permit tcp any host 1.1.1.2 eq 50
06-26-2014 04:34 AM
Friends, I removed the command ip nat enable and it works!!!
interface FastEthernet0/0
ip nat enable
!
interface FastEthernet0/1.1
ip nat enable
But I have another question. I created the DMZ zone and everything works, but the DMZ network can ping the IP 192.168.92.251 (the router's interface on the inside network). According to the config, the DMZ shouldn't be able to ping this address. Is that correct?
zone security DMZ
interface FastEthernet0/1.2
encapsulation dot1Q 2
ip address 192.168.0.33 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security DMZ
class-map type inspect match-any DMZ-TO-ALL
match access-group name dmz_out
policy-map type inspect DMZ-TO-ALL
class type inspect DMZ-TO-ALL
inspect
class class-default
drop
zone-pair security DMZ-TO-ALL source DMZ destination OUTSIDE
service-policy type inspect DMZ-TO-ALL
ip access-list extended lab_out
deny ip 192.168.0.0 0.0.0.255 192.168.92.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
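As an added example (not the poster's configuration and not a Cisco tool), here is a small Python checker that reads a ZBF configuration the way this thread does and reports two things a defender would want flagged: class-maps or policy-maps that reference a name that does not exist, and zones that have no zone-pair with the router's own "self" zone, which is why traffic from the DMZ to 192.168.92.251 is not covered by the DMZ-TO-ALL zone-pair and is permitted by default. The sample config is constructed from the DMZ snippet above, including its `dmz_out` versus `lab_out` name mismatch.

```python
import re

# Constructed sample, modelled on the DMZ snippet posted in this thread.
SAMPLE_CONFIG = """
zone security DMZ
zone security OUTSIDE
class-map type inspect match-any DMZ-TO-ALL
 match access-group name dmz_out
policy-map type inspect DMZ-TO-ALL
 class type inspect DMZ-TO-ALL
  inspect
zone-pair security DMZ-TO-ALL source DMZ destination OUTSIDE
 service-policy type inspect DMZ-TO-ALL
ip access-list extended lab_out
 deny ip 192.168.0.0 0.0.0.255 192.168.92.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
"""

def check_zbf(config):
    # Returns findings: dangling ACL/class-map references and zones lacking a self zone-pair.
    acls, zones, cmaps, pmaps, pairs = set(), set(), {}, {}, []
    ctx = None  # block currently open: ("cmap" | "pmap" | "pair", name)
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"ip access-list extended (\S+)", line):
            acls.add(m[1]); ctx = None
        elif m := re.match(r"zone security (\S+)", line):
            zones.add(m[1]); ctx = None
        elif m := re.match(r"class-map type inspect \S+ (\S+)", line):
            ctx = ("cmap", m[1]); cmaps[m[1]] = set()
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            ctx = ("pmap", m[1]); pmaps[m[1]] = set()
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            ctx = ("pair", m[1]); pairs.append((m[2], m[3]))
        elif ctx and ctx[0] == "cmap" and (m := re.match(r"match access-group name (\S+)", line)):
            cmaps[ctx[1]].add(m[1])
        elif ctx and ctx[0] == "pmap" and (m := re.match(r"class type inspect (\S+)", line)):
            pmaps[ctx[1]].add(m[1])
    findings = []
    for c, refs in cmaps.items():
        findings += [f"class-map {c} references missing ACL {a}" for a in sorted(refs - acls)]
    for p, refs in pmaps.items():
        findings += [f"policy-map {p} references missing class-map {c}" for c in sorted(refs - cmaps.keys())]
    # Traffic addressed to the router's own interfaces belongs to the "self" zone; with no
    # zone-pair to/from self it is permitted by default, so a DMZ host can ping the router.
    for z in sorted(zones):
        if not any({z, "self"} == {s, d} for s, d in pairs):
            findings.append(f"zone {z} has no zone-pair with self: router-destined traffic is not inspected")
    return findings
```

Run `check_zbf(SAMPLE_CONFIG)` to see the three findings; feed it the output of `show running-config` to check a real box.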