04-23-2012 03:09 AM - edited 03-07-2019 06:16 AM
Hello,
As shown in the pic that I attached, I configured NAT on R1. Now I want to deny telnet on R2 for qemu1. How can I do that?
04-23-2012 03:22 AM
I ran these commands:
access-list 1 deny 10.0.0.2 0.0.0.0
access-list 1 permit any
line vty 0 4
access-class 1 in
But telnet remains permitted on R2 because IP 10.0.0.2 doesn't go outside; the request from 10.0.0.2 goes out through 192.168.1.1.
Should I use IP 192.168.1.1 in place of 10.0.0.2 in the access-list command? Then what will happen when R1's interface s0/0/0 does not have a static IP and I configure NAT on R1 with the nat inside source list 10 interface s0/0/0 overload command?
04-23-2012 03:49 AM
If you're using NAT, you'll need to deny the outside address of R1, so your ACL will look like:
access-list 1 deny host 192.168.1.1
access-list 1 permit any
HTH,
John
04-23-2012 03:54 AM
Thanks Blakley.
I agree with you, but if s0/0/0 (R1) has a dynamic IP then what will we do?
04-23-2012 04:03 AM
If the address changes, your ACL won't match up and it's going to allow the traffic like you're seeing. The only other thing that you could do is strictly permit the addresses that you want, or, if you know the block that the site could possibly get, block the whole block and not just your one host.
Let's say that they have a block of 128 addresses. You could do something like:
access-list 1 deny 5.5.5.0 0.0.0.127
access-list 1 permit any
The above would deny addresses 5.5.5.1 - 5.5.5.126. If you know that your router will fall in this range, then you should be ok.
04-23-2012 04:04 AM
Hi,
R1 is source NAT-ing all the packets from the host (10.0.0.2), but the TCP/23 (telnet). This will mean that the telnet packets will get to R2 with the original source IP and you can apply the access-list with deny host IP.
====== R1
int f1/0
ip nat inside
int s0/0
ip nat outside
ip access-l ex PAT
deny tcp host 10.0.0.2 any eq 23
permit ip host 10.0.0.2 any
ip nat inside source list PAT fa1/0 over
======= R2
ip access-l ex VTY
deny host 10.0.0.2
permit any
line vty 0 4
access-class VTY in
Dan
04-23-2012 04:21 AM
Dan,
That's a good way of doing it.
John
04-23-2012 05:03 AM
Hey Dan,
Please share the R1 and R2 configuration. You said in R2 to deny host 10.0.0.2. Which services should I deny there?
04-23-2012 05:10 AM
I've posted the R2 configuration in my previous post:
ip access-l ex VTY
deny host 10.0.0.2
permit any
line vty 0 4
access-class VTY in
04-23-2012 05:15 AM
I ran this configuration on my router, but the deny host 10.0.0.2 command is giving an error.
04-23-2012 05:23 AM
Yes, the issue is that I created an extended access-list:
no ip access-l ex VTY
ip access-l stan VTY
deny host 10.0.0.2
permit any
line vty 0 4
access-class VTY in
Dan
04-23-2012 09:13 PM
In R1's configuration you used the command ip nat inside source list PAT fa1/0 over. I am confused why you used fa1/0 in this command, because this interface is in the local inside area according to the picture.
04-24-2012 12:45 AM
Hi,
You are right, the interface should be the outside interface, in this case s0/0. I wrote the config fast.
Dan
04-24-2012 12:54 AM
It's OK Dan. I have another doubt. I think when we apply the deny tcp host 10.0.0.2 any eq 23 and permit ip host 10.0.0.2 any commands on R1, this router will not forward telnet packets outside through NAT (am I right?). So why do we need R2's configuration (as you showed)?
04-24-2012 01:00 AM
No, not quite.
The deny statement is on the PAT access-list.
The PAT access-list is used to match the traffic that will be source NATed with R1's outside interface.
This means that the traffic from 10.0.0.2 whose destination protocol is telnet will not be source NATed.
This means that this telnet traffic will only be switched from interface F0/1 to S0/0 without any change in the IP header. This is why you can restrict access on the R2 VTYs based on the 10.0.0.2 address.
I hope I cleared some things.
Dan
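To make Dan's explanation concrete, here is an added Python model (not from the thread or any Cisco tool) of the two ACLs: R1's extended PAT list decides whether a packet is translated, and R2's standard VTY list is evaluated against whatever source address actually arrives. R2's address 192.168.1.2 and the sample packets are assumptions; first-match semantics and the implicit deny follow Cisco ACL behaviour.

```python
import ipaddress

# Constructed model of the thread's setup (added example, not the thread's config).
# R1 PATs 10.0.0.2 behind its outside address except telnet; R2 sees the result.
R1_OUTSIDE = "192.168.1.1"   # R1 outside address named in the thread
HOST = "10.0.0.2"
R2_ADDR = "192.168.1.2"      # assumption: the thread never gives R2's address
TELNET = 23

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(network)) & care)

# Extended ACL "PAT" on R1 (Dan's config): (action, proto, src host, dst port)
R1_PAT_ACL = [
    ("deny",   "tcp", HOST, TELNET),   # deny tcp host 10.0.0.2 any eq 23
    ("permit", "ip",  HOST, None),     # permit ip host 10.0.0.2 any
]

def pat_acl_permits(proto, src, dport):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, p, s, port in R1_PAT_ACL:
        if p in ("ip", proto) and s == src and port in (None, dport):
            return action == "permit"
    return False

def r1_forward(proto, src, dst, dport):
    """Packet as it leaves R1: translated only if the PAT ACL permits it."""
    if pat_acl_permits(proto, src, dport):
        return (proto, R1_OUTSIDE, dst, dport)
    return (proto, src, dst, dport)          # routed with original source

# Standard ACL "VTY" on R2, applied with 'access-class VTY in'
R2_VTY_ACL = [
    ("deny",   HOST,      "0.0.0.0"),          # deny host 10.0.0.2
    ("permit", "0.0.0.0", "255.255.255.255"),  # permit any
]

def r2_vty_allows(src):
    for action, net, wc in R2_VTY_ACL:
        if wildcard_match(src, net, wc):
            return action == "permit"
    return False

def telnet_to_r2_allowed(src=HOST):
    """End-to-end check: does a telnet session from src reach R2's VTY?"""
    _, seen_src, _, _ = r1_forward("tcp", src, R2_ADDR, TELNET)
    return r2_vty_allows(seen_src)
```

Note that non-telnet traffic from 10.0.0.2 arrives at R2 as 192.168.1.1 and is permitted, which is exactly why the original deny on 10.0.0.2 never matched before the PAT list was changed.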