Allowing only Postini addresses for static NAT

Hasrat Raja · ‎02-10-2010

Hi,

I have an 1841 router, need to allow Postini address range 64.18.0.0 255.255.240.0 to talk to mail server, I have following static NAT entry.

ip nat inside source static tcp 192.168.0.240 25 207.152.70.253 25 extendable

Thanks

hasrat

Jon Marshall · ‎02-10-2010

hasratraj wrote:
Hi,
I have an 1841 router, need to allow Postini address range 64.18.0.0 255.255.240.0 to talk to mail server, I have following static NAT entry.
ip nat inside source static tcp 192.168.0.240 25 207.152.70.253 25 extendable
Thanks
hasrat

Hasrat

access-list 101 permit tcp 64.18.0.0 0.0.15.255 host 152.70.253.25 eq 25

int gi0/1 <--- interface facing the internet

ip access-group 101 in

However you need to be careful here. If you apply this to the internet facing interface it would only allow that address range to your mail server on port 25. Everything else would be blocked. And because an acl is not stateful that would mean any return traffic is blocked as well ie.

you have a user on your LAN who connects to a webserver on the internet. If you apply the above acl then it would drop the return traffic from the webserver back to the user. You can look to use the "established" keyword (TCP only), reflexive acls or CBAC (IOS stateful firewall) to get around this.

Without knowing how your acls are setup it's not possible to say exactly which one you need.

Jon

Hasrat Raja · ‎02-10-2010

Hi Jon,

Thank you for the reply, mail was working with NAT entry to .113 but Postini wasn't, did a showmyipaddress and it showed .253 address which is outside interface. I added second NAT translation and Postini is also working but due to security concern want to block access, here is the relevant config:

!
interface GigabitEthernet0/0.1
description Inside Interface$ETH-LAN$
encapsulation dot1Q 1 native
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip policy route-map Citrix_1
no cdp enable
!

!
interface ATM0/0/0.1 point-to-point
description Connected to DSL$FW_OUTSIDE$
ip address 207.152.70.253 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
no snmp trap link-status
atm route-bridged ip
pvc 0 0/35
encapsulation aal5snap
!
!

ip nat inside source route-map SDM_RMAP_1 interface ATM0/0/0.1 overload
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.0.210 80 207.152.69.49 80 extendable
ip nat inside source static tcp 172.16.1.5 443 207.152.69.49 443 extendable
ip nat inside source static tcp 192.168.0.210 1494 207.152.69.49 1494 extendable
ip nat inside source static tcp 192.168.0.210 2598 207.152.69.49 2598 extendable
ip nat inside source static tcp 172.16.1.5 3389 207.152.69.49 3389 extendable
ip nat inside source static 192.168.3.230 207.152.70.19
ip nat inside source static tcp 192.168.0.240 25 207.152.70.113 25 extendable ====> initial entry for smtp
ip nat inside source static tcp 192.168.0.240 80 207.152.70.113 80 extendable
ip nat inside source static tcp 192.168.0.240 110 207.152.70.113 110 extendable
ip nat inside source static tcp 192.168.0.240 443 207.152.70.113 443 extendable
ip nat inside source static tcp 192.168.0.240 3389 207.152.70.113 3389 extendable
ip nat inside source static 192.168.0.230 207.152.70.134
ip nat inside source static 192.168.2.230 207.152.70.144
ip nat inside source static 192.168.0.231 207.152.70.157
ip nat inside source static tcp 192.168.0.220 1494 207.152.70.186 1494 extendable
ip nat inside source static 192.168.3.6 207.152.70.190
ip nat inside source static tcp 192.168.0.240 25 207.152.70.253 25 extendable ====> Postini entry for smtp
!

thanks

hasrat