Nat translation Whitelist

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Nat translation Whitelist

    I've got a 2811 router. I've set up VPN to several locations, and I've set up lots of port forwards/NAT translations. I have a route-map containing the NAT translations, and an access-list that ignores the forwards for the VPN tunnel, so that they can access those ports across the VPN. I'm trying to set up one of the translations so that it is accessible from a whitelist of external addresses (and the machines on the VPN), but not from anything else. I have the modified access-list and I could use someone else to check it over to be sure it's doing what I want it to do.

    I've marked the parts that are applicable (I think). At the bottom are the proposed changes.

    !!!!!!!!!!!!!!!!!!!!!! APPLICABLE PART !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
    !!!!!!!!!!!!!!!!!!!!!! END APPLICABLE PART !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!



    ip nat inside source static tcp 10.1.2.3 21 XXX.XXX.XXX.XXX 21 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.5 443 XXX.XXX.XXX.XXX 443 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.10 3389 XXX.XXX.XXX.XXX 1234 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.64 1999 XXX.XXX.XXX.XXX 1999 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.9 2000 XXX.XXX.XXX.XXX 2000 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.96 2001 XXX.XXX.XXX.XXX 2001 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.33 3000 XXX.XXX.XXX.XXX 3000 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.62 3389 XXX.XXX.XXX.XXX 3389 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.64 4158 XXX.XXX.XXX.XXX 4158 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.114 5674 XXX.XXX.XXX.XXX 5674 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.64 6051 XXX.XXX.XXX.XXX 6051 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.64 6054 XXX.XXX.XXX.XXX 6054 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.33 7000 XXX.XXX.XXX.XXX 7000 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.33 7021 XXX.XXX.XXX.XXX 7021 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.33 8000 XXX.XXX.XXX.XXX 8000 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.33 8001 XXX.XXX.XXX.XXX 8001 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.33 8002 XXX.XXX.XXX.XXX 8002 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.33 8003 XXX.XXX.XXX.XXX 8003 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.32 8080 XXX.XXX.XXX.XXX 8080 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.32 8081 XXX.XXX.XXX.XXX 8081 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.32 8082 XXX.XXX.XXX.XXX 8082 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.32 8083 XXX.XXX.XXX.XXX 8083 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.32 8084 XXX.XXX.XXX.XXX 8084 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.32 8085 XXX.XXX.XXX.XXX 8085 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.32 8086 XXX.XXX.XXX.XXX 8086 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.32 8087 XXX.XXX.XXX.XXX 8087 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.32 8088 XXX.XXX.XXX.XXX 8088 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.32 8089 XXX.XXX.XXX.XXX 8089 route-map SDM_RMAP_1 extendable

    !!!!!!!!!!!!!!!!!!!!!! APPLICABLE PART !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    ip nat inside source static tcp 10.1.2.4 1433 XXX.XXX.XXX.XXX 1433 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.4 2009 XXX.XXX.XXX.XXX 2009 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.4 2010 XXX.XXX.XXX.XXX 2010 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 10.1.2.4 3390 XXX.XXX.XXX.XXX 3390 route-map SDM_RMAP_1 extendable
    !!!!!!!!!!!!!!!!!!!!!! END APPLICABLE PART !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


    !
    access-list 10 remark SDM_ACL Category=16
    access-list 10 permit 10.2.2.0 0.0.0.255
    access-list 10 permit 0.0.0.0 255.255.255.0
    access-list 23 permit 76.XXX.XXX.XXX
    access-list 23 permit 64.XXX.XXX.XXX
    access-list 23 permit 10.1.2.0 0.0.0.255
    access-list 23 permit 10.1.5.0 0.0.0.255
    access-list 23 permit 10.1.3.0 0.0.0.255
    access-list 23 permit 10.2.1.0 0.0.0.255

    !!!!!!!!!!!!!!!!!!!!!! APPLICABLE PART !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255
    access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.5.0 0.0.0.255
    access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.4.0 0.0.0.255
    access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.11.0 0.0.0.255
    access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.9.0 0.0.0.255
    access-list 101 permit ip 10.1.2.0 0.0.0.255 any
    !!!!!!!!!!!!!!!!!!!!!! END APPLICABLE PART !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!



    access-list 102 permit ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255
    access-list 103 permit ip 10.1.2.0 0.0.0.255 10.1.5.0 0.0.0.255
    access-list 104 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 105 permit ip 10.1.2.0 0.0.0.255 10.1.4.0 0.0.0.255
    access-list 106 permit ip 10.1.2.0 0.0.0.255 10.1.11.0 0.0.0.255
    access-list 107 permit ip 10.1.2.0 0.0.0.255 10.1.9.0 0.0.0.255
    access-list 150 remark VOIP (sip/iax/iax2) QOS Priority
    access-list 150 permit udp any any eq 4569
    access-list 150 permit udp any any eq 5004
    access-list 150 permit udp any any eq 5036
    access-list 150 permit udp any any eq 5060
    access-list 150 permit tcp any any eq 5060
    access-list 150 permit tcp any any eq 5036
    access-list 150 permit tcp any any eq 5004
    access-list 150 permit tcp any any eq 4569
    access-list 150 permit ip host 10.1.5.5 host 10.1.2.5
    access-list 150 permit ip host 10.1.2.5 host 10.1.5.5
    access-list 150 permit ip any any tos min-delay
    access-list 150 permit udp any any range 16384 32767
    access-list 151 permit esp any any
    !

    !!!!!!!!!!!!!!!!!!!!!! APPLICABLE PART !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    route-map SDM_RMAP_1 permit 1
    match ip address 101
    !!!!!!!!!!!!!!!!!!!!!! END APPLICABLE PART !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


    MY PROPOSED CHANGES
    access-list 101 deny tcp any eq 1433 10.1.2.4 0.0.0.0
    access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255
    access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.5.0 0.0.0.255
    access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.4.0 0.0.0.255
    access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.11.0 0.0.0.255
    access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.9.0 0.0.0.255
    access-list 101 permit tcp 64.209.134.212 255.255.255.255 eq 1433 10.1.2.4 0.0.0.0
    access-list 101 permit tcp 64.50.57.186 255.255.255.255 eq 1433 10.1.2.4 0.0.0.0
    access-list 101 permit tcp 208.73.251.238 255.255.255.255 eq 1433 10.1.2.4 0.0.0.0
    access-list 101 permit ip 10.1.2.0 0.0.0.255 any

    -Dylan
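Added example, not part of the post: a small Python matcher for the numbered-ACL subset used above, assuming IOS first-match semantics with an implicit deny at the end. It parses the posted 1433 whitelist entries and a host-keyword rewrite of the same intent, then evaluates constructed packets against each; it only checks what the entries match, not how IOS applies the route-map to the NAT direction. The 203.0.113.9 source is a constructed non-whitelisted address.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard: a 1 bit means 'don't care' (0.0.0.0 = one host, 255.255.255.255 = any address)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def parse_ace(line):
    """Parse the numbered-ACL subset used in the post: [any | host A | A WILDCARD] [eq PORT], twice."""
    tok = line.split()
    assert tok[0] == "access-list" and tok[2] in ("permit", "deny"), line
    pos = 4
    def addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1; return ("0.0.0.0", "255.255.255.255")
        if tok[pos] == "host":
            pos += 2; return (tok[pos - 1], "0.0.0.0")
        pos += 2; return (tok[pos - 2], tok[pos - 1])
    def port():
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            pos += 2; return int(tok[pos - 1])
        return None
    src, sport = addr(), port()   # "eq" right after the source matches the SOURCE port
    dst, dport = addr(), port()
    return dict(action=tok[2], proto=tok[3], src=src, sport=sport, dst=dst, dport=dport)

def evaluate(acl_lines, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if (ace["proto"] not in ("ip", pkt["proto"])
                or not wildcard_match(pkt["src"], *ace["src"]) or not wildcard_match(pkt["dst"], *ace["dst"])
                or ace["sport"] not in (None, pkt["sport"]) or ace["dport"] not in (None, pkt["dport"])):
            continue
        return ace["action"]
    return "deny"
# Constructed: the whitelist entry as posted, and the same intent in host form (port on the destination, permit before the deny).
POSTED = [
    "access-list 101 deny tcp any eq 1433 10.1.2.4 0.0.0.0",
    "access-list 101 permit tcp 64.209.134.212 255.255.255.255 eq 1433 10.1.2.4 0.0.0.0",
    "access-list 101 permit ip 10.1.2.0 0.0.0.255 any",
]
HOST_FORM = [
    "access-list 101 permit tcp host 64.209.134.212 host 10.1.2.4 eq 1433",
    "access-list 101 deny tcp any host 10.1.2.4 eq 1433",
    "access-list 101 permit ip 10.1.2.0 0.0.0.255 any",
]
WHITELISTED = dict(proto="tcp", src="64.209.134.212", sport=50000, dst="10.1.2.4", dport=1433)
OTHER = dict(proto="tcp", src="203.0.113.9", sport=50000, dst="10.1.2.4", dport=1433)  # constructed
```

Running `evaluate` over both lists shows that in the posted form the 255.255.255.255 wildcard makes the source "any", `eq 1433` before the destination is a source-port match, and the leading deny shadows the permit, so the whitelisted host is never permitted to port 1433.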