nat & acl - one specific host

  • nat & acl - one specific host

    I've got the following config for my outbound NAT.


    ip nat pool RotPool X.Y.Z.A X.Y.Z.B netmask 255.255.255.248 type rotary
    ip nat inside source route-map nonat pool RotPool

    access-list 120 permit ip 192.168.X.0 0.0.0.255 any

    route-map nonat permit 10
    match ip address 120

    Now I wish to add an outbound NAT for just a single computer.

    If I put the following, would it work?

    access-list 120 deny ip 192.168.x.Y 0.0.0.255 any

    access-list 130 permit ip 192.168.x.y 0.0.0.255 any
    access-list 130 deny ip any any

    ip nat inside source list 130 x.y.z.C (interface within the pool that I want to use)
    Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

  • #2
    Re: nat & acl - one specific host

    That should work. Also, you can drop the deny any at the end of ACL 130, as there is always a deny. Sometimes it helps to type it in for clarity.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: nat & acl - one specific host

      By saying there's always a deny, you mean it's implicit?
      I thought as much..

      I also have the following ACL that I created. My intent was to add it to the WAN interface, so I created the ACL, then did
      conf t
      int fa4
      ip access-group 101 in

      which immediately destroyed both my external connection and the NAT for the people in the office
      (thank you reload in 2!!!)
      Where did I go wrong with that?


      access-list 101 remark --- Inbound ACL to block WAN ---
      access-list 101 remark --- Block invalid source IP addresses inbound on WAN ---
      access-list 101 deny ip 10.0.0.0 0.255.255.255 any
      access-list 101 deny ip 172.16.0.0 0.15.255.255 any
      access-list 101 deny ip 192.168.0.0 0.0.255.255 any
      access-list 101 deny ip 169.254.0.0 0.0.255.255 any
      access-list 101 remark --- Block traffic originating from the Internet with a local IP address (spoofing) ---
      access-list 101 deny ip 192.168.10.0 0.0.0.255 any log
      access-list 101 deny ip host 192.168.10.254 any log
      access-list 101 deny ip 192.168.20.0 0.0.0.255 any log
      access-list 101 remark --- Block any attempts to reach the router from the Internet ---
      access-list 101 deny ip any host 192.168.10.254 log
      access-list 101 remark --- Allow all other inbound traffic to LAN subnet ---
      access-list 101 permit ip any 192.168.10.0 0.0.0.255
      access-list 101 permit ip any 192.168.20.0 0.0.0.255
      access-list 101 remark --- Block and log everything else ---
      access-list 101 deny ip any any log

      I also think I found a slight issue with ACL 130 above:

      I should have
      access-list 130 permit ip 192.168.X.232 0.0.0.0 any (the example I had above was an entire subnet)
      Last edited by tehcamel; 27th June 2013, 01:48.


      • #4
        Re: nat & acl - one specific host

        Yes, there is always an implicit deny at the end of any ACL. It helps to type it in for clarity or logging, but other than that it's not needed.


        Yes, be careful with your ACLs in regard to return traffic. If you're not using CBAC or Zone-Based Firewall, then the router is not keeping any state information for return traffic, so you would have to explicitly allow the return traffic (web traffic, etc.).


        access-list 101 remark --- Inbound ACL to block WAN ---
        access-list 101 remark --- Block invalid source IP addresses inbound on WAN ---
        access-list 101 deny ip 10.0.0.0 0.255.255.255 any
        access-list 101 deny ip 172.16.0.0 0.15.255.255 any
        access-list 101 deny ip 192.168.0.0 0.0.255.255 any
        access-list 101 deny ip 169.254.0.0 0.0.255.255 any
        access-list 101 remark --- Block traffic originating from the Internet with a local IP address (spoofing) ---
        access-list 101 deny ip 192.168.10.0 0.0.0.255 any log
        access-list 101 deny ip host 192.168.10.254 any log
        access-list 101 deny ip 192.168.20.0 0.0.0.255 any log
        access-list 101 remark --- Block any attempts to reach the router from the Internet ---
        access-list 101 deny ip any host 192.168.10.254 log
        access-list 101 remark --- Allow all other inbound traffic to LAN subnet ---
        access-list 101 permit ip any 192.168.10.0 0.0.0.255
        access-list 101 permit ip any 192.168.20.0 0.0.0.255
        access-list 101 remark --- Block and log everything else ---
        access-list 101 deny ip any any log
        Some of these entries can be removed, as they overlap with the other statements.

        Example:

        access-list 101 deny ip 192.168.0.0 0.0.255.255 any

        and

        access-list 101 deny ip 192.168.10.0 0.0.0.255 any log


        The first entry covers that range, so there is no need to have the second one there (except that you're logging it).

        Be careful with logging, as it can take up a lot of resources on the router.

        If your router has an IOS that has CBAC or Zone-Based Firewall, then I would use that configuration instead. That way your inbound ACL will be minimal and you won't have to put exceptions in that ACL for any return traffic.
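As an added example (not code from the thread, and not Cisco's), the following Python model of Cisco-style extended ACL matching (first match wins, implicit deny at the end, wildcard masks where a 1 bit means "don't care") checks the three points raised above in one place: the ACL 130 wildcard from post #1 that post #3 narrows to a single host; the host exception placed ahead of the subnet permit in the route-map ACL 120; and, for post #4, why the inbound WAN ACL 101 drops NAT return traffic and which of its entries the 192.168.0.0/16 deny already covers. All addresses are constructed stand-ins: 192.168.1.0/24 for the thread's 192.168.X.0/24, 203.0.113.0/29 for the public NAT pool and 198.51.100.5 for an Internet host. The return-traffic case relies on Cisco's documented NAT order of operations: for outside-to-inside packets the inbound ACL is checked before the global address is translated back to the inside host, so a stateless ACL tests the reply against its public destination, which none of the permit lines in ACL 101 cover.

```python
"""Added example (not the thread's own code): a first-match evaluator for
Cisco-style extended IP ACLs ('ip' entries with any / host / wildcard only)."""
import ipaddress

MASK32 = 0xFFFFFFFF

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'; wildcard 1 bits are don't-care."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, MASK32
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(tok), _ip(tokens.pop(0))

def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST [log]' lines into
    (action, src, src_wc, dst, dst_wc, text) tuples; remark lines are skipped."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto, rest = tokens[2], tokens[3].lower(), tokens[4:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry (IOS takes only permit/deny): {line}")
        src, src_wc = _parse_addr(rest)
        dst, dst_wc = _parse_addr(rest)
        entries.append((action, src, src_wc, dst, dst_wc, line.strip()))
    return entries

def _match(addr, net, wc):
    return (addr & ~wc & MASK32) == (net & ~wc & MASK32)

def evaluate(entries, src_ip, dst_ip):
    """First match wins; anything unmatched hits the implicit deny at the end."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for action, src, src_wc, dst, dst_wc, text in entries:
        if _match(s, src, src_wc) and _match(d, dst, dst_wc):
            return action, text
    return "deny", "<implicit deny>"

def _covers(net_a, wc_a, net_b, wc_b):
    """True when address space A (net, wildcard) is a superset of space B."""
    return (wc_a | wc_b) == wc_a and (net_a & ~wc_a & MASK32) == (net_b & ~wc_a & MASK32)

def shadowed_entries(entries):
    """Texts of entries that can never match because one earlier entry covers them fully."""
    out = []
    for i, (_, s, swc, d, dwc, text) in enumerate(entries):
        if any(_covers(e[1], e[2], s, swc) and _covers(e[3], e[4], d, dwc) for e in entries[:i]):
            out.append(text)
    return out

# Constructed sample ACLs: 192.168.1.0/24 stands in for the thread's 192.168.X.0/24,
# 203.0.113.0/29 for the public NAT pool and 198.51.100.5 for an Internet host.
ACL_130_AS_POSTED = ["access-list 130 permit ip 192.168.1.232 0.0.0.255 any"]
ACL_130_FIXED = ["access-list 130 permit ip 192.168.1.232 0.0.0.0 any"]
ACL_120_WITH_EXCEPTION = [
    "access-list 120 deny ip host 192.168.1.232 any",  # host exception goes first
    "access-list 120 permit ip 192.168.1.0 0.0.0.255 any",
]
ACL_101 = [  # the inbound WAN ACL from post #3, remark lines omitted
    "access-list 101 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 101 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 101 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 101 deny ip 169.254.0.0 0.0.255.255 any",
    "access-list 101 deny ip 192.168.10.0 0.0.0.255 any log",
    "access-list 101 deny ip host 192.168.10.254 any log",
    "access-list 101 deny ip 192.168.20.0 0.0.0.255 any log",
    "access-list 101 deny ip any host 192.168.10.254 log",
    "access-list 101 permit ip any 192.168.10.0 0.0.0.255",
    "access-list 101 permit ip any 192.168.20.0 0.0.0.255",
    "access-list 101 deny ip any any log",
]

def check_thread_points():
    """Evaluate the sample ACLs against the cases discussed in the thread."""
    posted, fixed = parse_acl(ACL_130_AS_POSTED), parse_acl(ACL_130_FIXED)
    acl120, acl101 = parse_acl(ACL_120_WITH_EXCEPTION), parse_acl(ACL_101)
    inet = "198.51.100.5"
    return {
        # wildcard 0.0.0.255 also admits a neighbouring host; 0.0.0.0 (= host) does not
        "acl130_neighbour_as_posted": evaluate(posted, "192.168.1.10", inet)[0],
        "acl130_neighbour_fixed": evaluate(fixed, "192.168.1.10", inet)[0],
        "acl130_host_fixed": evaluate(fixed, "192.168.1.232", inet)[0],
        # route-map ACL 120: the excepted host is denied (skips the pool), the rest permitted
        "acl120_host": evaluate(acl120, "192.168.1.232", inet)[0],
        "acl120_other": evaluate(acl120, "192.168.1.10", inet)[0],
        # the WAN ACL sees a reply before NAT, still addressed to the public pool IP
        "acl101_return_traffic": evaluate(acl101, inet, "203.0.113.10"),
        # entries already covered by the 192.168.0.0/16 deny; their 'log' never fires
        "acl101_shadowed": shadowed_entries(acl101),
    }
```

Calling check_thread_points() returns the outcome for each case; the return-traffic entry comes back as the final "deny ip any any log" line, which is the log message the poster would have seen while the office lost connectivity. Note that shadowed_entries only reports an entry covered by a single earlier entry; an entry covered only by the union of several earlier ones is not flagged, and the model ignores protocol and port qualifiers entirely.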


        • #5
          Re: nat & acl - one specific host

          I will have to sort out CBAC - I think this router does that..
          Thanks