Velocity Reviews - Computer Hardware Reviews

Cisco 2821 ISR - Public & Private NAT access

 
 
Jack
      09-22-2009
Hi there,

I was wondering what the best method of securing the following
situation is:

I have a Cisco 2821 ISR - configured as follows:

Gig 0/0 - LAN wire
Gig 0/1 - WAN subnets (I have 2 routable subnets)
Dot11 - WIFI
BVI1 - ties LAN and WIFI together - has local ip - has NAT
Dialer1 - ADSL (MLPPP ADSL)
ATM0, 1, 3 - 3x ADSL lines

What is happening is that the LAN can ping all outside IP addresses,
everything works fine - which I want.

But the WAN can also ping/communicate with all LAN addresses - which
are NATed - which I don't want.

I tried to set up the Firewall via SDM, it kinda worked but that was a
big mess - ended up having to re-configure from scratch back to
original.

Anyone give an example of how to deny the WAN access to the LAN?

Thanks,
Jack
 
Jack
      09-22-2009
On Sep 22, 3:10 pm, Jack <(E-Mail Removed)> wrote:
> Anyone give an example of how to deny the WAN access to the LAN?


This is weird, it looks like the router is just routing the packets
regardless if they are local or not (so all internal addresses can
route to all external addresses and flipped).

Any ideas why this would happen?
 
bod43
      09-23-2009
On 22 Sep, 22:19, Jack <(E-Mail Removed)> wrote:
> Any ideas why this would happen?


What version and feature set have you?

Please post sh ver and sh run.
You will likely need to sanitise the sh run and you can remove
the Processor board ID from the sh ver if you are paranoid
like me.

sh tech contains a sh run with passwords removed.

sh ver
Cisco IOS Software, C870 Software ...
(C870-ADVIPSERVICESK9-M), ...
Version 12.4(15)T7, RELEASE SOFTWARE (fc3)
....
System image file is "flash:c870-advipservicesk9-mz.124-15.T7.bin"


This is Advanced IP Services version 12.4(15)T7

 
Jack
      09-23-2009
On Sep 22, 3:10 pm, Jack <(E-Mail Removed)> wrote:
> Anyone give an example of how to deny the WAN access to the LAN?


Turns out this fixes it:

I didn't have "ip nat outside" on my other interface.

As long as all interfaces have "ip nat *", the general behind-NAT
addresses can't be accessed - but hosts that have an internal address
(on one NIC) and an external address (on another NIC) can still be
accessed - since they are all routing off the same gateway, be it an
internal or external address.

To fix that up I put in a simple ACL to deny the public traffic to the
local traffic:

ip access-list extended NoWANtoLAN
deny ip <ext1 /29> 0.0.0.7 10.9.8.0 0.0.0.255
deny ip <ext1 /29> 0.0.0.7 10.9.10.0 0.0.0.255
deny ip <ext2 /28> 0.0.0.15 10.9.10.0 0.0.0.255
deny ip <ext2 /28> 0.0.0.15 10.9.8.0 0.0.0.255
permit ip any any

then:
int Gig0/1
ip access-group NoWANtoLAN in

Now my LAN can access the WAN, and WAN can't access the LAN.

Glad I noticed the "ip nat *" on the other interface - that was key.

Jack Baker
NeuStyle Solutions Ltd.
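An added example, not code from the thread or from Cisco, that lets you check the two fixes Jack describes offline before touching the router: an audit that flags any interface carrying an IP address but no "ip nat inside" / "ip nat outside" role, and a first-match evaluator for the NoWANtoLAN extended ACL using IOS wildcard-mask semantics. It is written in Python because IOS itself cannot be exercised on a workstation. The public prefixes 203.0.113.0/29 and 203.0.113.16/28 are constructed stand-ins (RFC 5737 documentation space) for the thread's <ext1 /29> and <ext2 /28> placeholders, and the running-config excerpt is likewise constructed, not the poster's configuration.

```python
"""Offline checker for the NAT-role and ACL fixes discussed in the thread.

Constructed inputs only: the public prefixes stand in for the thread's
<ext1 /29> and <ext2 /28> placeholders and the config excerpt is made up.
"""
import ipaddress

EXT1 = "203.0.113.0"   # constructed stand-in for <ext1 /29>, wildcard 0.0.0.7
EXT2 = "203.0.113.16"  # constructed stand-in for <ext2 /28>, wildcard 0.0.0.15

# The ACL as posted, with the placeholders substituted.
ACL_TEXT = f"""\
ip access-list extended NoWANtoLAN
 deny ip {EXT1} 0.0.0.7 10.9.8.0 0.0.0.255
 deny ip {EXT1} 0.0.0.7 10.9.10.0 0.0.0.255
 deny ip {EXT2} 0.0.0.15 10.9.10.0 0.0.0.255
 deny ip {EXT2} 0.0.0.15 10.9.8.0 0.0.0.255
 permit ip any any
"""

# Constructed running-config excerpt. Gig0/1 mirrors the mistake in the
# thread: it has public addresses but no 'ip nat outside'.
CONFIG_TEXT = """\
interface GigabitEthernet0/0
 no ip address
 bridge-group 1
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.248
 ip address 203.0.113.17 255.255.255.240 secondary
 ip access-group NoWANtoLAN in
!
interface BVI1
 ip address 10.9.8.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip address negotiated
 ip nat outside
!
"""


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(base)) & care)


def _take_addr(tokens):
    """Consume one ACL address spec: 'any', 'host A.B.C.D', or 'base wildcard'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str):
    """Return [(action, protocol, (src, src_wc), (dst, dst_wc)), ...] in order."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("permit", "deny"):
            continue  # header line, comment, or blank
        src, rest = _take_addr(parts[2:])
        dst, _ = _take_addr(rest)
        entries.append((parts[0], parts[1], src, dst))
    return entries


def evaluate(entries, src: str, dst: str, proto: str = "ip") -> str:
    """First-match evaluation, ending in the implicit deny every IOS ACL has."""
    for action, p, (sb, sw), (db, dw) in entries:
        if p != "ip" and p != proto:
            continue
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def interfaces_missing_nat_role(config: str) -> list:
    """Interfaces with an IP address but neither 'ip nat inside' nor 'ip nat outside'."""
    roles = {}  # interface name -> [has_ip_address, has_nat_role]
    current = None
    for line in config.splitlines():
        stripped = line.strip()
        if line.startswith("interface "):
            current = line.split(maxsplit=1)[1]
            roles[current] = [False, False]
        elif current and stripped.startswith("ip address "):
            roles[current][0] = True
        elif current and stripped.startswith("ip nat "):
            roles[current][1] = True
    return [name for name, (has_ip, has_nat) in roles.items() if has_ip and not has_nat]


if __name__ == "__main__":
    print("interfaces without a NAT role:", interfaces_missing_nat_role(CONFIG_TEXT))
    acl = parse_acl(ACL_TEXT)
    for src, dst in [("203.0.113.2", "10.9.8.50"),     # public host -> LAN: deny
                     ("203.0.113.20", "10.9.10.7"),    # second public subnet -> LAN: deny
                     ("203.0.113.2", "198.51.100.9"),  # public host -> Internet: permit
                     ("203.0.113.2", "203.0.113.1"),   # reply to a NATed LAN session: permit
                     ("192.0.2.9", "10.9.8.50")]:      # source outside both prefixes: permit
        print(f"{src:>14} -> {dst:<14} {evaluate(acl, src, dst)}")
```

The last sample flow is the caveat worth noticing when you audit the posted ACL: its deny lines are scoped to the two public subnets as sources, so a packet from any other source arriving on Gig0/1 with a 10.9.x.x destination falls through to "permit ip any any". Deny lines with "any" as the source would close that, and the evaluator lets you confirm what such a change permits and denies before it goes on the interface.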
 