1801 - PAT + NAT = NAT not working how I thought it should

Discussion in 'Cisco' started by Steven Carr, Oct 20, 2007.

  1. Steven Carr

    Steven Carr Guest

    OK the gist is:

    3 vlans:
    - VLAN1 Management
    - VLAN2 Public IP space (82.71.110.224/28)
    - VLAN3 Private IP space (172.16.0.0/24)

The router obtains its external IP via DHCP from the ISP - the address
it gets is 82.71.110.238 - this is also the same address as the gateway
for VLAN2 (I was informed this is the correct way to configure that
part, and that bit is working). VLAN3 is set as the inside NAT interface
and the outside NAT interface is set as Dialer0.

    The clients in VLAN3 cannot "talk" to VLAN2 and vice versa but the IP
    helper is working and DHCP is being dished out fine from VLAN2 -> VLAN3.

    It's probably something to do with the firewall rules I have in place.
    I've included my config below, can anyone see where I'm going wrong? and
    if there is anything that am seriously missing can you point me in the
    right direction.

    Also what is the significance of the line:
    > permit udp any range 1 1023 82.71.110.224 0.0.0.15 gt 1023

Without this DNS would not work - even though I have a permit statement
for the 2 DNS servers further down in the config.

    Thanks in advance

    Ste

    ----------

    no service pad
    no ip domain-lookup
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname net-gw
    !
    ip name-server 212.23.3.100
    ip name-server 212.23.6.100
    ip domain name dunelm.gpf.me.uk
    !
    ip cef
    ip flow-top-talkers
    top 10
    sort-by bytes
    !
    clock timezone GMT 0
    ntp server 82.71.110.226
    !
    boot-start-marker
    boot-end-marker
    !
    enable password 0 xxxxxxxx
    username admin privilege 15 password 0 xxxxxxxx
    !
    logging 82.71.110.228
    archive
    log config
    logging enable
    logging size 500
    notify syslog
    hidekeys
    !
    interface FastEthernet0
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface BRI0
    no ip address
    encapsulation hdlc
    no ip route-cache
    shutdown
    !
    interface FastEthernet1
    spanning-tree portfast
    description trunk link to loft-sw01 fa0/24 (vlan 2)
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 1
    switchport trunk allowed vlan 1,2,1002-1005
    switchport mode trunk
    duplex auto
    speed auto
    !
    interface FastEthernet2
    spanning-tree portfast
    description trunk link to loft-sw01 fa0/23 (vlan 3)
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 1
    switchport trunk allowed vlan 1,3,1002-1005
    switchport mode trunk
    duplex auto
    speed auto
    !
    interface FastEthernet3
    spanning-tree portfast
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet4
    spanning-tree portfast
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet5
    spanning-tree portfast
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet6
    spanning-tree portfast
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet7
    spanning-tree portfast
    switchport mode access
    switchport access vlan 1
    duplex auto
    speed auto
    !
    interface FastEthernet8
    spanning-tree portfast
    description link to wireless ap
    switchport mode access
    switchport access vlan 3
    duplex auto
    speed auto
    !
    interface ATM0
    no ip address
    no ip route-cache
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    no ip route-cache
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    interface Vlan1
    description Management VLAN
    ip address 192.168.255.1 255.255.255.0
    !
    interface Vlan2
    description Public VLAN
    ip address 82.71.110.238 255.255.255.240
    !
    interface Vlan3
    description Private VLAN
    ip address 172.16.0.1 255.255.255.0
    ip helper-address 82.71.110.226
    ip helper-address 82.71.110.228
    ip nat inside
    !
    interface Dialer0
    description outside world
    ip address negotiated
    ip nat outside
    ip verify unicast reverse-path
    no ip redirects
    no ip unreachables
    no ip directed-broadcast
    no ip proxy-arp
    no ip mask-reply
    ip access-group inbound_firewall in
    ip access-group outbound_firewall out
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap callin
    ppp chap hostname xxxxxxxx
    ppp chap password 0 xxxxxxx
    no cdp enable
    !
    ip route 0.0.0.0 0.0.0.0 Dialer0
    dialer-list 1 protocol ip permit
    access-list 1 permit 172.16.0.0 0.0.0.255
    ip nat inside source list 1 interface Dialer0 overload
    !
    no ip access-list extended inbound_firewall
    ip access-list extended inbound_firewall
    !
    ! filter out the crud
    remark deny own range
    deny ip 82.71.110.224 0.0.0.15 any
    remark deny spoof addresses
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip 192.0.2.0 0.0.0.255 any
    deny ip 224.0.0.0 31.255.255.255 any
    deny ip host 255.255.255.255 any
    deny ip host 0.0.0.0 any
    remark deny non-routables
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    remark icmp traffic
    permit icmp any any echo-reply
    permit icmp any any unreachable
    permit icmp any any time-exceeded
    deny icmp any any
    remark allow established
    permit tcp any 82.71.110.224 0.0.0.15 established
    permit udp any range 1 1023 82.71.110.224 0.0.0.15 gt 1023
    !
    ! hosts
    remark cookiemonster.dunelm.gpf.me.uk
    remark ssh
    permit tcp any host 82.71.110.226 eq 22
    remark mail
    permit tcp any host 82.71.110.226 eq 25
    permit tcp any host 82.71.110.226 eq 465
    remark dns
    permit tcp any host 82.71.110.226 eq 53
    permit udp any host 82.71.110.226 eq 53
    remark www
    permit tcp any host 82.71.110.226 eq 80
    permit tcp any host 82.71.110.226 eq 443
    !
    remark barkley.dunelm.gpf.me.uk
    remark ssh
    permit tcp any host 82.71.110.228 eq 22
    remark mail
    permit tcp any host 82.71.110.228 eq 25
    remark dns
    permit tcp any host 82.71.110.228 eq 53
    permit udp any host 82.71.110.228 eq 53
    remark www
    permit tcp any host 82.71.110.228 eq 80
    permit tcp any host 82.71.110.228 eq 443
    !
    !
    no ip access-list extended outbound_firewall
    ip access-list extended outbound_firewall
    !
    remark allow own range
    permit ip 82.71.110.224 0.0.0.15 any
    !
    remark block any other traffic
    deny ip any any
    !
    !
    no ip http server
    no ip http secure-server
    !
    snmp-server community xxxxxxxx RW
    snmp-server community xxxxxxxx RO
    snmp-server location Loft Cab
    snmp-server contact xxxxxxxx
    !
    banner login ^

    Unauthorised access prohibited - all access and commands are logged.

    ^
    !
    line con 0
    login local
    session-timeout 10
    line vty 0 4
    login local
    session-timeout 10
    transport input ssh
    !
    end



    --
    Steve Carr
    http://gpf.me.uk


    Steven Carr, Oct 20, 2007
    #1

  2. Steven Carr

    Steven Carr Guest

I don't mean PAT at all - I mean Routed - my brain is shot today....

    --
    Steve Carr
    http://gpf.me.uk


    Steven Carr, Oct 20, 2007
    #2

  3. Steven Carr

    Steven Carr Guest

    OK as it turns out it is actually all working (was actually a number of
    ACL's within BIND preventing recursive lookups from the new private VLAN
    addresses and misconfiguration in the DHCP scope giving out the wrong
    gateway address (doh!))

    But anyway with regards to my inbound and outbound firewall ACLs, is
    there anything that is wrong or that I am missing + also the question
    about that "permit udp" line

    Thanks

    Ste

    ----------

    no ip access-list extended inbound_firewall
    ip access-list extended inbound_firewall
    !
    ! filter out the crud
    remark deny own range
    deny ip 82.71.110.224 0.0.0.15 any
    remark deny spoof addresses
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip 192.0.2.0 0.0.0.255 any
    deny ip 224.0.0.0 31.255.255.255 any
    deny ip host 255.255.255.255 any
    deny ip host 0.0.0.0 any
    remark deny non-routables
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    remark icmp traffic
    permit icmp any any echo-reply
    permit icmp any any unreachable
    permit icmp any any time-exceeded
    deny icmp any any
    remark allow established
    permit tcp any 82.71.110.224 0.0.0.15 established
    permit udp any range 1 1023 82.71.110.224 0.0.0.15 gt 1023
    !
    ! hosts
    remark cookiemonster.dunelm.gpf.me.uk
    remark ssh
    permit tcp any host 82.71.110.226 eq 22
    remark mail
    permit tcp any host 82.71.110.226 eq 25
    permit tcp any host 82.71.110.226 eq 465
    remark dns
    permit tcp any host 82.71.110.226 eq 53
    permit udp any host 82.71.110.226 eq 53
    remark www
    permit tcp any host 82.71.110.226 eq 80
    permit tcp any host 82.71.110.226 eq 443
    !
    remark barkley.dunelm.gpf.me.uk
    remark ssh
    permit tcp any host 82.71.110.228 eq 22
    remark mail
    permit tcp any host 82.71.110.228 eq 25
    remark dns
    permit tcp any host 82.71.110.228 eq 53
    permit udp any host 82.71.110.228 eq 53
    remark www
    permit tcp any host 82.71.110.228 eq 80
    permit tcp any host 82.71.110.228 eq 443
    !
    !
    no ip access-list extended outbound_firewall
    ip access-list extended outbound_firewall
    !
    remark allow own range
    permit ip 82.71.110.224 0.0.0.15 any
    !
    remark block any other traffic
    deny ip any any
    !
    !

    --
    Steve Carr
    http://gpf.me.uk


    Steven Carr, Oct 20, 2007
    #3
  4. Merv

    Merv Guest

For packets from inside, the router should perform routing first then
NAT so not sure why packets do not make it to VLAN 2

do a debug ip icmp and ping from a host on VLAN 3 to host on VLAN 2
and see what output is displayed

    also do a traceroute


    display translations using sh ip nat translations to see if the
    traffic between VLANS is being translated
    Merv, Oct 20, 2007
    #4
  5. Steven Carr

    Steven Carr Guest

    Merv wrote:
> For packets from inside, the router should perform routing first then
> NAT so not sure why packets do not make it to VLAN 2
>
> do a debug ip icmp and ping from a host on VLAN 3 to host on VLAN 2
> and see what output is displayed
    >
    > also do a traceroute
    >
    >
    > display translations using sh ip nat translations to see if the
    > traffic between VLANS is being translated
    >
    >


Sorted that, it was a cockup elsewhere with DHCP+DNS config. Can you
see any problems with the actual firewall rules I have in place (just
from a general security point of view)? Are there any others you can
think of to add, or any that shouldn't be there?

    Thanks

    Ste

    --
    Steve Carr
    http://gpf.me.uk


    Steven Carr, Oct 20, 2007
    #5
  6. Merv

    Merv Guest

    acl's for security look ok

    use enable secret instead of enable password
    ditto for username priv password - use username priv secret <>

    no logging console ! disable console logging
    Merv, Oct 20, 2007
    #6
  7. Steven Carr

    Steven Carr Guest

    Hi Merv,

Really appreciate all of the help you provide on this newsgroup. Can you
explain what this rule is for and why the 2 rules below it don't seem to
work? If I take the "permit udp any range..." rule out, DNS stops working
completely, but shouldn't the 2 rules for DNS allow it to continue to
work? Just from my looking at it, that rule says that any host can send
udp packets from ports 1-1023 to any port higher than 1023, which to me
seems like a hole for lots of traffic to potentially get through.

    > permit udp any range 1 1023 82.71.110.224 0.0.0.15 gt 1023
    > remark dns
    > permit tcp any host 82.71.110.226 eq 53
    > permit udp any host 82.71.110.226 eq 53


    Thanks

    Ste


    --
    Steve Carr
    http://gpf.me.uk


    Steven Carr, Oct 21, 2007
    #7
  8. Merv

    Merv Guest

    see Cisco doc "Transit Access Control Lists: Filtering at Your Edge"


    !--- Permit legitimate business traffic.

access-list 110 permit tcp any 192.168.201.0 0.0.0.255 established
access-list 110 permit udp any range 1 1023 192.168.201.0 0.0.0.255 gt 1023



    !--- Explicitly permit externally sourced traffic.
    !--- These are incoming DNS queries.

    access-list 110 permit udp any gt 1023 host <primary DNS server> eq 53

    !-- These are zone transfer DNS queries to primary DNS server.

access-list 110 permit tcp host secondary DNS server gt 1023 host primary DNS server eq 53

    !--- Permit older DNS zone transfers.

access-list 110 permit tcp host secondary DNS server eq 53 host primary DNS server eq 53

    !--- Deny all other DNS traffic.

    access-list 110 deny udp any any eq 53
    access-list 110 deny tcp any any eq 53
    Merv, Oct 21, 2007
    #8
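An added example (not from the thread or from the Cisco document) that evaluates the relevant inbound_firewall entries from the posts above under Cisco first-match, wildcard-mask semantics: it shows that the "permit udp any range 1 1023 ... gt 1023" line is what admits the replies to the name servers' own recursive lookups (source port 53, high destination port), while the "eq 53" lines only admit queries arriving at the servers. The rule subset, the packets and the evaluator are constructed; addresses and hostnames are the thread's, and the outside resolver address 203.0.113.9 is a documentation-range placeholder.

```python
import ipaddress

def wc_match(addr, net, wildcard):
    """Cisco wildcard-mask match: bits set in the wildcard are 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)

def port_match(port, spec):
    """spec is None (any), ('eq', n), ('gt', n) or ('range', lo, hi)."""
    if spec is None:
        return True
    if spec[0] == "eq":
        return port == spec[1]
    if spec[0] == "gt":
        return port > spec[1]
    return spec[1] <= port <= spec[2]          # ('range', lo, hi)

ANY = ("0.0.0.0", "255.255.255.255")
SITE = ("82.71.110.224", "0.0.0.15")          # the public /28 from the thread
NS1 = ("82.71.110.226", "0.0.0.0")            # cookiemonster; wildcard 0.0.0.0 == 'host'

# Constructed subset of inbound_firewall, in the thread's order:
# (action, proto, src, sport, dst, dport, established-only)
INBOUND = [
    ("deny",   "ip",  SITE, None, ANY, None, False),                 # deny own range
    ("deny",   "ip",  ("172.16.0.0", "0.15.255.255"), None, ANY, None, False),
    ("permit", "tcp", ANY, None, SITE, None, True),                  # established
    ("permit", "udp", ANY, ("range", 1, 1023), SITE, ("gt", 1023), False),
    ("permit", "tcp", ANY, None, NS1, ("eq", 53), False),            # dns
    ("permit", "udp", ANY, None, NS1, ("eq", 53), False),
    ("permit", "tcp", ANY, None, NS1, ("eq", 80), False),            # www
]
WITHOUT_RANGE = [e for e in INBOUND if e[3] != ("range", 1, 1023)]

def evaluate(acl, pkt):
    """Action of the first matching entry; a Cisco ACL ends in an implicit deny."""
    for action, proto, src, sport, dst, dport, est in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wc_match(pkt["src"], *src) and wc_match(pkt["dst"], *dst)):
            continue
        if not (port_match(pkt["sport"], sport) and port_match(pkt["dport"], dport)):
            continue
        if est and not pkt.get("established", False):
            continue
        return action
    return "deny"

def udp_pkt(src, sport, dst, dport):
    return {"proto": "udp", "src": src, "sport": sport, "dst": dst, "dport": dport}

# Constructed samples: the reply to a recursive lookup cookiemonster sent to the
# ISP resolver 212.23.3.100, and an inbound query from an outside resolver.
DNS_REPLY = udp_pkt("212.23.3.100", 53, "82.71.110.226", 40123)
DNS_QUERY = udp_pkt("203.0.113.9", 40123, "82.71.110.226", 53)
```

The same evaluator confirms the concern raised about the rule: any UDP datagram from a source port below 1024 to a high port anywhere in the /28 is admitted, so the reflexive or CBAC-style inspection the Cisco document discusses is the tighter alternative to a static return-traffic permit.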