Cisco 2821 ISR - Public & Private NAT access

Discussion in 'Cisco' started by Jack, Sep 22, 2009.

  1. Jack

    Jack Guest

    Hi there,

    I was wondering what the best method of securing the following
    situation is:

    I have a Cisco 2821 ISR - configured as follows:

    Gig 0/0 - LAN wire
    Gig 0/1 - WAN subnets (I have 2 routable subnets)
    Dot11 - WIFI
    BVI1 - ties LAN and WIFI together - has local ip - has NAT
    Dialer1 - ADSL (MLPPP ADSL)
    ATM0, 1, 3 - 3x ADSL lines

    What is happening is that the LAN can ping all outside IP addresses,
    everything works fine - which I want.

    But the WAN can also ping/communicate with all LAN addresses - which
    are NATed - which I don't want.

    I tried to set up the Firewall via SDM, it kinda worked but that was a
    big mess - ended up having to re-configure from scratch back to
    original.

    Anyone give an example of how to deny the WAN access to the LAN?

    Thanks,
    Jack
    Jack, Sep 22, 2009
    #1

  2. Jack

    Jack Guest

    On Sep 22, 3:10 pm, Jack <> wrote:
    > Hi there,
    >
    > I was wondering what the best method of securing the following
    > situation is:
    >
    > I have a Cisco 2821 ISR - configured as follows:
    >
    > Gig 0/0 - LAN wire
    > Gig 0/1 - WAN subnets (I have 2 routable subnets)
    > Dot11 - WIFI
    > BVI1 - ties LAN and WIFI together - has local ip - has NAT
    > Dialer1 - ADSL (MLPPP ADSL)
    > ATM0, 1, 3 - 3x ADSL lines
    >
    > What is happening is that the LAN can ping all outside IP addresses,
    > everything works fine - which I want.
    >
    > But the WAN can also ping/communicate with all LAN addresses - which
    > are NATed - which I don't want.
    >
    > I tried to set up the Firewall via SDM, it kinda worked but that was a
    > big mess - ended up having to re-configure from scratch back to
    > original.
    >
    > Anyone give an example of how to deny the WAN access to the LAN?
    >
    > Thanks,
    > Jack


    This is weird, it looks like the router is just routing the packets
    regardless if they are local or not (so all internal addresses can
    route to all external addresses and flipped).

    Any ideas why this would happen?
    Jack, Sep 22, 2009
    #2

  3. Jack

    bod43 Guest

    On 22 Sep, 22:19, Jack <> wrote:
    > On Sep 22, 3:10 pm, Jack <> wrote:
    > > Hi there,
    > >
    > > I was wondering what the best method of securing the following
    > > situation is:
    > >
    > > I have a Cisco 2821 ISR - configured as follows:
    > >
    > > Gig 0/0 - LAN wire
    > > Gig 0/1 - WAN subnets (I have 2 routable subnets)
    > > Dot11 - WIFI
    > > BVI1 - ties LAN and WIFI together - has local ip - has NAT
    > > Dialer1 - ADSL (MLPPP ADSL)
    > > ATM0, 1, 3 - 3x ADSL lines
    > >
    > > What is happening is that the LAN can ping all outside IP addresses,
    > > everything works fine - which I want.
    > >
    > > But the WAN can also ping/communicate with all LAN addresses - which
    > > are NATed - which I don't want.
    > >
    > > I tried to set up the Firewall via SDM, it kinda worked but that was a
    > > big mess - ended up having to re-configure from scratch back to
    > > original.
    > >
    > > Anyone give an example of how to deny the WAN access to the LAN?
    > >
    > > Thanks,
    > > Jack
    >
    > This is weird, it looks like the router is just routing the packets
    > regardless if they are local or not (so all internal addresses can
    > route to all external addresses and flipped).
    >
    > Any ideas why this would happen?


    What version and feature set have you?

    Please post sh ver and sh run.
    You will likely need to sanitise the sh run and you can remove
    the Processor board ID from the sh ver if you are paranoid
    like me.

    sh tech contains a sh run with passwords removed.

    sh ver
    Cisco IOS Software, C870 Software ...
    (C870-ADVIPSERVICESK9-M), ...
    Version 12.4(15)T7, RELEASE SOFTWARE (fc3)
    ....
    System image file is "flash:c870-advipservicesk9-mz.124-15.T7.bin"


    This is Advanced IP Services version 12.4(15)T7
    bod43, Sep 23, 2009
    #3
  4. Jack

    Jack Guest

    On Sep 22, 3:10 pm, Jack <> wrote:
    > Hi there,
    >
    > I was wondering what the best method of securing the following
    > situation is:
    >
    > I have a Cisco 2821 ISR - configured as follows:
    >
    > Gig 0/0 - LAN wire
    > Gig 0/1 - WAN subnets (I have 2 routable subnets)
    > Dot11 - WIFI
    > BVI1 - ties LAN and WIFI together - has local ip - has NAT
    > Dialer1 - ADSL (MLPPP ADSL)
    > ATM0, 1, 3 - 3x ADSL lines
    >
    > What is happening is that the LAN can ping all outside IP addresses,
    > everything works fine - which I want.
    >
    > But the WAN can also ping/communicate with all LAN addresses - which
    > are NATed - which I don't want.
    >
    > I tried to set up the Firewall via SDM, it kinda worked but that was a
    > big mess - ended up having to re-configure from scratch back to
    > original.
    >
    > Anyone give an example of how to deny the WAN access to the LAN?
    >
    > Thanks,
    > Jack


    Turns out this fixes it:

    I didn't have "ip nat outside" on my other interface.

    As long as all interfaces have "ip nat *" the general behind-NAT
    addresses can't be accessed - but hosts that have an internal address
    (on 1 NIC) and an external address (on another NIC) can still be accessed
    - since they are all routing off the same gateway - be it an internal
    or external address.

    To fix that up I put in a simple ACL to deny the public traffic to the
    local traffic:

    ip access-list extended NoWANtoLAN
    deny ip <ext1 /29> 0.0.0.7 10.9.8.0 0.0.0.255
    deny ip <ext1 /29> 0.0.0.7 10.9.10.0 0.0.0.255
    deny ip <ext2 /28> 0.0.0.15 10.9.10.0 0.0.0.255
    deny ip <ext2 /28> 0.0.0.15 10.9.8.0 0.0.0.255
    permit ip any any

    then:
    int Gig0/1
    ip access-group NoWANtoLAN in

    Now my LAN can access the WAN, and WAN can't access the LAN.

    Glad I noticed the "ip nat *" on the other interface - that was key.

    Jack Baker
    NeuStyle Solutions Ltd.
    Jack, Sep 23, 2009
    #4
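To make the first-match and wildcard-mask semantics of the NoWANtoLAN list concrete, here is an added Python model of how IOS evaluates it; this is not code from the thread or from Cisco, and it uses constructed TEST-NET-3 blocks (203.0.113.0/29 and 203.0.113.16/28) in place of the redacted <ext1 /29> and <ext2 /28> values.

```python
import ipaddress

# Constructed placeholders (TEST-NET-3) standing in for the two routable WAN
# blocks that the post redacts as <ext1 /29> and <ext2 /28>.
EXT1 = "203.0.113.0"    # /29  -> wildcard 0.0.0.7
EXT2 = "203.0.113.16"   # /28  -> wildcard 0.0.0.15

# Jack's NoWANtoLAN list with the placeholders filled in.
NOWANTOLAN = f"""
deny ip {EXT1} 0.0.0.7 10.9.8.0 0.0.0.255
deny ip {EXT1} 0.0.0.7 10.9.10.0 0.0.0.255
deny ip {EXT2} 0.0.0.15 10.9.10.0 0.0.0.255
deny ip {EXT2} 0.0.0.15 10.9.8.0 0.0.0.255
permit ip any any
"""

def _matches(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def _endpoint(tokens):
    """Consume 'any' or '<address> <wildcard>' and return the remainder."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' entries into (action, src, dst)."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        action, proto = tokens[0], tokens[1]
        assert action in ("permit", "deny") and proto == "ip"
        src, rest = _endpoint(tokens[2:])
        dst, _ = _endpoint(rest)
        entries.append((action, src, dst))
    return entries

def evaluate(entries, src, dst):
    """First matching entry decides; an IOS ACL ends in an implicit deny."""
    for action, (sb, sw), (db, dw) in entries:
        if _matches(src, sb, sw) and _matches(dst, db, dw):
            return action
    return "deny"
```

Dropping the final `permit ip any any` leaves only the implicit deny, which is why that line matters when the list is applied inbound on Gig0/1.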
