Can't get Access-List to work with 2514 using Dynamic and Static NAT

Discussion in 'Cisco' started by Harvey Colwell, Nov 19, 2004.

  1. Our local public library had a 2514 donated to them and they asked me if I
    could configure it to replace the LinkSys they currently use for Internet
    access. I have almost identical configurations running on a 1600 series with
    1 WAN IP and on a 1700 series with 6 WAN IPs. The only difference is that
    they both have a stateful firewall and the 2514's IOS (IP/PLUS) doesn't.

    As long as I don't apply an access-list 101, both the incoming static NATed
    traffic and the outgoing dynamic NATed traffic works just fine. I've tried
    many variations on the access-list shown below. But anytime I try to limit
    the ports that are allowed to pass to the internal (static) email/web
    server, no replies to the dynamic NAT outgoing traffic ever get through. As
    I said, these access lists are identical to ones I use in other routers.

    I've never worked with a router this old. Nor with only the IP/Plus feature
    set. By process of elimination, my problem most likely has to do with the
    missing stateful Firewall feature. But I can't prove that or understand why
    this would be the case.

    Does anyone know how to apply an access list to safely limit the traffic
    coming into the internal server while allowing unlimited Internet access for
    the internal workstations?

    TIA

    !
    version 12.1
    service password-encryption
    service udp-small-servers
    service tcp-small-servers
    !
    hostname Cisco2514-INET
    !
    enable secret 5 <hidden>
    !
    ip name-server 206.166.57.20
    ip name-server 206.166.83.20
    !
    interface Ethernet0
    description WAN
    ip address xxx.xxx.xxx.197 255.255.255.0
    ip access-group 101 in
    ip nat outside
    no cdp enable
    !
    interface Ethernet1
    description LAN
    ip address yyy.yyy.yyy.6 255.255.255.0
    ip access-group 100 in
    ip nat inside
    no cdp enable
    !
    interface Serial0
    no ip address
    shutdown
    !
    interface Serial1
    no ip address
    shutdown
    !
    logging monitor errors
    logging trap debugging
    logging facility local5
    !
    ip subnet-zero
    !
    ip classless
    ip default-gateway xxx.xxx.xxx.254
    ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.254
    !
    ip nat pool my_natpool xxx.xxx.xxx.197 xxx.xxx.xxx.197 netmask 255.255.255.0
    ip nat inside source list 1 pool my_natpool overload
    ip nat inside source static yyy.yyy.yyy.33 xxx.xxx.xxx.197
    !
    access-list 1 permit yyy.yyy.yyy.0 0.0.0.255
    access-list 10 permit yyy.yyy.yyy.0 0.0.0.255
    access-list 100 permit ip any any
    access-list 101 deny ip host xxx.xxx.xxx.197 any
    access-list 101 permit tcp any host xxx.xxx.xxx.197 eq smtp
    access-list 101 permit tcp any host xxx.xxx.xxx.197 eq www
    access-list 101 permit tcp any host xxx.xxx.xxx.197 eq pop3
    access-list 101 permit tcp any host xxx.xxx.xxx.197 eq 143
    access-list 101 permit tcp any host xxx.xxx.xxx.197 eq 1000
    access-list 101 permit tcp any host xxx.xxx.xxx.197 eq 3000
    access-list 101 deny ip any host xxx.xxx.xxx.197
    !
    snmp-server community public RO
    !
    line con 0
    line aux 0
    transport input all
    line vty 0 1
    access-class 10 in
    password <hidden>
    login
    line vty 2
    access-class 10 in
    password <hidden>
    login
    length 39
    line vty 3 4
    access-class 10 in
    password <hidden>
    login
    !
    end
     
    Harvey Colwell, Nov 19, 2004
    #1

  2. Harvey Colwell

    Doan Guest

    Looks like you are doing PAT with a single public address
    (xxx.xxx.xxx.197). So all your inside hosts will be NAT'd to
    this address.

    Yet, your access-list 101 denies any traffic going to this same address.

    Doan
     
    Doan, Nov 19, 2004
    #2

  3. When you have the firewall features it looks at the connections created
    by your internal hosts and allows the responses back in dynamically.
    Without the firewall you need to leave a big enough hole in your ACL that
    the response can get through without making it so big that the router is
    wide open, i.e.

    !
    ! Change the pool to using interface overload
    !
    no ip nat pool my_natpool xxx.xxx.xxx.197 xxx.xxx.xxx.197 netmask 255.255.255.0
    no ip nat inside source list 1 pool my_natpool overload
    ip nat inside source list 1 interface Ethernet0 overload
    !
    ! Remove the one to one static. It clashes with the overload anyway.
    !
    no ip nat inside source static yyy.yyy.yyy.33 xxx.xxx.xxx.197
    !
    ! Use port static translations for the inbound traffic we want to allow.
    !
    ip nat inside source static tcp yyy.yyy.yyy.33 25 xxx.xxx.xxx.197 25
    ip nat inside source static tcp yyy.yyy.yyy.33 80 xxx.xxx.xxx.197 80
    ip nat inside source static tcp yyy.yyy.yyy.33 110 xxx.xxx.xxx.197 110
    !
    ! Should the next line really be port 443 (https)?
    ! Applies to the ACL as well.
    !
    ip nat inside source static tcp yyy.yyy.yyy.33 143 xxx.xxx.xxx.197 143
    ip nat inside source static tcp yyy.yyy.yyy.33 1000 xxx.xxx.xxx.197 1000
    ip nat inside source static tcp yyy.yyy.yyy.33 3000 xxx.xxx.xxx.197 3000
    !
    ! Rewrite access list 101
    no access-list 101
    access-list 101 deny ip host xxx.xxx.xxx.197 any
    !
    ! Allow replies to outbound tcp connections from
    ! any inside host
    !
    access-list 101 permit tcp any host xxx.xxx.xxx.197 established
    !
    ! Permit DNS lookups
    !
    access-list 101 permit udp any eq domain host xxx.xxx.xxx.197
    !
    ! Allow some useful and necessary ICMP
    ! Check the spelling. I don't have a router to check on.
    !
    access-list 101 permit icmp any host xxx.xxx.xxx.197 echo-reply
    access-list 101 permit icmp any host xxx.xxx.xxx.197 unreachable
    access-list 101 permit icmp any host xxx.xxx.xxx.197 packet-too-big
    !
    ! Allow inbound connections to the server.
    !
    access-list 101 permit tcp any host xxx.xxx.xxx.197 eq smtp
    access-list 101 permit tcp any host xxx.xxx.xxx.197 eq www
    access-list 101 permit tcp any host xxx.xxx.xxx.197 eq pop3
    access-list 101 permit tcp any host xxx.xxx.xxx.197 eq 143
    access-list 101 permit tcp any host xxx.xxx.xxx.197 eq 1000
    access-list 101 permit tcp any host xxx.xxx.xxx.197 eq 3000
    !
    ! Whatever is not allowed is denied,
    !
    access-list 101 deny ip any any
    !
     
    Martin Gallagher, Nov 20, 2004
    #3
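To see why Harvey's original list 101 drops the replies to the PATed workstations while Martin's rewrite lets them through, here is an added Python model of top-down IOS ACL evaluation (example code, not from the thread or from IOS). 203.0.113.197 stands in for xxx.xxx.xxx.197, the other addresses and packets are constructed, and the ICMP and high-port entries are omitted for brevity.

```python
from dataclasses import dataclass

PUBLIC = "203.0.113.197"  # constructed stand-in for xxx.xxx.xxx.197

@dataclass
class Packet:
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    ack_or_rst: bool = False  # TCP ACK or RST bit set; this is all "established" tests

# Entry: (action, proto, src, sport, dst, dport, established). "any"/None = wildcard.
ORIGINAL_101 = [
    ("deny",   "ip",  PUBLIC, None, "any",  None, False),  # anti-spoof: our own address
    ("permit", "tcp", "any",  None, PUBLIC, 25,   False),
    ("permit", "tcp", "any",  None, PUBLIC, 80,   False),
    ("permit", "tcp", "any",  None, PUBLIC, 110,  False),
    ("deny",   "ip",  "any",  None, PUBLIC, None, False),  # catches every reply too
]
REVISED_101 = [
    ("deny",   "ip",  PUBLIC, None, "any",  None, False),
    ("permit", "tcp", "any",  None, PUBLIC, None, True),   # ... established
    ("permit", "udp", "any",  53,   PUBLIC, None, False),  # replies from DNS servers
    ("permit", "tcp", "any",  None, PUBLIC, 25,   False),
    ("permit", "tcp", "any",  None, PUBLIC, 80,   False),
    ("permit", "tcp", "any",  None, PUBLIC, 110,  False),
    ("deny",   "ip",  "any",  None, "any",  None, False),
]

def matches(entry, p):
    action, proto, src, sport, dst, dport, est = entry
    return ((proto == "ip" or proto == p.proto)
            and src in ("any", p.src) and dst in ("any", p.dst)
            and sport in (None, p.sport) and dport in (None, p.dport)
            and (not est or (p.proto == "tcp" and p.ack_or_rst)))

def evaluate(acl, p):
    """Top-down, first match wins, implicit deny at the end, as on IOS."""
    for entry in acl:
        if matches(entry, p):
            return entry[0]
    return "deny"

# Constructed packets arriving inbound on Ethernet0 (the "ip nat outside" side):
WEB_REPLY = Packet("tcp", "198.51.100.10", 80, PUBLIC, 40000, ack_or_rst=True)  # original: deny, revised: permit
UNSOLICITED = Packet("tcp", "198.51.100.10", 4444, PUBLIC, 40000)               # SYN to a high port: deny in both
INBOUND_SMTP = Packet("tcp", "198.51.100.10", 54321, PUBLIC, 25)                # mail to the server: permit in both
DNS_REPLY = Packet("udp", "203.0.113.53", 53, PUBLIC, 40001)                    # original: deny, revised: permit
```

Note that `established` only inspects the ACK/RST bits of each TCP segment rather than consulting a connection table, so it is the minimum hole a stateless IP/Plus router needs, not a substitute for the firewall feature set on the 1600 and 1700.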
  4.  
    david_lynch74, Dec 8, 2004
    #4
