Cisco 2821 ISR - Public & Private NAT access

Discussion in 'Cisco' started by Jack, Sep 22, 2009.

  1. Jack

    Jack Guest

    Hi there,

    I was wondering what the best method of securing the following
    situation is:

    I have a Cisco 2821 ISR - configured as follows:

    Gig 0/0 - LAN wire
    Gig 0/1 - WAN subnets (I have 2 routable subnets)
    Dot11 - WIFI
    BVI1 - ties LAN and WIFI together - has local ip - has NAT
    Dialer1 - ADSL (MLPPP ADSL)
    ATM0, 1, 3 - 3x ADSL lines

    What is happening is that the LAN can ping all outside IP addresses,
    everything works fine - which I want.

    But the WAN can also ping/communicate with all LAN addresses - which
    are NATed - which I don't want.

    I tried to set up the Firewall via SDM, it kinda worked but that was a
    big mess - ended up having to re-configure from scratch back to

    Anyone give an example of how to deny the WAN access to the LAN?

    Jack, Sep 22, 2009
  2. Jack

    Jack Guest

    This is weird, it looks like the router is just routing the packets
    regardless of whether they are local or not (so all internal addresses can
    route to all external addresses and the reverse).

    Any ideas why this would happen?
    Jack, Sep 22, 2009
  3. Jack

    bod43 Guest

    What version and feature set have you?

    Please post sh ver and sh run.
    You will likely need to sanitise the sh run and you can remove
    the Processor board ID from the sh ver if you are paranoid
    like me.

    sh tech contains a sh run with passwords removed.

    sh ver
    Cisco IOS Software, C870 Software ...
    (C870-ADVIPSERVICESK9-M), ...
    Version 12.4(15)T7, RELEASE SOFTWARE (fc3)
    System image file is "flash:c870-advipservicesk9-mz.124-15.T7.bin"

    This is Advanced IP Services version 12.4(15)T7
    bod43, Sep 23, 2009
  4. Jack

    Jack Guest

    Turns out this fixes it:

    I didn't have "ip nat outside" on my other interface.

    As long as all interfaces have "ip nat *" the general behind-NAT
    addresses can't be accessed - but addresses that have an internal address
    (on 1 NIC) and an external address (on another NIC) can still be accessed
    - since they are all routing off the same gateway - be it an internal
    or external address.

    To fix that up I put in a simple ACL to deny the public traffic to the
    local traffic:

    ip access-list extended NoWANtoLAN
    deny ip <ext1 /29>
    deny ip <ext1 /29>
    deny ip <ext2 /28>
    deny ip <ext2 /28>
    permit ip any any

    int Gig0/1
    ip access-group NoWANtoLAN in

    Now my LAN can access the WAN, and WAN can't access the LAN.

    Glad I noticed the "ip nat *" on the other interface - that was key.

    Jack Baker
    NeuStyle Solutions Ltd.
    Jack, Sep 23, 2009
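    The two pieces of Jack's fix (a NAT role on every interface, plus an inbound ACL on the WAN interface), shown as an added configuration example that is not Jack's or Cisco's own config. Interface names follow the thread; the addresses are constructed RFC 5737 documentation ranges (203.0.113.0/29 and 198.51.100.0/28 standing in for the two routable subnets, 192.168.10.0/24 for the LAN behind BVI1) and the ACL/interface names other than NoWANtoLAN are assumptions.

```cisco
! Added example, not the original poster's configuration.
! Constructed addresses: 203.0.113.0/29 and 198.51.100.0/28 = WAN subnets,
! 192.168.10.0/24 = LAN + WIFI behind BVI1. Adjust to your own ranges.
!
! 1. Which inside hosts are translated (assumed list name NAT-INSIDE).
ip access-list standard NAT-INSIDE
 permit 192.168.10.0 0.0.0.255
!
! 2. Inbound on the WAN interface: drop anything addressed to the private
!    LAN range, whatever its source, and log the hits so probes from the
!    routable subnets show up in the syslog. Return traffic for sessions
!    the LAN opened is addressed to the public NAT address, so it is
!    unaffected by this entry.
ip access-list extended NoWANtoLAN
 deny   ip any 192.168.10.0 0.0.0.255 log
 permit ip any any
!
! 3. Every traffic-carrying interface gets a NAT role. An interface with no
!    "ip nat inside"/"ip nat outside" is simply routed, which is why the
!    WAN could reach the LAN addresses directly before the fix.
interface BVI1
 description LAN + WIFI (bridged)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description WAN - two routable subnets
 ip address 203.0.113.1 255.255.255.248
 ip address 198.51.100.1 255.255.255.240 secondary
 ip nat outside
 ip access-group NoWANtoLAN in
!
interface Dialer1
 description MLPPP ADSL
 ip nat outside
!
! 4. Overload the inside hosts onto the ADSL dialer's address.
ip nat inside source list NAT-INSIDE interface Dialer1 overload
```

After applying it, "show ip access-lists NoWANtoLAN" shows the deny counter climbing when a WAN host tries the LAN range, and "show ip nat translations" confirms LAN-initiated sessions are still translated.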
