
ACL's with NAT


jonny2495

Technical User
Aug 3, 2006
16
GB
Hi Guys,

I have set up a 1721 as a NAT router on my broadband connection and it all works great. What I now want to do is lock it down, as at the moment port 23 is wide open amongst others.

I don't want anything fancy, just local net out and nothing coming in except established connections.

I had a go with a couple of ACLs but so far have only managed to break what I have done.

Here's what I have so far that works:

interface Ethernet0
 description LAN Interface
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 half-duplex
!
interface FastEthernet0
 description WAN Interface
 ip address dhcp
 ip nat outside
 speed auto
!
interface Serial0
 no ip address
 shutdown
!
! PAT: LAN sources matched by ACL 103 are translated to the DHCP-assigned
! address of FastEthernet0 (overload = many inside hosts, one outside address)
ip nat inside source list 103 interface FastEthernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0
no ip http server
no ip http secure-server
!
!
logging 10.0.0.10
! 101 and 102 are defined but not applied to any interface in this config;
! 103 only selects which traffic is NATed, it does not filter anything
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 permit tcp any 10.0.0.0 0.0.0.255 established
access-list 103 permit ip 10.0.0.0 0.0.0.255 any
!

ACLs 101 & 102 I tried using on fa0 using:

ip access-group 101 out
ip access-group 102 in

But that just broke it!

Any suggestions?

Thanks

Jon

Jon - CCNA to be :)
UK
 
Do you really need to restrict any traffic outbound? If not, forget about an outbound ACL.
For inbound, if you only have the one private LAN address range, just do any any, and apply it inbound.

Burt
 
Burt,

No, I don't have to restrict outbound traffic, but I would have thought it would generally be good practice to restrict outgoing to your own IP address range. If ISPs did this, imagine how much better the web would be with no infected PCs with spoofed source IPs flooding the net with rubbish.

I am going to try to get it working without the outbound ACL first, but I have tried just an incoming filter and it still didn't work.

Jon

Jon - CCNA to be :)
UK
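The breakage in the first post (ACLs 101 and 102 on fa0) and the inbound-only attempt in the follow-up both come down to where an ACL sits relative to NAT. On IOS an inbound ACL on the `ip nat outside` interface is evaluated before the global-to-local translation, so the destination it sees is the router's public (DHCP-assigned) address, never 10.0.0.x; an outbound ACL on that same interface is evaluated after the local-to-global translation, so the source it sees is the public address, not 10.0.0.x. Both ACLs therefore match nothing and the implicit deny drops everything, which is exactly "it just broke". The configuration below is an added example, not Jon's config or anything posted in this thread. It keeps the interface names and the 10.0.0.0/24 range from his post; the ACL names WAN-IN, WAN-OUT, WAN-REFLECT, LAN-IN and number 10 are my choices, and it assumes an IOS image on the 1721 that supports reflexive ACLs (named extended ACLs with `reflect`/`evaluate`). It also covers the anti-spoofing point from the second post: that filter belongs inbound on Ethernet0, where the source is still 10.0.0.x, not outbound on fa0.

```cisco
! Added example, not from the thread. Interface names and 10.0.0.0/24 come
! from the original post; ACL names/numbers and the reflexive-ACL feature
! are assumptions.
!
! --- 1. Inbound on the WAN interface. Evaluated BEFORE NAT: the destination
!        is the router's public address, so never match on 10.0.0.0/24 here.
ip access-list extended WAN-IN
 remark Replies to sessions the LAN opened (state recorded by WAN-OUT below)
 evaluate WAN-REFLECT
 remark The router's own DHCP lease on fa0: router-originated traffic is not
 remark filtered by an outbound ACL, so the reflexive list never learns it
 permit udp any eq bootps any eq bootpc
 remark Path MTU discovery and traceroute feedback from intermediate hops,
 remark which an ICMP reflexive entry (echo -> echo-reply) does not cover
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark Everything else, port 23 included, is dropped and sent to 10.0.0.10
 deny ip any any log
!
! --- 2. Outbound on the WAN interface. Evaluated AFTER NAT: the source is
!        the public address. Each permitted session creates a temporary
!        reverse entry in WAN-REFLECT that the inbound "evaluate" matches.
ip access-list extended WAN-OUT
 permit tcp any any reflect WAN-REFLECT timeout 300
 permit udp any any reflect WAN-REFLECT timeout 60
 permit icmp any any reflect WAN-REFLECT timeout 30
!
! --- 3. Anti-spoofing on the LAN side. Inbound on Ethernet0 is evaluated
!        BEFORE NAT, so the source is still 10.0.0.x; this is where
!        "only my own range may leave" actually works.
ip access-list extended LAN-IN
 permit ip 10.0.0.0 0.0.0.255 any
 deny ip any any log
!
! --- 4. Telnet to the router itself is reached via the vty lines, so limit
!        those to the LAN regardless of what the interface ACLs allow.
access-list 10 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class 10 in
!
interface Ethernet0
 ip access-group LAN-IN in
!
interface FastEthernet0
 ip access-group WAN-IN in
 ip access-group WAN-OUT out
```

If the image does not support reflexive ACLs, the closest static equivalent is Burt's suggestion, `permit tcp any any established` inbound on fa0 (note `any any`, not `10.0.0.0 0.0.0.255`, for the pre-NAT reason above), but it then needs explicit `permit udp any eq domain any` for DNS replies and the same DHCP and ICMP lines, and it is weaker: `established` only checks the ACK or RST flag, so any ACK-flagged segment (an ACK scan, for instance) gets through, and a source-port-53 rule lets anyone reach the LAN's translated ports by sending from port 53. If the image has the crypto feature set, `transport input ssh` on the vty lines retires port 23 entirely; otherwise the `access-class` keeps it reachable only from 10.0.0.0/24. After applying, `show ip access-lists` shows the temporary WAN-REFLECT entries appearing and expiring as LAN hosts open sessions.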
 
Hello
If you have Cisco SDM, it does a really good job. SDM can do a "security audit" and then it lets you lock everything down. Then you can view the commands from the console and learn the different weaknesses of the default configs.
Regards
 
Hi,

Thanks for the SDM tip, I will have a look at it.

Jon

Jon - CCNA to be :)
UK
 