Thursday, 6 August 2009

NAT with VLANs, ACLs and PAT & Passive FTP

Another day, another blog post... oh wait, that's not right... doing too many blog posts this week.


OK, here is the setup:

You have been asked to set up two servers in a DMZ of sorts: one HTTP server and one FTP server. However, they must be in two separate VLANs and the router must stop communication between them.

Here is the lab:




Start by setting up the VLAN subinterfaces on FastEthernet0 (one 802.1Q subinterface per VLAN, each marked as a NAT inside interface):
Vlan 200:

!
interface FastEthernet0.200
encapsulation dot1Q 200
ip address 192.168.1.1 255.255.255.0
ip nat inside
!

Vlan 300:

!
interface FastEthernet0.300
encapsulation dot1Q 300
ip address 172.16.0.1 255.255.255.252
ip nat inside
!

/*********************************************************************/
Next, define the traffic that will be NATed for each VLAN (these ACLs only select which sources get translated; they are not filtering rules):
VLAN200:

access-list 1 permit 192.168.1.0 0.0.0.255

VLAN300

access-list 105 permit ip 172.16.0.0 0.0.0.3 any

/*********************************************************************/
The NAT rules:
VLAN200

ip nat inside source list 1 interface Dialer1 overload

VLAN300

ip nat inside source list 105 interface Dialer1 overload

/*********************************************************************/
Finally, on the Dialer1 interface:

interface Dialer1
ip nat outside


/*********************************************************************/
Now the ACL to prevent inter-VLAN traffic. It is applied inbound on the VLAN 300 subinterface, so it filters packets the FTP server sends towards VLAN 200:

interface FastEthernet0.300
encapsulation dot1Q 300
ip address 172.16.0.1 255.255.255.252
ip access-group FTP_IN in
!
!
ip access-list extended FTP_IN
deny ip any 192.168.1.0 0.0.0.255
permit ip any any


I could configure a similar one on fa0.200 but consider that homework :)

Be aware of what this single ACL does and does not do: it only filters packets entering the router from VLAN 300. A host in VLAN 200 can still send packets into VLAN 300 (they enter fa0.200, which has no ACL), and it is only the replies from 172.16.0.2 that FTP_IN drops. TCP sessions between the VLANs therefore fail, but unsolicited one-way traffic from VLAN 200 still reaches the FTP server until the matching ACL is added on fa0.200.
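To see what that single inbound ACL does to traffic in each direction, here is an added Python model of Cisco ACL evaluation; it is not code from the post. It implements wildcard-mask matching and first-match evaluation with the implicit deny, then runs constructed packets through FTP_IN on fa0.300 and, for comparison, through ACL 101 from the PAT section further down, applied inbound on Dialer1. The server and router addresses are the post's; the Internet hosts (203.0.113.5, 198.51.100.7), the ephemeral ports and the interface-to-ACL mapping are constructed for the example.

```python
"""Cisco-style ACL evaluation against constructed packets (added example,
not from the original post). Models FTP_IN on fa0.300 and ACL 101 on
Dialer1 using the post's addresses; the packets themselves are made up."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20}
Packet = namedtuple("Packet", "src dst proto dport")   # dport None for non-TCP/UDP
Ace = namedtuple("Ace", "action proto src dst dport")  # dport None unless "eq" given


def addr_match(spec, addr):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    ip = int(ipaddress.IPv4Address(addr))
    parts = spec.split()
    if parts[0] == "host":
        return ip == int(ipaddress.IPv4Address(parts[1]))
    net, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    care = ~wild & 0xFFFFFFFF
    return (ip & care) == (net & care)


def parse_ace(line):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]'; a leading
    'access-list N' and a trailing 'log' are tolerated."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[2:]
    action, proto, rest = toks[0], toks[1], toks[2:]

    def take(t):  # consume one address specification
        if t[0] == "any":
            return "any", t[1:]
        if t[0] == "host":
            return "host " + t[1], t[2:]
        return t[0] + " " + t[1], t[2:]

    src, rest = take(rest)
    dst, rest = take(rest)
    dport = None
    if rest and rest[0] == "eq":
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Ace(action, proto, src, dst, dport)


def evaluate(acl, pkt):
    """First matching ACE wins; every ACL ends in an implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (addr_match(ace.src, pkt.src) and addr_match(ace.dst, pkt.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


FTP_IN = [parse_ace(l) for l in (
    "deny ip any 192.168.1.0 0.0.0.255",
    "permit ip any any")]
# ACL 101 as it stands once both the HTTP and FTP entries have been added.
ACL_101 = [parse_ace(l) for l in (
    "access-list 101 permit tcp any any eq 443",
    "access-list 101 permit tcp any any eq www",
    "access-list 101 permit tcp any host 207.46.197.32 eq ftp log",
    "access-list 101 permit tcp any host 207.46.197.32 eq ftp-data")]
# Inbound ACL per ingress interface, as in the post (none on fa0.200).
INBOUND = {"Fa0.200": None, "Fa0.300": FTP_IN, "Dialer1": ACL_101}


def forwarded(ingress, pkt):
    acl = INBOUND[ingress]
    return acl is None or evaluate(acl, pkt) == "permit"


def inter_vlan_check():
    """Constructed flows between the two DMZ VLANs."""
    return {
        # FTP server reaching into VLAN 200: dropped by FTP_IN.
        "ftp->http": forwarded("Fa0.300", Packet("172.16.0.2", "192.168.1.151", "tcp", 80)),
        # FTP server to an Internet host: still allowed.
        "ftp->internet": forwarded("Fa0.300", Packet("172.16.0.2", "203.0.113.5", "tcp", 443)),
        # Web server's SYN enters fa0.200, which carries no ACL, so it is delivered...
        "http->ftp syn": forwarded("Fa0.200", Packet("192.168.1.151", "172.16.0.2", "tcp", 21)),
        # ...but the SYN/ACK enters fa0.300 and is dropped: the session fails,
        # yet unsolicited one-way traffic from VLAN 200 still reaches VLAN 300.
        "ftp->http synack": forwarded("Fa0.300", Packet("172.16.0.2", "192.168.1.151", "tcp", 49152)),
    }


def dialer_check():
    """Constructed flows arriving on Dialer1; the inbound ACL is checked
    before NAT, so destinations are the public address."""
    return {
        "inbound https": forwarded("Dialer1", Packet("198.51.100.7", "207.46.197.32", "tcp", 443)),
        "inbound ftp": forwarded("Dialer1", Packet("198.51.100.7", "207.46.197.32", "tcp", 21)),
        # Reply to an overloaded outbound session: no ACE matches, implicit deny.
        "reply to outbound": forwarded("Dialer1", Packet("203.0.113.5", "207.46.197.32", "tcp", 50001)),
        # Passive FTP data port: not in the ACL either; inspection must open it.
        "pasv data": forwarded("Dialer1", Packet("198.51.100.7", "207.46.197.32", "tcp", 52000)),
    }
```

The one-way result is the thing to notice: the web server's SYN is forwarded into VLAN 300 while the SYN/ACK coming back is dropped. The Dialer1 results show that ACL 101 on its own also drops the reply to any outbound session and the passive FTP data port, which is what the inspect policy in the FTP section has to open.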





Now on to what the rest of the world calls "port forwarding" but Cisco calls static PAT: a static translation of one inside local address and port to one inside global address and port.

This bit is in two sections: HTTP and FTP.

First, HTTP PAT.

1) Allow remote users to connect to your firewall/router on ports 80 and 443. Note that these two entries match any destination; the FTP entries further down are tied to the router's public address with a host entry, and you can tighten these the same way:

access-list 101 remark SSL Web access to forum
access-list 101 permit tcp any any eq 443
access-list 101 remark Web access to forum
access-list 101 permit tcp any any eq www


2) Set up PAT/port forwarding (static PAT from the public address on Dialer1 to the web server):

ip nat inside source static tcp 192.168.1.151 443 interface Dialer1 443
ip nat inside source static tcp 192.168.1.151 80 interface Dialer1 80



Done (for HTTP)
/*********************************************************************/
Now FTP:

1) Allow remote users to connect to your firewall/router on ports 21 and 20 (the ftp-data entry admits the client side of an active-mode data connection, which the server opens from port 20 through the static entry for that port):

access-list 101 remark FTP_IN
access-list 101 permit tcp any host 207.46.197.32 eq ftp log
access-list 101 remark FTP_IN_ACTIVE
access-list 101 permit tcp any host 207.46.197.32 eq ftp-data


2) Set up PAT/port forwarding:

ip nat inside source static tcp 172.16.0.2 20 207.46.197.32 20 extendable
ip nat inside source static tcp 172.16.0.2 21 207.46.197.32 21 extendable


3) Set up an inspect policy for the incoming FTP traffic. This is the piece that makes passive mode work: the static entries only forward ports 20 and 21, but a passive data connection goes to whatever high port the server announces in its 227 reply. NAT's FTP ALG rewrites the private address in that reply to the public one, and inspecting the control channel lets the router open ACL 101 for the announced data port for the duration of the transfer:

ip inspect name OUTSIDE_IN ftp


4) Add the inspect policy inbound on Dialer1:

interface Dialer1
ip inspect OUTSIDE_IN in


/*********************************************************************/


Finally:

Add ACL 101 inbound on Dialer1:

interface Dialer1
ip access-group 101 in
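As an added example of the passive-mode problem the inspect rule solves (not the post's own code), the following Python models the FTP ALG step on the control channel: parsing the server's 227 reply, rewriting the private address to the public one, and working out which data port the router must translate and open. The addresses are the post's (172.16.0.2 inside local, 207.46.197.32 inside global); the 227 reply, the data port and the client are constructed.

```python
"""Passive-mode FTP through the post's static PAT: what the NAT FTP ALG and
CBAC inspection have to add. Added example, not the post's own code. The
addresses are the post's; the 227 reply and the data port are constructed."""
import re

INSIDE_LOCAL = "172.16.0.2"
INSIDE_GLOBAL = "207.46.197.32"
STATIC_PAT_PORTS = {20, 21}   # the only ports the two static entries forward

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" where port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply, or None if it is not one."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def format_pasv(ip, port):
    """Build the 227 reply the client will see."""
    return "227 Entering Passive Mode (%s,%d,%d)\r\n" % (
        ip.replace(".", ","), port // 256, port % 256)


def alg_rewrite(reply, inside_local=INSIDE_LOCAL, inside_global=INSIDE_GLOBAL):
    """Model of what the IOS NAT FTP ALG does on the control channel: rewrite
    the server's private address in a 227 reply to the inside global address
    and return the translation it must install for the announced data port.
    Returns (reply_as_sent_to_client, translation_or_None)."""
    parsed = parse_pasv(reply)
    if parsed is None or parsed[0] != inside_local:
        return reply, None   # not a PASV reply for our server: pass through unchanged
    port = parsed[1]
    translation = (inside_global, port, inside_local, port)   # (global ip, global port, local ip, local port)
    return format_pasv(inside_global, port), translation


def needs_dynamic_opening(port):
    """True when neither the static PAT entries nor ACL 101 cover the port,
    i.e. the client's data connection only succeeds if CBAC opens it."""
    return port not in STATIC_PAT_PORTS


def simulate_passive_session():
    """Constructed exchange: the server answers PASV with its private address
    and a high port; the router fixes both before the client sees the reply."""
    server_reply = "227 Entering Passive Mode (172,16,0,2,195,80)\r\n"   # port 195*256+80 = 50000
    client_reply, translation = alg_rewrite(server_reply)
    ip, port = parse_pasv(client_reply)
    return {
        "client_connects_to": (ip, port),
        "translation": translation,
        "needs_inspect": needs_dynamic_opening(port),
    }
```

Without the rewrite the client would try to connect to 172.16.0.2:50000 and fail; without the translation and the dynamic ACL opening, a connection to 207.46.197.32:50000 would be dropped by the implicit deny in ACL 101. Both the ALG and the inspect rule key on the control channel being on port 21, so if you ever move FTP to another port, both have to be told about it.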




Notes:
Replace 207.46.197.32 with your own public IP (the address on Dialer1).
Inspect requires an IOS with the Firewall feature set (K9 normally).
ACL 101 ends in the usual implicit deny and is evaluated before NAT, so once it is on Dialer1 the replies to the overloaded outbound sessions from VLAN 200 and VLAN 300 have nothing permitting them. Either add an outbound inspect policy on Dialer1 as well (ip inspect name INSIDE_OUT tcp and ip inspect name INSIDE_OUT udp, applied with ip inspect INSIDE_OUT out) so CBAC opens the return traffic dynamically, or add explicit permits, and test outbound connectivity from the inside hosts after applying the ACL.

done!
