
Thursday, 6 August 2009

NAT with VLANs, ACLs and PAT & Passive FTP

Another day, another blog post... oh wait, that's not right... doing too many blog posts this week.


Ok here is the setup for you;

You have been asked to set up two servers in a DMZ of sorts: one HTTP server and one FTP server. However, they must be in two separate VLANs and the router must stop communication between them.

Here is the lab:




Start by setting up the VLAN subinterfaces on FA0/0:
VLAN 200:

!
interface FastEthernet0.200
encapsulation dot1Q 200
ip address 192.168.1.1 255.255.255.0
ip nat inside
!

VLAN 300:

!
interface FastEthernet0.300
encapsulation dot1Q 300
ip address 172.16.0.1 255.255.255.252
ip nat inside
!

/*********************************************************************/
Next, define the traffic that will be NAT'ed for each VLAN:
VLAN 200:

access-list 1 permit 192.168.1.0 0.0.0.255

VLAN 300:

access-list 105 permit ip 172.16.0.0 0.0.0.3 any

/*********************************************************************/
The NAT rules:
VLAN 200:

ip nat inside source list 1 interface Dialer1 overload

VLAN 300:

ip nat inside source list 105 interface Dialer1 overload

/*********************************************************************/
Finally, on the Dialer1 interface, mark it as the NAT outside:

interface Dialer1
ip nat outside


/*********************************************************************/
Now an ACL to prevent inter-VLAN traffic:

interface FastEthernet0.300
encapsulation dot1Q 300
ip address 172.16.0.1 255.255.255.252
ip access-group FTP_IN in
!
!
ip access-list extended FTP_IN
deny ip any 192.168.1.0 0.0.0.255
permit ip any any


I could configure a similar one on fa0/0.200, but consider that homework :)





Now on to what the rest of the world calls "port forwarding" but Cisco calls "inside local to outside global PAT".

This bit is in two sections: HTTP and FTP.

First, HTTP PAT.

1) Allow remote users to connect to your firewall/router on ports 80 and 443:

access-list 101 remark SSL Web access to forum
access-list 101 permit tcp any any eq 443
access-list 101 remark Web access to forum
access-list 101 permit tcp any any eq www


2) Set up PAT/port forwarding:

ip nat inside source static tcp 192.168.1.151 443 interface Dialer1 443
ip nat inside source static tcp 192.168.1.151 80 interface Dialer1 80



Done (for HTTP).
/*********************************************************************/
Now FTP:

1) Allow remote users to connect to your firewall/router on ports 21 and 20:

access-list 101 remark FTP_IN
access-list 101 permit tcp any host 207.46.197.32 eq ftp log
access-list 101 remark FTP_IN_ACTIVE
access-list 101 permit tcp any host 207.46.197.32 eq ftp-data


2) Set up PAT/port forwarding:

ip nat inside source static tcp 172.16.0.2 20 207.46.197.32 20 extendable
ip nat inside source static tcp 172.16.0.2 21 207.46.197.32 21 extendable


3) Set up an inspect policy for the incoming FTP traffic (this is what tracks the passive data channel):

ip inspect name OUTSIDE_IN ftp


4) Add the inspect policy inbound on Dialer1:

ip inspect OUTSIDE_IN in
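To see why the static rules for ports 20 and 21 are not enough for passive FTP, here is an added example (not Cisco code, just a model of the work the inspection engine has to do). A PASV reply on the control channel carries the server's inside local address and a high port; the engine must rewrite the address to the outside global from the static mapping and open a temporary pinhole for that port on the outside interface. The address mapping is taken from the page's static NAT entries; the PASV reply is constructed.

```python
"""Model of the FTP inspection work for passive mode behind static PAT (added example)."""
import re
from typing import Optional, Tuple

# inside local -> outside global, taken from the page's static NAT entries
STATIC_NAT = {"172.16.0.2": "207.46.197.32"}

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; data port = p1*256 + p2
PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) announced in a 227 reply, or None if it is not a PASV reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    nums = list(map(int, m.groups()))
    if any(n > 255 for n in nums):
        raise ValueError(f"malformed PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def translate_pasv(reply: str, server_inside_ip: str):
    """Rewrite a server's PASV reply as the outside world must see it.

    Returns (reply_to_forward, pinhole); pinhole is ("tcp", outside_ip, port) or None.
    The announced address is honoured only if it is the address the control
    connection is actually with (server_inside_ip), it has a static mapping, and
    the port is not a well-known one. Anything else is forwarded untouched with no
    pinhole, so a stray address inside a reply cannot open a hole elsewhere.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return reply, None
    host, port = parsed
    if host != server_inside_ip or host not in STATIC_NAT or port < 1024:
        return reply, None
    outside = STATIC_NAT[host]
    new_reply = (f"227 Entering Passive Mode ({outside.replace('.', ',')},"
                 f"{port // 256},{port % 256})\r\n")
    return new_reply, ("tcp", outside, port)


if __name__ == "__main__":
    # constructed control-channel reply from the page's FTP server (172.16.0.2)
    reply = "227 Entering Passive Mode (172,16,0,2,195,80)\r\n"
    forwarded, pinhole = translate_pasv(reply, "172.16.0.2")
    print(forwarded.strip())  # address rewritten to 207,46,197,32, port 195*256+80 = 50000
    print(pinhole)            # ('tcp', '207.46.197.32', 50000)
```

Without this step the client would be told to connect to 172.16.0.2:50000, which is neither reachable nor permitted by ACL 101, so the data channel never opens even though the control channel on port 21 works.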


/*********************************************************************/


Finally:

Add ACL 101 inbound on Dialer1:

ip access-group 101 in
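Before pushing ACLs like FTP_IN and 101 to a router, it is worth checking on paper that they permit and deny what was intended. Here is an added example (not Cisco code, and not on the original page) that evaluates the ACL lines exactly as written above against a few constructed flows, using IOS semantics: first match wins, wildcard masks are inverse masks, and every ACL ends with an implicit deny. The outside hosts 203.0.113.10 and 198.51.100.7 are constructed documentation addresses; the parser only understands the syntax the post uses (standard and extended entries, `any`, `host`, wildcard masks, `eq <port>`).

```python
"""Offline evaluator for the IOS ACLs on this page (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port names IOS accepts in 'eq' clauses; those used on the page plus a few common ones.
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23, "smtp": 25, "domain": 53}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


@dataclass
class Flow:
    proto: str                    # "tcp", "udp", "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def port_number(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_addr(toks, i):
    """Parse one IOS address spec at toks[i]; return (matcher, index after it)."""
    if toks[i] == "any":
        return (lambda ip: True), i + 1
    if toks[i] == "host":
        target = ipaddress.ip_address(toks[i + 1])
        return (lambda ip: ip == target), i + 2
    # "<network> <wildcard>": a wildcard bit of 1 means "don't care" (inverse of a subnet mask)
    net = int(ipaddress.ip_address(toks[i]))
    care = ~int(ipaddress.ip_address(toks[i + 1])) & 0xFFFFFFFF
    return (lambda ip: (int(ip) & care) == (net & care)), i + 2


def parse_entry(line: str):
    """Return (permit, proto, src, sport, dst, dport), or None for remark lines."""
    toks = line.split()
    if toks[0] == "access-list":            # numbered ACL: drop "access-list <n>"
        toks = toks[2:]
    if not toks or toks[0] == "remark":
        return None
    permit = toks[0] == "permit"
    if toks[1] not in PROTOCOLS:            # standard ACL: source only, any protocol
        src, _ = parse_addr(toks, 1)
        return permit, "ip", src, None, (lambda ip: True), None
    proto, i = toks[1], 2
    src, i = parse_addr(toks, i)
    sport = None
    if i < len(toks) and toks[i] == "eq":   # source port (not used on this page)
        sport, i = port_number(toks[i + 1]), i + 2
    dst, i = parse_addr(toks, i)
    dport = None
    if i < len(toks) and toks[i] == "eq":
        dport, i = port_number(toks[i + 1]), i + 2
    return permit, proto, src, sport, dst, dport   # trailing 'log' does not affect matching


def parse_acl(lines):
    return [e for e in (parse_entry(l) for l in lines) if e is not None]


def evaluate(acl, flow: Flow) -> str:
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    s_ip, d_ip = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for permit, proto, src, sport, dst, dport in acl:
        if proto != "ip" and proto != flow.proto:
            continue
        if not (src(s_ip) and dst(d_ip)):
            continue
        if sport is not None and sport != flow.sport:
            continue
        if dport is not None and dport != flow.dport:
            continue
        return "permit" if permit else "deny"
    return "deny"


# The ACLs exactly as the post gives them.
FTP_IN = parse_acl(["deny ip any 192.168.1.0 0.0.0.255", "permit ip any any"])
ACL_101 = parse_acl([
    "access-list 101 remark SSL Web access to forum",
    "access-list 101 permit tcp any any eq 443",
    "access-list 101 remark Web access to forum",
    "access-list 101 permit tcp any any eq www",
    "access-list 101 remark FTP_IN",
    "access-list 101 permit tcp any host 207.46.197.32 eq ftp log",
    "access-list 101 remark FTP_IN_ACTIVE",
    "access-list 101 permit tcp any host 207.46.197.32 eq ftp-data",
])
NAT_300 = parse_acl(["access-list 105 permit ip 172.16.0.0 0.0.0.3 any"])  # the /30 wildcard

if __name__ == "__main__":
    outside = "203.0.113.10"   # constructed internet host
    checks = [
        ("FTP server -> HTTP server, blocked by FTP_IN", FTP_IN, Flow("tcp", "172.16.0.2", "192.168.1.151", dport=80)),
        ("FTP server -> internet, allowed by FTP_IN", FTP_IN, Flow("tcp", "172.16.0.2", outside, dport=80)),
        ("HTTP server -> FTP server, not covered by FTP_IN (the homework ACL)", FTP_IN, Flow("tcp", "192.168.1.151", "172.16.0.2", dport=21)),
        ("internet -> outside address :21", ACL_101, Flow("tcp", outside, "207.46.197.32", dport=21)),
        ("internet -> outside address :22, implicit deny", ACL_101, Flow("tcp", outside, "207.46.197.32", dport=22)),
    ]
    for label, acl, flow in checks:
        print(f"{evaluate(acl, flow):6} {label}")
```

The third check is the point of the homework remark above: FTP_IN only filters what enters fa0/0.300, so traffic from the HTTP VLAN towards the FTP server is not stopped until a matching ACL is applied on fa0/0.200.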




Notes:
Replace 207.46.197.32 with your IP.
Inspect requires an IOS with the Firewall feature set (K9 normally).

done!