Cisco 2821 ISR - Public & Private NAT access

Hi there,

I was wondering what the best method of securing the following situation is:

I have a Cisco 2821 ISR - configured as follows:

Gig 0/0 - LAN wire Gig 0/1 - WAN subnets (I have 2 routable subnets) Dot11 - WIFI BVI1 - ties LAN and WIFI together - has local ip - has NAT Dialer1 - ADSL (MLPPP ADSL) ATM0, 1, 3 - 3x ADSL lines

What is happening is that the LAN can ping all outside IP addresses, everything works fine - which I want.

But the WAN can also ping/communicate with all LAN addresses - with are NATed- which I don't want.

I tried to setup the Firewall via SDM, i kinda worked but that was a big mess - ended up having to re-configure from scratch back to original.

Anyone give an example of how to deny the WAN access to the LAN?

Thanks, Jack

Reply to
Jack
Loading thread data ...

This is weird, it looks like the router is just routing the packets regardless if they are local or not (so all internal addresses can route to all external addresses and flipped).

Any ideas why this would happen?

Reply to
Jack

What version and feature set have you?

Please post sh ver and sh run. You will likely need to sanitise the sh run and you can remove the Processor board ID from the sh ver if you are paranoid like me.

sh tech contains a sh run with passwords removed.

sh ver Cisco IOS Software, C870 Software ... (C870-ADVIPSERVICESK9-M), ... Version 12.4(15)T7, RELEASE SOFTWARE (fc3) ... System image file is "flash:c870-advipservicesk9-mz.124-15.T7.bin"

This is Advanced IP Services version 12.4(15)T7

Reply to
bod43

Turns out this fixes it:

I didn't have "ip nat outside" on my other interface.

As long as all interfaces have "ip nat *" the general behind-NAT addresses cant be accessed - but addresses that have internal address (on 1 NIC) and external address (on another NIC) can still be accessed

- since they are all routing off the same gateway - be it an internal or external address.

To fix that up I put in a simple ACL to deny the public traffic to the local traffic:

ip access-list extended NoWANtoLAN deny ip 0.0.0.7 10.9.8.0 0.0.0.255 deny ip 0.0.0.7 10.9.10.0 0.0.0.255 deny ip 0.0.0.15 10.9.10.0 0.0.0.255 deny ip 0.0.0.15 10.9.8.0 0.0.0.255 permit ip any any

then: int Gig0/1 ip access-group NoWANtoLAN in

Now my LAN can access the WAN, and WAN can't access the LAN.

Glad I noticed the "ip nat *" on the other interface - that was key.

Jack Baker NeuStyle Solutions Ltd.

Reply to
Jack

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.