
Another port forward / nat question


ve7eje (Technical User; joined Dec 9, 2005; 5 messages; location CA)
I'm not sure if this is even possible...
Platform Cisco 1605 IOS 12.0(5)T
E0: 192.168.253.148 (inside)
E1: 192.168.1.1 (outside)
I need to be able to forward ports tcp/23 and udp/161 from any source inside to a single host outside (192.168.1.148) and
udp/161 only from the same outside host to any inside host.
The intent here is to restrict traffic between the host on the outside and the inside network to only those 2 protocols. A rudimentary firewall.

I am very new at access lists and looking for some help.

What I have so far is:

Interface Ethernet0
ip address 192.168.253.148 255.255.255.0
ip nat inside
Interface Ethernet1
ip address 192.168.1.1 255.255.255.0
ip nat outside
access-list 100 permit udp any eq snmp host 192.168.1.148
access-list 100 permit tcp any eq telnet host 192.168.1.148
access-list 101 permit udp host 192.168.1.148 eq snmp any

I know I have to apply the ACLs to the interfaces but not quite sure how to do that.

Thanks -Rob-
 
Not sure you need to NAT but that depends if subnets 192.168.1.0 and 192.168.253.0 can talk to each other as they are.

If they can, all you need are access control lists (ACLs) to perform the firewalling you want. On this basis, I would slightly modify your config as follows:
Interface Ethernet0
ip address 192.168.253.148 255.255.255.0
ip access-group 100 in
Interface Ethernet1
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in

access-list 100 permit udp any host 192.168.1.148 eq snmp
access-list 100 permit tcp any host 192.168.1.148 eq telnet
access-list 101 permit udp host 192.168.1.148 any eq snmp
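An added example, not from the thread or either poster: a small Python evaluator for the subset of IOS extended-ACL syntax used above, showing why moving "eq snmp"/"eq telnet" after the destination matters. It is a simplified model of IOS ACL matching (only any/host and eq are handled); the port names and addresses are the thread's own and the test packets are constructed.

```python
# Evaluator for the IOS extended-ACL subset used in this thread:
#   access-list N permit|deny tcp|udp (any|host A) [eq P] (any|host B) [eq P]
# An "eq" right after the source matches the SOURCE port, so the original
# ACL 100 only matches traffic coming FROM port 161/23, never a normal query.
PORT_NAMES = {"snmp": 161, "telnet": 23}
def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def parse_ace(line):
    """Parse one access-list entry into a dict of match fields."""
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError("IOS expects 'access-list', not 'access list'")
    ace = {"list": toks[1], "action": toks[2], "proto": toks[3]}
    i = 4
    for side in ("src", "dst"):
        if toks[i] == "any":
            ace[side], i = None, i + 1          # None = wildcard
        elif toks[i] == "host":
            ace[side], i = toks[i + 1], i + 2
        else:
            raise ValueError("only 'any' and 'host X' are modelled here")
        ace[side + "_port"] = None
        if i < len(toks) and toks[i] == "eq":
            ace[side + "_port"], i = _port(toks[i + 1]), i + 2
    return ace

def matches(ace, pkt):
    """pkt = (proto, src_ip, src_port, dst_ip, dst_port)."""
    proto, sip, sport, dip, dport = pkt
    return (ace["proto"] == proto
            and ace["src"] in (None, sip) and ace["dst"] in (None, dip)
            and ace["src_port"] in (None, sport)
            and ace["dst_port"] in (None, dport))

def evaluate(acl_lines, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if matches(ace, pkt):
            return ace["action"]
    return "deny"

# ACL 100 as first posted and as corrected in the reply above.
ORIGINAL_100 = ["access-list 100 permit udp any eq snmp host 192.168.1.148",
                "access-list 100 permit tcp any eq telnet host 192.168.1.148"]
CORRECTED_100 = ["access-list 100 permit udp any host 192.168.1.148 eq snmp",
                 "access-list 100 permit tcp any host 192.168.1.148 eq telnet"]
# Constructed packet: SNMP query from an inside host, ephemeral source port.
SNMP_QUERY = ("udp", "192.168.253.10", 51234, "192.168.1.148", 161)
```

Running evaluate(ORIGINAL_100, SNMP_QUERY) returns "deny" while the corrected list returns "permit"; the original list only permits datagrams whose source port is 161.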
 
Thanks KiscoKid.
This does help.
The reason for the NAT is I was hoping I could make ports 161 and 23 on the E0 interface of the router transparently appear as their counterparts on the 192.168.1.148 host.
I also now realize that the reverse will also have to specify a host on the inside to forward the packets to, in which case it would be 192.168.253.252.
Can you suggest how to do all this?
Thanks -Rob-
 
I think I understand what you need. Is this what you want:
Interface Ethernet0
ip address 192.168.253.148 255.255.255.0
ip access-group 100 in
ip nat inside
Interface Ethernet1
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
ip nat outside

access-list 100 permit udp any host 192.168.1.148 eq snmp
access-list 100 permit tcp any host 192.168.1.148 eq telnet
access-list 101 permit udp host 192.168.1.148 any eq snmp

ip nat inside source static udp 192.168.253.252 161 interface e1 161

ip nat outside source static udp 192.168.1.148 161 interface e0 161
ip nat outside source static tcp 192.168.1.148 23 interface e0 23

I think this will allow people on 192.168.253.0 to send snmp/telnet to 192.168.253.148, which will be port forwarded to 192.168.1.148. Similarly, people on 192.168.1.0 can send snmp to 192.168.1.1, which will get forwarded to 192.168.253.252.
 
Thanks KiscoKid.
Up to my eyeballs in the proverbial alligators at the moment. I hope to be able to try this out later this week.
-Rob-
 
Just getting back to this now.
KiscoKid, I tried your idea but it didn't work, so I did a bit more digging and found this document.
So now I have...
interface Ethernet0
ip address 192.168.253.148 255.255.255.0
ip nat inside
interface Ethernet1
ip address 192.168.1.242 255.255.255.0
ip nat outside
ip nat inside source static 192.168.253.242 192.168.1.242
ip nat outside source static 192.168.1.148 192.168.253.148

access-lists have been removed for now.

The network looks like this:

SNMP SRVR   192.168.253.242
    ^
    |
    v
RTR E0      192.168.253.148
RTR E1      192.168.1.242
    ^
    |
    v
SNMP AGENT  192.168.1.148

Still no go though.
I would think now that any snmp requests from 253.242 to 253.148 would appear on E1 of the router with 1.242 as the source address. Similarly, the response from 1.148 should appear on E0 with a source IP of 253.148.
I must be missing something somewhere.
-Rob-
 
I'm not sure your NAT will work as you've defined it, as those addresses are already in use on both of the router's interfaces. You should aim to use an unused address for both inside and outside NAT.

Would be worth trying this again but with unused addresses.
 
I still don't follow what you are trying to do.

Is it

a) if people try to telnet to your router you want them to be redirected to another host?

or

b) you are overloading for your clients to NAT out and then need to be able to reach a server inside your LAN?

In case A I don't think you need NAT... maybe a route-map would do the trick. In case B static PAT statements would be needed to reroute the requests to the IP/port.
 
What I am trying to do is create a simple NAT firewall between a managed switch on the outside of my main firewall and my management server on the inside. I have VLANed the switch so that I have a single port management VLAN with the IP 192.168.1.148. For obvious reasons I don't want to connect this port directly to my inside network. The NATed Cisco router is just an extra measure of safety. Once I get the NATting working I intend to lock the router down with access lists to further limit the type of traffic that can cross it.
I want the switch to "appear" as if it is on the inside network hence another reason for the NATting.
 