fnkylinguist
IS-IT--Management
- Aug 24, 2004
- 9
Hello All,
I'm new to Cisco IOS and am just wondering what a few lines mean so that I can possibly tweak our current config.
1.) NAT Why have I specified ip nat outside below? I've assumed that I am translating all of my internal address to my public address however, is it done in the state ip nat outside.
A.) Is there another way to write it that would be more specific so that when I see it, I know exactly what it is doing? for example translate l 192.168.10.1 - 192.168.10.160 to "public address". This way I have control over what Ips are being translated to the public address.
interface FastEthernet0/1
description connected to Internet
ip address x.x.x.x 255.255.255.248
ip access-group extended-outbound out
ip nat outside
speed 100
full-duplex
2.) Again, why am I using "ip nat inside"? Is it translating my "public address" back to my internal address here? If this is the case, should I place an access list on this interface to filter some of the unwanted traffic.
interface FastEthernet0/0
description connected to EthernetLAN
ip address 192.168.10.1 255.255.255.0
ip nat inside
speed 100
full-duplex
3.) I currently have my access list placed on interface 0/1 because it is connected to the Internet, and I have specified a few of the suggested filters that I received from Cisco and other places on the net, however, I now wonder if it is sufficient. There seems to be some errors in the list below.
A.) The deny echo reply doesn't deny echo reply. I am still able to get a response from the interface internally and externally.
B.) What does deny ip host 0.0.0.0 any log deny. What ip address will will enter my network with this information?
C.) The allow specific ports access to the network, can't this section be removed since I already have a section that allows specific ports access to the network because we use PC Anywhere for remote connectivity. I'm assuming that all other ports can be closed off except port 80, 8081 which is used for the Internet, 21 for our FTP traffic and I guess 25 for our Pop Account?
D.) We already have a ports forwarded toip addresses for PC Anywhere, is this sufficient and can I delete the PC Anywhere section?
E.) The permit established connection seems correct, however, I just need to make sure that no other connection should be allowed to enter the router except connection established from within our network. Now that I've mentioned it, I am able to connect to it from anywhere on the net, perhaps this isn't working. What exactly is it doing?
p access-list extended outbound
deny icmp any any
deny icmp any any echo-reply
permit tcp any any eq telnet
deny ip any any
remark The below set the rfc918 private exclusions.
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
remark Deny Testnet
deny ip 192.0.2.0 0.0.0.255 any log
remark Deny packets from localhost, broadcast, and multicast addresses
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 255.0.0.0 0.255.255.255 any log
remark Deny packets without an IP address
deny ip host 0.0.0.0 any log
remark Prevent Spoofing on routers FA Interfaces
remark pPermit specific ICMP for ping / traceroute response
permit icmp any 8.7.1.0 0.0.0.255 net-unreachable
permit icmp any 8.7.1.0 0.0.0.255 echo
permit icmp any 8.7.1.0 0.0.0.255 host-unreachable
permit icmp any 8.7.1.0 0.0.0.255 port-unreachable
permit icmp any 8.7.1.0 0.0.0.255 packet-too-big
permit icmp any 8.7.1.0 0.0.0.255 administratively-prohibited
permit icmp any 8.7.1.0 0.0.0.255 source-quench
permit icmp any 8.7.1.0 0.0.0.255 ttl-exceeded
remark allow specific ports access to network
permit tcp any 8.7.1.0 0.0.0.255 eq www
permit tcp any 8.7.1.0 0.0.0.255 eq 443
permit tcp any 8.7.1.0 0.0.0.255 eq smtp
permit tcp any 8.7.1.0 0.0.0.255 eq pop3
permit tcp any 8.7.1.0 0.0.0.255 eq 143
permit tcp any 8.7.1.0 0.0.0.255 eq ftp-data
permit tcp any 8.7.1.0 0.0.0.255 eq ftp
permit tcp any 8.7.1.0 0.0.0.255 eq nntp
permit tcp any 8.7.1.0 0.0.0.255 eq 8081
permit tcp any 8.7.1.0 0.0.0.255 eq domain
remark permit PCAnywhere
permit tcp any any eq 65301
permit tcp any any eq 22
permit udp any any eq 65301
permit udp any any eq 22
remark Permit Established connections
permit tcp any 8.7.1.0 0.0.0.255 established
remark Permit Internal DNS Out
permit udp any eq domain any
deny ip any any log
deny udp any any
deny 53 any any
deny 55 any any
deny 77 any any
deny pim any any
I'm new to Cisco IOS and am just wondering what a few lines mean so that I can possibly tweak our current config.
1.) NAT Why have I specified ip nat outside below? I've assumed that I am translating all of my internal address to my public address however, is it done in the state ip nat outside.
A.) Is there another way to write it that would be more specific so that when I see it, I know exactly what it is doing? for example translate l 192.168.10.1 - 192.168.10.160 to "public address". This way I have control over what Ips are being translated to the public address.
interface FastEthernet0/1
description connected to Internet
ip address x.x.x.x 255.255.255.248
ip access-group extended-outbound out
ip nat outside
speed 100
full-duplex
2.) Again, why am I using "ip nat inside"? Is it translating my "public address" back to my internal address here? If this is the case, should I place an access list on this interface to filter some of the unwanted traffic.
interface FastEthernet0/0
description connected to EthernetLAN
ip address 192.168.10.1 255.255.255.0
ip nat inside
speed 100
full-duplex
3.) I currently have my access list placed on interface 0/1 because it is connected to the Internet, and I have specified a few of the suggested filters that I received from Cisco and other places on the net, however, I now wonder if it is sufficient. There seems to be some errors in the list below.
A.) The deny echo reply doesn't deny echo reply. I am still able to get a response from the interface internally and externally.
B.) What does deny ip host 0.0.0.0 any log deny. What ip address will will enter my network with this information?
C.) The allow specific ports access to the network, can't this section be removed since I already have a section that allows specific ports access to the network because we use PC Anywhere for remote connectivity. I'm assuming that all other ports can be closed off except port 80, 8081 which is used for the Internet, 21 for our FTP traffic and I guess 25 for our Pop Account?
D.) We already have a ports forwarded toip addresses for PC Anywhere, is this sufficient and can I delete the PC Anywhere section?
E.) The permit established connection seems correct, however, I just need to make sure that no other connection should be allowed to enter the router except connection established from within our network. Now that I've mentioned it, I am able to connect to it from anywhere on the net, perhaps this isn't working. What exactly is it doing?
p access-list extended outbound
deny icmp any any
deny icmp any any echo-reply
permit tcp any any eq telnet
deny ip any any
remark The below set the rfc918 private exclusions.
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
remark Deny Testnet
deny ip 192.0.2.0 0.0.0.255 any log
remark Deny packets from localhost, broadcast, and multicast addresses
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 255.0.0.0 0.255.255.255 any log
remark Deny packets without an IP address
deny ip host 0.0.0.0 any log
remark Prevent Spoofing on routers FA Interfaces
remark pPermit specific ICMP for ping / traceroute response
permit icmp any 8.7.1.0 0.0.0.255 net-unreachable
permit icmp any 8.7.1.0 0.0.0.255 echo
permit icmp any 8.7.1.0 0.0.0.255 host-unreachable
permit icmp any 8.7.1.0 0.0.0.255 port-unreachable
permit icmp any 8.7.1.0 0.0.0.255 packet-too-big
permit icmp any 8.7.1.0 0.0.0.255 administratively-prohibited
permit icmp any 8.7.1.0 0.0.0.255 source-quench
permit icmp any 8.7.1.0 0.0.0.255 ttl-exceeded
remark allow specific ports access to network
permit tcp any 8.7.1.0 0.0.0.255 eq www
permit tcp any 8.7.1.0 0.0.0.255 eq 443
permit tcp any 8.7.1.0 0.0.0.255 eq smtp
permit tcp any 8.7.1.0 0.0.0.255 eq pop3
permit tcp any 8.7.1.0 0.0.0.255 eq 143
permit tcp any 8.7.1.0 0.0.0.255 eq ftp-data
permit tcp any 8.7.1.0 0.0.0.255 eq ftp
permit tcp any 8.7.1.0 0.0.0.255 eq nntp
permit tcp any 8.7.1.0 0.0.0.255 eq 8081
permit tcp any 8.7.1.0 0.0.0.255 eq domain
remark permit PCAnywhere
permit tcp any any eq 65301
permit tcp any any eq 22
permit udp any any eq 65301
permit udp any any eq 22
remark Permit Established connections
permit tcp any 8.7.1.0 0.0.0.255 established
remark Permit Internal DNS Out
permit udp any eq domain any
deny ip any any log
deny udp any any
deny 53 any any
deny 55 any any
deny 77 any any
deny pim any any