
Need just one NAT line checked here, please 1


GeneralDzur (Technical User)
I'm in the process of locking down our router more, and I want to lock down all the ports below 1023 (the ports that NAT use). Is this the correct command for closing off all ports except for 1023 and above? (to allow NAT to continue)

access-list 105 permit tcp any gt 1023 [router public IP] gt 1023

any help would be great

- stephan
 
You need to specify a port range; I don't think gt will do. Usually eq is the syntax, followed by a port range, e.g. 1023-65353. Don't forget to do one for UDP as well, and what about all your ports below 1023? Have you done access lists that allow the ones you need (25, 80, etc.)?

best of luck WGM
 
From your acl, I'm not clear on what you're trying to do. Since you have a router and an internet connection, don't you want users to surf the web and send e-mail? There aren't a lot of internet services using ports above 1023. Web (incl. https), mail, ftp will all be blocked this way.

I suspect that you want to permit inbound traffic with a source < 1024 and a destination > 1023. Also, you might want to simplify things with the "established" keyword.

watchguardmonkey may be right, unless your intent is to block all UDP, ICMP and everything else not permitted by your above ACL. Remember that *anything* not explicitly permitted by an access-list is denied.
 


1) Would you mind explaining "established" to me, because I don't understand what it does, specifically.

2) We are using NAT, which is why I want to allow ports coming in above 1023

3) I have the other ports I want open (80, 8080, etc) later in the ACL. Right now I just need advice on setting up NAT to allow its returning connections

- stephan
 
"We are using NAT" isn't really related. NAT doesn't use ports differently than non-NAT access, except that it does change them.

When your internal user connects to a web site, the connection is outbound a high port to port 80. No problem there. However, the reply from the web server is from port 80 to the original high port.

You need to allow traffic in that is destined to the high ports FROM PORT 80. Your acl allows traffic from > 1023 to > 1023, which will block web access for your users. Unless this is later in your acl, you need this:

access-list 105 permit tcp any eq 80 [router public IP] gt 1023
... and repeat for any public services which internal users should be able to access, like 443, 25, 20&21, etc.

Now, the "established" keyword allows for stateful inspection. Instead of simply opening the port, it checks to see that the inbound traffic is in reply to an outbound request.
 

Thanks lgarner - that was really helpful. I've been trying to track down an explanation forever.

Much appreciation

- stephan
 
Having problems... when I apply the ACL inbound, it blocks mostly everything. Here's a copy & paste of it. I can't figure out which port I'm not allowing.


begin
--------------------
Extended IP access list 102
deny ip 207.218.245.0 0.0.0.255 any
deny ip 206.154.105.0 0.0.0.255 any
deny ip 206.154.102.0 0.0.0.255 any
deny ip 208.240.240.0 0.0.0.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny udp any any range 135 netbios-ss
deny tcp any any range 135 139
deny tcp any any eq 554
deny tcp any any eq 6346
deny tcp any any range 8000 8001
deny tcp any any eq telnet
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny icmp any any
permit tcp any eq 8080 host 81.31.197.161 gt 1023 established
permit tcp any eq xx.xx.197.161 gt 1023 established
permit tcp any eq 995 host xx.xx.197.161 gt 1023 established (7 matches)
permit tcp any eq 443 host xx.xx.197.161 gt 1023 established (8 matches)
permit udp any eq domain host xx.xx.197.161 gt 1023 (36 matches)
permit tcp any eq pop3 host xx.xx.197.161 gt 1023 established
permit tcp any eq 3128 host xx.xx.197.161 gt 1023 established (5 matches)
permit tcp any eq smtp host xx.xx.197.161 gt 1023 established (1 match)
permit tcp any eq ftp host xx.xx.197.161 gt 1023 established (6 matches)
permit tcp any eq ftp-data host xx.xx.197.161 gt 1023 established
deny ip any any (106 matches)
 
Here's the debug log. It's blocking connections from port 80!? I don't understand, because the ACL explicitly says to let connections originating on port 80 through.

Need some help here

5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 65.54.152.120(80) -> xx.xx.197.162(1860), 1 packet
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 64.4.61.250(80) -> xx.xx.197.162(1865), 1 packet
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 216.155.193.132(23) -> xx.xx.197.162(3297), 1 packet
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 68.33.62.186(3993) -> xx.xx.197.162(3298), 1 packet
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 213.248.112.115(80) -> xx.xx.197.162(3361), 1 packet
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 216.109.127.17(80) -> xx.xx.197.162(2478), 1 packet
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 207.46.4.85(1863) -> xx.xx.197.162(2451), 1 packet
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 213.254.245.30(80) -> xx.xx.197.162(1874), 1 packet
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 65.54.195.188(80) -> xx.xx.197.162(2480), 1 packet
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 205.188.248.168(5190) -> xx.xx.197.162(1544), 1 packet
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 65.54.194.118(80) -> xx.xx.197.162(1858), 2 packets
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 207.68.177.124(80) -> xx.xx.197.162(1861), 1 packet
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 209.202.240.100(80) -> xx.xx.197.162(1246), 3 packets
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 213.200.97.62(80) -> xx.xx.197.162(1075), 3 packets
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 216.155.193.132(23) -> xx.xx.197.162(3297), 2 packets
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 213.248.112.115(80) -> xx.xx.197.162(1872), 5 packets
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 65.54.195.188(80) -> xx.xx.197.162(2480), 4 packets
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 207.46.4.85(1863) -> xx.xx.197.162(2451), 10 packets
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 160.138.85.149(80) -> xx.xx.197.162(2830), 1 packet
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 199.181.132.250(80) -> xx.xx.197.162(1826), 4 packets
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied udp 81.217.32.50(52467) -> xx.xx.197.162(50020), 1 packet
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 207.68.179.219(80) -> xx.xx.197.162(2481), 2 packets
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 216.45.19.33(80) -> xx.xx.197.162(2607), 1 packet
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied udp 84.252.56.132(51754) -> xx.xx.197.162(50020), 1 packet
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied udp 85.64.181.243(1928) -> xx.xx.197.162(50020), 1 packet
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 213.248.112.114(80) -> xx.xx.197.162(1640), 4 packets
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 213.248.112.114(80) -> xx.xx.197.162(1028), 4 packets
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 207.68.179.219(80) -> xx.xx.197.162(2481), 1 packet
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 216.155.193.145(23) -> xx.xx.197.162(3377), 1 packet
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 207.46.0.64(1863) -> xx.xx.197.162(1833), 1 packet
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied udp 141.211.207.122(2126) -> xx.xx.197.162(50020), 1 packet
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied udp 81.13.134.104(46970) -> xx.xx.197.162(50020), 1 packet
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 213.254.245.30(80) -> xx.xx.197.162(1874), 1 packet
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 199.181.132.244(80) -> xx.xx.197.162(1840), 1 packet
5d22h: %SEC-6-IPACCESSLOGP: list 102 denied tcp 216.109.127.60(80) -> xx.xx.197.162(1660), 1 packet
 
Your ACL permits "tcp any eq xx.xx.197.161 gt 1023 established", but your log shows that you're blocking traffic to xx.xx.197.162. It looks like your NAT address is .162, not .161.
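An added example, not code from the thread: a small Python model of how IOS walks an extended ACL top to bottom, run over packets shaped like the denied log lines above. It shows both points made in the thread: a return-traffic line written for host .161 never matches replies NATed to .162, and "established" only admits segments with ACK (or RST) set. The addresses 192.0.2.161/.162 are constructed stand-ins for the redacted xx.xx.197.161/.162.

```python
import ipaddress

NAMED_PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
               "domain": 53, "www": 80, "pop3": 110}  # IOS port keywords

def _addr(toks):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return an ip_network."""
    t = toks.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(toks.pop(0))
    return ipaddress.ip_network((t, toks.pop(0)))  # IOS wildcard == hostmask

def _ports(toks):
    """Consume an optional eq/gt port clause; return a predicate on a port."""
    if toks and toks[0] in ("eq", "gt"):
        op, v = toks[0], NAMED_PORTS.get(toks[1]) or int(toks[1])
        del toks[:2]
        return (lambda p: p == v) if op == "eq" else (lambda p: p > v)
    return lambda p: True

def parse_rule(line):
    """'permit tcp any eq 80 host A gt 1023 established' -> rule tuple."""
    toks = line.split()
    action, proto, toks = toks[0], toks[1], toks[2:]
    src, sp = _addr(toks), _ports(toks)
    dst, dp = _addr(toks), _ports(toks)
    return action, proto, src, sp, dst, dp, "established" in toks

def evaluate(rules, pkt):
    """First matching rule wins; nothing matched means the implicit deny."""
    proto, sip, sport, dip, dport, ack = pkt
    for action, rproto, src, sp, dst, dp, est in rules:
        if (rproto in ("ip", proto) and ipaddress.ip_address(sip) in src
                and sp(sport) and ipaddress.ip_address(dip) in dst
                and dp(dport) and (ack or not est)):  # established = ACK/RST set
            return action
    return "deny"

# Constructed sample (192.0.2.161 stands in for the redacted xx.xx.197.161):
POSTED = [parse_rule(l) for l in (
    "deny ip 10.0.0.0 0.255.255.255 any",
    "deny tcp any any eq telnet",
    "permit tcp any eq 80 host 192.0.2.161 gt 1023 established")]
# The thread's fix: the NAT address is .162, so the return-traffic rule must name it.
FIXED = POSTED + [parse_rule("permit tcp any eq 80 host 192.0.2.162 gt 1023 established")]
# Packets shaped like the log lines: (proto, src, sport, dst, dport, ACK set?)
WEB_REPLY = ("tcp", "65.54.152.120", 80, "192.0.2.162", 1860, True)
UNSOLICITED = ("tcp", "65.54.152.120", 80, "192.0.2.162", 1860, False)
```

`evaluate(POSTED, WEB_REPLY)` returns "deny" exactly as the log shows, while `evaluate(FIXED, WEB_REPLY)` returns "permit" and the ACK-less `UNSOLICITED` packet from port 80 is still denied.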
 
ARGH...(bangs head on desk).

Thanks that fixed it. Man I'm a retard.

- stephan the careless ACL builder
 