Tuesday, April 26, 2011

Fun with NATs and ACLs (Firewalls)

Network Setup for NATs and ACLs

NAT configuration on RT1 so that PC1 can remotely access PC2 (192.168.1.2) via the NAT IP 172.16.1.3:
RT1(config)#ip nat inside source static 192.168.1.2 172.16.1.3

NAT configuration on RT2 so that PC2 can remotely access PC1 (172.16.1.2) via the NAT IP 192.168.1.3 (TCP port 23 only):
RT2(config)#ip nat inside source static tcp 172.16.1.2 23 192.168.1.3 23

Extended IP access list configuration on RT1 and RT2 for PC1 to remotely access (Telnet) PC2:
PC1 to PC2:
RT1(config)#access-list 101 permit tcp host 172.16.1.2 host 172.16.1.3 eq 23
RT2(config)#access-list 103 permit tcp host 172.16.1.2 host 192.168.1.2 eq 23

PC2 back to PC1:
RT2(config)#access-list 104 permit tcp host 192.168.1.2 eq 23 host 192.168.1.3
RT1(config)#access-list 102 permit tcp host 192.168.1.2 eq 23 host 172.16.1.2

Extended IP access list configuration on RT1 and RT2 for PC2 to remotely access (Telnet) PC1:
PC2 to PC1:
RT2(config)#access-list 104 permit tcp host 192.168.1.2 host 192.168.1.3 eq 23
RT1(config)#access-list 102 permit tcp host 192.168.1.2 host 172.16.1.2 eq 23

PC1 back to PC2:
RT1(config)#access-list 101 permit tcp host 172.16.1.2 eq 23 host 172.16.1.3
RT2(config)#access-list 103 permit tcp host 172.16.1.2 eq 23 host 192.168.1.2

The following shows the NAT operations on RT1 and RT2 and the ACL hit counts when PC1 accesses PC2:
RT1#debug ip nat
IP NAT debugging is on
RT1#
00:02:30: NAT: s=172.16.1.2, d=172.16.1.3->192.168.1.2 [14748]
00:02:32: NAT: s=172.16.1.2, d=172.16.1.3->192.168.1.2 [14748]
00:02:36: NAT: s=172.16.1.2, d=172.16.1.3->192.168.1.2 [14748]
00:02:38: NAT*: s=192.168.1.2->172.16.1.3, d=172.16.1.2 [19343]
00:02:38: NAT*: s=172.16.1.2, d=172.16.1.3->192.168.1.2 [14749]
00:02:38: NAT*: s=172.16.1.2, d=172.16.1.3->192.168.1.2 [14750]
--- output omitted ---
RT1#
RT1#sh access-list
Extended IP access list 101
    10 permit tcp host 172.16.1.2 host 172.16.1.3 eq telnet (28 matches)
    20 permit tcp host 172.16.1.2 eq telnet host 172.16.1.3
Extended IP access list 102
    10 permit tcp host 192.168.1.2 eq telnet host 172.16.1.2 (14 matches)
    20 permit tcp host 192.168.1.2 host 172.16.1.2 eq telnet
RT1#
RT1#sh ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
  FastEthernet0/0
Inside interfaces:
  FastEthernet1/0
Hits: 36  Misses: 0
Expired translations: 0
Dynamic mappings:
RT1#
----------------------------------------------------------------------
RT2#
00:02:31: NAT: s=172.16.1.2->192.168.1.3, d=192.168.1.2 [14748]
00:02:37: NAT*: s=192.168.1.2, d=192.168.1.3->172.16.1.2 [19343]
00:02:37: NAT*: s=172.16.1.2->192.168.1.3, d=192.168.1.2 [14749]
--- output omitted ---
RT2#sh access-list
Extended IP access list 103
    10 permit tcp host 172.16.1.2 host 192.168.1.2 eq telnet (25 matches)
    20 permit tcp host 172.16.1.2 eq telnet host 192.168.1.2
Extended IP access list 104
    10 permit tcp host 192.168.1.2 eq telnet host 192.168.1.3 (14 matches)
    20 permit tcp host 192.168.1.2 host 192.168.1.3 eq telnet
RT2#
----------------------------------------------------------------------
PC1#telnet 172.16.1.3
Trying 172.16.1.3 ... Open


User Access Verification

Password:
PC2>who
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:56
* 66 vty 0                idle                 00:00:00 192.168.1.3

  Interface    User               Mode         Idle     Peer Address

PC2>

The following shows the NAT operations on RT2 and RT1 and the ACL hit counts when PC2 accesses PC1:
RT2#debug ip nat
IP NAT debugging is on
RT2#
00:04:42: NAT: s=192.168.1.2, d=192.168.1.3->172.16.1.2 [50878]
00:04:42: NAT*: s=172.16.1.2->192.168.1.3, d=192.168.1.2 [2634]
00:04:42: NAT*: s=192.168.1.2, d=192.168.1.3->172.16.1.2 [50879]
00:04:42: NAT*: s=192.168.1.2, d=192.168.1.3->172.16.1.2 [50880]
--- output omitted ---
RT2#
RT2#sh access-list
Extended IP access list 103
    10 permit tcp host 172.16.1.2 host 192.168.1.2 eq telnet
    20 permit tcp host 172.16.1.2 eq telnet host 192.168.1.2 (17 matches)
Extended IP access list 104
    10 permit tcp host 192.168.1.2 eq telnet host 192.168.1.3
    20 permit tcp host 192.168.1.2 host 192.168.1.3 eq telnet (25 matches)
RT2#
RT2#sh ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
  FastEthernet0/0
Inside interfaces:
  FastEthernet1/0
Hits: 40  Misses: 0
Expired translations: 0
Dynamic mappings:
RT2#
----------------------------------------------------------------------
RT1#
00:04:43: NAT: s=192.168.1.2->172.16.1.3, d=172.16.1.2 [50878]
00:04:43: NAT*: s=172.16.1.2, d=172.16.1.3->192.168.1.2 [2634]
00:04:43: NAT*: s=192.168.1.2->172.16.1.3, d=172.16.1.2 [50879]
00:04:43: NAT*: s=172.16.1.2, d=172.16.1.3->192.168.1.2 [2635]
--- output omitted ---
RT1#sh access-list
Extended IP access list 101
    10 permit tcp host 172.16.1.2 host 172.16.1.3 eq telnet
    20 permit tcp host 172.16.1.2 eq telnet host 172.16.1.3 (17 matches)
Extended IP access list 102
    10 permit tcp host 192.168.1.2 eq telnet host 172.16.1.2
    20 permit tcp host 192.168.1.2 host 172.16.1.2 eq telnet (25 matches)
RT1#
----------------------------------------------------------------------
PC2#telnet 192.168.1.3
Trying 192.168.1.3 ... Open


User Access Verification

Password:
PC1>
PC1>who
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:35
* 66 vty 0                idle                 00:00:00 172.16.1.3

  Interface    User               Mode         Idle     Peer Address

PC1>
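To make the ACL/NAT ordering behind these hit counts visible, here is an added Python model (not part of the original post) of RT1's static mapping and ACLs 101/102: an inbound ACL is evaluated before NAT, so ACL 101 sees PC1's packets with the still-untranslated global destination 172.16.1.3, while ACL 102 sees PC2's replies with the untranslated local source 192.168.1.2, which is exactly the pattern in the show access-list output above. The post does not say where the ACLs are applied; the model assumes 101 inbound on RT1's outside interface FastEthernet0/0 and 102 inbound on its inside interface FastEthernet1/0, and the client source ports are constructed.

```python
from collections import namedtuple

TELNET = 23
Pkt = namedtuple("Pkt", "src sport dst dport")

# RT1: ip nat inside source static 192.168.1.2 172.16.1.3 (inside local -> inside global)
LOCAL_TO_GLOBAL = {"192.168.1.2": "172.16.1.3"}
GLOBAL_TO_LOCAL = {g: l for l, g in LOCAL_TO_GLOBAL.items()}

# ACEs as (seq, src host, src port or None for any, dst host, dst port or None for any),
# copied from RT1's show access-list output.
ACL_101 = [(10, "172.16.1.2", None, "172.16.1.3", TELNET),
           (20, "172.16.1.2", TELNET, "172.16.1.3", None)]
ACL_102 = [(10, "192.168.1.2", TELNET, "172.16.1.2", None),
           (20, "192.168.1.2", None, "172.16.1.2", TELNET)]

def match_acl(acl, pkt):
    """Sequence number of the first permitting ACE, or None for the implicit deny."""
    for seq, src, sport, dst, dport in acl:
        if (pkt.src == src and pkt.dst == dst
                and sport in (None, pkt.sport) and dport in (None, pkt.dport)):
            return seq
    return None

def outside_to_inside(pkt):
    """Inbound on Fa0/0 (outside; assumed to carry ACL 101): the ACL is checked
    first and sees the global destination, then NAT rewrites it to the local one."""
    seq = match_acl(ACL_101, pkt)
    if seq is None:
        return None, None  # implicit deny: the packet never reaches NAT
    return seq, Pkt(pkt.src, pkt.sport, GLOBAL_TO_LOCAL.get(pkt.dst, pkt.dst), pkt.dport)

def inside_to_outside(pkt):
    """Inbound on Fa1/0 (inside; assumed to carry ACL 102): the ACL sees the
    untranslated local source, then NAT rewrites it to the global address."""
    seq = match_acl(ACL_102, pkt)
    if seq is None:
        return None, None
    return seq, Pkt(LOCAL_TO_GLOBAL.get(pkt.src, pkt.src), pkt.sport, pkt.dst, pkt.dport)

def telnet_session(client, server_global, client_port):
    """Walk one constructed Telnet SYN and its reply through RT1; returns the
    ACE sequence numbers hit on the way in (ACL 101) and on the way back (ACL 102)."""
    seq_in, inner = outside_to_inside(Pkt(client, client_port, server_global, TELNET))
    if inner is None:
        return seq_in, None
    seq_back, _ = inside_to_outside(Pkt(inner.dst, inner.dport, inner.src, inner.sport))
    return seq_in, seq_back
```

Running telnet_session("172.16.1.2", "172.16.1.3", 11000) returns (10, 10), the two ACEs that accumulated matches when PC1 accessed PC2; a PC1 probe to 172.16.1.3 on any port other than 23 is dropped by ACL 101 before the static translation is ever consulted.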
