Forum Discussion
xeltros
Jan 22, 2014 (Apprentice)
Cisco firewall before RN104.
Hi guys, I know this forum is for ReadyNAS, but I struggle configuring Cisco NAT to provide external access to my ReadyNAS. I was wondering if someone could be of some help here. I bought a cheap s...
xeltros
Feb 05, 2014 (Apprentice)
You assume right. NAT only (and VLANs, to be able to manage the switched interfaces up to layer 3).
Layer 7 means application-layer filtering. I think Cisco can differentiate SSH from HTTP no matter the TCP port used, so it's more than layer 4. That said, it is limited to some protocols and is nowhere near what Check Point can do, but I think it will be better than iptables anyway. What you mean by "it's not layer 7" is that it only reads headers and does not test the entire instructions of the packet?
You seem to know your stuff, so I think you should be able to read the conf directly (with a few modifications to usernames/passwords, of course ;) ).
Building configuration...
Current configuration : 1568 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname kerberos
!
boot-start-marker
boot-end-marker
!
enable secret 5 EnableSecret
!
aaa new-model
!
!
!
!
aaa session-id common
!
!
ip cef
!
!
!
!
no ip domain lookup
ip domain name kerberos.mydomain.com
!
multilink bundle-name authenticated
!
!
!
username SSHUser secret 5 SSH-User-Password
!
!
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet0
 ip address 192.168.0.10 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 description VM
 switchport access vlan 10
!
interface FastEthernet2
 switchport access vlan 172
!
interface FastEthernet3
!
interface FastEthernet4
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 10.0.0.254 255.255.255.0
!
interface Vlan172
 ip address 172.16.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
no ip http server
no ip http secure-server
ip nat translation timeout 30
ip nat translation tcp-timeout 30
ip nat translation udp-timeout 30
ip nat translation icmp-timeout 30
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 172.16.0.200 443 192.168.0.10 60443 extendable
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 transport input ssh
!
end
As you can see there is no ACL, and when going directly to the 172.16.0.0/24 network I can access the NAS via HTTPS, so no connectivity problem. Just the NAT/PAT not working, I think. This is probably something I totally forgot, but as I said I'm a bit rusty with Cisco.
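The following is an added example, not code from the thread or from NETGEAR: a small Python linter for the NAT-related lines of a Cisco IOS configuration, run over an abridged copy of the config posted above. The checks it performs are ones a practitioner would make before digging further (both NAT sides marked, every access-list referenced by a dynamic NAT rule actually defined, each static port forward's inside host sitting on an `ip nat inside` subnet, and default routes that name an interface rather than a next-hop address). On the posted config it flags that the `overload` rule references access-list 1, which is not defined, and that one default route points at FastEthernet0 with no next hop; both are visible in the config itself. The `CORRECTED_CONFIG` variant is an assumption constructed for the example to show the linter going quiet; the thread does not establish that either finding is the reason the port forward fails.

```python
"""Lint a Cisco IOS running-config for NAT/PAT consistency.

Added example (not from the forum thread): runs over an abridged copy of the
config posted above and reports the checks a practitioner would make before
looking further.  The check list itself is constructed for this example.
"""
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of the posted config, abridged.
SAMPLE_CONFIG = """\
interface FastEthernet0
 ip address 192.168.0.10 255.255.255.0
 ip nat outside
!
interface Vlan172
 ip address 172.16.0.254 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 172.16.0.200 443 192.168.0.10 60443 extendable
"""

# Constructed variant (an assumption, not a fix from the thread): the same
# config with access-list 1 defined and the interface-only default route
# removed, to show the linter reporting nothing.
CORRECTED_CONFIG = SAMPLE_CONFIG.replace(
    "ip route 0.0.0.0 0.0.0.0 FastEthernet0\n", ""
) + "access-list 1 permit 172.16.0.0 0.0.0.255\n"


def parse_interfaces(config):
    """Map interface name -> {'network': IPv4Network or None, 'nat': 'inside'/'outside'/None}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {"network": None, "nat": None}
        elif not line.startswith(" "):
            current = None          # any non-indented line ends the stanza
        elif current is not None:
            cmd = line.strip()
            m = re.match(r"ip address (\S+) (\S+)$", cmd)
            if m:
                interfaces[current]["network"] = ipaddress.IPv4Network(
                    f"{m.group(1)}/{m.group(2)}", strict=False)
            elif cmd in ("ip nat inside", "ip nat outside"):
                interfaces[current]["nat"] = cmd.split()[-1]
    return interfaces


def lint_nat(config):
    """Return a list of findings (empty list means nothing was flagged)."""
    findings = []
    interfaces = parse_interfaces(config)
    inside = [i for i in interfaces.values() if i["nat"] == "inside"]
    outside = [i for i in interfaces.values() if i["nat"] == "outside"]
    if not inside:
        findings.append("no interface is configured 'ip nat inside'")
    if not outside:
        findings.append("no interface is configured 'ip nat outside'")

    # Dynamic NAT/PAT: the access-list that selects inside hosts must exist,
    # otherwise no source address ever matches and nothing is translated.
    defined_acls = set(re.findall(r"^access-list (\d+) ", config, re.M))
    defined_acls |= set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M))
    for acl in re.findall(r"^ip nat inside source list (\S+) ", config, re.M):
        if acl not in defined_acls:
            findings.append(f"dynamic NAT references access-list {acl}, which is not defined")

    # Static port forward: the inside-local host must sit behind an inside interface.
    inside_nets = [i["network"] for i in inside if i["network"]]
    for proto, local_ip, local_port, _global_ip, _global_port in re.findall(
            r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", config, re.M):
        if not any(ipaddress.IPv4Address(local_ip) in net for net in inside_nets):
            findings.append(f"static {proto}/{local_port} forward to {local_ip} "
                            f"is not on any 'ip nat inside' subnet")

    # A default route to a multi-access interface with no next hop makes the
    # router ARP for every Internet destination and depend on upstream proxy ARP.
    for target in re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M):
        if target in interfaces:
            findings.append(f"default route points at interface {target} with no next-hop address")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", SAMPLE_CONFIG), ("corrected", CORRECTED_CONFIG)):
        result = lint_nat(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

To run it against a real device, replace `SAMPLE_CONFIG` with the output of `show running-config`; the parser only relies on IOS's one-space indentation of interface sub-commands, which is what the box prints.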