
Forum Discussion

xeltros
Apprentice
Jan 22, 2014

Cisco firewall before RN104.

Hi guys,

I know this forum is for ReadyNAS, but I'm struggling to configure Cisco NAT to provide external access to my ReadyNAS. I was wondering if someone could be of some help here. I bought a cheap second-hand Cisco 1711 with IOS 12.4T15 adv security. I wanted to have a real firewall protecting a device with no firewall, and since I needed to practice on Cisco devices...
FYI I used to have CCNA (academic) 1 to 4 but haven't practised for a while, and never on a 1711 or alike.

The goal is to set up things like this:
INTERNET router (192.168.0.1) => CISCO FA0 (192.168.0.10) => CISCO ACL with OSI layer 7 firewall + NAT => CISCO FA2 (172.16.0.254) => RN104 ETH1 (172.16.0.200)
In a second step I would like to add an L2TP/IPsec VPN on the 10.0.0.0/24 subnet for remote access, but I'll do that later.

I configured my interfaces and everything works fine; for fa2 I had to set up VLAN172 to be able to handle layer 3 capabilities on switched ports. I can ping and access the web interface of the NAS (ETH1 with 172.16.0.200) from my computer (192.168.0.0/24), but NAT is not working: when I try to access 192.168.0.10:60443, which should be redirected to 172.16.0.200:443, I get nothing.

At boot I get:
show ip nat translation
Pro Inside global Inside local Outside local Outside global
tcp 192.168.0.10:60443 172.16.0.200:443 --- ---


When trying to access it I get:
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.168.0.10:60443 172.16.0.200:443 192.168.0.35:53327 192.168.0.35:53327
tcp 192.168.0.10:60443 172.16.0.200:443 --- ---

It seems to me that's working as expected, but I get no access to the NAS.

Can anyone be of any help? I can send the full config if needed.

5 Replies

  • What's your NAT configuration?

    I presume you have the FW config disabled to get the NAT part working first?

    Just FYI, the FW is not a L7 firewall in the sense that term is commonly used. It does support pin-holing, which requires some limited inspection of some protocols, but it's not a L7 firewall. For what you are using it for, though, the L3/L4 capabilities are fine.


    A.
  • You assume right. NAT only (and VLANs to be able to manage switched interfaces up to layer 3).
    Layer 7 means applicative filtering. I think Cisco can differentiate SSH from HTTP no matter the TCP port used, so it's more than layer 4. That said, it is limited to some protocols and is nowhere near what Checkpoint can do, but I think it will be better than iptables anyway. What you mean by "it's not layer 7" is that it only reads headers and does not test the entire content of the packet?

    You seem to know your stuff, so I think you should be able to read the conf directly (with a few modifications to usernames/passwords of course ;) ).
    Building configuration...

    Current configuration : 1568 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname kerberos
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 EnableSecret
    !
    aaa new-model
    !
    !
    !
    !
    aaa session-id common
    !
    !
    ip cef
    !
    !
    !
    !
    no ip domain lookup
    ip domain name kerberos.mydomain.com
    !
    multilink bundle-name authenticated
    !
    !
    !
    username SSHUser secret 5 SSH-User-Password
    !
    !
    archive
    log config
    hidekeys
    !
    !
    ip ssh version 2
    !
    !
    !
    interface BRI0
    no ip address
    encapsulation hdlc
    shutdown
    !
    interface FastEthernet0
    ip address 192.168.0.10 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface FastEthernet1
    description VM
    switchport access vlan 10
    !
    interface FastEthernet2
    switchport access vlan 172
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    !
    interface Vlan1
    no ip address
    !
    interface Vlan10
    ip address 10.0.0.254 255.255.255.0
    !
    interface Vlan172
    ip address 172.16.0.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 FastEthernet0
    ip route 0.0.0.0 0.0.0.0 192.168.0.1
    !
    !
    no ip http server
    no ip http secure-server
    ip nat translation timeout 30
    ip nat translation tcp-timeout 30
    ip nat translation udp-timeout 30
    ip nat translation icmp-timeout 30
    ip nat inside source list 1 interface FastEthernet0 overload
    ip nat inside source static tcp 172.16.0.200 443 192.168.0.10 60443 extendable
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    transport input ssh
    !
    end


    As you can see there is no ACL, and when going directly to the 172.16.0.0/24 network I can access the NAS via HTTPS, so no connectivity problem. Just the NAT/PAT not working, I think. This is probably something I totally forgot, but as said I'm a bit rusty with Cisco.
  • I thought you would have needed an outside NAT rule since 192.168... is an outside interface.

    Also try
    #debug ip nat detailed

    A.
    "Layer 7 means applicative filtering. I think Cisco can differentiate SSH from HTTP no matter the TCP port used, so it's more than layer 4. That said, it is limited to some protocols and is nowhere near what Checkpoint can do, but I think it will be better than iptables anyway. What you mean by "it's not layer 7" is that it only reads headers and does not test the entire content of the packet?"

    Ah, you must be referring to the T-train NBAR-based FW. That application recognition technology is pretty basic and limited; also, I wouldn't advocate using anything but "well known port" policies when using a FW to essentially reduce the attack surface, as you seem to be doing.

    Application-based FW features are really for "acceptable use" type purposes, i.e. don't allow BitTorrent traffic out of my network, stop people from using Dropbox, etc.

    A.
  • For the firewall, yes, my usage is pretty basic: I aim to use HTTP(S)/(S)FTP/SSH mainly, maybe a little bit of DNS. I will also need the VPN (L2TP/IPsec on the router) to pass through. Anything more advanced than that will be filtered via VPN credentials only (once connected you get full access). I'd just like to filter a little bit and practice Cisco doing it. I'm giving up the IPS feature because, having a second-hand router, I don't have the account it was registered with, and the router's memory/CPU is limited, but it would have been nice.

    I'm testing out the NAT commands from this conf (the same one you already read, except I added descriptions to the interfaces, and with no NAT except the inside/outside interface definitions):

    Building configuration...

    Current configuration : 1526 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname kerberos
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 SECRET
    !
    aaa new-model
    !
    !
    !
    !
    aaa session-id common
    !
    !
    ip cef
    !
    !
    !
    !
    no ip domain lookup
    ip domain name kerberos.mydomain.fr
    !
    multilink bundle-name authenticated
    !
    !
    !
    username xeltros secret 5 SECRET
    !
    !
    archive
    log config
    hidekeys
    !
    !
    ip ssh version 2
    !
    !
    !
    interface BRI0
    no ip address
    encapsulation hdlc
    shutdown
    !
    interface FastEthernet0
    description INTERNET (bad guys)
    ip address 192.168.0.10 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface FastEthernet1
    description VLAN10 (VPN) dedicaced interface
    switchport access vlan 10
    !
    interface FastEthernet2
    description VLAN172 (DMZ) dedicaced interface
    switchport access vlan 172
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    !
    interface Vlan1
    no ip address
    !
    interface Vlan10
    description future VPN (good distant guys)
    ip address 10.0.0.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    !
    interface Vlan172
    description DMZ (good protected guys)
    ip address 172.16.0.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 FastEthernet0
    ip route 0.0.0.0 0.0.0.0 192.168.0.1
    !
    !
    no ip http server
    no ip http secure-server
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    transport input ssh
    !
    end



    I'll send raw results to avoid any error on my side.
    IP NAT detailed debugging is on (activated after sending the conf).
    I do a full router reload between each configuration to be sure to start on the clean conf above.

    With no NAT (witness config)
    I will only be testing NAT on the other configs, since basic IP shouldn't be disturbed much by NAT only.
    FROM ROUTER:
    ping 192.168.0.1 (internet gateway) => OK
    ping 172.16.0.200 (NAS eth1) => OK

    FROM MAC (having a static route to 172.16.0.200 (NAS eth1) via 192.168.0.10 (Router FA0)):
    => ping 172.16.0.200 => OK
    => ping 192.168.0.10 => OK
    => ping 172.16.0.254 => OK (router vlan 172)
    => web interface 172.16.0.200 => OK
    => web interface 192.168.0.10 => TIMEOUT


    NAT INSIDE (the one I already posted)
    Web interface (192.168.0.10) => TIMEOUT
    router output :
    kerberos#sh ip nat tra
    Pro Inside global Inside local Outside local Outside global
    tcp 192.168.0.10:60443 172.16.0.200:443 --- ---
    kerberos#
    *Jan 21 08:29:37.591: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [47325]
    *Jan 21 08:29:37.591: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [47325]
    *Jan 21 08:29:37.595: NAT*: TCP s=54949, d=60443->443
    *Jan 21 08:29:37.595: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [47325]
    *Jan 21 08:29:37.735: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [56852]
    *Jan 21 08:29:37.735: NAT*: TCP s=54949, d=60443->443
    *Jan 21 08:29:37.735: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [56852]
    *Jan 21 08:29:37.935: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [46679]
    *Jan 21 08:29:37.939: NAT*: TCP s=54949, d=60443->443
    *Jan 21 08:29:37.939: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [46679]
    *Jan 21 08:29:38.139: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [59982]
    *Jan 21 08:29:38.139: NAT*: TCP s=54949, d=60443->443
    *Jan 21 08:29:38.139: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [59982]
    *Jan 21 08:29:38.339: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [27074]
    *Jan 21 08:29:38.339: NAT*: TCP s=54949, d=60443->443
    *Jan 21 08:29:38.339: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [27074]
    *Jan 21 08:29:38.543: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [14430]
    *Jan 21 08:29:38.543: NAT*: TCP s=54949, d=60443->443
    *Jan 21 08:29:38.543: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [14430]
    *Jan 21 08:29:38.843: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [748]
    *Jan 21 08:29:38.843: NAT*: TCP s=54949, d=60443->443
    *Jan 21 08:29:38.843: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [748]
    *Jan 21 08:29:39.343: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [38102]
    *Jan 21 08:29:39.343: NAT*: TCP s=54949, d=60443->443
    *Jan 21 08:29:39.343: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [38102]
    *Jan 21 08:29:40.247: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [40722]
    *Jan 21 08:29:40.247: NAT*: TCP s=54949, d=60443->443
    *Jan 21 08:29:40.247: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [40722]
    *Jan 21 08:29:42.055: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [59666]
    *Jan 21 08:29:42.055: NAT*: TCP s=54949, d=60443->443
    *Jan 21 08:29:42.055: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [59666]
    *Jan 21 08:29:45.711: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [18061]
    *Jan 21 08:29:45.715: NAT*: TCP s=54949, d=60443->443
    *Jan 21 08:29:45.715: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [18061]
    *Jan 21 08:29:52.391: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [15853]
    *Jan 21 08:29:52.391: NAT*: TCP s=54949, d=60443->443
    *Jan 21 08:29:52.391: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [15853]
    *Jan 21 08:29:59.191: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [26239]
    *Jan 21 08:29:59.191: NAT*: TCP s=54949, d=60443->443
    *Jan 21 08:29:59.191: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [26239]

    kerberos#sh ip nat tra
    Pro Inside global Inside local Outside local Outside global
    tcp 192.168.0.10:60443 172.16.0.200:443 192.168.0.26:54949 192.168.0.26:54949
    tcp 192.168.0.10:60443 172.16.0.200:443 --- ---

    kerberos#
    *Jan 21 08:30:59.211: NAT: expiring 192.168.0.10 (172.16.0.200) tcp 60443 (443)



    NAT OUTSIDE
    using command ip nat outside source static tcp 192.168.0.10 60443 172.16.0.200 443 extendable
    router output :

    *Jan 21 08:40:00.251: ipnat_add_static_cfg: id 2, flag 6
    *Jan 21 08:40:00.251: id 2, flags 0, domain 1, lookup 1, from_addr C0A8000A, from_mask FFFFFFFF, from_port EC1B, to_addr AC1000C8, to_port 1BB to_mask FFFFFFFF, proto 6
    *Jan 21 08:40:00.255: NAT: installing alias for address 172.16.0.200

    kerberos(config)#do sh ip nat tra
    Pro Inside global Inside local Outside local Outside global
    tcp --- --- 172.16.0.200:443 192.168.0.10:60443


    NAT OUTSIDE BIS
    using command ip nat outside source static tcp 172.16.0.200 443 192.168.0.10 60443 extendable
    router output :

    *Jan 21 08:52:43.003: ipnat_add_static_cfg: id 2, flag 6
    *Jan 21 08:52:43.003: id 2, flags 0, domain 1, lookup 1, from_addr AC1000C8, from_mask FFFFFFFF, from_port 1BB, to_addr C0A8000A, to_port EC1B to_mask FFFFFFFF, proto 6
    *Jan 21 08:52:43.007: NAT: installing alias for address 192.168.0.10

    kerberos(config)#do sh ip nat tra
    Pro Inside global Inside local Outside local Outside global
    tcp --- --- 192.168.0.10:60443 172.16.0.200:443


    NAT INSIDE BOTH WAYS
    ip nat inside source static tcp 172.16.0.200 443 192.168.0.10 60443 extendable
    ip nat inside source static tcp 192.168.0.10 60443 172.16.0.200 443 extendable

    router output :
    kerberos(config)#do sh ip nat tra
    Pro Inside global Inside local Outside local Outside global
    tcp 192.168.0.10:60443 172.16.0.200:443 --- ---
    tcp 172.16.0.200:443 192.168.0.10:60443 --- ---

    kerberos(config)#
    *Jan 21 08:46:59.723: NAT*: o: tcp (192.168.0.26, 55025) -> (192.168.0.10, 60443) [56183]
    *Jan 21 08:46:59.723: NAT*: o: tcp (192.168.0.26, 55025) -> (192.168.0.10, 60443) [56183]
    *Jan 21 08:46:59.727: NAT*: TCP s=55025, d=60443->443
    *Jan 21 08:46:59.727: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [56183]
    *Jan 21 08:46:59.727: NAT: i: tcp (172.16.0.200, 443) -> (192.168.0.26, 55025) [44274]
    *Jan 21 08:46:59.731: NAT: TCP s=443->60443, d=55025
    *Jan 21 08:46:59.731: NAT: s=172.16.0.200->192.168.0.10, d=192.168.0.26 [44274]

    kerberos(config)#do sh ip nat tra
    Pro Inside global Inside local Outside local Outside global
    tcp 192.168.0.10:60443 172.16.0.200:443 192.168.0.26:55025 192.168.0.26:55025
    tcp 192.168.0.10:60443 172.16.0.200:443 --- ---
    tcp 172.16.0.200:443 192.168.0.10:60443 --- ---


    NAT address to address
    command ip nat inside source static 172.16.0.200 192.168.0.10
    *Jan 21 08:56:03.379: ipnat_add_static_cfg: id 3, flag 6
    *Jan 21 08:56:03.379: id 3, flags 0, domain 0, lookup 0, from_addr AC1000C8, from_mask FFFFFFFF, from_port 0, to_addr C0A8000A, to_port 0 to_mask FFFFFFFF, proto 0
    *Jan 21 08:56:03.383: NAT: installing alias for address 192.168.0.
    kerberos(config)#do sh ip nat tra
    Pro Inside global Inside local Outside local Outside global
    --- 192.168.0.10 172.16.0.200 --- ---

    (while pinging 192.168.0.10 from MAC (ping OK))
    kerberos(config)#
    *Jan 21 08:56:25.847: NAT*: o: icmp (192.168.0.26, 56136) -> (192.168.0.10, 56136) [4938]
    *Jan 21 08:56:25.847: NAT*: o: icmp (192.168.0.26, 56136) -> (192.168.0.10, 56136) [4938]
    *Jan 21 08:56:25.847: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [4938]
    *Jan 21 08:56:26.847: NAT*: o: icmp (192.168.0.26, 56136) -> (192.168.0.10, 56136) [39977]
    *Jan 21 08:56:26.847: NAT*: s=192.168.0.26, d=192.168.0.10->172.16.0.200 [39977]


    NAT address to address with 192.168.0.11
    command : ip nat inside source static 172.16.0.200 192.168.0.11


    *Jan 21 08:58:54.867: ipnat_add_static_cfg: id 5, flag 6
    *Jan 21 08:58:54.867: id 5, flags 0, domain 0, lookup 0, from_addr AC1000C8, from_mask FFFFFFFF, from_port 0, to_addr C0A8000B, to_port 0 to_mask FFFFFFFF, proto 0
    *Jan 21 08:58:54.867: NAT: installing alias for address 192.168.0.11do sh ip nat tra
    Pro Inside global Inside local Outside local Outside global
    --- 192.168.0.11 172.16.0.200 --- ---

    (while pinging 192.168.0.11 from MAC, ping OK)
    kerberos(config)#
    *Jan 21 08:59:31.347: NAT*: o: icmp (192.168.0.26, 24137) -> (192.168.0.11, 24137) [29439]
    *Jan 21 08:59:31.347: NAT*: o: icmp (192.168.0.26, 24137) -> (192.168.0.11, 24137) [29439]
    *Jan 21 08:59:31.351: NAT*: s=192.168.0.26, d=192.168.0.11->172.16.0.200 [29439]

    While accessing web interface (192.168.0.11, TIMEOUT)

    *Jan 21 09:03:59.871: NAT*: o: tcp (192.168.0.26, 55067) -> (192.168.0.11, 80) [18909]
    *Jan 21 09:03:59.871: NAT*: o: tcp (192.168.0.26, 55067) -> (192.168.0.11, 80) [18909]
    *Jan 21 09:03:59.871: NAT*: s=192.168.0.26, d=192.168.0.11->172.16.0.200 [18909]
    *Jan 21 09:04:00.871: NAT*: o: tcp (192.168.0.26, 55067) -> (192.168.0.11, 80) [22728]
    *Jan 21 09:04:00.871: NAT*: s=192.168.0.26, d=192.168.0.11->172.16.0.200 [22728]
    *Jan 21 09:04:01.875: NAT*: o: tcp (192.168.0.26, 55067) -> (192.168.0.11, 80) [5438]
    *Jan 21 09:04:01.879: NAT*: s=192.168.0.26, d=192.168.0.11->172.16.0.200 [5438]
    *Jan 21 09:04:02.883: NAT*: o: tcp (192.168.0.26, 55067) -> (192.168.0.11, 80) [64158]
    *Jan 21 09:04:02.883: NAT*: s=192.168.0.26, d=192.168.0.11->172.16.0.200 [64158]
    *Jan 21 09:04:03.887: NAT*: o: tcp (192.168.0.26, 55067) -> (192.168.0.11, 80) [16652]
    *Jan 21 09:04:03.887: NAT*: s=192.168.0.26, d=192.168.0.11->172.16.0.200 [16652]
    *Jan 21 09:04:04.891: NAT*: o: tcp (192.168.0.26, 55067) -> (192.168.0.11, 80) [47748]
    *Jan 21 09:04:04.895: NAT*: s=192.168.0.26, d=192.168.0.11->172.16.0.200 [47748]
    *Jan 21 09:04:06.907: NAT*: o: tcp (192.168.0.26, 55067) -> (192.168.0.11, 80) [42904]
    *Jan 21 09:04:06.907: NAT*: s=192.168.0.26, d=192.168.0.11->172.16.0.200 [42904]
    *Jan 21 09:04:10.927: NAT*: o: tcp (192.168.0.26, 55067) -> (192.168.0.11, 80) [50389]
    *Jan 21 09:04:10.927: NAT*: s=192.168.0.26, d=192.168.0.11->172.16.0.200 [50389]
    *Jan 21 09:04:18.935: NAT*: o: tcp (192.168.0.26, 55067) -> (192.168.0.11, 80) [33094]
    *Jan 21 09:04:18.935: NAT*: s=192.168.0.26, d=192.168.0.11->172.16.0.200 [33094]
    *Jan 21 09:04:34.967: NAT*: o: tcp (192.168.0.26, 55067) -> (192.168.0.11, 80) [50797]
    *Jan 21 09:04:34.971: NAT*: s=192.168.0.26, d=192.168.0.11->172.16.0.200 [50797]
    *Jan 21 09:05:07.075: NAT*: o: tcp (192.168.0.26, 55067) -> (192.168.0.11, 80) [61870]
    *Jan 21 09:05:07.075: NAT*: s=192.168.0.26, d=192.168.0.11->172.16.0.200 [61870]



    None of the configs got me access to the web interface, but as far as I can judge, with ip nat inside everything goes well on the router... (PS: when there is no NAT debug output, that means NAT wasn't triggered; I copied the output I got.)
    Because everything seems fine to me, I wondered if I should set a route, but the router is directly connected, so it knows where to send anything. Moreover, when accessing 172.16.0.200 while telling my Mac to route via 192.168.0.10 it works, so I don't see any reason this wouldn't work while doing NAT...

    Xel
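A small diagnostic added here (it is not from the thread, NETGEAR or Cisco), written in Python, that parses the per-packet lines of `debug ip nat detailed` as quoted in the posts above and flags flows where only outside-to-inside ("o:") packets were translated and no reply from the inside host ("i:") ever crossed the router, which is what visibly separates the "NAT INSIDE" capture from the "NAT INSIDE BOTH WAYS" one. The sample lines are constructed to match the thread's format; the function names are the example's own.

```python
import re
from collections import defaultdict

# Matches the per-packet lines of `debug ip nat detailed` for both
# directions, e.g.
#   NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [47325]
#   NAT: i: tcp (172.16.0.200, 443) -> (192.168.0.26, 55025) [44274]
PKT_RE = re.compile(
    r"NAT\*?: (?P<dir>[oi]): (?P<proto>\w+) "
    r"\((?P<src>[\d.]+), (?P<sport>\d+)\) -> "
    r"\((?P<dst>[\d.]+), (?P<dport>\d+)\) \[(?P<ipid>\d+)\]"
)


def parse_nat_debug(lines):
    """Group packets by the outside client (proto, addr, port) that started the flow.

    'o' = packet arriving on the outside interface (client -> inside global)
    'i' = packet arriving on the inside interface (inside local -> client)
    Returns {(proto, client_ip, client_port): {"o": set(ipids), "i": set(ipids)}}.
    The router prints some lines twice; keying on the IP ID collapses those.
    """
    flows = defaultdict(lambda: {"o": set(), "i": set()})
    for line in lines:
        m = PKT_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        if d["dir"] == "o":
            client = (d["proto"], d["src"], int(d["sport"]))
        else:
            client = (d["proto"], d["dst"], int(d["dport"]))
        flows[client][d["dir"]].add(int(d["ipid"]))
    return flows


def diagnose(lines):
    """Return {client: (requests, replies, verdict)}; 'ok' means the inside
    host answered through the router, otherwise only the forward translation ran."""
    verdicts = {}
    for client, dirs in parse_nat_debug(lines).items():
        requests, replies = len(dirs["o"]), len(dirs["i"])
        if replies:
            verdict = "ok"
        elif requests > 1:
            verdict = "one-way: %d retransmitted requests, no reply via router" % requests
        else:
            verdict = "one-way: no reply via router"
        verdicts[client] = (requests, replies, verdict)
    return verdicts


# Constructed sample in the thread's debug format: the first flow only ever
# shows outside->inside packets; the second also shows the NAS's reply being
# translated back on the inside interface.
SAMPLE = """
*Jan 21 08:29:37.591: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [47325]
*Jan 21 08:29:37.591: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [47325]
*Jan 21 08:29:37.595: NAT*: TCP s=54949, d=60443->443
*Jan 21 08:29:37.735: NAT*: o: tcp (192.168.0.26, 54949) -> (192.168.0.10, 60443) [56852]
*Jan 21 08:46:59.723: NAT*: o: tcp (192.168.0.26, 55025) -> (192.168.0.10, 60443) [56183]
*Jan 21 08:46:59.727: NAT: i: tcp (172.16.0.200, 443) -> (192.168.0.26, 55025) [44274]
""".strip().splitlines()

if __name__ == "__main__":
    for client, (req, rep, verdict) in diagnose(SAMPLE).items():
        print(client, req, rep, verdict)
```

A flow reported as one-way with a populated `show ip nat translations` entry tells you the router did its half of the job; the next place to look is the path the inside host uses to send its reply.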
