First caveat: I did not design this network. Most of my recent networking experience is with ASAs; configuring NAT & ACLs there is pretty easy and straightforward. In this case, the engineer who installed the 2911 chose it because, in his words, the ASA didn't support the features he wanted - though I never got a straight answer when I asked which features specifically. In any case, I'm stuck with the 2911 for the time being and configuring ACLs is anything but straightforward.
We have a Cisco 2911 router as our edge device. NAT is set up and working just fine. There are currently no ACLs applied to the external or internal interfaces, so NAT just "works". However, we need to expose LDAPS on one of our servers to the public interface and restrict this to a specific source IP.
The NAT rule for this is the easy part:
ip nat inside source static tcp 192.168.x.x 636 x.x.x.2x 636 extendable
But then we need to restrict this to a specific subnet so we aren't exposing LDAP to the world. And this is where I get in over my head. The moment I apply an ACL to the interface, it kills all traffic, effectively shutting the interface.
ip access-list extended outside-inside
permit tcp x.x.x.x 0.0.15.255 host 192.168.x.x eq 636
interface GigabitEthernet0/1.10
ip access-group outside-inside in
My conclusion is that when there are no ACLs applied to the interface, the router has some implicit rules that allow outbound traffic and associated inbound traffic and which permit traffic based on PAT rules. And that by applying the ACL to the interface I am essentially disabling these "built-in" implicit rules, so I have to create these rules manually to allow outbound traffic and associated inbound traffic. (This isn't how it works on ASAs at all, and it's been 18 years since I took the CCNA so...) I have tried the following with no success:
ip access-list extended outside-inside
evaluate ipoutbound
ip access-list extended inside-outside
permit ip any any reflect ipoutbound
interface GigabitEthernet0/1.10
ip access-group inside-outside out
and
ip access-list extended outside-inside
permit ip any any established
but these aren't working at all and traffic is halted on the interface.
I've tried reading Cisco's documentation, but of course it only shows some basic syntax examples for creating ACLs and is not clear at all on what's happening in this case or why. If I do not apply any ACLs to the interface, then outbound traffic works just fine and the only permitted inbound traffic is either associated with an outbound session or an explicit PAT rule; but this would expose LDAP to the internet at large and that's no bueno.
For reference, the following standard acl is also applied globally.
access-list 10 permit 192.168.x.0 0.0.0.255
So, with an existing NAT/PAT rule ip nat inside source static tcp 192.168.x.x 636 x.x.x.2x 636 extendable
, how do I restrict access to this service without stopping all other traffic?
0 Answers