OK I'm a little confused, but I'm assuming you mean reverse NAT used as a
static translation to provide a public IP to an internal IP? If so you only
open the needed ports to that server. If you know all of the networks and
subnets that users will be coming from, you can limit source IPs to only
those networks.
When you say "if I create an inbound ACL on the S0 interface to allow all
IP" do you mean allowing all external IPs to have access to it? If so, see
above comment. If you don't know sources you'll have to do this and your
only line of defense is the username/password scheme for users.
Once they get into the VPN are they going to be assigned a virtual IP on the
inside network?
Maybe I'm misinterpreting the question. Is the public IP of the server in
the NAT pool? If so, take it out or you'll have a problem there if NAT
tries to use the ports needed for the VPN connection.
Let me know if I got close to what you were asking ;) It's getting close to
5 and the coffee isn't working any more.
Allen
----- Original Message -----
From: "Stephen Hoover"
To:
Sent: Thursday, June 21, 2001 3:30 PM
Subject: Access-lists and NAT [7:9417]
> List,
>
> Two questions regarding ACL's and NAT.
>
> 1) Is there anyway to apply an ACL to a static NAT entry?
>
> 2) My router (1604) has two active interfaces, E0 and S0. S0 has a public
> IP that does not answer to any service (not part of the NAT scheme). E0 has a
> private 172.16 network. I have 6 public IPs that I use in the NAT scheme. My
> question is this: if I create an inbound ACL on the S0 interface to allow
> all IP, does this present any security risk given the fact the interface
> isn't mapped anywhere via NAT and is also NOT part of my internal IP
> scheme?
>
>
> What I am trying to do is allow PPTP VPN to an NT server, which entails
> NAT'ing TCP 1723 and passing GRE. GRE has to pass on an ACL, so the only
> way I can think to do it is to create an inbound ACL allowing all IP, so
> returning NAT information from internally initiated conversations is not
> interrupted. Am I way off base here?
>
> Thanks!
> Stephen Hoover
> Dallas, Texas
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9423&t=9417
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
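Added example (written for this page, not posted by Allen or Stephen): an IOS configuration sketch of the setup discussed in the thread. The NT server gets a static 1:1 translation (GRE has no ports, so a port-level static entry cannot carry it), and the inbound ACL on S0, not a wide-open "permit ip any any", decides which ports reach it: TCP 1723 and GRE only. The server's public address is kept out of the dynamic pool, as Allen recommends. All addresses are assumptions: 203.0.113.2 for S0, 203.0.113.10-14 for the pool, 203.0.113.15 for the VPN server's public address and 172.16.1.10 for its inside address; 198.51.100.0/24 stands in for a known remote network. One point worth knowing when writing the ACL: for traffic arriving from the outside, IOS evaluates the inbound ACL before it performs the NAT translation, so the ACL has to match the public (inside global) address, not the 172.16 address.

```cisco
! Added example config, not from the original posts. Addresses are assumptions.
interface Ethernet0
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group 101 in
!
! Dynamic pool for outbound users. 203.0.113.15 is deliberately NOT in it,
! so a dynamic translation can never occupy the address the VPN server needs.
access-list 1 permit 172.16.0.0 0.0.255.255
ip nat pool PUBLIC 203.0.113.10 203.0.113.14 netmask 255.255.255.240
ip nat inside source list 1 pool PUBLIC overload
!
! Static 1:1 translation for the PPTP server. GRE (IP protocol 47) has no
! ports, so a "static tcp ... 1723" entry alone would translate the control
! channel but drop the tunnel; the full static carries both.
ip nat inside source static 172.16.1.10 203.0.113.15
!
! Inbound ACL on the outside interface. Checked before NAT, so it names the
! public address. Only the PPTP control port and GRE reach the server.
access-list 101 permit tcp any host 203.0.113.15 eq 1723
access-list 101 permit gre any host 203.0.113.15
! If the remote user networks are known, replace the two lines above with
! source-restricted versions, e.g.:
!   access-list 101 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.15 eq 1723
!   access-list 101 permit gre 198.51.100.0 0.0.0.255 host 203.0.113.15
!
! Return traffic for TCP sessions opened from the inside through the pool.
! "established" only matches TCP (ACK/RST set); it does nothing for UDP.
access-list 101 permit tcp any 203.0.113.0 0.0.0.15 established
! UDP replies must be permitted explicitly (DNS shown here), or handled with
! reflexive ACLs / CBAC where the IOS feature set provides them.
access-list 101 permit udp any eq 53 203.0.113.0 0.0.0.15
! ICMP replies the inside users will want; everything else hits the
! explicit deny and is logged.
access-list 101 permit icmp any 203.0.113.0 0.0.0.15 echo-reply
access-list 101 permit icmp any 203.0.113.0 0.0.0.15 unreachable
access-list 101 deny ip any any log
```

To verify, bring up a PPTP session from outside and check `show access-lists 101` for hit counts on the 1723 and GRE lines and `show ip nat translations` for the static entry; anything legitimate that is being dropped shows up in the log from the final deny line, which is the place to add narrowly scoped permits rather than falling back to "permit ip any any".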