Stephen,

The second group of commands is much more secure; however, as you know, you
have restricted port access to a point that keeps out ping (can be a good
thing!) and DNS resolution.

I would suggest opening TCP and UDP port 53 for DNS resolution in addition
to 25 and 110.

That should fix your problem of internal name resolution.

As for ping, it really is better if you don't allow ping to come in from the
outside.  In your network configuration (I am assuming that it is small),
you are using your router as your security perimeter.  If you start allowing
ping through, people can find ways to map out your network a bit better; by
restricting ping, you eliminate that potential security risk.  If you want
to be able to ping your mail server from the outside, why not just telnet to
port 25 or port 110 instead?  That would give you the added knowledge that
your mail server is operating.

If you must allow ICMP, I would suggest allowing it through CBAC (Firewall
feature set) instead of access lists.  Once you start using access lists on
a router that is in your type of configuration, you have to specifically
allow the protocols that you want in both directions, which can be a daunting
task.  Additionally, that adds a good bit of overhead to your router (a 1600
is not really beefy).

For the record, though, check out:

http://www.cisco.com/warp/public/cc/pd/iosw/ioft/iofwft/tech/firew_wp.htm

Specifically Appendix B.


Tom McNamara
MCSE, CCNA
Account Manager, U.S. Datacom
[EMAIL PROTECTED]
Direct line:  (407)398-6521
Toll-Free:  (800)216-5517

Dear List,

    I've been reading the list and learning lots of cool things over the past few
months. This is the first time I have posted, and I have some questions
regarding NAT.

    We have a T1 coming into the office on a Cisco 1604 with an internal
serial WIC. All of my internal-to-external NAT translations are working
fine. Where I am running into trouble is doing an external-to-internal
translation for my email server.

    I am trying to understand what exactly the nat commands are doing - I
haven't been able to find really good documentation on the commands. What I
have found on Cisco's site seems pretty basic to me.

    My mail server's internal IP is 172.16.2.4, the external is
216.143.254.250. When I put in this command:

ip nat inside source static 172.16.2.4 216.143.254.250

everything works well, but it appears that that command opens all ports.
When I remove that command and put in these:

ip nat inside source static tcp 172.16.2.4 25 216.143.254.250 25
ip nat inside source static tcp 172.16.2.4 110 216.143.254.250 110

mail transfers fine, but then I can no longer ping the server externally -
which I would like to be able to do to check for problems from home. The other
problem is, when I have all ports open with the first nat command, my users
can resolve our DNS name to the internal address of 172.16.2.4. When I use
the second commands I listed (effectively closing other ports), the internal
clients resolve the name to the external IP address, and mail transfer is
noticeably slower. It's as though it is sending mail over the T1 to the port
on the other side and back to the server.

So my question is this: with what series of nat commands (or ACLs) do I
effectively close all the unused ports on my internal mail server from the
outside, but still be able to ping remotely and have the internal users
resolve the name to the internal address?

Thanks in advance to all who offer help!

Stephen Hoover
Dallas, Texas
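Tom's suggestions (port-specific static NAT for 25, 110 and TCP/UDP 53, an inbound filter, CBAC rather than two-way access lists) and Stephen's question (close every unused port, keep ping, keep inside resolution) fit into one 1600-series configuration. The following is an added example, not configuration from either post. Only the addresses 172.16.2.4 and 216.143.254.250 come from the thread; the interface names Ethernet0 and Serial0, the inside subnet 172.16.2.0/24, the WAN link address 216.143.254.249/30, and the names of the access lists and inspect rule are assumptions. Two caveats a practitioner would want: add the port 53 entries only if 172.16.2.4 really is the authoritative DNS server that outside resolvers must query (with port-specific static NAT, a port with no entry is already unreachable), and which address inside clients get back for the name depends on which DNS server they query and what it answers, not on NAT, so check it with nslookup from an inside host before and after the change. ICMP inspection (`ip inspect name ... icmp`) only exists on newer IOS trains; where the keyword is absent, the single echo line in the access list is the way to let ping in, and deleting it keeps ping blocked as Tom recommends.

```cisco
! Added example (not from the original posts). Assumed: Ethernet0/Serial0,
! inside subnet 172.16.2.0/24, WAN link 216.143.254.249/30, names FW/1/101.
!
! Port-specific static NAT: only these ports reach 172.16.2.4 from outside.
! Any other port sent to 216.143.254.250 has no translation and is dropped.
ip nat inside source static tcp 172.16.2.4 25  216.143.254.250 25
ip nat inside source static tcp 172.16.2.4 110 216.143.254.250 110
! Only if 172.16.2.4 is the public authoritative DNS server for the domain;
! otherwise leave these two lines out and keep 53 closed.
ip nat inside source static tcp 172.16.2.4 53  216.143.254.250 53
ip nat inside source static udp 172.16.2.4 53  216.143.254.250 53
!
! Outbound PAT for the rest of the LAN (the part that already works).
access-list 1 permit 172.16.2.0 0.0.0.255
ip nat inside source list 1 interface Serial0 overload
!
! Inbound filter on the WAN side. Anti-spoofing first: nothing claiming an
! inside source address should arrive from the T1.
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
! Exactly the published services, addressed to the public mail address.
access-list 101 permit tcp any host 216.143.254.250 eq smtp
access-list 101 permit tcp any host 216.143.254.250 eq pop3
access-list 101 permit tcp any host 216.143.254.250 eq domain
access-list 101 permit udp any host 216.143.254.250 eq domain
! ICMP echo to the mail server only; delete this line to keep ping blocked.
access-list 101 permit icmp any host 216.143.254.250 echo
! Everything else, including replies for inside-initiated sessions, is
! denied here; CBAC below opens those replies dynamically.
access-list 101 deny   ip any any log
!
! CBAC (IOS Firewall feature set): inspect sessions leaving Serial0 and
! punch the return path through ACL 101 per session, so the access list
! does not have to enumerate every reply protocol in both directions.
ip inspect name FW tcp
ip inspect name FW udp
!
interface Ethernet0
 ip address 172.16.2.1 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 216.143.254.249 255.255.255.252
 ip nat outside
 ip access-group 101 in
 ip inspect FW out
```

After applying it, `show ip nat translations` should list only the static entries above (plus PAT entries for inside-initiated sessions), `show ip inspect sessions` shows the CBAC-opened return paths, and `show access-lists 101` lets you watch the final deny counter climb as unsolicited inbound traffic is dropped; telnet to 216.143.254.250 on port 25 from outside remains the better liveness check for the mail daemon than ping, since an echo reply only proves the host's IP stack is up.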

_________________________________
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
