One-to-One NAT with limited ports?
One-to-One NAT with limited ports?
I have multiple static IP's with my ISP configured. I have a Node on my network that is mapped to one of those static IPs. I can't seem to get the firewall rule in place to only allow port 80 and 443 through. I have tried both Gateway ACLs and Switch ACLs. Can someone point me in the right direction?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
muzicman0 wrote
I have multiple static IP's with my ISP configured. I have a Node on my network that is mapped to one of those static IPs. I can't seem to get the firewall rule in place to only allow port 80 and 443 through. I have tried both Gateway ACLs and Switch ACLs. Can someone point me in the right direction?
Hi @muzicman0
Could you provide the topology of your network, and share the screenshots of your One-to-One NAT setting page and ACL setting page?
Please also help to confirm the controller version, the models of your devices and the versions of them.
- Copy Link
- Report Inappropriate Content
I will try to get some images of that put together today. I think I mostly have it working now, but what would be helpful is know the order in which various services are processed. IE: does it go {WAN Interface} -> NAT -> Gateway ACL -> Switch ACL?
I will try to describe my topology:
Internet with multiple IP's -> ER707-M2 (Gateway) -> Omada 24 port switch
I have multiple AP's hanging off the switch.
DMZ: 192.168.2.0/24
Corp LAN(s): 10.1.0.0/16
PUBLIC_IP 2: One to One NAT to 192.168.2.3
The DMZ Network in question (we call it EngageNet) is simply defined as a VLAN with ACLs to allow no communication from the DMZ to the Corp LAN, but we do allow established communication INTO the DMZ from the Corp LAN
So, 10.1.0.0/16 -> 192.168.2.0/24 is allowed, but
192.168.2.0/24 -> 10.1.0.0/16 is not allowed unless initiated from the Corp LAN.
I currently have a Switch ACL allowing certain ports (80,448,3478,5900) from IPGroup_any to 192.168.2.3/32 and then a rule denying all traffic to 192.168.2.0/24.
This seems to work.
I also have a Gateway ACL that specifically blocks port 5900 on WAN_In so that VNC can't happen from the public internet, but it is allowed on the LAN. This also seems to work.
What I can't figure out is how to selectively block traffic from a specific public IP.
For instance, (not that I do, but) if I wanted to allow port 5900 on public IP 1, but not on Public IP 2 I am not sure how to do this.
- Copy Link
- Report Inappropriate Content
@Hank21 Ignore the above. I mostly have this working, but how can I create a Gateway ACL that ONLY applies to a specific static IP.
An example would be that I have 2 IP addresses, and I want 4.4.4.1 to block port 443 (which it will by default), but I want 4.4.4.2 to allow 443. Is that possible? I have tried various things but none seem to work.
Everything I have found is just a blanket allow or deny 443 for every configured Public IP.
For reference here is what I have that is working, but again, it works on all 5 of my public static IP addresses.
- Copy Link
- Report Inappropriate Content
muzicman0 wrote
@Hank21 Ignore the above. I mostly have this working, but how can I create a Gateway ACL that ONLY applies to a specific static IP.
An example would be that I have 2 IP addresses, and I want 4.4.4.1 to block port 443 (which it will by default), but I want 4.4.4.2 to allow 443. Is that possible? I have tried various things but none seem to work.
Everything I have found is just a blanket allow or deny 443 for every configured Public IP.
For reference here is what I have that is working, but again, it works on all 5 of my public static IP addresses.
Hello @muzicman0
Have you set up the permit rule priority to the deny rule? For example, what if you create a permit rule as 4.4.4.2 port 443 first, and then deny rule for other IP?
- Copy Link
- Report Inappropriate Content
@Hank21 where do I specify the wan ip? I don't see a way to specify the WAN IP address, so I don't see how I would do that. Am I missing something? I only seem to be able to specify WAN IN, not WAN IN 4.4.4.2.
- Copy Link
- Report Inappropriate Content
muzicman0 wrote
@Hank21 where do I specify the wan ip? I don't see a way to specify the WAN IP address, so I don't see how I would do that. Am I missing something? I only seem to be able to specify WAN IN, not WAN IN 4.4.4.2.
Hi @muzicman0
You can create the IP-Port group with 4.4.4.2 and put in on destination. The communication is bidirectional, it should achieve your request somehow.
- Copy Link
- Report Inappropriate Content
@Hank21 Doesn't seem to work, or I am doing it wrong.
I have 1 to 1 NAT set up to translate 10.1.10.252 to 4.4.4.2, and DMZ is checked in the 1 to 1 NAT rule:
I have a gateway ACL that denies port 443 on 4.4.4.2:
But I am still able to reach the server at 10.1.10.252 on port 443 via 4.4.4.2 on the public internet. Am I doing this wrong?
- Copy Link
- Report Inappropriate Content
Hi @muzicman0
Sorry for my mistake. The current controller does not support selecting one of the WAN IP when configure the One to One NAT. This function is under development now, and we could expect this function will be implemented in the future. Thanks for understanding.
- Copy Link
- Report Inappropriate Content
@Hank21 I am trying to come up with a way to block VNC on my public IP address, but this limitation makes it not work.
I tried to create a rule on the switch that 'allows' ALL traffice from the 10.0.0.0/8 IP addresses to the entire 192,168.2.0/24 subnet. I then created a deny ANY IP to 192.168.2.3/32, but it doesn't work. it just denies all traffic. Which doesn't make sense to me.
- Copy Link
- Report Inappropriate Content
Hi @Hank21
I have similar requirement to the OP to limit traffic to private IP with One-To-One NAT rule applied. Is this still not possible? Can you supply an ETA if it is known?
Thanks
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 580
Replies: 11
Voters 0
No one has voted for it yet.