[SOLVED] Telnet from NATed network / endpoint access-list question

gafonator

Honorable
Jul 24, 2016
19
0
10,510
Hello,

would you be so kind as to illustrate for me (and is it even possible) the endpoint access-list given these examples:

  1. I am starting the telnet from my IP 192.168.0.50 /24
  2. My IP is NATed outside through 50.5.5.5
  3. I want only my IP 192.168.0.50 to be able to access the endpoint on Telnet port 23

Is it enough for the access-list to include only the 50.5.5.5 + port 23 and to deny everything else? Because that would mean anybody from my /24 network also NATed behind 50.5.5.5 would have access too...?
 
Solution
So are you doing

lan----192.168.0.x--router---wan 50.5.5.5---firewall

In this case you cannot fix it with the firewall. As you state, all the machines share the NAT IP and all will have access.

You must place a restriction on the router. How exactly you do this varies greatly, and very simple routers do not even have the ability.

This is so hard because the exact configuration screens are so different between routers.

What you do is ignore the NAT. The filter will take place before the NAT is done.

So you want a rule that says 192.168.0.50 can get to x.x.x.x (ip of external machine) on port 23. Then a rule that blocks other machines from going to that ip and port.

gafonator

Honorable
Jul 24, 2016
19
0
10,510
To clarify - I want to know the syntax for the far-endpoint access-list, in order for my IP to be the only one allowed to telnet in. For example, the far endpoint is IP 100.1.1.1.

But the machine at 100.1.1.1 won't recognise the traffic as sourced from 192.168.0.50 but from my NAT address 50.5.5.5, no? Or is it going to know the "true" source? By the way, we are talking about a Cisco router on both sides; I am somewhat versed. If you know the proper syntax and would be so kind, please share.
 
Where are you trying to place the restriction? It will only work on the router doing the NAT.

Cisco has lots of examples, but an example of the key statement, if I remember my stuff correctly, applied inbound on the LAN:

access-list 101 permit tcp host 192.168.0.50 host 100.1.1.1 eq telnet
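As an added example (not posted by anyone in this thread), here is what the complete configuration could look like on both Cisco routers, using the thread's addresses: 192.168.0.50 as the only permitted client, 50.5.5.5 as the NAT address and 100.1.1.1 as the far endpoint. The interface names, the LAN router's own address 192.168.0.1, the /30 WAN mask, and ACL numbers 5 and 10 are assumptions chosen for illustration.

```cisco
! ===== LAN-side router (the one doing the NAT) =====
! ACL 101 is applied inbound on the LAN interface. For inside-to-outside
! traffic IOS evaluates the inbound ACL before NAT, so the ACL sees the
! real source 192.168.0.50, not the translated 50.5.5.5.
access-list 101 remark only .50 may telnet to 100.1.1.1
access-list 101 permit tcp host 192.168.0.50 host 100.1.1.1 eq telnet
access-list 101 deny   tcp 192.168.0.0 0.0.0.255 host 100.1.1.1 eq telnet
! Every ACL ends in an implicit deny; without this line all other LAN
! traffic (web, DNS, ...) would be dropped as well.
access-list 101 permit ip any any
!
! ACL 10 defines which inside addresses get translated (assumed standard ACL).
access-list 10 permit 192.168.0.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/1 overload
!
interface GigabitEthernet0/0
 description LAN (assumed interface name and address)
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip access-group 101 in
!
interface GigabitEthernet0/1
 description WAN (assumed interface name and mask)
 ip address 50.5.5.5 255.255.255.252
 ip nat outside

! ===== Far-end router at 100.1.1.1 =====
! This side never sees 192.168.0.50; the tightest filter it can express is
! the NAT address, which every host behind 50.5.5.5 shares.
access-list 5 remark telnet to this router only from the NAT address
access-list 5 permit host 50.5.5.5
!
line vty 0 4
 access-class 5 in
 transport input telnet
```

The far-end `access-class` is still worth having, since it drops Telnet attempts from every other source address, but it cannot tell 192.168.0.50 apart from its /24 neighbours. The per-host restriction therefore has to live in ACL 101 on the LAN interface of the NAT router, where the private address is still visible; keep the explicit `deny` line for the rest of the subnet, because the trailing `permit ip any any` would otherwise let those hosts through.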