GroupStudy.com - A virtual community of network engineers
RE: NAT and ACL [7:102911] posted 09/22/2005


That is a very loaded question and again, not one I'm going to straight out
answer for you.  If you are participating in this list for its intended
purpose, which is to learn, then I will help set you in the right direction.
If you need technical assistance and don't care about the learning part then
call TAC.  I want you to become a stronger engineer and the best way for
that to happen is to learn to research your questions.

H.323 is really a suite of several protocols and so this request is not as
simple as permitting a TCP port.  Nearly every protocol within the suite has
a unique Layer 4 ID (port).  Those, while numerous, are not really the
problem.  The problem is caused by the protocols that don't use a fixed
port.  Not only that, but they don't always use sequential ports.  For
example, RTCP may use only odd-numbered UDP ports 1024-65535 but RTP may use
the even-numbered ports in the same range.

Your best bet if you really need to do this is to use an application-aware
form of filtering.  The IOS firewall feature set will handle this
requirement much better since it has dynamic controls (CBAC) built right
into the code, which non-firewall versions do not.  You could also consider
trying tunnels of some sort (GRE or IPIP) between H.323 endpoints so you
could bypass the filtering requirements.

Here are some links that may help:

www.teamsolutions.co.uk/tsfirewall.html

www.chebucto.ns.ca/~rakerman/articles/ig-h323_firewalls.html

www.cisco.com/warp/public/cc/pd/iosw/ioft/mmcm/tech/h323_wp.htm

Good luck!

Rik

-----Original Message-----
From: Tran Nhu Quang [mailto:nhuquang.tran@xxxxxxxxxxxx] 
Sent: Wednesday, September 21, 2005 10:28 PM
To: cisco@xxxxxxxxxxxxxx
Subject: Re: NAT and ACL [7:102911]

Hi,
I'm using c2600-io3-mz.123-3 as my IOS version. I try to use an ACL to allow
h323 transfer through the router but it seems there is no ACL for h323 on
this version of IOS. Does anyone know which version of IOS supports h323
in ACLs and how much RAM and Flash I must have?
Thanks
----- Original Message -----
From: "Guyler, Rik" 
To: 
Sent: Wednesday, September 21, 2005 8:06 PM
Subject: RE: NAT and ACL [7:102911]


> I won't tell you how to build your ACLs as that would take all the fun out
> of it for you!  However, here are some tips to get you started:
>
> If you are applying an inbound ACL to the inside (private) interface
> then use the private source addresses of your hosts/subnet.  If you
> plan to apply an outbound ACL on the outside (public) interface then
> use the NAT'd address(es) as the source.  Once the data has entered the
> router, the NAT process will occur before the outbound ACL process.
>
> As for ACLs, enter all of your permit statements first in an extended
> IP ACL.  I like to use the "ip access-list ext NAME" format as it
> creates a more modular and editable ACL than the old style, which was
> a pain.  Once all of the permits are in place, I like to add a "deny
> any any log" at the end using a large sequence number like 1000 or
> whatever.  This logs unauthorized attempts (without running debugs)
> and the high sequence number makes it easy to add more permits later
> on without having to remove the deny statement each time or cramming
> your sequence numbers together.
>
> HTH,
>
> Rik
>
> -----Original Message-----
> From: Tran Nhu Quang [mailto:nhuquang.tran@xxxxxxxxxxxx]
> Sent: Wednesday, September 21, 2005 12:06 AM
> To: cisco@xxxxxxxxxxxxxx
> Subject: NAT and ACL [7:102911]
>
> Hi,
> I'm confused with how IOS handles NAT and ACLs concurrently. Suppose
> that I use NAT and ACLs in my configuration. In that, all my inside
> local IP addresses except the IP address of the email server will be
> NATed to one inside global IP address. The email server address will
> be statically NATed to another inside global IP address. Our policy is
> that we will permit only the packets whose destination port is one of
> 53, 80, 443, 20, 21, 22, 25, 465, 110, 995 to access the internet. We
> will deny the rest. Besides that, I will permit internet users to
> access the email server via ports 80, 25, 110. So, how can I
> express all of this in ACL language?
> Thanks for support
> TNQ
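As an added illustration that is not part of the thread, here is how TNQ's policy could be expressed using the named extended ACL, NAT-ordering and high-sequence logging deny that Rik describes. The addresses (192.168.1.0/24 inside, 192.168.1.25 as the mail server, 203.0.113.10 as its inside global address), interface names and ACL names are all assumed for the example.

```cisco
! Constructed addressing for this example (not from the thread):
!   inside LAN    192.168.1.0/24 -> PAT to the outside interface address
!   mail server   192.168.1.25   -> static NAT to 203.0.113.10
!
! Outbound policy, applied INBOUND on the inside interface. Packets have
! not been translated yet, so match on the private source addresses.
ip access-list extended INSIDE-IN
 remark permitted Internet services, by destination port
 permit udp 192.168.1.0 0.0.0.255 any eq 53
 permit tcp 192.168.1.0 0.0.0.255 any eq 53
 permit tcp 192.168.1.0 0.0.0.255 any eq 80
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 permit tcp 192.168.1.0 0.0.0.255 any range 20 21
 permit tcp 192.168.1.0 0.0.0.255 any eq 22
 permit tcp 192.168.1.0 0.0.0.255 any eq 25
 permit tcp 192.168.1.0 0.0.0.255 any eq 465
 permit tcp 192.168.1.0 0.0.0.255 any eq 110
 permit tcp 192.168.1.0 0.0.0.255 any eq 995
 remark mail server replies to sessions opened from the Internet
 permit tcp host 192.168.1.25 any established
 remark logging deny; high sequence number leaves room for later permits
 1000 deny ip any any log
!
! Inbound policy, applied INBOUND on the outside interface. Outside-to-inside
! packets hit the ACL before NAT: match the public (inside global) mail address.
ip access-list extended OUTSIDE-IN
 remark Internet users to the mail server
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 25
 permit tcp any host 203.0.113.10 eq 110
 remark replies to sessions opened from inside (plain ACLs are stateless)
 permit tcp any any established
 permit udp any eq 53 any gt 1023
 1000 deny ip any any log
!
ip access-list standard NAT-HOSTS
 remark everything except the mail server shares one inside global address
 deny host 192.168.1.25
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT-HOSTS interface Serial0/0 overload
ip nat inside source static 192.168.1.25 203.0.113.10
!
interface FastEthernet0/0
 ip nat inside
 ip access-group INSIDE-IN in
!
interface Serial0/0
 ip nat outside
 ip access-group OUTSIDE-IN in
```

The two reply entries in OUTSIDE-IN are the weak spot of a stateless ACL: `established` only tests TCP flag bits and the UDP line admits anything sourced from port 53, which is why Rik points at CBAC (`ip inspect`) as the better fit when per-session state is needed.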




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=102959&t=102911
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html