Two-interface Router With NAT

    2514 Router

    Current configuration:

    !

    version 12.0

    service timestamps debug uptime

    service timestamps log uptime

    no service password-encryption

    !

    hostname horton

    !

    enable secret 5 $1$GwRz$YS/82LXSYcgD1d5Nua9Ob1

    enable password ww

    !

    ip subnet-zero

    !

    ip inspect name ethernetin cuseeme timeout 3600

    ip inspect name ethernetin ftp timeout 3600

    ip inspect name ethernetin h323 timeout 3600

    ip inspect name ethernetin http timeout 3600

    ip inspect name ethernetin rcmd timeout 3600

    ip inspect name ethernetin realaudio timeout 3600

    ip inspect name ethernetin smtp timeout 3600

    ip inspect name ethernetin sqlnet timeout 3600

    ip inspect name ethernetin streamworks timeout 3600

    ip inspect name ethernetin tcp timeout 3600

    ip inspect name ethernetin tftp timeout 30

    ip inspect name ethernetin udp timeout 15

    ip inspect name ethernetin vdolive timeout 3600

    !

    interface Ethernet0

    ip address 20.20.20.2 255.255.255.0

    ip access-group 101 in

    no ip directed-broadcast

    ip nat inside

    ip inspect ethernetin in

    !

    interface Ethernet1

    no ip address

    no ip directed-broadcast

    shutdown
   
    !

    interface Serial0

    ip address 150.150.150.1 255.255.255.0

    ip access-group 112 in

    no ip directed-broadcast

    ip nat outside

    clockrate 4000000

    !

    interface Serial1

    no ip address

    no ip directed-broadcast

    shutdown

    !

    ip nat pool serialzero 150.150.150.3 150.150.150.255 netmask 255.255.255.0

    ip nat inside source list 1 pool serialzero

    ip classless

    ip route 0.0.0.0 0.0.0.0 150.150.150.2

    ip route 20.30.30.0 255.255.255.0 20.20.20.1

    !

    access-list 1 permit 20.0.0.0 0.255.255.255

    access-list 101 permit tcp 20.0.0.0 0.255.255.255 any

    access-list 101 permit udp 20.0.0.0 0.255.255.255 any

    access-list 101 permit icmp 20.0.0.0 0.255.255.255 any

    access-list 112 permit icmp any 150.150.150.0 0.0.0.255 unreachable

    access-list 112 permit icmp any 150.150.150.0 0.0.0.255 echo-reply

    access-list 112 permit icmp any 150.150.150.0 0.0.0.255 packet-too-big

    access-list 112 permit icmp any 150.150.150.0 0.0.0.255 time-exceeded

    access-list 112 permit icmp any 150.150.150.0 0.0.0.255 traceroute

    access-list 112 permit icmp any 150.150.150.0 0.0.0.255 administratively-prohibited

    access-list 112 permit icmp any 150.150.150.0 0.0.0.255 echo

    access-list 112 permit tcp host 150.150.150.2 host 150.150.150.1 eq telnet

    access-list 112 deny ip 127.0.0.0 0.255.255.255 any

    access-list 112 deny ip any any

    !

    line con 0

    transport input none

    line aux 0

    line vty 0 4

    password ww

    login

    !

    end

    关于ip inspect name

    if you deny SMTP mail on the external ACL, no external SMTP servers will ever be able to make a connection to the internal SMTP server.

    CBAC is totally independent of access lists - CBAC is associated with ACLs because one function of CBAC is to ensure return traffic of a

    session is permitted back to the source - however don't confuse CBAC by thinking ACLs are required. If you apply an inspect list to an interface, inspection takes place, no matter what ACLs are or are not in place. However, remember that ACLs are processed first, so the ACL must allow through the appropriate traffic to be passed thru to the inspection list.

    I'm guessing your config would look something like this:

    ! Internal Interface

    Interface e0 ip inspect WEB inbound

    ! External Interface

    Interface e1 ip access-group 100 in

    ip inspect SMTP inbound

    access-list 100 permit tcp any host x.x.x.x eq smtp

    access-list 100 deny ip any any

    ip inspect name WEB http

    ip inspect name WEB ftp

    ip inspect name WEB smtp

    ip inspect name WEB tcp

    ip inspect name WEB udp

    ip inspect name SMTP smtp

    On your external ACL, you must have an opening to allow SMTP in - there is no way CBAC can automatically do this for you as traffic is first processed by the ACL and must pass. So once the SMTP traffic is allowed

    in, it is passed to the inspection list SMTP, which applys SMTP protocol-based inspection (and opens up any ACLs if necessary - in this

    example this function is not required).

    Note that in this example you could place the SMTP inspection list on the internal interface in the outbound direction as well. This is a better placement option if you had say a DMZ interface that was also

    receiving SMTP mail for the internal SMTP server, as you would only require a single inspection point (outbound on the internal interface)

    rather than inbound on the external and DMZ interfaces.