topic Re: Allow only access to one IP and one port in Network Security

Allow only access to one IP and one port

TristanGude — Thu, 12 Dec 2019 16:37:54 GMT

Hi,

I am trying to create a ICL to allow only Incoming traffic to IP XX.XX.XX.XX port 80

But it does not work.

Extended IP access list Outside-Traffic
40 permit tcp any host XX.XX.XX.XX eq www
900 deny ip any any

Class Map type inspect match-any Incoming-Traffic (id 4)
Match access-group name Outside-Traffic

Policy Map type inspect Incoming-Traffic-Policy
Class Incoming-Traffic
Inspect
Class class-default
Drop log

Zone-pair name Out-To-In
Source-Zone Outside Destination-Zone Inside
service-policy Incoming-Traffic-Policy

interface GigabitEthernet0/0/0
description Internet
zone-member security Outside

interface TenGigabitEthernet0/0/0.1
description Native VLAN
encapsulation dot1Q 1 native
ip address 172.16.0.1 255.255.255.0
ip nat inside
zone-member security Inside
!

ip nat inside source static 172.16.0.226 XX.Xx.XX.XX

Re: Allow only access to one IP and one port

Rob Ingram — Thu, 12 Dec 2019 17:18:46 GMT

Hi,
Try changing the ACL to use the real IP address of the host rather than the natted IP.

HTH

Re: Allow only access to one IP and one port

TristanGude — Thu, 12 Dec 2019 17:55:32 GMT

It has the real IP. I did not write it because we are a School and have been attacked several times. 45.59.xxx.xxx

Re: Allow only access to one IP and one port

Rob Ingram — Thu, 12 Dec 2019 18:08:25 GMT

I mean define the private IP address (172.16.0.226) in the ACL not the nat/translated address.

Re: Allow only access to one IP and one port

TristanGude — Thu, 12 Dec 2019 18:17:38 GMT

Wow. That was it. Thank you very much