Allow only access to one IP and one port

TristanGude
Level 1

Hi,

I am trying to create an ACL to allow only incoming traffic to IP XX.XX.XX.XX port 80.

But it does not work.

Extended IP access list Outside-Traffic
40 permit tcp any host XX.XX.XX.XX eq www
900 deny ip any any


Class Map type inspect match-any Incoming-Traffic (id 4)
Match access-group name Outside-Traffic

Policy Map type inspect Incoming-Traffic-Policy
Class Incoming-Traffic
Inspect
Class class-default
Drop log


Zone-pair name Out-To-In
Source-Zone Outside Destination-Zone Inside
service-policy Incoming-Traffic-Policy

interface GigabitEthernet0/0/0
description Internet
zone-member security Outside


interface TenGigabitEthernet0/0/0.1
description Native VLAN
encapsulation dot1Q 1 native
ip address 172.16.0.1 255.255.255.0
ip nat inside
zone-member security Inside
!

ip nat inside source static 172.16.0.226 XX.Xx.XX.XX


4 Replies

Hi,
Try changing the ACL to use the real IP address of the host rather than the NATed IP.

HTH

It has the real IP. I did not write it because we are a school and have been attacked several times. 45.59.xxx.xxx

Accepted Solution:

I mean define the private IP address (172.16.0.226) in the ACL, not the NAT/translated address.
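As an added illustration (not the original poster's configuration and not a Cisco-supplied example), here is the same zone-based firewall policy with the ACL keyed to the inside host's real address, followed by the show commands a practitioner would use to confirm the match. The public address 203.0.113.10 is a constructed RFC 5737 documentation address standing in for the masked XX.XX.XX.XX; the `ip nat outside` line on the Internet interface is assumed, since the post does not show it but static NAT needs it. The reason the private address is the right key: for packets arriving from the Outside zone, IOS applies the static NAT translation before the zone-pair policy inspects them, so the class-map's ACL sees a destination of 172.16.0.226, never the public address.

```ios
! Added example, not the original poster's running configuration.
! 203.0.113.10 is a constructed stand-in for the masked public address.
!
! ACL keyed on the inside host's real (pre-NAT) address: for Outside->Inside
! traffic IOS translates the destination before the zone-pair policy runs.
ip access-list extended Outside-Traffic
 40 permit tcp any host 172.16.0.226 eq www
 900 deny ip any any
!
class-map type inspect match-any Incoming-Traffic
 match access-group name Outside-Traffic
!
policy-map type inspect Incoming-Traffic-Policy
 class type inspect Incoming-Traffic
  inspect
 class class-default
  drop log
!
zone security Outside
zone security Inside
!
zone-pair security Out-To-In source Outside destination Inside
 service-policy type inspect Incoming-Traffic-Policy
!
interface GigabitEthernet0/0/0
 description Internet
 ip nat outside        ! assumed: not shown in the post, required for static NAT
 zone-member security Outside
!
interface TenGigabitEthernet0/0/0.1
 description Native VLAN
 encapsulation dot1Q 1 native
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
 zone-member security Inside
!
ip nat inside source static 172.16.0.226 203.0.113.10
!
! Verification from exec mode: the hit counter on sequence 40 should rise
! as real connections arrive, the zone-pair should list open sessions, and
! the static translation should appear in the NAT table.
! show ip access-lists Outside-Traffic
! show policy-map type inspect zone-pair Out-To-In sessions
! show ip nat translations
```

If the sequence 40 counter stays at zero while the class-default drop counter climbs, the ACL is still matching on the wrong address. Only the Out-To-In zone-pair is shown, as in the post; inside-initiated traffic between the two zones needs its own zone-pair, which the post does not include.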

Wow. That was it. Thank you very much.
