ACL question...

I have a Cisco 3925 Router..

I want to "redirect" ports 80/443 to a different port... I am hoping you can let me know if this is right.

ip nat inside source static tcp xxxx.xxxx.x.x 80 interface GigabitEthernet0/0 30080
ip nat inside source static tcp xxxx.xxxx.x.x 443 interface GigabitEthernet0/0 30443

access-list 101 permit tcp any any eq 30080 log
access-list 101 permit tcp any any eq 30443 log

Also, do I always need to specify an ACL when opening ports?

Thanks.....

Accepted Solution

access-list 1 remark --- GigabitEthernet0/2 MY LAN-(LAN) ---
access-list 100 remark --- GigabitEthernet0/2 MY LAN ---
access-list 101 remark --- GigabitEthernet0/0 SPECTRUM-(WAN)(DHCP-bootps/bootpc) ---

You ONLY need what you mentioned in your original post; this ACL needs to pass the ACL you apply to the WAN interface.

access-list 101 permit tcp any any eq 30080 log
access-list 101 permit tcp any any eq 30443 log

No need for any other change. Your config is perfect.


No need for an ACL, only NAT is needed.

balaji.bandi (Hall of Fame)

I am hoping the traffic is coming from outside and you'd like to port-forward it to an internal server?

xxxx.xxxx.x.x - is this the internal IP?

GigabitEthernet0/0 - is the IP obtained from the ISP, or static?

So does the router know how to reach the internal server xxxxxxxx, or is that IP address never connected?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

xxxx.xxx.xx.x is the internal IP.

GigabitEthernet0/0 is OUTSIDE (DDNS).

The only case where we use an ACL with port forwarding is to exclude the IP/L4 port from the dynamic NAT applied to the same interface.

So just to clarify, so I really understand: all of the ACLs I have been using are worthless in my configuration?

access-list 101 remark *******************************
access-list 101 remark --- SOME SERVICE ---
access-list 101 permit tcp any any eq 31000 log
access-list 101 permit udp any any eq 32000 log
access-list 101 remark *******************************

The ACL you're sharing is not needed; the port is open by default since you don't configure any other ACL.
So you don't need it.

Why do you think that you need it?

The lines below work as expected for port-forwarding external to internal (taking for granted that the router is not running any service on ports 30080 and 30443):

ip nat inside source static tcp xxxx.xxxx.x.x 80 interface GigabitEthernet0/0 30080
ip nat inside source static tcp xxxx.xxxx.x.x 443 interface GigabitEthernet0/0 30443

access-list 101 - is this the ACL you match to NAT going out?

Then I would deny the host's NAT traffic:

access-list 101 deny tcp host x.x.x.x eq 80 any
access-list 101 deny tcp host x.x.x.x eq 443 any

I also take into account that you do not have any ACL configured on Gig0/0 for incoming traffic.


BB


Here is G0/0:

ip nat inside source list 1 interface GigabitEthernet0/0 overload

ip nat inside source list 1 interface GigabitEthernet0/0 overload <<- this is the answer to why you need an ACL for port forwarding.

Also this:

access-list 101 remark --- GigabitEthernet0/0 SPECTRUM-(WAN)(DHCP-bootps/bootpc) ---
access-list 101 permit udp any any eq bootps log
access-list 101 permit udp any any eq bootpc log

replace my example 101 with 1 - that should work as expected.

access-list 1 deny TCP x.x.x.x eq 80 any
access-list 1 deny TCP x.x.x.x eq 443 any

If it's still an issue, post the complete show run (removing passwords and any confidential information; no need to remove RFC 1918 addresses).

BB


ip nat inside source list 1 interface GigabitEthernet0/0 overload
The above NAT must be:

ip nat inside source list 101 interface GigabitEthernet0/0 overload <<- if you use ACL 101 elsewhere, please make it 110

!
ip access-list extended 101
 deny tcp host x.x.x.x eq 80 any
 deny tcp host x.x.x.x eq 443 any
 permit ip any any <<- instead of source any you can specify your local LAN
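For reference, here is a consolidated IOS config (added example, not posted by anyone in this thread) that puts the pieces above together: the two static port-forwards and the PAT overload on the same WAN interface, with the thread's recommended exclusion of the server's forwarded ports from the dynamic NAT ACL. The server address 192.168.1.10, the LAN 192.168.1.0/24, the DHCP WAN address and the named ACL NAT-OVERLOAD (used instead of a number to avoid colliding with the existing access-list 101) are assumed placeholders; as in the thread, no inbound filter is applied to the WAN interface.

```cisco
! Added example, not from the thread. Placeholders: 192.168.1.10 stands for
! the internal server (the thread's xxxx.xxxx.x.x), 192.168.1.0/24 is the LAN.
interface GigabitEthernet0/0
 description SPECTRUM-(WAN)
 ip address dhcp
 ip nat outside
!
interface GigabitEthernet0/2
 description MY LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Static translations: outside TCP/30080 -> server:80, outside TCP/30443 -> server:443
ip nat inside source static tcp 192.168.1.10 80 interface GigabitEthernet0/0 30080
ip nat inside source static tcp 192.168.1.10 443 interface GigabitEthernet0/0 30443
!
! Dynamic PAT for the rest of the LAN. The deny lines exclude the server's
! forwarded ports from the overload rule, which is the only reason an ACL
! is involved in this port-forward at all. A standard ACL (access-list 1)
! cannot match protocol or port, so the list has to be extended.
ip access-list extended NAT-OVERLOAD
 deny   tcp host 192.168.1.10 eq 80 any
 deny   tcp host 192.168.1.10 eq 443 any
 permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list NAT-OVERLOAD interface GigabitEthernet0/0 overload
!
! Verification from exec mode:
!   show ip nat translations      - the two static entries should be listed
!   show access-lists NAT-OVERLOAD - deny counters increment as the server replies
```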