Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1461
Views
0
Helpful
19
Replies

ACL question...

Go to solution
DAVID RICHWALSKI
Level 1
Level 1

‎12-27-2022 02:16 PM

I have a Cisco 3925 Router..

I want to "redirect" Port 80/443 to a different port ...I am hoping you may let me know if this is right..

ip nat inside source static tcp xxxx.xxxx.x.x 80 interface GigabitEthernet0/0 30080
ip nat inside source static tcp xxxx.xxxx.x.x 443 interface GigabitEthernet0/0 30443

access-list 101 permit tcp any any eq 30080 log
access-list 101 permit tcp any any eq 30443 log

Also do i always need to specify an ACL when oprening Ports?

Thanks.....

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP
In response to DAVID RICHWALSKI

‎12-27-2022 03:52 PM - edited ‎12-27-2022 03:53 PM 

access-list 1 remark --- GigabitEthernet0/2 MY LAN-(LAN) ---

access-list 100 remark --- GigabitEthernet0/2 MY LAN ---

access-list 101 remark --- GigabitEthernet0/0 SPECTRUM-(WAN)(DHCP-bootps/bootpc) ---

 

ONLY you need what you mention in your original post, this ACL need to pass the ACL you apply to WAN interface. 

access-list 101 permit tcp any any eq 30080 log
access-list 101 permit tcp any any eq 30443 log

no need any other change. you config is perfect. 

View solution in original post

0 Helpful
19 Replies 19

Go to solution
MHM Cisco World
VIP
VIP

‎12-27-2022 02:18 PM

no need acl, only NAT need.

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎12-27-2022 02:32 PM

i am hoping the traffic coming from out side  and you like to port-forward to internal Server ?

xxxx.xxxx.x.x  - is the internal IP ?

GigabitEthernet0/0  - IP getting from ISP ? or static ?

so the router knows  internal server xxxxxxxx  how to reach? never connect IP address ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
DAVID RICHWALSKI
Level 1
Level 1
In response to balaji.bandi

‎12-27-2022 02:53 PM

xxxx.xxx.xx.x is internal IP

Gigabitethernet0/0 is OUTSIDE (DDNS)

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to DAVID RICHWALSKI

‎12-27-2022 02:57 PM

the only case that we use ACL with port forwarding it to exclude the IP-L4Port from dynamic NAT applied to same interface.

0 Helpful

Go to solution
DAVID RICHWALSKI
Level 1
Level 1
In response to MHM Cisco World

‎12-27-2022 03:12 PM

so just to clarify...so I really understand...all of the ACL'S I have been using a worthless in my configuration?

access-list 101 remark *******************************
access-list 101 remark --- SOME SERVICE ---
access-list 101 permit tcp any any eq 31000 log
access-list 101 permit udp any any eq 32000 log
access-list 101 remark *******************************

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to DAVID RICHWALSKI

‎12-27-2022 03:20 PM

the ACL you sharing is no need, the port is open by default since you dont config any other ACL. 
so you dont need it. 

why you think that you need it ?

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to DAVID RICHWALSKI

‎12-27-2022 03:18 PM

below lines work as exected for port-forward external to internal (taking grant router not running any service on 30090 and 300443 port)

ip nat inside source static tcp xxxx.xxxx.x.x 80 interface GigabitEthernet0/0 30080
ip nat inside source static tcp xxxx.xxxx.x.x 443 interface GigabitEthernet0/0 30443

access-list 101  - is this ACL you match to NAT going out ?

then I would deny the host NAT traffic.

access-list 101 deny TCP x.x.x.x eq 80 any

access-list 101 deny TCP x.x.x.x eq 443 any

I also take into account that you do not have any ACL configured on gig 0/0 coming in traffic.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
DAVID RICHWALSKI
Level 1
Level 1
In response to balaji.bandi

‎12-27-2022 03:20 PM

here is g0/0

ip nat inside source list 1 interface GigabitEthernet0/0 overload

 

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to DAVID RICHWALSKI

‎12-27-2022 03:22 PM

ip nat inside source list 1 interface GigabitEthernet0/0 overload <<- this the answer why you need ACL for port fowrding 

0 Helpful

Go to solution
DAVID RICHWALSKI
Level 1
Level 1
In response to DAVID RICHWALSKI

‎12-27-2022 03:22 PM

also thhis

access-list 101 remark --- GigabitEthernet0/0 SPECTRUM-(WAN)(DHCP-bootps/bootpc) ---
access-list 101 permit udp any any eq bootps log
access-list 101 permit udp any any eq bootpc log

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to DAVID RICHWALSKI

‎12-27-2022 03:32 PM

replace my example 101 with 1 - that should work as expected.

access-list 1 deny TCP x.x.x.x eq 80 any

access-list 1 deny TCP x.x.x.x eq 443 any

 

still an issue, post complete show run (removing passwords and any confidential information - not need to remove RFC 1918 address)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎12-27-2022 03:23 PM - edited ‎12-27-2022 03:44 PM

ip nat inside source list 1 interface GigabitEthernet0/0 overload 
the above nat must be 

ip nat inside source list 101 interface GigabitEthernet0/0 overload  <<- if you use ACL 101 in other place please make it 110

!
ip access-list extended 101

 deny TCP x.x.x.x eq 80 any

deny TCP x.x.x.x eq 443 any

permit ip any any <<- instead of source any you can specify your local LAN

 

0 Helpful

Go to solution
DAVID RICHWALSKI
Level 1
Level 1
In response to MHM Cisco World

‎12-27-2022 03:29 PM

 

Like----perrmit ip any MY LAN

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to DAVID RICHWALSKI

‎12-27-2022 03:31 PM - edited ‎12-27-2022 03:43 PM

no 
permit ip <your LAN need to NAT> any 

also can I ask, are you apply access-group 101 in WAN interface ? if YES then you also need 
access-list 101 permit tcp any any eq 31000 log
access-list 101 permit udp any any eq 32000 log

in simple words:- you need DENY for ACL for NAT and need PERMIT for ACL apply to interface. 

0 Helpful
Customers Also Viewed These Support Documents