12-03-2009 06:46 AM - edited 03-11-2019 09:45 AM
We have a Cisco 877 router with a single external IP address.
INSIDE (VLAN1) = 192.168.0.0/24
OUTSIDE (DIALER1) = 195.149.45.229
We have clients on INSIDE who have full internet access.
We have NAT working, a one-to-many NAT.
ip nat inside source static tcp 192.168.0.8 5003 interface Dialer1 5003
ip nat inside source static tcp 192.168.0.8 5090 interface Dialer1 5090
ip nat inside source static udp 192.168.0.8 6000 interface Dialer1 6000
ip nat inside source static tcp 192.168.0.10 4899 interface Dialer1 4899
So now I can talk to these ports from an EXTERNAL IP so the NAT is working fine.
However... I need to lock down access to these ports to specific IP address ranges.
I require INSIDE to still have full internet access to OUTSIDE but restricted access from OUTSIDE to TCP ports 4899, 5003, 5090 and UDP port 6000.
What is the easiest way of applying this ACL? I am assuming on DIALER1 I apply an INBOUND ACL but am having issues with TCP & UDP replies on high port numbers. I don’t want to be blocking legitimate reply traffic which will also be INBOUND on a high port number…
12-03-2009 10:22 AM
nishit.patel wrote: [original post quoted above]
If you don't have the IOS firewall running on your router then the next best thing would be to use reflexive access-lists. These allow return traffic back in if it has been allowed out, but you can still control what traffic can be initiated from outside.
Jon
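As an added example (not Jon's or the original poster's configuration) of what the reflexive access-list approach looks like for this exact NAT setup, assuming the trusted source range is 203.0.113.0/24 (a placeholder to be replaced with the real ranges) and that Dialer1 keeps the static address 195.149.45.229:

```cisco
! Outbound on Dialer1: NAT has already run, so sessions are recorded with
! the public source address. Every outbound TCP/UDP session is mirrored
! into the temporary list RETURN-TRAFFIC; other IP traffic is just allowed.
ip access-list extended OUTBOUND-FILTER
 permit tcp any any reflect RETURN-TRAFFIC timeout 300
 permit udp any any reflect RETURN-TRAFFIC timeout 60
 permit ip any any
!
! Inbound on Dialer1: the ACL is checked BEFORE the static NAT is undone,
! so the destination must be the public address, not 192.168.0.x.
! 1) evaluate lets replies to inside-initiated sessions back in (any port),
! 2) only the placeholder 203.0.113.0/24 may initiate to the forwarded ports,
! 3) everything else is dropped and logged for review.
ip access-list extended INBOUND-FILTER
 evaluate RETURN-TRAFFIC
 remark --- 203.0.113.0/24 is a placeholder for the allowed source ranges ---
 permit tcp 203.0.113.0 0.0.0.255 host 195.149.45.229 eq 4899
 permit tcp 203.0.113.0 0.0.0.255 host 195.149.45.229 eq 5003
 permit tcp 203.0.113.0 0.0.0.255 host 195.149.45.229 eq 5090
 permit udp 203.0.113.0 0.0.0.255 host 195.149.45.229 eq 6000
 deny ip any any log
!
interface Dialer1
 ip access-group OUTBOUND-FILTER out
 ip access-group INBOUND-FILTER in
```

Verify with `show access-lists RETURN-TRAFFIC` while an inside host browses; the dynamic entries it lists are the high-port replies the inbound filter would otherwise block. If Dialer1 ever gets a dynamic address, replace `host 195.149.45.229` with `any` in the inbound permits.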