03-12-2015 06:25 AM - edited 03-11-2019 10:37 PM
I applied an access list on the internet interface to permit only the used ports and deny the others for our local users, but when I tried to add an exception for a host in the access list it didn't work; it keeps treating him as before, and when I check the access list I found that there is no hit on the host line. Does that mean the packet sourced from the host changes its source when leaving through the internet interface, and that is why I didn't find a hit in the access list?
Please help me with this problem and with how I can permit only this host to use any port.
This is a sample of the configuration:
ip access-list extended internet-access
permit ip host 192.168.3.43 any
permit icmp any any
permit tcp any any eq 3344
permit tcp any any eq 3390
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit tcp any any eq 22
permit tcp any any eq domain
permit udp any any eq domain
permit tcp any any eq telnet
permit tcp any any eq smtp
permit tcp any any eq 587
permit tcp any any eq 465
permit udp any any eq tftp
permit udp any any eq snmp
!
interface GigabitEthernet0/2.705
description $INTERNET_OUTSIDE$
encapsulation dot1Q 705
ip address XX.XX.XX.XX 255.255.255.240
ip access-group internet-access out
ip nat outside
ip virtual-reassembly in
Regards
03-15-2015 05:26 AM
Basically, yes to what you say.
From inside to outside, NAT happens before an outbound ACL is checked, so the private IP has already been translated.
If you wanted to control access this way you would need to move the ACL to the inside interface and apply it inbound; then you would be able to control traffic for certain hosts.
Jon
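Jon's fix written out as an IOS configuration, as an added example that is not part of the thread. The host 192.168.3.43, the ACL name and the port list come from the question; the inside interface name GigabitEthernet0/1 and the internal range 192.168.0.0/16 are assumptions.

```cisco
! Before (from the question): the ACL sits outbound on the NAT outside interface.
! For inside->outside traffic IOS evaluates: inbound ACL, routing, NAT, outbound ACL.
! By the time this ACL runs the source is already the public address, so the line
! "permit ip host 192.168.3.43 any" can never match and shows zero hits.
interface GigabitEthernet0/2.705
 no ip access-group internet-access out
!
! After: the same ACL applied inbound on the inside (LAN) interface, where the
! packet still carries its private source. Rebuild it so the entries are ordered
! as shown (re-entering an existing ACL only appends lines).
no ip access-list extended internet-access
ip access-list extended internet-access
 remark exception host may use any port
 permit ip host 192.168.3.43 any
 remark ASSUMPTION: an inbound ACL on the inside interface now filters everything
 remark entering from the LAN, not only internet-bound traffic, so keep
 remark LAN-to-LAN traffic working; adjust 192.168.0.0/16 to your addressing
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit icmp any any
 permit tcp any any eq 3344
 permit tcp any any eq 3390
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any any eq 22
 permit tcp any any eq domain
 permit udp any any eq domain
 permit tcp any any eq telnet
 permit tcp any any eq smtp
 permit tcp any any eq 587
 permit tcp any any eq 465
 permit udp any any eq tftp
 permit udp any any eq snmp
 remark explicit deny with logging so blocked attempts are visible in syslog
 deny ip any any log
!
interface GigabitEthernet0/1
 description LAN inside (ASSUMED interface name)
 ip nat inside
 ip access-group internet-access in
!
! Verification: the host line now accumulates "(N matches)", and the NAT table
! shows the translation that hid the private source from the old outbound ACL.
! show access-lists internet-access
! show ip nat translations
```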
03-15-2015 05:51 AM
Thank you.
I did what you said and it worked fine.
Thank you again.