cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
843
Views
0
Helpful
5
Replies

Block all incoming trafic on a NAT

dbrajort1
Level 1
Level 1

Hi,

 

I have the following problem on an ISR 2911 :

 

I have a dynamic NAT for all the inside users :

ip nat inside source route-map My_Lans interface GigabitEthernet0/0 overload

 

Where My_Lans deny all traffic to my VPN connected sites and permit everything else.

 

Of course, this works fine.

 

Now I want to add another nat for an outgoing email server (it will only forward to the outside and never receive).

I want this server to use a different IP that I already have.

 

If I add :

ip nat inside source static 192.168.2.25 A.B.C.D extendable

Then the server is seen on with the right address but anyone can connect to the server from the outside.

 

How can I easily block all the incoming traffic ?

 

Thanks,

5 Replies 5

Hi, you can apply an ACL to your outside interface.

 

Regards.

Hi,
You would need to create an ACL and apply this ACL inbound on your outside interface, deny from any IP to the destination A.B.C.D (your new nat public ip address) then permit all other ip traffic (if so desired).

HTH

This doesn't work,

 

It effectively block all incoming trafic but it also block all answers to my server.

 

So I can initiate a connection (I can see it with sh ip nat translation) but the server doesn't get its answer.

Yeah true. Use ZBFW then, it's stateful and would allow return traffic?

The configuration is already very complex with lots of ACL.

 

Actually, I already have an ACL on my outside interface.

 

I sought about a route-map on the nat but I can't figure out how to make it works.

 

I also tried to use a dynamic nat with a pool of one address but IOS requires a minimum of 4 to define a pool.

 

That's why I asking for help.