ACL - block incoming WAN traffic to specified LAN address

Hi,

I would like to restrict incoming WAN traffic from a specified WAN IP to a specified LAN address.

Public WAN IP 1.2.3.4 ---> Router outside address 5.6.7.8 ----> 192.168.0.5 port 16992

I previously had a NAT forwarding as per below but I would like to further secure the communication so only a certain WAN IP can have access.

ip nat inside source static tcp 192.168.0.5 16992 interface Dialer0 16992

I take it this is possible to do with ACLs or another syntax of the forward?

Any help/guidance would be much appreciated.

Thanks

5 REPLIES
VIP Mentor

Yes, you could just use an extended access-list and apply it to the WAN interface, blocking that particular public IP from speaking with your specific LAN IP, or block it for the whole LAN if you want.

example

access-list 189 deny tcp host 68.238.14.29 host 10.0.1.99 eq 22

interface GigabitEthernet0/0/1
 description ....................
 bandwidth 10000
 ip address x.x.x.x  255.255.255.252
 ip access-group 189 in


Hi Mark,

Thanks for that. Sorry, I actually meant I want to allow incoming traffic from a specified public WAN IP. Do you replace the "deny" with "permit" as per below...

access-list 189 permit tcp host 68.238.14.29 host 10.0.1.99 eq 22

Will this automatically deny traffic from any other locations?

In my case, would I apply this extended ACL on the outside interface Dialer0 or the LAN interface Vlan1?

Thanks for your help!


ip nat inside source static tcp 192.168.0.5 16992 interface Dialer0 16992
!
int Dialer0
 ip add 5.6.7.8 255.255.255.252
 ip access-group 189 in
!
access-list 189 permit tcp host y.y.y.y host 5.6.7.8 eq 16992
access-list 189 deny tcp any host 5.6.7.8 eq 16992
access-list 189 permit ip any any
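
The following is an added worked example, not a configuration posted in this thread. It puts the reply above together with the addresses from the original question (1.2.3.4 as the only permitted public host, 5.6.7.8 as the Dialer0 address, 192.168.0.5:16992 as the forwarded server) and answers the "will this automatically deny everything else?" question from the follow-up: on its own, a single permit line would deny everything else, because of the implicit deny at the end of every IOS ACL, and that would also block return traffic for sessions started from the LAN. The explicit deny for the forwarded port followed by "permit ip any any" limits the change to that one port. Inbound ACLs on the outside interface are evaluated before the outside-to-inside NAT translation, so the destination to match is the public address 5.6.7.8, not 192.168.0.5. The ACL number, remarks and the "log" keyword are choices made for this example.

```cisco
! Static port forward, as in the original post
ip nat inside source static tcp 192.168.0.5 16992 interface Dialer0 16992
!
! Inbound filter for the WAN side. Matches on the pre-NAT (public)
! destination address, so 5.6.7.8 is used, not 192.168.0.5.
ip access-list extended 189
 remark only 1.2.3.4 may reach the forwarded AMT port
 permit tcp host 1.2.3.4 host 5.6.7.8 eq 16992
 remark drop and log every other source to that port
 deny   tcp any host 5.6.7.8 eq 16992 log
 remark leave all other inbound traffic as it was before this ACL existed
 permit ip any any
!
interface Dialer0
 ip access-group 189 in
!
! Verification after applying:
!   show access-lists 189          -> per-line hit counters
!   show ip nat translations       -> the static 16992 entry is present
!   show logging | include 189     -> logged denies from unexpected sources
```

The hit counters from "show access-lists 189" are the quickest way to confirm the ACL is doing what you expect: a connection attempt from 1.2.3.4 should increment the permit line, and one from any other address should increment the deny line. The trailing "permit ip any any" keeps the router's other inbound behaviour unchanged; if you later want to lock down the WAN interface as a whole, that line is the one to revisit, and you would then need explicit permits for return traffic and any other forwards.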

I think you have to use an extended access-list on this.

Try this (the "ip access-list extended 189" line enters ACL configuration mode; the permit and deny entries are sub-commands under it):

ip access-list extended 189
 permit tcp host <source-ip> host <destination-ip> eq 16992
 deny tcp any host <destination-ip> eq 16992
 permit ip any any


Yes, that was just an example. You can deny it instead of permit, but then permit everything else in your last statement, as a.alekseev has done below as an example, so everything else is still allowed.