05-08-2017 04:09 AM - edited 03-05-2019 08:29 AM
Hi,
I would like to restrict incoming WAN traffic from a specified WAN IP to a specified LAN address.
Public WAN Ip 1.2.3.4 ---> Router outside address 5.6.7.8 ----> 192.168.0.5 port 16992
I previously had a NAT forwarding as per below but I would like to further secure the communication so only a certain WAN IP can have access.
ip nat inside source static tcp 192.168.0.5 16992 interface Dialer0 16992
I take it this is possible to do with ACL's or another syntax of the forward?
Any help/guidance would be much appreciated.
Thanks
05-08-2017 04:40 AM
Yes, you could just use an extended access-list and apply it to the WAN interface, blocking that particular public IP from speaking with your specific LAN IP, or block it for the whole LAN if you want.
Example:
access-list 189 deny tcp host 68.238.14.29 host 10.0.1.99 eq 22
interface GigabitEthernet0/0/1
 description ....................
 bandwidth 10000
 ip address x.x.x.x 255.255.255.252
 ip access-group 189 in
05-08-2017 04:50 AM
Hi Mark,
Thanks for that. Sorry, I actually meant I want to allow incoming traffic from a specified public WAN IP. Do you replace the "deny" with "permit" as per below?
access-list 189 permit tcp host 68.238.14.29 host 10.0.1.99 eq 22
Will this automatically deny traffic from any other locations?
In my case, would I apply this extended ACL on the outside interface (Dialer0) or on the LAN interface (Vlan1)?
Thanks for your help!
05-08-2017 05:12 AM
ip nat inside source static tcp 192.168.0.5 16992 interface Dialer0 16992
!
int Dialer0
 ip add 5.6.7.8 255.255.255.252
 ip access-group 189 in
!
access-list 189 permit tcp host y.y.y.y host 5.6.7.8 eq 16992
access-list 189 deny tcp any host 5.6.7.8 eq 16992
access-list 189 permit ip any any
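To show why the three lines above are ordered the way they are, and to answer the "will this automatically deny everything else?" question from the previous post, here is a small added simulation (not from this thread or from Cisco) of how IOS evaluates an ACL: first matching entry wins, and an unmatched packet hits the implicit deny at the end. It assumes the inbound ACL on Dialer0 sees the pre-NAT destination 5.6.7.8, and it uses the constructed address 198.51.100.7 in place of y.y.y.y.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    """One access-control entry, as in 'access-list 189 <action> <proto> ...'."""
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str                  # host address or "any"
    dst: str                  # host address or "any"
    dport: Optional[int] = None  # None means any destination port (no 'eq')


def matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.src != "any" and ace.src != src:
        return False
    if ace.dst != "any" and ace.dst != dst:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return True


def evaluate(acl: list, proto: str, src: str, dst: str, dport: int) -> str:
    """First match wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if matches(ace, proto, src, dst, dport):
            return ace.action
    return "deny"


# ACL 189 from the post above, applied inbound on Dialer0. The inbound check
# happens before NAT, so the destination seen here is the outside address.
ALLOWED_SRC = "198.51.100.7"   # constructed stand-in for y.y.y.y
ACL_189 = [
    Ace("permit", "tcp", ALLOWED_SRC, "5.6.7.8", 16992),
    Ace("deny", "tcp", "any", "5.6.7.8", 16992),
    Ace("permit", "ip", "any", "any"),
]
# The single 'permit' line asked about earlier, with nothing after it.
ACL_SINGLE = [Ace("permit", "tcp", ALLOWED_SRC, "5.6.7.8", 16992)]

if __name__ == "__main__":
    print(evaluate(ACL_189, "tcp", ALLOWED_SRC, "5.6.7.8", 16992))    # permit
    print(evaluate(ACL_189, "tcp", "203.0.113.9", "5.6.7.8", 16992))  # deny
    print(evaluate(ACL_189, "tcp", "203.0.113.9", "5.6.7.8", 443))    # permit
    print(evaluate(ACL_SINGLE, "tcp", "203.0.113.9", "5.6.7.8", 443)) # deny
```

The last line is the point of the trailing "permit ip any any": without it, the single permit entry blocks every other inbound flow, not just other sources on port 16992.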
05-11-2017 01:55 PM
I think you have to use extended access-list on this.
Try this:
ip access-list extended 189
 permit tcp host <source-ip> host <destination-ip> eq 16992
 deny tcp any host <destination-ip> eq 16992
 permit ip any any
05-08-2017 05:22 AM
Yes, that was just an example. You can deny it instead of permit, but then permit everything else in your last statement, as a.alekseev has done below as an example, so everything else is still allowed.