ACL - block incoming WAN traffic to specified LAN address

Hi,

I would like to restrict incoming WAN traffic from a specified WAN IP to a specified LAN address.

Public WAN IP 1.2.3.4 ---> Router outside address 5.6.7.8 ----> 192.168.0.5 port 16992

I previously had a NAT forwarding as per below but I would like to further secure the communication so only a certain WAN IP can have access.

ip nat inside source static tcp 192.168.0.5 16992 interface Dialer0 16992

I take it this is possible to do with ACLs or another syntax of the forward?

Any help/guidance would be much appreciated.

Thanks

5 Replies

Mark Malone
VIP Alumni

Yes, you could just use an extended access-list and apply it to the WAN interface, blocking that particular public IP from speaking with your specific LAN IP, or block it for the whole LAN if you want.

example

access-list 189 deny tcp host 68.238.14.29 host 10.0.1.99 eq 22

interface GigabitEthernet0/0/1
 description ....................
 bandwidth 10000
 ip address x.x.x.x  255.255.255.252
 ip access-group 189 in

Hi Mark,

Thanks for that. Sorry, I actually meant that I want to allow incoming traffic from a specified public WAN IP. Do you replace the "deny" with "permit" as per below...

access-list 189 permit tcp host 68.238.14.29 host 10.0.1.99 eq 22

Will this automatically deny traffic from any other locations?

In my case, would I apply this extended ACL on the outside interface (Dialer0) or the LAN interface (Vlan1)?

Thanks for your help!

ip nat inside source static tcp 192.168.0.5 16992 interface Dialer0 16992
!
int Dialer0
 ip add 5.6.7.8 255.255.255.252
 ip access-group 189 in
!
access-list 189 permit tcp host y.y.y.y host 5.6.7.8 eq 16992
access-list 189 deny tcp any host 5.6.7.8 eq 16992
access-list 189 permit ip any any

I think you have to use an extended access-list for this.

Try this (the named-ACL form: `ip access-list extended 189` enters ACL configuration mode, and the entries follow on their own lines):

ip access-list extended 189
 permit tcp host <source-ip> host <destination-ip> eq 16992
 deny tcp any host <destination-ip> eq 16992
 permit ip any any

Yes, that was just an example. You can deny it instead of permit, but then permit everything else in your last statement, as a.alekseev has done below as an example, so everything else is still allowed.
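As an added illustration (not code from any of the posters above), here is a small first-match evaluator for Cisco-style extended ACL entries, used to check what access-list 189 from a.alekseev's reply (and the named-ACL version in the following reply) does when applied inbound on Dialer0. The addresses are assumptions: the permitted remote host y.y.y.y is taken as 203.0.113.10 and a second, unrelated WAN host as 198.51.100.7 (RFC 5737 documentation ranges); the outside address 5.6.7.8 and LAN host 192.168.0.5 are the thread's own. It also shows two variants that are easy to get wrong: dropping the trailing `permit ip any any`, and naming the inside (post-NAT) address in an ACL that is evaluated on the WAN interface before the static NAT translation happens.

```python
"""Added example, not from the thread: first-match evaluation of Cisco-style
extended ACL entries, limited to the fields used in access-list 189
(protocol, 'host'/'any' source and destination, 'eq <port>').
Addresses 203.0.113.10 and 198.51.100.7 are assumed documentation hosts."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (ip matches anything)
    src: str                     # dotted host address or "any"
    dst: str                     # dotted host address or "any"
    dport: Optional[int] = None  # destination port from "eq N"; None = any


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N <action> <proto> <src> <dst> [eq <port>]', or the
    same entry without the 'access-list N' prefix (named-ACL form)."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]
    action, proto = tok[0], tok[1]
    pos = 2

    def addr() -> str:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "any"
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1]
        raise ValueError(f"unsupported address form: {tok[pos]!r}")

    src, dst = addr(), addr()
    dport = None
    if pos < len(tok) and tok[pos] == "eq":
        dport = int(tok[pos + 1])
    return Ace(action, proto, src, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(line) for line in text.strip().splitlines() if line.strip()]


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src != "any" and ace.src != pkt.src:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins.  If nothing matches, IOS applies the
    implicit 'deny ip any any', reported here as ('deny', None)."""
    for idx, ace in enumerate(acl):
        if matches(ace, pkt):
            return ace.action, idx
    return "deny", None


# The ACL from the thread.  Inbound on Dialer0 the packet is checked BEFORE
# the static NAT rewrites 5.6.7.8 to 192.168.0.5, so the entries must name
# the outside address, not the LAN host.
ACL_189 = parse_acl("""
access-list 189 permit tcp host 203.0.113.10 host 5.6.7.8 eq 16992
access-list 189 deny tcp any host 5.6.7.8 eq 16992
access-list 189 permit ip any any
""")

# Same entries without the trailing permit: the implicit deny then drops all
# other inbound traffic, including replies to the LAN's own outbound sessions.
ACL_NO_TRAILING_PERMIT = ACL_189[:2]

# Common mistake: naming the inside (post-NAT) address.  On the WAN-side
# inbound ACL nothing ever matches the first two entries, so the port stays open.
ACL_INSIDE_ADDRESS = parse_acl("""
permit tcp host 203.0.113.10 host 192.168.0.5 eq 16992
deny tcp any host 192.168.0.5 eq 16992
permit ip any any
""")

ALLOWED_FWD = Packet("tcp", "203.0.113.10", "5.6.7.8", 16992)  # constructed
OTHER_FWD = Packet("tcp", "198.51.100.7", "5.6.7.8", 16992)    # constructed
OTHER_HTTPS = Packet("tcp", "198.51.100.7", "5.6.7.8", 443)    # constructed

if __name__ == "__main__":
    for name, acl in (("ACL 189", ACL_189),
                      ("no trailing permit", ACL_NO_TRAILING_PERMIT),
                      ("inside address", ACL_INSIDE_ADDRESS)):
        for pkt in (ALLOWED_FWD, OTHER_FWD, OTHER_HTTPS):
            print(f"{name:20} {pkt.src:>14} -> {pkt.dst}:{pkt.dport}  "
                  f"{evaluate(acl, pkt)}")
```

Running it shows ACL 189 permitting only the chosen host on 16992, denying everyone else on that port, and still letting other traffic through on the last line; the two-entry variant denies the HTTPS packet via the implicit deny, and the inside-address variant permits the unwanted 16992 packet because the destination has not been translated yet when the ACL runs.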
