
ACL - block incoming WAN traffic to specified LAN address


I would like to restrict incoming WAN traffic from a specified WAN IP to a specified LAN address.

Public WAN IP ---> Router outside address ----> port 16992

I previously had a NAT forwarding as per below but I would like to further secure the communication so only a certain WAN IP can have access.

ip nat inside source static tcp 16992 interface Dialer0 16992

I take it this is possible to do with ACLs or another syntax of the forward?

Any help\guidance would be much appreciated.


Mark Malone
VIP Mentor

Yes, you could just use an extended access-list and apply it to the WAN interface, blocking that particular public IP from speaking with your specific LAN IP, or block it for the whole LAN if you want.


access-list 189 deny tcp host host eq 22

interface GigabitEthernet0/0/1
 description ....................
 bandwidth 10000
 ip address x.x.x.x
 ip access-group 189 in

Hi Mark,

Thanks for that. Sorry, I actually meant I want to allow incoming traffic from a specified public WAN IP. Do you replace the "deny" with "permit" as per below...

access-list 189 permit tcp host host eq 22

Will this automatically deny traffic from any other locations?

In my case, would I apply this extended ACL on the outside interface Dialer0 or LAN interface Vlan1?

Thanks for your help!

ip nat inside source static tcp 16992 interface Dialer0 16992
int Dialer0
 ip add
 ip access-group 189 in
access-list 189 permit tcp host y.y.y.y host eq 16992
access-list 189 deny tcp any host eq 16992
access-list 189 permit ip any any

I think you have to use extended access-list on this.

Try this:

ip access-list extended 189
 permit tcp host <ip of source> host <ip of destination> eq 16992
 deny tcp any host <ip address of destination> eq 16992
 permit ip any any

Yes, that was just an example. You can deny it instead of permit, but then permit everything else in your last statement, as a.alekseev has done below as an example, so everything else is still allowed.
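
The question raised in the thread (whether a lone permit entry denies everything else) comes down to first-match evaluation plus the implicit deny that ends every ACL. The Python sketch below is an added example, not code from any post; it models that evaluation for the permit-only list and for the three-entry list. All addresses are constructed documentation values, and `ALLOWED` and `OUTSIDE` are hypothetical names for the permitted WAN host and the router's outside address.

```python
import ipaddress

# Constructed documentation addresses (assumptions, not from the thread).
ALLOWED = "198.51.100.10"   # the one WAN host that may connect
OUTSIDE = "203.0.113.1"     # router outside address on Dialer0

def rule(action, proto, src, dst, port=None):
    """One extended-ACL entry; 'any' matches every address."""
    net = lambda a: ipaddress.ip_network("0.0.0.0/0" if a == "any" else a)
    return (action, proto, net(src), net(dst), port)

def evaluate(acl, proto, src, dst, port):
    """First matching entry wins; no match falls to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in acl:
        if r_proto not in ("ip", proto):
            continue
        if s in r_src and d in r_dst and r_port in (None, port):
            return action
    return "deny"  # implicit deny at the end of every ACL

# Only the permit line: every other inbound flow hits the implicit deny.
PERMIT_ONLY = [rule("permit", "tcp", ALLOWED, OUTSIDE, 16992)]

# Three-entry form from the thread: restrict 16992, allow the rest.
THREE_LINE = [
    rule("permit", "tcp", ALLOWED, OUTSIDE, 16992),
    rule("deny", "tcp", "any", OUTSIDE, 16992),
    rule("permit", "ip", "any", "any"),
]

def verdicts(acl):
    """Evaluate three constructed inbound packets against an ACL."""
    packets = {
        "allowed_host_16992": ("tcp", ALLOWED, OUTSIDE, 16992),
        "other_host_16992": ("tcp", "192.0.2.77", OUTSIDE, 16992),
        # e.g. a reply to a LAN-originated session (ACLs are stateless)
        "unrelated_tcp_50000": ("tcp", "192.0.2.77", OUTSIDE, 50000),
    }
    return {name: evaluate(acl, *p) for name, p in packets.items()}

if __name__ == "__main__":
    for label, acl in (("permit only", PERMIT_ONLY), ("three-line", THREE_LINE)):
        print(label, verdicts(acl))
```

With only the permit entry applied inbound, the unrelated flow is dropped as well, which is why the three-entry form ends with `permit ip any any`.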