05-12-2011 03:33 AM - edited 03-04-2019 12:22 PM
Hi,
I'm trying to permit a specific external IP address to access my internal web server on port 8080. The problem I've been facing is that I have more than one public IP address and I am not really sure how to use our secondary IP address for this service.
I would like to permit traffic for i.e. 11.22.33.44 (my client IP) to 55.66.77.88 on port 8080, but IP 55.66.77.88 (external IP) is not my main IP address for the router.
My main IP address for the router is 55.66.77.87, but I don't want to give the client access on this IP. The client should access the web page via http://55.66.77.88:8080; this website is hosted on our internal server with IP i.e. 192.168.1.10.
I have created the following ACL, which is not working for me when I try to test it from a network with the 11.22.33.44 IP address.
Extended IP access list 103
10 permit ip host 11.22.33.44 host 55.66.77.88
20 permit udp host 11.22.33.44 host 55.66.77.88 eq 8080
30 permit ip any any (194766 matches)
I would appreciate any help or advice.
Luu Manio
05-12-2011 03:45 AM
Hello!
Since you are using private IP addressing in the LAN, you cannot solve this issue with just an ACL. You need to do NAT to allow external devices (from the Internet) to access your internal servers. This is sometimes called DNAT (e.g. in a Linux environment). I assume that you are already allowing your inside devices to access Internet hosts.
Below you have an excellent example on how to solve your issue. Please read it, and if you don't understand something come back for clarification:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml#topic6
Good luck,
Calin
05-12-2011 07:27 AM
Hi Calin,
Thank you for your advice
I have set up NAT to allow external devices to access my internal web server 192.168.1.10, but how do I grant access to only one specific external device?
Now with NAT everyone can access my webserver.
Kind regards,
Luu Manio.
06-01-2011 04:56 AM
So is it possible at all to permit (whitelist by IP) traffic from a specific external IP to my web server located on my network? I have been trying to find a solution for the last two weeks and no one seems to have an answer to my question.
Luu Manio
06-01-2011 06:14 AM
Hi,
IMHO, after the NAT is fixed, you just need to tune your original ACL applied inbound on your router's external interface:
Extended IP access list 103
20 permit udp host 11.22.33.44 host 55.66.77.88 eq 8080
25 deny ip any host 55.66.77.88
30 permit ip any any
I'm just not sure regarding the port used in line 20 - I'd expect a standard TCP port 80 to be used for a webserver?
So maybe using your original line 10 instead of 20 would be a good first step?
HTH,
Milan
06-01-2011 07:51 AM
Thanks Milan for a prompt reply.
Following your comments I have created the following records in NAT:
ip nat inside source static tcp 192.168.1.10 8080 55.66.77.88 8080 extendable
ip nat inside source static udp 192.168.1.10 8080 55.66.77.88 8080 extendable
I have also created extended ACL 103, applied to inbound traffic on interface FA04:
20 permit udp host 11.22.33.44 host 55.66.77.88 eq 8080
25 deny ip any host 55.66.77.88
30 permit ip any any
Do you think above configuration is correct?
Luu Manio
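As an added illustration (not code from the thread), a small Python first-match evaluator that runs both ACLs discussed above against sample packets. It shows why the original list admitted everyone (line 30 permits any remaining traffic) and why the tuned list, as written with udp, still blocks the client's TCP web requests; the outsider address 203.0.113.9 is a constructed placeholder.

```python
# Added example: minimal first-match evaluator for Cisco-style extended ACL
# entries (host/any endpoints, optional "eq port"). Addresses are the thread's
# own placeholders; OUTSIDER is a constructed sample address.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp" as seen on the outside interface
    src: str
    dst: str          # global (pre-NAT) destination, as the inbound ACL sees it
    dport: int = 0


def parse_ace(line):
    """Parse 'seq action proto src dst [eq port]' into a tuple."""
    tok = line.split()
    seq, action, proto, i = int(tok[0]), tok[1], tok[2], 3
    ends = []
    for _ in range(2):                       # source, then destination
        if tok[i] == "any":
            ends.append("any"); i += 1
        elif tok[i] == "host":
            ends.append(tok[i + 1]); i += 2
        else:
            raise ValueError("only host/any endpoints supported: " + line)
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return seq, action, proto, ends[0], ends[1], port


def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for _seq, action, proto, src, dst, port in map(parse_ace, acl):
        if proto not in ("ip", pkt.proto):
            continue
        if src != "any" and src != pkt.src:
            continue
        if dst != "any" and dst != pkt.dst:
            continue
        if port is not None and port != pkt.dport:
            continue
        return action
    return "deny"


ORIGINAL_ACL = ["10 permit ip host 11.22.33.44 host 55.66.77.88",
                "20 permit udp host 11.22.33.44 host 55.66.77.88 eq 8080",
                "30 permit ip any any"]
TUNED_ACL = ["20 permit udp host 11.22.33.44 host 55.66.77.88 eq 8080",
             "25 deny ip any host 55.66.77.88",
             "30 permit ip any any"]
CLIENT, PUBLIC, OUTSIDER = "11.22.33.44", "55.66.77.88", "203.0.113.9"


def check_acl(acl, proto="tcp"):
    """(client allowed, anyone else allowed) for port 8080 to the public IP."""
    return (evaluate(acl, Packet(proto, CLIENT, PUBLIC, 8080)) == "permit",
            evaluate(acl, Packet(proto, OUTSIDER, PUBLIC, 8080)) == "permit")
```

Changing line 20 to `permit tcp` (or reusing the original line 10) is what makes the tuned list admit the client's HTTP traffic while line 25 keeps everyone else away from 55.66.77.88.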