Cisco 887va - Allow Remote Access to a Web Server

John Adams
Level 1

Hello.

I have a Cisco 887va which is connected to an ADSL line.

The internal network is a 192.168.1.x network (255.255.255.0).

My WAN is a statically assigned IP from the ISP. To save giving my actual IP, I'll give an example: 50.50.50.50

I have a webserver which serves https (tcp 443). This sits on 192.168.1.10. This has outbound internet through the Cisco.

I would like to make the https of the web server available externally, but only to 1 source IP (60.60.60.60).

How do I make this available?

My ISP have said I can use 50.50.60.61 - that is one of the IPs I'm allowed to use.

I'd like this as simple as possible. I don't have a firewall (cbac/zbf). Just standard ACLs for management access to my WAN for SSH.

I look forward to hearing from you.

John.

7 Replies

cadet alain
VIP Alumni

Hi,

ip nat inside source static tcp 192.168.1.10 443 50.50.60.61 443

then edit the inbound ACL on the WAN like this (this is an example, so change it to the real ACL number or name already applied inbound on your WAN interface):

ip access-list extended 100

10 permit tcp host 60.60.60.60 50.50.60.61 eq 443

Regards

Alain

Don't forget to rate helpful posts.


Thanks Alain,

My existing access-lists look like this:

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 10 permit 60.60.60.60

access-list 10 permit 80.80.80.80

access-list 10 permit 192.168.1.0 0.0.0.255

dialer-list 1 protocol ip permit

The access-list 10 is then used in 2 places. For the https access:

ip http access-class 10

and for the SSH access.

line vty 0 4

access-class 10 in

First of all - where does the NAT statement go? Anywhere specific in the config?

Then the ACL - I think I'd best create a new one?

Would it just be:

ip access-list extended 100

permit tcp host 60.60.60.60 50.50.60.61 eq 443 (This command didn't seem to enter correctly for me. Have I missed something?)

Then for an additional source IP I'd do:

permit tcp host 80.80.80.80 50.50.60.61 eq 443

I'd rather not edit my original ACLs if possible.

Thanks.

Hi,

OK, if your only ACL is used in access-class then indeed you need a new ACL to apply inbound on the WAN interface.

access-list 100 permit tcp host 60.60.60.60 host 50.50.50.61 eq 443

access-list 100 deny tcp any host 50.50.50.61 eq 443

access-list 100 permit ip any any

int x/x <<<<< your WAN interface

ip access-group 100 in

For the static PAT you enter it in global config.

Regards

Alain

Don't forget to rate helpful posts.


Thank you. I have added the ip access-group 100 in under my interface Dialer0 (ADSL connection).

I will test and let you know. Is there any troubleshooting I can do to see why it is not hitting an ACL, if the router is listening correctly on the IP, etc?

Thank you.

Hi,

You could enable logging on the ACL while testing it, and for NAT you can look at sh ip nat translation.

This is not the most secure config, but you asked not to use any firewalling feature. Now, we could edit the ACL to make it less permissive if you want, like this:

ip access-list extended 100

10 permit icmp any any echo-reply

11 permit udp any eq domain any

31 deny ip any any log

In ACE 11, replace the first any by host x.x.x.x where x.x.x.x is your external DNS server.

Regards

Alain

Don't forget to rate helpful posts.


Thanks Alain,

Can I just check this looks right:

What I want to achieve.

Keep my management access (SSH) with access-list 10. Deny anything else other than a remote IP of 70.70.70.70 for SSH access. It should only have SSH and no other ports.

Allow one remote IP (60.60.60.60) through to my web server (192.168.1.10 via the ext IP of 50.50.50.61).

Nothing else should be allowed access to the web server on 443.

Nothing else should be allowed access to anything from external.

Interface Dialer0

ip access-group 100 in

ip nat inside source static tcp 192.168.1.10 443 50.50.50.61 443 extendable

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 10 permit 70.70.70.70

access-list 10 permit 192.168.1.0 0.0.0.255

access-list 100 permit tcp host 60.60.60.60 host 50.50.50.61 eq 443

access-list 100 deny   tcp any host 50.50.50.61 eq 443

access-list 100 permit ip any any

dialer-list 1 protocol ip permit

line vty 0 4

access-class 10 in

Hi,

Given the fact that you don't want to use firewall or reflexive ACL, I would say that it pretty much does the job you are asking for, except that everyone will be able to ping or traceroute to your external IP.

Regards

Alain

Don't forget to rate helpful posts.

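To check what the posted ACL 100 and the tighter version from the earlier reply actually let through before applying either, here is a small first-match ACL simulator. It is an added example for this thread, not Cisco's code and not an IOS feature: it parses the extended-ACE syntax exactly as it appears in the replies (the numbered `access-list 100 ...` form and the named form with sequence numbers), walks the ACEs in order with the implicit trailing deny, and reports the verdict for sample packets. Addresses are the thread's placeholders; 203.0.113.53 is a constructed stand-in for the ISP's DNS resolver, 50.50.50.50 is the router's own WAN IP from the first post, and the SSH ACE and sequence numbers in the tighter list are this example's additions.

```python
"""First-match simulator for the Cisco IOS extended-ACL syntax used in this thread.

Added example, not Cisco's code or an IOS feature: parses extended ACE lines as posted
(numbered 'access-list 100 ...' and named 'SEQ ...' forms), evaluates sample packets
in order with the implicit trailing deny, and reports what each ACL lets through.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"domain": 53, "ssh": 22, "www": 80}  # IOS port keywords used here
ICMP_TYPES = {"echo-reply": 0, "echo": 8}          # subset of IOS ICMP keywords

@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # ip, tcp, udp or icmp
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    icmp_type: Optional[int]
    log: bool

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None

def _parse_addr(t, i):
    """Consume 'any', 'host A' or 'A WILDCARD' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # A wildcard mask is an inverted netmask. If 'host' was left out (as in the first
    # reply), the next token is 'eq', not an address, and ValueError is raised.
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(t[i + 1])))
    return ipaddress.ip_network(f"{t[i]}/{netmask}", strict=False), i + 2

def _parse_port(t, i):
    """Consume an optional 'eq PORT' at t[i]; return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i

def parse_ace(line: str) -> Ace:
    """Parse one ACE written as 'access-list N ...' or as a named-ACL 'SEQ ...' line."""
    t = line.split()
    t = t[2:] if t[0] == "access-list" else (t[1:] if t[0].isdigit() else t)
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    tail = t[i:]                                   # e.g. 'echo-reply', 'log'
    icmp_type = next((ICMP_TYPES[k] for k in tail if k in ICMP_TYPES), None)
    return Ace(t[0], t[1], src, sport, dst, dport, icmp_type, "log" in tail)

def matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport)
            and ace.icmp_type in (None, pkt.icmp_type))

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching ACE decides; an IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"

# ACL 100 exactly as it appears in the final config posted in the thread.
FINAL_ACL = [parse_ace(l) for l in (
    "access-list 100 permit tcp host 60.60.60.60 host 50.50.50.61 eq 443",
    "access-list 100 deny tcp any host 50.50.50.61 eq 443",
    "access-list 100 permit ip any any",
)]

# The tighter ACL from the later reply with the 443 permit kept, the DNS ACE narrowed to
# the resolver as suggested (203.0.113.53 is a constructed placeholder), and an SSH ACE
# for the management host (this example's addition, so the access-list 10 requirement
# survives the interface ACL). Sequence numbers are this example's, not the reply's.
TIGHT_ACL = [parse_ace(l) for l in (
    "10 permit tcp host 60.60.60.60 host 50.50.50.61 eq 443",
    "11 permit udp host 203.0.113.53 eq domain any",
    "12 permit tcp host 70.70.70.70 host 50.50.50.50 eq 22",
    "20 permit icmp any any echo-reply",
    "31 deny ip any any log",
)]
```

Running `evaluate(FINAL_ACL, ...)` on a few probes shows the point made in the last reply: with the posted ACL 100, HTTPS from anything but 60.60.60.60 is dropped, but an ICMP echo to the external IP and an SSH attempt from any address to 50.50.50.50 both pass the interface ACL, and only the `access-class 10` on the vty lines stops the SSH attempt. With `TIGHT_ACL` those are denied at the interface, DNS replies are accepted only from the resolver, and the SSH ACE is what keeps the 70.70.70.70 management access working; without it, `31 deny ip any any log` would cut SSH off before the vty access-class is ever consulted. Feeding the parser the first reply's line without `host` before 50.50.60.61 raises `ValueError`, because `eq` is then read as a wildcard mask.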