How do I limit "ip nat inside static route" external access

Brian Taylor
Level 1

Hi,

This is probably a dumb question but...

I have the following statement in a Cisco 877:

ip nat inside source static tcp 192.168.0.203 3389 interface Dialer1 3389

I simply want to limit external access to this NAT route to a list of external IP addresses - that is, only certain internet IP addresses can access this RDP port. How can I do this?

Regards, Brian

5 Replies

cadet alain
VIP Alumni

Hi,

You can apply an inbound ACL on the Dialer interface like this one:

access-list 100 permit tcp host x.x.x.x host 192.168.0.203 eq 3389
access-list 100 permit tcp host y.y.y.y host 192.168.0.203 eq 3389
access-list 100 deny tcp any any eq 3389
access-list 100 permit ip any any

You can also use an ACL permitting the RDP traffic for the desired hosts and match it in a route-map that you refer to in the static PAT statement.

Regards

Alain

Don't forget to rate helpful posts.

Thanks Alain,

I tried the following:

access-list 101 permit tcp host 120.28.12.xxx host 192.168.0.203 eq 3389
access-list 101 deny   tcp any any eq 3389
access-list 101 permit ip any any

but when I add the following statement in the Dialer1 interface and try remote desktop from 120.28.12.xxx it fails to connect until I remove this statement again:

ip access-group 101 in

Any ideas?

Regards, Brian

Hi,

ip access-list extended 101
 no 10
 10 permit tcp host 120.28.12.xxx any eq 3389

Don't forget to rate helpful posts.

cadet alain
VIP Alumni

no comment

Don't forget to rate helpful posts.

Brian Taylor
Level 1

In the end I rang up Cisco TAC to get this resolved. The answer was:

interface Dialer1
 ip access-group 101 in
 ...
!

access-list 101 permit tcp host 120.28.12.xxx host 120.29.12.xxx eq 3389
access-list 101 deny   tcp any any eq 3389
access-list 101 permit ip any any

where: 120.28.12.xxx is the external internet address and 120.29.12.xxx is the Dialer1 interface internet address. My mistake was using an internal address (192.168.0.203) as the destination.

Brian
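Why the TAC version works and the first attempt did not: on the outside (Dialer1) interface, an inbound ACL is evaluated before the static PAT rewrites the destination, so the permit entry must name the Dialer1 address rather than 192.168.0.203. The following is an added example, not code from the thread or from Cisco IOS: a small evaluator for the ACL syntax used above that applies first-match semantics and the implicit deny, with constructed placeholder addresses standing in for the 120.28.12.xxx / 120.29.12.xxx values in the post.

```python
# Constructed sample addresses standing in for the page's 120.28.12.xxx etc.
DIALER_PUBLIC = "120.29.12.1"    # Dialer1 interface address (NAT outside)
RDP_HOST = "192.168.0.203"       # inside host from the static PAT statement
ALLOWED_SRC = "120.28.12.7"      # the one external client allowed to use RDP

def _match_addr(tokens, i, addr):
    """Consume an address spec ('host X' or 'any') at tokens[i]."""
    if tokens[i] == "any":
        return True, i + 1
    if tokens[i] == "host":
        return tokens[i + 1] == addr, i + 2
    raise ValueError(f"unsupported address spec: {tokens[i]}")

def _match_entry(line, proto, src, dst, dport):
    """Return (matched, action) for one 'access-list N permit|deny ...' line."""
    t = line.split()
    action, entry_proto = t[2], t[3]
    if entry_proto not in ("ip", proto):   # 'ip' entries match any protocol
        return False, action
    ok_src, i = _match_addr(t, 4, src)
    ok_dst, i = _match_addr(t, i, dst)
    ok_port = not (i < len(t) and t[i] == "eq") or int(t[i + 1]) == dport
    return ok_src and ok_dst and ok_port, action

def acl_permits(acl, proto, src, dst, dport):
    """First-match semantics plus the implicit deny at the end of every ACL."""
    for line in acl:
        matched, action = _match_entry(line, proto, src, dst, dport)
        if matched:
            return action == "permit"
    return False

def inbound_rdp_allowed(acl, src):
    """Evaluate a TCP/3389 packet from src as the Dialer1 inbound ACL sees it:
    the destination is still DIALER_PUBLIC, because static PAT translates it
    to RDP_HOST only after the inbound ACL has been checked."""
    return acl_permits(acl, "tcp", src, DIALER_PUBLIC, 3389)

def rdp_acl(permit_dst):
    """The thread's three-line ACL, parameterised on the permit's destination."""
    return [
        f"access-list 101 permit tcp host {ALLOWED_SRC} host {permit_dst} eq 3389",
        "access-list 101 deny tcp any any eq 3389",
        "access-list 101 permit ip any any",
    ]

if __name__ == "__main__":
    # Brian's attempt (inside address as destination) vs the TAC version.
    print("inside dst:", inbound_rdp_allowed(rdp_acl(RDP_HOST), ALLOWED_SRC))        # False
    print("public dst:", inbound_rdp_allowed(rdp_acl(DIALER_PUBLIC), ALLOWED_SRC))   # True
    print("other src :", inbound_rdp_allowed(rdp_acl(DIALER_PUBLIC), "203.0.113.9"))  # False
```

The evaluator only understands the `host`/`any` address forms and the `eq` port match used in this thread; wildcard masks and the `route-map` alternative Alain mentions are not modelled.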