How to configure source IP restricted NAT on 1921ISR

I would think this should be a pretty easy one for the gurus on here. I need to figure out how to restrict a NAT rule to a specific set of external IP addresses (say for example 8.8.8.0/24).

 

I currently have the following NAT configuration set up to access a server, how would I go about limiting who can access it from the outside world to the above example?

ip nat inside source static tcp 10.0.0.25 443 *PUBLIC IP OF RTR* 443 extendable
ip nat inside source static udp 10.0.0.25 443 *PUBLIC IP OF RTR* 443 extendable

Here is my full (redacted) configuration of the router in case you need to see something about it:

Current configuration : 4770 bytes
!
! Last configuration change at 09:49:54 UTC Fri Feb 22 2019 by ***REDACTED*** 
! NVRAM config last updated at 10:00:35 UTC Fri Feb 22 2019 by ***REDACTED*** 
! NVRAM config last updated at 10:00:35 UTC Fri Feb 22 2019 by ***REDACTED*** 
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ***REDACTED*** 
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
ip cef
!
!
!
ip dhcp excluded-address 10.0.0.1 10.0.0.100
!
ip dhcp pool 10.0.0.x-ccp-pool
 import all
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 8.8.8.8 4.2.2.2
 lease 0 2
!
!
!
ip domain name ***REDACTED*** 
ip name-server 8.8.8.8
ip name-server 8.8.4.4
login block-for 120 attempts 3 within 120
login quiet-mode access-class RTR_MGMT
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn ***REDACTED*** 
!
!
vtp mode transparent
!
redundancy
!
!
!
!
!
vlan 10
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface GigabitEthernet0/0
ip ssh version 2
!
crypto keyring newkeyring
  pre-shared-key address 0.0.0.0 0.0.0.0 key ***REDACTED*** 
!
!
crypto ipsec transform-set ***REDACTED***  esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile ***REDACTED*** 
 set transform-set ***REDACTED*** 
!
!
!
!
!
!
!
interface Tunnel0
 bandwidth 10000
 ip address 10.255.255.254 255.255.255.0
 no ip redirects
 ip mtu 1408
 ip nhrp authentication ***REDACTED*** 
 ip nhrp map multicast dynamic
 ip nhrp network-id ***REDACTED*** 
 ip nhrp holdtime 300
 ip virtual-reassembly in
 ip tcp adjust-mss 574
 ip ospf network broadcast
 ip ospf priority 255
 delay 1000
 qos pre-classify
 tunnel source GigabitEthernet0/1/0
 tunnel mode gre multipoint
 tunnel key ***REDACTED*** 
 tunnel path-mtu-discovery
 tunnel protection ipsec profile ***REDACTED*** shared
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.0.2 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1/0
 ip address ***REDACTED*** 255.255.255.0 secondary
 ip address ***REDACTED*** 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 media-type sfp
!
interface GigabitEthernet0/0/0
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet0/0/1
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet0/0/2
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet0/0/3
 switchport access vlan 10
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.0.7.1 255.255.255.0 secondary
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no mop enabled
!
router ospf 10
 router-id 10.255.255.254
 redistribute connected
 redistribute static subnets
 network 10.0.0.0 0.0.0.255 area 0
 network 10.0.7.0 0.0.0.255 area 0
 network 10.255.255.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list NATout-Acl interface GigabitEthernet0/1/0 overload
ip nat inside source static tcp 10.0.0.25 80 ***REDACTED*** 80 extendable
ip nat inside source static udp 10.0.0.25 80 ***REDACTED*** 80 extendable
ip nat inside source static tcp 10.0.0.25 443 ***REDACTED*** 443 extendable
ip nat inside source static udp 10.0.0.25 443 ***REDACTED*** 443 extendable
ip nat inside source static tcp 10.0.0.25 3389 ***REDACTED*** 3389 extendable
ip nat inside source static udp 10.0.0.25 3389 ***REDACTED*** 3389 extendable
ip route 0.0.0.0 0.0.0.0 ***REDACTED***
!
ip access-list standard RTR_MGMT
 permit ***REDACTED***
 permit ***REDACTED***
 permit 10.0.0.0 0.255.255.255
 permit 192.168.0.0 0.0.0.255
!
ip access-list extended NATout-Acl
 permit ip 10.0.0.0 0.0.0.255 any
!
no cdp run
!
!
snmp-server community ***REDACTED*** RO
snmp-server enable traps entity-sensor threshold
!
control-plane
!
!
!
line con 0
 login local
line aux 0
 access-class RTR_MGMT in
 login local
line 2
 access-class RTR_MGMT in
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class RTR_MGMT in
 logging synchronous
 login local
 transport input telnet ssh
line vty 5 15
 access-class RTR_MGMT in
 logging synchronous
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp peer 204.2.134.163
ntp peer 208.79.16.124
ntp peer 69.65.40.29
ntp peer 50.116.38.157
!
end

 

10 Replies

Jon Marshall
Hall of Fame

 

You should use an acl to do this, so use your NAT statements as is and then apply an inbound acl. 

 

Jon

Deepak Kumar
VIP Alumni

Hi,

Configure a standard access-list and apply it on the WAN interface in the INBOUND direction as follows:

ip access-list standard 99
 1 deny host 8.8.8.8
 100 permit any
!
interface fastethernet 0/1
 description "Connected-to-WAN"
 ip access-group 99 in

Don't forget to add "permit any" at the end of the access-list.

 

Regards,

Deepak Kumar




Deepak,

 

Thanks for your response, maybe I'm missing something, but since I want only 8.8.8.0/24 to be able to access it in this example, shouldn't the ACL be this:

 

ip access-list standard 99
 1 permit 8.8.8.0 0.0.0.255
 100 deny any

But, after creating the ACL when I go to apply the ACL on the WAN interface, won't that apply to all of the ip nat inside source entries, not just the port 443 ones?

 

 

access-list 101 permit tcp 8.8.8.0 0.0.0.255 host <public IP> eq 443
access-list 101 deny tcp any host <public IP> eq 443
access-list 101 permit ip any any

 

and apply the acl inbound on your WAN interface. 

 

By the way you only need TCP not UDP for port 443. 

 

Jon

Posted on wrong account, will repost on correct account shortly.

Ok, so I have built out the ACL and applied it, but it still allows access from anywhere, even though it is set to only allow access from a single IP for now (testing purposes). I have tried applying the access group on the WAN interface in both inbound and outbound, no change. Below is the redacted config. Am I missing something (probably something stupid that I overlooked)?

 

Also, to clarify, the port needed is 8080, not the 443 as originally posted.

 

Thanks in advance for everyone's help!

 

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ***REDACTED***
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
ip cef
!
!
!
ip dhcp excluded-address 10.0.0.1 10.0.0.100
!
ip dhcp pool 10.0.0.x-ccp-pool
 import all
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 8.8.8.8 4.2.2.2
 lease 0 2
!
!
!
ip domain name ***REDACTED***
ip name-server 8.8.8.8
ip name-server 8.8.4.4
login block-for 120 attempts 3 within 120
login quiet-mode access-class RTR_MGMT
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn ***REDACTED***
!
!
vtp mode transparent
username ***REDACTED*** privilege 15 secret 5 ***REDACTED***
!
redundancy
!
!
!
!
!
vlan 10
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface GigabitEthernet0/0
ip ssh version 2
!
crypto keyring newkeyring
  pre-shared-key address 0.0.0.0 0.0.0.0 key ***REDACTED***
!
!
crypto ipsec transform-set ***REDACTED*** esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile ***REDACTED***
 set transform-set ***REDACTED***
!
!
!
!
!
!
!
interface Tunnel0
 bandwidth 10000
 ip address 10.255.255.254 255.255.255.0
 no ip redirects
 ip mtu 1408
 ip nhrp authentication ***REDACTED***
 ip nhrp map multicast dynamic
 ip nhrp network-id 1772778
 ip nhrp holdtime 300
 ip virtual-reassembly in
 ip tcp adjust-mss 574
 ip ospf network broadcast
 ip ospf priority 255
 delay 1000
 qos pre-classify
 tunnel source GigabitEthernet0/1/0
 tunnel mode gre multipoint
 tunnel key 1772778
 tunnel path-mtu-discovery
 tunnel protection ipsec profile ***REDACTED*** shared
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.0.2 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1/0
 ip address ***REDACTED C*** 255.255.255.248 secondary
 ip address ***REDACTED B*** 255.255.255.248 secondary
 ip address ***REDACTED A*** 255.255.255.248
 ip access-group Inbound in
 ip nat outside
 ip virtual-reassembly in
 media-type sfp
!
interface GigabitEthernet0/0/0
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet0/0/1
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet0/0/2
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet0/0/3
 switchport access vlan 10
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.0.7.1 255.255.255.0 secondary
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no mop enabled
!
router ospf 10
 router-id 10.255.255.254
 redistribute connected
 redistribute static subnets
 network 10.0.0.0 0.0.0.255 area 0
 network 10.0.7.0 0.0.0.255 area 0
 network 10.255.255.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list NATout-Acl interface GigabitEthernet0/1/0 overload
ip nat inside source static tcp 10.0.0.25 80 ***REDACTED A*** 80 extendable
ip nat inside source static tcp 10.0.0.25 443 ***REDACTED A*** 443 extendable
ip nat inside source static tcp 10.0.0.25 3389 ***REDACTED A*** 3389 extendable
ip nat inside source static udp 10.0.0.25 3389 ***REDACTED A*** 3389 extendable
ip nat inside source static tcp 10.0.1.11 8080 ***REDACTED B*** 8080 extendable
ip nat inside source static tcp 10.0.7.11 8080 ***REDACTED C*** 8080 extendable
ip route 0.0.0.0 0.0.0.0 89.187.120.89
!
ip access-list standard RTR_MGMT
 permit ***REDACTED - MY REMOTE IP***
 permit 10.0.0.0 0.255.255.255
 permit 192.168.0.0 0.0.0.255
!
ip access-list extended Inbound
 permit tcp host ***REDACTED - MY REMOTE IP*** eq 8080 host 10.0.1.11 eq 8080
 permit tcp host ***REDACTED - MY REMOTE IP*** eq 8080 host 10.0.7.11 eq 8080
 deny   tcp any eq 8080 any eq 8080
 permit ip any any
ip access-list extended NATout-Acl
 permit ip 10.0.0.0 0.0.0.255 any
!
no cdp run
!
!
snmp-server community ***REDACTED*** RO
snmp-server enable traps entity-sensor threshold
!
control-plane
!
!
!
line con 0
 login local
line aux 0
 access-class RTR_MGMT in
 login local
line 2
 access-class RTR_MGMT in
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class RTR_MGMT in
 logging synchronous
 login local
 transport input telnet ssh
line vty 5 15
 access-class RTR_MGMT in
 logging synchronous
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp peer 204.2.134.163
ntp peer 208.79.16.124
ntp peer 50.116.38.157
ntp peer 69.65.40.29
!
end
 

 

Hello,

 

as far as I can see, you need to replace the inside addresses in the ACL with the outside addresses they are actually NATted to (remote IP addresses will try and connect with the public IP address, not the private):

 

ip access-list extended Inbound
permit tcp host ***REDACTED - MY REMOTE IP*** eq 8080 host REDACTED B eq 8080
permit tcp host ***REDACTED - MY REMOTE IP*** eq 8080 host REDACTED C eq 8080
deny tcp any eq 8080 any eq 8080
permit ip any any

Hello Michael,

your inbound ACL is wrong

>>

ip access-list extended Inbound
 permit tcp host ***REDACTED - MY REMOTE IP*** eq 8080 host 10.0.1.11 eq 8080
 permit tcp host ***REDACTED - MY REMOTE IP*** eq 8080 host 10.0.7.11 eq 8080
 deny   tcp any eq 8080 any eq 8080
 permit ip any any


1) You don't need to specify the source TCP port. When a TCP socket is created, the well-known port is used
on the server side (8080 in your case) and a dynamic port > 1024 is used on the client side.
So follow Jon's suggestions on how to write the ACL, just replace server port 443 with 8080.

2) The inbound ACL is checked before NAT is performed, so your destination address should be a public
address, that of the router on the WAN interface, if I have correctly understood your NAT config.

Hope to help
Giuseppe


Ok, I think I understand, so my ACL should read:

 

 

ip access-list extended Inbound
permit tcp host ***REDACTED - MY REMOTE IP*** host REDACTED B eq 8080
permit tcp host ***REDACTED - MY REMOTE IP*** host REDACTED C eq 8080
deny tcp any any eq 8080
permit ip any any

Does that look right to you guys?
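The thread's two points (inbound ACL is evaluated before the static NAT translation, and the client's source port is ephemeral, not 8080) can be checked with a small simulation. This is an added illustration, not code from the thread or from Cisco IOS; the public addresses, the remote client address and the client's ephemeral port are constructed placeholders standing in for the redacted values, and the NAT table holds only the 8080 forward to 10.0.1.11.

```python
import ipaddress

# Constructed stand-ins for the redacted values in the thread.
PUBLIC_B = "203.0.113.10"      # assumed public address "REDACTED B" on Gi0/1/0
MY_REMOTE_IP = "198.51.100.7"  # assumed "REDACTED - MY REMOTE IP"
# Static NAT as in the config: public (addr, port) -> inside (addr, port).
STATIC_NAT = {(PUBLIC_B, 8080): ("10.0.1.11", 8080)}

def ace(action, proto, src, dst, sport=None, dport=None):
    """One access-list entry; src/dst are CIDR strings, port None means 'any'."""
    return dict(action=action, proto=proto, src=ipaddress.ip_network(src),
                dst=ipaddress.ip_network(dst), sport=sport, dport=dport)

# The first "Inbound" ACL from the thread: inside address and source port 8080.
ACL_ORIGINAL = [
    ace("permit", "tcp", MY_REMOTE_IP + "/32", "10.0.1.11/32", 8080, 8080),
    ace("deny", "tcp", "0.0.0.0/0", "0.0.0.0/0", 8080, 8080),
    ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]
# The corrected ACL: public destination, no source port, server port only.
ACL_FIXED = [
    ace("permit", "tcp", MY_REMOTE_IP + "/32", PUBLIC_B + "/32", None, 8080),
    ace("deny", "tcp", "0.0.0.0/0", "0.0.0.0/0", None, 8080),
    ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

def acl_permits(acl, pkt):
    """First-match evaluation with the implicit deny at the end of an IOS ACL."""
    for e in acl:
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if ipaddress.ip_address(pkt["src"]) not in e["src"]:
            continue
        if ipaddress.ip_address(pkt["dst"]) not in e["dst"]:
            continue
        if e["sport"] is not None and e["sport"] != pkt["sport"]:
            continue
        if e["dport"] is not None and e["dport"] != pkt["dport"]:
            continue
        return e["action"] == "permit"
    return False

def inbound_on_wan(acl, pkt):
    """Order on the 'ip nat outside' interface: access-group first, then NAT.
    Returns the translated inside (addr, port) or None if dropped/untranslated."""
    if not acl_permits(acl, pkt):
        return None
    return STATIC_NAT.get((pkt["dst"], pkt["dport"]))

def client_syn(src_ip, sport=51234):
    """Constructed SYN from a client: ephemeral source port, public destination."""
    return dict(proto="tcp", src=src_ip, dst=PUBLIC_B, sport=sport, dport=8080)
```

With ACL_ORIGINAL a stranger's SYN matches neither of the first two entries (destination is the public address, source port is not 8080) and falls through to permit ip any any, which is exactly the "still allows access from anywhere" symptom; with ACL_FIXED only MY_REMOTE_IP reaches the translation.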

 

Hello,

 

I guess you could use an extended access lists to just permit tcp/udp 443:

 

access-list 101 permit tcp host 8.8.8.8 host 10.0.0.25 eq 443
access-list 101 permit udp host 8.8.8.8 host 10.0.0.25 eq 443
access-list 101 deny ip host 8.8.8.8 host 10.0.0.25
access-list 101 permit ip any any