NAT with ACL

greenplague
Level 1

Hi,

How can I do a NAT and protect it with an ACL?

For example, I have this rule:

ip nat inside source static tcp 192.168.1.1 80 1.1.1.1 80

But I want only IP 2.2.2.2 to be able to access port 80. Can I do this on the router?

Regards,

Green

4 Replies

dmuinoorallo
Level 1

Hello Greenplague,

I will need more information (could you post a network diagram?). Where is 2.2.2.2: in the same LAN as 1.1.1.1, or in the same LAN as 192.162.1.1?

This is the order of operations for NAT inside on Cisco:

  • If IPSec then check input access list
  • decryption - for CET (Cisco Encryption Technology) or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • policy routing
  • routing
  • NAT inside to outside (local to global translation)
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect (Context-based Access Control (CBAC))
  • TCP intercept
  • encryption
  • Queueing

If you want to filter only the 2.2.2.2 IP address, you could put your ACL inside or outside, depending on where your device (2.2.2.2) is.

Hi dmuinoorallo,

The topology is simple; I attached an image.

I have something like this:

ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.1 80 interface FastEthernet4 80

But I want only IP 2.2.2.2 to be able to access port 80, with no ACL applied on interface FastEthernet4.

Thanks for the reply

Green

I think this will be your configuration:

interface GigabitEthernet0/0
ip address 1.1.1.1 255.255.255.252
ip nat inside
interface GigabitEthernet0/1
ip address 192.168.1.254 255.255.255.0 ===> "I don't know what your IP on the router is if your printer has 192.168.1.1"
ip nat outside

ip nat inside source list 100 interface Gi0/1 overload
access-list 100 remark Allowed IP NAT HOSTS
access-list 100 permit tcp host 2.2.2.2 any eq 80 log
access-list 100 deny ip any any log

It will work fine.

Shouldn't that be:

interface GigabitEthernet0/0
ip address 1.1.1.1 255.255.255.252
ip nat outside

Since that interface is facing the cloud?
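As an added example (not posted by anyone in this thread), here is one way to put the pieces together: the static port forward from the original question, the NAT source list for the overload rule kept separate from the filtering ACL, and an inbound ACL on the outside interface that admits only 2.2.2.2 to port 80. The interface names and the 192.168.1.254 address are assumed from the replies above; because an inbound ACL on the outside interface is evaluated before outside-to-inside translation, it must match the public address 1.1.1.1, not 192.168.1.1.

```cisco
! Assumed addressing taken from the thread: 1.1.1.1 public, 192.168.1.0/24 inside
interface GigabitEthernet0/0
 description Internet-facing (outside)
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet0/1
 description LAN (inside)
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
!
! List 100 only decides WHICH inside hosts get translated for the overload rule;
! it is not a filter on who may reach the web server from outside.
access-list 100 remark Inside hosts allowed to use PAT
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 100 interface GigabitEthernet0/0 overload
!
! Static port forward from the original question.
ip nat inside source static tcp 192.168.1.1 80 1.1.1.1 80
!
! Inbound filter on the outside interface. Traffic is checked here BEFORE
! outside-to-inside NAT, so the destination is still the public 1.1.1.1.
ip access-list extended OUTSIDE-IN
 remark Only 2.2.2.2 may reach the forwarded web server
 permit tcp host 2.2.2.2 host 1.1.1.1 eq 80
 deny   tcp any host 1.1.1.1 eq 80 log
 remark Allow return traffic for connections initiated from inside
 permit tcp any any established
 deny   ip any any log
```

Hits on the `deny ... log` entries show up in the router log, which gives a simple way to verify the filter and to see who else is probing port 80.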