One-to-one NAT and ACL

Paul Lawrie
Level 1

Hi, I have a Windows RRAS server running an IKEv2 VPN server that seems to work just fine internally. I have forwarded UDP ports 500, 4500 and 1701, as well as ESP through and I simply can't make it work. Here are my NAT rules:

ip nat inside source static udp 10.1.1.1 500 interface Dialer1 500
ip nat inside source static udp 10.1.1.1 4500 interface Dialer1 4500
ip nat inside source static udp 10.1.1.1 1701 interface Dialer1 1701
ip nat inside source static esp 10.1.1.1 interface Dialer1

Other than the IP I'm assigned from my ISP on Dialer1, I also have an additional IP block routed to me, and I happen to have some spare addresses.

I did a static NAT like this, where 10.1.1.1 is my inside server and 200.200.200.200 is part of the IP block assigned to me.

ip nat inside source static 10.1.1.1 200.200.200.200

This works perfectly and I'm okay with the VPN living on this IP address, however I want to apply an ACL so the entire Internet can't play with my server.

Feel like this is a dumb question... but I need a little nudge to help me formulate the ACL and know where to apply it. Is it correct to create a VLAN on the router and route that single IP inside so that I have an interface to apply the ACL to? That may be perverse to even suggest, I don't know :)

4 Replies

Jon Marshall
Hall of Fame

Not sure I follow what you are asking about the vlan on the router.

The router will have an interface that connects to your ISP and so that is where you would apply the acl in an inbound direction.

Have I misunderstood what you are asking ?

Jon

Hi Jon,

I have a Dialer1 interface that is assigned a single static IP from the ISP. In addition the ISP has routed a /29 IP address block to me and I just do PAT to a couple of internal services.

As I understand it these IPs aren't actually on the Dialer1 interface.

An acl filters traffic that goes through the router (usually) so it doesn't matter whether the public IP you are using for your VPN server is assigned to an interface or not.

Do you have any acls applied to any interfaces at the moment on your router ?

Do you have any firewalling anywhere ?

Jon

nurbol555
Level 1

Hi!

It's not a big deal; if you need to create an ACL for one address you just have to create an ACL like this:

ip access-list extended EXAMPLE
 permit udp any host 10.1.1.1 eq 500
 ! "any" can be replaced by your pool of public addresses
 permit udp any host 10.1.1.1 eq 4500
 deny ip any host 10.1.1.1
 permit ip any any

And put it on your Internet interface like this: (access-group EXAMPLE out)

This ACL can block connections to your address 10.1.1.1 and leave connections to other addresses open; if you need to block connections to other addresses, you have to remove (permit ip any any) from the ACL. ACLs work from top to bottom.

Rate it if it helps.
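As an added example (not posted by anyone in this thread), here is an inbound ACL on the ISP-facing interface that exposes only the IKEv2 ports on the one-to-one NAT address from the question. The ACL name VPN-IN is an assumption; the address 200.200.200.200 and interface Dialer1 come from the question. It matches the public address because, on IOS, an inbound ACL on the outside interface is evaluated before the outside-to-inside NAT translation, so the packet still carries 200.200.200.200 as its destination at that point.

```cisco
! Added example, not from the thread. Applied INBOUND on the Internet-facing
! interface, so it sees the pre-NAT (public) destination 200.200.200.200,
! not the inside address 10.1.1.1.
ip access-list extended VPN-IN
 remark IKEv2: IKE on UDP/500, NAT-T on UDP/4500, and raw ESP for non-NAT peers
 permit udp any host 200.200.200.200 eq isakmp
 permit udp any host 200.200.200.200 eq non500-isakmp
 permit esp any host 200.200.200.200
 remark Anything else aimed at the VPN address is dropped and logged
 deny   ip  any host 200.200.200.200 log
 remark Keep existing behaviour for the rest of the /29 and the PAT address
 permit ip  any any
!
interface Dialer1
 ip access-group VPN-IN in
```

UDP 1701 is L2TP, which an IKEv2-only server does not use, so it is deliberately not opened here; add it only if the same server also terminates L2TP/IPsec. If the peers come from known address ranges, replace the `any` source in the three permit lines with those ranges; the logged denies give you a simple view of who is probing the address.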
