12-06-2023 05:21 AM - last edited on 12-08-2023 01:09 AM by Translator
Hello all, I need some help regarding static NAT configuration.
I have set up the following NAT configuration, which is working as expected.
interface GigabitEthernet0/0
 description OUTSIDE
 ip address xxx.xxx.xxx.190 255.255.255.192
 ip access-group BLOCK_PRIVATE_ADDRESS_RANGES out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 duplex full
 speed 1000
 media-type rj45
 negotiation auto
 no keepalive
 no cdp enable
 no mop enabled
!
interface GigabitEthernet0/1
 description INSIDE$ES_LAN$
 ip address 172.19.128.54 255.255.252.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
 no keepalive
 no mop enabled
!
ip nat inside source list IP_NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 172.19.128.65 22 xxx.xxx.xxx.190 1022 extendable
ip nat inside source static tcp 172.19.128.65 1521 xxx.xxx.xxx.190 1521 extendable
What I want to achieve with the two static entries is to limit / filter the outside global / local IPs to only one IP. I have tried to apply the following access list:
ip access-list extended IP_NAT
 permit ip 172.19.128.0 0.0.3.255 any
 permit tcp host xxx.xxx.xxx.66 any eq 1022
 deny tcp any any eq 1022
 permit tcp host xxx.xxx.xxx.66 any eq 22
 deny tcp any any eq 22
 permit tcp host xxx.xxx.xxx.66 any eq 1521
When I run the following show command I do see matches:
sh access-lists IP_NAT
Extended IP access list IP_NAT
10 permit ip 172.19.128.0 0.0.3.255 any (1897093 matches)
20 permit tcp host xxx.xxx.xxx.66 any eq 1022
30 deny tcp any any eq 1022
40 permit tcp host xxx.xxx.xxx.66 any eq 22
50 deny tcp any any eq 22 (8 matches)
60 permit tcp host xxx.xxx.xxx.66 any eq 1521
Can anyone help?
12-06-2023 06:48 AM
What I want to achieve with the two static entries is to limit / filter the Outside global / Local IP's to only one IP. I have tried to apply the following access list
What I understand from here is that you want only one public IP to access that. Is this correct?
Why not use another ACL and apply it on the outside?
12-06-2023 06:55 AM
I want only one public IP address to access the internal statically NATed address.
I have tried creating an access list and applying it to the g0/0 interface inbound, but it seems to stop all return traffic from the 172.19.128.0 0.0.3.255 network.
12-07-2023 06:09 AM
Yes, use an ACL inbound on the outside interface for those ports.
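The inbound-on-outside approach suggested in the replies, written out as an added example that is not from the original thread. The NAT ACL (`IP_NAT`) is only consulted for inside-to-outside packets and is keyed on the inside source address, so lines keyed on the outside peer xxx.xxx.xxx.66 can never match there; the filtering has to happen on the outside interface. An inbound ACL on the outside interface is evaluated before outside-to-inside translation, so it must match the global address xxx.xxx.xxx.190, not 172.19.128.65. It also has to admit the return traffic of sessions the inside hosts opened through the PAT pool, which is what broke in the first attempt. The addresses are the placeholders carried over from the post; the ACL name `OUTSIDE_IN` is an assumption.

```cisco
! Added example (not from the thread): restrict the two static port mappings
! to one trusted outside host without breaking sessions opened from inside.
! Assumptions: xxx.xxx.xxx.66 is the trusted peer, xxx.xxx.xxx.190 is the
! router's outside address (both placeholders from the post), ACL name OUTSIDE_IN.
ip access-list extended OUTSIDE_IN
 remark Return traffic for TCP sessions inside hosts opened via the PAT pool
 permit tcp any host xxx.xxx.xxx.190 established
 remark UDP has no "established"; allow DNS replies to the PAT pool only
 remark (narrow "any" to your resolver addresses if they are known)
 permit udp any eq 53 host xxx.xxx.xxx.190 gt 1023
 remark Only the trusted peer may reach the published services (global ports)
 permit tcp host xxx.xxx.xxx.66 host xxx.xxx.xxx.190 eq 1022
 permit tcp host xxx.xxx.xxx.66 host xxx.xxx.xxx.190 eq 1521
 remark Keep path-MTU discovery working
 permit icmp any host xxx.xxx.xxx.190 packet-too-big
 remark Everything else, including other sources aimed at 22/1022/1521
 deny ip any any log
!
interface GigabitEthernet0/0
 ip access-group OUTSIDE_IN in
!
```

After applying it, `show ip access-lists OUTSIDE_IN` should show hits on the `established` line for ordinary browsing from the LAN, and `show ip nat translations` should still show the two static entries plus dynamic PAT entries. Two caveats: the `established` keyword is stateless (it matches any segment with ACK or RST set, so an ACK scan passes it and is only stopped by the lack of a listening state on the inside host); if real statefulness is wanted, IOS reflexive ACLs or the zone-based firewall are the usual replacements. And `deny ip any any log` on a busy Internet link can be CPU-expensive, so drop the `log` keyword once the rule set is verified. The existing `BLOCK_PRIVATE_ADDRESS_RANGES out` ACL on the same interface is unaffected.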
12-06-2023 06:56 AM - edited 12-06-2023 07:02 AM
Your NAT ACL is wrong.
First, deny the real IP (the real IP you use for the static NAT) to any (use the tcp protocol).
Then permit the subnet to any (use ip).
Do that and your NATing will be fine.
MHM
12-06-2023 07:12 AM - last edited on 12-08-2023 01:19 AM by Translator
What like this?
 deny tcp host xxx.xxx.xxx.66 any
 permit ip 172.19.128.0 0.0.3.255 any
12-06-2023 07:15 AM
Yes, correct.
But you used the mapped IP, not the real IP.
The real IP is from the subnet of the ip nat inside interface.
MHM
12-06-2023 07:37 AM - last edited on 12-08-2023 01:19 AM by Translator
Hope this is what is needed, I'll give it a try.
 deny tcp host 172.19.128.65 any
 permit ip 172.19.128.0 0.0.3.255 any
12-06-2023 07:41 AM
Correct.
You are using the real IP and using tcp, but you don't specify the port at the end of the ACL entry.
Note: if there is more than one port, use one ACL entry for each port.
After adding the port, check your NATing.
Good luck
MHM
12-07-2023 06:16 AM
@murray.bown update me about this case.
MHM