Static NAT and access lists filtering on source address

murray.bown
Level 1

Hello all, I need some help regarding static NAT configuration.

I have setup the following NAT configuration that is working as expected.

interface GigabitEthernet0/0
description OUTSIDE
ip address xxx.xxx.xxx.190 255.255.255.192
ip access-group BLOCK_PRIVATE_ADDRESS_RANGES out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
duplex full
speed 1000
media-type rj45
negotiation auto
no keepalive
no cdp enable
no mop enabled

interface GigabitEthernet0/1
description INSIDE$ES_LAN$
ip address 172.19.128.54 255.255.252.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
duplex auto
speed auto
media-type rj45
negotiation auto
no keepalive
no mop enabled

ip nat inside source list IP_NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 172.19.128.65 22 xxx.xxx.xxx.190 1022 extendable
ip nat inside source static tcp 172.19.128.65 1521 xxx.xxx.xxx.190 1521 extendable

What I want to achieve with the two static entries is to limit / filter the outside global / local IPs to only one IP. I have tried to apply the following access list:

ip access-list extended IP_NAT
permit ip 172.19.128.0 0.0.3.255 any
permit tcp host xxx.xxx.xxx.66 any eq 1022
deny tcp any any eq 1022
permit tcp host xxx.xxx.xxx.66 any eq 22
deny tcp any any eq 22
permit tcp host xxx.xxx.xxx.66 any eq 1521

When I run the following show command I do see some matches.

sh access-lists IP_NAT
Extended IP access list IP_NAT
10 permit ip 172.19.128.0 0.0.3.255 any (1897093 matches)
20 permit tcp host xxx.xxx.xxx.66 any eq 1022
30 deny tcp any any eq 1022
40 permit tcp host xxx.xxx.xxx.66 any eq 22
50 deny tcp any any eq 22 (8 matches)
60 permit tcp host xxx.xxx.xxx.66 any eq 1521

Can anyone help?


balaji.bandi
Hall of Fame
> What I want to achieve with the two static entries is to limit / filter the Outside global / Local IP's to only one IP. I have tried to apply the following access list

What I understand from here is that you want only one public IP to access that - is this correct?

Why not use another ACL and apply it on the outside interface?


BB


I want only one public IP address to access the internal statically NATed address.

I have tried creating an access list and applying it to the g0/0 interface inbound, but it seems to stop all return traffic from the 172.19.128.0 0.0.3.255 network.

Yes, use an ACL inbound on the outside interface for those ports.

BB


Your NAT ACL is wrong.

First deny the real IP (the real IP you use for static NAT) to any (use the tcp protocol).

Then permit the subnet to any (use ip).

Do that and your NATing will be fine.

MHM

Like this?

deny tcp host xxx.xxx.xxx.66 any
permit ip 172.19.128.0 0.0.3.255 any


Yes, correct.

But you used the mapped IP, not the real IP.

The real IP is from the subnet of the ip nat inside interface.

MHM

Hope this is what is needed, I'll give it a try.

deny tcp host 172.19.128.65 any
permit ip 172.19.128.0 0.0.3.255 any


Correct.

You are using the real IP and tcp, but you don't specify the port at the end of the ACL.

Note: if there is more than one port, use one ACL for each port.

After adding the port, check your NATing.

Good luck.

MHM

@murray.bown, update me about this case.

MHM
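Added example (not the poster's config and not from Cisco): the inbound ACL on the outside interface that BB recommends, restricting the two static translations to the single peer xxx.xxx.xxx.66, with the NAT ACL reduced to the subnet permit. The ACL name OUTSIDE_IN, the log keywords and the established line for TCP return traffic are my assumptions; addresses are the ones from the thread.

```cisco
! 1. The NAT ACL only selects which inside sources get PAT'd out.
!    It does not restrict who may reach the static entries, so the
!    "deny tcp any any eq 22/1022" lines do not belong here (they were
!    matching the inside users' own outbound SSH sessions instead).
ip access-list extended IP_NAT
 permit ip 172.19.128.0 0.0.3.255 any

! 2. Inbound filter on the outside interface. Inbound ACLs on Gi0/0 are
!    evaluated before NAT, so the destination is the global address .190
!    and the translated port 1022, not 172.19.128.65:22.
ip access-list extended OUTSIDE_IN
 remark --- SSH and Oracle only from the one trusted peer ---
 permit tcp host xxx.xxx.xxx.66 host xxx.xxx.xxx.190 eq 1022
 permit tcp host xxx.xxx.xxx.66 host xxx.xxx.xxx.190 eq 1521
 deny   tcp any host xxx.xxx.xxx.190 eq 1022 log
 deny   tcp any host xxx.xxx.xxx.190 eq 1521 log
 remark --- TCP replies to sessions opened from the inside (overload) ---
 permit tcp any host xxx.xxx.xxx.190 established
 remark --- UDP/ICMP replies (DNS, path MTU) are still dropped by the
 remark --- final deny; use a reflexive ACL or ip inspect / ZBFW for those
 deny   ip any any log

interface GigabitEthernet0/0
 ip access-group OUTSIDE_IN in

! Verify: hit counters should move only on the two permit lines when
! the trusted peer connects, and on the deny lines for anyone else.
!   show access-lists OUTSIDE_IN
!   show ip nat translations | include 172.19.128.65
```

The final explicit deny also drops traffic to the router itself (ICMP, routing protocols), so review what Gi0/0 must accept before applying it in production.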
