08-10-2017 10:28 AM - last edited on 03-08-2019 11:41 AM by NikolaIvanov
Hello all,
I am tired of trial and error and not being able to get this to work, so all help is greatly appreciated. Self-taught, so be nice ;)
This is what I've done:
!
! Static port translation for HTTPS, conditional on the route-map
ip nat inside source static tcp <local_global> 443 <outside_global> 443 route-map RANGER_ACCESS extendable
!
! Only the one public address is meant to be allowed
ip access-list extended RANGER_ACCESS_ONLY
 permit ip host <internet address public> any log
 deny ip any any log
!
! The route-map must reference the ACL by its exact name
route-map RANGER_ACCESS permit 10
 match ip address RANGER_ACCESS_ONLY
!
What I'm trying to accomplish is:
<internet address public> --> <my router> --> <dvr_cams>
where <internet address public> = a specific address, not any.
Translation works fine, but the ACL that should only allow the specific <internet address public> defined in ip access-list extended RANGER_ACCESS_ONLY is not working. I can see a bunch of deny matches, and I can reach the device from any public IP address, so NAT is OK, but the ACL is not being applied; not the deny, the permit, or anything else I have tried to see where the fault is.
What I am doing is not blocking traffic from any, therefore the ACL is not working. Hope I don't confuse anyone.
Thanks in advance
08-10-2017 03:51 PM
You really don't need a route-map for this. You simply need to create an inbound access list and apply it to the Internet interface. Something like this will work:
This is the NAT translation to the DVR:
ip nat inside source static tcp 10.24.36.17 443 156.156.156.156 443 extendable
This is the access list that controls traffic to the WAN interface:
! trusted source may reach HTTPS on the WAN address
access-list 101 permit tcp host 123.123.123.123 any eq 443
! everyone else is refused on 443
access-list 101 deny tcp any any eq 443
! all other inbound traffic is left as it was
access-list 101 permit ip any any
! WAN interface
interface GigabitEthernet0/1
 ip address 156.156.156.156 255.255.255.248
 ip access-group 101 in
This NAT translation will send any traffic inbound on port 443 to 10.24.36.17. The access list will control the traffic coming into the WAN port. The ip access-group 101 in command on the WAN interface will apply access-list 101 to all inbound traffic. Don't forget the permit ip any any statement at the end; without it, all traffic will be stopped.
Regards,
Sam
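To check how ACL 101 behaves before it is applied inbound on the WAN interface, here is an added Python evaluator (example code, not from the thread or from Cisco) that does first-match evaluation of the numbered extended ACL lines above; 203.0.113.9 is a constructed stranger address, and only the keywords the thread uses (tcp/ip, host/any, eq) are supported. It also shows why the order of the three entries matters.

```python
from dataclasses import dataclass

@dataclass
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "tcp" or "ip"; "ip" matches every protocol
    src: str      # host address or "any"
    dst: str
    dport: str    # destination port or "any"

def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>]'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto, rest, addrs = tok[2], tok[3], tok[4:], []
    for _ in range(2):  # source, then destination
        if rest[0] == "host":
            addrs.append(rest[1]); rest = rest[2:]
        elif rest[0] == "any":
            addrs.append("any"); rest = rest[1:]
        else:
            raise ValueError(f"unsupported address spec in: {line}")
    dport = rest[1] if rest[:1] == ["eq"] else "any"
    return Ace(action, proto, addrs[0], addrs[1], dport)

def evaluate(acl, proto, src, dst, dport):
    """First matching ACE wins; IOS ends every ACL with an implicit deny."""
    for a in acl:
        if (a.proto in ("ip", proto)
                and a.src in ("any", src)
                and a.dst in ("any", dst)
                and a.dport in ("any", str(dport))):
            return a.action
    return "deny"

ACL_101 = [parse_ace(l) for l in (
    "access-list 101 permit tcp host 123.123.123.123 any eq 443",
    "access-list 101 deny tcp any any eq 443",
    "access-list 101 permit ip any any",
)]

def check_acl_101(acl=ACL_101):
    """Trusted host to 443, a stranger to 443, a stranger to port 80."""
    wan = "156.156.156.156"  # outside global address from the thread
    return (evaluate(acl, "tcp", "123.123.123.123", wan, 443),
            evaluate(acl, "tcp", "203.0.113.9", wan, 443),
            evaluate(acl, "tcp", "203.0.113.9", wan, 80))
def check_wrong_order():  # same ACEs with 'permit ip any any' first
    return check_acl_101(ACL_101[::-1])
```

Because an inbound ACL on the WAN interface is checked before the static NAT rewrites the destination, the packets it sees are addressed to 156.156.156.156, which is why the evaluator matches on that address.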
08-10-2017 03:51 PM
Hello
Just like to add:
What I am doing is not blocking traffic from any, therefore the ACL is not working.
No, a deny ACE inside an ACL applied to NAT doesn't stop that IP from being reachable; it just allows that IP to be seen un-NATed (if that's a word!).
res
Paul
08-15-2017 02:25 PM
Thanks also for your input. Much appreciated.
08-15-2017 02:24 PM
Thank you very much for the detailed explanation and tutorial ;)
much appreciated