6548 Views · 0 Helpful · 4 Replies

Allow only specific ip address to specific LAN device ip via NAT, block all else.

Not applicable

Hello all,

I am tired of trial and error and not being able to get this to work, so all help is greatly appreciated. Self-taught, so be nice ;)

This is what I've done:

!
ip nat inside source static tcp <local_global> 443 <outside_global> 443 route-map RANGER_ACCESS extendable
!
ip access-list extended RANGER_ACCESS_ONLY
 permit ip host <internet address public> any log
 deny   ip any any log
!
route-map RANGER_ACCESS permit 10
 match ip address RANGER_ACCESS
!

What I'm trying to accomplish is:

<internet address public> --> <my router> --> <dvr_cams>

where <internet address public> = a specific address, not any.

Translation works fine, but the ACL that should only allow the specific <internet address public> defined in ip access-list extended RANGER_ACCESS_ONLY is not working. I can see a bunch of deny matches, and I can reach the device from any public IP address, so NAT is OK, but the ACL is not being applied; not the deny, the permit, or anything else I have tried to see where the fault is.

What I am doing is not blocking traffic from any; therefore the ACL is not working. Hope I don't confuse anyone.

Thanks in advance

4 Replies

Sam Smiley
Level 3

You really don't need a route-map for this. You simply need to create an inbound access list and apply it to the Internet interface. Something like this will work:

This is the NAT translation to the DVR:
ip nat inside source static tcp 10.24.36.17 443 156.156.156.156 443 extendable

This is the access list that controls traffic to the WAN interface:
access-list 101 permit tcp host 123.123.123.123 any eq 443
access-list 101 deny   tcp any any eq 443
access-list 101 permit ip any any

interface GigabitEthernet0/1     <-- WAN interface
 ip address 156.156.156.156 255.255.255.248
 ip access-group 101 in

This NAT translation will send any traffic inbound on port 443 to 10.24.36.17. The access list will control the traffic coming into the WAN port. The ip access-group 101 in command on the WAN interface will apply access-list 101 to all inbound traffic. Don't forget the permit ip any any statement at the end; without this all traffic will be stopped.

Regards,
Sam

Hello

Just like to add:

"What I am doing is not blocking traffic from any..., therefore ACL not working."

No, a deny ACE inside an ACL applied to NAT doesn't stop that IP from being reachable; it just allows that IP to be seen un-NATted (if that's a word!).

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
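The two replies above turn on where the ACL is applied: as an inbound access-group on the WAN interface (Sam's design) a deny drops the packet, whereas as the match list of a NAT route-map (Paul's point) a deny only means the packet is not translated by that NAT rule. The following is an added example, not code from the thread or from Cisco: a small Python model of first-match ACL evaluation that parses both the numbered lines Sam posted and the named-ACL body lines the original poster used, then shows what each placement does with the same packets. The addresses are the placeholder values from the replies, and the packets are constructed test input.

```python
"""Added example (not from the thread): a model of IOS-style ACL evaluation,
used to contrast an interface access-group with a NAT route-map match list.
Addresses are the placeholder values used in the replies; nothing here
configures a real router."""

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None = any destination port


def _take_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # ipaddress accepts an IOS wildcard (host) mask directly after the slash
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}", strict=False)


def _take_port(tokens):
    """Consume an optional 'eq N' port qualifier; return the port or None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_acl(text):
    """Parse 'access-list 101 ...' lines or named-ACL body lines ('permit ip ...')."""
    aces = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("!", "ip"):   # comment or 'ip access-list' header
            continue
        if tokens[0] == "access-list":
            tokens = tokens[2:]                       # drop 'access-list <number>'
        if tokens[-1] == "log":
            tokens.pop()                              # logging does not affect matching
        action, proto = tokens.pop(0), tokens.pop(0)
        src = _take_addr(tokens)
        _take_port(tokens)                            # source-port qualifier, unused here
        dst = _take_addr(tokens)
        dport = _take_port(tokens)
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(acl, pkt):
    """First matching ACE wins; every ACL ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in acl:
        if (ace.proto in ("ip", pkt.proto) and s in ace.src and d in ace.dst
                and (ace.dport is None or ace.dport == pkt.dport)):
            return ace.action
    return "deny"


def wan_inbound_filter(acl, pkt):
    """Sam's placement: 'ip access-group 101 in' on the WAN interface.
    A deny here, explicit or implicit, drops the packet."""
    return "forward" if evaluate(acl, pkt) == "permit" else "drop"


def nat_route_map_match(acl, pkt):
    """Paul's point: as the match list of a NAT route-map, a deny only means the
    packet is not translated by that NAT rule; the ACL itself drops nothing."""
    return "translate" if evaluate(acl, pkt) == "permit" else "no-translation"


# Constructed input: Sam's access list, as posted (with the corrected deny line).
SAM_ACL = parse_acl("""
access-list 101 permit tcp host 123.123.123.123 any eq 443
access-list 101 deny   tcp any any eq 443
access-list 101 permit ip any any
""")

# Constructed packets: the allowed host, an unrelated host on 443, and web traffic on 80.
SAMPLE_PACKETS = [
    Packet("tcp", "123.123.123.123", "156.156.156.156", 443),
    Packet("tcp", "198.51.100.7", "156.156.156.156", 443),
    Packet("tcp", "198.51.100.7", "156.156.156.156", 80),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(f"{pkt.src:>16} -> :{pkt.dport:<4} interface ACL: "
              f"{wan_inbound_filter(SAM_ACL, pkt):<8} NAT route-map: "
              f"{nat_route_map_match(SAM_ACL, pkt)}")
```

Run as a script it prints one line per packet: only 123.123.123.123 reaches port 443 through the interface ACL, the unrelated host's 443 attempt is dropped, and its port-80 traffic is forwarded by the final permit. The same deny evaluated as a route-map match only yields "no-translation", which is why a deny in the original poster's route-map ACL never blocked anything.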

Thanks also for your input. Much appreciated.

Not applicable

Thank you very much for the detailed explanation and tutorial ;)

much appreciated
