
Route only traffic from specific WAN IP addresses

CorporateITGuy (Level 1)

Going from a Netgear router that has a GUI that is built in and that I understand and moving to a Cisco router, c897va-k9, that has nothing but CLI that I am almost entirely unfamiliar with. Have gotten some help from the Cisco community but keep running into more problems.

 

Current problem is trying to figure out how to only apply a NAT rule when it's coming from specific IP address(es). I can set up NAT rules for "general" purpose:

 

#ip nat inside source static [local_ip] [public_ip]

or

#ip nat inside source static tcp [local_ip] [port] [public_ip] [port]

 

But I am not sure how to restrict them to only apply these rules to say 50.50.50.50

 

Thank you for any and all help!

1 Accepted Solution (balaji.bandi's reply below)

17 Replies

balaji.bandi (Hall of Fame)

Are you looking to allow a specific port or address? Example:

 

ip nat inside source static tcp 192.168.10.1 443 interface Gi0/0 443

int gi0/0
 ip access-group 100 in
!
access-list 100 permit tcp host y.y.y.y host x.x.x.x  eq 443
access-list 100 deny tcp any host x.x.x.x  eq 443
access-list 100 permit ip any any

I used port 443 for incoming traffic; you can change it based on your requirement, and also change gi0/0 to your WAN-side interface.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello,

 

I’m not entirely sure as I am still very new at Cisco networking.

 

But what I am trying to do is this:

 

2 devices are trying to access my server from 2 different locations, let's call them d1 and d2

 

d1 WAN: 50.50.50.50

d2 WAN: 45.45.45.45

 

Both devices are trying to access my server that I host, let's call it s1

 

s1 WAN: 40.40.40.40

s1 LAN: 192.168.0.200

 

Both devices are trying to access this server via https so port 443

 

when d1 tries to access s1 via WAN no routing should occur

when d2 tries to access s1 via WAN it should be routed to s1’s LAN IP

 

Does this make sense?

 

Would I have to make a default deny for everything inbound and then make permit allowances as needed?

This should work, as an example (we would need to know the full config of your device). Make sure you understand the commands before you apply them; this is your sole responsibility, we can only suggest based on the information given.

 

! Static port forward: public 40.40.40.40:443 -> server 192.168.0.200:443
ip nat inside source static tcp 192.168.0.200 443 40.40.40.40 443 extendable
!
! Only the two satellite offices may reach TCP/443; everything else is left alone
access-list 100 permit tcp host 50.50.50.50 any eq 443
access-list 100 permit tcp host 45.45.45.45 any eq 443
access-list 100 deny tcp any any eq 443
access-list 100 permit ip any any
!
interface g0/0
 ip access-group 100 in

BB


I won't be able to test this until after hours today at the very earliest, so after I test this I will post again. Thank you for your help.

Sorry the reply has been so long coming, but here’s the update.

 

I want to accept this as the solution, but any time that I try to assign either an outbound or an inbound access-list to my WAN interface (in this case g8) I can no longer access the internet from devices inside the VLAN.

Hello,

 

you asked this before, I guess it is not really clear what you mean by 'restrict the rules to'. The static NAT entry I mentioned earlier only translates a specific source address.

 

Maybe you can explain in simple terms what you want to accomplish...

I want to allow access to my servers from my satellite offices, and only my satellite offices, based on their IP address.

Hello @CorporateITGuy ,

The solution provided by @balaji.bandi should work. You need to apply the extended ACL 100 inbound (direction in) on the exit interface of your router, gi0/0 or whichever interface connects to the public Internet.

Be aware that depending on the type of internet service that is used at your satellite offices their public IP addresses can change over time or not.

If the satellite offices have static IP addresses the solution is correct and it does not need any change over time.

 

Hope to help

Giuseppe

 

I think his reply is correct as well, but I am unable to test it because as soon as I assign the access-list to g8 I lose the ability to connect to the internet from devices on the VLAN. Do I need another entry in the access-list to continue allowing VLAN devices to get to the web?

Post the config so we can understand the issue.

BB


Cisco#show run
Building configuration...

Current configuration : 2504 bytes
!
! Last configuration change at 22:38:05 UTC Thu Oct 7 2021
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!


!
!
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
cts logging verbose
license udi pid C897VA-K9 sn FGL220992H6
!
!
username [username] privilege 15 password 0 [password]
!
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
!
!
!
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface Ethernet0
 no ip address
 shutdown
!
interface GigabitEthernet0
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet1
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet2
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet3
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet4
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet5
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet6
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet7
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet8
 description PrimaryWANDesc_
 ip address [WANip] [netMask]
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 1 interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8
ip route 0.0.0.0 0.0.0.0 [ModemIP]
!
ip access-list extended testOutbound
 permit 192 any any
ip access-list extended testInbound
 remark testing AGAIN if I understand ACLs
 permit tcp host [BranchWAN] eq [port#] host [HQWAN] eq [port#]
 remark above ip for [computer]
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login
 transport input none
!
scheduler allocate 20000 1000
!
!
!
end

So I know that for the access-list testInbound to take effect it has to be applied to g8, but when I apply the list it overwrites access-list 1, which, to my understanding, is allowing traffic out of the VLAN, right? I guess I'm just not sure where and how to add that same allowance to my testInbound list, or even my testOutbound list. Please ask if there is anything I can clarify.

 

Again thanks for all the help and advice, I really appreciate it.

any ideas?

I am puzzled about your statement that the new access list overwrites access-list 1. The 2 access lists should be independent of each other.

Let us clear up something. You say "access-list 1 which, to my understanding, is allowing traffic out of the VLAN right?" Actually that is not right. acl 1 is controlling address translation. In a sense you are right that acl 1 is necessary for traffic to get out on g8 but technically it is controlling what traffic gets translated and not controlling what traffic gets in.

There is a flaw in acl testInbound as shown in your config. It would permit specific traffic in. But it does not permit anything else. In Cisco IOS at the bottom of an access list is an implied statement that denies everything. Look again at the suggestion from @balaji.bandi. It starts by permitting specific addresses to access 443. Then it denies anything else to 443. And then (very important) it permits everything else. You need the steps that deny other traffic to your server port and that permit everything else.

I wonder why your configuration has 2 configured static default routes. I like the second one which points to the modem IP. The first one might work (or perhaps it might not work). But even if it does work it is much less efficient than the second one. When a static route points to the outbound interface but does not specify the next hop it makes the router work harder. I suggest removing the first static default route and keep the second one as the only static default route.

HTH

Rick
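To make the first-match and implicit-deny behaviour that Rick describes (and that balaji.bandi's access-list 100 relies on) concrete, here is an added example that is not from the thread: a small Python evaluator for Cisco-style extended ACLs, run over a few constructed packets as they would arrive inbound on the WAN interface. Because an inbound ACL on the `ip nat outside` interface is checked before translation, the packets carry the public address 40.40.40.40 as destination. The redacted `[BranchWAN]`/`[HQWAN]` addresses in testInbound are assumed to be 45.45.45.45 and 40.40.40.40, the source-port `eq` in that line is dropped, and only protocol, addresses and destination port are modelled (no `established`, object groups or logging).

```python
"""Added example: first-match evaluation of Cisco-style extended ACLs.

Models the two lists discussed in the thread - access-list 100 and the
poster's one-line testInbound - against constructed packets to show why the
second one also drops the LAN's return traffic. Addresses for [BranchWAN] and
[HQWAN] are ASSUMED (45.45.45.45 / 40.40.40.40) because the post redacts them.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    """One access-control entry. 'dport' is the 'eq <port>' on the destination."""
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src: str            # "any", "host A.B.C.D", or a prefix such as "10.0.0.0/8"
    dst: str
    dport: Optional[int] = None


def _match_addr(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec.split()[1])
    return ip_address(addr) in ip_network(spec, strict=False)


def evaluate(acl, pkt):
    """First matching ACE wins; no match falls to the implicit 'deny ip any any'."""
    for index, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_match_addr(ace.src, pkt.src) and _match_addr(ace.dst, pkt.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, index
    return "deny", None


# access-list 100 as posted in the thread (with 'host any' written as 'any').
ACL_100 = [
    Ace("permit", "tcp", "host 50.50.50.50", "any", 443),
    Ace("permit", "tcp", "host 45.45.45.45", "any", 443),
    Ace("deny", "tcp", "any", "any", 443),
    Ace("permit", "ip", "any", "any"),
]

# The poster's testInbound with the redacted addresses assumed as above.
TEST_INBOUND = [
    Ace("permit", "tcp", "host 45.45.45.45", "host 40.40.40.40", 443),
]

# Constructed packets as seen INBOUND on the WAN interface. The inbound ACL on
# the 'ip nat outside' interface is checked before NAT, so the destination is
# the public address 40.40.40.40, not 192.168.0.200.
PACKETS = {
    "d1_https": Packet("tcp", "50.50.50.50", "40.40.40.40", 51000, 443),
    "d2_https": Packet("tcp", "45.45.45.45", "40.40.40.40", 51001, 443),
    "stranger_https": Packet("tcp", "203.0.113.7", "40.40.40.40", 51002, 443),
    # Replies to sessions the LAN opened through the PAT overload: the remote
    # server answers FROM port 443/53 to the router's ephemeral port.
    "return_https": Packet("tcp", "198.51.100.10", "40.40.40.40", 443, 62000),
    "return_dns": Packet("udp", "8.8.8.8", "40.40.40.40", 53, 62001),
}


def audit(acl, packets=PACKETS):
    """Map each packet name to the action the ACL takes on it."""
    return {name: evaluate(acl, pkt)[0] for name, pkt in packets.items()}


if __name__ == "__main__":
    for label, acl in (("access-list 100", ACL_100), ("testInbound", TEST_INBOUND)):
        print(label)
        for name, action in audit(acl).items():
            print(f"  {name:15s} {action}")
```

Running it shows the difference the poster hit: access-list 100 permits the two satellite offices, denies any other source on TCP/443, and still passes the return traffic of sessions the LAN opened (source port 443 or 53, destination an ephemeral port) via the final `permit ip any any`; testInbound permits the one branch and, through the implicit deny, drops every reply the LAN is waiting for.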

Thank you for taking the time to explain everything for me.

 

Does access-list 1 affect anything when it hasn't been applied to any interface?

 

I am aware of the implied deny all that comes at the end of the access list, and for inbound traffic that is what I want for the moment. At this point my problem isn't traffic I want getting in not being able to get in; it's that traffic can't get out of my network after I apply any access list, whether inbound or outbound. Maybe the change to the static route will affect that? Not sure, but it seems worth a shot.

 

I tried removing the ip route as you suggested and it seems to have helped a lot thank you!

 

Again thank you for taking the time to help me
