securing static NAT

Unanswered Question
Mar 24th, 2009

How do I make sure that only one public address can use a one-to-one static NAT?

I want to make sure that only the 63.xx.xx.0 block can reach my two servers.

Will this work?

ip nat inside source static 172.18.75.12 65.xx.xx.2 route-map trusted
ip nat inside source static 172.18.75.13 65.xx.xx.3 route-map trusted

ip access-list extended secure
 permit ip host 172.18.75.12 63.xx.xx.0 0.0.0.255
 permit ip host 172.18.75.13 63.xx.xx.0 0.0.0.255

route-map trusted permit 10
 match ip address secure

Jon Marshall Tue, 03/24/2009 - 08:31

Jason

I think you may need to change the acl to

permit ip host 65.x.x.2 63.xx.xx.0 0.0.0.255
permit ip host 65.x.x.3 63.xx.xx.0 0.0.0.255

But I would say that NAT is not really used in this way. Far better to just set up the static NAT without a route-map and then tie down access with an acl on the interface.

Jon

jasonww04 Tue, 03/24/2009 - 12:23

I'll give it a shot. If it doesn't work then I will have to put the ACL on the interface.

jasonww04 Tue, 03/24/2009 - 16:34

So NAT with route map doesn't do what I want.

Now I have to figure out how to construct the ACL, which interface to put it on and which direction it needs to check traffic.

Any ideas?
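The interface-ACL approach Jon recommends, written out as an added example (this is not configuration posted by anyone in this thread). It reuses the addresses from the question; the interface names, the outside interface address 65.xx.xx.1, the /24 mask on the trusted 63.xx.xx.0 block, and the xx placeholders (which stand for the octets the poster masked) are assumptions.

```cisco
! Added example, not from the thread. Interface names, the outside address
! 65.xx.xx.1 and the /24 mask on the trusted block are assumptions; "xx"
! stands for the octets masked in the original question.

! One-to-one static translations, with no route-map attached.
ip nat inside source static 172.18.75.12 65.xx.xx.2
ip nat inside source static 172.18.75.13 65.xx.xx.3

! Inbound on the outside interface the packet has NOT been translated yet
! (inbound ACL is checked before the global-to-local NAT step), so the ACL
! must match the public (inside global) addresses, not 172.18.75.x.
ip access-list extended OUTSIDE-IN
 remark trusted 63.xx.xx.0/24 block to the two published servers only
 permit ip 63.xx.xx.0 0.0.0.255 host 65.xx.xx.2
 permit ip 63.xx.xx.0 0.0.0.255 host 65.xx.xx.3
 remark replies to TCP sessions opened from the inside (stateless ACK/RST match)
 permit tcp any any established
 remark everything else arriving from the internet is dropped and logged
 deny ip any any log

interface GigabitEthernet0/0
 description Outside (internet)
 ip address 65.xx.xx.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in

interface GigabitEthernet0/1
 description Inside
 ip address 172.18.75.1 255.255.255.0
 ip nat inside
```

The ACL goes inbound on the outside interface because that is the only place the untrusted traffic can be stopped before it is translated and routed inward; matching on the 65.xx.xx.2 and 65.xx.xx.3 global addresses is what makes it work, since an ACL written against 172.18.75.12/13 would never match a packet that has not been translated yet. Check the hit counters with show access-lists OUTSIDE-IN and the translations with show ip nat translations. The established line is stateless and TCP-only: it lets in any TCP segment with ACK or RST set, which is enough for replies to sessions the servers open but says nothing about UDP or ICMP. If the servers need to originate DNS, NTP or ping traffic to the outside, add matching permits or, better, use reflexive ACLs or the IOS firewall (ip inspect / zone-based) so return traffic is admitted statefully.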
