securing static NAT

Mar 24th, 2009

How do I make sure that only one public address can use a one-to-one static NAT?

I want to make sure that only 63.xx.xx.0 block can reach my two servers.

Will this work?

ip nat inside source static 65.xx.xx.2 route-map trusted
ip nat inside source static 65.xx.xx.3 route-map trusted

ip access-list extended secure
 permit ip host 63.xx.xx.0
 permit ip host 63.xx.xx.0

route-map trusted permit 10
 match ip address secure

Jon Marshall Tue, 03/24/2009 - 08:31

I think you may need to change the ACL to

permit ip host 65.x.x.2 63.xx.xx.0
permit ip host 65.x.x.3 63.xx.xx.0

But I would say that NAT is not really used in this way. Far better to just set up the static NAT without a route-map and then tie down access with an ACL on the interface.


jasonww04 Tue, 03/24/2009 - 12:23

I'll give it a shot. If it doesn't work then I will have to put the ACL on the interface.

jasonww04 Tue, 03/24/2009 - 16:34

So NAT with route map doesn't do what I want.

Now I have to figure out how to construct the ACL, which interface to put it on and which direction it needs to check traffic.

Any ideas?
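Jon Marshall's suggestion (plain static NAT, access tied down by an interface ACL) worked through for the interface-and-direction question in the last post, as an added example that is not from either poster. It assumes GigabitEthernet0/0 is the outside interface and GigabitEthernet0/1 the inside one, that the servers sit at the constructed private addresses 10.0.0.2 and 10.0.0.3, and that 63.xx.xx.0 is a /24; the public addresses 65.xx.xx.2/.3 are the thread's own placeholders.

```cisco
! Constructed example, not from the thread. Assumed: outside = Gi0/0,
! inside = Gi0/1, servers at 10.0.0.2 / 10.0.0.3, trusted block 63.xx.xx.0/24.

! One-to-one static NAT with no route-map; the route-map does not filter traffic.
ip nat inside source static 10.0.0.2 65.xx.xx.2
ip nat inside source static 10.0.0.3 65.xx.xx.3

! Apply the ACL INBOUND on the OUTSIDE interface. For outside-to-inside packets
! IOS evaluates the inbound ACL before it translates global to local, so the
! entries must name the public (global) addresses, not 10.0.0.x.
ip access-list extended OUTSIDE-IN
 remark Only the trusted block may reach the two published servers
 permit ip 63.xx.xx.0 0.0.0.255 host 65.xx.xx.2
 permit ip 63.xx.xx.0 0.0.0.255 host 65.xx.xx.3
 remark Explicit, logged denies so rejected attempts show up in the log
 deny   ip any host 65.xx.xx.2 log
 deny   ip any host 65.xx.xx.3 log
 remark The implicit deny at the end also blocks returns for sessions that
 remark inside hosts open to the Internet; add permits here if that is needed

interface GigabitEthernet0/0
 description Outside / Internet
 ip nat outside
 ip access-group OUTSIDE-IN in

interface GigabitEthernet0/1
 description Inside / server LAN
 ip nat inside
```

Check the hit counts with `show ip access-lists OUTSIDE-IN` while a host outside the 63.xx.xx.0 block tries to connect; the deny counters should increase and `show ip nat translations` should show no new entries for it.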

