securing static NAT

Mar 24th, 2009

How do I make sure that only one public address can use a one-to-one static NAT?

I want to make sure that only 63.xx.xx.0 block can reach my two servers.


Will this work?

ip nat inside source static 172.18.75.12 65.xx.xx.2 route-map trusted
ip nat inside source static 172.18.75.13 65.xx.xx.3 route-map trusted

ip access-list extended secure
 permit ip host 172.18.75.12 63.xx.xx.0 0.0.0.255
 permit ip host 172.18.75.13 63.xx.xx.0 0.0.0.255

route-map trusted permit 10
 match ip address secure

Jon Marshall Tue, 03/24/2009 - 08:31

Jason


I think you may need to change the acl to

permit ip host 65.x.x.2 63.xx.xx.0 0.0.0.255
permit ip host 65.x.x.3 63.xx.xx.0 0.0.0.255

But I would say that NAT is not really used in this way. Far better to just set up the static NAT without a route-map and then tie down access with an acl on the interface.


Jon

jasonww04 Tue, 03/24/2009 - 12:23

I'll give it a shot. If it doesn't work then I will have to put the ACL on the interface.

jasonww04 Tue, 03/24/2009 - 16:34

So NAT with route map doesn't do what I want.


Now I have to figure out how to construct the ACL, which interface to put it on and which direction it needs to check traffic.


Any ideas?
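Putting Jon's suggestion (plain static NAT, access tied down by an interface ACL) together with Jason's last question (which interface, which direction, what the ACL matches on), here is an added example config that was not posted in the thread. Interface names, the router's own addresses (65.xx.xx.1, 172.18.75.1) and the ACL name OUTSIDE-IN are assumptions; the xx octets are placeholders carried over from the question.

```cisco
! Added example, not posted in this thread. Interface names, the router's
! own addresses (65.xx.xx.1, 172.18.75.1) and the ACL name OUTSIDE-IN are
! assumed; the xx octets are placeholders copied from the question.

! Step 1: plain one-to-one static NAT, no route-map
ip nat inside source static 172.18.75.12 65.xx.xx.2
ip nat inside source static 172.18.75.13 65.xx.xx.3

! Step 2: the filter. Direction is inbound on the outside (public-facing)
! interface. For outside-to-inside packets IOS evaluates the inbound ACL
! before the NAT translation, so the ACL must match the public (inside
! global) addresses 65.xx.xx.2/.3, not the 172.18.75.x inside addresses.
ip access-list extended OUTSIDE-IN
 remark Only the trusted 63.xx.xx.0/24 block may reach the two servers
 permit ip 63.xx.xx.0 0.0.0.255 host 65.xx.xx.2
 permit ip 63.xx.xx.0 0.0.0.255 host 65.xx.xx.3
 remark Explicit logged denies for the servers, so blocked attempts show in syslog
 deny   ip any host 65.xx.xx.2 log
 deny   ip any host 65.xx.xx.3 log
 remark Anything else the outside interface must accept goes below this line
 remark (e.g. return traffic for sessions started from inside, handled by
 remark reflexive ACLs, CBAC or zone-based firewall); the implicit deny
 remark at the end of the list drops everything not permitted above

! Step 3: apply it; ip nat outside / ip nat inside mark the two NAT domains
interface GigabitEthernet0/0
 description outside
 ip address 65.xx.xx.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet0/1
 description inside
 ip address 172.18.75.1 255.255.255.0
 ip nat inside
```

After applying it, `show ip access-lists OUTSIDE-IN` shows per-entry hit counts, which confirms which line a test connection from an untrusted source actually matched.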