
securing static NAT

jasonww04
Level 1

How do I make sure that only one public address can use a one-to-one static NAT?

I want to make sure that only 63.xx.xx.0 block can reach my two servers.

Will this work?

ip nat inside source static 172.18.75.12 65.xx.xx.2 route-map trusted
ip nat inside source static 172.18.75.13 65.xx.xx.3 route-map trusted
!
ip access-list extended secure
 permit ip host 172.18.75.12 63.xx.xx.0 0.0.0.255
 permit ip host 172.18.75.13 63.xx.xx.0 0.0.0.255
!
route-map trusted permit 10
 match ip address secure

3 Replies

Jon Marshall
Hall of Fame

Jason

I think you may need to change the ACL to

 permit ip host 65.x.x.2 63.xx.xx.0 0.0.0.255
 permit ip host 65.x.x.3 63.xx.xx.0 0.0.0.255

But I would say that NAT is not really used in this way. Far better to just set up the static NAT without a route-map and then tie down access with an ACL on the interface.

Jon

I'll give it a shot. If it doesn't work then I will have to put the ACL on the interface.

So NAT with route map doesn't do what I want.

Now I have to figure out how to construct the ACL, which interface to put it on and which direction it needs to check traffic.

Any ideas?
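As an added example that is not part of the original thread, here is one way to implement what Jon suggests: the two static one-to-one translations without a route-map, and an extended ACL applied inbound on the outside interface. The interface names, the interface addresses (172.18.75.1 and 65.xx.xx.1), the /24 masks and the ACL name OUTSIDE-IN are assumptions; the xx octets are kept masked exactly as in the thread and must be replaced with real values. The point a practitioner needs to get right is direction and order of operations: for traffic arriving on the outside interface, IOS evaluates the inbound ACL before it undoes the NAT, so the ACL must match the public (inside global) addresses 65.xx.xx.2 and 65.xx.xx.3, not the 172.18.75.x inside local addresses.

```cisco
! Added example, not the original poster's config. Interface names and
! interface addresses are assumed; xx octets are masked as in the thread.
interface GigabitEthernet0/0
 description inside LAN (assumed)
 ip address 172.18.75.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description outside / ISP (assumed)
 ip address 65.xx.xx.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! Plain static one-to-one NAT, no route-map: the translation is always
! active, and access control is done entirely by the interface ACL below.
ip nat inside source static 172.18.75.12 65.xx.xx.2
ip nat inside source static 172.18.75.13 65.xx.xx.3
!
! Inbound on the outside interface the ACL is checked BEFORE the
! outside-to-inside translation, so it must reference the public
! 65.xx.xx.2/.3 addresses, not the private 172.18.75.12/.13 ones.
ip access-list extended OUTSIDE-IN
 remark Only the trusted 63.xx.xx.0/24 block may reach the two servers
 permit ip 63.xx.xx.0 0.0.0.255 host 65.xx.xx.2
 permit ip 63.xx.xx.0 0.0.0.255 host 65.xx.xx.3
 remark Return traffic for TCP sessions initiated from the inside
 remark (stateless approximation; a stateful firewall feature is better)
 permit tcp any any established
 remark Anything else aimed at the servers is dropped and logged
 deny ip any host 65.xx.xx.2 log
 deny ip any host 65.xx.xx.3 log
 remark Implicit deny follows; listed explicitly so hits are visible
 deny ip any any log
```

Two caveats worth checking before deploying this. First, an inbound ACL on the outside interface filters everything arriving from the ISP, not just the server traffic, so anything else the router needs inbound (return UDP or ICMP traffic, routing-protocol or management sessions) has to be permitted explicitly; the `established` line only covers TCP replies and is not a substitute for a stateful inspection feature. Second, verify with `show ip nat translations` that the two static entries are present, and with `show access-lists OUTSIDE-IN` that the permit lines accumulate hits from a host in 63.xx.xx.0/24 while a test from any other source lands on the logged deny lines.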