We have a Cisco 877 router with a single external IP address.
INSIDE (VLAN1) = 192.168.0.0/24
OUTSIDE (DIALER1) = 126.96.36.199
We have clients on INSIDE who have full internet access.
We have NAT working, a one-to-many NAT:
ip nat inside source static tcp 192.168.0.8 5003 interface Dialer1 5003
ip nat inside source static tcp 192.168.0.8 5090 interface Dialer1 5090
ip nat inside source static udp 192.168.0.8 6000 interface Dialer1 6000
ip nat inside source static tcp 192.168.0.10 4899 interface Dialer1 4899
So now I can talk to these ports from an EXTERNAL IP so the NAT is working fine.
However, I need to lock down access to these ports to specific IP address ranges.
I require INSIDE to still have full internet access to OUTSIDE, but restricted access from OUTSIDE to TCP ports 4899, 5003, 5090 and UDP port 6000.
What is the easiest way of applying this ACL? I am assuming I apply an INBOUND ACL on DIALER1, but I am having issues with TCP and UDP replies on high port numbers. I don't want to be blocking legitimate reply traffic, which will also be INBOUND on a high port number.
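One way to get the restriction without punching a "permit ... gt 1023" hole for reply traffic is to let the router track outbound sessions statefully (CBAC, `ip inspect`) and keep the inbound ACL on Dialer1 limited to the four published ports. The configuration below is an added example, not the original poster's config; it assumes an IOS image on the 877 that includes the `ip inspect` feature, and the two permitted source ranges (203.0.113.0/24 and 198.51.100.0/24) are constructed placeholders from the documentation address space, to be replaced with the real ranges. The public address 126.96.36.199 is the one given above.

```cisco
! Added example, not from the original post. Assumes an IOS feature set
! with CBAC (ip inspect). Source ranges 203.0.113.0/24 and 198.51.100.0/24
! are constructed placeholders for the real permitted ranges.
!
! 1. Stateful inspection of sessions leaving via Dialer1. Each outbound
!    TCP/UDP/ICMP session gets a temporary opening for its replies, so the
!    inbound ACL never needs a blanket "permit ... gt 1023" entry.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
! 2. Inbound ACL on Dialer1. Inbound ACLs on the outside interface are
!    checked BEFORE NAT translates the destination, so match the public
!    address here, not 192.168.0.8 / 192.168.0.10. If the Dialer1 address
!    is dynamic (PPPoE), use "any" as the destination instead of "host ...".
ip access-list extended DIALER1-IN
 remark --- published services, each restricted to its source range ---
 permit tcp 203.0.113.0 0.0.0.255 host 126.96.36.199 eq 5003
 permit tcp 203.0.113.0 0.0.0.255 host 126.96.36.199 eq 5090
 permit udp 203.0.113.0 0.0.0.255 host 126.96.36.199 eq 6000
 permit tcp 198.51.100.0 0.0.0.255 host 126.96.36.199 eq 4899
 remark --- all other unsolicited traffic from OUTSIDE is dropped and logged ---
 deny   ip any any log
!
interface Dialer1
 ip inspect OUTBOUND out
 ip access-group DIALER1-IN in
```

With this in place, `show ip inspect sessions` lists the outbound sessions whose replies are currently being allowed through, and `show access-lists DIALER1-IN` shows hit counts on the four permits and on the final deny. The older `permit tcp any any established` trick is weaker: it only checks for the ACK/RST flags on each packet rather than tracking a real session, and it does nothing for the UDP 6000 replies, which is why the stateful inspection is preferred here.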