Cisco Support Community
New Member

ACL configuration Help

We have CISCO 877 ROUTER WITH A SINGLE EXTERNAL IP ADDRESS

INSIDE (VLAN1)  = 192.168.0.0/24

OUTSIDE (DIALER1) = 195.149.45.229

We have clients on INSIDE who have full internet access.

We have NAT working – a one to many NAT.

ip nat inside source static tcp 192.168.0.8 5003 interface Dialer1 5003

ip nat inside source static tcp 192.168.0.8 5090 interface Dialer1 5090

ip nat inside source static udp 192.168.0.8 6000 interface Dialer1 6000

ip nat inside source static tcp 192.168.0.10 4899 interface Dialer1 4899

So now I can talk to these ports from an EXTERNAL IP so the NAT is working fine.

However... I need to lock down access to these ports to specific IP address ranges.

I require INSIDE to still have full internet access to OUTSIDE, but restricted access from OUTSIDE to TCP PORTS 4899, 5003, 5090 & UDP PORT 6000.

What is the easiest way of applying this ACL? I am assuming on DIALER1 I apply an INBOUND ACL but am having issues with TCP & UDP replies on high port numbers. I don’t want to be blocking legitimate reply traffic which will also be INBOUND on a high port number…

1 REPLY
Hall of Fame Super Blue

Re: ACL configuration Help

nishit.patel wrote: (quotes the original question in full; see above)

If you don't have the IOS firewall running on your router then the next best thing would be to use reflexive access-lists. These allow return traffic back in if it has been allowed out, but you can still control what traffic can be initiated from outside -

RACL configuration

Jon
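The reflexive access-list arrangement Jon describes, written out against the addresses and port forwards in the question. This is an added example, not configuration from the thread or from the linked RACL guide. It assumes the IOS image supports reflexive ACLs (named extended ACLs with `reflect` and `evaluate`), that the Dialer1 address 195.149.45.229 is static as the question states, and that 203.0.113.0/24 and 198.51.100.10 are placeholder management ranges to be replaced with the real ones.

```cisco
! Added example; placeholder source ranges 203.0.113.0/24 and 198.51.100.10
! must be replaced with the ranges that are actually allowed in.

! Outbound ACL on Dialer1: every TCP/UDP session the inside initiates is
! permitted and recorded as a temporary entry in the reflexive list RETURN,
! which is what lets the high-port replies back in without opening them up.
ip access-list extended DIALER1-OUT
 permit tcp any any reflect RETURN timeout 300
 permit udp any any reflect RETURN timeout 60
 permit ip any any

! Inbound ACL on Dialer1. An inbound ACL is checked before the static NAT
! un-translation, so the destination is the public Dialer1 address and port,
! not the 192.168.0.x host.
ip access-list extended DIALER1-IN
 remark --- forwarded services, restricted to the allowed source ranges ---
 permit tcp 203.0.113.0 0.0.0.255 host 195.149.45.229 eq 4899
 permit tcp 203.0.113.0 0.0.0.255 host 195.149.45.229 eq 5003
 permit tcp 203.0.113.0 0.0.0.255 host 195.149.45.229 eq 5090
 permit udp host 198.51.100.10 host 195.149.45.229 eq 6000
 remark --- replies to sessions the inside opened (high ports included) ---
 evaluate RETURN
 remark --- everything else is dropped and logged so probes are visible ---
 deny ip any any log

interface Dialer1
 ip access-group DIALER1-OUT out
 ip access-group DIALER1-IN in
```

If the Dialer1 address is actually assigned dynamically, use `any` in place of `host 195.149.45.229` as the destination, keeping the port match. After applying it, `show access-lists RETURN` shows the temporary entries created by outbound sessions, and `show ip access-lists DIALER1-IN` shows hit counts on the deny line, which is the quickest way to confirm that legitimate reply traffic is being matched by `evaluate RETURN` rather than falling through to the deny.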
