I am trying to achieve the following scenario. I would like the below IP NAT rules to only be usable on an external basis from a handful of hosts, then implicitly deny all other traffic inbound.
The IP NAT rules are for port forwarding to an internal server. These rules all work fine and I can access them from any host, but as said, I would like to lock this down to only a couple of hosts on the internet and then deny the rest.
I'm rusty as regards the NAT/ACL configurations on routers/L3 switches.
It seems in the configuration that you haven't attached the access-list to the interface yet. I think you still need to add some statements/ACEs to the ACL you have there. As we're dealing with a router, you will have to take into consideration the return traffic to your connections from the LAN.
The above ACL would, to my understanding, block all return traffic for normal web browsing etc.
I think the ACE that you needed to add to the top of the ACL was "access-list 101 permit tcp any any established" so it permits return traffic for already established TCP connections.
Also, if the ACL is meant to be an access-list attached to the outside interface for traffic entering the interface, I think you could specify the service ports in the permit statements instead of permitting the whole port range.
All this would be much easier though if you handled the firewall/NAT with an actual firewall appliance.
I will leave the more specific answer and suggestions to someone who has more experience with routers, as I probably have missed something.
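To make the answer above concrete, here is an added example of the whole arrangement on IOS (not configuration from the thread or from Cisco's documentation). The interface names, the public address 203.0.113.10, the internal server 192.168.1.20, the two trusted remote hosts 198.51.100.5 and 198.51.100.6, and the forwarded port 443 are all assumptions; substitute your own. The static NAT line stands in for the port-forwarding rules the question already has.

```cisco
! Added example, not from the thread. Addresses, ports and interface
! names are assumptions: Gi0/0 is the outside interface holding the
! public address 203.0.113.10, Gi0/1 is the LAN, and 192.168.1.20 is
! the internal server being port-forwarded on TCP 443.
!
! Existing-style port forward (static PAT) for the internal server.
ip nat inside source static tcp 192.168.1.20 443 203.0.113.10 443 extendable
!
! Inbound ACL for the outside interface. On IOS the inbound ACL is
! evaluated BEFORE outside-to-inside NAT, so the destination to match
! is the public address, not the server's private address.
access-list 101 remark Return traffic for TCP sessions the LAN started (ACK/RST set)
access-list 101 permit tcp any any established
access-list 101 remark Only the two trusted Internet hosts may reach the forwarded service
access-list 101 permit tcp host 198.51.100.5 host 203.0.113.10 eq 443
access-list 101 permit tcp host 198.51.100.6 host 203.0.113.10 eq 443
access-list 101 remark Everything else is dropped anyway by the implicit deny;
access-list 101 remark an explicit deny with log makes the rejected attempts visible
access-list 101 deny ip any any log
!
interface GigabitEthernet0/0
 description Outside
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
 ip access-group 101 in
!
interface GigabitEthernet0/1
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
```

Two caveats a practitioner should keep in mind. First, `established` only matches TCP segments with the ACK or RST bit set; it is not a state table, and it does nothing for UDP or ICMP replies to traffic the LAN originated (DNS, NTP, ping), which this ACL will drop unless you add explicit permits for them or move to a stateful feature such as zone-based firewall. Second, verify the rules with `show ip access-lists 101` and watch the per-ACE hit counters while testing from a trusted and an untrusted host: a hit on the `established` line from an unsolicited source is a sign that the ACE ordering or the NAT direction is not what you expected.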