New Member

check Nat and ACL on router

Hi all

Below I have attached the config file of the 2911 router.

1. The inside interface 10.10.47.0 should only be given access to 77.77.X.X and denied to all other IPs outside/on the internet.

2. The outside interface shouldn't be pingable/reachable from any IP on the internet/outside network except 77.77.X.X. For this, do I have to create a separate access list and assign it to the interface?

Can you please check the config file and say whether this works or whether I need to add something more for the NATting (1st) as well as the 2nd requirement.

Thanks in advance

sreek

6 REPLIES
Purple

check Nat and ACL on router

Hi,

Let me see if I understand you well: you want your inside interface to be reachable (telnet, ssh, http, https, ping) from 77.77.x.x, and you want your outside interface not to be reachable by any outside IP?

But your inside IP is a private address, so it is not reachable by any IP on the outside except the outside interface.

On the other hand, your outside IP is what represents your inside range on the internet, so if you deny reachability to this IP you are denying reachability to your inside network and you won't be able to go out to the internet.

ip access-list extended wanaccess
 deny   tcp 10.10.47.3 0.0.0.255 77.77.X.X 0.0.0.255 eq 22 23 24   <-- what do you want to achieve?
 permit ip any 77.77.X.X 0.0.0.255
 deny   ip any any
route-map WAN-OUT permit 10
 match ip address wanaccess
ip nat inside source route-map WAN-OUT interface GigabitEthernet0/1 overload

Regards.

Alain

Don't forget to rate helpful posts.
New Member

Re: check Nat and ACL on router

All right, that makes sense.

ip access-list extended wanaccess
 permit ip any 77.77.X.X 0.0.0.255
 deny   ip any any
route-map WAN-OUT permit 10
 match ip address wanaccess
ip nat inside source route-map WAN-OUT interface GigabitEthernet0/1 overload

So this is enough for the above two requirements, 1 and 2, right?

And one more: the above (wanaccess) ACL is for inside packets to reach outside. What about outside to inside, where I want to allow 77.77.X.X to reach the outside IP of my router (182.72.X.X), deny port 24 and allow all other ports, like say 5060?

source: 77.77.X.X

destination: 182.72.X.X

allow on port: for example 5060, or allow all ports

deny on port: 24

Regards

srikanth

Purple

check Nat and ACL on router

Hi,

What this is doing is only NATting the inside subnet when communicating with the 77.77.x.x network.

Is this what you want?

For the second part, just put an ACL inbound on the outside interface denying access to port 24 for the interface IP and permitting anything else. But what is the goal? Deny telnet and ssh on the regular ports on the outside IP but permit them on some other port?

Regards.

Alain

Don't forget to rate helpful posts.
New Member

Re: check Nat and ACL on router

Hi

This is fine, NATting the inside subnet to communicate with 77.77.X.X, as I don't want my inside subnet to access the internet.

But what is the goal? Deny telnet and ssh on the regular ports on the outside IP but permit them on some other port?

For the above: I'm using this router for VoIP traffic specifically, so all the VoIP traffic is coming from the IP 77.77.X.X. I want to allow connectivity between 77.77.X.X and the only public IP I have, which I have used for the interface as 182.72.X.X. So I want to allow all ports and deny port 22 or 24, as the remote end may telnet to my public IP and access the router, right? I don't want that. An Asterisk server (10.10.47.5) resides in the inside network.

The only public IP I have is used for the outside interface of the router, say 182.72.X.X -----> 182.72.150.150.

thanks

srikanth

New Member

Re: check Nat and ACL on router

interface GigabitEthernet0/1
 ip address 182.72.X.X 255.255.255.252   ! 1. the only public IP I have, to be NATted.  2. shouldn't be accessible in any way from the outside network.
 ip nat outside
 ip access-group 101 in
access-list 101 deny tcp 77.77.X.X 0.0.0.255 host 182.72.X.X eq 22 24
access-list 101 permit ip 77.77.X.X 0.0.0.255 host 182.72.X.X
access-list 101 deny ip any any

So for the above ACL 101, 77.77.X.X is allowed on any port except ports 22 and 24, and all other IPs will not be able to access my public IP.

If there is any mistake, correct me.

thanks

srikanth
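To sanity-check what ACL 101 above actually matches before it is applied inbound on the outside interface, here is an added Python evaluator that is not part of the thread or Cisco's own tooling. It implements IOS wildcard-mask matching and first-match-wins with the implicit trailing deny, using constructed addresses (77.77.0.0/24 for the peer and 182.72.150.150 for the WAN interface) in place of the masked X.X octets.

```python
import ipaddress

# Constructed copy of ACL 101 from the thread. Fields: action, protocol,
# source base, source wildcard, destination base, destination wildcard,
# set of destination ports (None = any port).
ACL_101 = [
    ("deny",   "tcp", "77.77.0.0", "0.0.0.255", "182.72.150.150", "0.0.0.0", {22, 24}),
    ("permit", "ip",  "77.77.0.0", "0.0.0.255", "182.72.150.150", "0.0.0.0", None),
    ("deny",   "ip",  "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None),
]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


def evaluate_acl(acl, src, dst, proto, dport):
    """Return 'permit' or 'deny' for one packet: first matching entry wins."""
    for action, p, sbase, swild, dbase, dwild, ports in acl:
        if p != "ip" and p != proto:          # 'ip' entries match every protocol
            continue
        if not wildcard_match(src, sbase, swild):
            continue
        if not wildcard_match(dst, dbase, dwild):
            continue
        if ports is not None and dport not in ports:
            continue
        return action
    return "deny"  # every IOS ACL ends with an implicit deny ip any any


if __name__ == "__main__":
    # Constructed sample packets, as a remote SIP peer and others might send them.
    samples = [
        ("77.77.0.10",  "182.72.150.150", "udp", 5060),   # SIP from the peer
        ("77.77.0.10",  "182.72.150.150", "tcp", 22),     # ssh from the peer
        ("77.77.0.10",  "182.72.150.150", "tcp", 23),     # telnet from the peer
        ("203.0.113.5", "182.72.150.150", "udp", 5060),   # SIP from elsewhere
    ]
    for pkt in samples:
        print(pkt, "->", evaluate_acl(ACL_101, *pkt))
```

Running it shows the peer's SIP and any other port permitted and ports 22 and 24 denied, while every other source hits the final deny. Note that the two deny entries leave TCP 23, the standard telnet port, permitted from 77.77.X.X, so a `deny tcp ... eq 23` line would be needed if telnet is meant to be blocked too.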

Purple

check Nat and ACL on router

Hi,

That's correct.

Regards.

Alain

Don't forget to rate helpful posts.