If I am hosting an FTP and web server to the web, and I have NATed both ports across the server to my external address, can anyone tell me how I would set an access list to allow only, say, 188.8.131.52 from the outside world to access these services?
Say you wanted to configure an input ACL on the WAN interface: the router will check the ACL before performing NAT. Therefore your extended ACL should match the source address you have specified and, as the destination, the external address with the relevant ports. Something like
ip access-list ext EXTERNAL
permit tcp host 184.108.40.206 host eq
Don't forget to allow return traffic originated from inside or any other type of traffic which needs to enter your network. Reflexive ACLs are very good for this.
FYI, if you were to apply the ACL on the inside interface as an output ACL, NAT will in this case be done before the ACL is checked by the router, so the ACL needs to match your host's internal IP address.
If you use the extendable keyword, this is how it is done using the external interface's public IP address.
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip nat outside
ip nat inside source static tcp 192.168.1.100 80 80 extendable
ip nat inside source static tcp 192.168.1.100 25 25 extendable
where 192.168.1.100 is your internal server.
You can also overload on s0 for other hosts for dynamic NAT.
Users from the outside can now access your internal host on ports 80 and 25, assuming your ACL allows them in. Traffic initiated from the outside will have a destination port of either 80 or 25.
Traffic from your servers to the outside will keep the same source port, as this is a static NAT translation. In this scenario the return traffic will have a source port of either 80 or 25, so you can design your ACLs as you wish as long as you get the direction correct.
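Added example (my own code, not from any poster in this thread): a small Python model of the order-of-operations point made in the two answers above. An inbound ACL on the outside interface is evaluated before the static NAT entry and so must name the public address, while an output ACL on the inside interface is evaluated after translation and must name the private address. The addresses 203.0.113.10 and 198.51.100.7 and all function names are constructed placeholders.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"    # router's outside address (constructed placeholder)
SERVER_IP = "192.168.1.100"   # internal server from the thread
TRUSTED_SRC = "198.51.100.7"  # the one outside host we want to allow (constructed)

# Models "ip nat inside source static tcp 192.168.1.100 80 80 extendable" and
# the matching line for port 25: (public ip, port) -> (inside ip, port).
STATIC_NAT = {(PUBLIC_IP, 80): (SERVER_IP, 80), (PUBLIC_IP, 25): (SERVER_IP, 25)}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def acl_permits(pkt, entries):
    """Extended ACL: first matching entry wins; implicit deny if nothing matches.
    Each entry is (action, src, dst, dport); "any" / None act as wildcards."""
    for action, src, dst, dport in entries:
        if src in ("any", pkt.src) and dst in ("any", pkt.dst) and dport in (None, pkt.dport):
            return action == "permit"
    return False

def nat_inbound(pkt):
    """Rewrite a public destination ip/port to the inside host; no entry = unchanged."""
    inside = STATIC_NAT.get((pkt.dst, pkt.dport))
    return Packet(pkt.src, pkt.sport, *inside) if inside else pkt

def inbound_on_outside_interface(pkt, acl):
    """Input ACL on the WAN interface: ACL runs first, so it sees the PUBLIC destination."""
    return nat_inbound(pkt) if acl_permits(pkt, acl) else None

def outbound_on_inside_interface(pkt, acl):
    """Output ACL on the LAN interface: NAT has already run, so it sees the PRIVATE destination."""
    translated = nat_inbound(pkt)
    return translated if acl_permits(translated, acl) else None

# Same intent, written against the public address and against the inside address.
ACL_EXTERNAL = [("permit", TRUSTED_SRC, PUBLIC_IP, 80), ("permit", TRUSTED_SRC, PUBLIC_IP, 25)]
ACL_INTERNAL = [("permit", TRUSTED_SRC, SERVER_IP, 80), ("permit", TRUSTED_SRC, SERVER_IP, 25)]

if __name__ == "__main__":
    web = Packet(TRUSTED_SRC, 51000, PUBLIC_IP, 80)
    print("outside/in, public-addressed ACL :", inbound_on_outside_interface(web, ACL_EXTERNAL))
    print("outside/in, private-addressed ACL:", inbound_on_outside_interface(web, ACL_INTERNAL))
    print("inside/out, private-addressed ACL:", outbound_on_inside_interface(web, ACL_INTERNAL))
```

Swapping the two ACLs between interfaces is the classic mistake: the packet is silently dropped by the implicit deny even though the intended host and port are listed.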
I don't think you can do this. If the session is initiated from the outside, the router will not know which web server to forward the traffic to. I think this is the point where you will need another public address.