Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

access list for servers

If I am hosting a ftp and web server to the web, I have natted across the server with both ports to my external address, Can anyone tell me how I would set an access list to allow only say from the outside world to access these services ?

thanks a million

New Member

Re: access list for servers


Say if you wanted to configure in input acl to the WAN interface, the router will check the acl before performing NAT. Therefore you extended ACL should match the source address you have specified and destination the external address with the relevant ports. Something like

ip access-list ext EXTERNAL

permit tcp host host eq

Don't forget to allow return traffic originated from inside or any other type of traffic which needs to enter your network. Reflexive ACLs are very good for this.

FYI, if you were to do the ACL on the inside interface as an output acl, in this case NAT will be done before the acl is checked by the router. In which case the acl needs to match your host internal ip address.



New Member

Re: access list for servers


It would depend on how you NAT'd the FTP/HTTP servers. If you did a static NAT - e.g.

server -->

server -->

then applying an ACL on the WAN as an ingress interface would look something similar to

access-list 101 permit tcp any host eq www

access-list 101 permit tcp any host eq ftp

NOTE: There is a implicit deny any at the end of the ACL. If you added only those 2 lines in the ACL all other traffic would be denied.

You can use this in conjunction with CBAC for more granular control.

If you're using a dynamic NAT where the ports on the outside can change - you will not be able to nail down the ACL specifically.

Hope this helps.



New Member

Re: access list for servers

if you use the extendable keyword this is how it is done using the external interface public ip address.

int e0

ip address

ip nat inside

int s0

ip address

ip nat outside

ip nat inside source static tcp 80 80 extendable

ip nat inside source static tcp 25 25 extendable

where is your internal server.

You can also overload on s0 for other hosts for dynamic NAT.

Users from the outside can now access your internal host on port 80 and 25, assuming your acl allows them in. Traffic initiated from the outside will have destination ports either 80 or 25.

Traffic from your servers to the outside will maintain the source port as this is a static nat translation. In this scenario the return traffic will have a source port either 80 or 25 therefore you can design your acls as you wish as long as you get the direction correctly.



New Member

Re: access list for servers

what if I had 2 web servers, how would traffic coming in know where to go ?

New Member

Re: access list for servers

I don't think you can do this. If the session is initiated from the outside the router will not know which web server to forward the traffic to. I think this is the point where you will need another public address.

CreatePlease to create content