Access-Lists, Static Mappings and NAT question

williams.geoff
Level 1

Hi All

I have a small pool of public IPs. Some I use for static mappings and some for a NAT pool.

I want to be able to port filter incoming traffic on some of the static mappings.

Should I apply my filter to the private address or to the public address?

For example:

interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface ATM0.3 point-to-point
 description Internet Network
 no ip directed-broadcast
 no shutdown
 pvc 1/34
  ubr 640
  encapsulation aal5mux ppp dialer
  dialer pool-member 3
!
interface Dialer3
 description Internet Network
 ip address negotiated
 ip access-group 101 out
 ip access-group 102 in
 no ip directed-broadcast
 ip nat outside
!
ip nat pool bzmk 111.11.111.27 111.11.111.30 netmask 255.255.255.240
ip nat inside source list 1 pool bzmk overload
ip nat inside source static 192.168.0.1 111.11.111.17
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer3
!
access-list 1 remark Permit address space for NAT
access-list 1 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
access-list 101 remark Deny private RFC reserved IP addresses.
access-list 101 deny ip any 10.0.0.0 0.255.255.255
access-list 101 deny ip any 127.0.0.0 0.255.255.255
access-list 101 deny ip any 172.16.0.0 0.15.255.255
access-list 101 deny ip any 192.168.0.0 0.0.255.255
access-list 101 permit ip any any
!
! Allow established connections ("0.0.0.0 255.255.255.255" is the same as "any")
access-list 102 permit tcp any any established
! Deny SQL access to SQL server
! (single host: wildcard 0.0.0.0, i.e. "host"; 255.255.255.240 is a subnet mask, not a wildcard)
access-list 102 deny tcp any host 111.11.111.17 eq 1433
! Deny finger access to everything
access-list 102 deny tcp any any eq 79
! now open everything remaining up
access-list 102 permit ip any any

Or should the references in access-list 102 be to the 192.168.0.x address of the host?

I tried it using the method above and the internal addresses in the pool could not get out across the WAN link.

Thanks - Geoff
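An added example, not from the original post or any reply, that models Cisco's NAT order of operations for this question: on the `ip nat outside` interface the inbound ACL is evaluated before outside-to-inside translation, so an ACE has to name the public (global) address, and an ACE written against 192.168.0.1 never matches there. The Internet source address 203.0.113.5 and the three variants of the SQL line are constructed here to show what each version actually matches (including how far the 255.255.255.240 wildcard overreaches).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco ACL semantics: a wildcard bit of 1 means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol) or "tcp"
    src: Tuple[str, str]         # (base, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int] = None  # "eq <port>" on the destination, if any

def acl_action(acl, proto, src, dst, dport):
    """First matching ACE wins; every Cisco ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"

STATIC_NAT = {"111.11.111.17": "192.168.0.1"}  # static mapping from the post, global -> local

def outside_to_inside(acl, src, dst_global, dport):
    """Inbound on the 'ip nat outside' interface: the inbound ACL runs before
    outside-to-inside NAT, so it is matched against the public address.
    Models a new connection (TCP SYN), so the 'established' ACE never matches."""
    verdict = acl_action(acl, "tcp", src, dst_global, dport)
    if verdict == "deny":
        return "deny", None
    return "permit", STATIC_NAT.get(dst_global, dst_global)

ANY = ("0.0.0.0", "255.255.255.255")
TAIL = [Ace("deny", "tcp", ANY, ANY, 79), Ace("permit", "ip", ANY, ANY)]
# Three variants of the SQL line from access-list 102 (constructed for comparison)
ACL_AS_POSTED = [Ace("deny", "tcp", ANY, ("111.11.111.17", "255.255.255.240"), 1433)] + TAIL
ACL_HOST = [Ace("deny", "tcp", ANY, ("111.11.111.17", "0.0.0.0"), 1433)] + TAIL
ACL_PRIVATE = [Ace("deny", "tcp", ANY, ("192.168.0.1", "0.0.0.0"), 1433)] + TAIL

if __name__ == "__main__":
    outsider = "203.0.113.5"  # constructed Internet source address
    for name, acl in [("as posted", ACL_AS_POSTED), ("host", ACL_HOST), ("private", ACL_PRIVATE)]:
        print(name, outside_to_inside(acl, outsider, "111.11.111.17", 1433),
              outside_to_inside(acl, outsider, "111.11.111.33", 1433))
```

The "as posted" variant denies port 1433 to every address whose last octet ends in the same low four bits as .17 (such as 111.11.111.33), while the "private" variant lets SQL through untouched because the inbound ACL never sees 192.168.0.1.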

2 Replies

wvaux
Level 1

Access-list should be put on the internal interface and access-list 102 should be put on the external interface.

Can you be more specific regarding the above - when you say "Access-list should be" - do you mean access-list 101?
