07-17-2002 02:07 AM - edited 03-08-2019 11:35 PM
Hi All
I have a small pool of public IPs. Some I use for static mappings and some for a NAT pool.
I want to be able to port filter incoming traffic on some of the static mappings.
Should I apply my filter to the private address or to the public address?
For example:
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
interface ATM0.3 point-to-point
description Internet Network
no ip directed-broadcast
no shutdown
pvc 1/34
ubr 640
encapsulation aal5mux ppp dialer
dialer pool-member 3
interface Dialer3
description Internet Network
ip address negotiated
ip access-group 101 out
ip access-group 102 in
no ip directed-broadcast
ip nat outside
ip nat pool bzmk 111.11.111.27 111.11.111.30 netmask 255.255.255.240
ip nat inside source list 1 pool bzmk overload
ip nat inside source static 192.168.0.1 111.11.111.17
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer3
access-list 1 remark Permit address space for NAT
access-list 1 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
access-list 101 remark Deny private RFC reserved IP addresses.
access-list 101 deny ip any 10.0.0.0 0.255.255.255
access-list 101 deny ip any 127.0.0.0 0.255.255.255
access-list 101 deny ip any 172.16.0.0 0.15.255.255
access-list 101 deny ip any 192.168.0.0 0.0.255.255
access-list 101 permit ip any any
! Allow established connections
access-list 102 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 established
! Deny SQL access to SQL server
access-list 102 deny tcp 0.0.0.0 255.255.255.255 111.11.111.17 0.0.0.0 eq 1433
! Deny finger access to everything
access-list 102 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 79
! now open everything remaining up
access-list 102 permit ip any any
Or should the references in access-list 102 be to the 192.168.0.x address of the host?
I tried it using the method above and the internal addresses in the pool could not get out across the WAN link.
Thanks - Geoff
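The following is an added example written for this thread, not code from any of the posters. It models the documented IOS order of operations for a packet arriving on the NAT-outside interface (inbound ACL first, then outside-to-inside translation, then routing) and evaluates a Cisco-style ACL with wildcard masks. The static mapping and port numbers are taken from the configuration above; the Internet source address 203.0.113.9, the packet dictionaries and the ACL_PRIVATE variant are constructed for the demonstration. It also goes slightly beyond the question by showing what a wildcard of 255.255.255.240 (a subnet mask pasted where a wildcard belongs) actually matches.

```python
"""Model of the IOS NAT order of operations for an outside-to-inside packet.
Constructed example: the inbound ACL on the NAT-outside interface is applied to
the packet as received, i.e. before the inside-global address is translated
back to the inside-local one, so that ACL must name the public address."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches any protocol, else "tcp"/"udp"
    src: Tuple[str, str]           # (address, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int] = None    # "eq <port>" on the destination, if any
    established: bool = False      # TCP "established" keyword


ANY = ("0.0.0.0", "255.255.255.255")


def host(ip: str) -> Tuple[str, str]:
    """Equivalent of the IOS 'host' keyword: wildcard 0.0.0.0."""
    return (ip, "0.0.0.0")


def evaluate_acl(acl: List[Ace], pkt: Dict) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *ace.src):
            continue
        if not wildcard_match(pkt["dst"], *ace.dst):
            continue
        if ace.dport is not None and pkt.get("dport") != ace.dport:
            continue
        if ace.established and not pkt.get("established", False):
            continue
        return ace.action
    return "deny"


def outside_to_inside(pkt: Dict, inbound_acl: List[Ace],
                      static_map: Dict[str, str]) -> Tuple[str, Dict]:
    """Outside-to-inside path: inbound ACL on the untranslated packet, then
    global-to-local translation of the destination. Returns (verdict, packet)."""
    if evaluate_acl(inbound_acl, pkt) == "deny":
        return "deny", pkt
    global_to_local = {g: l for l, g in static_map.items()}
    translated = dict(pkt, dst=global_to_local.get(pkt["dst"], pkt["dst"]))
    return "permit", translated


STATIC_MAP = {"192.168.0.1": "111.11.111.17"}   # inside local -> inside global

# ACL 102 keyed on the public (inside global) address, as in the post.
ACL_PUBLIC = [
    Ace("permit", "tcp", ANY, ANY, established=True),
    Ace("deny", "tcp", ANY, host("111.11.111.17"), dport=1433),
    Ace("deny", "tcp", ANY, ANY, dport=79),
    Ace("permit", "ip", ANY, ANY),
]
# The alternative the poster asks about: the same ACL keyed on the private address.
ACL_PRIVATE = [
    Ace("permit", "tcp", ANY, ANY, established=True),
    Ace("deny", "tcp", ANY, host("192.168.0.1"), dport=1433),
    Ace("deny", "tcp", ANY, ANY, dport=79),
    Ace("permit", "ip", ANY, ANY),
]

# Constructed packets: a new connection to the SQL port, and a reply packet
# belonging to a session the inside host opened (ACK set, so "established").
SQL_SYN = {"proto": "tcp", "src": "203.0.113.9", "dst": "111.11.111.17", "dport": 1433}
SQL_REPLY = dict(SQL_SYN, established=True)


def compare() -> Dict[str, str]:
    """Verdict of each ACL variant on the same inbound SQL connection attempt."""
    return {
        "acl_on_public": outside_to_inside(SQL_SYN, ACL_PUBLIC, STATIC_MAP)[0],
        "acl_on_private": outside_to_inside(SQL_SYN, ACL_PRIVATE, STATIC_MAP)[0],
    }


if __name__ == "__main__":
    print(compare())
    # A wildcard of 255.255.255.240 keeps only the low four bits of the last
    # octet, so it matches every address ending in .1, .17, .33, ... anywhere.
    print(wildcard_match("203.0.113.33", "111.11.111.17", "255.255.255.240"))
```

The private-address variant lets the SQL connection through because, at the point where the inbound ACL runs, the destination is still 111.11.111.17 and the deny entry for 192.168.0.1 never matches; the packet falls through to `permit ip any any` and is only then translated to the private host. An ACL applied inbound on the NAT-outside interface therefore has to be written against the public addresses, with a wildcard of 0.0.0.0 (or the `host` keyword) when a single mapping is meant.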
07-17-2002 08:12 AM
Access-list should be put on the internal interface and access-list 102 should be put on the external interface.
07-30-2002 03:13 PM
Can you be more specific regarding the above? When you say "Access-list should be", do you mean access-list 101?