New Member

Cisco 3800 Static one to one NAT

Hello all,

I would like to set up a one-to-one static NAT, but I want to secure it, or only permit some traffic inbound and allow everything out, on my selected hosts.

My config looks like this:

ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static 10.1.20.39 x.x.x.57

access-list 100 remark NATinsideOut
access-list 100 permit ip 10.0.0.0 0.31.255.255 any
access-list 103 remark Inbound NAT Traffic
access-list 103 permit ip any host x.x.x.227 log
access-list 103 remark Postini to Escort
access-list 103 permit tcp any host x.x.x.57 eq 443 log
access-list 103 remark Postini to Escort
access-list 103 permit udp any host x.x.x.57 eq 443 log
access-list 103 deny ip any any log

With the 103 rule in place I lose all outbound traffic, but the external service is able to connect on port 443 as I wanted.

When the rule is removed, all traffic is allowed out and in.

1 REPLY
Cisco Employee

Re: Cisco 3800 Static one to one NAT

Hi John,

That is because most communication is bidirectional: you have deny ip any any in the inbound direction, so your outgoing traffic can leave the interface but the return traffic will be blocked by the ACL's deny ip any any rule.

You can use a reflexive ACL to do that. The idea is that when traffic leaves the interface, it creates a temporary ACL to allow the return traffic, and that ACL is added to your existing inbound ACL 103. The configuration will look something like this:

ip access-list extended OUTBOUND
 permit ip any any reflect temp
!
ip access-list extended INBOUND
 permit ip any host x.x.x.227 log
 permit tcp any host x.x.x.57 eq 443 log
 permit udp any host x.x.x.57 eq 443 log
 evaluate temp
 deny ip any any log
!
! Bind both lists to the outside interface (GigabitEthernet0/0 is assumed
! from the NAT overload statement above): OUTBOUND out, INBOUND in.
interface GigabitEthernet0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in

HTH,

Lei Tian
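To make the two behaviours concrete, here is a small Python model of how the outside interface evaluates the asker's inbound list with and without the reflexive entry. It is an added example written for this page, not code from the thread or from Cisco: the addresses 203.0.113.57 and 203.0.113.227 are constructed stand-ins for the masked x.x.x.57 and x.x.x.227, the remote hosts are constructed, and the model ignores the idle timeout that real reflexive entries have (`ip reflexive-list timeout`). It shows the return packet of an outbound query being dropped by `deny ip any any`, then being permitted once `evaluate temp` sits before the deny, while an unsolicited inbound packet that matches no recorded flow is still dropped.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-ins (RFC 5737 TEST-NET-3) for the thread's masked x.x.x.57 / x.x.x.227.
NAT_57 = "203.0.113.57"
NAT_227 = "203.0.113.227"


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Ace:
    """One access-list entry. proto 'ip' matches any protocol; 'any' matches any address."""
    action: str                      # "permit" or "deny"
    proto: str = "ip"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None      # 'eq <port>' on the destination
    reflect: Optional[str] = None    # 'reflect <name>': record the flow when this entry matches
    evaluate: Optional[str] = None   # 'evaluate <name>': consult the reflexive list instead

    def matches(self, pkt: Packet) -> bool:
        def addr_ok(spec: str, addr: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and addr_ok(self.src, pkt.src) and addr_ok(self.dst, pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


class Router:
    """Outside interface with an optional outbound ACL, an inbound ACL and reflexive state."""

    def __init__(self, outbound, inbound):
        self.outbound, self.inbound = outbound, inbound
        self.reflexive = {}   # reflexive list name -> set of permitted return 5-tuples

    def _apply(self, acl, pkt: Packet) -> str:
        if acl is None:
            return "permit"   # no ACL applied in this direction
        for ace in acl:
            if ace.evaluate is not None:
                # 'evaluate': permit only the mirror image of a recorded outbound flow
                key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
                if key in self.reflexive.get(ace.evaluate, set()):
                    return "permit"
                continue
            if ace.matches(pkt):
                if ace.reflect is not None and pkt.proto in ("tcp", "udp"):
                    # record the reversed tuple as the expected return traffic
                    self.reflexive.setdefault(ace.reflect, set()).add(
                        (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport))
                return ace.action
        return "deny"   # implicit deny at the end of every IOS ACL

    def send_out(self, pkt: Packet) -> str:
        return self._apply(self.outbound, pkt)

    def recv_in(self, pkt: Packet) -> str:
        return self._apply(self.inbound, pkt)


# The asker's ACL 103 as posted: inbound on the outside interface, no outbound ACL.
ORIGINAL_INBOUND = [
    Ace("permit", "ip", "any", NAT_227),
    Ace("permit", "tcp", "any", NAT_57, dport=443),
    Ace("permit", "udp", "any", NAT_57, dport=443),
    Ace("deny"),
]

# The reply's fix: OUTBOUND records every flow into 'temp', INBOUND evaluates it before the deny.
REFLEXIVE_OUTBOUND = [Ace("permit", reflect="temp")]
REFLEXIVE_INBOUND = ORIGINAL_INBOUND[:3] + [Ace("permit", evaluate="temp"), Ace("deny")]


def run_scenario(inbound, outbound):
    """Return verdicts for: inbound HTTPS to .57, the reply to an outbound DNS query,
    and an unsolicited inbound UDP packet that mirrors no recorded flow."""
    r = Router(outbound, inbound)
    # External service connects to the statically NATed host (constructed client address).
    https_in = r.recv_in(Packet("tcp", "198.51.100.10", NAT_57, 51515, 443))
    # The NATed host queries an outside DNS server; the answer then arrives inbound.
    r.send_out(Packet("udp", NAT_57, "198.51.100.53", 40000, 53))
    dns_back = r.recv_in(Packet("udp", "198.51.100.53", NAT_57, 53, 40000))
    # Same server, but a port the host never used: must not be let in.
    unsolicited = r.recv_in(Packet("udp", "198.51.100.53", NAT_57, 53, 40001))
    return https_in, dns_back, unsolicited


if __name__ == "__main__":
    print("ACL 103 only:   ", run_scenario(ORIGINAL_INBOUND, None))
    print("with reflexive: ", run_scenario(REFLEXIVE_INBOUND, REFLEXIVE_OUTBOUND))
```

The first line of output reproduces the symptom in the question (HTTPS in works, everything the inside host initiates gets its replies dropped); the second shows the reflexive entry admitting only the exact return tuple, which is why the inbound list can keep its explicit deny and logging.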
