Cisco Support Community
New Member

How do I limit "ip nat inside static route" external access

Hi,

This is probably a dumb question but...

I have the following statement in a Cisco 877:

ip nat inside source static tcp 192.168.0.203 3389 interface Dialer1 3389

I simply want to limit external access to this NAT route to a list of external IP addresses - that is, only certain internet IP addresses can access this RDP port. How can I do this?

Regards, Brian

5 REPLIES
Purple

Hi,

You can apply an inbound ACL on the Dialer interface like this one:

access-list 100 permit tcp host x.x.x.x host 192.168.0.203 eq 3389
access-list 100 permit tcp host y.y.y.y host 192.168.0.203 eq 3389
access-list 100 deny tcp any any eq 3389
access-list 100 permit ip any any

Regards

Alain
Don't forget to rate helpful posts.
New Member

Thanks Alain,

I tried the following:

access-list 101 permit tcp host 120.28.12.xxx host 192.168.0.203 eq 3389
access-list 101 deny   tcp any any eq 3389
access-list 101 permit ip any any

but when I add the following statement in the Dialer1 interface and try remote desktop from 120.28.12.xxx it fails to connect until I remove this statement again:

ip access-group 101 in

Any ideas?

Regards, Brian

Purple

Hi,

ip access-list extended 101
 ! replace sequence 10 so the destination is "any" rather than the inside address
 no 10
 10 permit tcp host 120.28.12.xxx any eq 3389

Don't forget to rate helpful posts.
Purple

no comment

Don't forget to rate helpful posts.
New Member

In the end I rang up Cisco TAC to get this resolved. The answer was:

interface Dialer1
 ip access-group 101 in
 ...
!

access-list 101 permit tcp host 120.28.12.xxx host 120.29.12.xxx eq 3389
access-list 101 deny   tcp any any eq 3389
access-list 101 permit ip any any

where: 120.28.12.xxx is the external internet address and 120.29.12.xxx is the Dialer1 interface internet address. My mistake was using an internal address (192.168.0.203) as the destination.

Brian
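To make the TAC explanation concrete, here is a small Python model (added here, not part of the thread or any Cisco tool) of the IOS order of operations for outside-to-inside traffic: the inbound ACL on the outside interface is evaluated before the static NAT global-to-local translation, so it sees the Dialer1 address as the destination, never 192.168.0.203. The external client and Dialer1 addresses are constructed TEST-NET values; only the inside host comes from the thread.

```python
"""Toy model of the IOS order of operations for outside-to-inside traffic.
Added example, not from the thread: the inbound ACL on the outside interface
is evaluated BEFORE the static NAT global->local translation, so an ACE
must name the Dialer1 global address, never the inside host."""
from collections import namedtuple

EXT_CLIENT = "203.0.113.10"   # constructed: the one remote admin to allow
DIALER1_IP = "198.51.100.5"   # constructed: Dialer1's public address
INSIDE_HOST = "192.168.0.203" # from the thread: the RDP server

# ip nat inside source static tcp 192.168.0.203 3389 interface Dialer1 3389
STATIC_NAT = {(DIALER1_IP, 3389): (INSIDE_HOST, 3389)}

Pkt = namedtuple("Pkt", "src dst dport")   # TCP only; protocol field omitted

def ace_matches(ace, pkt):
    """One ACE as (action, src, dst, dport); 'any'/None are wildcards."""
    _, src, dst, dport = ace
    return (src in ("any", pkt.src) and dst in ("any", pkt.dst)
            and dport in (None, pkt.dport))

def acl_permits(acl, pkt):
    """IOS semantics: first matching ACE wins, implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0] == "permit"
    return False

def outside_to_inside(acl, pkt):
    """Return the packet as delivered to the LAN, or None if dropped."""
    if not acl_permits(acl, pkt):               # step 1: inbound ACL, pre-NAT
        return None
    local = STATIC_NAT.get((pkt.dst, pkt.dport))  # step 2: NAT global->local
    return None if local is None else Pkt(pkt.src, *local)

# Brian's first attempt: destination is the inside address, never seen pre-NAT
ACL_BRIAN = [("permit", EXT_CLIENT, INSIDE_HOST, 3389),
             ("deny", "any", "any", 3389),
             ("permit", "any", "any", None)]
# TAC's fix: destination is the Dialer1 global address
ACL_TAC = [("permit", EXT_CLIENT, DIALER1_IP, 3389),
           ("deny", "any", "any", 3389),
           ("permit", "any", "any", None)]

if __name__ == "__main__":
    rdp = Pkt(EXT_CLIENT, DIALER1_IP, 3389)
    print("Brian's ACL:", outside_to_inside(ACL_BRIAN, rdp))  # None
    print("TAC's ACL:  ", outside_to_inside(ACL_TAC, rdp))    # ... 192.168.0.203
    print("Other host: ", outside_to_inside(ACL_TAC, Pkt("192.0.2.77", DIALER1_IP, 3389)))
```

The third call shows the deny entry still doing its job: an unlisted source is dropped at the ACL before NAT ever runs, while non-RDP traffic falls through to the final permit.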
