Here are a couple of points that may shed some light on your issue.
- the access list ends with deny ip any any so anything that is not specifically permitted will be denied. (I think it sometimes is helpful to explicitly code the deny any any as you have done since it may give some visibility about how much traffic is falling through and being denied.)
- one of your static translations is for tcp 21 which is the FTP control port. There is no permit in the access list for tcp 21. So it is fairly easy to see why this translation would not work since the access list will deny the traffic.
- it is a bit more subtle to see why the other two translations do not work since the access list does have permits for tcp 3389 and for tcp 80 (www). And this may be the most significant part of the discussion: the static translations are translating source ports. But the access list has permits for the destination ports. You may need to revise the access list and include some permits for traffic specifying source ports in addition to specifying destination ports.
i don't have the IOS feature set to allow for CBAC so i'm going to go about this differently (assuming that would be one way of doing this). i have two computers which i want to have locked down as much as possible (for learning purposes). i'm going to place both of them in different subnets. the server computer (10.10.10.11), will have an access-list that allows all traffic to go through the inbound direction of the inside interface. i will create another subnet for the other computer (10.10.11.11) and control it's traffic a lot more with a more restrictive access-list for 10.10.11.0 traffic.
As a learning exercise it sounds ok. Are you thinking of the access list to control interaction between the server and the other computer or are you thinking of controlling interaction between both of these and the outside world? Bear in mind that with both machines connected behind the inside interface of the router that the router interface can have only one access list inbound and one access list outbound.
Do you recommend a different path for this situation? Those were the best ideas I could come up with what I currently know. I understand that a www request will come in on port 80 and leave on a different port so I couldn't think of a way to let that packet out without opening almost everything for the server.
When I was thinking about using the differnet subnets, I was thinking about both ideas (controlling interacation to the Internet and between computers). However, I'd probably need another router to do that, wouldn't I? Or maybe I could with the correct access-list and subnetting?
I guess what I'm looking for is the general direction I should take to pursue locking this down. When you say the idea is "ok", do you mean that there are much better ideas? Thanks Rick.
We are pleased to announce availability of Beta software for 16.6.3. 16.6.3 will be the second rebuild on the 16.6 release train targeted towards Catalyst 9500/9400/9300/3850/3650 switching platforms. We are looking for early feedback from custome...