Cisco Support Community
New Member

Question about Static nat and ACL's

Hello to all,

I want to map port 3389 from my WAN interface to a LAN host, but I only want a single IP to be able to connect to this device. This is the configuration that I have made:

Imagine that 2.2.2.2 is the public IP of the machine that I want to access my LAN from.

The LAN IP address is 1.1.1.1 and the public IP of my LAN is 10.10.10.10. OK, first I have to configure the static NAT:

ip nat inside source static tcp 1.1.1.1 3389 10.10.10.10 3389 extendable

and then I created an ACL and applied it to my WAN interface, in this case Dialer 0:

access-list 101 permit tcp host 2.2.2.2 eq 3389 any eq 3389

access-list 101 deny   tcp any eq 3389 any eq 3389

access-list 101 permit ip any any

Once the access list is created I applied it inbound on the Dialer 0 interface:

ip access-group 101 in

but I can still connect to my LAN from any IP. What's wrong?

thanks in advance

regards

1 REPLY
Cisco Employee

Re: Question about Static nat and ACL's

The ACL deny statement should just say the following:

access-list 101 deny   tcp any any eq 3389

Because the source port will never be 3389, you do not need to specify the source port of 3389 in the deny statement.

Same for the first line of the ACL, it should just be as follows:

access-list 101 permit tcp host 2.2.2.2 any eq 3389

Overall, the ACL should read as follows:

access-list 101 permit tcp host 2.2.2.2 any eq 3389

access-list 101 deny   tcp any any eq 3389

access-list 101 permit ip any any

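The reason the ACL in the question never blocks anyone is that an RDP client chooses an ephemeral source port, so entries matching eq 3389 on the source side never hit and every packet falls through to permit ip any any. The following first-match evaluator for IOS extended ACLs is an added example, not code from the thread or from Cisco. It parses the access-list lines exactly as posted in the question and in the reply, then replays constructed packets (clients 2.2.2.2 and 3.3.3.3 on ephemeral source ports, destination 10.10.10.10:3389, because the inbound ACL on the outside interface is checked before NAT rewrites the destination) through both versions. The names Ace, Packet, parse_acl and evaluate are this example's own.

```python
"""First-match simulator for numbered IOS extended ACLs (added example, not a Cisco tool)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ACL as posted in the question: matches on a source port of 3389, which clients never use.
ORIGINAL_ACL = """
access-list 101 permit tcp host 2.2.2.2 eq 3389 any eq 3389
access-list 101 deny   tcp any eq 3389 any eq 3389
access-list 101 permit ip any any
"""

# ACL as corrected in the reply: only the destination port is matched.
CORRECTED_ACL = """
access-list 101 permit tcp host 2.2.2.2 any eq 3389
access-list 101 deny   tcp any any eq 3389
access-list 101 permit ip any any
"""


@dataclass(frozen=True)
class Ace:
    """One access control entry: address/wildcard pairs plus optional 'eq' ports."""
    action: str
    proto: str
    src: str
    src_wild: str
    sport: Optional[int]
    dst: str
    dst_wild: str
    dport: Optional[int]


@dataclass(frozen=True)
class Packet:
    """Constructed packet as seen by the inbound ACL (pre-NAT public destination)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (addr, wildcard, next index)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq N' operator following an address term."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list <n> <permit|deny> <proto> <src> [eq p] <dst> [eq p]' lines in order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            raise ValueError(f"not an extended ACL line: {line!r}")
        action, proto = t[2], t[3]
        src, src_wild, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, dst_wild, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        entries.append(Ace(action, proto, src, src_wild, sport, dst, dst_wild, dport))
    return entries


def _addr_match(ip: str, addr: str, wildcard: str) -> bool:
    """IOS wildcard semantics: bits set in the wildcard are ignored in the comparison."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(ip)) & mask) == (int(ipaddress.IPv4Address(addr)) & mask)


def _ace_match(ace: Ace, pkt: Packet) -> bool:
    if ace.proto not in ("ip", pkt.proto):
        return False
    if not _addr_match(pkt.src, ace.src, ace.src_wild):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if not _addr_match(pkt.dst, ace.dst, ace.dst_wild):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, int]:
    """First matching entry wins: (action, 1-based line); ('deny', 0) is the implicit deny at the end."""
    for n, ace in enumerate(acl, start=1):
        if _ace_match(ace, pkt):
            return ace.action, n
    return "deny", 0


if __name__ == "__main__":
    # Constructed clients: RDP clients use an ephemeral source port, never 3389.
    allowed_client = Packet("tcp", "2.2.2.2", 51000, "10.10.10.10", 3389)
    stranger = Packet("tcp", "3.3.3.3", 51001, "10.10.10.10", 3389)
    for name, text in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        acl = parse_acl(text)
        for pkt in (allowed_client, stranger):
            print(name, pkt.src, "->", evaluate(acl, pkt))
```

Run stand-alone, the original ACL reports ("permit", 3) for both clients, i.e. neither the permit for 2.2.2.2 nor the deny ever matched and the closing permit ip any any let everything through; the corrected ACL reports ("permit", 1) for 2.2.2.2 and ("deny", 2) for 3.3.3.3. The evaluator also models the implicit deny at the end of every IOS ACL, which is why the closing permit ip any any is still needed for all other traffic.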