Cisco Support Community
Community Member

securing static NAT

How do I make sure that only one public address can use a one-to-one static NAT?

I want to make sure that only the 63.xx.xx.0 block can reach my two servers.

Will this work?

ip nat inside source static 65.xx.xx.2 route-map trusted
ip nat inside source static 65.xx.xx.3 route-map trusted
ip access-list extended secure
 permit ip host 63.xx.xx.0
 permit ip host 63.xx.xx.0
route-map trusted permit 10
 match ip address secure

Hall of Fame Super Blue

Re: securing static NAT


I think you may need to change the ACL to

permit ip host 65.x.x.2 63.xx.xx.0
permit ip host 65.x.x.3 63.xx.xx.0

But I would say that NAT is not really used in this way. Far better to just set up the static NAT without a route-map and then tie down access with an ACL on the interface.


Community Member

Re: securing static NAT

I'll give it a shot. If it doesn't work then I will have to put the ACL on the interface.

Community Member

Re: securing static NAT

So NAT with route map doesn't do what I want.

Now I have to figure out how to construct the ACL, which interface to put it on and which direction it needs to check traffic.

Any ideas?
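
The interface-ACL approach suggested in the first reply, written out as an added example that is not part of the original thread. Every address, mask, ACL name and interface name below is a constructed placeholder (the thread's own values are redacted), and the /24 size of the trusted block is an assumption.

```cisco
! Constructed placeholders (assumptions, not values from the thread):
!   198.51.100.0/24           trusted source block (stands in for 63.xx.xx.0)
!   203.0.113.2, 203.0.113.3  public NAT addresses (stand in for 65.xx.xx.2/.3)
!   10.0.0.2, 10.0.0.3        private addresses of the two servers
!   GigabitEthernet0/0        outside (Internet-facing) interface
!   GigabitEthernet0/1        inside (server-facing) interface
!
! Plain one-to-one static NAT, no route-map.
ip nat inside source static 10.0.0.2 203.0.113.2
ip nat inside source static 10.0.0.3 203.0.113.3
!
! An inbound ACL on the outside interface is checked BEFORE NAT rewrites
! the destination, so it must match the public addresses, not 10.0.0.x.
ip access-list extended OUTSIDE-IN
 permit ip 198.51.100.0 0.0.0.255 host 203.0.113.2
 permit ip 198.51.100.0 0.0.0.255 host 203.0.113.3
 ! Everything else aimed at the two servers is dropped and logged.
 deny   ip any host 203.0.113.2 log
 deny   ip any host 203.0.113.3 log
 ! Assumption: other inbound traffic on this interface stays allowed.
 ! Replace this line with the site's own policy; without any permit
 ! here the implicit deny at the end of the ACL drops all other traffic.
 permit ip any any
!
interface GigabitEthernet0/0
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet0/1
 ip nat inside
```

`show ip access-lists OUTSIDE-IN` shows per-line match counters, which confirms that trusted sources hit the permit entries and everything else hits the deny entries. The ACL is stateless, so replies to connections the servers themselves open to addresses outside the trusted block are also dropped by the deny lines.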
