
Converting NAT Statement to Permit Statement in an ACL?

Ok here goes again with my same problem, hope I can explain it better. How can I write the following NAT statement as a permit statement in an ACL to allow outside access to an internal web server using a private address (192.168.1.30)? I have a 2621 router with INT FA0/0 connected to the internet and INT FA0/1 to my inside network.

This is the NAT statement I am using and need to either make it work with an Access-List or convert to a permit statement within an Access-List:
ip nat inside source static tcp 192.168.1.30 80 interface FastEthernet0/0 80

As a side note, this Access-List will need to work with CBAC, which I will implement as soon as I get past this little problem.

Thanks to all for your time.

"I hear and I forget. I see and I remember. I do and I understand."
- Confucius (551 BC - 479)
 
access-list 101 permit tcp any host 192.168.1.30 eq www
 
I wish it were that easy, or maybe it is. Here is the last ACL that I tried on my external (internet) interface that did not work:

ip access-list extended External_ACL
permit tcp any host 192.168.1.30 eq 80
deny ip any any
!
ip inspect tcp idle-time 300
ip inspect name CBAC smtp
ip inspect name CBAC tftp
ip inspect name CBAC ftp
ip inspect name CBAC http
ip inspect name CBAC realaudio
ip inspect name CBAC tcp
ip inspect name CBAC icmp
ip inspect name CBAC udp
!
!
interface FastEthernet0/0
ip address 65.xx.xx.xx 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect CBAC out
ip access-group External_ACL in
duplex auto
speed auto
no cdp enable

Do you think it might be the CBAC that is screwing me up, or maybe it is the way the CBAC and ACL are applied to the external interface?

 
Do you still have NAT in use? Because I see ip nat outside on your interface. If you do, that ACL will not work because the outside doesn't know about 192.168.1.30.
 
Yes, I still use NAT to allow internet access to internal users that use private addresses. Here is my current configuration regarding that:

version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname router
!
username xxxxxxxx privilege 15 secret 5 $1$.UWW$tuETisEwvnY9d5C8DaCvd0
ip subnet-zero
!
no ip domain lookup
ip domain name something.com
!
no ip bootp server
ip inspect tcp idle-time 300
ip inspect name CBAC smtp
ip inspect name CBAC tftp
ip inspect name CBAC ftp
ip inspect name CBAC http
ip inspect name CBAC realaudio
ip inspect name CBAC tcp
ip inspect name CBAC icmp
ip inspect name CBAC udp
ip audit notify log
ip audit po max-events 100
!
no voice hpi capture buffer
no voice hpi capture destination

interface FastEthernet0/0
ip address 65.xx.xx.xx 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect CBAC out
ip access-group External_ACL in
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
duplex auto
speed auto
no cdp enable

ip nat inside source list 100 interface FastEthernet0/0 overload

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

So what you are saying is that this NAT access is what's causing my ACL not to work? Why?

 
Well, in that case you have to do it like this:

access-list 101 permit tcp any host 65.xx.xx.xx eq www

because all people on the internet see the IP of your outside NAT interface.
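The reason this works is the IOS order of operations: for a packet arriving inbound on the "ip nat outside" interface, the inbound access-group is evaluated before the outside-to-inside NAT translation, so the ACL only ever sees the public (inside global) address. The following is an added illustration, not code from the thread; it models that pipeline in Python with a constructed placeholder (65.0.0.10) standing in for the masked 65.xx.xx.xx address and a constructed client address.

```python
"""Model of IOS processing for traffic arriving inbound on the 'ip nat outside'
interface: inbound ACL first (pre-translation), then static NAT outside->inside."""
from ipaddress import ip_address, ip_network

PUBLIC_IP = "65.0.0.10"      # constructed placeholder for the router's 65.xx.xx.xx on Fa0/0
SERVER_IP = "192.168.1.30"   # inside local address of the web server (from the thread)

# Equivalent of: ip nat inside source static tcp 192.168.1.30 80 interface FastEthernet0/0 80
STATIC_NAT = {(PUBLIC_IP, 80): (SERVER_IP, 80)}


def acl_permits(acl, pkt):
    """Evaluate an extended ACL top-down; unmatched traffic hits the implicit deny."""
    for action, proto, src, dst, dport in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (src == "any" or ip_address(pkt["src"]) in ip_network(src)):
            continue
        if not (dst == "any" or ip_address(pkt["dst"]) in ip_network(dst)):
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        return action == "permit"
    return False


def outside_inbound(acl, pkt):
    """Inbound on Fa0/0: the access-group sees the untranslated destination,
    only afterwards does the static NAT entry rewrite it to 192.168.1.30."""
    if not acl_permits(acl, pkt):
        return "dropped by ACL"
    target = STATIC_NAT.get((pkt["dst"], pkt["dport"]))
    if target is None:
        return "no translation"
    pkt = dict(pkt, dst=target[0], dport=target[1])
    return f"delivered to {pkt['dst']}:{pkt['dport']}"


# The poster's original ACL (private address) versus the corrected one (public address).
WRONG_ACL = [("permit", "tcp", "any", SERVER_IP + "/32", 80), ("deny", "ip", "any", "any", None)]
RIGHT_ACL = [("permit", "tcp", "any", PUBLIC_IP + "/32", 80), ("deny", "ip", "any", "any", None)]

# Constructed inbound HTTP request from an internet client to the router's public address.
INBOUND_HTTP = {"proto": "tcp", "src": "203.0.113.7", "dst": PUBLIC_IP, "dport": 80}

if __name__ == "__main__":
    print(outside_inbound(WRONG_ACL, INBOUND_HTTP))  # dropped by ACL
    print(outside_inbound(RIGHT_ACL, INBOUND_HTTP))  # delivered to 192.168.1.30:80
```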
 
So what you are saying is I should leave everything alone, including the NAT statement:
ip nat inside source static tcp 192.168.1.30 80 interface FastEthernet0/0 80

and make my access-list
ip access-list extended External_ACL
permit tcp any host 65.xx.xx.xx eq 80
deny ip any any

65.xx.xx.xx being my public address that is statically assigned to my external interface?

This way TCP access on port 80 will be permitted by the ACL and allow the NAT statement to be run?

 
Thanks for all your time I appreciate it!

 