NAT with extended ACL?
(OP)
Can someone please help me. I have a 2621 router that is being used for internet access. I also permit access to an internal web server with the following statement:
ip nat inside source static tcp 192.168.1.30 80 interface FastEthernet0/0 80
I want to set up an access list that only permits incoming access to this server and nothing else. I cannot figure out how to write a permit statement that duplicates the above NAT statement, which works just fine. The following statement does not work.

ip access-list extended External_Acl
permit tcp any host 192.168.1.30 eq 80
deny ip any any

Here is my current configuration.

Current configuration : 5023 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname router
!
username xxxxxxxx privilege 15 secret 5 $1$.UWW$tuETisEwvnY9d5C8DaCvd0
ip subnet-zero
!
no ip domain lookup
ip domain name something.com
!
no ip bootp server
ip inspect tcp idle-time 300
ip inspect name CBAC smtp
ip inspect name CBAC tftp
ip inspect name CBAC ftp
ip inspect name CBAC http
ip inspect name CBAC realaudio
ip inspect name CBAC tcp
ip inspect name CBAC icmp
ip inspect name CBAC udp
ip audit notify log
ip audit po max-events 100
!
no voice hpi capture buffer
no voice hpi capture destination
!
interface FastEthernet0/0
 ip address 65.xx.xx.xx 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect CBAC out
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 duplex auto
 speed auto
 no cdp enable
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.30 80 interface FastEthernet0/0 80
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 65.114.xx.xx
!
access-list 1 permit 192.168.1.11
access-list 1 permit 192.168.1.10
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
line con 0
 login local
line aux 0
 exec-timeout 5 0
 login local
line vty 0 4
 access-class 1 in
 exec-timeout 5 0
 login local
 transport input telnet ssh
 transport output ssh
!
end

"I hear and I forget. I see and I remember. I do and I understand."
- Confucius (551 BC - 479)

RE: NAT with extended ACL?

What I can't remember here is whether the NAT translation acts before an ACL is checked.

If it does, the ACL you have defined will work fine if you apply it inbound on your Internet-facing interface (presumably fa0/0).

If the ACL is checked first, you may have to apply that ACL outbound on the LAN-facing interface (presumably fa0/1).

Maybe try both approaches and see if either of them works. If not, let me know.

RE: NAT with extended ACL?

(OP)
I tried the statement inbound on the external interface and it did not work. I will try the other configuration next. Will applying this ACL outbound on the internal interface affect my current CBAC configuration? I have it set up to inspect out on the external interface.

Thanks for your reply.
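Added example, not part of the thread above; it addresses both the reply's open question (does NAT run before or after the ACL?) and the follow-up about CBAC. On IOS the outside-to-inside order of operations is: inbound ACL first, then the outside-to-inside (global-to-local) NAT translation, then routing and the output ACL. So an ACL applied inbound on fa0/0 sees the packet's public destination, which is fa0/0's own address (redacted as 65.xx.xx.xx in the posted config), not 192.168.1.30; that is why `permit tcp any host 192.168.1.30 eq 80` never matches inbound on fa0/0. An ACL applied outbound on fa0/1 runs after translation and would match 192.168.1.30, but the existing `ip inspect CBAC out` on fa0/0 inserts its temporary return-traffic entries into the inbound ACL of that same interface, so keeping the filter inbound on fa0/0 is the layout the CBAC configuration already expects. The fragment below assumes the public address is whatever fa0/0 actually holds (substitute it for the placeholder), and the ICMP permits are optional additions a practitioner would usually want, not something the thread asked for.

```cisco
! Added example, not the poster's configuration. Assumes fa0/0's public
! address is the one redacted as 65.xx.xx.xx above; substitute the real one.
! Outside-to-inside order of operations: inbound ACL, then NAT global->local,
! so this ACL must name the public address, not 192.168.1.30.
ip access-list extended External_Acl
 remark HTTP to the statically NATed web server, matched on the pre-NAT global address
 permit tcp any host 65.xx.xx.xx eq 80
 remark Optional: ICMP errors the NATed server and overloaded clients rely on (PMTUD, traceroute)
 permit icmp any host 65.xx.xx.xx unreachable
 permit icmp any host 65.xx.xx.xx time-exceeded
 remark Everything else is dropped unless CBAC opened a temporary entry for a session started inside
 deny ip any any log
!
interface FastEthernet0/0
 ip access-group External_Acl in
 ip inspect CBAC out
!
! Verification (exec mode):
! show ip inspect sessions
! show ip access-lists External_Acl
```

After applying it, have an inside host browse out and check `show ip inspect sessions`; the dynamic entries CBAC creates for the return traffic show up in `show ip access-lists External_Acl`. Then test from outside that only port 80 on the public address answers. The `deny ip any any` also covers packets addressed to the router itself, which is the behaviour you want on an Internet-facing interface; management access stays limited to the inside hosts in access-list 1 via the vty `access-class`.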