NAT with extended ACL?

Can someone please help me. I have a 2621 router that is being used for internet access. I also permit access to an internal web server with the following statement:
ip nat inside source static tcp 80 interface FastEthernet0/0 80. I want to set up an access list that only permits incoming access to this server and nothing else. I cannot figure out how to write a permit statement that duplicates the above NAT statement, which works just fine. The following statement does not work.

ip access-list extended External_Acl
permit tcp any host eq 80
deny ip any any

Here is my current configuration.

Current configuration : 5023 bytes
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
hostname router
username xxxxxxxx privilege 15 secret 5 $1$.UWW$tuETisEwvnY9d5C8DaCvd0
ip subnet-zero
no ip domain lookup
ip domain name something.com
no ip bootp server
ip inspect tcp idle-time 300
ip inspect name CBAC smtp
ip inspect name CBAC tftp
ip inspect name CBAC ftp
ip inspect name CBAC http
ip inspect name CBAC realaudio
ip inspect name CBAC tcp
ip inspect name CBAC icmp
ip inspect name CBAC udp
ip audit notify log
ip audit po max-events 100
no voice hpi capture buffer
no voice hpi capture destination
interface FastEthernet0/0
 ip address 65.xx.xx.xx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect CBAC out
 duplex auto
 speed auto
 no cdp enable
interface FastEthernet0/1
 ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 duplex auto
 speed auto
 no cdp enable
ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source static tcp 80 interface FastEthernet0/0 80
no ip http server
no ip http secure-server
ip classless
ip route 65.114.xx.xx
access-list 1 permit
access-list 1 permit
access-list 100 permit ip any
no cdp run
line con 0
 login local
line aux 0
 exec-timeout 5 0
 login local
line vty 0 4
 access-class 1 in
 exec-timeout 5 0
 login local
 transport input telnet ssh
 transport output ssh

"I hear and I forget. I see and I remember. I do and I understand."
- Confucius (551 BC - 479)

RE: NAT with extended ACL?

What I can't remember here is whether the NAT translation acts before an ACL is checked.

If it does, the ACL you have defined will work fine if you apply it inbound on your Internet-facing interface (presumably fa0/0)

If the ACL is checked first, you may have to apply that ACL outbound on the LAN-facing interface (presumably fa0/1)

Maybe try both approaches and see if either of them works. If not, let me know.

RE: NAT with extended ACL?

I tried the statement inbound on the external interface and it did not work. I will try the other configuration next. Will applying this ACL outbound on the internal interface affect my current CBAC configuration? I have it set up to inspect out on the external interface.

Thanks for your reply.

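The point the two posts above are circling, shown as an added example that is not the poster's configuration and not part of the reply: on Cisco IOS an ACL applied inbound on the NAT outside interface is evaluated before the outside-to-inside (global-to-local) translation, so for the port forward to pass it must match the public address of FastEthernet0/0, not the internal server's address. The addresses below are RFC 5737 and RFC 1918 documentation values picked for illustration; the inside server address used by the poster's NAT statement is not visible on the page, so 192.168.1.10 is an assumption.

```cisco
! Added example, not the poster's running configuration.
! Assumed addresses (documentation ranges, not the poster's):
!   203.0.113.10  public address on FastEthernet0/0 (outside global)
!   192.168.1.10  internal web server (inside local)
!
! Static port forward: TCP/80 on the public interface address -> internal server.
ip nat inside source static tcp 192.168.1.10 80 interface FastEthernet0/0 80
!
! The ACL as it would be written with the server's inside address never matches
! when applied inbound on FastEthernet0/0: the inbound ACL runs before the
! global-to-local translation, so the packet still carries 203.0.113.10 as
! its destination at that point.
!
! ip access-list extended External_Acl
!  permit tcp any host 192.168.1.10 eq 80     <- does not match on fa0/0 in
!  deny   ip any any
!
! Corrected ACL: match the pre-translation (public) destination address.
ip access-list extended External_Acl
 remark Publish only the web server; CBAC adds return-traffic entries here
 permit tcp any host 203.0.113.10 eq 80
 deny   ip any any log
!
interface FastEthernet0/0
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
 ip access-group External_Acl in
 ip inspect CBAC out
```

Keeping the ACL inbound on FastEthernet0/0 is also the placement that works with the existing `ip inspect CBAC out` on that interface: CBAC opens temporary entries for return traffic of inside-initiated sessions in the ACL applied in the opposite direction on the same interface. An outbound ACL on FastEthernet0/1 would see the translated 192.168.1.10 address but would not receive those openings, so replies to outbound sessions would hit the final deny. `show ip nat translations` and `show ip access-lists External_Acl` confirm the behaviour: the permit line's hit counter should increment when the server is reached from outside.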
