• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1041
  • Last Modified:

Cisco 2911 Access list

Hi I am putting the entry for NAS cisco 324 (ip 10.10.10.80)  in the router 2911:

what's up with the routers ACL:
I put
ip nat inside source static 10.10.10.80 X.X.X.X  <<<.......Even if I put only this entry it opens up ports 8080,8081, 80 etc

and then under my access-list 101 I put:
permit tcp any host X.X.X.X eq 8080

How to manipulate the entry so that only port 8080 is allowed
NOte: since NAS 324 has its own web server, multimedia server its doing something of its on.

Help
forEEpuposesAccesslistNewFeb2011.txt
0
amanzoor
Asked:
amanzoor
  • 2
  • 2
2 Solutions
 
evil_hitmanCommented:
2 options
change your nat statement to only be for the one port. eg.
ip nat inside source static tcp 10.10.10.80 8080 X.X.X.X 8080

or

to use your access list you need to apply it to an interface.
Based on the way you have written the rules i would put it inbound on the internet interface so.....

interface GigabitEthernet0/1.92
ip access-group 101 in

make sure you aren't connected via this interface when you add the rule in case you lose connectivity.
0
 
amanzoorNetwork infrastructure AdminAuthor Commented:
evil hitman:
through which command I can actually see if my applied settings for this particular ip have been applied and working?  I have just applied your first suggested option.  I need to find out if it actually is working on the router .
Help
0
 
evil_hitmanCommented:
for the first option, you check it is in the config (and make sure you have removed the other nat config line relating to that ip) then see if you can do anything other than 8080

you can do the following command

show ip nat translations

but this will give you massive output and will probably not be of much use in a live environment, There are some other options you can add to that command but i don't remember them off the top of my head. type ? to get a list of options as you are typing the command

0
 
alexjfisherCommented:
Your 101 access list isn't applied to any interface.

You must choose the most appropriate interface and direction to apply the access-list to.
Perhaps inbound on your internet facing interface or possibly outbound on the interface closest to the NAS.

Also remember that access-lists are evaluated in order.  The first match found wins.  If no access-list statement is matched by the end of the list there's an implicit deny all.

0
 
amanzoorNetwork infrastructure AdminAuthor Commented:
THanks guys for the suggestions, I really appreciate your time.
I opted for option 2: and it worked falwless.
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now