AMtek
asked on
Cisco ACL and NAT
Need to allow one static external IP SSH access to a couple of internal servers behind a Cisco router.
external static IP: 1.1.1.1
internal static IPs: 10.10.10.2 and 10.10.10.3
would this be a NAT plus ACL?
ASKER
Thank you for helping.
Sorry, I meant 1.1.1.1 would be the only allowed IP address from the internet.
So assume:
1.1.1.1 is the external IP (and only IP) needing access
2.2.2.2 would be the current WAN IP address on the router
Replace 1.1.1.1 with 2.2.2.2 in the port forward above.
Filtering on WAN port (Gi0/0):
ip access-list extended SSH_FILTER
 permit ip host 1.1.1.1 any <-- permit full access from host 1.1.1.1 (you can be more specific and allow only specific ports etc., but I guess there is no need for that)
 deny tcp any any eq 40 <-- deny any other host access to TCP port 40 - there is no need to care about source or destination address here, only about port 40 as the destination port
 deny tcp any any eq 26 <-- the same as the previous line, just a different destination port - 26
 permit ip any any <-- permit any other traffic
interface Gi0/0
 ip access-group SSH_FILTER in
You can use different ports and IP addresses, but the basic principle is the same...
Static NAT assignment is all you need in the scenario above:
ip nat inside source static tcp 10.10.10.2 22 1.1.1.1 40 extendable <-- requests to port 40 on the WAN interface will be forwarded to 10.10.10.2 port 22
ip nat inside source static tcp 10.10.10.3 22 1.1.1.1 26 extendable <-- requests to port 26 on the WAN interface will be forwarded to 10.10.10.3 port 22
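A complete configuration that puts the NAT answer and the ACL answer together, as an added example that is not text posted by either participant. It uses the asker's corrected numbering (2.2.2.2 as the WAN address, 1.1.1.1 as the only permitted source, 10.10.10.2 and 10.10.10.3 as the servers) and adds what the thread leaves implicit: the `ip nat inside` / `ip nat outside` markings, without which the static translations never take effect, and an ACL that lets 1.1.1.1 reach only the two forwarded ports rather than everything. The interface names GigabitEthernet0/0 and 0/1, the /30 WAN mask, the 10.10.10.0/24 LAN with 10.10.10.1 on the router, and the ACL name MGMT_SSH are assumptions.

```cisco
! Added example, not from the original thread.
! Assumed: Gi0/0 = WAN (2.2.2.2/30), Gi0/1 = LAN (10.10.10.0/24, router at 10.10.10.1),
! 1.1.1.1 = the only Internet host allowed in.

! --- Static port forwards (NAT) ---------------------------------------------
! 2.2.2.2:40 -> 10.10.10.2:22 and 2.2.2.2:26 -> 10.10.10.3:22.
! "extendable" allows several static entries that share one global address.
! If the WAN address is dynamic, "interface GigabitEthernet0/0" can replace 2.2.2.2.
ip nat inside source static tcp 10.10.10.2 22 2.2.2.2 40 extendable
ip nat inside source static tcp 10.10.10.3 22 2.2.2.2 26 extendable

! --- Inbound filter on the WAN interface (ACL) ------------------------------
! An inbound ACL on the outside interface is evaluated BEFORE outside-to-inside
! NAT, so it must match the public address and the forwarded port (2.2.2.2:40),
! not the translated 10.10.10.2:22. First match wins, so the permits come first.
ip access-list extended SSH_FILTER
 remark SSH forwards: only 1.1.1.1 may reach them
 permit tcp host 1.1.1.1 host 2.2.2.2 eq 40
 permit tcp host 1.1.1.1 host 2.2.2.2 eq 26
 deny   tcp any host 2.2.2.2 eq 40 log
 deny   tcp any host 2.2.2.2 eq 26 log
 ! Everything else stays open, as in the posted answer: with no stateful
 ! inspection (ZBF / CBAC) a final deny would also drop return traffic for
 ! sessions the LAN opens outbound.
 permit ip any any

! --- Interfaces -------------------------------------------------------------
interface GigabitEthernet0/0
 description WAN
 ip address 2.2.2.2 255.255.255.252
 ip nat outside
 ip access-group SSH_FILTER in
!
interface GigabitEthernet0/1
 description LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside

! --- The router's own SSH (port 22 on 2.2.2.2 is not forwarded) ---------------
! SSH_FILTER does not touch port 22, so restrict the vty lines the same way.
ip access-list standard MGMT_SSH
 permit 1.1.1.1
line vty 0 4
 access-class MGMT_SSH in
 transport input ssh
```

After applying it, `show ip nat translations` should list the two static entries even before any traffic arrives, and `show ip access-lists SSH_FILTER` shows per-line hit counters; from 1.1.1.1, `ssh -p 40 user@2.2.2.2` should land on 10.10.10.2 while the same connection from any other address is counted on the `deny ... eq 40` line. The `log` keyword is optional and is rate-limited by IOS, so do not rely on it as a complete record of blocked attempts.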