
IP specific port mapping

Status
Not open for further replies.

samward (Technical User), GB
Aug 17, 2003
This is sort of a repost - my first post slipped down the list too fast for me. Apologies.

Here's my problem: I have a single user outside my main office who needs to be able to access port 80 on my server over the internet. But just him - not the general public.

My office has an 827 ADSL router connected to the internet. The remote user has a standard ADSL modem/router.

Here's some IP info:
My server's internal IP: 10.0.0.1
main office public IP: 51.128.33.70
Remote user IP: 193.195.12.41

Here's a config snippet:
ip nat inside source static tcp 10.0.0.1 80 51.128.33.70 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 102 deny tcp any host 10.0.0.1 eq www
access-list 102 permit tcp host 193.195.12.41 host 10.0.0.1 eq www


Whatever I seem to do, I either end up granting the whole world port 80 access or nobody. And my head hurts.

Can anybody help?

Thanks in advance

Sam
 
Sam,
Perhaps you should try to re-order your access-list 102 statements so that you permit the user first, then deny all other hosts. Example:
access-list 102 permit tcp host 193.195.12.41 host 10.0.0.1 eq www
access-list 102 deny tcp any host 10.0.0.1

JimmyZ
 
Sam,

The access list in the last post by JimmyZ is now in the correct order, but the destination address should be the outside NAT address, not the internal address.


access-list 102 permit tcp host 193.195.12.41 host 51.128.33.70 eq www

You don't need any other lines; the ACL will deny any addresses not expressly permitted.

Apply the list to the outside interface in the inwards direction.

A useful tip for debugging the ACL: apply the keyword log at the end, and any matches will be notified on the console port. If you stick in a deny any any log at the end of the ACL, all the denied packets will be logged to the console as well.

Andy
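To make the two points of the thread concrete (JimmyZ's: order matters because IOS stops at the first matching entry and ends every ACL with an implicit deny; Andy's: an ACL applied inbound on the outside interface sees the packet before static NAT rewrites the destination, so it must match the public address), here is a small model of extended-ACL evaluation that runs the three versions of access-list 102 from the posts above against sample packets. This is an added example, not config or code from anyone in the thread; the ACL lines and the 10.0.0.1, 51.128.33.70 and 193.195.12.41 addresses are from the posts, while 198.51.100.7 is a constructed address standing in for an arbitrary outside host.

```python
"""
Model of Cisco IOS extended-ACL evaluation: entries are checked top to
bottom, the first match decides, and anything unmatched hits the implicit
deny at the end.  Added example, not config or code posted in this thread.
The ACL lines are the ones posted by Sam, JimmyZ and Andy; the outside
host 198.51.100.7 is a constructed address standing in for "the public".
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

PORT_NAMES = {"www": 80}  # IOS accepts a name or a number after 'eq'


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 80


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: str               # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str
    dport: Optional[int]   # port from 'eq ...'; None matches any port


def _take_addr(tokens, i):
    """Consume one IOS address spec starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2   # address + wildcard mask


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list N action proto src dst [eq port] [log]' line."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    action, proto = t[2], t[3]
    src, i = _take_addr(t, 4)
    dst, i = _take_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, dport)   # a trailing 'log' is ignored here


def _match_addr(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return ip_address(addr) == ip_address(parts[1])
    base, wildcard = parts
    # Cisco wildcard mask: a 0 bit must match, a 1 bit is "don't care"
    care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    return int(ip_address(base)) & care == int(ip_address(addr)) & care


def _match(ace: Ace, pkt: Packet) -> bool:
    if ace.proto not in ("ip", pkt.proto):
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return _match_addr(ace.src, pkt.src) and _match_addr(ace.dst, pkt.dst)


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if _match(ace, pkt):
            return ace.action
    return "deny"


SAM_ACL = [parse_ace(line) for line in (
    "access-list 102 deny tcp any host 10.0.0.1 eq www",
    "access-list 102 permit tcp host 193.195.12.41 host 10.0.0.1 eq www",
)]
JIMMYZ_ACL = [parse_ace(line) for line in (
    "access-list 102 permit tcp host 193.195.12.41 host 10.0.0.1 eq www",
    "access-list 102 deny tcp any host 10.0.0.1",
)]
ANDY_ACL = [parse_ace("access-list 102 permit tcp host 193.195.12.41 host 51.128.33.70 eq www")]

# Packets as they arrive inbound on Dialer0: 'ip access-group 102 in' on the
# outside interface inspects them before the static NAT rewrites the
# destination, so the destination is still the public address.
REMOTE_USER = Packet("193.195.12.41", "51.128.33.70")
STRANGER = Packet("198.51.100.7", "51.128.33.70")       # constructed address

if __name__ == "__main__":
    for name, acl in (("Sam", SAM_ACL), ("JimmyZ", JIMMYZ_ACL), ("Andy", ANDY_ACL)):
        print(name, "remote user:", evaluate(acl, REMOTE_USER),
              "| stranger:", evaluate(acl, STRANGER))
```

Running it shows Sam's and JimmyZ's lists denying everybody when evaluated on the outside interface, because neither entry can match a destination of 51.128.33.70; JimmyZ's ordering only permits the remote user if the destination were already 10.0.0.1, and Sam's denies him even then because the deny comes first. Andy's single line permits 193.195.12.41 to port 80 and nothing else, with the implicit deny doing the rest.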
 