
NAT with extended ACL?

Apr 3, 2003
Can someone please help me? I have a 2621 router that is being used for internet access. I also permit access to an internal web server with the following statement:

ip nat inside source static tcp 192.168.1.30 80 interface FastEthernet0/0 80

I want to set up an access-list that only permits incoming access to this server and nothing else. I cannot figure out how to write a permit statement that duplicates the above NAT statement, which works just fine. The following statement does not work.

ip access-list extended External_Acl
permit tcp any host 192.168.1.30 eq 80
deny ip any any

Here is my current configuration.

Current configuration : 5023 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname router
!
username xxxxxxxx privilege 15 secret 5 $1$.UWW$tuETisEwvnY9d5C8DaCvd0
ip subnet-zero
!
no ip domain lookup
ip domain name something.com
!
no ip bootp server
ip inspect tcp idle-time 300
ip inspect name CBAC smtp
ip inspect name CBAC tftp
ip inspect name CBAC ftp
ip inspect name CBAC http
ip inspect name CBAC realaudio
ip inspect name CBAC tcp
ip inspect name CBAC icmp
ip inspect name CBAC udp
ip audit notify log
ip audit po max-events 100
!
no voice hpi capture buffer
no voice hpi capture destination
!
interface FastEthernet0/0
ip address 65.xx.xx.xx 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect CBAC out
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
duplex auto
speed auto
no cdp enable
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.30 80 interface FastEthernet0/0 80
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 65.114.xx.xx
!
access-list 1 permit 192.168.1.11
access-list 1 permit 192.168.1.10
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
line con 0
login local
line aux 0
exec-timeout 5 0
login local
line vty 0 4
access-class 1 in
exec-timeout 5 0
login local
transport input telnet ssh
transport output ssh
!
end


"I hear and I forget. I see and I remember. I do and I understand."
- Confucius (551 BC - 479)
 
What I can't remember here is whether the NAT translation acts before an ACL is checked.

If it does, the ACL you have defined will work fine if you apply it inbound on your Internet-facing interface (presumably fa0/0)

If the ACL is checked first, you may have to apply that ACL outbound on the LAN-facing interface (presumably fa0/1)

Maybe try both approaches and see if any of them work. If not, let me know.
 
I tried the statement inbound on the external interface and it did not work. I will try the other configuration next. Will applying this ACL outbound on the internal interface affect my current CBAC configuration? I have it set up to inspect out on the external interface.

Thanks for your reply.

"I hear and I forget. I see and I remember. I do and I understand."
- Confucius (551 BC - 479)
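The following is an added worked example, not a post from this thread and not the original poster's configuration. It shows why the ACL in the question never matches and what an editor would suggest instead. On IOS, a packet arriving on the outside interface is checked against that interface's inbound ACL before NAT rewrites the destination (the outside-to-inside order is input ACL, then NAT global-to-local, then routing). An inbound ACL on fa0/0 therefore sees the destination as the public address of fa0/0, not 192.168.1.30, so the permit line must name the global address. The address below is left as the placeholder the poster used; substitute the real fa0/0 address.

```cisco
! Added example: inbound filter for the Internet-facing interface.
! Evaluated before the static NAT entry translates the destination,
! so it must match the public (global) address, not 192.168.1.30.
ip access-list extended External_Acl
 remark 65.xx.xx.xx is the poster's redacted fa0/0 address; replace with the real one
 remark Inbound HTTP to the web server, matched on the pre-NAT destination
 permit tcp any host 65.xx.xx.xx eq 80
 remark Return traffic for outbound sessions is opened dynamically by
 remark "ip inspect CBAC out" on fa0/0, so nothing else needs a static permit
 deny ip any any log
!
interface FastEthernet0/0
 ip access-group External_Acl in
```

This keeps the existing CBAC setup unchanged: inspection outbound and the filter inbound on the same external interface is the intended CBAC deployment, and the inspect rules for tcp, udp and icmp already in the configuration cover the return traffic that the final deny would otherwise drop. After applying it, confirm the translation and the hit counts with "show ip nat translations" and "show ip access-lists External_Acl": a connection from the Internet to port 80 should increment the permit line, while the original line matching host 192.168.1.30 would have shown zero matches.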
 