
Limiting access to forwarded ports in Cisco IOS


The following should probably be obvious, but I had a surprisingly hard time working it out from the official Cisco documentation.

The scenario is as follows: a gateway Cisco router provides internet access via NAT for, say, your office. It therefore has an external interface (called Dialer0, for example) which is connected to the uplink (this could be a DSL line, for instance), and an internal Ethernet interface connected to the internal office network:

                                                
                                                
               ^                                
               |                                
               | Dialer0: 87.224.25.11          
               |                                
       +-------+-------+                        
       |               |                        
       |     Cisco     |                        
       |               |                        
       +-------+-------+                        
               |                                
               | GigabitEthernet0/0: 192.168.1.1
               |                                
               v                                
                                                
                                                

If you would like to make machines on the internal 192.168.1 network accessible from the outside, this can easily be achieved by forwarding ports on the Cisco:

cisco# conf t
cisco(config)# ip nat inside source static tcp 192.168.1.55 80 interface Dialer0 8080

Now, accessing your uplink DSL IP 87.224.25.11 at port 8080 will connect you with your internal server 192.168.1.55 at port 80. However, this access is not restricted – the forwarded port is reachable from anywhere on the internet. If this is not what you want, here is how to restrict access to a single source IP address (in our example, that’s 59.234.56.111).

First, reconfigure your Dialer0 interface so that inbound traffic is filtered by the (yet-to-be-created) access list named outside-in:

cisco# conf t
cisco(config)# interface Dialer0
cisco(config-if)# ip access-group outside-in in

Then create this access list. Note that an inbound access list on the outside interface is evaluated before the NAT translation takes place, so the entries match on the external port 8080, not on the internal port 80:

cisco# conf t
cisco(config)# ip access-list extended outside-in
cisco(config-ext-nacl)# remark allow only this source to reach the forwarded port
cisco(config-ext-nacl)# permit tcp host 59.234.56.111 any eq 8080
cisco(config-ext-nacl)# remark everybody else is denied on the forwarded port
cisco(config-ext-nacl)# deny tcp any any eq 8080
cisco(config-ext-nacl)# remark all other inbound traffic stays untouched
cisco(config-ext-nacl)# permit ip any any

And that’s it. The final permit ip any any matters: without it, the implicit deny at the end of the list would also drop the return traffic of connections opened from inside the office, since the access list is stateless. Only the forwarded port is restricted. Now the following access is possible:

                                                           
                                                           
       +---------------+                                   
       |               |                                   
       | Server        |  "Access 87.224.25.11 Port 8080"  
       | 59.234.56.111 |                                   
       |               |                                   
       +-------+-------+                                   
               |                                           
               | Dialer0: 87.224.25.11                     
               |                                           
       +-------v-------+                                   
       |               |                                   
       |     Cisco     |  "Forward to 192.168.1.55 Port 80"
       |               |                                   
       +-------+-------+                                   
               |                                           
               | GigabitEthernet0/0: 192.168.1.1           
               |                                           
               |                                           
       +-------v-------+                                   
       |               |                                   
       | Server        |                                   
       | 192.168.1.55  |                                   
       |               |                                   
       +---------------+                                   
                                                           
                                                           

If the same access is initiated from a different external IP address, it is blocked by the deny entry in the access list.
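To check offline that an access list really closes a forwarded port to everyone except the intended source, here is an added example (not from the original post) that parses a static NAT port forward plus a named extended ACL, evaluates the ACL first-match with the implicit deny as IOS does, and flags a constructed misconfiguration where the deny line names the wrong port. The config fragments, the stranger address 203.0.113.7 and the function names are all constructed for this example; only the host/any address forms used in the post are handled.

```python
import ipaddress
import re

# Constructed config fragments mirroring the post's setup (not pulled from a device).
NAT_LINE = "ip nat inside source static tcp 192.168.1.55 80 interface Dialer0 8080"
ACL_OK = """ip access-list extended outside-in
 permit tcp host 59.234.56.111 any eq 8080
 deny tcp any any eq 8080
 permit ip any any"""
# Constructed mistake: the deny entry names a port that is not the forwarded one.
ACL_TYPO = ACL_OK.replace("deny tcp any any eq 8080", "deny tcp any any eq 2201")

def _addr(tokens):
    """Consume one address spec (host X | any) and return (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    raise ValueError("only 'host' and 'any' address specs are handled here")

def parse_acl(text):
    """Turn a named extended ACL into a list of (action, proto, src_net, dst_port or None)."""
    aces = []
    for line in text.splitlines()[1:]:          # skip the 'ip access-list extended' header
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, rest = _addr(tokens[2:])
        _dst, rest = _addr(rest)                 # destination is 'any' in an outside-in ACL
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        aces.append((action, proto, src, port))
    return aces

def acl_permits(aces, proto, src_ip, dst_port):
    """First matching entry wins; an unmatched packet hits the implicit deny, as on IOS."""
    src = ipaddress.ip_address(src_ip)
    for action, p, src_net, port in aces:
        if p in ("ip", proto) and src in src_net and port in (None, dst_port):
            return action == "permit"
    return False

def forwarded_port(nat_line):
    """Extract (protocol, outside port) from a static 'ip nat inside source' port forward."""
    m = re.match(r"ip nat inside source static (tcp|udp) \S+ \d+ interface \S+ (\d+)$", nat_line)
    return m.group(1), int(m.group(2))

def forward_reachable_from(acl_text, nat_line, src_ip):
    """The inbound ACL is checked before NAT, so the outside port is what must be tested."""
    proto, port = forwarded_port(nat_line)
    return acl_permits(parse_acl(acl_text), proto, src_ip, port)
```

Running forward_reachable_from with the mistyped list shows the forwarded port open to any source, which is exactly the kind of slip a quick review of the running config should catch.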