Cisco IOS outbound filtering

Tags: cisco, cisco-ios, firewall

I am hoping someone can help with configuring a Cisco 881 which does NAT for the vlan and has a handful of port forwards from the WAN interface to hosts on the vlan.

I've created an extended access-list named 'outbound-filter' with the following rules:

ip access-list extended outbound-filter
permit icmp any any
permit tcp any any eq 20
permit tcp any any eq 21
permit tcp any any eq 22
permit tcp host 172.16.1.12 any eq smtp
permit tcp any any eq 43
permit tcp any any eq 53
permit udp any any eq 53
permit tcp any any eq 80
permit tcp any any eq 110
permit tcp any any eq 143
permit tcp any any eq 443
permit tcp any any eq 993
permit tcp any any eq 995
permit tcp any any eq 3389
permit tcp any any eq 5060
permit udp any any eq 5060
permit tcp any any eq 5242
permit udp any any eq 5243
permit tcp any any eq 4244
permit tcp any any eq 7071
permit udp any any eq 9785

This is all that we want to allow out to the Internet.

From the Internet, we have the following ip nat inside rules:

ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 172.16.1.12 25 59.100.202.46 25 extendable
ip nat inside source static tcp 172.16.1.12 443 59.100.202.46 443 extendable
ip nat inside source static tcp 172.16.1.16 3389 59.100.202.46 3389 extendable
!
access-list 1 permit 172.16.0.0 0.0.255.255

The filter works fine if I apply it to int vlan1 as follows:

ip access-group outbound-filter in

But once applied, the port forwards no longer work unless I add 'permit ip any any' to the 'outbound-filter' ACL which essentially defeats the purpose.

Do I need separate ACLs, 'inbound-filter' and 'outbound-filter', and apply them separately to the WAN and vlan interfaces?

Would appreciate anyone able to offer some guidance.

Many thanks,
Trent.

Best Answer

The reason why the port forwarding is not working with the access-list applied to the interface is quite simple.

Let's see what happens when the outside client requests the https webpage.

The destination port in the request packet is 443, while the source port is random. This request gets translated by NAT at the router, then goes all the way to the server; the server answers with a packet sourced from port 443 and destined to that client's random port.

The packet, on its journey back to the client, gets to your router, but the router wouldn't let the packet leave, because the destination port (that random port) is not specified in the access-list you have created.

And that would be the reason you are looking for.
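As an added example (not part of the original question or answer), here are the entries that let the forwarded servers' reply traffic through the 'outbound-filter' ACL on vlan1 without falling back to 'permit ip any any'. It assumes the same inside hosts and ports as the static NAT statements in the question; the ACL and NAT names are the poster's own.

```cisco
! Added example, not from the original post.
!
! 'ip access-group outbound-filter in' on vlan1 is evaluated on packets as
! they ENTER the router from the LAN, i.e. before inside->outside NAT, so
! the ACL sees the inside 172.16.x.x addresses, not 59.100.202.46.
!
! The ACL as posted only matches connections the LAN initiates (dest port
! fixed, source port random). A reply from a forwarded server leaves the LAN
! with a fixed SOURCE port (25/443/3389) and a random DESTINATION port, so
! no entry matches and the implicit deny drops it.
!
! Fix: one entry per port forward, matching the server's reply traffic.
! 'established' matches only TCP segments with ACK or RST set, so these
! lines cannot be used by an inside host to open a new connection outward
! from that port; they only carry replies to sessions an outside client
! opened through the forward. New entries append after the existing ones.
ip access-list extended outbound-filter
 permit tcp host 172.16.1.12 eq 25 any established
 permit tcp host 172.16.1.12 eq 443 any established
 permit tcp host 172.16.1.16 eq 3389 any established
!
! Checks after applying, from enable mode:
!  show ip access-lists outbound-filter   (hit counters on the new entries
!                                          increase when a forward is used)
!  show ip nat translations               (the forwarded sessions appear)
```

Traffic initiated from the LAN is still limited to the ports already listed, and the WAN side is still covered only by the NAT statements, so an inbound ACL on FastEthernet4 remains a separate decision.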