1:1 NAT but limit inbound only from a list of IP addresses
I have 1:1 NAT working with 192.168.10.1 as my internal NATed address. I want to restrict only certain external IP ranges to be able to send traffic to the NATed device. My firewall rule for WAN is IPv4 * * 192.168.10.1 * * none. Everything works fine, but when I change the rule to include a source address of one of the external IPs I want to restrict to, I see blocks in the firewall not allowing the traffic. Doesn't make any sense to me. I have Proxy ARP chosen for my VIP option for the external IP. Do I need to create an alias with a list of all the IPs I want to allow and make that the source in the WAN firewall rule? I refreshed my states, etc. when I changed the working rule. I am on 2.1.4. Couldn't get 2.2 to NAT at all. Any help is appreciated. There are lots of tutorials on NAT, but I couldn't find any that deal with only accepting NATed traffic from specific IP ranges. I have five external statics at this location.
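For reference, the setup described in the post expressed as a plain pf ruleset (an added illustration, not pfSense GUI output or anything from the original post). The interface name, the external IP 203.0.113.10 and the allowed source ranges are assumed placeholder values; only 192.168.10.1 comes from the post.

```pf
# Assumed values (constructed for this example)
ext_if   = "em0"
ext_ip   = "203.0.113.10"        # one of the external static IPs (placeholder)
int_host = "192.168.10.1"        # internal NATed device, from the post

# External sources that may reach the NATed device (constructed ranges).
# In pfSense this table is what an alias becomes when the rules are loaded.
table <allowed_src> const { 198.51.100.0/24, 192.0.2.25 }

# 1:1 NAT: bidirectional translation between the external and internal address
binat on $ext_if from $int_host to any -> $ext_ip

# Translation happens before filtering, so an inbound WAN rule matches the
# INTERNAL address as destination (which is why the post's rule uses
# 192.168.10.1). The source, however, is still the untranslated external IP.
# Default: log and drop everything else aimed at the NATed host.
block in log on $ext_if to $int_host

# Only the allow-listed sources get through; "quick" stops evaluation here.
pass in quick on $ext_if proto { tcp udp } from <allowed_src> to $int_host
```

Blocked packets show up in the firewall log with the external source and the internal destination, which is a quick way to confirm whether a source range is missing from the table rather than the translation failing.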