Best practices for NAT/PAT?



My setup is:

Cisco 1811 serving as a router/firewall to several Windows 2003 servers at an ISP. I've configured NAT on the router to expose the HTTP, HTTPS, and SMTP ports on each of the servers on a unique public IP address within my x.x.x.230/29 address space.

The WAN port on the 1811 is configured with x.x.x.230/29. For Server A I NAT ports 25, 80, and 443 on that same x.x.x.230 address, while managing the 1811 itself using SSH on that same address as well.

For Server B (local ip, I NAT the x.x.x.231 address for ports 25, 80, and 443. For Server C (local ip, I NAT the x.x.x.232 address for the same ports.

Can anyone offer a critique of this configuration and offer some ideas of the best practices topology-wise for providing routing, vpn and firewall functionality for these servers?

My question arises because I now have a site-to-site VPN with Server B at the local end, and I am unable to connect to Server B's SMTP port because of the following NAT statements. I can confirm that this is the case, since by removing the statement I am able to connect.

Here is the NAT section of the show run:

ip nat inside source static tcp 443 interface FastEthernet0 443
ip nat inside source static tcp 80 interface FastEthernet0 80
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source static tcp 25 x.x.x.231 25 extendable
ip nat inside source static tcp 80 x.x.x.231 80 extendable
ip nat inside source static tcp 443 x.x.x.231 443 extendable
ip nat inside source static tcp 25 x.x.x.232 25 extendable
ip nat inside source static tcp 80 x.x.x.232 80 extendable
ip nat inside source static tcp 443 x.x.x.232 443 extendable

I would appreciate any and all comments on the way it is currently configured, as well as:

-How I might be able to change the config to follow a best-practice arrangement for the router/firewall and these servers.


bjornarsb Thu, 05/03/2007 - 23:17


Static PAT is the same as static NAT, except it lets you specify the protocol (TCP or UDP) and port for the local and global addresses.

This feature lets you identify the same global address across many different static statements, so long as the port is different for each statement (you CANNOT use the same global address for multiple static NAT statements).

For example, if you want to provide a single address for global users to access FTP, HTTP, and SMTP, but these are all actually different servers on the local network, you can specify static PAT statements for each server that use the same global IP address but different ports.

And for PAT you cannot use the same pair of local and global address in multiple static statements between the same two interfaces.
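To make the two rules in the answer above checkable against a real configuration, here is an added example (not part of the original post and not a Cisco tool) that lints the static NAT/PAT lines of an IOS "show run" for collisions: a global address appearing in more than one plain static NAT statement, or the same protocol/global-port pair on one global address pointing at several local hosts. The parser covers only the two static statement forms seen in this thread (with and without protocol/port, with either an explicit global address or "interface <name>"); the addresses, interface name and the deliberately colliding lines in the sample are constructed for illustration.

```python
"""Lint the static NAT/PAT section of a Cisco IOS 'show run' for
conflicting global address/port assignments.

Added example, not part of the original post or of any Cisco tool.
Rules encoded are the two stated in the answer above:
  * plain static NAT: a global address may appear in only one statement;
  * static PAT: a global address may be reused, but each
    (protocol, global address, global port) triple must be unique.
The IP addresses and interface names below are constructed sample data.
"""
import re
from collections import defaultdict

# ip nat inside source static tcp|udp <local> <lport> (<global> | interface <if>) <gport> [extendable]
PAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) "
    r"(?:interface (\S+)|(\S+)) (\d+)(?: extendable)?$"
)
# ip nat inside source static <local> (<global> | interface <if>)
NAT_RE = re.compile(
    r"^ip nat inside source static (\S+) (?:interface (\S+)|(\S+))$"
)


def parse_static(line):
    """Return a dict describing a static NAT/PAT statement, or None for
    anything else (dynamic/overload rules, comments, unrelated config)."""
    line = line.strip()
    m = PAT_RE.match(line)
    if m:
        proto, local, lport, iface, glob, gport = m.groups()
        return {"kind": "pat", "proto": proto, "local": local,
                "lport": int(lport), "global": iface or glob,
                "gport": int(gport), "line": line}
    m = NAT_RE.match(line)
    if m:
        local, iface, glob = m.groups()
        return {"kind": "nat", "local": local, "global": iface or glob,
                "line": line}
    return None


def find_conflicts(config_lines):
    """Return a list of human-readable conflict descriptions (empty if clean)."""
    nat_by_global = defaultdict(list)    # global address -> static NAT statements
    pat_by_socket = defaultdict(list)    # (proto, global, gport) -> static PAT statements
    for raw in config_lines:
        st = parse_static(raw)
        if st is None:
            continue
        if st["kind"] == "nat":
            nat_by_global[st["global"]].append(st)
        else:
            pat_by_socket[(st["proto"], st["global"], st["gport"])].append(st)

    problems = []
    for glob, sts in nat_by_global.items():
        if len(sts) > 1:
            problems.append(
                f"global {glob} used by {len(sts)} plain static NAT statements: "
                + "; ".join(s["line"] for s in sts))
    for (proto, glob, gport), sts in pat_by_socket.items():
        if len(sts) > 1:
            problems.append(
                f"{proto}/{gport} on global {glob} mapped to several local hosts: "
                + ", ".join(f"{s['local']}:{s['lport']}" for s in sts))
    return problems


# Constructed sample: one global address shared by three servers on
# different ports (valid static PAT), plus two deliberate collisions
# (a second host on tcp/80 of 203.0.113.1, and 203.0.113.2 used twice).
SAMPLE_CONFIG = """
ip nat inside source static tcp 192.168.1.10 21 203.0.113.1 21 extendable
ip nat inside source static tcp 192.168.1.11 80 203.0.113.1 80 extendable
ip nat inside source static tcp 192.168.1.12 25 203.0.113.1 25 extendable
ip nat inside source static tcp 192.168.1.13 80 203.0.113.1 80 extendable
ip nat inside source static 192.168.1.20 203.0.113.2
ip nat inside source static 192.168.1.21 203.0.113.2
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
""".strip().splitlines()

if __name__ == "__main__":
    for p in find_conflicts(SAMPLE_CONFIG):
        print("CONFLICT:", p)
```

Feed it the NAT section of a "show run" (one statement per line) and it reports the two collisions in the sample; with the two offending lines removed it reports nothing, which is the arrangement the answer describes: one global address, several servers, distinct ports.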