NAT on Router

bapatsubodh
Level 1

Hi,

We have an 1841 router for service provider connectivity. The ISP has assigned us a pool of 14 public addresses. One IP we want to dedicate to our e-mail server, and the remaining ones we plan to use for internal users' internet browsing.

We have the inside mail server at 172.30.1.1 mapped to the first address in the pool the service provider gave us. The command used is

ip nat inside source static 172.30.1.1 First_Address_ISP_Pool

interface fa0/0 (connected to internal switch)
 ip nat inside

interface serial 0/1/0 (connected to ISP router)
 ip nat outside

So far so good!

Next, if we put an access list (incoming direction) on serial 0/1/0 that allows only port 110 to First_Address_ISP_Pool, I think it will block anything else except this traffic.

Then how do we allow the other internal users to use the internet with the remaining free public IP addresses? Or does the router work like the PIX, which allows return connections that were initiated from inside, while for connections initiated from outside we use the static command to allow access to internal servers (in PIX)? In a nutshell, we want internal users to access the internet with the free IP addresses and fix one IP address for the e-mail server, which will be accessed on port 110 from outside mail servers. How do we achieve this? Any link on Cisco is highly appreciated!

Thanks in advance

Subodh

2 Replies

Edison Ortiz
Hall of Fame

Let's pretend your email server's external address is 1.1.1.1; here is the ACL for the external interface:

ip access-list extended Subodh
 permit tcp any host 1.1.1.1 eq pop3
 deny ip any host 1.1.1.1
 permit ip any any

interface s0/1/0
 ip access-group Subodh in

JORGE RODRIGUEZ
Level 10

Hi Bapat,

Will you be using the router for this requirement, or is there a PIX in this equation? If you have a PIX you could use the PIX and have the firewall do this.

You could also use the ip nat outside interface to PAT outbound internet traffic and keep the remaining free public IP addresses as spares that you may need for later NATs, but I will throw in a couple of examples.

Assume you have 10 public IP addresses, one outside interface facing the ISP and one inside interface facing users, just as in your description.

Public IP block: 20.20.20.1 to 20.20.20.10
IP NAT outside interface: 20.20.20.1 (Se0/1/0)
IP NAT inside interface subnet: 172.30.1.0/24 (Fa0/0)
Inside mail server IP: 172.30.1.1

For your mail server, since it will have a static NAT (its public IP is not part of the pool), when you apply ip access-group 101 in to Se0/1/0 the ACL will know the static NAT is not part of the pool and therefore allow inbound traffic for the static NAT on port 110.

Using the complete public IP block as the pool and one static for the mail server:

! pool range is given as two addresses separated by a space, not a hyphen
ip nat pool mypool 20.20.20.3 20.20.20.10 netmask 255.255.255.0
ip nat inside source list 101 pool mypool overload
ip nat inside source static 172.30.1.1 20.20.20.2
! extended ACL 101 needs a protocol and a destination: inside subnet to anywhere
access-list 101 permit ip 172.30.1.0 0.0.0.255 any log
! inbound on the outside interface the ACL is checked before NAT, so match the
! mail server's public (global) address, not 172.30.1.1
access-list 101 permit tcp any host 20.20.20.2 eq 110 log

interface Serial0/1/0
 ip access-group 101 in

Or using the Se0/1/0 interface IP to PAT outbound internet traffic, and saving the remaining public IPs as spares for later use:

! PAT on the interface's own address is configured with the interface keyword
! rather than a one-address pool that overlaps the interface IP
ip nat inside source list 101 interface Serial0/1/0 overload
ip nat inside source static 172.30.1.1 20.20.20.2
access-list 101 permit ip 172.30.1.0 0.0.0.255 any log
! match the global address: the inbound ACL runs before global-to-local NAT
access-list 101 permit tcp any host 20.20.20.2 eq 110 log

interface Serial0/1/0
 ip access-group 101 in

HTH

Jorge

Jorge Rodriguez
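The two replies above hinge on a detail neither spells out: on the NAT outside interface, IOS evaluates the inbound ACL before the global-to-local translation, so the ACL has to match the public address (Edison's 1.1.1.1, or the 20.20.20.2 static in Jorge's layout), never the inside host 172.30.1.1. The following is an added example, not code from this thread or from Cisco: a small Python model of that order of operations that evaluates both posters' ACLs against constructed packets (the 203.0.113.0/24 source addresses are documentation-range placeholders for "the Internet"; the `Packet`, `Ace`, `acl_lookup` and `outside_to_inside` names are this example's own).

```python
"""Added example, not code from the thread: a tiny model of the IOS order of
operations on the NAT *outside* interface.  For outside-to-inside packets the
inbound ACL is evaluated BEFORE the global-to-local NAT translation, so an ACL
on s0/1/0 must match the public (global) address, never the inside host."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry; 'any' or a CIDR for src/dst, dport=None means any port."""
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str
    dst: str
    dport: Optional[int] = None


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def acl_lookup(acl: List[Ace], pkt: Packet) -> str:
    """First-match evaluation with the implicit 'deny ip any any' at the end."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


def outside_to_inside(acl: List[Ace], static_nat: Dict[str, str], pkt: Packet) -> Tuple[str, str]:
    """Inbound on the NAT outside interface: ACL first, then global->local NAT.
    Returns (verdict, destination address the packet carries after this step)."""
    if acl_lookup(acl, pkt) == "deny":
        return ("dropped", pkt.dst)          # the ACL saw the still-untranslated public address
    return ("forwarded", static_nat.get(pkt.dst, pkt.dst))


# Edison's ACL with the mail server's public address 1.1.1.1 (addresses from the thread).
EDISON_ACL = [
    Ace("permit", "tcp", "any", "1.1.1.1/32", 110),   # permit tcp any host 1.1.1.1 eq pop3
    Ace("deny", "ip", "any", "1.1.1.1/32"),           # deny ip any host 1.1.1.1
    Ace("permit", "ip", "any", "any"),                # permit ip any any
]

# Jorge's second ACL 101 entry as posted, then the same entry written against the global address.
STATIC_NAT = {"20.20.20.2": "172.30.1.1"}            # ip nat inside source static 172.30.1.1 20.20.20.2
ACL_101_AS_POSTED = [Ace("permit", "tcp", "any", "172.30.1.1/32", 110)]
ACL_101_FIXED = [Ace("permit", "tcp", "any", "20.20.20.2/32", 110)]

# Constructed sample packets; 203.0.113.0/24 is a documentation range standing in for the Internet.
POP3_TO_MAIL = Packet("tcp", "203.0.113.5", "20.20.20.2", 110)
SMTP_TO_EDISON_MAIL = Packet("tcp", "203.0.113.5", "1.1.1.1", 25)
UNSOLICITED_TO_POOL = Packet("tcp", "203.0.113.5", "1.1.1.9", 4444)

if __name__ == "__main__":
    print(acl_lookup(EDISON_ACL, Packet("tcp", "203.0.113.5", "1.1.1.1", 110)))  # permit
    print(acl_lookup(EDISON_ACL, SMTP_TO_EDISON_MAIL))                        # deny
    print(acl_lookup(EDISON_ACL, UNSOLICITED_TO_POOL))                        # permit (stateless!)
    print(outside_to_inside(ACL_101_AS_POSTED, STATIC_NAT, POP3_TO_MAIL))      # ('dropped', '20.20.20.2')
    print(outside_to_inside(ACL_101_FIXED, STATIC_NAT, POP3_TO_MAIL))          # ('forwarded', '172.30.1.1')
```

The third Edison case is the caveat the original poster was circling around: a plain IOS ACL keeps no connection state, so the `permit ip any any` that lets PAT return traffic back in also admits any unsolicited connection to every other pool address. That is the difference from the PIX the poster mentions; on IOS the usual ways to get stateful behaviour are the `established` keyword for TCP, reflexive ACLs, or CBAC (`ip inspect`), none of which the replies above configure.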