NAT question - straightforward?

Unanswered Question
Jun 30th, 2008

I've got a couple of simple NAT questions for my 2821 ISR with IOS 12.4(13r)T Advanced IP Services:


1. I have two WAN interfaces, Dialer0 x.x.x.x and Dialer1 y.y.y.y.

I think I can NAT a single port through as follows:

ip nat inside source static udp 10.1.1.220 5060 x.x.x.x 5060 extendable

ip nat inside source static udp 10.1.1.220 5060 y.y.y.y 5060 extendable


Is there a better way of forwarding those ports to the inside server irrespective of which interface it comes through?


2. I also want to forward through the range of udp ports from 35000 to 45000 to the same server, no matter which external interface they come through.


How can I do that efficiently?


Thanks for your help - I'm happy to rate any and all posts that help.

Collin Clark Mon, 06/30/2008 - 07:03

1. Not that I know of, it looks good.


2. You can create a one-to-one NAT


ip nat inside source static 10.1.1.221 z.z.z.z


Then use your ACL to restrict the ports.


ip access-list extended YOUR_ACL
 remark "range" after the destination matches destination ports; placed after the source it would match source ports instead
 permit udp [source network/host] [destination network/host] range 35000 45000


Hope that helps

andrew.campbell... Mon, 06/30/2008 - 07:07

Wow. Thanks for the quick response!


The issue with 2. is that I want all the OTHER ports to just go through to the inside network - I only want my specific range to be forwarded to that server (Actually, I've got all sorts of ports going to all sorts of internal servers for different purposes - VPN, servers various, etc).


How can I leave other ports alone?


Thanks!

Collin Clark Mon, 06/30/2008 - 07:12

With a one-to-one NAT all ports are translated. If you only want 35000-45000 to go to Server1 and ports 1500-9000 to Server2, then you have to create a NAT Port translation for each port! Yup, it sucks but that's the way it is. Is it easier to get more public IP's or create 10,000 NAT translations???
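
An added example (mine, not config from Collin's reply or from Cisco) showing the pattern the reply describes, with the exposure it creates made explicit: the one-to-one static translates every port of the inside host, so an inbound ACL on each WAN interface is what actually limits what reaches it. It assumes inside server 10.1.1.221, a public address z.z.z.z routed to this router, both Dialer interfaces already configured "ip nat outside", an Advanced IP Services image for "ip inspect", and the arbitrary names WAN_IN and CBAC.

```cisco
! Added example; assumed: server 10.1.1.221, public z.z.z.z, Dialer0/Dialer1 are
! "ip nat outside", Advanced IP Services image. Names WAN_IN / CBAC are arbitrary.
!
! 1. One-to-one static NAT: EVERY port of 10.1.1.221 is now reachable at z.z.z.z.
ip nat inside source static 10.1.1.221 z.z.z.z
!
! 2. Stateful inspection, so replies to sessions opened from the inside are let
!    back in. Without it the inbound ACL below also drops legitimate return traffic.
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
!
! 3. Inbound filter: from the Internet only UDP 35000-45000 may reach the server.
!    Input ACLs are evaluated BEFORE outside-to-inside NAT, so the entries must
!    match the public address z.z.z.z, not 10.1.1.221.
ip access-list extended WAN_IN
 remark UDP range forwarded to 10.1.1.221 through the one-to-one static
 permit udp any host z.z.z.z range 35000 45000
 remark every other port exposed by the one-to-one static is dropped here
 deny   ip any host z.z.z.z
 remark add permits for other published services above this line
 deny   ip any any log
!
interface Dialer0
 ip access-group WAN_IN in
 ip inspect CBAC out
!
interface Dialer1
 ip access-group WAN_IN in
 ip inspect CBAC out
```

After applying it, the hit counters in "show access-lists WAN_IN" show which line each inbound flow is matching, and the "log" keyword on the final deny produces a syslog line per dropped flow, which is the quickest way to see what the one-to-one address is being probed for. Without the "ip inspect" lines the same ACL would be correct for the server but would break outbound DNS, NTP and other UDP from the LAN, because their replies arrive inbound with no permit to match.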

Pravin Phadte Mon, 06/30/2008 - 07:17

Hi,


For the first point of yours, I would say I am not so sure of the resolution; maybe route maps can help it. Never did.


The second one can be done as below:


interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
!
! Assumed (not in the original post): list 1 is the inside LAN allowed to be translated.
access-list 1 permit 10.1.1.0 0.0.0.255
!
! A rotary pool holds the INSIDE (real) server address(es), not the WAN address.
ip nat pool POOL1 10.1.1.220 10.1.1.220 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface FastEthernet0/1 overload
! Inbound packets whose destination matches TEST are sent to the pool member.
ip nat inside destination list TEST pool POOL1
!
ip access-list extended TEST
 remark "any" as destination covers every WAN address; tighten to "host <public-ip>" if needed
 permit udp any any range 35000 45000
!
! Caution: Cisco documents "type rotary" pools under TCP load distribution and states
! that non-TCP traffic is passed untranslated; confirm UDP behaviour on your IOS release.


Hope this helps,


Regards,


Pravin

andrew.campbell... Mon, 06/30/2008 - 07:45

Thanks, Pravin - I can't quite match up your post with my situation, though - please forgive me as I'm a lowly freshly-minted CCNA.


1. I've got TWO external dialer interfaces with static IPs. I've got them both as "nat outside". Do I do the following?


ip nat inside source list 1 interface Dialer0 overload

ip nat inside source list 1 interface Dialer1 overload


I've found in earlier experimentation that I couldn't do this:


ip nat inside source static udp 10.1.1.220 5060 interface Dialer0 5060
ip nat inside source static udp 10.1.1.220 5060 interface Dialer1 5060


as the second would replace the first.


2. What should list 1 look like?


Thanks a lot for your response!




Pravin Phadte Mon, 06/30/2008 - 08:13

Hi,


Did not get this: "I've found in earlier experimentation that I couldn't do this:"


Anyway, I feel the config should be as below and should work.


ip route 172.16.1.0 255.255.255.0 Dialer1
ip route 172.16.2.0 255.255.255.0 Dialer2
!
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source list 102 interface Dialer2 overload
!
access-list 101 permit ip any 172.16.1.0 0.0.0.255
access-list 102 permit ip any 172.16.2.0 0.0.0.255



refer the link below for more:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml


For the first question, the route map will help.


ip nat inside source static udp 10.1.1.1 5060 20.20.20.1 5060 route-map Int-Di-1 extendable
ip nat inside source static udp 10.1.1.1 5060 30.1.1.1 5060 route-map Int-Di-2 extendable
!
! Numbered 103/104 so they do not collide with access-lists 101/102 used above.
access-list 103 permit ip 10.1.1.0 0.0.0.255 20.0.0.0 0.255.255.255
access-list 104 permit ip 10.1.1.0 0.0.0.255 30.0.0.0 0.255.255.255
!
! NAT consults only the match clauses of a route-map; a "set ip next-hop" here is
! ignored, and 20.20.20.1 / 30.1.1.1 are the inside global addresses of the static
! entries above, not an upstream gateway, so it is dropped.
route-map Int-Di-1 permit 10
 match ip address 103
!
route-map Int-Di-2 permit 10
 match ip address 104



Refer the link below:


http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html


Hope this helps.


regards,


Pravin
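
An added example (mine, not Pravin's config nor the Cisco notes he links) of the route-map approach applied to the exact situation in the question: two WAN addresses, one inside server, UDP 5060 reachable on both. It matches each route-map on the egress interface instead of on a destination prefix, which is what makes the choice of WAN independent of where the traffic is going. Assumed: Dialer0 = x.x.x.x, Dialer1 = y.y.y.y, both "ip nat outside", inside LAN 10.1.1.0/24 behind an "ip nat inside" interface, SIP server 10.1.1.220; the route-map names and ACL number are arbitrary.

```cisco
! Added example; assumed: Dialer0 = x.x.x.x, Dialer1 = y.y.y.y (both "ip nat outside"),
! inside LAN 10.1.1.0/24, SIP server 10.1.1.220. NAT-D0 / NAT-D1 / ACL 10 are arbitrary.
!
! Inside hosts allowed to be translated at all.
access-list 10 permit 10.1.1.0 0.0.0.255
!
! One route-map per WAN. NAT uses only the match clauses; matching on the egress
! interface selects the WAN without caring what destination the traffic is going to.
route-map NAT-D0 permit 10
 match ip address 10
 match interface Dialer0
!
route-map NAT-D1 permit 10
 match ip address 10
 match interface Dialer1
!
! Outbound PAT: a separate overload statement per WAN, each keyed by its route-map.
ip nat inside source route-map NAT-D0 interface Dialer0 overload
ip nat inside source route-map NAT-D1 interface Dialer1 overload
!
! Inbound UDP 5060 to the same server on BOTH public addresses. The route-map keyword
! is what allows two static entries to share one inside address and port; an inbound
! packet is matched on the public address it arrives for, so either WAN reaches 10.1.1.220.
ip nat inside source static udp 10.1.1.220 5060 x.x.x.x 5060 route-map NAT-D0 extendable
ip nat inside source static udp 10.1.1.220 5060 y.y.y.y 5060 route-map NAT-D1 extendable
```

Once applied, "show ip nat translations" should list both 5060 entries side by side instead of the second replacing the first; the keyword order after the port ("route-map ... extendable") is the one used in the thread, so check "show running-config | include 5060" to confirm how your release stored it. The static entries only publish port 5060; anything else aimed at x.x.x.x or y.y.y.y is still subject to whatever inbound ACL is on the Dialer interfaces.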

andrew.campbell... Mon, 06/30/2008 - 08:18

Thanks, Pravin, I'll have to go and nut all this out, but I really appreciate the help.
