06-30-2008 06:35 AM - edited 03-03-2019 10:32 PM
I've got a couple of simple NAT questions for my 2821 ISR with IOS 12.4(13r)T Advanced IP Services:
1. I have two WAN interfaces, Dialer0 x.x.x.x and Dialer1 y.y.y.y.
I think I can NAT a single port through as follows:
ip nat inside source static udp 10.1.1.220 5060 x.x.x.x 5060 extendable
ip nat inside source static udp 10.1.1.220 5060 y.y.y.y 5060 extendable
Is there a better way of forwarding those ports to the inside server irrespective of which interface it comes through?
2. I also want to forward through the range of udp ports from 35000 to 45000 to the same server, no matter which external interface they come through.
How can I do that efficiently?
Thanks for your help - I'm happy to rate any and all posts that help.
06-30-2008 07:03 AM
1. Not that I know of, it looks good.
2. You can create a one-to-one NAT
ip nat inside source static 10.1.1.221 z.z.z.z
Then use your ACL to restrict the ports.
ip access-list extended YOUR_ACL
permit udp [source network/host] range 35000 45000 [destination network/host]
Hope that helps
06-30-2008 07:07 AM
Wow. Thanks for the quick response!
The issue with 2. is that I want all the OTHER ports to just go through to the inside network - I only want my specific range to be forwarded to that server (Actually, I've got all sorts of ports going to all sorts of internal servers for different purposes - VPN, servers various, etc).
How can I leave other ports alone?
Thanks!
06-30-2008 07:12 AM
With a one-to-one NAT all ports are translated. If you only want 35000-45000 to go to Server1 and ports 1500-9000 to Server2, then you have to create a NAT Port translation for each port! Yup, it sucks but that's the way it is. Is it easier to get more public IPs or create 10,000 NAT translations???
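The per-port approach from the reply above, as an added example that is not code from any poster in the thread: a Python script that generates the static entries for a UDP range on both outside addresses, then audits the result for ports that are forwarded on one outside address but not the other. The addresses 192.0.2.1 and 198.51.100.1 are constructed stand-ins for x.x.x.x and y.y.y.y, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Port-forward form used in this thread, e.g.
#   ip nat inside source static udp 10.1.1.220 5060 x.x.x.x 5060 extendable
STATIC_RE = re.compile(r"^\s*ip nat inside source static (tcp|udp) "
                       r"(\S+) (\d+) (\S+) (\d+)(?: extendable)?\s*$")

def generate(proto, inside_ip, first, last, outside_addrs):
    """One static port translation per port per outside address."""
    if not 1 <= first <= last <= 65535:
        raise ValueError("invalid port range")
    return [f"ip nat inside source static {proto} {inside_ip} {p} {o} {p} extendable"
            for o in outside_addrs for p in range(first, last + 1)]

def parse(lines):
    """(proto, inside_ip) -> {outside_addr: set of forwarded outside ports}."""
    table = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = STATIC_RE.match(line)
        if m:
            proto, inside_ip, _inside_port, outside, outside_port = m.groups()
            table[(proto, inside_ip)][outside].add(int(outside_port))
    return table

def collapse(ports):
    """Sorted inclusive (start, end) ranges covering a set of ports."""
    ranges = []
    for p in sorted(ports):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges

def asymmetric(table, outside_addrs):
    """Ports exposed on an outside address but not on every outside address."""
    gaps = {}
    for key, per_addr in table.items():
        everywhere = set.intersection(*(per_addr.get(a, set()) for a in outside_addrs))
        for addr, ports in per_addr.items():
            if ports - everywhere:
                gaps[(key, addr)] = collapse(ports - everywhere)
    return gaps

# Constructed sample: the range on both addresses, plus 5060 on only one of them.
OUTSIDE = ["192.0.2.1", "198.51.100.1"]
CONFIG = generate("udp", "10.1.1.220", 35000, 45000, OUTSIDE)
CONFIG.append("ip nat inside source static udp 10.1.1.220 5060 192.0.2.1 5060 extendable")
```

The range 35000 to 45000 is inclusive, so it produces 10,001 entries per outside address; `asymmetric(parse(CONFIG), OUTSIDE)` reports port 5060 as exposed on only the first address.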
06-30-2008 07:17 AM
Hi,
For the first point of yours, I would say I am not so sure of the resolution; maybe route maps can help with it. Never did.
The second one can be done as below:
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
ip nat pool POOL1 x.x.x.x x.x.x.x netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside destination list TEST pool POOL1
!
ip access-list extended TEST
 permit udp any any range 35000 45000
Hope this helps,
Regards,
Pravin
06-30-2008 07:45 AM
Thanks, Pravin - I can't quite match up your post with my situation, though - please forgive me as I'm a lowly freshly-minted CCNA.
1. I've got TWO external dialer interfaces with static IPs. I've got them both as "nat outside". Do I do the following?
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 1 interface Dialer1 overload
I've found in earlier experimentation that I couldn't do this:
ip nat inside source static 10.1.1.220 5060 Dialer0 5060
ip nat inside source static 10.1.1.220 5060 Dialer1 5060
as the second would replace the first.
2. What should list 1 look like?
Thanks a lot for your response!
06-30-2008 08:13 AM
Hi,
Did not get this: I've found in earlier experimentation that I couldn't do this:
Anyways, I feel the config should be as below and should work.
ip route 172.16.1.0 255.255.255.0 Dialer1
ip route 172.16.2.0 255.255.255.0 Dialer2
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source list 102 interface Dialer2 overload
access-list 101 permit ip any 172.16.1.0 0.0.0.255
access-list 102 permit ip any 172.16.2.0 0.0.0.255
Refer to the link below for more:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
For the first question the route map will help.
ip nat inside source static udp 10.1.1.1 5060 20.20.20.1 5060 route-map Int-Di-1 extendable
ip nat inside source static udp 10.1.1.1 5060 30.1.1.1 5060 route-map Int-Di-2 extendable
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 20.0.0.0 0.255.255.255
access-list 102 permit ip 10.1.1.0 0.0.0.255 30.0.0.0 0.255.255.255
route-map Int-Di-2 permit 10
 match ip address 102
 set ip next-hop 30.1.1.1
!
route-map Int-Di-1 permit 10
 match ip address 101
 set ip next-hop 20.20.20.1
Refer to the link below:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html
Hope this helps.
regards,
Pravin
06-30-2008 08:18 AM
Thanks, Pravin, I'll have to go and nut all this out, but I really appreciate the help.