Nat rule - access list

crmljc1976
Level 1

help,

My NAT rule doesn't work properly; I'm not sure if I'm using the correct commands.

I would like to forward port 5900 from any external host to an internal server running VNC. Here are my NAT rules and access lists; can someone help?

ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source list 102 interface Dialer0 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit tcp any host 192.168.0.2 eq 5900
access-list 102 permit tcp any host 192.168.0.5 eq 2000
access-list 102 permit udp any host 192.168.0.5 eq 2000
access-list 102 permit tcp any host 192.168.0.5 eq 2002
access-list 102 permit udp any host 192.168.0.5 eq 2002
access-list 102 permit tcp any host 192.168.0.5 eq 2003
access-list 102 permit udp any host 192.168.0.5 eq 2003
access-list 102 permit tcp any host 192.168.0.5 eq 2006
access-list 102 permit udp any host 192.168.0.5 eq 2006
access-list 102 permit tcp any host 192.168.0.5 eq 3001
access-list 102 permit udp any host 192.168.0.5 eq 3001
access-list 103 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255

6 Replies

Try this static NAT configuration and test your VNC connection from outside.

ip nat inside source static tcp 192.168.0.2 5900 interface Dialer0 5900

Thanks, would I do the same for all other ports? Create an ip nat inside source static entry for all TCP/UDP ports that need forwarding to 192.168.0.5, as created in the access list? Would all other incoming traffic be denied?

For port-level forwarding of traffic to other hosts, use the same static NAT method. If there's no match, traffic from outside is dropped. However, for your inside users to access the outside, configure PAT on the dialer interface with the overload option.

HTH

Sundar

I've configured this, however it's not working properly; it's like the ports aren't forwarded properly. Here's the config:

ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static udp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static tcp 192.168.0.5 2002 interface Dialer0 2002
ip nat inside source static udp 192.168.0.5 2002 interface Dialer0 2002
ip nat inside source static tcp 192.168.0.5 2003 interface Dialer0 2003
ip nat inside source static udp 192.168.0.5 2003 interface Dialer0 2003
ip nat inside source static tcp 192.168.0.5 2006 interface Dialer0 2006
ip nat inside source static udp 192.168.0.5 2006 interface Dialer0 2006
ip nat inside source static tcp 192.168.0.5 3001 interface Dialer0 3001
ip nat inside source static udp 192.168.0.5 3001 interface Dialer0 3001
ip nat inside source static tcp 192.168.0.5 5900 interface Dialer0 5900
ip nat inside source list 2 interface Dialer0 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 10.0.5.0 0.0.0.255
access-list 101 permit tcp any host 192.168.0.5 eq 5900
access-list 103 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 104 permit tcp any host 192.168.0.5 eq 2000
access-list 104 permit udp any host 192.168.0.5 eq 2000
access-list 105 permit tcp any host 192.168.0.5 eq 2002
access-list 105 permit udp any host 192.168.0.5 eq 2002
access-list 106 permit udp any host 192.168.0.5 eq 2003
access-list 106 permit tcp any host 192.168.0.5 eq 2003
access-list 107 permit tcp any host 192.168.0.5 eq 2006
access-list 107 permit udp any host 192.168.0.5 eq 2006
access-list 108 permit udp any host 192.168.0.5 eq 3001
access-list 108 permit tcp any host 192.168.0.5 eq 3001

any ideas?

Can you overload using a source list that has a network that overlaps your static NAT?
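The question above is about the overlap between the overload source list (access-list 1, 192.168.0.0/24) and the inside hosts of the static entries. The following Python script is an added example, not posted by anyone in this thread and not a Cisco tool; it parses the configuration forms that appear in the thread (the `ip nat inside source static tcp|udp ... interface ...` and `ip nat inside source list N interface X overload` lines, plus numbered access lists) and reports, for review, which static entries fall inside an overload source list, which access lists are defined but never referenced by any NAT statement (in the poster's second config that is 101 and 103 through 108), and whether two static entries claim the same outside port. The sample configuration embedded below is a constructed excerpt of the thread's config; other IOS syntax is out of scope and is ignored.

```python
import ipaddress
import re

# Constructed sample: an excerpt of the configuration posted in the thread, not a live device.
SAMPLE_CONFIG = """
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static udp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static tcp 192.168.0.5 5900 interface Dialer0 5900
ip nat inside source list 2 interface Dialer0 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 10.0.5.0 0.0.0.255
access-list 101 permit tcp any host 192.168.0.5 eq 5900
access-list 104 permit tcp any host 192.168.0.5 eq 2000
access-list 104 permit udp any host 192.168.0.5 eq 2000
"""

# Only the statement forms used in the thread are recognised (assumption of this example).
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")
OVERLOAD_RE = re.compile(r"^ip nat inside source list (\S+) interface (\S+) overload$")
STD_ACL_RE = re.compile(r"^access-list (\d+) permit (\S+)(?: (\S+))?$")
ACL_RE = re.compile(r"^access-list (\d+) ")


def wildcard_to_network(addr, wildcard):
    """Convert IOS address + wildcard mask (inverse mask) into an ip_network."""
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(
        (addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def parse_config(text):
    """Split the config into static NAT entries, overload statements and ACL lines."""
    statics, overloads, acls = [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            proto, inside, iport, ifname, oport = m.groups()
            statics.append({"proto": proto, "inside": ipaddress.IPv4Address(inside),
                            "inside_port": int(iport), "interface": ifname,
                            "outside_port": int(oport)})
        elif m := OVERLOAD_RE.match(line):
            overloads.append({"acl": m.group(1), "interface": m.group(2)})
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(line)
    return statics, overloads, acls


def standard_acl_networks(entries):
    """Networks permitted by a standard ACL (extended ACL lines are skipped)."""
    nets = []
    for line in entries:
        m = STD_ACL_RE.match(line)
        if not m:
            continue
        _, addr, wildcard = m.groups()
        if addr == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
        elif addr == "host":           # "permit host X": X sits in the wildcard slot
            nets.append(ipaddress.IPv4Network(wildcard + "/32"))
        else:                          # no wildcard given means a single host
            nets.append(wildcard_to_network(addr, wildcard or "0.0.0.0"))
    return nets


def audit(text):
    """Return overlaps, unreferenced ACLs and clashing outside ports for review."""
    statics, overloads, acls = parse_config(text)
    findings = {"overlaps": [], "unreferenced_acls": [], "duplicate_outside_ports": []}
    # 1. Static entries whose inside host also matches an overload source list.
    for o in overloads:
        for net in standard_acl_networks(acls.get(o["acl"], [])):
            for s in statics:
                if s["inside"] in net:
                    findings["overlaps"].append(
                        (o["acl"], str(net), f"{s['proto']}/{s['inside']}:{s['inside_port']}"))
    # 2. Access lists that no NAT statement references (they have no effect on NAT).
    referenced = {o["acl"] for o in overloads}
    findings["unreferenced_acls"] = sorted(set(acls) - referenced, key=int)
    # 3. Two static entries mapping the same interface/protocol/outside port to different hosts.
    seen = {}
    for s in statics:
        key = (s["interface"], s["proto"], s["outside_port"])
        if key in seen and seen[key] != s["inside"]:
            findings["duplicate_outside_ports"].append(key)
        seen.setdefault(key, s["inside"])
    return findings


if __name__ == "__main__":
    for name, items in audit(SAMPLE_CONFIG).items():
        print(name, items)
```

Run it against a saved `show running-config` excerpt by replacing `SAMPLE_CONFIG`; every line in the overlap list is a host that is both port-forwarded and covered by the overload PAT, which is what the reply above asks about, and every entry in the unreferenced list is an access list that does nothing for NAT because no `ip nat inside source list` statement names it.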

Thanks. How do I do that? Not sure.
