07-21-2008 11:59 AM - edited 03-03-2019 10:49 PM
Help,
My NAT rule doesn't work properly; I'm not sure if I'm using the correct commands.
I would like to forward port 5900 from any host externally to an internal server running VNC. Here are my NAT rules and access lists, can someone help?
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source list 102 interface Dialer0 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit tcp any host 192.168.0.2 eq 5900
access-list 102 permit tcp any host 192.168.0.5 eq 2000
access-list 102 permit udp any host 192.168.0.5 eq 2000
access-list 102 permit tcp any host 192.168.0.5 eq 2002
access-list 102 permit udp any host 192.168.0.5 eq 2002
access-list 102 permit tcp any host 192.168.0.5 eq 2003
access-list 102 permit udp any host 192.168.0.5 eq 2003
access-list 102 permit tcp any host 192.168.0.5 eq 2006
access-list 102 permit udp any host 192.168.0.5 eq 2006
access-list 102 permit tcp any host 192.168.0.5 eq 3001
access-list 102 permit udp any host 192.168.0.5 eq 3001
access-list 103 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
07-21-2008 01:58 PM
Try this static NAT configuration and test your VNC connection from outside.
ip nat inside source static tcp 192.168.0.2 5900 interface Dialer0 5900
07-21-2008 02:26 PM
Thanks, would I do the same for all other ports? Create an ip nat inside source static for all TCP/UDP ports that need forwarding to 192.168.0.5 as created in the access list? Would all other incoming traffic be denied?
07-21-2008 03:05 PM
For port-level forwarding of traffic to other hosts use the same method of static NAT configuration. If there's no match, then traffic from outside would be dropped. However, for your inside users to access the outside, configure PAT using the dialer interface with the overload option.
HTH
Sundar
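As an added example, not taken from any post in this thread, here is what Sundar's advice (one overload PAT rule for inside users, plus a static NAT entry per forwarded port) looks like as a complete IOS configuration. Dialer0, the LAN range and the host/port values come from the thread; the inside interface name (FastEthernet0/0), its address, and the management source address 203.0.113.10 are assumed. Note the `ip nat inside` / `ip nat outside` interface markers: NAT only translates between an interface marked inside and one marked outside, and forgetting them is a common reason for "the ports aren't forwarded".

```cisco
! Added example (not the poster's config). Interface name, its address and
! the management host 203.0.113.10 are assumptions; everything else is from
! the thread.
!
! Without "ip nat inside" on the LAN side and "ip nat outside" on the
! dialer, none of the translations below ever match a packet.
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip nat outside
 ip access-group 110 in
!
! Outbound PAT for the whole LAN. Static entries take precedence over this
! dynamic rule for the hosts they name, so the overlap with 192.168.0.2 and
! 192.168.0.5 is harmless.
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.0.0 0.0.0.255
!
! Port-level static NAT: one line per protocol and port, no access list
! needed. Repeat the same pair for 2002, 2003, 2006 and 3001.
ip nat inside source static tcp 192.168.0.2 5900 interface Dialer0 5900
ip nat inside source static tcp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static udp 192.168.0.5 2000 interface Dialer0 2000
!
! Each static entry exposes that port to every source on the Internet.
! VNC carries remote-control access to a desktop, so restrict it to the
! management address only; the inbound ACL on Dialer0 is evaluated before
! NAT, so it sees the public (Dialer0) destination, hence "any".
! Traffic that matches no translation is still dropped by NAT itself.
access-list 110 permit tcp host 203.0.113.10 any eq 5900
access-list 110 deny   tcp any any eq 5900
access-list 110 permit ip any any
!
! Verification from enable mode:
!   show ip nat translations   (static entries appear with "---" until used)
!   show ip nat statistics     (confirms which interfaces are inside/outside)
```

The `deny tcp any any eq 5900` line is the part that matters from a security standpoint: a static NAT entry alone makes the VNC server reachable from anywhere, and the access list narrows that to the one address that should be managing it, while the final `permit ip any any` leaves the other forwards and outbound return traffic untouched.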
07-22-2008 03:06 AM
I've configured this; however, it's not working properly. It's like the ports aren't forwarded properly. Here's the config:
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static udp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static tcp 192.168.0.5 2002 interface Dialer0 2002
ip nat inside source static udp 192.168.0.5 2002 interface Dialer0 2002
ip nat inside source static tcp 192.168.0.5 2003 interface Dialer0 2003
ip nat inside source static udp 192.168.0.5 2003 interface Dialer0 2003
ip nat inside source static tcp 192.168.0.5 2006 interface Dialer0 2006
ip nat inside source static udp 192.168.0.5 2006 interface Dialer0 2006
ip nat inside source static tcp 192.168.0.5 3001 interface Dialer0 3001
ip nat inside source static udp 192.168.0.5 3001 interface Dialer0 3001
ip nat inside source static tcp 192.168.0.5 5900 interface Dialer0 5900
ip nat inside source list 2 interface Dialer0 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 10.0.5.0 0.0.0.255
access-list 101 permit tcp any host 192.168.0.5 eq 5900
access-list 103 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 104 permit tcp any host 192.168.0.5 eq 2000
access-list 104 permit udp any host 192.168.0.5 eq 2000
access-list 105 permit tcp any host 192.168.0.5 eq 2002
access-list 105 permit udp any host 192.168.0.5 eq 2002
access-list 106 permit udp any host 192.168.0.5 eq 2003
access-list 106 permit tcp any host 192.168.0.5 eq 2003
access-list 107 permit tcp any host 192.168.0.5 eq 2006
access-list 107 permit udp any host 192.168.0.5 eq 2006
access-list 108 permit udp any host 192.168.0.5 eq 3001
access-list 108 permit tcp any host 192.168.0.5 eq 3001
Any ideas?
07-22-2008 11:22 AM
Can you overload using a source list that has a network that overlaps your static NAT?
07-22-2008 01:18 PM
Thanks. How do I do that? Not sure.