08-07-2008 05:39 AM - edited 03-03-2019 11:03 PM
Hello -
I have a private network behind a Cisco 2611XM router that I want to limit access to only 2 specific IP addresses. Currently I have ACLs set up to do this but I would now like to NAT to those two IPs.
I would like to do this:
outside IP: 10.1.1.2 to Inside IP: 172.0.16.1
Outside IP: 10.1.1.3 to Inside IP: 172.0.16.2
When I try to enable NAT, I lose connectivity completely.
08-07-2008 07:40 AM
Do you want these two private devices to be able to reach other networks, or do you want devices on other networks to be able to reach these two devices?
08-07-2008 07:42 AM
I would like these systems to be reached by outside networks.
08-07-2008 07:49 AM
Assuming you want the two private devices to reach outside networks, do the following. I'll assume outside interface is serial0 and inside interface is ethernet0, that you've assigned appropriate IPs to those interfaces, and that the interfaces are administratively enabled.
==============
In global configuration mode:
ip nat inside source static 172.0.16.1 10.1.1.2
ip nat inside source static 172.0.16.2 10.1.1.3
In interface config mode for outside interface serial 0:
ip nat outside
In interface config mode for inside interface ethernet 0:
ip nat inside
===========
08-07-2008 07:53 AM
Yes, the interfaces are administratively enabled. My question is how do I set an outside IP to match to the inside IP?
The commands you submitted will work, but how do I assign an external IP to NAT to one of the internal IPs?
08-08-2008 09:04 AM
Actually, after I thought about it, I realized that the method I gave you maps the addresses in both directions when you use static address translation. So, the config I described will do exactly what you need.
08-12-2008 10:58 AM
I am still having problems getting the NAT to work. Below is my router config for NAT / ACL:
interface FastEthernet0/0
description Connection to XXXXXX Corporate Network
ip address 195.85.24.4 255.255.255.0
ip access-group 101 in
ip accounting output-packets
ip nat inside
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
ip address dhcp
shutdown
duplex auto
speed auto
no cdp enable
!
interface Vlan1
description Do Not Use - Security Risk
no ip address
shutdown
!
interface Vlan13
description Fermenter network
ip address 10.13.1.1 255.255.0.0
ip accounting output-packets
ip nat outside
!
ip nat inside source list CRFementerNAT interface Vlan13 overload
ip nat inside source static tcp 195.85.24.9 3389 10.13.2.3 3389 extendable
ip nat inside source static tcp 195.85.24.10 3389 10.13.10.5 3389 extendable
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 195.85.24.1
!
!
!
ip access-list extended CRFementerNAT
deny ip 10.13.0.0 0.0.255.255 any
permit ip 10.0.0.0 0.255.255.255 any
remark allow new XXXXX / ZZZZZZ IP range
permit ip 195.85.0.0 0.0.255.255 any
access-list 101 permit 23 any any
access-list 101 permit ip 195.85.24.0 0.0.0.255 host 10.13.2.3
access-list 101 permit ip 195.85.24.0 0.0.0.255 host 10.13.10.5
access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389
no cdp run
08-12-2008 11:27 AM
First I would try to remove access list 101 to see if you have a NAT issue or an access list issue.
You may have a larger issue if the access list is implying that you wish to have internal machines access these 2 servers via their outside address.
The deny statement for 198.85.0.0 will in effect block all traffic going out the vlan interface since it must be 10.13.0.0/16.
A key point to remember when using NAT and access lists is that the access list is done before any NAT is done.
08-12-2008 11:45 AM
Hello -
I only want users on the 195.85.24.x net to access the 2 servers 10.13.2.3 and 10.13.10.5 via port 3389. The only other traffic I want to allow is telnet to int fa0/0. I am using ACL 101 to block all traffic except for telnet and RDP. What would be the best config to accomplish this? I have removed ACL 101 and still cannot NAT through the 195.85.24.9 / .10 IP to the outside IPs.
08-12-2008 11:32 AM
Hi,
If the int f0/0 is connecting the Outside/Internet, then you should put "ip nat outside" under int f0/0
and "ip nat inside" on the VLAN 13 interface.
=================================
Here is an example of what you need.
Suppose,
Outside s0/0: IP 100.0.0.1 /24
inside - f0/0: IP 10.0.0.1 /24
You have internal mail server IP: 10.0.0.2
Now you need to redirect port 25 requests on outside 100.0.0.2 towards inside IP 10.0.0.2
int S0/0
ip address 100.0.0.1 255.255.255.0
ip nat outside
int f0/0
ip address 10.0.0.1 255.255.255.0
ip nat inside
R1(config)# ip nat inside source static tcp 10.0.0.2 25 100.0.0.2 25
08-12-2008 11:59 AM
Hello - When I make the switch with the IP nat inside / outside commands on the int, I get locked out from the 195.x net. I can telnet into the 10.x net, but it still does not fix the nat issue
08-12-2008 12:10 PM
Not sure exactly where to start here. You may have the nat backwards but if you run real networks "195.85.24.0/24" in your corp network and 10.13.x.x in some lab or something it is correct. I run this way but the normal internet has the private on the inside and the public on the outside.
What you have configured does, if I ignore the access list:
Traffic coming from 195.85.24.9 will get translated to 10.13.2.3 as it passes out into the 10.13.0.0/16 network.
This means that first 10.13.2.3 must be somehow routed to 10.13.1.1 from the outside.
You really can't have a machine, say 195.85.24.111, talk to 198.85.24.9 using the 10.12.2.3 address.
The access list again depends on which way the traffic is going, but to allow telnet traffic you use permit tcp any any eq 23. Wasn't sure why you were permitting protocol 23.
08-12-2008 12:23 PM
I have inherited the router. It had been sitting for 3 years untouched. I was asked to work with it and allow access from the 195.85.x to those two IPs. Then I was asked to NAT the two 195.85.x IPs to those two IPs. I want to block all traffic except for RDP (3389) to those 2 IPs and telnet to the router 195.85.24.4 IP. I know the router isn't set up correctly, but I am not on site where the router is and have to get it working until I can go out and re-configure it correctly.
08-12-2008 01:29 PM
So it works without the NAT going from the 195.85 net to the 10.13 net, but now they do not want to use the 10.13 addresses anymore.
So you now want the 195.85 net to use 195.85.24.9 as an example.
... hmm, had a big post here and then remembered you cannot do port translation on a destination address. There is also an issue that the address you want to translate to is not actually sent to the router.
Have a pressing issue but will look again tomorrow unless someone else solves this.
08-13-2008 04:35 AM
Maybe this will work. When you look at it from the viewpoint of the inside interface, you want to change the destination addresses, which is done with an outside source command. The limitation is that you cannot do port translations on an outside source.
Luckily we are not trying to map it to the inside interface. So a one-to-one outside NAT should work, but you now allow more traffic than just 3389 to be NATted and reach your inside network. To prevent this I used an inbound access list on the outside interface that only allows traffic on port 3389. If you know your real inside addresses it is best to change ANY to match. Note you should be able to telnet to the router from the inside network. If you need to telnet to the router from the outside network to the inside interface, another rule will need to be added.
The next issue is the routing. To make the NAT work we must somehow assume the packet gets to the router. Then I put in a static route to vlan13. This is because NAT will attempt to do the routing before the NAT. Without the static it will send it out the ethernet port, both because it is in that subnet and because the default route points that way.
There is a second routing issue that this may not solve. Somehow these 2 addresses must get the data to the router. If you are lucky proxy ARP will solve this. When any device in 195.85.24.0/24 ARPs for one of these 2 addresses this router will respond since it has a route. So in theory when 195.85.24.1 ARPs for this address it should send the traffic to this router. It would be best if you put static /32 routes in for these 2 addresses on 195.85.24.1 pointing to 195.85.24.4. You may still have issues with other devices on the 195.85.24.0 network.
If this does not work there is a newer NAT configuration in 12.4 that doesn't use the concept of inside and outside we can try. This is still kinda new so I have not used it a lot.
interface FastEthernet0/0
description Connection to XXXXXX Corporate Network
ip address 195.85.24.4 255.255.255.0
ip nat inside
!
interface Vlan13
description Fermenter network
ip address 10.13.1.1 255.255.0.0
ip access-group 102 in
ip nat outside
!
ip nat outside source static 10.13.2.3 195.85.24.9
ip nat outside source static 10.13.10.5 195.85.24.10
!
ip route 195.85.24.9 255.255.255.255 Vlan13
ip route 195.85.24.10 255.255.255.255 Vlan13
ip route 0.0.0.0 0.0.0.0 195.85.24.1
!
access-list 102 remark return traffic from the two RDP servers only (source port 3389, client port varies)
access-list 102 permit tcp host 10.13.2.3 eq 3389 any
access-list 102 permit tcp host 10.13.10.5 eq 3389 any
!
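An added check, written here as a small Python model and not taken from any post or from IOS itself, of two points raised in this thread: an inbound ACL on f0/0 is evaluated on the pre-NAT addresses (so the `host 10.13.2.3` entries in access-list 101 can never match, and everything falls through to `permit ip any any`), and the return-traffic entries in the last post's access-list 102 must match on the source port only, because the server reply carries the client's ephemeral port as its destination. The client address 195.85.24.50 and ports 51000/51001 are constructed.

```python
import ipaddress

def ace(action, proto, src, dst, sport=None, dport=None):
    """One access-list entry; src/dst are CIDR strings, '0.0.0.0/0' means any."""
    return dict(action=action, proto=proto, src=ipaddress.ip_network(src),
                dst=ipaddress.ip_network(dst), sport=sport, dport=dport)

def pkt(proto, src, dst, sport=0, dport=0):
    """A packet as the ACL sees it at the point where it is applied."""
    return dict(proto=proto, src=ipaddress.ip_address(src),
                dst=ipaddress.ip_address(dst), sport=sport, dport=dport)

def matches(e, p):
    return ((e["proto"] == "ip" or e["proto"] == p["proto"])
            and p["src"] in e["src"] and p["dst"] in e["dst"]
            and (e["sport"] is None or e["sport"] == p["sport"])
            and (e["dport"] is None or e["dport"] == p["dport"]))

def evaluate(acl, p):
    """First match wins; returns (action, entry index). Implicit deny is ('deny', None)."""
    for i, e in enumerate(acl):
        if matches(e, p):
            return e["action"], i
    return "deny", None

ANY = "0.0.0.0/0"
# access-list 101 from the posted config, applied inbound on f0/0 (so pre-NAT).
ACL101 = [
    ace("permit", "23", ANY, ANY),                         # IP protocol 23, not TCP port 23
    ace("permit", "ip", "195.85.24.0/24", "10.13.2.3/32"),
    ace("permit", "ip", "195.85.24.0/24", "10.13.10.5/32"),
    ace("deny", "ip", "195.85.0.0/16", "10.0.0.0/8"),
    ace("permit", "ip", ANY, ANY),                         # everything else is permitted here
    ace("permit", "tcp", "195.85.24.0/24", "10.13.2.3/32", dport=3389),   # never reached
    ace("permit", "tcp", "195.85.24.0/24", "10.13.10.5/32", dport=3389),  # never reached
]
# Constructed client traffic: inbound on f0/0 the destination is still 195.85.24.9,
# so the host 10.13.2.3 entries cannot match; RDP and HTTP are both permitted by entry 4.
RDP_IN = pkt("tcp", "195.85.24.50", "195.85.24.9", 51000, 3389)
HTTP_IN = pkt("tcp", "195.85.24.50", "195.85.24.9", 51001, 80)

# Return-traffic entry for the final design, inbound on Vlan13 (pre-NAT, so the server's
# real address). The reply's destination port is the client's ephemeral port, so the
# entry must constrain the source port only; adding "eq 3389" on the destination drops it.
ACL102 = [ace("permit", "tcp", "10.13.2.3/32", ANY, sport=3389)]
ACL102_DPORT_TOO = [ace("permit", "tcp", "10.13.2.3/32", ANY, sport=3389, dport=3389)]
RDP_REPLY = pkt("tcp", "10.13.2.3", "195.85.24.50", 3389, 51000)
```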