Static NAT except for traffic from a certain subnet

pmccloud · ‎09-03-2008

I have a router that has a public IP address on it's serial interface. I have a device on the private side that needs to have connections to the public IP address translated to it for port 1720 (H323) traffic.

However, I need to have traffic to port 1720 from a specific subnet not be translated so that the router can handling incoming H323 calls from our Callmanager system.

Is there a way to do this? The current NAT configuration is below:

ip nat inside source static tcp 10.40.0.49 1720 interface Serial0/0 1720

ip nat inside source route-map nonat interface Serial0/0 overload

!

access-list 102 deny ip 10.40.0.0 0.0.0.255 172.16.0.0 0.0.0.255

access-list 102 deny ip 10.20.0.0 0.0.0.255 172.16.0.0 0.0.0.255

access-list 102 permit ip 10.40.0.0 0.0.0.255 any

access-list 102 permit ip 10.20.0.0 0.0.0.255 any

!

route-map nonat permit 102

match ip address 102

Marwan ALshawi · ‎09-03-2008

ur config looks ok whats the problem with it ?

also, u might use nromal ACL blocking traffic based on source distenation and port number !! just idea if u can block try ACL and apply it on the right interface with the right direction as well

keep in mind u need permit ip any any at the end of the ACL becasue evry ACL contain implicit deny

good luck

if helpful Rate

pmccloud · ‎09-04-2008

The connections, even from our Callmanager subnet, are still being NAT'd to the inside address for port 1720.

garsmi · ‎09-04-2008

do you have any other public addresses available for use instead of just the serial interface? Usually the provider will give you a small block to use. You can then have a sttaic nat dedicated to the system you want to have natted. Then no other traffic would be affected.