NAT configuration

Unanswered Question
Mar 4th, 2009

Hello,

We are trying to configure a Cisco 1841 with basic NAT.

There is an inside pool, let's say 192.168.1.*, which gets translated to an outside pool of 64 IPs. Let's assume the outside range is 1.1.1.1-1.1.1.63.

The outside IPs must be distributed randomly to the inside IPs.

What I want to configure is NAT inside to outside. For now this works, but the incoming connections from the outside pool get translated to inside, even when the connection originates from OUTSIDE.

I want to block incoming connections and allow only established ones.

How is this done?

Regards,

Nick

Jon Marshall Wed, 03/04/2009 - 03:29

Nick

If you have set up dynamic NAT, e.g.

ip nat pool TEST 192.168.5.10 192.168.5.20 netmask 255.255.255.0
ip nat inside source list 101 pool TEST
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

then a connection cannot be initiated from the outside UNLESS there is already a translation for that address in the NAT translation table, i.e.

192.168.1.20 is an inside address. If 192.168.1.20 hasn't connected out through the router then you can't connect to it by using one of the pool addresses. But obviously if it has connected out there will be a NAT translation and therefore the NAT will work coming back as well.

Solutions -

1) Assuming no firewalling capabilities on the router, you could use the "established" keyword for TCP connections in an ACL applied to the outside interface in an inbound direction.

2) Reflexive ACLs - an improvement on 1)

3) Alternatively you could simply overload on the port numbers, i.e. instead of mapping one-to-one you map all your inside addresses to one single outside address. This would still allow connections to be initiated from outside, but now you have to get the port details as well, which is a lot less likely.

Jon
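As an added example (not configuration from the original thread), this is how the dynamic NAT from Jon's reply and his first solution, an inbound ACL with the established keyword on the outside interface, fit together on an IOS router using the address ranges from Nick's question. The interface names, the outside interface address (1.1.1.254/24), and the ACL and pool names are assumptions; the inside network 192.168.1.0/24 and the 1.1.1.1-1.1.1.63 pool come from the question.

```cisco
! Added example, not from the original thread. Interface names, the outside
! interface address and all ACL/pool names are assumptions.
!
interface FastEthernet0/0
 description Inside LAN (assumed interface)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description Outside (assumed interface and address)
 ip address 1.1.1.254 255.255.255.0
 ip nat outside
 ! Inbound filter: drop anything the outside tries to initiate
 ip access-group OUTSIDE-IN in
!
! Dynamic one-to-one pool. IOS expects "start end netmask|prefix-length",
! not a hyphenated range.
ip nat pool PUBLIC-POOL 1.1.1.1 1.1.1.63 netmask 255.255.255.0
ip nat inside source list NAT-INSIDE pool PUBLIC-POOL
!
! Which inside hosts get translated
ip access-list standard NAT-INSIDE
 permit 192.168.1.0 0.0.0.255
!
! Solution 1 from the reply: only TCP segments with ACK or RST set, i.e.
! replies to sessions the inside opened, may reach the pool addresses.
! The inbound ACL is evaluated before outside-to-inside NAT, so it matches
! on the public pool addresses (1.1.1.0/26), not on 192.168.1.x.
ip access-list extended OUTSIDE-IN
 permit tcp any 1.1.1.0 0.0.0.63 established
 permit udp any eq domain 1.1.1.0 0.0.0.63
 permit icmp any 1.1.1.0 0.0.0.63 echo-reply
 permit icmp any 1.1.1.0 0.0.0.63 unreachable
 permit icmp any 1.1.1.0 0.0.0.63 time-exceeded
 deny ip any any log
!
! Solution 3 from the reply, as an alternative to the pool: overload on the
! outside interface address, so an outside host would also have to match the
! translated source port. Use this line instead of the "pool" line above.
! ip nat inside source list NAT-INSIDE interface FastEthernet0/1 overload
```

The established keyword only tests the ACK and RST flag bits of each segment; it keeps no per-session state, so UDP and ICMP replies need their own explicit permits (the DNS and ICMP lines above) and a crafted segment with ACK set will pass the filter. That is why the reply lists reflexive ACLs, which create a temporary return entry for each outbound flow, as an improvement on it. Verify with `show ip nat translations` that a pool address is only reachable from outside while the matching inside host has an active translation.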
