ip nat outside on zone-based FW (877)

Unanswered Question
Mar 11th, 2010

Hi,

If I look through many web pages on the subject, it should be possible to combine NAT outside and NAT inside. However, whichever way I try it, it doesn't work...

There are various reasons which can cause this:

* The router really doesn't support it (it's a Cisco 877 with IOS C870 Version 12.4(15)T7)

* I didn't configure it correctly... which is the most likely case, because I have difficulties really understanding the zone-based firewall it's using... Maybe the fact that it's using zone-based FW doesn't work correctly for the translation... (the zone-based FW was started by the web access to the router)

I give the snippets of the config which I think are important:

...
ip port-map user-pm-udp6565 port udp 6565
...
class-map type inspect match-all sdm-nat-user-protocol--6-2
  match access-group 199
...
policy-map type inspect sdm-pol-NATOutsideToInside-2
...
  class type inspect sdm-nat-user-protocol--6-2
    pass log
...
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
  service-policy type inspect sdm-pol-NATOutsideToInside-2
...
ip nat pool poolExt 192.168.100.200 192.168.100.220 netmask 255.255.255.0
ip nat inside source static tcp 192.168.100.254 6565 interface Dialer1 6565
ip nat inside source static udp 192.168.100.254 6565 interface Dialer1 6565
ip nat outside source list 199 pool poolExt add-route
...
access-list 199 permit tcp any host 192.168.100.254 eq 6565
access-list 199 permit udp any host 192.168.100.254 eq 6565
...

In this Dialer1 is defined as "ip nat outside" and Vlan1 as "ip nat inside".

The port translation works correctly, it makes the connection to 192.168.100.254, but with the outside address, which I wanted to be translated to some address in the range 192.168.100.200 - 220...

Can someone see why the external address (on port 6565) isn't translated by this code? It is using access-list 199 because it doesn't pass the router when I remove the lines

Thanks,

Alain
