Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Allow external user access to internal without static NAT

Hi all

I can configure router to allow external access to internal server by static NAT. Are there any way to configure without static NAT, and we can use ACL to prevent them from some services?

Thanks for all your advise

Here is the example configuration:

Current Configuration:
! 
version 12.1
service timestamps debug uptime
service timestamps log uptime
!
!
ip subnet-zero
no ip domain-lookup
!
bridge irb
!
interface Ethernet0
ip address 192.168.0.254 255.255.255.0
ip nat inside!--- This is the inside local IP address and it is a private IP address. !
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/35
encapsulation aal5snap
!
bundle-enable
dsl operating-mode auto 
bridge-group 1
!
interface BVI1
ip address 171.68.1.1 255.255.255.240
ip nat outside!--- This is the inside global IP address.
!--- This is your public IP address and it is provided to you by your ISP.!
ip nat inside source list 1 interface BVI1 overload!--- This statement makes the router perform PAT for all the 
!--- End Stations behind the Ethernet interface that  uses 
!--- private IP addresses defined in access list #1.ip nat inside source static tcp 192.168.0.5 80 171.68.1.1 80 extendable !--- This statement performs the static address translation for the Web server. 
!--- With this statement, users  that try to reach 171.68.1.1 port 80 (www)  are 
!--- automatically redirected to 192.168.0.5 port 80 (www). In this case 
!--- it is the Web server.ip classless
ip route 0.0.0.0 0.0.0.0 171.68.1.254
!--- IP address 171.68.1.254 is the next hop IP address, also
!--- called the default gateway.
!--- Your ISP can tell you what IP address to configure as the next hop address.!
access-list 1 permit 192.168.0.0 0.0.0.255!--- This access list defines the private network 
!--- that  is network address translated. bridge 1 protocol ieee 
bridge 1 route ip 
!
end
2 REPLIES

Re:Allow external user access to internal without static NAT

Hello

Nat provides ip.translation but its doesnt give.you any real security to.the server you still.need.to prohibit access via either ios fw features( cbac zbfw,extended acls etc) or via a designated fwl

To answer your question

Yes you can
You can position it in a dmz with a.public ip address and use port forwarding/filtering etc to.open up specifc ports to the server

Res
Paul


Sent from Cisco Technical Support Android App

Please don't forget to rate any posts that have been helpful. Thanks.
New Member

Allow external user access to internal without static NAT

Thanks for your reply

1/ I use router for accessing the internet

2/ I use IP PBX inside NAT router, therefore if I do not add static NAT pointing to IP PBX address, it cannot register with VoIP provider.

3/ Are there any way to access from internet to IP PBX without static NAT?

Please show me the example configuration

Thanks

186
Views
0
Helpful
2
Replies