Apparently you don't understand what I need.  I know you can do NAT like you said, but that doesn't make ALL of the internal traffic from the internal IP translate to a specific external IP, like what was in my first post.

I'll also need the ability to NAT a range of ports.

Please re-read my first post, and if you don't understand it, I'll try to explain it better.

Sorry about that. If you want to translate from one inside host to another just use this command.

ip nat inside source static 10.0.0.1 204.0.0.1

This only allows this host to be translated. Just remember to define your outside and inside interfaces and have a route to the next hop router you want to use.

Elton

That also lets ALL traffic from the internet to 204.0.0.1 pass to 10.0.0.1, not just the ports I need, and won't work for port ranges either.

So I need "ip nat inside source static 10.0.0.1 204.0.0.1" which handles the outbound traffic translation perfectly, but doesn't work for what I need as far as inbound traffic.

That doesn't let everything from the internet pass back into that host. Only ports that you have specified in your configuration to forward will be what will be allowed back in. I put those commands in the first post I made. I am specifying the TCP ports that need to be fowarded when they are sent to 204.0.0.1.

When I add:

ip nat inside source static 10.0.0.1 204.0.0.1

it correctly translates outbound traffic from 10.0.0.1 to make it be seen on the 'net as 204.0.0.1

BUT, it also forwards ALL ports reachable using 204.0.0.1 (one to one NAT) to 10.0.0.1 -- not what I need.

If I add:

ip nat inside source static tcp 10.0.0.1 80 204.0.0.1 80 extendable

ip nat inside source static 10.0.0.1 204.0.0.1

I can get to port 80, and also to port 443 -- but I should only be able to get to port 80, not 443 -- if what you're saying is correct.

Maybe you can post a quick topology of what your doing along with your config. Someone outside of the 10.0.0.0 network shouldn't be able to get in to that machine if they try coming in at 204.0.0.1:443.

Not really a topology to post, it's just (for now) a single host behind a Cisco 881 router.  I am getting this configured in my lab so that I can replace another, non Cisco, router that's in production.

So basically:

[internal box y.y.y.150]-----[router]----[internet]

Int fe4

     ip address x.x.x.35 255.255.255.240

     ip nat outside

     ip virtual-reassembly

int vlan1

     ip address y.y.y.1 255.255.255.0

     ip nat inside

     ip virtual-reassembly

ip nat pool mypool x.x.x.35 x.x.x.35 netmask 255.255.255.240

ip nat inside source list 100 pool mypool overload

ip nat inside source statuic y.y.y.150 x.x.x.44 extendable

ip route 0.0.0.0 0.0.0.0 fastethernet4

access-list 100 permit y.y.y.0 0.0.0.255 any

-----------------

When the "ip nat inside source statuic y.y.y.150 x.x.x.44 extendable" is NOT in the config, the internal host on y.y.y.150 is shown to the internet as x.x.x.35 (as expected, this is working fine).

When the "ip nat inside source statuic y.y.y.150 x.x.x.44 extendable" is put in the config, the internal host on y.y.y.150 is shown to the internet as x.x.x.44 (as expected, this is working fine) -- but also EVERYTHING on y.y.y.150 is accessable from the internet by going to x.x.x.44.  You mention this shouldn't happen, but it is.

I need y.y.y.150 to be shown to the internet as x.x.x.44, but only allow specfic ports to be open to the world on x.x.x.44.  I also need to be able to specify port ranges that are accessable.

This is just a single host example, eventually there will be about 20 of these types of NAT entries needed for this network, so I need some config that is managable... not one huge ACL that's prone to a fat finger that will affect everything.

Hope that helps.

John,

Excellent!  Is there a way to make that more manageable in the long run?  Ie: when I have 20+ hosts to NAT like that?  I can do ranges in those ACLs too, which is perfect.

I assume you can only have one access-group "in" per interface.

I'd rather not have one ACL for all 20+ hosts and a TON of ports to minimize something stupid happening to the ACL and breaking EVERYTHING.

Thanks!

Dan,

You'll just continue your run through this same acl. Do you have a block of addresses that you'll be natting out as? If so, you'll just do your static nat and then add them to the above list. Any additional servers that you need to add will still need to be added here, otherwise no one would be able to get to them.

You can edit acls by putting the number in front of them. For example, if you were to convert the 101 acl above to extended, you'd see lines 10, 20, 30:

10 access-list 101 permit tcp any host 204.0.0.1 eq 443

20 access-list 101 permit tcp any host 204.0.0.1 eq 80

30 access-list 101 permit tcp any any established

To edit this, you would do:

ip access-list ext 101

11 access-list 101 permit tcp any host 204.0.0.1 eq 8080

Then you'd see:

10 access-list 101 permit tcp any host 204.0.0.1 eq 443

11 access-list 101 permit tcp any host 204.0.0.1 eq 8080

20 access-list 101 permit tcp any host 204.0.0.1 eq 80

30 access-list 101 permit tcp any any established

You can change these to one line, depending on IOS version like:

access-list 101 permit tcp any host 204.0.0.1 eq 80 443 8080

These act as OR comparisons. If someone comes in on port 80, 443, or 8080, it will get sent to your natted host at 10.0.0.1.

John

Thanks John, that seems to be working  somewhat.

I'm fighting issues with not being able to do DNS lookups, or FTP transfers, but the inbound port forwarding is working as wanted now.

I expect the DNS and FTP issue is having to do with the ACL on the WAN interface "in" not letting the responses / ftp-data traffic come back properly (even though "permit tcp any any established" is in the ACL).  Probably a UDP ACL needs to be added for DNS traffic.

Have any ideas about that part while I keep trying to get it myself?

Thanks, John!

Thanks, that was it.  Needed to allow 53 udp back in.

Now just checking on other ports that may be needed as well.

Thanks for all the help!