New Member

NAT difficulties

I need to setup the following:

ALL traffic FROM internal IP of 10.0.0.1 needs to be seen on the internet as the public IP of 204.0.0.1

ONLY ports 80 and 443 FROM 204.0.0.1 need to be sent to the internal IP of 10.0.0.1

I've tried NAT with route maps, but no matter what I attempt, ALL traffic to 204.0.0.1 gets sent to 10.0.0.1, when I only need ports 80 and 443.

Also, I need a way to have the same as above, but to translate a port.  For example: external 204.0.0.1:555 goes to 10.0.0.1:22

This is one example, I have about 10 public IPs that I need to do the same thing to.

So basically I need to know how to NAT specific inbound ports on a specific public IP to specific internal ports on a specific internal IP, but at the same time, ALL outbound traffic from the internal IP will be shown to the world as a specific public IP.

Hope this makes sense.

15 REPLIES
New Member

NAT difficulties

For this simple configuration you don't need to use route maps. You can use static NAT to forward the inbound ports to certain hosts.

For example for your first requirement you would use:

ip nat inside source static tcp 10.0.0.1 80 204.0.0.1 80
ip nat inside source static tcp 10.0.0.1 443 204.0.0.1 443

If you need to use a different port on the outside than on the inside go with something like:

ip nat inside source static tcp 10.0.0.1 22 204.0.0.1 555

Hope this helps!!!

New Member

NAT difficulties

Apparently you don't understand what I need.  I know you can do NAT like you said, but that doesn't make ALL of the internal traffic from the internal IP translate to a specific external IP, like what was in my first post.

I'll also need the ability to NAT a range of ports.

Please re-read my first post, and if you don't understand it, I'll try to explain it better.

New Member

NAT difficulties

Sorry about that. If you want to translate from one inside host to another just use this command.

ip nat inside source static 10.0.0.1 204.0.0.1

This only allows this host to be translated. Just remember to define your outside and inside interfaces and have a route to the next hop router you want to use.

Elton

New Member

NAT difficulties

That also lets ALL traffic from the internet to 204.0.0.1 pass to 10.0.0.1, not just the ports I need, and won't work for port ranges either.

So I need "ip nat inside source static 10.0.0.1 204.0.0.1" which handles the outbound traffic translation perfectly, but doesn't work for what I need as far as inbound traffic.

New Member

NAT difficulties

That doesn't let everything from the internet pass back into that host. Only ports that you have specified in your configuration to forward will be what will be allowed back in. I put those commands in the first post I made. I am specifying the TCP ports that need to be forwarded when they are sent to 204.0.0.1.

New Member

NAT difficulties

When I add:

ip nat inside source static 10.0.0.1 204.0.0.1

it correctly translates outbound traffic from 10.0.0.1 to make it be seen on the 'net as 204.0.0.1

BUT, it also forwards ALL ports reachable using 204.0.0.1 (one to one NAT) to 10.0.0.1 -- not what I need.

If I add:

ip nat inside source static tcp 10.0.0.1 80 204.0.0.1 80 extendable
ip nat inside source static 10.0.0.1 204.0.0.1

I can get to port 80, and also to port 443 -- but I should only be able to get to port 80, not 443 -- if what you're saying is correct.

New Member

NAT difficulties

Maybe you can post a quick topology of what you're doing along with your config. Someone outside of the 10.0.0.0 network shouldn't be able to get in to that machine if they try coming in at 204.0.0.1:443.

New Member

Re: NAT difficulties

Not really a topology to post, it's just (for now) a single host behind a Cisco 881 router.  I am getting this configured in my lab so that I can replace another, non Cisco, router that's in production.

So basically:

[internal box y.y.y.150]-----[router]----[internet]

interface FastEthernet4
 ip address x.x.x.35 255.255.255.240
 ip nat outside
 ip virtual-reassembly
!
interface Vlan1
 ip address y.y.y.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip nat pool mypool x.x.x.35 x.x.x.35 netmask 255.255.255.240
ip nat inside source list 100 pool mypool overload
ip nat inside source static y.y.y.150 x.x.x.44 extendable
ip route 0.0.0.0 0.0.0.0 FastEthernet4
access-list 100 permit ip y.y.y.0 0.0.0.255 any

-----------------

When the "ip nat inside source static y.y.y.150 x.x.x.44 extendable" is NOT in the config, the internal host on y.y.y.150 is shown to the internet as x.x.x.35 (as expected, this is working fine).

When the "ip nat inside source static y.y.y.150 x.x.x.44 extendable" is put in the config, the internal host on y.y.y.150 is shown to the internet as x.x.x.44 (as expected, this is working fine) -- but also EVERYTHING on y.y.y.150 is accessible from the internet by going to x.x.x.44.  You mention this shouldn't happen, but it is.

I need y.y.y.150 to be shown to the internet as x.x.x.44, but only allow specific ports to be open to the world on x.x.x.44.  I also need to be able to specify port ranges that are accessible.

This is just a single host example, eventually there will be about 20 of these types of NAT entries needed for this network, so I need some config that is manageable... not one huge ACL that's prone to a fat finger that will affect everything.

Hope that helps.

NAT difficulties

Dan,

It will open all ports if you don't have an acl blocking the traffic. You'll need to create one allowing only the traffic that you want through the interface:

access-list 101 permit tcp any host 204.0.0.1 eq 443
access-list 101 permit tcp any host 204.0.0.1 eq 80
access-list 101 permit tcp any any established
int
ip access-group 101 in

HTH,

John

HTH, John *** Please rate all useful posts ***
New Member

Re: NAT difficulties

John,

Excellent!  Is there a way to make that more manageable in the long run? I.e., when I have 20+ hosts to NAT like that?  I can do ranges in those ACLs too, which is perfect.

I assume you can only have one access-group "in" per interface.

I'd rather not have one ACL for all 20+ hosts and a TON of ports to minimize something stupid happening to the ACL and breaking EVERYTHING.

Thanks!

Re: NAT difficulties

Dan,

You'll just continue your run through this same acl. Do you have a block of addresses that you'll be natting out as? If so, you'll just do your static nat and then add them to the above list. Any additional servers that you need to add will still need to be added here, otherwise no one would be able to get to them.

You can edit acls by putting the number in front of them. For example, if you were to convert the 101 acl above to extended, you'd see lines 10, 20, 30:

10 permit tcp any host 204.0.0.1 eq 443
20 permit tcp any host 204.0.0.1 eq 80
30 permit tcp any any established

To edit this, you would do:

ip access-list extended 101
 11 permit tcp any host 204.0.0.1 eq 8080

Then you'd see:

10 permit tcp any host 204.0.0.1 eq 443
11 permit tcp any host 204.0.0.1 eq 8080
20 permit tcp any host 204.0.0.1 eq 80
30 permit tcp any any established

You can change these to one line, depending on IOS version like:

access-list 101 permit tcp any host 204.0.0.1 eq 80 443 8080

These act as OR comparisons. If someone comes in on port 80, 443, or 8080, it will get sent to your natted host at 10.0.0.1.

John

HTH, John *** Please rate all useful posts ***
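Dan's worry about one hand-edited ACL covering 20+ hosts is the kind of thing a small generator handles well. The following is an added example in Python, not the thread's configuration or a Cisco tool: it takes a host table and renders the pattern John describes (a one-to-one static NAT per host, an inbound access-list that permits only the listed ports or port ranges per public address, DNS replies from named resolvers, then `established`), plus the port-translating static entry Dan showed for cases such as 204.0.0.1:555 to 10.0.0.1:22. The host table, ACL number 101, interface name FastEthernet4 and resolver addresses are assumptions built from values that appear in the thread; the second host 10.0.0.2/204.0.0.2 is constructed. It validates addresses, duplicate public IPs and port ranges before emitting anything, which is where a fat finger would otherwise go unnoticed.

```python
"""Render static NAT plus an inbound ACL for a whole table of hosts.

Constructed example, not the thread's configuration: host table, ACL number,
WAN interface name and resolver addresses are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Sequence, Tuple

PortRange = Tuple[int, int]     # inclusive (low, high); (80, 80) is a single port
Forward = Tuple[int, int]       # (outside_port, inside_port) for port translation


@dataclass
class HostMap:
    inside: str                                   # private address of the server
    outside: str                                  # public address it is seen as
    tcp_ports: List[PortRange] = field(default_factory=list)  # inbound ports kept open
    forwards: List[Forward] = field(default_factory=list)     # e.g. (555, 22)
    note: str = ""                                # emitted as an ACL remark


def _check_port(p: int, where: str) -> None:
    if not 1 <= p <= 65535:
        raise ValueError(f"bad port {p} for {where}")


def validate(hosts: Sequence[HostMap]) -> None:
    """Reject the mistakes most likely to expose something unintended."""
    seen = set()
    for h in hosts:
        ipaddress.IPv4Address(h.inside)      # raises on a malformed address
        ipaddress.IPv4Address(h.outside)
        if h.outside in seen:
            raise ValueError(f"public address {h.outside} mapped twice")
        seen.add(h.outside)
        for lo, hi in h.tcp_ports:
            _check_port(lo, h.outside)
            _check_port(hi, h.outside)
            if lo > hi:
                raise ValueError(f"inverted range {lo}-{hi} for {h.outside}")
        for oport, iport in h.forwards:
            _check_port(oport, h.outside)
            _check_port(iport, h.inside)


def port_match(lo: int, hi: int) -> str:
    return f"eq {lo}" if lo == hi else f"range {lo} {hi}"


def render(hosts: Sequence[HostMap], acl: int = 101,
           wan_interface: str = "FastEthernet4",
           dns_servers: Sequence[str] = ()) -> List[str]:
    validate(hosts)
    lines: List[str] = []
    for h in hosts:
        # port-translating entries first (Dan's 'extendable' form), then the
        # one-to-one mapping that makes all outbound traffic appear as outside
        for oport, iport in h.forwards:
            lines.append(f"ip nat inside source static tcp {h.inside} {iport} "
                         f"{h.outside} {oport} extendable")
        lines.append(f"ip nat inside source static {h.inside} {h.outside}")
    # inbound ACL: listed ports per public address, DNS replies from known
    # resolvers, then return traffic of sessions opened from inside
    for h in hosts:
        if h.note:
            lines.append(f"access-list {acl} remark {h.note}")
        opened = h.tcp_ports + [(oport, oport) for oport, _ in h.forwards]
        for lo, hi in opened:
            lines.append(f"access-list {acl} permit tcp any host {h.outside} {port_match(lo, hi)}")
    for d in dns_servers:
        lines.append(f"access-list {acl} permit udp host {d} eq 53 any")
    lines.append(f"access-list {acl} permit tcp any any established")
    lines.append(f"interface {wan_interface}")
    lines.append(f" ip access-group {acl} in")
    return lines


def example_hosts() -> List[HostMap]:
    """Constructed host table built from the addresses used in the thread."""
    return [
        HostMap("10.0.0.1", "204.0.0.1", [(80, 80), (443, 443)], [(555, 22)], "web server"),
        HostMap("10.0.0.2", "204.0.0.2", [(8000, 8010)], note="app server, port range"),
    ]


if __name__ == "__main__":
    print("\n".join(render(example_hosts(), dns_servers=["4.2.2.1", "4.2.2.2"])))
```

The output is meant to be pasted as a block and diffed against the running config; because every host goes through the same template, adding host number 21 is one table row rather than a hand-typed ACL line, and a duplicated public address or an inverted port range stops the run instead of silently widening what is reachable.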
New Member

Re: NAT difficulties

Thanks John, that seems to be working somewhat.

I'm fighting issues with not being able to do DNS lookups, or FTP transfers, but the inbound port forwarding is working as wanted now.

I expect the DNS and FTP issue is having to do with the ACL on the WAN interface "in" not letting the responses / ftp-data traffic come back properly (even though "permit tcp any any established" is in the ACL).  Probably a UDP ACL needs to be added for DNS traffic.

Have any ideas about that part while I keep trying to get it myself?

Thanks, John!

Re: NAT difficulties

You'll also need to allow DNS queries back in, so yes, your acl will need to have:

access-list 101 permit udp any eq 53 any

You'll need to put this BEFORE the "permit tcp any any established" line.

HTH, John *** Please rate all useful posts ***
New Member

Re: NAT difficulties

Thanks, that was it.  Needed to allow 53 udp back in.

Now just checking on other ports that may be needed as well.

Thanks for all the help!

Re: NAT difficulties

You're very welcome. If you don't want to allow anything back in on 53, you can also tighten the acl down to allow just the host that you're expecting your replies to come back from. For example, if you use 4.2.2.1 and 4.2.2.2 for dns servers on your hosts, you can put those in your acl:

permit udp host 4.2.2.1 eq 53 any
permit udp host 4.2.2.2 eq 53 any

And you should be able to remove "permit udp any any 53". A good way to test this would be to put these 2 lines above your "permit udp any any" line and then look at your counters. If you're getting hits on the new lines, then you're safe to remove the "any any" line. Substitute your real dns servers for the ones that I put in my post above though.

John

HTH, John *** Please rate all useful posts ***
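To make the ACL behaviour in the replies above concrete, here is an added example in Python (not code from the thread or from Cisco IOS) that models how IOS walks an extended access-list: entries are checked in sequence-number order, the first match wins, anything unmatched falls to the implicit deny, and `established` matches only TCP segments with ACK or RST set. The access-list it evaluates is the finished ACL 101 from this thread with the DNS lines written for the reply direction (source port 53 from a named resolver); the resolver addresses are John's 4.2.2.1 and 4.2.2.2, while the sequence numbers 10 to 50 and the sample packets are constructed for the example. `add_entry` shows the sequence-number insert John describes, and `dport_rule_matches_reply` shows why a rule on destination port 53 would not cover DNS replies.

```python
"""Evaluate this thread's inbound WAN access-list against sample packets.
Constructed example (not thread or IOS code): models extended-ACL semantics."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_HOST = "204.0.0.1"               # public address used in the thread
DNS_SERVERS = ("4.2.2.1", "4.2.2.2")    # resolvers from John's last reply


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()      # TCP flags set, e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Entry:
    action: str                                 # "permit" or "deny"
    proto: str                                  # "tcp", "udp" or "ip"
    src: Optional[str] = None                   # None means "any"
    sport: Optional[Tuple[int, int]] = None     # inclusive range; None means any port
    dst: Optional[str] = None
    dport: Optional[Tuple[int, int]] = None
    established: bool = False                   # IOS 'established' keyword

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src is not None and self.src != p.src:
            return False
        if self.dst is not None and self.dst != p.dst:
            return False
        if self.sport is not None and not self.sport[0] <= p.sport <= self.sport[1]:
            return False
        if self.dport is not None and not self.dport[0] <= p.dport <= self.dport[1]:
            return False
        # 'established' matches only segments with ACK or RST set, so a fresh
        # inbound SYN never matches it
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


def eq(port: int) -> Tuple[int, int]:
    return (port, port)


# access-list 101 as it ends up in the thread, keyed by sequence number
# (numbers constructed). The DNS lines match the reply direction:
# source port 53 from a known resolver.
ACL_101: Dict[int, Entry] = {
    10: Entry("permit", "tcp", dst=PUBLIC_HOST, dport=eq(443)),
    20: Entry("permit", "tcp", dst=PUBLIC_HOST, dport=eq(80)),
    30: Entry("permit", "udp", src=DNS_SERVERS[0], sport=eq(53)),
    40: Entry("permit", "udp", src=DNS_SERVERS[1], sport=eq(53)),
    50: Entry("permit", "tcp", established=True),
}


def evaluate(acl: Dict[int, Entry], p: Packet) -> Tuple[str, int]:
    """(action, sequence) of the first matching entry; sequence 0 = implicit deny."""
    for seq in sorted(acl):
        if acl[seq].matches(p):
            return acl[seq].action, seq
    return "deny", 0


def add_entry(acl: Dict[int, Entry], seq: int, entry: Entry) -> Dict[int, Entry]:
    """Insert at a free sequence number, like '11 permit ...' typed under
    'ip access-list extended 101'; returns a new ACL."""
    if seq in acl:
        raise ValueError(f"sequence {seq} already in use")
    return {**acl, seq: entry}


def thread_cases(acl: Dict[int, Entry] = ACL_101) -> Dict[str, Tuple[str, int]]:
    """Constructed packets arriving inbound on the WAN interface."""
    syn, ack = frozenset({"SYN"}), frozenset({"ACK"})
    cases = {
        "https to public host": Packet("tcp", "198.51.100.7", 40001, PUBLIC_HOST, 443, syn),
        "http to public host": Packet("tcp", "198.51.100.7", 40002, PUBLIC_HOST, 80, syn),
        "ssh to public host": Packet("tcp", "198.51.100.7", 40003, PUBLIC_HOST, 22, syn),
        "dns reply from resolver": Packet("udp", DNS_SERVERS[0], 53, PUBLIC_HOST, 51000),
        "dns reply from unknown server": Packet("udp", "203.0.113.9", 53, PUBLIC_HOST, 51001),
        "return traffic of outbound session": Packet("tcp", "203.0.113.9", 443, PUBLIC_HOST, 52000, ack),
    }
    return {name: evaluate(acl, pkt) for name, pkt in cases.items()}


def dport_rule_matches_reply() -> bool:
    """Why 'permit udp any any eq 53' (destination port) does not cover
    replies: a reply travels from port 53, not to it."""
    reply = Packet("udp", DNS_SERVERS[0], 53, PUBLIC_HOST, 51000)
    return Entry("permit", "udp", dport=eq(53)).matches(reply)
```

Calling `thread_cases()` shows the point of John's suggestion: the inbound SYN to 204.0.0.1:22 is dropped by the implicit deny even though the one-to-one static NAT would happily translate it, while the HTTPS and HTTP SYNs, the reply from a listed resolver and the ACK of a session opened from inside are all permitted by a specific line. A DNS reply from an unlisted server is dropped, which is the tightening John describes; watch the counters on the per-resolver lines before removing any broader line, exactly as he says.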