I have a Cisco 1841 that is providing NAT overload (PAT) for a LAN.
I have two LANs using the same IP range. Basically, one LAN has the servers and many users and the other LAN has just users.
What I have is the router doing NAT overload at this remote site, so all IPs are seen as one address and they can access the servers etc. successfully.
The problem I have now is that we need to connect to some of these PCs that are remote, but we only see them as one IP. What options do I have?
You have a couple of options, some more secure than others.
If it is a secure method you are using to connect (e.g. HTTPS / SSH / PPTP), then you can simply create a Static PAT (AKA Port Forwarding).
e.g. You can forward port 222 on the outside to port 22 on an internal server:
ip nat inside source list 1 interface ATM1 overload
ip nat inside source static tcp 192.168.0.5 22 18.104.22.168 222
Now if you SSH to the external IP on port 222, you will get access to the internal server 192.168.0.5 on port 22.
Make sure that your access-lists lock access to the port down - you don't want the script-kiddies attacking your server.
If you aren't using secure methods, then I would strongly recommend using a VPN instead.
You can set specific remote PCs with a specific NAT address. It should be in the same network as your PAT, just not that same address.
ip nat inside source list 2 interface serial0/0 overload
ip nat inside source static 10.10.10.99 172.16.30.25 extendable
Hope that helps.
A couple of things: I have about 50-80 PCs; would I need to create a static IP for each PC? Also, what is the "extendable" keyword? I have not used this before.
You mention these commands should be added on the side of the PAT. Looking at my config, would this be on the FE0/1?
Current configuration : 1752 bytes
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
logging buffered 8192 informational
no aaa new-model
no ip dhcp use vrf connected
ip dhcp pool scope
network 10.20.20.0 255.255.255.0
lease 0 2
ip domain name gb.vo.local
description WAN Link to Servers Port
ip address 192.168.60.245 255.255.255.0
ip nat outside
description LAN Port
ip address 10.20.20.1 255.255.255.0
ip nat inside
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.60.244
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool Mypool 192.168.60.220 192.168.60.221 netmask 255.255.255.0
ip nat inside source list 100 pool Mypool overload
logging history informational
logging trap notifications
logging source-interface FastEthernet0/1
Your NAT pool is 192.168.60.220-221 so we'll use an address in the same IP scheme, but one that is not in the pool.
ip nat inside source static 10.20.20.75 192.168.60.100
So I just make the PCs have static IPs on the remote network like 10.20.20.75 and statically NAT these to, say, 192.168.60.100, 101, 102 etc., and any PC not requiring a static IP will just use the pool?
So if the server side needs to get to 192.168.60.100, they will get there via 10.20.20.75.
This is a lot of work as there are a lot of PCs, but long term I guess changing their whole scope is the next step, via DHCP maybe.
I had assumed in my previous solution that you only had 1 Public IP address with which to work.
If you have more IPs, then there's a much simpler method of doing this than setting up 50-80 Static NAT translations.
First, you need a DNS server on the inside of this network that has entries for every device that you want to connect to. (If these are Windows servers then it's highly likely you already have this.)
Then you set up a Dynamic NAT pool (NOT overloaded).
Configure a Static NAT translation for your DNS server, so that you can perform DNS lookups against it from outside.
And that's it! All you have to do now is connect to your devices by their FQDN. The DNS response will be automatically NATed and you will be able to connect.
DNS Server - 10.20.20.2
- A - servera.mysite.domain.com = 10.20.20.100
- A - serverb.mysite.domain.com = 10.20.20.101
ServerA - 10.20.20.100
ServerB - 10.20.20.101
ip nat pool Mypool 192.168.60.10 192.168.60.100 netmask 255.255.255.0
ip nat inside source list 100 pool Mypool
ip nat inside source static 10.20.20.2 192.168.60.2
ip nat translation timeout 32400
Now when you connect to servera.mysite.domain.com:
1) A DNS lookup runs against 192.168.60.2
2) The DNS Query hits the NAT router, and the destination IP is changed to 10.20.20.2
3) The DNS query hits your DNS server and a DNS response saying "servera.mysite.domain.com = 10.20.20.100" is sent back.
4) The DNS response hits the NAT router, and:
4a) The Source IP is changed to 192.168.60.2
4b) The DNS Response is changed from "servera.mysite.domain.com = 10.20.20.100" => "servera.mysite.domain.com = 192.168.60.11" (Where the 192 address has been chosen from the NAT pool)
5) The DNS response gets back to your PC, and your Client software then connects to servera by its NATed address of 192.168.60.11
The NAT translation will remain active until it has not been used for 9 hours (the 32400-second timeout above), then it will clear.
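As an added illustration (not code from this thread or from Cisco IOS), here is a small Python model of the router behaviour in steps 1-5 and in the earlier static-translation answer: static inside-to-outside mappings, a non-overloaded dynamic pool with the idle timeout, and the rewriting of A records in outbound DNS replies. The pool here hands out addresses in order, so the first dynamic host receives 192.168.60.10 rather than the .11 used in the walkthrough; the DNS reply is a constructed name-to-address dict, not a real packet.

```python
"""Toy model of a NAT router with static entries, a dynamic (non-overloaded)
pool and DNS reply rewriting. Added example; addresses are the thread's values."""
import ipaddress


class NatRouter:
    def __init__(self, pool_start, pool_end, idle_timeout=32400):
        first = ipaddress.IPv4Address(pool_start)
        last = ipaddress.IPv4Address(pool_end)
        # 'ip nat pool Mypool <start> <end>': free addresses handed out in order
        self.free = [str(ipaddress.IPv4Address(a)) for a in range(int(first), int(last) + 1)]
        self.static = {}        # inside -> outside ('ip nat inside source static')
        self.dynamic = {}       # inside -> (outside, last_used_seconds)
        self.idle_timeout = idle_timeout  # 'ip nat translation timeout 32400'

    def add_static(self, inside, outside):
        self.static[inside] = outside

    def expire(self, now):
        """Drop dynamic entries idle for the timeout and return them to the pool."""
        for inside, (outside, last) in list(self.dynamic.items()):
            if now - last >= self.idle_timeout:
                del self.dynamic[inside]
                self.free.append(outside)

    def translate(self, inside, now):
        """Outside address for an inside host; allocate from the pool if needed.

        Raises RuntimeError when the pool is empty, the failure mode of a
        non-overloaded pool with more inside hosts than addresses.
        """
        if inside in self.static:
            return self.static[inside]
        self.expire(now)
        if inside in self.dynamic:
            outside = self.dynamic[inside][0]
            self.dynamic[inside] = (outside, now)  # refresh the idle timer
            return outside
        if not self.free:
            raise RuntimeError("NAT pool exhausted: enlarge the pool or use overload")
        outside = self.free.pop(0)
        self.dynamic[inside] = (outside, now)
        return outside

    def outbound_dns_reply(self, answers, now):
        """Step 4b: rewrite A records in a reply leaving the inside network."""
        return {name: self.translate(ip, now) for name, ip in answers.items()}
```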