IP access-list question

mjsully
Level 1

Let's say I have a router whose serial interface is configured for inside NAT, and the Ethernet interface is set for outside NAT. So I'll refer to the Serial interface as the inside, and the Ethernet interface as the outside. Currently, I have a NAT access-list that PATs incoming traffic to the inside interface against any matches on the NAT access-list. The config is as follows:

interface Serial0/0
 ip nat inside
!
interface FastEthernet0/0
 ip nat outside
!
ip nat pool PAT_pool 35.0.30.30 35.0.30.30 prefix-length 24
ip nat inside source list 50 pool PAT_pool overload

Standard IP access list 50
    permit 10.10.1.250
    permit 10.8.3.100
    permit 10.10.3.4
    permit 10.5.6.6

As you can see, if any of the 4 IP addresses in the access-list initiate a connection into the inside interface they get PAT'd to 35.0.30.30. However, there is also a need for a host off the Outside to initiate a connection to one of those IP addresses defined in the NAT ACL, and that host is 10.10.1.250. Is it possible to configure this so that an Outside host can connect to the same PAT address, 35.0.30.30, and have it translate to only the 10.10.1.250 address? Obviously I don't want to break the NAT coming into the serial interface (Inside NAT). What is happening is that one of the servers on the outside (Ethernet) needs to initiate keepalives back to the 10.10.1.250 address, but only that address. They were hoping to aim it at the PAT address 35.0.30.30. How do I go about doing this? I don't want to break anything with the current NAT as it relates to inside to outside.

3 Replies

mheusinger
Level 10

Hello, you would need the specific protocol and port number and use static PAT. Something like:

ip nat inside source static tcp 10.10.1.250 1234 35.0.30.30 4321

Adjust your protocol (TCP/UDP) and Port numbers (1234, 4321) according to your requirements.

Hope this helps! Please rate all posts.

Regards, Martin

OK, so you are saying that I can leave the PAT access-list for traffic coming to the inside interface (including the source IP of 10.10.1.250) alone, but servers on the outside interface can send their keepalives to the PAT address 35.0.30.30 (10.10.1.250) as long as I assign the static NAT with the particular port number of the keepalive? And this won't conflict with each other?

Hello,

It is static PAT that you are applying, thus it only interferes with the specific ports used in the "static" command. Whether this is possible or not in combination depends on the specific application and ports used. As I am not aware of your application, I cannot give a definite statement for your case.

You can try the above config (adjusted to your requirements) and check, if everything works just fine.

Hope this helps! Please rate all posts.

Regards, Martin
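The following is an added worked example, not configuration posted by anyone in the thread, showing how the static PAT entry Martin describes coexists with the existing dynamic overload on the same inside global address 35.0.30.30. The keepalive port (5000/tcp), the outside server's address (35.0.30.10) and the ACL name OUTSIDE_IN are assumptions; substitute the real protocol and port. The inbound ACL is optional hardening: without it the static entry exposes 10.10.1.250:5000 to every host on the outside segment, but any such ACL must also admit the return traffic of the existing PAT sessions, so apply it only if you can enumerate that traffic (the `established` line below covers TCP only).

```cisco
! Added example, not from the original thread.
! Assumptions: keepalive is 5000/tcp, outside server is 35.0.30.10.
interface Serial0/0
 ip nat inside
!
interface FastEthernet0/0
 ip nat outside
 ip access-group OUTSIDE_IN in
!
ip nat pool PAT_pool 35.0.30.30 35.0.30.30 prefix-length 24
!
! Dynamic PAT, unchanged from the question: inside hosts matched by ACL 50
! are translated to 35.0.30.30 with a dynamically chosen source port.
ip nat inside source list 50 pool PAT_pool overload
!
! Static PAT for the single host/port the outside server must reach:
! packets arriving on the outside interface for 35.0.30.30:5000/tcp are
! translated to 10.10.1.250:5000. The static entry is matched before the
! dynamic pool, and that port is not handed out to overload sessions,
! so inside-to-outside traffic from 10.10.1.250 still uses ACL 50 as before.
ip nat inside source static tcp 10.10.1.250 5000 35.0.30.30 5000
!
access-list 50 permit host 10.10.1.250
access-list 50 permit host 10.8.3.100
access-list 50 permit host 10.10.3.4
access-list 50 permit host 10.5.6.6
!
! Optional hardening (assumed names/addresses). Inbound on the outside
! interface the ACL is checked before translation, so it matches the
! global address 35.0.30.30. Only the keepalive server may hit the
! forwarded port; TCP return traffic for the overload sessions is allowed
! via "established"; UDP/ICMP return flows would need their own permits.
ip access-list extended OUTSIDE_IN
 permit tcp host 35.0.30.10 host 35.0.30.30 eq 5000
 permit tcp any host 35.0.30.30 established
 deny   ip any any log
!
! Verification: the static entry appears as a permanent translation,
! dynamic entries appear per flow once inside hosts send traffic.
! show ip nat translations
! show ip nat statistics
```

Test from the outside server first (a connection to 35.0.30.30:5000 should show up in `show ip nat translations` as 10.10.1.250:5000), then confirm that outbound sessions from all four ACL 50 hosts still translate to 35.0.30.30 as before.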
