Help with NAT outside in ADSL on 887

mmoulson1
Level 4

Hi all,

I’ve had a good search and can’t find an example of what I was thinking would be quite a common configuration!

So far my config is as below so basic NAT to allow inside devices access to the internet.

What I need to do is allow static NAT from the outside to an inside host but only from specific sources on the internet.

I’ve seen some configuration using route maps but the examples I have seen appear to control how to NAT out via different interfaces based on destination address, whereas I want to NAT in based on source address.

Many thanks in advance.
Matty

interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip nat outside
!
! Wildcard corrected to 0.0.0.255 so the list matches only 192.168.1.0/24
! (0.0.255.255 would have matched all of 192.168.0.0/16).
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer0 overload

10 Replies

Jon Marshall
Hall of Fame

Matty

I am not sure I fully understand. Do you want to present an internal host to the outside but only allow certain hosts to it, or do you want to NAT the internet client IPs as they come in, or something else entirely?

Could you perhaps clarify with an example using the IPs of the device internally and how you want it to be seen on the internet and what you want to do with internet client IPs ?

Jon

Hi Jon,

Ok for example I have a web server on the internal network with an IP address 192.168.1.10. I want to allow access to TCP port 80 from the internet but only from host 8.8.8.8.

Thanks

Matty

Hi Matty

Can I ask why you don't just use an ACL to control the access? Using 175.10.10.1 as the public IP you present the web server on in this example, why can you not just do -

ip nat inside source static tcp 192.168.1.10 80 175.10.10.1 80

and then use an acl on your outside interface to only allow the specific IPs you want.

I suspect you may be able to do some policy NAT but I don't have anything to test with so it would be trial and error, e.g.

ip nat inside source static tcp 192.168.1.10 80 175.10.10.1 80 route-map WEB
!
! Numbered 102 here: list 101 is already used by the overload statement
! in the original config, and appending to it would merge the two lists.
! Inside-source NAT evaluates the list in the inside-to-outside direction,
! so the inside host is the source and the internet client the destination.
access-list 102 permit tcp host 192.168.1.10 eq 80 host 8.8.8.8
!
route-map WEB permit 10
 match ip address 102

Note with the above config I am not sure whether the NAT statement supports using TCP port numbers, i.e. a normal static translation does but this is conditional NAT so it may not.

Jon
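The static-NAT-plus-outside-ACL approach described in the reply above, written out as an added example (it is not configuration from this thread or from Cisco documentation). It assumes the fixed public IP 175.10.10.1 on Dialer0, the web server 192.168.1.10 and the permitted client 8.8.8.8 from the posts above, and a hypothetical ACL name OUTSIDE-IN.

```cisco
! Added example, not from the thread. Assumes 175.10.10.1 is static on Dialer0;
! on a dynamic ADSL address use "interface Dialer0 80" in the NAT statement
! and "any" as the ACL destination instead.
!
! Overload NAT for the LAN (wildcard 0.0.0.255 = only 192.168.1.0/24).
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer0 overload
!
! Publish TCP/80 only; the other ports of 192.168.1.10 stay untranslated.
ip nat inside source static tcp 192.168.1.10 80 175.10.10.1 80
!
! Inbound filter on the outside interface. For outside-to-inside traffic the
! ACL is checked before NAT, so it matches the public address, not 192.168.1.10.
! Entries are evaluated top down; the final deny logs any other attempt.
ip access-list extended OUTSIDE-IN
 remark only the permitted client may reach the published web port
 permit tcp host 8.8.8.8 host 175.10.10.1 eq 80
 remark return traffic for TCP sessions the LAN opened (ACK or RST set);
 remark UDP/ICMP return traffic needs stateful inspection (ip inspect / ZBFW)
 permit tcp any host 175.10.10.1 established
 deny   ip any any log
!
interface Dialer0
 ip nat outside
 ip access-group OUTSIDE-IN in
```

Verify with "show access-lists OUTSIDE-IN" (hit counters on the permit and the logged deny) and "show ip nat translations" after a test connection from the permitted host.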

Hi Jon,

I wanted to use a route map to forward a range of ports rather than just a single. (sorry I was trying to keep my example above simple!)

As these appear to be based on ACLs I thought I could also control the source address as well as the ports, if that makes sense?

Thanks

Matty

Matty

As I say I don't have anything to test with so these are just suggestions, but you could try changing the NAT statement to -

ip nat inside source static 192.168.1.10 175.10.10.1 route-map WEB

but I think that would just create a static entry in the translation table, i.e. without any ports, so you may as well just use -

ip nat inside source static 192.168.1.10 175.10.10.1

and then control the access via an acl. Of course if you need to translate 192.168.10.1 to another public IP for different connections then you could use the route map NAT statement with the "extendable" keyword.

Apologies for not being able to give definitive answers but I just don't have the equipment and this is definitely something that needs testing.

There are a lot of other people on these forums though so hopefully someone else may join who may be able to give a more definitive answer.

Jon

Thanks Jon,

I gave up after looking into it further! There appeared to be some bug around creating route maps for UDP ranges.

My config now has 2000+ lines that look like this:

ip nat inside source static udp 192.168.1.64 7036 interface Dialer0 7036

However when testing it appears we are still having issues! Does the above config look ok?

Thanks


Matty

Matty

From what you have posted it looks fine. Be aware that if there were already dynamic entries for 192.168.1.64 in the translation table before setting up the statics this may have caused a problem.

What sort of issues are you facing ?

Jon

Hi Jon,

Yeah I tried to clear the translations but got the same behaviour.

I’m trying to NAT a SIP trunk through to a PBX. The issue appears to be the call will establish but there is no audio once the call is connected.

Previously I had NAT entries for media ports but was told by the ITSP that only 5060 is required as the media ports are opened dynamically.

When I do a ‘show ip nat translations’ I can see it is opening things dynamically but we still get no audio on the call.

I read on other posts about the ‘ip nat service sip udp 5060’ command, which as I understand it will turn sip ALG on or off if negated. However this appears to not make any difference!

Any ideas?

Thanks for all your help.

Matty

Matty

Are all the NAT translations meant to be for SIP or are they for something else? I.e. if SIP dynamically opens ports back then you wouldn't need static NAT translations, so I am assuming they are for something else?

Apart from checking any ACLs etc. which may be applied to the interfaces I suspect I will be of limited help as I have no experience with SIP.

You may want to either post in the VoIP forums or move this thread there if the main issue is SIP, as I am sure there must be people in there who have done this sort of thing before.

Sorry I can't be more help, I just don't have any experience with it.

Jon

Jon,

NAT'ing SIP is a tricky beast, completely different from "regular" NAT. SIP is picky.

Try to issue a "no ip nat service sip udp port 5060". If that doesn't do the trick, maybe you need then to make your router act as a SBC. More details at http://www.cisco.com/en/US/docs/ios/12_4t/ip_addr/configuration/guide/htnatsbc.html

HTH.

(Edit: there are some why's at this link: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6640/prod_white_paper0900aecd80537d0b.html)
