Solved: Re: IP Map in router

biplobkhan · ‎11-18-2011

HI

I have connect a router in my network . I have a webserver in my network. I have done nat for connect internet from Webserver,

my webserver ip 172.20.121.10 now i am want from internet anyone can access my webserver. as example ISP give me real ip 202.10.11.5

now i am want IP map 202.10.11.5 to 172.20.121.10.

so what i do for access internet to my webserver ? pls example with configure.

Regards

Biplob

Craig_Baum_2 · ‎11-19-2011

OK depending on your setup this can be simple through to slightly complicated.

In a simple ideal world:

On inside interface you put ip nat inside on your outside interface facing ISP you put ip nat outside

And then you put:

Ip nat inside source static 172.20.121.10. 202.10.11.5

HOWEVER!!!

Is this the only device on your local network? Is this a unique IP or the one used on the interface of the router facing the ISP.

If not unique you can't simply nat as any other packets destined for that address or items on your local network will be affected. Instead you would have to do it on port number.

Secondly what firewall setup do you have? Classic or zone-based iOS. As at min you would need some acl to restrict access to eq http https to prevent anyone else having an attack on your server. Even then you need to consider rate-limiting these requests..

So questions:

1) Other devices on local network?

2) Is ISP address unique or that applied to your router port?

3) Are you using Classic firewall iOS or zone based?

Hope that helps..

Sent from Cisco Technical Support iPad App

View solution in original post

Craig_Baum_2 · ‎11-19-2011

OK depending on your setup this can be simple through to slightly complicated.

In a simple ideal world:

On inside interface you put ip nat inside on your outside interface facing ISP you put ip nat outside

And then you put:

Ip nat inside source static 172.20.121.10. 202.10.11.5

HOWEVER!!!

Is this the only device on your local network? Is this a unique IP or the one used on the interface of the router facing the ISP.

If not unique you can't simply nat as any other packets destined for that address or items on your local network will be affected. Instead you would have to do it on port number.

Secondly what firewall setup do you have? Classic or zone-based iOS. As at min you would need some acl to restrict access to eq http https to prevent anyone else having an attack on your server. Even then you need to consider rate-limiting these requests..

So questions:

1) Other devices on local network?

2) Is ISP address unique or that applied to your router port?

3) Are you using Classic firewall iOS or zone based?

Hope that helps..

Sent from Cisco Technical Support iPad App

biplobkhan · ‎11-19-2011

Hi

I appriciate you response.

Webserver: 172.16.131.10 and ISP give another IPaddress for client 10.10.10.2

interface ethernet0
172.16.131.5
ip nat inside

interface ethernet1
10.10.10.1
ip nat outside

ip nat inside source static 172.16.131.10 10.10.10.2

I think this is simple by you advise to work done.

1. no other device

2. ISP give some real IP

many time ISP is unique IP then I put : ip nat inside source static ?

Regards

Biplob

Craig_Baum_2 · ‎11-20-2011

Sounds good. If that web server is only used to serve http and https then you can also put an access list just to restrict traffic with your destination (public address) from any source to only equal tcp ports http and https.

I.e. access-list allowwww permit tcp any host 202.10.11.5 eq 80

If the IP is required to be routable the ISP will provide a unique public address, in your example the 10.xx.xx.xx is obviously not routable as a private address but can be used in a lab setup to test how it woks.

Sent from Cisco Technical Support iPad App