Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

NAT on a Cisco IOS router

Forum

i am working at a client site today.  The client has indicated that they need to have a server translated so that connections coming in from the public can access the server.  I told the client I would be able to use NAT for this on their 2911 G2 router.

The requirement is that connection attemtps be allowed to come into a public address, which I will call 1.2.3.4 for the purpose of this example. 

The inside (real address) for the server is 192.168.15.14/24. 

Here is the statement that I have placed on the router:

ip nat inside source static 192.168.15.14 1.2.3.4

and also have placed "ip nat inside" on the Ethernet that faces inside to the 192.168.15.0/24 network.  I have placed "ip nat outside" on the Ethernet that faces the Internet.

I also placed an ACL statement to allow the ports required which reads:

180 permit tcp any any eq 60000 64999

181 permit udp any any eq 60000 64999

My concern is whether I have written the NAT statement correctly or not.

here is what I see when I perform a "sho ip nat trans"

tbhroomsgw#sho ip nat trans

Pro Inside global      Inside local       Outside local      Outside global

--- 1.2.3.4      192.168.15.14      ---                ---

icmp 1.2.3.5:1   192.168.15.28:1    192.168.1.102:1    192.168.1.102:1

tcp 1.2.3.5:50474 192.168.15.28:50474 64.236.18.17:5190 64.236.18.17:5190

tcp 1.2.3.5:50475 192.168.15.28:50475 205.188.1.5:5190 205.188.1.5:5190

tcp 1.2.3.5:50883 192.168.15.28:50883 204.14.233.95:443 204.14.233.95:443

tcp 1.2.3.5:50884 192.168.15.28:50884 204.14.232.33:443 204.14.232.33:443

tcp 1.2.3.5:50886 192.168.15.28:50886 204.14.233.95:443 204.14.233.95:443

tcp 1.2.3.5:50912 192.168.15.28:50912 64.12.115.25:5192 64.12.115.25:5192

tcp 1.2.3.5:50922 192.168.15.28:50922 64.12.115.25:5192 64.12.115.25:5192

--- 1.2.3.5      192.168.15.28      ---                ---

--- 1.2.3.6    192.168.15.29      ---                ---

Any help would be greatly appreciated.

2 REPLIES
New Member

NAT on a Cisco IOS router

Hi Kevin,

you need to make some changes here.  We'll assume your internal interface is fa0/0 and your external is fa0/1 for the sake of this reply.

ip access-list extended aclPortFrowardRange
 permit tcp any any range 60000 64999
 permit udp any any range 60000 64999
ip access-list standard aclNat
 permit 192.168.15.0 0.0.0.255
!
ip nat pool poolServer 192.168.15.14 192.168.15.14 netmask 255.255.255.0 type rotary
!
interface fa0/0 
 ip address 192.168.15.1 255.255.255.0 ! or whatever it is on this subnet.
 ip nat inside
interface fa0/1
 ip nat outside
!
ip nat inside source list aclNat interface fa0/1 overload
ip nat inside destination list aclPortForwardRange pool poolServer

You will also need to poke any holes in your inbound ACL on your external interface if there is one.  use a similar sytax to the aclPortForwardRange example above in this ACL if need be.

Let us know how this goes.

New Member

NAT on a Cisco IOS router

As it turns out, the configuration I had submitted on the post worked just fine.

Thanks for your response.

Kevin

266
Views
3
Helpful
2
Replies
CreatePlease login to create content