Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

NAT question - straightforward?

I've got a couple of simple NAT questions for my 2821 ISR with IOS 12.4(13r)T Advanced IP Services:

1. I have two WAN interfaces, Dialer0 x.x.x.x and Dialer1 y.y.y.y.

I think I can NAT a single port through as follows:

ip nat inside source static udp 10.1.1.220 5060 x.x.x.x 5060 extendable

ip nat inside source static udp 10.1.1.220 5060 y.y.y.y 5060 extendable

Is there a better way of forwarding those ports to the inside server irrespective of which interface it comes through?

2. I also want to forward through the range of udp ports from 35000 to 45000 to the same server, no matter which external interface they come through.

How can I do that efficiently?

Thanks for your help - I'm happy to rate any and all posts that help.

7 REPLIES

Re: NAT question - straightforward?

1. Not that I know of, it looks good.

2. You can create a one-to-one NAT

ip nat inside source static 10.1.1.221 z.z.z.z

Then use your ACL to restrict the ports.

ip access-list extended YOUR_ACL

permit udp [source network/host] range 35000 45000 [destination network/host]

Hope that helps

New Member

Re: NAT question - straightforward?

Wow. Thanks for the quick response!

The issue with 2. is that I want all the OTHER ports to just go through to the inside network - I only want my specific range to be forwarded to that server (Actually, I've got all sorts of ports going to all sorts of internal servers for different purposes - VPN, servers various, etc).

How can I leave other ports alone?

Thanks!

Re: NAT question - straightforward?

With a one-to-one NAT all ports are translated. If you only want 35000-45000 to go to Server1 and ports 1500-9000 to Server2, then you have to create a NAT Port translation for each port! Yup, it sucks but that's they way it is. Is it easier to get more public IP's or create 10,000 NAT translations???

Re: NAT question - straightforward?

Hi,

For the first point of yours i would say i am not so sure of the resoultion may be route maps can help it. Never did.

the second one can be done as below:

interface FastEthernet0/0

ip address x.x.x.x 255.255.255.0

ip nat inside

!

interface FastEthernet0/1

ip address dhcp

ip nat outside

ip nat pool POOL1 x.x.x.x x.x.x.x netmask 255.255.255.0 type rotary

ip nat inside source list 1 interface FastEthernet0/1 overload

ip nat inside destination list TEST pool POOL1

!

ip access-list extended TEST

permit udp any any range 35000 45000

Hope this helps,

Regards,

Pravin

New Member

Re: NAT question - straightforward?

Thanks, Pravin - I can't quite match up your post with my situation, though - please forgive me as I'm a lowly freshly-minted CCNA.

1. I've got TWO external dialer interfaces with static IPs. I've got them both as "nat outside". Do I do the following?

ip nat inside source list 1 interface Dialer0 overload

ip nat inside source list 1 interface Dialer1 overload

I've found in earlier experimentation that I couldn't do this:

ip nat inside source static 10.1.1.220 5060 Dialer0 5060

ip nat inside source static 10.1.1.220 5060 Dialer1 5060

as the second would replace the first.

2. What should list 1 look like?

Thanks a lot for your response!

Re: NAT question - straightforward?

Hi,

did not get this: I've found in earlier experimentation that I couldn't do this:

anyways. I feel the config should be as below and shuld work.

ip route 172.16.1.0 255.255.255.0 Dialer1

ip route 172.16.2.0 255.255.255.0 Dialer2

ip nat inside source list 101 dialer1 overload

ip nat inside source list 102 dialer2 overload

access-list 101 permit ip any 172.16.1.0 0.0.0.255

access-list 102 permit ip any 172.16.2.0 0.0.0.255

refer the link below for more:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

For the first question the router map will help.

ip nat inside source static udp 10.1.1.1 5060 20.20.20.1 5060 route-map Int-Di-1 extendable

ip nat inside source static udp 10.1.1.1 5060 30.1.1.1 5060 route-map Int-Di-2 extendable

!

access-list 101 permit ip 10.1.1.0 0.0.0.255 20.0.0.0 0.255.255.255

access-list 102 permit ip 10.1.1.0 0.0.0.255 30.0.0.0 0.255.255.255

route-map Int-Di-2 permit 10

match ip address 102

set ip next-hop 30.1.1.1

!

route-map Int-Di-1 permit 10

match ip address 101

set ip next-hop 20.20.20.1

Refer the link below:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html

Hope this helps.

regards,

Pravin

New Member

Re: NAT question - straightforward?

Thanks, Pravin, I'll have to go and nut all this out, but I really appreciate the help.

163
Views
15
Helpful
7
Replies