

Nat rule - access list

Help,

My NAT rule doesn't work properly; I'm not sure if I'm using the correct commands.

I would like to forward port 5900 from any host externally to an internal server running VNC. Here are my NAT rules and access lists; can someone help?

ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source list 102 interface Dialer0 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit tcp any host 192.168.0.2 eq 5900
access-list 102 permit tcp any host 192.168.0.5 eq 2000
access-list 102 permit udp any host 192.168.0.5 eq 2000
access-list 102 permit tcp any host 192.168.0.5 eq 2002
access-list 102 permit udp any host 192.168.0.5 eq 2002
access-list 102 permit tcp any host 192.168.0.5 eq 2003
access-list 102 permit udp any host 192.168.0.5 eq 2003
access-list 102 permit tcp any host 192.168.0.5 eq 2006
access-list 102 permit udp any host 192.168.0.5 eq 2006
access-list 102 permit tcp any host 192.168.0.5 eq 3001
access-list 102 permit udp any host 192.168.0.5 eq 3001
access-list 103 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255

6 REPLIES

Re: Nat rule - access list

Try this static NAT configuration and test your VNC connection from outside.

ip nat inside source static tcp 192.168.0.2 5900 interface Dialer0 5900


Re: Nat rule - access list

Thanks. Would I do the same for all other ports, i.e. create an ip nat inside source static entry for every TCP/UDP port that needs forwarding to 192.168.0.5, as listed in the access list? Would all other incoming traffic be denied?

Re: Nat rule - access list

For port-level forwarding of traffic to other hosts, use the same static NAT method. If there is no match, traffic from outside is dropped. For your inside users to reach the outside, configure PAT on the dialer interface with the overload option.

HTH

Sundar


Re: Nat rule - access list

I've configured this, however it's not working properly; it's as if the ports aren't being forwarded. Here's the config:

ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static udp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static tcp 192.168.0.5 2002 interface Dialer0 2002
ip nat inside source static udp 192.168.0.5 2002 interface Dialer0 2002
ip nat inside source static tcp 192.168.0.5 2003 interface Dialer0 2003
ip nat inside source static udp 192.168.0.5 2003 interface Dialer0 2003
ip nat inside source static tcp 192.168.0.5 2006 interface Dialer0 2006
ip nat inside source static udp 192.168.0.5 2006 interface Dialer0 2006
ip nat inside source static tcp 192.168.0.5 3001 interface Dialer0 3001
ip nat inside source static udp 192.168.0.5 3001 interface Dialer0 3001
ip nat inside source static tcp 192.168.0.5 5900 interface Dialer0 5900
ip nat inside source list 2 interface Dialer0 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 10.0.5.0 0.0.0.255
access-list 101 permit tcp any host 192.168.0.5 eq 5900
access-list 103 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 104 permit tcp any host 192.168.0.5 eq 2000
access-list 104 permit udp any host 192.168.0.5 eq 2000
access-list 105 permit tcp any host 192.168.0.5 eq 2002
access-list 105 permit udp any host 192.168.0.5 eq 2002
access-list 106 permit udp any host 192.168.0.5 eq 2003
access-list 106 permit tcp any host 192.168.0.5 eq 2003
access-list 107 permit tcp any host 192.168.0.5 eq 2006
access-list 107 permit udp any host 192.168.0.5 eq 2006
access-list 108 permit udp any host 192.168.0.5 eq 3001
access-list 108 permit tcp any host 192.168.0.5 eq 3001

Any ideas?


Re: Nat rule - access list

Can you overload using a source list whose network overlaps your static NAT?


Re: Nat rule - access list

Thanks. How do I do that? Not sure.
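The thread leaves two things unchecked: Sundar's point that an outside-initiated flow with no static match is simply not forwarded, and the last question about whether the overload source lists overlapping 192.168.0.5 interfere with the static entries. The script below is an added example written for this page, not the poster's code and not a Cisco tool. It lints an excerpt of the second posted configuration (embedded as CONFIG so it runs offline) and simulates where an inbound connection to Dialer0 lands. Its matching model is an assumption about IOS order of operations, stated in the code: a static port translation is looked up before any `ip nat inside source list ... overload` rule, and overload rules create translations only for inside-initiated flows. Verify on the router itself with `show ip nat translations` and `debug ip nat`.

```python
"""Lint and simulate the IOS NAT/ACL snippet posted in this thread.

Added example for this page; not the poster's code and not a Cisco tool.
CONFIG is an excerpt of the second configuration posted above. The matching
model is an ASSUMPTION about IOS order of operations: static (port) maps are
consulted before 'ip nat inside source list ... overload', and overload rules
only create translations for inside-initiated flows.
"""
import re
from dataclasses import dataclass

CONFIG = """\
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static udp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static tcp 192.168.0.5 5900 interface Dialer0 5900
ip nat inside source list 2 interface Dialer0 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 10.0.5.0 0.0.0.255
access-list 101 permit tcp any host 192.168.0.5 eq 5900
access-list 103 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 104 permit tcp any host 192.168.0.5 eq 2000
access-list 104 permit udp any host 192.168.0.5 eq 2000
"""

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")
OVERLOAD_RE = re.compile(r"^ip nat inside source list (\S+) interface (\S+) overload$")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (.*)$")
IFACE_RE = re.compile(r"^interface (\S+)$")


@dataclass(frozen=True)
class StaticMap:
    proto: str
    inside_ip: str
    inside_port: int
    outside_if: str
    outside_port: int


def parse(config):
    """Split the snippet into static maps, overload source lists and ACLs."""
    statics, overload_lists, acls = [], [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            proto, ip, iport, ifc, oport = m.groups()
            statics.append(StaticMap(proto, ip, int(iport), ifc, int(oport)))
        elif m := OVERLOAD_RE.match(line):
            overload_lists.append(m.group(1))
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(f"{m.group(2)} {m.group(3)}")
    return statics, overload_lists, acls


def unreferenced_acls(config):
    """ACLs defined in the snippet that no NAT statement in it references.

    They may be applied elsewhere (access-group, crypto map), but for NAT they
    do nothing: 'permit tcp any host 192.168.0.5 eq 5900' in list 101 forwards
    nothing while no 'ip nat' line names list 101.
    """
    _, lists, acls = parse(config)
    return sorted(set(acls) - set(lists), key=int)


def nat_interfaces(config):
    """Interfaces marked 'ip nat inside' / 'ip nat outside' in the snippet.

    No static map or overload rule works until the LAN interface is marked
    inside and Dialer0 outside; the posted snippet shows no interface stanzas.
    """
    inside, outside, current = [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            current = m.group(1)
        elif line == "ip nat inside" and current:
            inside.append(current)
        elif line == "ip nat outside" and current:
            outside.append(current)
    return inside, outside


def inbound_lookup(config, proto, outside_if, dst_port):
    """Inside (ip, port) that a new outside-initiated flow to
    outside_if:dst_port reaches, or None when no translation exists (the
    packet is then for the router itself and is not forwarded).

    Assumed model: only static port maps matter here; the overload lists are
    irrelevant to outside-initiated traffic even when their networks overlap
    the statically mapped host.
    """
    statics, _, _ = parse(config)
    for s in statics:
        if (s.proto, s.outside_if, s.outside_port) == (proto, outside_if, dst_port):
            return (s.inside_ip, s.inside_port)
    return None


if __name__ == "__main__":
    print("ACLs unused by NAT:", unreferenced_acls(CONFIG))
    print("ip nat inside/outside interfaces:", nat_interfaces(CONFIG))
    for proto, port in (("tcp", 5900), ("udp", 5900), ("tcp", 2000), ("tcp", 2001)):
        print(f"Dialer0:{port}/{proto} ->", inbound_lookup(CONFIG, proto, "Dialer0", port))
```

Two practitioner caveats follow from the output. First, ACLs 101 and 103 onward are not referenced by any NAT line in the snippet, so they contribute nothing to forwarding; the static entries alone decide what comes in. Second, a static port map answers for any source address on the internet. If VNC on 5900 should only be reachable from known hosts, that restriction has to come from an inbound access list applied to Dialer0, not from the NAT configuration.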
