NATing 2 IP Addresses

cacmk5
Level 1

Hello -

I have a private network behind a Cisco 2611XM router that I want to limit access to only 2 specific IP addresses. Currently I have ACLs set up to do this but I would now like to NAT to those two IPs.

I would like to do this:

outside IP: 10.1.1.2 to Inside IP: 172.0.16.1

Outside IP: 10.1.1.3 to Inside IP: 172.0.16.2

When I try to enable NAT, I lose connectivity completely.

25 Replies

Thanks. I will get back and let you know if this works.

Hello -

I have tried the suggestions you mentioned but no such luck. When I add access-list 102 to the vlan13 int, it lost all connectivity to the systems. Below is my latest config:

interface FastEthernet0/0
 description Connection to Cedar Rapids Corporate Network
 ip address 195.85.24.4 255.255.255.0
 ip access-group 101 in
 ip accounting output-packets
 ip nat inside
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan13
 description Fermenter network
 ip address 10.13.1.1 255.255.0.0
 ip accounting output-packets
 ip nat outside
!
ip nat inside source list CRFementerNAT interface Vlan13 overload
ip nat inside source static tcp 10.13.2.3 3389 195.85.24.9 3389 extendable
ip nat inside source static tcp 10.13.10.5 3389 195.85.24.10 3389 extendable
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 195.85.24.1
ip route 195.85.24.9 255.255.255.255 Vlan13
ip route 195.85.24.10 255.255.255.255 Vlan13
!
ip access-list extended CRFementerNAT
 deny ip 10.13.0.0 0.0.255.255 any
 permit ip 10.0.0.0 0.255.255.255 any
 remark allow new Genencor / Danisco IP range
 permit ip 195.85.0.0 0.0.255.255 any
!
access-list 101 permit 25 any any
access-list 101 permit ip 195.85.24.0 0.0.0.255 host 10.13.2.3
access-list 101 permit ip 195.85.24.0 0.0.0.255 host 10.13.10.5
access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 102 permit tcp host 10.13.2.3 eq 3389 any eq 3389
access-list 102 permit tcp host 10.13.10.5 eq 3389 any eq 3389
!
no cdp run
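Because an IOS extended access list is evaluated top-down with first match and an implicit deny at the end, the order of the entries in access-list 101 above decides what actually reaches the inside hosts. The following Python model is an added example, not code from the thread or from Cisco: it parses the access-list 101 entries exactly as posted, applies IOS wildcard-mask matching, evaluates a few constructed sample packets, and lists the entries that can never be reached because an earlier `permit ip any any` matches first. It reads the `25` in `permit 25 any any` as an IP protocol number, which is how IOS interprets a numeric protocol field in an extended ACL; the packet addresses and ports are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: access-list 101 exactly as posted in the thread
ACL_101 = [
    "access-list 101 permit 25 any any",
    "access-list 101 permit ip 195.85.24.0 0.0.0.255 host 10.13.2.3",
    "access-list 101 permit ip 195.85.24.0 0.0.0.255 host 10.13.10.5",
    "access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255",
    "access-list 101 permit ip any any",
    "access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389",
    "access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389",
]

PORT_NAMES = {"telnet": 23, "smtp": 25, "www": 80}   # IOS port keywords seen in this thread


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp" or an IP protocol number as text
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str
    proto: str
    src: Tuple[str, str]        # (base address, wildcard mask)
    sport: Optional[int]
    dst: Tuple[str, str]
    dport: Optional[int]
    text: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match exactly."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _addr(tokens: List[str], i: int):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _port(tokens: List[str], i: int):
    """Consume an optional 'eq <port|keyword>' qualifier."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(lines: List[str]) -> List[Entry]:
    entries = []
    for line in lines:
        t = line.split()
        if t[0] == "access-list":
            t = t[2:]                       # drop 'access-list <number>'
        if t[0] == "remark":
            continue
        src, i = _addr(t, 2)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        entries.append(Entry(t[0], t[1], src, sport, dst, dport, line))
    return entries


def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match at all is the implicit deny."""
    for idx, e in enumerate(entries):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, *e.src) or not wildcard_match(pkt.dst, *e.dst):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, idx
    return "deny", None


def unreachable_entries(entries: List[Entry]) -> List[str]:
    """Everything after a 'permit/deny ip any any' entry is dead configuration."""
    for idx, e in enumerate(entries):
        if e.proto == "ip" and e.src[1] == "255.255.255.255" and e.dst[1] == "255.255.255.255":
            return [x.text for x in entries[idx + 1:]]
    return []


if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    for p in (Packet("195.85.24.50", "10.13.2.3", "tcp", 40000, 3389),
              Packet("195.85.24.50", "10.13.5.5", "tcp", 40000, 3389),
              Packet("8.8.8.8", "10.13.5.5", "tcp", 40000, 3389)):
        print(p.src, "->", p.dst, evaluate(acl, p))
    print("unreachable:", unreachable_entries(acl))
```

Running it shows that the deny line only covers sources in 195.85.0.0/16; a source outside that range falls through to `permit ip any any`, and the two `eq 3389` entries placed after it are never consulted. Checking an ACL this way before applying it with `ip access-group` separates ordering mistakes from NAT problems, which is the same separation the next reply suggests.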

I have a very similar setup where I have static mapped NAT with mapped ports to a specific service behind my firewall. The only difference that I see between your setup and mine, besides the completely different access lists, is that your static NAT entries are backwards. I know it seems like they should be the way they are, but they shouldn't. For hosts on outside networks to reach your 195.85.24 network, you want to do:

ip nat inside source static tcp 195.85.24.9 3389 10.13.2.3 3389
ip nat inside source static tcp 195.85.24.10 3389 10.13.10.5 3389

You shouldn't use the "extendable" keyword. The way I understand it, that's only used if you were going to have multiple global addresses all translate to a single local address or vice versa--to allow arbitrary resolution to multiple hosts.

Also, just to differentiate between issues with NAT and ACLs, remove your access-group statements temporarily and just get the NAT and PAT working.

Well -

I have tried the suggestions but when I take out the ACL and add your statements, I am unable to access the 2 IPs from the 195.x net or the 10.x net.


Hi

I may have misunderstood something, and am a little confused about what you mean. You say in your first post "I want to limit access to only 2 specific IP addresses." Does this mean these two addresses belong to two servers? If so, you can't at the same time NAT to these addresses. Then you get an IP conflict. You have to NAT to addresses that are not used.

The access-list should be changed to this one, which permits ip to 2 hosts:

access-list 101 permit tcp any host 195.85.24.4 eq telnet
access-list 101 permit ip 195.85.24.0 0.0.0.255 host 10.13.2.3
access-list 101 permit ip 195.85.24.0 0.0.0.255 host 10.13.10.5
access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any

or to this one, which permits tcp 3389 to two hosts:

access-list 101 permit tcp any host 195.85.24.4 eq telnet
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any

/Mikael

Hello Mikael -

With the ACLs, I have been able to limit access to the two servers. I was hoping to use two outside IPs to access the two inside servers, but this is not the case with static NAT. I do appreciate all the help on this.

Maybe a less configuration-based question may be best.

My impression reading this and from the partial configurations is:

A user, say at 195.85.?.100, needs to get to server 10.13.2.3 using port 3389.

From the 195.85 net you cannot route the 10.13 net, so you need to have the 10.13.2.3 address represented by 195.85.24.9.

From the 10.13.2.3 machine it cannot see the 195.85 network, so you want all traffic to appear to come from 10.13.1.1.

So when the user sends the packet it looks like

source 195.85.?.100 3389 dest 195.85.24.9 3389

When the server receives the packet you want

source 10.13.1.1 3389 dest 10.13.2.3 3389

If this is what you want, your issue with the NAT is that you are translating both the source and destination addresses.

The NAT pool you currently have will work correctly to do the 195.85.?.? to 10.13.1.1, but to modify the destination you must use an ip nat outside command.

Or am I reading this all wrong?

No I am trying to do what you are saying. I want users in the 195.x to connect via 195.85.24.9 to 10.13.2.3 address and 195.85.24.10 to 10.13.10.5. Right now I have the ACL in place to restrict access to only the two 10.x IPs. So access right now works when you use the 10.x IPs.

Hi

I think there is something unclear here. The access-list is permitting traffic from 195.85.24.0/24 to host 10.13.2.3 and 10.13.10.5. That must be wrong, because those are the addresses that are used for NAT. It should be like this:

access-list 101 permit tcp any host 195.85.24.4 eq telnet
access-list 101 permit tcp host 195.85.24.9 10.13.2.3 0.0.255.255 eq 3389
access-list 101 permit tcp host 195.85.24.10 10.13.10.5 0.0.255.255 eq 3389
access-list 101 permit tcp host 195.85.24.9 eq 3389 10.13.2.3 0.0.255.255
access-list 101 permit tcp host 195.85.24.10 eq 3389 10.13.10.5 0.0.255.255
access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any

ip nat inside source static 195.85.24.9 10.13.2.3
ip nat inside source static 195.85.24.10 10.13.10.5

This way, if a source from outside, for example 10.13.1.100, connects to 10.13.2.3,
it will show up on outside as source 10.13.1.100 destination 10.13.2.3,
on inside it will be source 10.13.1.100 destination 195.85.24.9,
the return traffic on inside will be source 195.85.24.9 destination 10.13.1.100,
and on outside, source 10.13.2.3 destination 10.13.1.100.

/Mikael

Forget this post. I was too slow typing; Tim was quicker.

I set this up in my lab and these are the configurations I used. R4 is used to simulate your local machine and I use a source of 195.85.100.100.

R5 represents the nat router

r6 is used as a target.

I use telnet here rather than 3389 since I don't have pc's in the lab.

R4

interface Loopback0
 ip address 195.85.100.100 255.255.255.255
!
interface FastEthernet0/0
 ip address 195.85.24.1 255.255.255.0

R5

!
interface FastEthernet0/0
 ip address 195.85.24.4 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 10.13.1.1 255.255.0.0
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 195.85.24.1
ip route 195.85.24.9 255.255.255.255 FastEthernet0/1
!
ip nat inside source list CRF interface FastEthernet0/1 overload
ip nat outside source static tcp 10.13.2.3 23 195.85.24.9 23 extendable
!
ip access-list extended CRF
 permit ip 195.85.0.0 0.0.255.255 any

R6

interface FastEthernet0/1
 ip address 10.13.2.3 255.255.0.0
 duplex auto

+++++++++++++++

r4#telnet 195.85.24.9 /source-interface lo0
Trying 195.85.24.9 ... Open

Password required, but none set

[Connection to 195.85.24.9 closed by foreign host]
r4#

r5#sh ip nat translations
Pro Inside global       Inside local            Outside local        Outside global
tcp ---                 ---                     195.85.24.9:23       10.13.2.3:23
tcp 10.13.1.1:11179     195.85.100.100:11179    195.85.24.9:23       10.13.2.3:23

+++++++++++++++

So after all this it works, sorta. You will notice the source port is 11179, but let's assume I could force this to be 3389.

Now the global and local only match because no one else was using 11179. If the port is in use, it will make up a new port for the inside global.

I can't see how you are going to keep the ports for all the different sessions at 3389 when you use overload.

Only one session can use 3389 at a time. You will need to have a pool of addresses for the outside port.
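The lab output above shows the two translations R5 applies to one packet, and the last paragraphs explain why overload can keep a client's source port only while nobody else holds it. The following Python model is an added example, not the thread's or Cisco's code, and a deliberately simplified version of the IOS translation order: it applies R5's two statements, `ip nat inside source list CRF interface FastEthernet0/1 overload` and `ip nat outside source static tcp 10.13.2.3 23 195.85.24.9 23`, first to the lab packet from 195.85.100.100:11179 and then to two constructed clients that both use source port 3389, so that the second one is moved to another port. Using 1024 as the first fallback port is an assumption of the model, not IOS behaviour.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]          # (IPv4 address, TCP port)


@dataclass
class PatRouter:
    """Simplified model of R5: inside-source overload plus one outside-source static entry."""
    inside_global_ip: str                        # address of the 'ip nat outside' interface (10.13.1.1)
    outside_static: Dict[Endpoint, Endpoint]     # outside local -> outside global
    next_port: int = 1024                        # assumption: first fallback port when the original is taken
    inside_map: Dict[Endpoint, Endpoint] = field(default_factory=dict)    # inside local -> inside global
    reverse_map: Dict[Endpoint, Endpoint] = field(default_factory=dict)   # inside global -> inside local
    sessions: List[Tuple[Endpoint, Endpoint, Endpoint, Endpoint]] = field(default_factory=list)

    def _allocate(self, inside_local: Endpoint) -> Endpoint:
        """Overload (PAT): keep the client's source port if it is free, else pick a new one."""
        candidate = (self.inside_global_ip, inside_local[1])
        while candidate in self.reverse_map:
            candidate = (self.inside_global_ip, self.next_port)
            self.next_port += 1
        self.inside_map[inside_local] = candidate
        self.reverse_map[candidate] = inside_local
        return candidate

    def inside_to_outside(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Packet arriving on the 'ip nat inside' interface, i.e. from the 195.85 side."""
        new_dst = self.outside_static.get(dst, dst)              # 195.85.24.9:23 -> 10.13.2.3:23
        new_src = self.inside_map.get(src) or self._allocate(src)
        row = (src, new_src, dst, new_dst)
        if row not in self.sessions:
            self.sessions.append(row)
        return new_src, new_dst

    def outside_to_inside(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Return packet arriving on the 'ip nat outside' interface, i.e. from the 10.13 side."""
        to_local = {g: l for l, g in self.outside_static.items()}
        new_src = to_local.get(src, src)                          # 10.13.2.3:23 -> 195.85.24.9:23
        new_dst = self.reverse_map.get(dst, dst)                  # 10.13.1.1:port -> original client
        return new_src, new_dst

    def translations(self) -> List[str]:
        """Rows in the style of 'show ip nat translations' (header plus one row per entry)."""
        fmt = lambda ep: f"{ep[0]}:{ep[1]}"
        rows = ["Pro Inside global       Inside local            Outside local        Outside global"]
        for ol, og in self.outside_static.items():
            rows.append(f"tcp {'---':<20}{'---':<24}{fmt(ol):<21}{fmt(og)}")
        for il, ig, ol, og in self.sessions:
            rows.append(f"tcp {fmt(ig):<20}{fmt(il):<24}{fmt(ol):<21}{fmt(og)}")
        return rows


if __name__ == "__main__":
    r5 = PatRouter("10.13.1.1", {("195.85.24.9", 23): ("10.13.2.3", 23)})
    # the lab packet: r4 telnets from 195.85.100.100:11179 to 195.85.24.9:23
    print(r5.inside_to_outside(("195.85.100.100", 11179), ("195.85.24.9", 23)))
    print(r5.outside_to_inside(("10.13.2.3", 23), ("10.13.1.1", 11179)))
    # two constructed clients that both insist on source port 3389: only one can keep it
    print(r5.inside_to_outside(("195.85.24.50", 3389), ("195.85.24.9", 23)))
    print(r5.inside_to_outside(("195.85.24.51", 3389), ("195.85.24.9", 23)))
    print("\n".join(r5.translations()))
```

The second 3389 client is rewritten to 10.13.1.1:1024 in this model, which is the port collision the reply describes: with a single overloaded address, the inside global port is unique per session and cannot be pinned to 3389 for more than one of them, so a pool of addresses is what allows several clients to keep the same port.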
