Cisco Support Community

Natting help on cisco 2911

Hi all experts,

We got a new router that's only used for VoIP.

Here I need to do NATting. Can anyone please help me on how to achieve this on a Cisco 2911 router?

Can anyone please show me a sample config for the below requirement?

1. ISP:

outside

LAN IPs:

182.74.152.42

255.255.255.248

gateway: 187.74.152.41

WAN IPs: 182.72.XX.XXX and 182.72.XX.XXY

2. Inside:

subnet: 10.10.45.0/24 -----------------------to be NATted to single public IP 182.72.XX.XXY (here we use only VoIP phones)

Asterisk server: 10.10.45.151 --------------------to be NATted to public IP 182.72.XX.XXX with service running, e.g. UDP 5060, 5085, and only to allow access to 77.XX.XX.0/255.255.255.0 and restrict access to all other IPs from the internet to access the Asterisk server.

As in: 10.10.45.151 <-----should be accessible with the public IP on port 5060 etc. ----------------> 77.XX.XX.0/24, rest all to be denied.

So what's the better way?

I'm really poor at understanding how this has to be done, so I want to clear things up.

How do I proceed with this?

thanks & regards

srikanth

6 REPLIES


Hi Srikanth,

See the simple example config.

interface GigabitEthernet0/0
ip address 182.74.152.42 255.255.255.248
ip nat outside
!
! LAN-facing interface: this is the NAT inside
interface GigabitEthernet0/1
ip address 10.10.45.1 255.255.255.0
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 187.74.152.41

ip nat pool NAT-POOL 182.74.152.43 182.74.152.4. netmask 255.255.255.248
ip nat outside source list MATCH-DST pool NAT-POOL
!
ip access-list extended MATCH-DST
permit ip any 10.10.45.1 0.0.0.255
!
route-map NAT-TO-LO0 permit 10
match ip address MATCH-DST


Let us know if you still need anything more.


Please rate the helpful posts.
Regards,
Naidu.


Hi Srikanth,

You can also check the link below, which explains step by step what is required.
http://www.tech-recipes.com/rx/713/cisco_how_to_configure_nat_network_address_translation/


Please rate the helpful posts.
Regards,
Naidu.


Hi Naidu,

Thanks for the quick reply.

But how about this:

Asterisk server: 10.10.45.151 --------------------to be NATted to public IP 182.72.XX.XXX with service running, e.g. port 22

to be allowed access with only 77.XX.XX.0/255.255.255.0 and restrict access to all other IPs from the internet to

Example:

source: 77.xx.xx.0/24

destination: 182.72.xx.xxx --------public IP of 10.10.14.151 Asterisk server.

port: 22

action: allowed

Restrict all other IPs from accessing this IP from outside.

Thanks


Hi Srikanth,

You can achieve that by applying the route-map to the static NAT statement as in the config below. This is what I have for one of my customers, and it is working perfectly.

ip nat inside source static tcp 10.15.1.10 22 182.72.xx.xxx 22 route-map WAN-OUT extendable


route-map WAN-OUT permit 10
match ip address wanaccess

ip access-list extended wanaccess
permit ip any 77.xx.xx.0 0.0.0.255
deny ip any any


Please rate the helpful posts.
Regards,
Naidu.


Hi,

Thanks for your time.

ip nat pool NAT-POOL 182.74.152.43 182.74.152.4. netmask 255.255.255.248

ip nat outside source list MATCH-DST pool NAT-POOL

ip nat inside source static tcp 10.15.1.10 22 182.72.xx.xxx 22 route-map WAN-OUT extendable (as mentioned above)

1. Can you tell me what exactly the difference is between inside and outside for (ip nat inside/outside source static)?

2. And if I have configured it as in the above 2 updates stated by you, for NATting an Asterisk server to 1 public IP and the inside subnet to 1 public IP,

can I achieve the below requirement?

subnet: 10.10.45.0/24 -----------------------to be NATted to single public IP 182.72.55.57/30 (here we use only VoIP phones)

Asterisk server: 10.10.45.151 --------------------to be NATted to public IP 182.72.55.58/30 with service running, e.g. UDP 5060, 5085, and only to allow access to 77.XX.XX.0/255.255.255.0 and restrict access to all other IPs from the internet to access the Asterisk server.

Thanks for helping me out. Now I have an idea about this NAT, but I need to clarify things prior to implementing it practically by tomorrow.

Thanks, Srikanth


Hi Srikanth,

ip nat outside source list MATCH-DST pool NAT-POOL
It is a dynamic NAT, and the source list can be NATted and talk with the internet with the NAT-POOL 182.74.152.43 182.74.152.4

ip nat inside source static tcp 10.15.1.10 22 182.72.xx.xxx 22 route-map WAN-OUT extendable
It is a static NAT, meaning when it goes to the internet it will go with the specific NATted IP only. It won't fall under the global dynamic NAT.


Asterisk server: 10.10.45.151 --------------------to be NATted to public IP 182.72.55.58/30 with service running, e.g. UDP 5060, 5085, and only to allow access to
  77.XX.XX.0/255.255.255.0 and restrict access to all other IPs from the internet to access the Asterisk server.
For this, what I suggested in my previous post is something like below.


ip nat inside source static udp 10.10.45.151 5060 182.72.55.58 5060 route-map WAN-OUT extendable
ip nat inside source static udp 10.10.45.151 5085 182.72.55.58 5085 route-map WAN-OUT extendable


route-map WAN-OUT permit 10
match ip address wanaccess


ip access-list extended wanaccess
permit ip any 77.xx.xx.0 0.0.0.255
deny ip any any

Please rate the helpful posts.
Regards,
Naidu.
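
An added example, not part of any post in this thread: a small Python model of extended-ACL matching (wildcard mask, first match, implicit deny) that shows which packets the thread's `permit ip any 77.xx.xx.0 0.0.0.255` entry matches and what an inbound rule set for the stated requirement would admit. The addresses 198.51.100.0/24 and 203.0.113.10 are constructed stand-ins for the elided 77.XX.XX.0/24 and 182.72.XX.XXX, and `WAN_IN` is a hypothetical ACL, not one from the thread.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: 1-bits are ignored, 0-bits must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def evaluate(acl, pkt):
    """First matching entry wins; falling off the end is the implicit deny."""
    for action, proto, src, dst, dport in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(pkt["src"], *src) and wildcard_match(pkt["dst"], *dst)):
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        return action
    return "deny"

# Constructed stand-ins for the addresses the thread elides.
ANY = ("0.0.0.0", "255.255.255.255")
TRUSTED = ("198.51.100.0", "0.0.0.255")      # stands in for 77.XX.XX.0/24
SERVER_PUBLIC = ("203.0.113.10", "0.0.0.0")  # stands in for 182.72.XX.XXX
SERVER_INSIDE = "10.10.45.151"

# Entry as written in the thread: source any, destination the trusted /24.
THREAD_ACL = [("permit", "ip", ANY, TRUSTED, None), ("deny", "ip", ANY, ANY, None)]

# Hypothetical inbound filter for the WAN side: source trusted, destination server.
WAN_IN = [
    ("permit", "udp", TRUSTED, SERVER_PUBLIC, 5060),
    ("permit", "udp", TRUSTED, SERVER_PUBLIC, 5085),
    ("deny", "ip", ANY, SERVER_PUBLIC, None),
]

def pkt(src, dst, proto, dport):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}

def run_cases():
    inbound_sip = pkt("198.51.100.7", SERVER_PUBLIC[0], "udp", 5060)
    return {
        "thread_acl_server_to_trusted": evaluate(THREAD_ACL, pkt(SERVER_INSIDE, "198.51.100.7", "udp", 5060)),
        "thread_acl_trusted_to_server": evaluate(THREAD_ACL, inbound_sip),
        "wan_in_trusted_sip": evaluate(WAN_IN, inbound_sip),
        "wan_in_trusted_ssh": evaluate(WAN_IN, pkt("198.51.100.7", SERVER_PUBLIC[0], "tcp", 22)),
        "wan_in_other_sip": evaluate(WAN_IN, pkt("192.0.2.99", SERVER_PUBLIC[0], "udp", 5060)),
    }

if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name}: {verdict}")
```

`WAN_IN` covers only the server's public address; an ACL applied to a real interface also has to admit the return traffic of the translated phones.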
