Static NAT help

marianares0001
Level 1

I need to permit the connection from outside to inside in a 2911 Cisco router, only from a Public IP Address (suppose 1.1.1.1) to some local private IPs.

I have one question:

Using the command:

ip nat inside source static tcp <local ip> <port> <global ip> <port>

Can the "global IP" be the Public IP from where the connection starts (in this case 1.1.1.1), or must it be the Public IP assigned to the Router interface connected to the Public Network?

Thanks

davidjknapp
Level 1

The Global IP is for the front of the router; the access list applied to the interface would be what should be applied to secure the communications.

Thanks for your quick reply.

Could you or anybody recommend any document regarding the NAT and access list?

Thanks

Hi,

This should help you to get started

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml

HTH

Alex

Please rate useful posts

Regards, Alex. Please rate useful posts.

Thanks!

Hi,

The document recommended is good, but I would need a document that shows how to configure an access list to get from the internet to the private network, also using NAT to redirect TCP traffic using ports. The NAT configuration would be like this:

ip nat inside source static tcp 1.1.1.1  5900 192.168.1.10 5900

Thanks

Hi,

You don't need any ACL for the static NAT or static PAT to work, because this is a router, not a firewall, but you can configure either an ACL inbound on the public side only permitting the traffic you desire (but don't forget return traffic for inside-to-outside communication), so the best option security-wise would be to configure the stateful IOS firewall with CBAC or the newer ZBF.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

Regards.

Alain

Don't forget to rate helpful posts.

Thanks for the quick reply, but my idea is not to configure the firewall. What is required is only to give access to one public address to one private address, so that is what I would like to do.

Thanks

fb_webuser
Level 6

If your ISP assigns to you 1.1.1.1, that's the IP you have to use as the global address (Source) to destination (example: 192.168.1.12).

---

Posted by WebUser Julio C. Padilla
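
Added example, not part of the original thread or any poster's configuration: the static PAT entry using the syntax from the question, combined with the inbound ACL suggested in the replies, so that only 1.1.1.1 can reach 192.168.1.10 on TCP 5900. The router's public address 203.0.113.2, the interface names, the inside gateway address 192.168.1.1 and the ACL name OUTSIDE-IN are assumptions made for illustration.

```cisco
! Assumed values (not from the thread): 203.0.113.2 is the router's own
! public address, Gi0/0 faces the Internet, Gi0/1 faces the LAN.
interface GigabitEthernet0/0
 description Outside (public network)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet0/1
 description Inside (private LAN)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Static PAT: <local ip> <port> first, then <global ip> <port>.
! The global IP is the router's public address, not the remote client's.
ip nat inside source static tcp 192.168.1.10 5900 203.0.113.2 5900
!
! The inbound ACL on the outside interface is evaluated before NAT
! translates the destination, so it matches the global address.
ip access-list extended OUTSIDE-IN
 ! Only the one permitted remote host may reach the forwarded port.
 permit tcp host 1.1.1.1 host 203.0.113.2 eq 5900
 ! Stateless allowance for TCP replies to sessions opened from inside.
 ! Non-TCP return traffic (for example DNS over UDP) needs its own
 ! entries, or a stateful firewall (CBAC or ZBF) in place of this line.
 permit tcp any any established
 ! Explicit deny with logging so blocked attempts are visible.
 deny ip any any log
```

`show ip nat translations` and `show ip access-lists OUTSIDE-IN` show the static entry and the per-line hit counters, which confirm that only the permitted source is matching.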
