01-25-2012 07:54 AM - edited 03-04-2019 03:01 PM
I need to permit the connection from outside to inside in a 2911 Cisco router, only from a Public IP Address (suppose 1.1.1.1) to some local private IPs.
I have one question:
Using the command:
ip nat inside source static tcp <local ip> <port> <global ip> <port>
Can the "global IP" be the Public IP from where the connection starts (in this case 1.1.1.1), or must it be the Public IP assigned to the Router interface connected to the Public Network?
Thanks
01-25-2012 07:58 AM
The Global IP is for the front of the router; the access list applied to the interface would be what should be applied to secure the communications.
01-25-2012 08:15 AM
Thanks for your quick reply.
Could you or anybody recommend any document regarding the NAT and access list?
Thanks
01-25-2012 08:23 AM
Hi,
This should help you to get started
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml
HTH
Alex
Please rate useful posts
01-25-2012 08:28 AM
Thanks!
01-27-2012 12:43 AM
Hi,
The document recommended is good, but I would need a document that shows how to configure an access list to get from the internet to the private network, also using NAT to redirect TCP traffic using ports. The NAT configuration would be like this:
ip nat inside source static tcp 1.1.1.1 5900 192.168.1.10 5900
Thanks
01-27-2012 12:56 AM
Hi,
You don't need any ACL for the static NAT or static PAT to work, because this is a router, not a firewall. You can, however, configure an ACL inbound on the public side permitting only the traffic you desire, but don't forget return traffic for inside-to-outside communication. So the best option security-wise would be to configure a stateful IOS firewall with CBAC or the newer ZBF.
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
Regards.
Alain
01-27-2012 01:01 AM
Thanks for the quick reply, but my idea is not to configure the firewall. What is required is only to give access to one public address to one private address, so that is what I would like to do.
Thanks
01-25-2012 10:59 AM
If your ISP assigns to you 1.1.1.1, that's the IP you have to use as the global address (Source) to destination (example: 192.168.1.12).
---
Posted by WebUser Julio C. Padilla