topic Re: nat issue to block in Network Security

nat issue to block

angembaki2002 — Sun, 18 Jun 2023 23:03:09 GMT

please sir
can someone help me to solve this problem please
I have a 2900 series rotator so I have voice traffic which comes from the public ip 197.231.xxx.xxx which must arrive at its destination on a local server 192.168.30.21 but the local server's firewalls block the traffic
I would like to block the 80 from the ip 197.231.xxx.xxx and send it back by the private ip 192.168.30.21:5060 but the nat that I am using is blocking my router
here is the conig that I made if you can give me a correction please

interface GigabitEthernet0/0
ip address 197.231.xxx.xxx 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.30.10 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
no ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat source static 197.231.xxx.xxx 255.255.255.252
ip nat inside source static 192.168.30.10 255.255.255.0
ip nat outside source static 197.231.xxx.xxx 255.255.255.252
ip route 0.0.0.0 0.0.0.0 197.231.xxx.xxx

Re: nat issue to block

Flavio Miranda — Sun, 18 Jun 2023 23:48:26 GMT

I might say this is confuse.

"can someone help me to solve this problem please
I have a 2900 series rotator so I have voice traffic which comes from the public ip 197.231.xxx.xxx which must arrive at its destination on a local server 192.168.30.21 but the local server's firewalls block the traffic"

The server´s firewall is blocking the traffic intentionally or this is a misconfiguration? dont follow you here.

"I would like to block the 80 from the ip 197.231.xxx.xxx and send it back by the private ip 192.168.30.21:5060 but the nat that I am using is blocking my router"

Are you saying here that you dont want the server to be open to the internet on port 80?

Port 5060 is SIP port and if this is a VOIP server, that port need to ne open.

NAT have no hability to block. You need to be more clear on this point.

"here is the conig that I made if you can give me a correction please"

ip nat source static 197.231.xxx.xxx 255.255.255.252
ip nat inside source static 192.168.30.10 255.255.255.0
ip nat outside source static 197.231.xxx.xxx 255.255.255.252

Those NAT statement is wrong. The NAT should be like this

ip nat inside source static <first IP address> <second IP address> I never saw the usage of subnet mask on this command.

If what you are trying to achieve is PAT, you can do like this

ip nat outside source static tcp 197.231.xxx.xxx 5060 192.168.30.10 5060

Re: nat issue to block

angembaki2002 — Mon, 19 Jun 2023 06:49:45 GMT

hello flavio i mean that traffic from 197.230.xxx.xxx:80 must go to 192.168.:5060 because my server is blocking port 80
clearly my local server should not detect the public port 80