topic How to create a nat from outside to inside and using services in Network Security

How to create a nat from outside to inside and using services

Julio E. Moisa — Tue, 12 Mar 2019 00:26:52 GMT

Hello,

Do you know how to create a static nat from outside to inside and using services, this is a firewall 5545x

Thanks

How to create a nat from outside to inside and using services

Julio Carvajal — Fri, 23 Nov 2012 00:46:06 GMT

Hello Eduardo,

Do you want to translate an inside user to an outside ip using services or do you want to translate a specific outside user on an specific port to an inside ip on a specific service??

Hope I was clear

How to create a nat from outside to inside and using services

Julio E. Moisa — Mon, 26 Nov 2012 03:30:39 GMT

Hi JCarvaja,

Thanks for your response, actually i would like to translate an outside public IP to a specific inside ip address and using a X port.

It was very easy on the previous IOS 8.2 but currently Im working with IOS 8.6.

Please help me

Thank you

How to create a nat from outside to inside and using services

Sirajhussain — Mon, 26 Nov 2012 06:15:43 GMT

Hi,

Can you paste your NAT configuration? I understand that you want to translate - private ip to public ip (static nat).

For example your private ip is - 10.10.10.10 and public ip is: 100.100.100.100

then try this:

static (inside,outside) 100.100.100.100 10.10.10.10 netmask 255.255.255.255

Hope it will help you..!!

Thanks

Siraj

How to create a nat from outside to inside and using services

Muhammad Thanveer — Mon, 26 Nov 2012 06:58:47 GMT

Hello Eduardomoi,

There are some basic configurations you need to do.

Here in the example a public ip 117.1.1.1 is natted to private ip 192.168.5.6 wih some services

Natting the public ip with private ip

static (inside,outside) 117.1.1.1 192.168.5.6 netmask 255.255.255.255

U need to understand which ports u need to allow, are they TCP or UDP or both?.

Here in the below example both TCP and UDP are allowed.

Create an object group for TCP and UDP

object-group protocol TCPUDP
protocol-object udp
protocol-object tcp

Allow the service as per the requirement with the help of access lists and note that source can be any u can modify as per the requirement of urs.

In the below example port ranges in between 12000 and 29999 are allowed

access-list acl_out extended permit object-group TCPUDP any host 117.1.1.1 range 12000 29999

port ranges in between 8000 and 9000 are allowed

access-list acl_out extended permit object-group TCPUDP any host 117.1.1.1 range 8000 9000

port for specific service called sip is allowed

access-list acl_out extended permit udp any host 117.1.1.1 eq sip

port for specific service called sip with port number 5060 is allowed

access-list acl_out extended permit udp any host 117.1.1.1 eq 5060

Please dont forget to rate the helpful posts and if u feel the answer is correct please do the query answered.

Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."

How to create a nat from outside to inside and using services

Riyasat Ali — Mon, 26 Nov 2012 11:06:54 GMT

I would like to add since it is 5545-x which works on 8.6 and 9.x IOS so nat commands are different on this , below is what can help you:-

object network 10.0.0.10 (external ip)

host 10.0.0.10

object network 192.168.25.10 (internal ip)

host 192.168.25.10

nat (outside,inside) source static 10.0.0.10 10.0.0.10 destination static 192.168.25.10 192.168.25.10

How to create a nat from outside to inside and using services

Julio E. Moisa — Mon, 26 Nov 2012 14:10:39 GMT

Hi Riyasat Ali,

Thank you for your prompt response, actually my conf is like the following but currently is not working the static nat from outside to inside

nat (inside,provider1) source dynamic INSIDEGROUP interface

nat (inside,provider2) source dynamic INSIDEGROUP interface

nat (provider1,inside) source static 10.0.0.10 10.0.0.10 destination static 192.168.25.10 192.168.25.10

I ran the sh nat command but there are no hits for it

How to create a nat from outside to inside and using services

Riyasat Ali — Mon, 26 Nov 2012 14:19:39 GMT

do u see any hit count on outside access-list for this traffic( as you need access-list since traffic is initiating from outside zone) , if not , then provide me the access list what u have , source ip from whr u initiating the traffic , destination ip and translated ip .

and also try to change the sequence of this nat as following :-

nat (provider1,inside) 1 source static 10.0.0.10 10.0.0.10 destination static 192.168.25.10 192.168.25.10

How to create a nat from outside to inside and using services

Julio E. Moisa — Mon, 26 Nov 2012 17:08:35 GMT

Thanks, the ACL is:

access-list OUTSIDE extended permit ip any host 10.0.0.10

How to create a nat from outside to inside and using services

Julio E. Moisa — Tue, 27 Nov 2012 07:07:03 GMT

I changed the sequence and it is not working