cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


1374
Views
0
Helpful
5
Replies
Highlighted
Beginner

Need help setting up static NAT to internal server

One of my internal servers requires it to be available to the internet I am having a hard time allowing it to be NATed through my Ciscc 2801 router. It seems as though im missing something small. From what I can gather it seems as though its as issue with ACL, but im not sure. I have ran the following command: ip nat inside source static tcp 192.168.5.1 ***WAN IP Address*** 8443 extendable Then I tried to add it to the ACL

via this command: access-list 150 permit tcp any host ***WAN IP Address*** eq 8443

Here is a copy of my config. Please advise. Thanks.

IP    172.19.3.x

sub 255.255.255.128

GW 172.19.3.129

Ciscso 2801 Router

Current configuration : 11858 bytes

!

version 12.4

service timestamps debug datetime localtime

service timestamps log datetime localtime show-timezone

service password-encryption

!

hostname router-2801

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

logging buffered 4096

!

aaa new-model

!

!

aaa authentication login userauthen group radius local

aaa authorization network groupauthor local

!

!

aaa session-id common

clock timezone est -5

clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00

dot11 syslog

ip source-route

!

!

ip dhcp excluded-address 172.19.3.129 172.19.3.149

ip dhcp excluded-address 172.19.10.1 172.19.10.253

ip dhcp excluded-address 172.19.3.140

ip dhcp ping timeout 900

!

ip dhcp pool DHCP

   network 172.19.3.128 255.255.255.128

   default-router 172.19.3.129

   domain-name domain.local

   netbios-name-server 172.19.3.7

   option 66 ascii 172.19.3.225

   dns-server 172.19.3.140 208.67.220.220 208.67.222.222

!

ip dhcp pool VoiceDHCP

   network 172.19.10.0 255.255.255.0

   default-router 172.19.10.1

   dns-server 208.67.220.220 8.8.8.8

   option 66 ascii 172.19.10.2

   lease 2

!

!

ip cef

ip inspect name SDM_LOW cuseeme

ip inspect name SDM_LOW dns

ip inspect name SDM_LOW ftp

ip inspect name SDM_LOW h323

ip inspect name SDM_LOW https

ip inspect name SDM_LOW icmp

ip inspect name SDM_LOW imap

ip inspect name SDM_LOW pop3

ip inspect name SDM_LOW netshow

ip inspect name SDM_LOW rcmd

ip inspect name SDM_LOW realaudio

ip inspect name SDM_LOW rtsp

ip inspect name SDM_LOW esmtp

ip inspect name SDM_LOW sqlnet

ip inspect name SDM_LOW streamworks

ip inspect name SDM_LOW tftp

ip inspect name SDM_LOW tcp

ip inspect name SDM_LOW udp

ip inspect name SDM_LOW vdolive

no ip domain lookup

ip domain name domain.local

!

multilink bundle-name authenticated

!

!

!

key chain key1

key 1

   key-string 7 06040033484B1B484557

!

crypto pki trustpoint TP-self-signed-3448656681

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3448bb6681

revocation-check none

rsakeypair TP-self-signed-344bbb56681

!

!

crypto pki certificate chain TP-self-signed-3448656681

certificate self-signed 01

  3082024F

            quit

!

!

username admin privilege 15 password 7 F55

archive

log config

  hidekeys

!

!

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key XXXXX address 209.118.0.1

crypto isakmp key xxxxx address SITE B Public IP

crypto isakmp keepalive 40 5

crypto isakmp nat keepalive 20

!

crypto isakmp client configuration group IISVPN

key 1nsur3m3

dns 172.19.3.140

wins 172.19.3.140

domain domain.local

pool VPN_Pool

acl 198

crypto isakmp profile IISVPNClient

   description VPN clients profile

   match identity group IISVPN

   client authentication list userauthen

   isakmp authorization list groupauthor

   client configuration address respond

!

!

crypto ipsec transform-set myset esp-3des esp-md5-hmac

!

crypto dynamic-map Dynamic 5

set transform-set myset

set isakmp-profile IISVPNClient

qos pre-classify

!

!

crypto map VPN 10 ipsec-isakmp

set peer 209.118.0.1

set peer SITE B Public IP

set transform-set myset

match address 101

qos pre-classify

crypto map VPN 65535 ipsec-isakmp dynamic Dynamic

!

!

!

!

track 123 ip sla 1 reachability

delay down 15 up 10

!

class-map match-any VoiceTraffic

match protocol rtp audio

match protocol h323

match protocol rtcp

match access-group name VOIP

match protocol sip

class-map match-any RDP

match access-group 199

!

!

policy-map QOS

class VoiceTraffic

    bandwidth 512

class RDP

    bandwidth 768

policy-map MainQOS

class class-default

    shape average 1500000

  service-policy QOS

!

!

!

!

interface FastEthernet0/0

description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$

ip address 172.19.3.129 255.255.255.128

ip access-group 100 in

ip inspect SDM_LOW in

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/0.10

description $ETH-VoiceVLAN$$

encapsulation dot1Q 10

ip address 172.19.10.1 255.255.255.0

ip inspect SDM_LOW in

ip nat inside

ip virtual-reassembly

!

interface FastEthernet0/1

description "Comcast"

ip address PUB IP 255.255.255.248

ip access-group 102 in

ip inspect SDM_LOW out

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map VPN

!

interface Serial0/1/0

description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"

bandwidth 1536

no ip address

encapsulation frame-relay IETF

frame-relay lmi-type ansi

!

interface Serial0/1/0.1 point-to-point

bandwidth 1536

ip address 152.000.000.18 255.255.255.252

ip access-group 102 in

ip verify unicast reverse-path

ip inspect SDM_LOW out

ip nat outside

ip virtual-reassembly

frame-relay interface-dlci 500 IETF

crypto map VPN

service-policy output MainQOS

!

interface Serial0/2/0

description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"

ip address 123.252.123.102 255.255.255.252

ip access-group 102 in

ip inspect SDM_LOW out

ip nat outside

ip virtual-reassembly

encapsulation ppp

crypto map VPN

service-policy output MainQOS

!

ip local pool VPN_Pool 172.20.3.130 172.20.3.254

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123

ip route 0.0.0.0 0.0.0.0 111.252.237.000 254

ip route 122.112.197.20 255.255.255.255 209.252.237.101

ip route 208.67.220.220 255.255.255.255 50.78.233.110

no ip http server

no ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip flow-top-talkers

top 20

sort-by bytes

!

ip nat inside source route-map COMCAST interface FastEthernet0/1 overload

ip nat inside source route-map PAETEC interface Serial0/2/0 overload

ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload

ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable

!

ip access-list extended VOIP

permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190

permit ip host 172.19.3.190 172.20.3.0 0.0.0.127

!

ip radius source-interface FastEthernet0/0

ip sla 1

icmp-echo 000.67.220.220 source-interface FastEthernet0/1

timeout 10000

frequency 15

ip sla schedule 1 life forever start-time now

access-list 23 permit 172.19.3.0 0.0.0.127

access-list 23 permit 172.19.3.128 0.0.0.127

access-list 23 permit 173.189.251.192 0.0.0.63

access-list 23 permit 107.0.197.0 0.0.0.63

access-list 23 permit 173.163.157.32 0.0.0.15

access-list 23 permit 72.55.33.0 0.0.0.255

access-list 23 permit 172.19.5.0 0.0.0.63

access-list 100 remark "Outgoing Traffic"

access-list 100 deny   ip 67.128.87.156 0.0.0.3 any

access-list 100 deny   ip host 255.255.255.255 any

access-list 100 deny   ip 127.0.0.0 0.255.255.255 any

access-list 100 permit tcp host 172.19.3.190 any eq smtp

access-list 100 permit tcp host 172.19.3.137 any eq smtp

access-list 100 permit tcp any host 66.251.35.131 eq smtp

access-list 100 permit tcp any host 173.201.193.101 eq smtp

access-list 100 permit ip any any

access-list 100 permit tcp any any eq ftp

access-list 101 remark "Interesting VPN Traffic"

access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127

access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127

access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10

access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11

access-list 101 permit tcp any any eq ftp

access-list 101 permit tcp any any eq ftp-data

access-list 102 remark "Inbound Access"

access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp

access-list 102 permit udp any host 152.179.53.18 eq isakmp

access-list 102 permit esp any host 152.179.53.18

access-list 102 permit ahp any host 152.179.53.18

access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp

access-list 102 permit udp any host 209.000.000.102 eq isakmp

access-list 102 permit esp any host 209.000.000.102

access-list 102 permit ahp any host 209.000.000.102

access-list 102 permit udp any host PUB IP eq non500-isakmp

access-list 102 permit udp any host PUB IP eq isakmp

access-list 102 permit esp any host PUB IP

access-list 102 permit ahp any host PUB IP

access-list 102 permit ip 72.55.33.0 0.0.0.255 any

access-list 102 permit ip 107.0.197.0 0.0.0.63 any

access-list 102 deny   ip 172.19.3.128 0.0.0.127 any

access-list 102 permit icmp any any echo-reply

access-list 102 permit icmp any any time-exceeded

access-list 102 permit icmp any any unreachable

access-list 102 permit icmp any any

access-list 102 deny   ip any any log

access-list 102 permit tcp any host 172.19.3.140 eq ftp

access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established

access-list 102 permit udp any host SITE B Public IP  eq non500-isakmp

access-list 102 permit udp any host SITE B Public IP  eq isakmp

access-list 102 permit esp any host SITE B Public IP

access-list 102 permit ahp any host SITE B Public IP

access-list    102  permit tcp any host public ip eq 8443

access-list 110 remark "Outbound NAT Rule"

access-list 110 remark "Deny VPN Traffic NAT"

access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127

access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255

access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127

access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127

access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127

access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11

access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10

access-list 110 permit ip 172.19.3.128 0.0.0.127 any

access-list 110 permit ip 172.19.10.0 0.0.0.255 any

access-list 198 remark "Networks for IISVPN Client"

access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127

access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127

access-list 199 permit tcp any any eq 3389

!

!

!

route-map PAETEC permit 10

match ip address 110

match interface Serial0/2/0

!

route-map COMCAST permit 10

match ip address 110

match interface FastEthernet0/1

!

route-map VERIZON permit 10

match ip address 110

match interface Serial0/1/0.1

!

!

snmp-server community 123 RO

radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

access-class 23 in

privilege level 15

transport input telnet ssh

line vty 5 15

access-class 23 in

privilege level 15

transport input telnet ssh

!

scheduler allocate 20000 1000

ntp server 128.118.25.3

ntp server 217.150.242.8

end


5 REPLIES 5
Cisco Employee

Need help setting up static NAT to internal server

Can you pls advise what exactly you have configured? as what you have posted as the command doesn't match your configuration.

There is no ACL 150, and there is no ip range of 192.168.5.x.

Beginner

Re: Need help setting up static NAT to internal server

I apologize, I placed the wrong ip address in the command it should read 172.19.3.133. All i want to to is NAT that public ip address to my private ip address.

Cisco Employee

Need help setting up static NAT to internal server

Are you using a spare ip or it is the interface IP? Also are you trying to configure static NAT or static PAT?

I can see that you have 2 outside interfaces, what public IP are you trying to use?

Beginner

Need help setting up static NAT to internal server

I am planning on using the public ip address on

interface FastEthernet0/1

description "Comcast"

Cisco Employee

Need help setting up static NAT to internal server

If you are planning to use the fa0/1 interface IP itself then the configuration would be:

ip nat inside source static tcp 172.19.3.133 8443 interface fa0/1 8443 extendable

Assuming that you would like to port forward TCP/8443.

Then the ACL should be written:

ip access-list extended 102

  2 permit tcp any host eq 8443

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here