
Incoming Traffic for HTTP and FTP on PAT

qasimkhans
Level 1

Hi,

I am using NAT with overload (PAT). I want to allow incoming HTTP traffic for my web server and FTP for my FTP server. Please let me know which commands (NAT, ACL, etc.) I need to use on the Router 3845. Thanks


Jennifer Halim
Cisco Employee

It would be:

ip nat inside source static tcp 80 80

ip nat inside source static tcp 21 21

Or alternatively, if you are using the WAN interface as the public IP, then:

ip nat inside source static tcp 80 interface 80

ip nat inside source static tcp 21 interface 21

ACL would be applied to the WAN interface:

access-list 120 permit tcp any host eq 80

access-list 120 permit tcp any host eq 21

Hi Jennifer,

I did the same config but it's not working. If I "setup ip access-group 120 in" on interface FastEthernet 0/0/1, then my internet stops working. Following is my config:

    interface GigabitEthernet0/0.7
     description Voice-Vlan
     encapsulation dot1Q 7
     ip address 192.168.7.1 255.255.255.0
    !
    interface GigabitEthernet0/0.8
     description IT-Vlan
     encapsulation dot1Q 8
     ip address 192.168.8.1 255.255.255.0
    !
    interface GigabitEthernet0/0.9
     description Regency-Vlan
     encapsulation dot1Q 9
     ip address 192.168.9.1 255.255.255.0
    !
    interface GigabitEthernet0/0.10
     description Servers-&-Switches-Vlan
     encapsulation dot1Q 10
     ip address 192.168.10.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    !
    interface GigabitEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
     media-type rj45
    !
    interface FastEthernet0/0/0
     description "Direct Fiber Connection to ITC-R3845-Fast Ethernet 0/0/0"
     ip address 10.1.1.2 255.255.255.0
     duplex auto
     speed auto
    !
    interface FastEthernet0/0/1
     ip address 70.88.142.140 255.255.255.248
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     crypto map Regency_ITC
    !
    interface FastEthernet0/1/0
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet0/1/1
     no ip address
     duplex auto
     speed auto
    !
    !
    router eigrp 10
     network 10.0.0.0
     network 192.168.0.0 0.0.255.255
    !
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    !
    ip nat inside source list acl_nat interface FastEthernet0/0/1 overload
    ip nat inside source static tcp 192.168.10.25 80 interface FastEthernet0/0/1 80
    ip route 0.0.0.0 0.0.0.0 70.88.142.142
    !
    ip access-list extended acl_nat
     deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
     permit ip 192.168.0.0 0.0.255.255 any
    ip access-list extended acl_vpn
     permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    !
    access-list 120 permit tcp any host 70.88.142.140 eq www

Hello Qasim,

Yes, as soon as you add that access-group the internet will stop, because you were only permitting such traffic (HTTP and FTP to that particular server), and ACLs work differently on a router with the default configuration (no stateful information like on an ASA).

That being said here is what you need

ip nat inside source list acl_nat interface FastEthernet0/0/1 overload

ip nat inside source static tcp 192.168.10.25 80 interface FastEthernet0/0/1 80

With only that you should be able to access 192.168.10.25 on port 80 via the FastEthernet 0/0/1 IP address.

If FTP is then needed:

ip nat inside source static tcp 192.168.10.25 21 interface fastethernet 0/0/1 21

Now with that configuration (without ACLs) this should work.

If security is needed then that is a whole different story.

Try that and let us know.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
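
Added example, not part of any reply in this thread: a small Python model of first-match ACL evaluation with the implicit deny, showing why applying access-list 120 inbound on FastEthernet0/0/1 drops the replies to outbound PAT sessions. The packets are constructed, the class and function names are hypothetical, and the `established` variant is an assumption used only to illustrate the stateless behaviour described above.

```python
# Added example: minimal model of a stateless IOS extended ACL
# (first match wins, implicit deny at the end). Not router code.
from dataclasses import dataclass
from typing import Optional

WAN_IP = "70.88.142.140"  # FastEthernet0/0/1 address from the posted config

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"ACK"}

@dataclass(frozen=True)
class Rule:                         # every rule modelled here is a permit
    proto: str
    dst: str = "any"                # "any" or a single host address
    dport: Optional[int] = None     # None means any destination port
    established: bool = False       # IOS "established": TCP with ACK or RST set

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto:
            return False
        if self.dst != "any" and p.dst != self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True

def acl_permits(rules, packet):
    """True if any permit matches; otherwise the implicit deny drops it."""
    return any(rule.matches(packet) for rule in rules)

# access-list 120 as posted in the thread: one permit, then the implicit deny.
ACL_120 = [Rule("tcp", dst=WAN_IP, dport=80)]
# Hypothetical variant (assumption, not from the thread): also admit TCP replies.
ACL_120_EST = ACL_120 + [Rule("tcp", established=True)]

# Constructed packets arriving inbound on the outside interface (pre-NAT view).
INBOUND_WEB = Packet("tcp", "203.0.113.9", 51000, WAN_IP, 80, frozenset({"SYN"}))
WEB_REPLY = Packet("tcp", "198.51.100.7", 443, WAN_IP, 40001, frozenset({"SYN", "ACK"}))
DNS_REPLY = Packet("udp", "198.51.100.53", 53, WAN_IP, 40002)
NEW_SSH = Packet("tcp", "203.0.113.9", 51001, WAN_IP, 22, frozenset({"SYN"}))
```

In this model the posted ACL admits new connections to port 80 but drops both reply packets, which matches the "internet stops working" symptom; the `established` variant restores TCP replies only, so UDP replies such as DNS are still dropped.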