NAT Config

redbus
Level 1

Hi,

I have a router which I inherited with a network. I need to add a port forward for traffic arriving on Dialer0 on tcp/443 to the internal IP 10.20.24.49 on tcp/443.

I have tried adding a static NAT statement:

ip nat inside source static tcp 10.20.24.49 443 interface Dialer0 443

 

When I try to connect to http://1.2.3.4 in a browser and run 'sh ip nat translations', it shows a list of active translations.

Router# sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 1.2.3.4:443        10.20.24.49:443    2.3.4.5:27916      2.3.4.5:27916
tcp 1.2.3.4:443        10.20.24.49:443    2.3.4.5:53112      2.3.4.5:53112
tcp 1.2.3.4:443        10.20.24.49:443    2.3.4.5:59827      2.3.4.5:59827

There are a number of ACLs which seem to correspond to policy maps / zone pairs in the current config. I am not sure if I need to add an additional ACL to allow tcp/443 in addition to the static NAT statement.

Is anyone able to give me a pointer?

Thanks

Accepted Solution
Hi,
You will need to create an ACL, class map, policy map and a new zone-pair for OUTSIDE to INSIDE. E.g.:

! ACL matches the inside-local address and port that the static NAT forwards to
ip access-list extended OUTSIDE->INSIDE
 permit tcp any host 10.20.24.49 eq 443
!
! Class map references the ACL
class-map type inspect match-any OUTSIDE->INSIDE
 match access-group name OUTSIDE->INSIDE
!
! Policy map inspects the matched traffic; everything else is dropped and logged
policy-map type inspect PM_OUTSIDE->INSIDE
 class type inspect OUTSIDE->INSIDE
  inspect
 class class-default
  drop log
!
! Zone pair applies the policy to traffic entering from OUTSIDE towards INSIDE
zone-pair security OUTSIDE->INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PM_OUTSIDE->INSIDE

HTH
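The point the accepted answer makes is that a static NAT entry only creates a translation; on a zone-based firewall the inbound flow is still dropped by the OUTSIDE->INSIDE zone-pair's class-default unless an inspect class permits the inside-local address and port. The following script is an added example, not code from this thread or from Cisco: it parses a constructed IOS-style config (modelled on the answer above, with the zone names OUTSIDE and INSIDE it uses, plus a second, deliberately unpermitted forward to 10.20.24.50:22 that I made up) and reports, for every `ip nat inside source static tcp|udp ...` line, whether some OUTSIDE->INSIDE zone-pair runs a policy whose inspect or pass class references an ACL permitting that inside-local ip:port. It understands only the ACE shape used in the thread (`permit <proto> any host <ip> [eq <port>]`) and class-maps of the `match access-group name` form; it is a config audit, not an IOS emulator.

```python
"""Audit an IOS-style config: does every static TCP/UDP port-forward have a
matching OUTSIDE->INSIDE zone-based-firewall permit?  (added example)"""
import re

# Constructed sample config modelled on the thread: one forward that the ZBF
# policy permits (10.20.24.49:443) and one it does not (10.20.24.50:22).
SAMPLE_CONFIG = """\
ip access-list extended OUTSIDE->INSIDE
 permit tcp any host 10.20.24.49 eq 443
!
class-map type inspect match-any OUTSIDE->INSIDE
 match access-group name OUTSIDE->INSIDE
!
policy-map type inspect PM_OUTSIDE->INSIDE
 class type inspect OUTSIDE->INSIDE
  inspect
 class class-default
  drop log
!
zone-pair security OUTSIDE->INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PM_OUTSIDE->INSIDE
!
ip nat inside source static tcp 10.20.24.49 443 interface Dialer0 443
ip nat inside source static tcp 10.20.24.50 22 interface Dialer0 2222
"""

# Only the ACE shape used in the thread is understood: permit <proto> any host <ip> [eq <port>]
ACE_RE = re.compile(r"permit (tcp|udp|ip) any host (\S+)(?: eq (\d+))?$")


def parse_blocks(text):
    """Group config lines into (top-level command, [indented child lines])."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw)
    return blocks


def parse_config(text):
    """Extract ACLs, inspect class-maps, inspect policy-maps, zone-pairs and static NAT entries."""
    acls, cmaps, pmaps, zpairs, nats = {}, {}, {}, [], []
    for head, kids in parse_blocks(text):
        words = head.split()
        if head.startswith("ip access-list extended "):
            acls[words[3]] = [m.groups() for k in kids if (m := ACE_RE.match(k.strip()))]
        elif head.startswith("class-map type inspect "):
            cmaps[words[-1]] = [k.split()[-1] for k in kids
                                if k.strip().startswith("match access-group name ")]
        elif head.startswith("policy-map type inspect "):
            classes, current = {}, None
            for k in kids:
                s = k.strip()
                if s.startswith("class "):           # "class type inspect X" or "class class-default"
                    current = s.split()[-1]
                    classes[current] = None
                elif current and classes[current] is None:
                    classes[current] = s.split()[0]  # first action keyword: inspect / pass / drop
            pmaps[words[-1]] = classes
        elif head.startswith("zone-pair security "):
            src = words[words.index("source") + 1]
            dst = words[words.index("destination") + 1]
            policy = next((k.split()[-1] for k in kids if "service-policy" in k), None)
            zpairs.append((src, dst, policy))
        elif head.startswith("ip nat inside source static ") and words[5] in ("tcp", "udp"):
            # ip nat inside source static <proto> <local ip> <local port> interface <if> <global port>
            nats.append((words[5], words[6], int(words[7]), int(words[-1])))
    return acls, cmaps, pmaps, zpairs, nats


def ace_permits(ace, proto, ip, port):
    """True if an ACE (proto, host, port-or-None) covers the given inbound flow."""
    ace_proto, host, ace_port = ace
    return host == ip and ace_proto in ("ip", proto) and (ace_port is None or int(ace_port) == port)


def forward_is_allowed(nat, acls, cmaps, pmaps, zpairs, outside="OUTSIDE", inside="INSIDE"):
    """A forward is allowed only if some OUTSIDE->INSIDE zone-pair runs a policy whose
    inspect/pass class references an ACL that permits the inside-local ip:port."""
    proto, ip, port, _global_port = nat
    for src, dst, policy in zpairs:
        if (src, dst) != (outside, inside) or policy not in pmaps:
            continue
        for cname, action in pmaps[policy].items():
            if action not in ("inspect", "pass"):
                continue
            for acl in cmaps.get(cname, []):
                if any(ace_permits(a, proto, ip, port) for a in acls.get(acl, [])):
                    return True
    return False


def audit(text, outside="OUTSIDE", inside="INSIDE"):
    """Map each 'proto/ip:port' static forward to whether the ZBF lets it in."""
    acls, cmaps, pmaps, zpairs, nats = parse_config(text)
    return {f"{p}/{ip}:{lp}": forward_is_allowed((p, ip, lp, gp), acls, cmaps, pmaps, zpairs, outside, inside)
            for p, ip, lp, gp in nats}


if __name__ == "__main__":
    for fwd, ok in audit(SAMPLE_CONFIG).items():
        print(fwd, "permitted by ZBF policy" if ok else "NAT only: ZBF class-default will drop it")
```

Run against a real `show running-config` export, the unpermitted forwards are the ones whose NAT translation appears in `sh ip nat translations` (as in the question) while the connection still fails; with the answer's `class class-default` set to `drop log`, the same drops show up in the router's syslog, which is the quickest confirmation that the firewall, not NAT, is what is blocking the flow.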


