
nat issue to block

angembaki2002
Level 1

Please sir,
Can someone help me to solve this problem, please?
I have a 2900 series router, so I have voice traffic which comes from the public IP 197.231.xxx.xxx which must arrive at its destination on a local server 192.168.30.21, but the local server's firewalls block the traffic.
I would like to block the 80 from the IP 197.231.xxx.xxx and send it back by the private IP 192.168.30.21:5060, but the NAT that I am using is blocking my router.
Here is the config that I made, if you can give me a correction please.

interface GigabitEthernet0/0
ip address 197.231.xxx.xxx 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.30.10 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
no ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat source static 197.231.xxx.xxx 255.255.255.252
ip nat inside source static 192.168.30.10 255.255.255.0
ip nat outside source static 197.231.xxx.xxx 255.255.255.252
ip route 0.0.0.0 0.0.0.0 197.231.xxx.xxx

2 Replies

Hi

I might say this is confusing.

"can someone help me to solve this problem please
I have a 2900 series router so I have voice traffic which comes from the public ip 197.231.xxx.xxx which must arrive at its destination on a local server 192.168.30.21 but the local server's firewalls block the traffic"

Is the server's firewall blocking the traffic intentionally, or is this a misconfiguration? I don't follow you here.

 

"I would like to block the 80 from the ip 197.231.xxx.xxx and send it back by the private ip 192.168.30.21:5060 but the nat that I am using is blocking my router"

Are you saying here that you don't want the server to be open to the internet on port 80?

Port 5060 is the SIP port, and if this is a VoIP server, that port needs to be open.

NAT has no ability to block. You need to be clearer on this point.


"here is the config that I made if you can give me a correction please"

ip nat source static 197.231.xxx.xxx 255.255.255.252
ip nat inside source static 192.168.30.10 255.255.255.0
ip nat outside source static 197.231.xxx.xxx 255.255.255.252

Those NAT statements are wrong. The NAT should be like this:

ip nat inside source static <first IP address> <second IP address>

I never saw the usage of a subnet mask on this command.

 

If what you are trying to achieve is PAT, you can do it like this:

ip nat outside source static tcp 197.231.xxx.xxx  5060 192.168.30.10  5060

 

Hello Flavio, I mean that traffic from 197.230.xxx.xxx:80 must go to 192.168.:5060 because my server is blocking port 80.
Clearly, my local server should not detect the public port 80.
