Cisco Commands help

boonwah.yeo
Level 1

Hi all,

I'd like to check whether there is such a command on a Cisco 1941 router:

hostname (config-network-object) # nat (Outside, Inside) static xxx.xxx.xxx.xxx

Please advise.


10 Replies

John Blakley
VIP Alumni

To nat inside, outside like an ASA, the syntax is:

ip nat inside source static 192.168.1.100 5.5.5.5

Then you have to apply it on the inside and the outside interface:

int g0/0

desc WAN

ip address 5.5.5.1 255.255.255.0

ip nat outside

int g0/1

desc LAN

ip address 192.168.1.1 255.255.255.0

ip nat inside

HTH,

John

HTH, John *** Please rate all useful posts ***

In this case, do I still need to create a network object group?

The full command will be:

hostname (config)# object network ABC

hostname (config-object-network)# host 192.168.1.100 (internal host, e.g. web server)

after which

hostname (config)# ip nat inside source static 192.168.1.100 5.5.5.5 => Public WAN IP

I don't quite understand

int 0/0

ip address 5.5.5.1 255.255.255.0

ip nat outside

int gi 0/1

ip address 192.168.1.1 255.255.255.0

ip nat inside

For this configuration, it already exists in my original configuration.

Please advise.

Dear Yeo,

Scenarios in the firewall and the router are different; don't compare the commands and get confused.

First of all, you need to understand whether you are NATing an inside host to outside or an outside host to inside.

Let us first clarify why object groups are created:

In firewalls like ASA 5501

You will be creating an object group for mentioning the services or network elements etc.

{for example if you want to create an accesslist and allow 10 to 15 networks all at a time

command: access-list inside_nat0_outbound extended permit ip any object-group DM_INLINE_NETWORK_1

object-group network DM_INLINE_NETWORK_1

network-object DakshinKannara 255.255.255.0

network-object 192.168.115.0 255.255.255.0

network-object 192.168.114.0 255.255.255.0

network-object 192.168.116.0 255.255.255.0

network-object 192.168.118.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound [This tells it not to NAT the objects mentioned in the access list above while coming in to the inside network]}

{access-list ISP-2_access_in extended permit object-group WEB_SERVICES1 any host 115.249.253.251

access-group ISP-2_access_in in interface ISP-2

( to allow www, https and 6303 for access list isp to access in at interface isp-2)

object-group service WEB_SERVICES (for webservices)

service-object tcp eq www

service-object tcp eq https

service-object tcp eq 6303}

In the router you must know which kind of NATing you are doing, I mean whether you are allowing an inside network to go to the outside world with a public IP, OR

an outside network to come inside with a NAT command NATed to an IP in your private network.

Now for NATing your private IP to a public IP you need:

ip nat inside source static tcp 192.168.1.198 80 49.123.456.7 80 extendable

where 49.123.456.7 is your public IP and port 80 is to be allowed.

If you want to allow multiple networks then:

ip nat inside source list NAT_Addresses interface FastEthernet4.1103 overload

ip access-list extended NAT_Addresses

permit ip 192.168.1.0 0.0.0.255 any

permit ip 192.168.2.0 0.0.0.255 any

permit ip 172.16.61.1 0.0.0.255 any

Please rate the helpful posts.

Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."

Dear Muhammad, you are very helpful.

Thanks. My current need is to let the outside world (public IP) reach the internal LAN (private IP) through one of my available WAN addresses, which I will need to access through something like http/https://WAN IP:9101

Let's take your scenario, whereby 192.168.1.198 is the private IP host and 49.123.456.7 the public IP.

So my command will need to be:

ip nat inside source static tcp 192.168.1.198 9101 49.123.456.7 9101 (a simple one-line command?)

Do I need to add any access list?

Currently I have an access-list 101 permit ip 192.168.1.0 0.0.0.255 and also a statement of

ip nat inside source list 101 interface gigabitethernet0/1 overload (which I believe is telling the router to translate whatever IP comes in to the IP at my GigabitEthernet0/1 interface, right?)

Question no. 2, this is really confusing.

When I do a show ip arp, I have 2 Internet addresses bound to GigabitEthernet0/1. Please note we can use up to 6 available hosts for WAN IP.

Internet     49.123.456.7          -     a44c.1145.6c81     ARPA      GigabitEthernet0/1

internet     49.123.456.8          -     001e.ec6a.3286     ARPA      GigabitEthernet0/1

Internet     49.123.456.7          -     a44c.1145.6c81 (This is my actual Internet address when i do an sh interface).

Is this actually possible? I tried to do a sh ip nat translations; I can't find this IP 49.123.456.8 at all, and can't find any information about this IP address 49.123.456.8.

**My Cisco model is 1941.

Please kindly advise.

Hi Yeo,

Thanks for your compliment.

Please rate all the helpful posts; this may help others to find the solution quickly. That itself is a big thanks for us.

ip nat inside source static tcp 192.168.1.198 9101 49.123.456.7 9101

(here you are NATing source IP 192.168.1.198 to 49.123.456.7 and allowing traffic for port 9101)

int fas0/0

description lan

ip address 192.168.1.1 255.255.255.0

ip nat inside

int fas 0/1

description wan

ip address 49.123.456.7 255.255.255.0

ip nat outside

Q1) currently i have an access-list 101 permit ip 192.168.1.0 0.0.0.255

A1) Your access list must look something like this:

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

This command is used to permit IP traffic from 192.168.1.0 network to any networks. All packets with a source not in this range will be rejected.

access-list 101 permit ip 192.168.1.0 0.0.0.255 host 1.1.1.1 (where 1.1.1.1 is a destination address)

This command is used to permit IP traffic from 192.168.1.0 network to 1.1.1.1 specific host. All packets with a source not in range will be rejected.

access-list 101 permit ip 192.168.1.0 0.0.0.255 1.1.1.0 0.0.0.255 (where 1.1.1.0 is a destination network)

This command is used to permit IP traffic from 192.168.1.0 network to 1.1.1.0 network. All packets with a source address not in this range will be rejected.

Q2) and also and statement of

ip nat inside source list 101 interface gigabitethernet0/1 overload

Here you are NATing the access list in which you are allowing the IP traffic to interface Gig0/1.

Above command must be used to allow internet access to your LAN.


Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."
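As an added example (not from the thread, and not Cisco code), here is a small Python model of the two decisions discussed in this post and in Thanveer's earlier one: how the wildcard masks in the three access-list forms select packets (including the implicit deny that "rejects" everything else), and which of the two NAT statements, the static TCP mapping for port 9101 or the overload rule driven by access-list 101, applies to a given packet. The addresses 203.0.113.7 (standing in for the WAN IP) and 198.51.100.9 are constructed sample values from the documentation ranges; rule ordering and port allocation are simplified compared to a real IOS router.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample value standing in for the thread's public WAN address.
WAN_IP = "203.0.113.7"

# ip nat inside source static tcp 192.168.1.198 9101 <WAN_IP> 9101
# modelled as (protocol, public port) -> inside host.
STATIC_PAT = {("tcp", 9101): "192.168.1.198"}


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    src: str
    src_wc: str      # wildcard mask for the source
    dst: str
    dst_wc: str      # wildcard mask for the destination


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_ace(line: str) -> AclEntry:
    """Parse 'access-list <n> permit|deny ip <src> <dst>' where each address
    spec is 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (address + wildcard)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")

    def take(rest: List[str]) -> Tuple[Tuple[str, str], List[str]]:
        if rest[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), rest[1:]
        if rest[0] == "host":
            return (rest[1], "0.0.0.0"), rest[2:]
        return (rest[0], rest[1]), rest[2:]

    (src, src_wc), rest = take(tok[4:])
    (dst, dst_wc), _ = take(rest)
    return AclEntry(tok[2], src, src_wc, dst, dst_wc)


def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry decides; with no match the implicit deny at the
    end of every IOS ACL applies (the 'rejected' case in the post above)."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action == "permit"
    return False


def translate(acl: List[AclEntry], direction: str, proto: str,
              src: str, dst: str, dport: int) -> Optional[Tuple[str, str]]:
    """Return (new_src, new_dst) after NAT, or None when nothing translates.
    direction is 'in' (outside -> inside) or 'out' (inside -> outside).
    Simplification: the overload rule keeps the original ports here."""
    if direction == "in":
        # A static entry works in both directions: traffic to WAN_IP on the
        # mapped port is forwarded to the inside host; anything else aimed at
        # the router's own address is not translated.
        inside = STATIC_PAT.get((proto, dport))
        if dst == WAN_IP and inside is not None:
            return (src, inside)
        return None
    # Outbound: the overload rule only applies to sources the ACL permits,
    # so a LAN host outside 192.168.1.0/24 gets no Internet access.
    if acl_permits(acl, src, dst):
        return (WAN_IP, dst)
    return None


if __name__ == "__main__":
    acl101 = [parse_ace("access-list 101 permit ip 192.168.1.0 0.0.0.255 any")]
    print(translate(acl101, "in", "tcp", "198.51.100.9", WAN_IP, 9101))
    print(translate(acl101, "out", "tcp", "192.168.1.50", "198.51.100.9", 443))
    print(translate(acl101, "out", "tcp", "192.168.2.50", "198.51.100.9", 443))
```

The point to take from running it: the ACL referenced by the overload statement is a selection list, not a firewall, so adding a second LAN subnet to `access-list 101` is what gives that subnet Internet access, and the static port mapping needs no ACL at all.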

Hi Muhammad,

Thanks a lot.

Any idea on my question no. 2?

Question no. 2, this is really confusing.

When I do a show ip arp, I have 2 Internet addresses bound to GigabitEthernet0/1. Please note we can use up to 6 available hosts for WAN IP.

Internet     49.123.456.7          -     a44c.1145.6c81     ARPA      GigabitEthernet0/1

internet     49.123.456.8          -     001e.ec6a.3286     ARPA      GigabitEthernet0/1

Internet     49.123.456.7          -     a44c.1145.6c81 (This is my actual Internet address when i do an sh interface).

Is this actually possible? I tried to do a sh ip nat translations; I can't find this IP 49.123.456.8 at all, and can't find any information about this IP address 49.123.456.8.

Please advise.

Hi Yeo,

Internet     49.123.456.7          -    a44c.1145.6c81     ARPA      GigabitEthernet0/1

internet     49.123.456.8          -     001e.ec6a.3286     ARPA      GigabitEthernet0/1

Internet     49.123.456.7          -     a44c.1145.6c81

If you observe the bold MACs, they are the same; IP 49.123.456.7 could be your other side's WAN IP.

Please Rate the helpful posts

Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."

Hi Muhammad,

Thanks for your reply, appreciate it.

Apologies, as I am quite green in networking.

What I mean is the Internet address 49.123.456.8 (this Internet address is bound together with GigabitEthernet0/1, please see in bold and underline). What I am confused about is, can GigabitEthernet0/1 have 2 IP addresses?

Internet     49.123.456.7          -    a44c.1145.6c81     ARPA      GigabitEthernet0/1

internet     49.123.456.8          -     001e.ec6a.3286     ARPA      GigabitEthernet0/1

One more thing, for:

access-list 101 permit ip 192.168.1.0 0.0.0.255 host 1.1.1.1 (where 1.1.1.1 is a destination address)

This command is used to permit IP traffic from 192.168.1.0 network to 1.1.1.1 specific host. All packets with a source not in range will be rejected.

Is the host 1.1.1.1 inside the LAN or on the outside Internet?

Please advise.


Hi Yeo,

Q) Can GigabitEthernet0/1 have 2 IP addresses?

A) Yes, it can have two IP addresses.

for example

conf t

int fas 0/0

ip address 49.123.456.7 255.255.255.0 (this is the primary IP)

ip address 98.76.43.1 255.255.255.0 secondary (this is the secondary IP)

But in your scenario the IPs shown by the command sh ip arp do not actually refer to interface IPs; those are the IPs learnt by the device through the interface.

ARP is Address Resolution Protocol.

49.123.456.7 interface IP

49.123.456.8 learnt via the interface; it might be a PC or the other side's interface

Please refer to link

http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_s1g.html#wp1079902

access-list 101 permit ip 192.168.1.0 0.0.0.255 host 1.1.1.1 (where 1.1.1.1 is a destination address)

It can be a public or private IP address, based on the requirement.

For example, you have a server which needs to be accessed from the Internet; in this case you may NAT it to a public IP, and if you want to allow only particular traffic over particular ports, you may specify the ports.

Please dont forget to rate the helpful posts.

Thanks

Thanveer
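As an added example (not part of the thread), a small Python parser for `show ip arp` output that separates the router's own addresses from learnt neighbours on each interface. It relies on the Age column: IOS prints a hyphen for an address that is local to the router and a number of minutes for an entry learnt from another device, so the distinction drawn in the answer above can be read directly from the output rather than inferred from the MACs. The sample output is constructed for this example, with documentation-range addresses and made-up hardware addresses, and is not the thread's data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout of 'show ip arp'; addresses and MACs are
# made up for this example and are not the values from the thread.
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.7             -   a44c.1145.6c81  ARPA   GigabitEthernet0/1
Internet  203.0.113.8            12   001e.ec6a.3286  ARPA   GigabitEthernet0/1
Internet  203.0.113.1             3   0011.2233.4455  ARPA   GigabitEthernet0/1
Internet  192.168.1.1             -   a44c.1145.6c80  ARPA   GigabitEthernet0/0
Internet  192.168.1.198          45   0050.56aa.bbcc  ARPA   GigabitEthernet0/0
"""


@dataclass
class ArpEntry:
    address: str
    age_min: Optional[int]   # None when IOS prints '-': the router's own address
    mac: str
    interface: str


def parse_show_ip_arp(text: str) -> List[ArpEntry]:
    """Parse the six-column 'show ip arp' table; header and non-IPv4 lines are skipped."""
    entries: List[ArpEntry] = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) != 6 or tok[0].lower() != "internet":
            continue
        age = None if tok[2] == "-" else int(tok[2])
        entries.append(ArpEntry(address=tok[1], age_min=age,
                                mac=tok[3].lower(), interface=tok[5]))
    return entries


def own_addresses(entries: List[ArpEntry]) -> Dict[str, List[str]]:
    """Interface -> addresses the router itself answers for (Age shown as '-')."""
    out: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.age_min is None:
            out[e.interface].append(e.address)
    return dict(out)


def learned_neighbors(entries: List[ArpEntry]) -> Dict[str, List[str]]:
    """Interface -> addresses learnt from other devices on that segment."""
    out: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.age_min is not None:
            out[e.interface].append(e.address)
    return dict(out)


if __name__ == "__main__":
    parsed = parse_show_ip_arp(SAMPLE_SHOW_IP_ARP)
    print("router's own:", own_addresses(parsed))
    print("learnt:      ", learned_neighbors(parsed))
```

On a WAN segment the learnt list is the set of devices that have exchanged ARP with the router, typically the provider's gateway; a learnt entry that is not the gateway is worth a look, because it means another device is answering on your public segment.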