10-22-2019 10:53 AM - edited 10-22-2019 10:54 AM
hello,
I'm looking to use a single 867's Dialer interface to hopefully accomplish outbound PAT for internet access, but also with some inbound port forwarding. I've tried the idea of a route map to only allow the external addresses I want for the port forwarding, but this seems to kill the PAT outbound?
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
interface Vlan10
ip address 192.168.250.254 255.255.255.0
ip nat inside
ip nat inside source list 99 interface Dialer0 overload <-- regular PAT
ip nat inside source static 192.168.250.1 *.*.*.* route-map NAT-PF <-- where * is my Dialer interface's IP
route-map NAT-PF permit 10
match ip address 50
continue
ip access-list standard 50
permit *.*.*.* <-- where * is the allowed external internet address for the port-forwarding
Firstly, is this possible? Do I have the order incorrect?
10-22-2019 11:25 AM
Hello,
what are you trying to accomplish with the route map? If the route map contains just the IP address of your dialer, you might as well use just that IP address in the static NAT statement:
ip nat inside source static 192.168.250.1 *.*.*.* <-- IP address of the dialer interface
But since the IP address is negotiated and hence can change, you might be better off using the interface:
ip nat inside source static 192.168.250.1 interface Dialer0
10-22-2019 11:29 AM
Hi Georg thanks for replying.
The route-map I'm using is to filter specific remote external addresses, to lock down access to the device that I am forwarding ports to.
Does that make sense?
10-22-2019 11:46 AM
Hello,
sorry for asking stupid questions: you want only specific external (public) IP addresses to access your internal server?
10-22-2019 11:51 AM
No worries Georg, yes that's correct. Outside to inside for the port forward, I'd like to limit to specific address ranges if possible.
10-22-2019 12:22 PM - edited 10-22-2019 12:25 PM
Hello
@GM1991 wrote: "outside to inside for the port forward I'd like to limit to specific address ranges if possible"
ip nat outside source static tcp/udp (outside source ip) xx (inside nat ip) tcp/udp xx
Meaning that the specific outside IP will be able to access the inside network on a specific port, because its public source address will be NATted to an internal network IP address.
10-22-2019 01:30 PM
Hello,
since you want a range of addresses from the outside to be able to access the inside device, I have come up with the below. The access list contains all the hosts you want to grant access.
ip nat pool POOL 192.168.250.1 192.168.250.1 netmask 255.255.255.0
ip nat outside source list 1 pool POOL add-route
!
access-list 1 permit host x.x.x.x
access-list 1 permit host y.y.y.y
11-04-2019 11:54 PM
Apologies for not replying sooner, I've been trying to find time to test this. So I've tried what you suggested and I can see the access list getting hit; however, on a NAT debug I see the translation failing:
.Nov 5 07:53:12.871 GMT: NAT: failed to allocate address for 84.51.168.98, list/map 150
.Nov 5 07:53:12.871 GMT: NAT: translation failed (L), dropping packet s=84.51.168.98 d=*.*.*.*
.Nov 5 07:53:13.819 GMT: NAT: failed to allocate address for 84.51.168.98, list/map 150
.Nov 5 07:53:13.819 GMT: NAT: translation failed (L), dropping packet s=84.51.168.98 d=*.*.*.*
.Nov 5 07:53:14.819 GMT: NAT: failed to allocate address for 84.51.168.98, list/map 150
.Nov 5 07:53:14.819 GMT: NAT: translation failed (L), dropping packet s=84.51.168.98 d=*.*.*.*
.Nov 5 07:53:15.843 GMT: NAT: failed to allocate address for 84.51.168.98, list/map 150
.Nov 5 07:53:15.843 GMT: NAT: translation failed (L), dropping packet s=84.51.168.98 d=*.*.*.*
*.*.*.* is my test router where I am testing connections from.
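When triaging `debug ip nat` output like the paste above, it helps to reduce the stream to per-source counts of allocation failures and drops, and to note which list/map number the failing rule belongs to. The following is an added example (not from the thread or from Cisco); the sample lines are constructed in the same shape as the post, with the masked `*.*.*.*` destination kept as-is.

```python
import re
from collections import Counter

# Constructed sample of `debug ip nat` output, modelled on the lines in the post.
# The last line is a constructed "successful translation" record so the parser
# is shown ignoring lines that are not failures.
SAMPLE_DEBUG = """\
.Nov 5 07:53:12.871 GMT: NAT: failed to allocate address for 84.51.168.98, list/map 150
.Nov 5 07:53:12.871 GMT: NAT: translation failed (L), dropping packet s=84.51.168.98 d=*.*.*.*
.Nov 5 07:53:13.819 GMT: NAT: failed to allocate address for 84.51.168.98, list/map 150
.Nov 5 07:53:13.819 GMT: NAT: translation failed (L), dropping packet s=84.51.168.98 d=*.*.*.*
.Nov 5 07:53:14.819 GMT: NAT: failed to allocate address for 84.51.168.98, list/map 150
.Nov 5 07:53:15.843 GMT: NAT: s=192.168.250.1->84.51.168.98, d=1.2.3.4 [100]
"""

# "failed to allocate address for <src>, list/map <n>": pool/mapping exhaustion or mismatch
ALLOC_RE = re.compile(
    r"NAT: failed to allocate address for (?P<src>\S+), list/map (?P<map>\d+)")
# "translation failed (<dir>), dropping packet s=<src> d=<dst>": the packet was discarded
DROP_RE = re.compile(
    r"NAT: translation failed \((?P<dir>[A-Z])\), dropping packet s=(?P<src>\S+) d=(?P<dst>\S+)")


def summarize_nat_debug(text):
    """Collapse debug ip nat output into counts.

    Returns a dict with:
      alloc_failures: {source_ip: count}
      drops:          {(source_ip, dest_ip): count}
      maps:           sorted list/map numbers seen in allocation failures
    """
    alloc = Counter()
    drops = Counter()
    maps = set()
    for line in text.splitlines():
        m = ALLOC_RE.search(line)
        if m:
            alloc[m["src"]] += 1
            maps.add(int(m["map"]))
            continue
        m = DROP_RE.search(line)
        if m:
            drops[(m["src"], m["dst"])] += 1
    return {"alloc_failures": dict(alloc), "drops": dict(drops), "maps": sorted(maps)}


def failing_sources(text, min_failures=2):
    """Sources with at least min_failures allocation failures, most frequent first."""
    counts = summarize_nat_debug(text)["alloc_failures"]
    return [src for src, n in sorted(counts.items(), key=lambda kv: -kv[1]) if n >= min_failures]
```

Running `summarize_nat_debug(SAMPLE_DEBUG)` on the constructed sample attributes every failure to list/map 150, which tells you which NAT rule to compare against the pool definition before touching anything else.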
11-05-2019 12:07 AM
Hello,
what exactly did you test? Can you post the configuration that generates the failure messages?
11-05-2019 12:15 AM
Hi Georg, here's the config. I'm browsing on an HTTPS session via port 8443 from my test router.
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
interface Vlan10
ip address 192.168.250.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip nat pool inside 192.168.250.1 192.168.250.1 prefix-length 24
ip nat inside source list 99 interface Dialer0 overload
ip nat outside source list 155 pool inside add-route
Standard IP access list 99
10 permit 192.168.250.1
Extended IP access list 155
10 permit tcp host *.*.*.* host 84.51.168.98 eq 8443
*.*.*.* being again my test router, and the 84. address being the negotiated address from the ISP.
11-05-2019 01:02 AM
Hello,
whatever you match in access list 155 needs to be something on the Internet, so I am not sure I understand that access list.
Extended IP access list 155
10 permit tcp host *.*.*.* host 84.51.168.98 eq 8443
*.*.*.* being again my test router, and the 84. address being the negotiated address from the ISP.
For the sake of testing, try a standard access list just matching a single host on the Internet. So the entire configuration would be:
ip nat pool inside 192.168.250.1 192.168.250.1 prefix-length 24
ip nat inside source list 99 interface Dialer0 overload
ip nat outside source list 1 pool inside add-route
!
access-list 99 permit host 192.168.250.1
access-list 1 permit host x.x.x.x <-- this needs to be one of the IP addresses on the Internet