Configuring inbound PAT

vincent-n
Level 3

Hi all

I have an 837 ADSL router running at the moment, connecting to the corporate network via a VPN connection. The current VPN setup only permits certain IP address ranges (from the corporate hub site) to reach this ADSL router. What I need to do now is to enable some HTTP traffic (from the Internet) to reach certain STATIC devices behind this ADSL router. Below is the config (or part of it):

interface Dialer0
 description $FW_OUTSIDE$
 bandwidth 1500
 ip address negotiated
 ip access-group 102 in
 no ip redirects
 no ip proxy-arp
 ip mtu 1452
 ip nbar protocol-discovery
 ip nat outside
 ip inspect DEFAULT100 out

access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark Auto generated by SDM for NTP (123) 192.189.54.33
access-list 102 permit udp host 192.189.54.33 eq ntp any eq ntp
access-list 102 permit ip 10.95.51.0 0.0.0.127 10.218.3.0 0.0.0.63
access-list 102 permit ip 203.110.x.0 0.0.0.31 10.218.3.0 0.0.0.63
access-list 102 permit ip 10.95.3.0 0.0.0.255 10.218.3.0 0.0.0.63
access-list 102 permit ip 10.108.0.0 0.0.255.255 10.218.3.0 0.0.0.63
access-list 102 permit udp host 203.110.136.131 eq domain any
access-list 102 permit udp host 203.110.136.142 eq domain any
access-list 102 permit udp host 192.231.203.3 eq domain any
access-list 102 permit ahp host 203.110.x.x any
access-list 102 permit esp host 203.110.x.x any
access-list 102 permit udp host 203.110.x.x any eq isakmp
access-list 102 permit udp host 203.110.x.x any eq non500-isakmp
access-list 102 deny ip 10.218.3.0 0.0.0.63 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any

The static devices behind the router have IP addresses 10.218.3.6 and 10.218.3.7 respectively. The required configuration is for the vendor to be able to reach those static devices for troubleshooting and upgrade purposes. What I would like to happen is, from the Internet, if I type:

1. http://Dialer0-Public-IP 10000 - this will be forwarded to the device 10.218.3.6 with port 10000 unchanged

2. http://Dialer0-Public-IP 10001 - this will be forwarded to the device 10.218.3.7 with port 10000

Thanks in advance for your help.
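An added check, not part of the thread: the static PAT entries (`ip nat inside source static tcp 10.218.3.6 10000 interface Dialer0 10000` and `... 10.218.3.7 10000 interface Dialer0 10001`, the same form as the 3389 line in Frank's config below) are only half of the request, because ACL 102 on Dialer0 still decides whether the vendor's inbound SYN is accepted, and this small first-match evaluator shows it is dropped until permits for ports 10000 and 10001 are placed above the final deny. The public and vendor addresses are constructed stand-ins, and the ACL is the subset of the post's lines that are not redacted.

```python
import ipaddress
# Constructed stand-ins: the Dialer0 address is negotiated, so a TEST-NET
# address plays the public IP; the vendor's source address is made up too.
PUBLIC_IP, VENDOR_IP = "203.0.113.1", "198.51.100.10"
# Subset of ACL 102 from the post (the redacted 203.110.x.x lines left out).
ACL_102 = [
    "access-list 102 permit udp host 192.189.54.33 eq ntp any eq ntp",
    "access-list 102 permit ip 10.95.51.0 0.0.0.127 10.218.3.0 0.0.0.63",
    "access-list 102 deny ip 10.218.3.0 0.0.0.63 any",
    "access-list 102 permit icmp any any echo-reply",
    "access-list 102 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 102 deny ip any any",
]
# Candidate permits for the two PAT'd ports only. They must sit BEFORE the
# final deny: new lines typed into a numbered ACL are appended after it.
NEW_PERMITS = [f"access-list 102 permit tcp any host {PUBLIC_IP} eq 10000",
               f"access-list 102 permit tcp any host {PUBLIC_IP} eq 10001"]
ACL_102_FIXED = ACL_102[:-1] + NEW_PERMITS + ACL_102[-1:]
PORT_NAMES = {"ntp": 123, "domain": 53, "isakmp": 500, "non500-isakmp": 4500}

def _addr(t, i, addr):
    """Match 'any' | 'host A' | 'A WILDCARD' at t[i]; return (hit, next index)."""
    if t[i] == "any":
        return True, i + 1
    if t[i] == "host":
        return addr == t[i + 1], i + 2
    net, wild, a = (int(ipaddress.IPv4Address(x)) for x in (t[i], t[i + 1], addr))
    return (a | wild) == (net | wild), i + 2

def _port(t, i, port):
    """Optional 'eq PORT' qualifier (named or numeric); absent means any port."""
    if i < len(t) and t[i] == "eq":
        return port == (PORT_NAMES.get(t[i + 1]) or int(t[i + 1])), i + 2
    return True, i

def acl_decision(acl, proto, src, sport, dst, dport):
    """First-match IOS extended-ACL evaluation with the implicit deny. The
    inbound ACL runs before static NAT, so dst is the public address."""
    for line in acl:
        t = line.split()
        if len(t) < 5 or t[2] == "remark" or t[3] not in ("ip", proto):
            continue
        ok_s, i = _addr(t, 4, src)
        ok_sp, i = _port(t, i, sport)
        ok_d, i = _addr(t, i, dst)
        ok_dp, i = _port(t, i, dport)  # icmp type keywords are not evaluated
        if ok_s and ok_sp and ok_d and ok_dp:
            return t[2]
    return "deny"
```

Evaluating port 10002, or a 10.x.x.x source, against ACL_102_FIXED confirms that only the two forwarded ports open and that the anti-spoofing denies above the new permits still apply.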

4 Replies

mchin345
Level 6

The Cisco 827 router is usually a DSL customer premises equipment (CPE). In this sample configuration, the Cisco 827 is configured for Point-to-Point Protocol over Ethernet (PPPoE) and is used as a peer in a LAN-to-LAN IPSec tunnel with a Cisco 3600 router. The Cisco 827 is also doing Network Address Translation (NAT) overloading to provide Internet connection for its internal network.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009475c.shtml

http://www.cisco.com/en/US/tech/tk648/tk361/tk438/tsd_technology_support_sub-protocol_home.html

The sample config that you provided does NAT/PAT for internal network devices going OUT to the Internet. It does not provide NAT/PAT in the reverse direction though. What I need to do is twofold:

1. The first is to provide a site-to-site VPN from the 837 router to the corporate network, which I've achieved already.

2. The second part is to enable NAT/PAT from the Internet to reach some of my internal devices on the inside of the 837 router, and this is the part that I'm having a problem with.

Thanks for your reply.

Hi vincent

I see you are in trouble with the static NAT/PAT configuration on your 837 router. I have the same kind of setup with an 837 router in the UK and a PIX 515E here in Germany: dynamic VPN for VPN clients and site-to-site VPN between the router and the PIX.

I also have to enable NAT and PAT for services like Microsoft Remote Desktop, for example, to reach a server with IP forwarding in the trusted LAN behind the router.

My problem is that when I enable PAT with "ip nat inside source static (inside-IP)(Port) (outside-IP)(Port)" for RDP, for example (port 3389), the same service will no longer work over the VPN, site-to-site or dynamic.

It also works when I disable ip inspect tcp, and I don't know why!

Do you use the firewall on the router besides VPN and NAT/PAT?

And have you solved your problems with NAT and PAT?

In the next post you can see my configuration.

Thanks and regards,

Frank

Hi vincent

version 12.3
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw h323 timeout 3600
ip audit notify log
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXX address 62.157.89.91
crypto isakmp client configuration address-pool local dynvpn
!
crypto isakmp client configuration group MobileVPN-UK
 key XXXXXXXX
 dns 192.168.7.1
 domain slxuk.local
 pool dynvpn
!
crypto ipsec transform-set sharks esp-3des esp-sha-hmac
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
crypto map OSNL isakmp authorization list MobileVPN-UK
crypto map OSNL client configuration address respond
crypto map OSNL 1 ipsec-isakmp dynamic dynmap
crypto map OSNL 10 ipsec-isakmp
 set peer 62.157.89.91
 set transform-set sharks
 match address 160
!
interface Loopback0
 ip address 192.168.37.254 255.255.255.0
!
interface Ethernet0
 description CRWS Generated text. Please do not delete this:192.168.7.254-255.255.255.0
 ip address 192.168.7.254 255.255.255.0
 ip nat inside
 ip inspect myfw in
 ip route-cache policy
 ip policy route-map nonat
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname XXXXXXXXXXXXXXXXx
 ppp chap password 7 XXXXXXXXXXXXXXXXxx
 ppp pap sent-username XXXXXXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXXXXXXXXXX
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map OSNL
 hold-queue 224 in
!
ip local pool dynvpn 192.168.37.1 192.168.37.100
ip nat inside source static tcp 192.168.7.1 3389 interface Dialer1 3389
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.1.16.0 255.255.255.0 192.168.7.1
ip route 172.16.0.0 255.255.0.0 62.157.89.91
ip route 192.168.6.0 255.255.255.0 192.168.7.1
!
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 3389
access-list 111 permit tcp any any eq 2001
access-list 111 permit tcp any any eq telnet
access-list 111 deny ip any any
access-list 140 deny ip 192.168.7.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 140 deny ip 192.168.7.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 140 deny ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 140 deny ip 192.168.6.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 140 deny ip 10.1.16.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 140 deny ip 10.1.16.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 140 permit ip 192.168.7.0 0.0.0.255 any
access-list 160 permit ip 192.168.7.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 160 permit ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 160 permit ip 10.1.16.0 0.0.0.255 172.16.0.0 0.0.255.255
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 140
!
Router#
