Doubt configuring NAT

ciscolover
Level 1

Hi all,

I have a router connected to the internet and a private LAN 192.168.5.X. Currently all the traffic of my LAN is NATed to the Internet side:

interface Dialer1
 ip nat outside

interface FastEthernet0/1
 ip nat inside

access-list 101 permit ip any any

ip nat inside source list 101 interface Dialer1 overload

Now I would like to have the same configuration but also transform one public IP to a private IP.

How can I configure the router to do inside NAT on the Dialer 1 interface and outside NAT on the FE0/1 interface to always transform the same public IP 1.1.1.1 to the private IP 192.168.5.5, and do the same when the packet goes to the internet (192.168.5.5 --> 1.1.1.1)?

Thanks all.

John Blakley
VIP Alumni

I would change the 101 acl to allow only the subnet that you're wanting instead of "any any".

access-list 101 permit ip 192.168.5.0 0.0.0.255 any

Then to do your other request, you would configure another line for that single host:

ip nat inside source static 192.168.5.5 1.1.1.1

The above is one for one nat. You could also tie it down to a port:

ip nat inside source static tcp 192.168.5.5 80 1.1.1.1 80

HTH,
John

*** Please rate all useful posts ***
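
An added example, not part of the thread or any poster's own code: a small Python check that applies the two suggestions above to an IOS configuration, flagging a NAT ACL of "permit ip any any" and a one-to-one static NAT, which translates every port of the public address to the inside host. The function name audit_nat and the finding labels are assumptions; the sample configs are constructed from lines posted in this thread.

```python
def audit_nat(config):
    """Return findings for broad NAT ACLs and all-port static NAT entries.

    Accepts both the classic form (ip nat inside source ...) and the
    NVI form (ip nat source ...). Expects unabbreviated, lowercase keywords.
    """
    acls, nat_lists, findings = {}, [], []
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:1] == ["access-list"] and len(tok) >= 4:
            # Remember every entry of each numbered ACL.
            acls.setdefault(tok[1], []).append(" ".join(tok[2:]))
        elif tok[:2] == ["ip", "nat"]:
            rest = [t for t in tok[2:] if t != "inside"]
            if rest[:2] == ["source", "list"] and len(rest) >= 3:
                nat_lists.append(rest[2])          # ACL that selects NAT traffic
            elif rest[:2] == ["source", "static"]:
                args = rest[2:]
                if len(args) == 5 and args[0] in ("tcp", "udp"):
                    continue                        # tied to one port: not flagged
                if len(args) == 2:                  # local-ip global-ip, all ports
                    findings.append(("static-all-ports", args[0], args[1]))
    # Second pass, because an ACL may be defined after the NAT statement.
    for acl in nat_lists:
        for entry in acls.get(acl, []):
            if entry == "permit ip any any":
                findings.append(("nat-acl-any-any", acl, entry))
    return findings


# Constructed sample: the original ACL plus the one-to-one static entry.
ORIGINAL = """\
interface Dialer1
 ip nat outside
interface FastEthernet0/1
 ip nat inside
access-list 101 permit ip any any
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static 192.168.5.5 1.1.1.1
"""

# Constructed sample: ACL limited to the LAN subnet, static NAT tied to a port.
TIGHTENED = """\
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.5.5 80 1.1.1.1 80
"""

if __name__ == "__main__":
    for finding in audit_nat(ORIGINAL):
        print(finding)
```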

cadet alain
VIP Alumni

Hi,

If I understand your problem correctly, you are doing NAT overload on your outside interface and you would like to statically NAT another public IP on the WAN to a specific IP on the LAN?

If so then you can do ip nat inside source static 192.168.5.5 1.1.1.1

But you'll need to have this 1.1.1.1 IP routable by your ISP.

Regards

Alain

Don't forget to rate helpful posts.

Thanks for your help...

Yes, I'm doing NAT overload on my outside interface and I would like to statically NAT another public IP on the WAN to a specific IP on the LAN.

I don't know how to use inside NAT on the WAN interface for this public IP and outside NAT on the WAN interface for all the rest of the LAN traffic.

cadet alain
VIP Alumni

Hi,

You can't configure an interface as nat inside and nat outside at the same time but you can use NAT NVI syntax with ip nat enable under interfaces and the traffic flow along with nat statement will decide if it is an inside or outside interface.

But to allow public IP access to a private IP you need to do static NAT like we told you. Are we misunderstanding something?

Regards

Alain

Don't forget to rate helpful posts.

I have read about NAT NVI and it is not necessary to specify the inside or outside interface...

Could you help me with an example?

Interface dialer 1 IP NAT

Interface FE0/1   IP NAT

access-list 101 permit ip 192.168.5.0 0.0.0.255 any

ip nat inside source static 192.168.5.5 1.1.1.1

For that config, you'll need to remove your existing configuration from all interfaces. Your nat commands will change as well:

int dial1

no ip nat out

ip nat enable

int fa0/1

no ip nat in

ip nat enable

access-list 101 permit ip 192.168.5.0 0.0.0.255 any

ip nat source list 101 inter dial1

ip nat source static 192.168.5.5 1.1.1.1

As Alain stated, your ISP will need to route whatever public address you're wanting to use. So, we're assuming that you have a block of addresses that have been assigned to you.

HTH,
John

*** Please rate all useful posts ***

Thanks for your help and your example...

I have a static public IP address assigned to an interface of my router... The router is a PPPoE client and always obtains the same IP.

If I try to access the public IP (1.1.1.1) from the internet on port 443, I want the router to transform this public IP to 192.168.5.5 (this is the IP of an internal server).

Also the clients/users of the private network 192.168.4.0/24 send traffic to the router and the router NATs this traffic (overload) and sends it to the WAN interface.

Does the router really know that all the traffic from the 192.168.4.0/24 network needs NAT inside on the LAN interface and NAT outside on the WAN interface without the ip nat inside/outside commands, and that all the traffic to the public IP 1.1.1.1:443 needs NAT inside on the WAN interface and NAT outside on the LAN interface to 192.168.5.5 without ip nat inside/outside?

It's easy... I cannot try it now...

Hi,

Both of your requirements are inside NAT because this is the IP of the inside server which is statically NATted to the IP on the WAN side for your static NAT; with a static NAT the translation is bidirectional.

Now what you are asking here:

If I try to access the public IP (1.1.1.1) from the internet on port 443, I want the router to transform this public IP to 192.168.5.5 (this is the IP of an internal server).

is static inside PAT: ip nat inside source static tcp 192.168.5.5 443 1.1.1.1 443 or with nat nvi syntax:

ip nat source static tcp 192.168.5.5 443 1.1.1.1 443

Regards

Alain

Don't forget to rate helpful posts.

Thanks!!

In this case the WAN interface is the NAT inside and the LAN interface the NAT outside... to connect from the internet to the server...

In the case of the internet users of my LAN, the LAN interface is the NAT inside and the WAN interface is the NAT outside...

Is this not correct?

Regards!!!

Hi,

No, in both cases the LAN interface is inside and the WAN is outside.

Regards

Alain

Don't forget to rate helpful posts.