I’ve had a good search and can’t find an example of what I was thinking would be quite a common configuration!
So far my config is as below, so basic NAT to allow inside devices access to the internet.
What I need to do is allow static NAT from the outside to an inside host but only from specific sources on the internet.
I’ve seen some configuration using route maps but the examples I have seen appear to control how to NAT out via different interfaces based on destination address, whereas I want to NAT in based on source address.
Many thanks in advance.
! inside (LAN) interface
ip address 192.168.1.1 255.255.255.0
ip nat inside
! outside (Dialer0) interface
ip nat outside
! wildcard mask corrected to 0.0.0.255 to match the 192.168.1.0/24 LAN above (0.0.255.255 matched all of 192.168.0.0/16)
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface dialer 0 overload
I am not sure I fully understand. Do you want to present an internal host to the outside but only allow certain hosts to it, or do you want to NAT the internet client IPs as they come in, or something else entirely?
Could you perhaps clarify with an example using the IPs of the device internally, how you want it to be seen on the internet, and what you want to do with internet client IPs?
OK, for example, I have a web server on the internal network with the IP address 192.168.1.10. I want to allow access to TCP port 80 from the internet but only from host 220.127.116.11.
Can I ask why you don't just use an ACL to control the access? Using 18.104.22.168 as the public IP you present the web server on in this example, why can you not just do -
ip nat inside source static tcp 192.168.1.10 80 22.214.171.124 80
and then use an ACL on your outside interface to only allow the specific IPs you want.
I suspect you may be able to do some policy NAT, but I don't have anything to test with, so it would be trial and error, e.g.
ip nat inside source static tcp 192.168.1.10 80 126.96.36.199 80 route-map WEB
! ACL renumbered to 102 so it does not append to the overload list 101 already in use
access-list 102 permit tcp host 192.168.1.10 eq 80 host 188.8.131.52
route-map WEB permit 10
 match ip address 102
Note that with the above config I am not sure whether the NAT statement supports using TCP port numbers, i.e. a normal static translation does, but this is conditional NAT so it may not.
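The first of the two options above (a plain static port translation plus an inbound ACL on the outside interface) written out in full, as an added example that is not the poster's own configuration. It uses the addresses from the question (server 192.168.1.10, permitted source 220.127.116.11, outside interface Dialer0); the ACL name OUTSIDE-IN is an assumed name, and the ACL is named rather than numbered so it cannot collide with the overload list 101 from the original config.

```cisco
! Added example, not from the thread. Publishes 192.168.1.10:80 on the
! Dialer0 public address and limits access to the single source host from
! the question. OUTSIDE-IN is an assumed ACL name.
!
! 1. Static port translation. "interface Dialer0" is used instead of a fixed
!    public address because a dialer's address may be negotiated.
ip nat inside source static tcp 192.168.1.10 80 interface Dialer0 80
!
! 2. Inbound filter on the outside interface. Inbound ACLs are evaluated
!    before outside-to-inside NAT, so match on the public (pre-translation)
!    destination, here "any" with the port, and on the real internet source.
ip access-list extended OUTSIDE-IN
 remark only this source may reach the published web port
 permit tcp host 220.127.116.11 any eq 80
 deny   tcp any any eq 80 log
 remark replies to TCP sessions the inside hosts opened via the overload NAT
 permit tcp any any established
 remark ICMP needed for path MTU discovery and traceroute/ping replies
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark UDP replies (DNS, NTP) for inside-initiated sessions; NAT will not
 remark forward inbound UDP that has no translation, but stateful inspection
 remark (ip inspect or zone-based firewall) is the tighter choice here
 permit udp any any
 remark everything else is dropped by the implicit deny at the end
!
! 3. Apply the filter inbound on the outside interface.
interface Dialer0
 ip access-group OUTSIDE-IN in
!
! 4. Checks after the change:
! clear ip nat translation *          (stale dynamic entries for 192.168.1.10 can mask a new static)
! show ip nat translations            (the static TCP/80 entry should be listed)
! show ip access-lists OUTSIDE-IN     (hit counters on the permit/deny lines confirm what is being matched)
```

The ACL and the translation do different jobs: NAT decides where a packet to the public address is delivered, the ACL decides who is allowed to send it. Because the ACL sits on the outside interface it also filters return traffic for sessions the LAN opened, which is why the `established`, ICMP and UDP lines are there; on a router that already runs stateful inspection on Dialer0 only the first two lines of the ACL are needed.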
I wanted to use a route map to forward a range of ports rather than just a single one (sorry, I was trying to keep my example above simple!).
As these appear to be based on ACLs, I thought I could also control the source address as well as the ports, if that makes sense?
As I say, I don't have anything to test with, so these are just suggestions, but you could try changing the NAT statement to -
ip nat inside source static 192.168.10.1 184.108.40.206 route-map WEB
but I think that would just create a static entry in the translation table, i.e. without any ports, so you may as well just use -
ip nat inside source static 192.168.10.1 220.127.116.11
and then control the access via an ACL. Of course, if you need to translate 192.168.10.1 to a different public IP for different connections, then you could use the route-map NAT statement with the "extendable" keyword.
Apologies for not being able to give definitive answers, but I just don't have the equipment and this is definitely something that needs testing.
There are a lot of other people on these forums though, so hopefully someone else who may be able to give a more definitive answer will join in.
I gave up after looking into it further! There appeared to be some bug around creating route maps for UDP ranges.
My config now has 2000+ lines that look like this:
ip nat inside source static udp 192.168.1.64 7036 interface Dialer0 7036
However, when testing it appears we are still having issues! Does the above config look OK?
From what you have posted it looks fine. Be aware that if there were already dynamic entries for 192.168.1.64 in the translation table before setting up the statics, this may have caused a problem.
What sort of issues are you facing?
Yeah I tried to clear the translations but got the same behaviour.
I’m trying to NAT a SIP trunk through to a PBX. The issue appears to be the call will establish but there is no audio once the call is connected.
Previously I had NAT entries for media ports but was told by the ITSP that only 5060 is required as the media ports are opened dynamically.
When I do a ‘show ip nat translations’ I can see it is opening things dynamically but we still get no audio on the call.
I read on other posts about the ‘ip nat service sip udp 5060’ command, which, as I understand it, will turn SIP ALG on, or off if negated. However, this appears not to make any difference!
Thanks for all your help.
Are all the NAT translations meant to be for SIP or are they for something else, i.e. if SIP dynamically opens ports back then you wouldn't need static NAT translations, so I am assuming they are for something else?
Apart from checking any ACLs etc. which may be applied to the interfaces, I suspect I will be of limited help as I have no experience with SIP.
You may want to either post in the VoIP forums or move this thread there if the main issue is SIP, as I am sure there must be people in there who have done this sort of thing before.
Sorry I can't be more help; I just don't have any experience with it.
NATing SIP is a tricky beast, completely different from "regular" NAT. SIP is picky.
Try issuing "no ip nat service sip udp port 5060". If that doesn't do the trick, maybe you then need to make your router act as an SBC. More details at http://www.cisco.com/en/US/docs/ios/12_4t/ip_addr/configuration/guide/htnatsbc.html
(Edit: there are some why's at this link