01-15-2014 06:07 AM - edited 03-04-2019 10:05 PM
Hi all,
I’ve had a good search and can’t find an example of what I was thinking would be quite a common configuration!
So far my config is as below, so basic NAT to allow inside devices access to the internet.
What I need to do is allow static NAT from the outside to an inside host but only from specific sources on the internet.
I’ve seen some configuration using route maps but the examples I have seen appear to control how to NAT out via different interfaces based on destination address, whereas I want to NAT in based on source address.
Many thanks in advance.
Matty
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface Dialer0
ip nat outside
!
access-list 101 permit ip 192.168.1.0 0.0.255.255 any
ip nat inside source list 101 interface dialer 0 overload
01-15-2014 06:28 AM
Matty
I am not sure I fully understand. Do you want to present an internal host to the outside but only allow certain hosts to it, or do you want to NAT the internet client IPs as they come in, or something else entirely?
Could you perhaps clarify with an example using the IPs of the device internally, how you want it to be seen on the internet and what you want to do with internet client IPs?
Jon
01-15-2014 06:33 AM
Hi Jon,
Ok for example I have a web server on the internal network with an IP address 192.168.1.10. I want to allow access to TCP port 80 from the internet but only from host 8.8.8.8.
Thanks
Matty
01-15-2014 06:51 AM
Hi Matty
Can I ask why you don't just use an ACL to control the access? Using 175.10.10.1 as the public IP in this example that you present the web server on, why can you not just do -
ip nat inside source static tcp 192.168.1.10 80 175.10.10.1 80
and then use an acl on your outside interface to only allow the specific IPs you want.
I suspect you may be able to do some policy NAT but I don't have anything to test with so it would be trial and error eg.
ip nat inside source static tcp 192.168.1.10 80 175.10.10.1 80 route-map WEB
access-list 101 permit tcp host 192.168.1.10 eq 80 host 8.8.8.8
route-map WEB permit 10
match ip address 101
Note with the above config I am not sure whether the NAT statement supports using TCP port numbers ie. a normal static translation does but this is conditional NAT so it may not.
Jon
01-15-2014 07:11 AM
Hi Jon,
I wanted to use a route map to forward a range of ports rather than just a single one (sorry, I was trying to keep my example above simple!).
As these appear to be based on ACLs I thought I could also control the source address as well as the ports, if that makes sense?
Thanks
Matty
01-15-2014 08:33 AM
Matty
As I say, I don't have anything to test with so these are just suggestions, but you could try changing the NAT statement to -
ip nat inside source static 192.168.10.1 175.10.10.1 route-map WEB
but I think that would just create a static entry in the translation table ie. without any ports, so you may as well just use -
ip nat inside source static 192.168.10.1 175.10.10.1
and then control the access via an ACL. Of course if you need to translate 192.168.10.1 to another public IP for different connections then you could use the route map NAT statement with the "extendable" keyword.
Apologies for not being able to give definitive answers, but I just don't have the equipment and this is definitely something that needs testing.
There are a lot of other people on these forums though, so hopefully someone else may join who may be able to give a more definitive answer.
Jon
01-17-2014 03:14 AM
Thanks Jon,
I gave up after looking into it further! There appeared to be some bug around creating route maps for UDP ranges.
My config now has 2000+ lines that look like this:
ip nat inside source static udp 192.168.1.64 7036 interface Dialer0 7036
However when testing it appears we are still having issues! Does the above config look ok?
Thanks
Matty
01-17-2014 06:08 AM
Matty
From what you have posted it looks fine. Be aware that if there were already dynamic entries for 192.168.1.64 in the translation table before setting up the statics, this may have caused a problem.
What sort of issues are you facing?
Jon
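An added check, my own example rather than anything from the thread, for the stale-dynamic-entry problem Jon describes: it parses `show ip nat translations` output and flags inside-local ports of the PBX whose inside-global port was overloaded to a different number instead of the intended one-to-one static mapping. The sample output is constructed, and the public IP 175.10.10.1 (from Jon's earlier example) and the UDP port range are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of 'show ip nat translations' output (not captured from the
# thread's router). 7036 is correctly static, but 7040 was PAT-overloaded to
# global port 1024 by a dynamic session that existed before the static was added,
# so the far end sends media to the wrong port and the call has no audio.
SAMPLE_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 175.10.10.1:5060   192.168.1.64:5060  ---                ---
udp 175.10.10.1:7036   192.168.1.64:7036  ---                ---
udp 175.10.10.1:1024   192.168.1.64:7040  8.8.8.8:7040       8.8.8.8:7040
tcp 175.10.10.1:80     192.168.1.10:80    ---                ---
"""

# Matches the protocol, inside-global and inside-local columns of each entry.
LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)")

Entry = Tuple[str, str, int, str, int]  # proto, global_ip, global_port, local_ip, local_port


def parse_translations(text: str) -> List[Entry]:
    """Parse translation-table lines; the header and non-port rows are skipped."""
    rows: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, gip, gport, lip, lport = m.groups()
            rows.append((proto, gip, int(gport), lip, int(lport)))
    return rows


def static_port_map(ports: range) -> Dict[int, int]:
    """Intended mapping for 'ip nat inside source static udp H P interface Dialer0 P':
    every local port maps to the identical global port."""
    return {p: p for p in ports}


def find_port_mismatches(text: str, host: str, proto: str, ports: range) -> List[Tuple[int, int]]:
    """Return (local_port, actual_global_port) for entries of `host` that contradict
    the intended static mapping; each one needs 'clear ip nat translation' before
    the static entry can take effect."""
    intended = static_port_map(ports)
    bad = []
    for p, _gip, gport, lip, lport in parse_translations(text):
        if p == proto and lip == host and lport in intended and gport != intended[lport]:
            bad.append((lport, gport))
    return bad
```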
01-17-2014 07:31 AM
Hi Jon,
Yeah I tried to clear the translations but got the same behaviour.
I’m trying to NAT a SIP trunk through to a PBX. The issue appears to be the call will establish but there is no audio once the call is connected.
Previously I had NAT entries for media ports but was told by the ITSP that only 5060 is required as the media ports are opened dynamically.
When I do a ‘show ip nat translations’ I can see it is opening things dynamically but we still get no audio on the call.
I read on other posts about the ‘ip nat service sip udp 5060’ command, which as I understand it will turn sip ALG on or off if negated. However this appears to not make any difference!
Any ideas?
Thanks for all your help.
Matty
01-17-2014 07:58 AM
Matty
Are all the NAT translations meant to be for SIP or are they for something else ie. if SIP dynamically opens ports back then you wouldn't need static NAT translations, so I am assuming they are for something else?
Apart from checking any ACLs etc. which may be applied to the interfaces I suspect I will be of limited help as I have no experience with SIP.
You may want to either post into the VoIP forums or move this thread there if the main issue is SIP, as I am sure there must be people in there who have done this sort of thing before.
Sorry I can't be more help, I just don't have any experience with it.
Jon
01-18-2014 02:18 PM
Jon,
NAT'ing SIP is a tricky beast, completely different from "regular" NAT. SIP is picky.
Try to issue a "no ip nat service sip udp port 5060". If that doesn't do the trick, maybe you then need to make your router act as an SBC. More details at http://www.cisco.com/en/US/docs/ios/12_4t/ip_addr/configuration/guide/htnatsbc.html
HTH.
(Edit: there are some why's at this link