05-13-2015 09:09 AM - edited 03-05-2019 01:27 AM
I'm replacing an old internet router with a new Cisco 2911 and trying to clean up some of the configuration. The current configuration has multiple NAT statements permitting traffic from the outside on multiple ports to the same port numbers on an inside host:
ip nat inside source static tcp 10.2.2.26 20 1.2.3.4 20 extendable
ip nat inside source static tcp 10.2.2.26 21 1.2.3.4 21 extendable
ip nat inside source static tcp 10.2.2.26 80 1.2.3.4 80 extendable
ip nat inside source static tcp 10.2.2.26 3000 1.2.3.4 3000 extendable
ip nat inside source static tcp 10.2.2.26 3001 1.2.3.4 3001 extendable
ip nat inside source static tcp 10.2.2.26 3002 1.2.3.4 3002 extendable
ip nat inside source static tcp 10.2.2.26 3003 1.2.3.4 3003 extendable
ip nat inside source static tcp 10.2.2.26 3004 1.2.3.4 3004 extendable
ip nat inside source static tcp 10.2.2.26 3005 1.2.3.4 3005 extendable
ip nat inside source static tcp 10.2.2.26 3006 1.2.3.4 3006 extendable
ip nat inside source static tcp 10.2.2.26 3007 1.2.3.4 3007 extendable
ip nat inside source static tcp 10.2.2.26 3008 1.2.3.4 3008 extendable
ip nat inside source static tcp 10.2.2.26 3009 1.2.3.4 3009 extendable
ip nat inside source static tcp 10.2.2.26 3010 1.2.3.4 3010 extendable
ip nat inside source static tcp 10.2.2.26 3011 1.2.3.4 3011 extendable
ip nat inside source static tcp 10.2.2.26 3012 1.2.3.4 3012 extendable
ip nat inside source static tcp 10.2.2.26 3013 1.2.3.4 3013 extendable
ip nat inside source static tcp 10.2.2.26 3014 1.2.3.4 3014 extendable
ip nat inside source static tcp 10.2.2.26 3015 1.2.3.4 3015 extendable
ip nat inside source static tcp 10.2.2.26 3016 1.2.3.4 3016 extendable
ip nat inside source static tcp 10.2.2.26 3017 1.2.3.4 3017 extendable
ip nat inside source static tcp 10.2.2.26 3018 1.2.3.4 3018 extendable
ip nat inside source static tcp 10.2.2.26 3019 1.2.3.4 3019 extendable
ip nat inside source static tcp 10.2.2.26 3020 1.2.3.4 3020 extendable
ip nat inside source static udp 10.2.2.26 21068 1.2.3.4 21068 extendable
ip nat inside source static udp 10.2.2.26 47808 1.2.3.4 47808 extendable
The outside interface also has an ACL permitting only the necessary ports:
270 permit tcp any host 1.2.3.4 eq www
280 permit tcp any host 1.2.3.4 eq ftp
290 permit tcp any host 1.2.3.4 eq ftp-data
300 permit udp any host 1.2.3.4 eq 21068
310 permit udp any host 1.2.3.4 eq 47808
320 permit tcp any host 1.2.3.4 range 3000 3020
Is there any logical benefit to having the multiple NAT statements NAT'ing each individual port through if the internet-facing ACL is only allowing those ports anyway?
I guess I'm asking what's better? To have this:
ip nat inside source static 10.2.2.26 1.2.3.4
with all the ACLs permitting only the necessary traffic,
or the long list of NAT statements and the ACLs?
Matt.
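An added audit script (not part of the thread and not a Cisco tool) that makes the trade-off in the question concrete: it parses static port-NAT entries and "permit ... any host" ACL lines in the shape shown above and reports, per outside address, which ports are translated but blocked by the ACL, and which ports the ACL permits without a matching translation. The second set is the one to check before collapsing to a single 1:1 static NAT, because after that change the ACL is the only thing keeping those ports closed. The sample config is constructed: a shortened version of the question's entries with a stale tcp/3003 translation and a missing tcp/20 translation put in on purpose, and the port-keyword table covers only a handful of IOS names.

```python
"""Audit static port-NAT entries against the outside ACL before collapsing to 1:1 NAT."""
import re
from collections import defaultdict

# Constructed sample in the shape of the question's config (not a real device export).
SAMPLE_CONFIG = """\
ip nat inside source static tcp 10.2.2.26 21 1.2.3.4 21 extendable
ip nat inside source static tcp 10.2.2.26 80 1.2.3.4 80 extendable
ip nat inside source static tcp 10.2.2.26 3000 1.2.3.4 3000 extendable
ip nat inside source static tcp 10.2.2.26 3001 1.2.3.4 3001 extendable
ip nat inside source static tcp 10.2.2.26 3002 1.2.3.4 3002 extendable
ip nat inside source static tcp 10.2.2.26 3003 1.2.3.4 3003 extendable
ip nat inside source static udp 10.2.2.26 21068 1.2.3.4 21068 extendable
270 permit tcp any host 1.2.3.4 eq www
280 permit tcp any host 1.2.3.4 eq ftp
290 permit tcp any host 1.2.3.4 eq ftp-data
300 permit udp any host 1.2.3.4 eq 21068
320 permit tcp any host 1.2.3.4 range 3000 3002
"""

# Subset of the well-known port keywords IOS accepts in ACL entries.
PORT_NAMES = {
    "ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53,
    "tftp": 69, "www": 80, "pop3": 110, "ntp": 123, "snmp": 161,
}

NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)\b")
ACL_RE = re.compile(
    r"^(?:\d+\s+)?permit (tcp|udp) any host (\S+) (?:eq (\S+)|range (\d+) (\d+))\s*$"
)


def port_number(token):
    """Resolve an ACL port operand: either a number or a known IOS keyword."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES[token]


def parse_nat(config_text):
    """Map each outside (global) address to the set of (proto, outside_port) it translates."""
    exposed = defaultdict(set)
    for line in config_text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            proto, _inside_ip, _inside_port, outside_ip, outside_port = m.groups()
            exposed[outside_ip].add((proto, int(outside_port)))
    return exposed


def parse_acl(config_text):
    """Map each 'permit ... any host X' destination to the set of (proto, port) it allows."""
    permitted = defaultdict(set)
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        proto, host, eq_port, lo, hi = m.groups()
        if eq_port is not None:
            permitted[host].add((proto, port_number(eq_port)))
        else:
            for p in range(int(lo), int(hi) + 1):
                permitted[host].add((proto, p))
    return permitted


def audit(config_text):
    """Per outside address: ports translated but not permitted (stale NAT entries, harmless)
    and ports permitted but not translated (newly reachable once a 1:1 static NAT is used)."""
    nat, acl = parse_nat(config_text), parse_acl(config_text)
    report = {}
    for ip in set(nat) | set(acl):
        report[ip] = {
            "translated_not_permitted": nat[ip] - acl[ip],
            "permitted_not_translated": acl[ip] - nat[ip],
        }
    return report


if __name__ == "__main__":
    for ip, r in audit(SAMPLE_CONFIG).items():
        print(ip)
        print("  translated but blocked by ACL:", sorted(r["translated_not_permitted"]))
        print("  permitted but not translated:  ", sorted(r["permitted_not_translated"]))
```

On the sample, tcp/3003 shows up as a translation the ACL already blocks (safe to drop), and tcp/20 shows up as an ACL permit with no translation behind it; that second finding is exactly what turns into a reachable port the moment the per-port entries are replaced by one 1:1 static NAT, so it is the list to reconcile first. Run it against `show running-config` output after checking that the ACL lines match the `permit ... any host` form the regex expects.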
05-13-2015 07:12 PM
Matt,
No benefit at all, but what if I later tell you that port 22 needs to be listening on 10.2.2.26, but the inside address should be 1.2.3.200, not 1.2.3.4?
At this point you will need to replace the ip nat inside source static 10.2.2.26 1.2.3.4 with multiple entries.
Anyway, if you have enough external addresses you could do a 1:1 NAT and then filter the ports on the ACL as you suggested.