Multiple NAT statements or just one?

Matt Goli
Level 1

I'm replacing an old internet router with a new Cisco 2911 and trying to clean up some of the configuration. The current configuration has multiple NAT statements permitting traffic from the outside on multiple ports to the same port numbers on an inside host:

ip nat inside source static tcp 10.2.2.26 20 1.2.3.4 20 extendable
ip nat inside source static tcp 10.2.2.26 21 1.2.3.4 21 extendable
ip nat inside source static tcp 10.2.2.26 80 1.2.3.4 80 extendable
ip nat inside source static tcp 10.2.2.26 3000 1.2.3.4 3000 extendable
ip nat inside source static tcp 10.2.2.26 3001 1.2.3.4 3001 extendable
ip nat inside source static tcp 10.2.2.26 3002 1.2.3.4 3002 extendable
ip nat inside source static tcp 10.2.2.26 3003 1.2.3.4 3003 extendable
ip nat inside source static tcp 10.2.2.26 3004 1.2.3.4 3004 extendable
ip nat inside source static tcp 10.2.2.26 3005 1.2.3.4 3005 extendable
ip nat inside source static tcp 10.2.2.26 3006 1.2.3.4 3006 extendable
ip nat inside source static tcp 10.2.2.26 3007 1.2.3.4 3007 extendable
ip nat inside source static tcp 10.2.2.26 3008 1.2.3.4 3008 extendable
ip nat inside source static tcp 10.2.2.26 3009 1.2.3.4 3009 extendable
ip nat inside source static tcp 10.2.2.26 3010 1.2.3.4 3010 extendable
ip nat inside source static tcp 10.2.2.26 3011 1.2.3.4 3011 extendable
ip nat inside source static tcp 10.2.2.26 3012 1.2.3.4 3012 extendable
ip nat inside source static tcp 10.2.2.26 3013 1.2.3.4 3013 extendable
ip nat inside source static tcp 10.2.2.26 3014 1.2.3.4 3014 extendable
ip nat inside source static tcp 10.2.2.26 3015 1.2.3.4 3015 extendable
ip nat inside source static tcp 10.2.2.26 3016 1.2.3.4 3016 extendable
ip nat inside source static tcp 10.2.2.26 3017 1.2.3.4 3017 extendable
ip nat inside source static tcp 10.2.2.26 3018 1.2.3.4 3018 extendable
ip nat inside source static tcp 10.2.2.26 3019 1.2.3.4 3019 extendable
ip nat inside source static tcp 10.2.2.26 3020 1.2.3.4 3020 extendable
ip nat inside source static udp 10.2.2.26 21068 1.2.3.4 21068 extendable
ip nat inside source static udp 10.2.2.26 47808 1.2.3.4 47808 extendable

The outside interface also has an ACL permitting only the necessary ports:

    270 permit tcp any host 1.2.3.4 eq www
    280 permit tcp any host 1.2.3.4 eq ftp
    290 permit tcp any host 1.2.3.4 eq ftp-data
    300 permit udp any host 1.2.3.4 eq 21068
    310 permit udp any host 1.2.3.4 eq 47808
    320 permit tcp any host 1.2.3.4 range 3000 3020

Is there any logical benefit to having the multiple NAT statements NATing each individual port through if the internet-facing ACL is only allowing those ports anyway?

I guess I'm asking what's better: to have this:

ip nat inside source static 10.2.2.26 1.2.3.4

with all the ACLs permitting only the necessary traffic,

or the long list of NAT statements and the ACLs?

Matt.

1 Reply

Edwin Matos
Level 1

Matt,

No benefit at all, but what about if I later tell you that port 22 needs to be listening on 10.2.2.26, but the inside address should be 1.2.3.200, not 1.2.3.4?

At this point you will need to replace the ip nat inside source static 10.2.2.26 1.2.3.4 with multiple entries.

Anyway, if you have enough external addresses you could do a 1:1 NAT and then filter the ports with an ACL as you suggested.
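As an added example, not from either post, here is a small Python model of the two designs discussed in the question and the reply. It parses the NAT statements and the outside ACL quoted in the question, computes which inside ports are reachable from the internet under the per-port table and under the single 1:1 statement, and then checks two cases: a constructed over-broad ACL entry (`330 permit ip any host 1.2.3.4`, added to stand in for a later mistake) and the reply's scenario of publishing port 22 on a second outside address, 1.2.3.200 (the port-22 NAT line and its ACL line are constructed for the test). The reachability model is deliberately simple: a packet from the outside reaches an inside port only if the router has a translation for it and the ACL permits it; state, return traffic and the router's own services are ignored.

```python
"""Compare per-port static NAT with 1:1 static NAT behind an outside-interface ACL.
Added example; NAT and ACL lines are copied from the forum post, the extra
"sloppy" ACL entry and the port-22 mapping are constructed for the checks."""
import re

PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20}   # names used by the ACL
ALL_PORTS = frozenset(range(1, 65536))

# NAT tables from the post (tcp 3000-3020 generated instead of listed out).
NAT_PER_PORT = "\n".join(
    [f"ip nat inside source static tcp 10.2.2.26 {p} 1.2.3.4 {p} extendable"
     for p in (20, 21, 80, *range(3000, 3021))]
    + [f"ip nat inside source static udp 10.2.2.26 {p} 1.2.3.4 {p} extendable"
       for p in (21068, 47808)])
NAT_ONE_TO_ONE = "ip nat inside source static 10.2.2.26 1.2.3.4"

# Outside-interface ACL from the post; an implicit deny follows the last line.
ACL = """
270 permit tcp any host 1.2.3.4 eq www
280 permit tcp any host 1.2.3.4 eq ftp
290 permit tcp any host 1.2.3.4 eq ftp-data
300 permit udp any host 1.2.3.4 eq 21068
310 permit udp any host 1.2.3.4 eq 47808
320 permit tcp any host 1.2.3.4 range 3000 3020
"""
# Constructed: an over-broad line added by mistake during a later change.
ACL_SLOPPY = ACL + "330 permit ip any host 1.2.3.4\n"
# Constructed: the reply's scenario, port 22 published on a second outside address.
NAT_PER_PORT_PLUS_22 = NAT_PER_PORT + \
    "\nip nat inside source static tcp 10.2.2.26 22 1.2.3.200 22 extendable"
ACL_PLUS_22 = ACL + "330 permit tcp any host 1.2.3.200 eq 22\n"

NAT_PORT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
NAT_1TO1_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)$")
ACL_RE = re.compile(r"^(?:\d+ )?(permit|deny) (tcp|udp|ip) any host (\S+)"
                    r"(?: eq (\S+)| range (\d+) (\d+))?$")


def parse_nat(text):
    """Return (proto, inside_ip, inside_port, outside_ip, outside_port) tuples.
    proto and the ports are None for a 1:1 mapping, which translates every port."""
    entries = []
    for line in (l.strip() for l in text.strip().splitlines()):
        if not line:
            continue
        m = NAT_PORT_RE.match(line)
        if m:
            proto, iip, iport, oip, oport = m.groups()
            entries.append((proto, iip, int(iport), oip, int(oport)))
            continue
        m = NAT_1TO1_RE.match(line)
        if m:
            iip, oip = m.groups()
            entries.append((None, iip, None, oip, None))
            continue
        raise ValueError(f"unrecognised NAT line: {line}")
    return entries


def parse_acl(text):
    """Return (action, proto, dst_ip, permitted_ports) rules in order; first match wins."""
    rules = []
    for line in (l.strip() for l in text.strip().splitlines()):
        if not line:
            continue
        m = ACL_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line}")
        action, proto, dst, eq, lo, hi = m.groups()
        if eq:
            ports = frozenset({PORT_NAMES.get(eq) or int(eq)})
        elif lo:
            ports = frozenset(range(int(lo), int(hi) + 1))
        else:
            ports = ALL_PORTS          # no port qualifier: the whole protocol
        rules.append((action, proto, dst, ports))
    return rules


def acl_permits(rules, proto, dst, port):
    for action, rproto, rdst, ports in rules:
        if rdst == dst and rproto in (proto, "ip") and port in ports:
            return action == "permit"
    return False                       # implicit deny at the end of the ACL


def exposed(nat_text, acl_text, outside_ip):
    """Inside ports (per protocol) reachable from the internet via outside_ip:
    the packet needs both a NAT translation and an ACL permit."""
    rules = parse_acl(acl_text)
    reach = {"tcp": set(), "udp": set()}
    for proto, _iip, iport, oip, oport in parse_nat(nat_text):
        if oip != outside_ip:
            continue
        if proto is None:              # 1:1: every port of both protocols is translated
            candidates = [(p, n, n) for p in ("tcp", "udp") for n in ALL_PORTS]
        else:
            candidates = [(proto, oport, iport)]
        for p, o, i in candidates:
            if acl_permits(rules, p, outside_ip, o):
                reach[p].add(i)
    return {p: frozenset(s) for p, s in reach.items()}


if __name__ == "__main__":
    for name, nat in (("per-port", NAT_PER_PORT), ("1:1", NAT_ONE_TO_ONE)):
        for acl_name, acl in (("ACL", ACL), ("ACL_SLOPPY", ACL_SLOPPY)):
            r = exposed(nat, acl, "1.2.3.4")
            print(f"{name:8} {acl_name:10} tcp={len(r['tcp'])} udp={len(r['udp'])}")
```

With the ACL exactly as posted, both designs expose the same 24 TCP and 2 UDP ports, which is the "no benefit" answer. With the constructed extra `permit ip` line, the 1:1 design exposes every port of both protocols on 10.2.2.26, while the per-port table still exposes only the listed ones, so the long list buys a second, independent control. The port-22-on-1.2.3.200 case can only be expressed with per-port entries; the single 1:1 statement gives 1.2.3.200 no translation at all.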
