NAT all ports with a Cisco 831

bleon
Level 1

Quick question, I just set up a Cisco 831 at home, and rather than write a NAT statement for every port that needs to be forwarded, can I just have my device NAT all incoming connections to my Linux box?

Here are the current related portions of my config. I have MANY more ports that need to be forwarded, thus wanting to simply have the router forward EVERYTHING. Thanks!!!

interface Ethernet0
 description Facing Internal (the LAN)
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1
 description Facing the ISP (the WAN)
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
!
.......
ip nat inside source list 100 interface Ethernet1 overload
ip nat inside source static tcp 172.16.1.5 80 interface Ethernet1 8080
ip nat inside source static tcp 172.16.1.5 9090 interface Ethernet1 9090
ip nat inside source static tcp 172.16.1.5 22 interface Ethernet1 22
!
!
ip access-list extended NAT-IN
access-list 100 permit ip any any


mrdogantr
Level 1

ip nat inside source static 172.16.1.5 interface Ethernet1

hth

Muammer

wow! ok now I feel silly for asking, =P I'll test it out when I get home tonight =) Thanks!

This did not work. I'm still able to connect out, even using it right now, but incoming connections are not coming through to my Linux machine. I connected to an outside machine and tried to SSH back to my Linux machine, and it timed out.

New config:

ip nat inside source list 100 interface Ethernet1 overload
ip nat inside source static 172.16.1.5 interface Ethernet1
!
!
ip access-list extended NAT-IN
access-list 100 permit ip any any

This was the only change I made to my original config above.

Hi Brandon,

Do the config like below, which should work for your scenario.

ip nat inside source route-map NAT-IN interface Ethernet1 overload
ip nat inside source static 172.16.1.5 interface Ethernet1
!
! the route-map referenced above must exist; it selects traffic via the ACL of the same name
route-map NAT-IN permit 10
 match ip address NAT-IN
!
ip access-list extended NAT-IN
 permit ip any any

OR

ip access-list extended NAT-IN
 permit "source-ip subnet" any

Please rate if this helps you... :-)

Regards,

Naidu.

Hi Naidu,

Could you explain why the route-map will do the trick but not the ACL?

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Alain,

A route-map protects against unwanted outside users reaching the inside users/servers. It also has the capability to map a single inside IP address to different Inside Global addresses based on the rule.

When NAT uses a route map to decide to create a translation entry, it will always create a "fully extended" translation entry. This translation entry will contain both the inside and outside (local and global) address entries and any TCP or UDP port information.

The ACL operation is similar to the route-map case, except that the route-map has some additional features.

The advantage of using route-maps is that under the match command you can have more options other than source IP address. For example, under the route-map, match interface or match ip next-hop can be specified. By using route-maps, you can specify the IP address as well as the interface or the next-hop address to which the packet is to be forwarded. Therefore, route-maps with NAT are used in a scenario where the subscriber is multi-homing to different ISPs.

I hope this clears it up for you... :-)

Regards,

Naidu.
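To make the route-map behaviour Naidu describes concrete, here is an added IOS configuration example (not from this thread or from Cisco's documentation). It assumes a hypothetical router with two ISP uplinks, Ethernet1 and Ethernet2, and the LAN 172.16.1.0/24 from the original post; the route-maps match on both the source ACL and the egress interface, so each ISP sees only translations using its own interface address.

```cisco
! Added example: NAT selected by route-map instead of a bare ACL.
! Assumed topology: LAN on Ethernet0 (172.16.1.0/24), ISP-A on Ethernet1, ISP-B on Ethernet2.
!
! Only the LAN subnet is translated; "permit ip any any" would also translate
! anything else that happens to arrive on an inside interface.
ip access-list extended LAN-HOSTS
 permit ip 172.16.1.0 0.0.0.255 any
!
! Packets leaving via Ethernet1 are translated to Ethernet1's address ...
route-map NAT-ISP-A permit 10
 match ip address LAN-HOSTS
 match interface Ethernet1
!
! ... and packets leaving via Ethernet2 to Ethernet2's address.
route-map NAT-ISP-B permit 10
 match ip address LAN-HOSTS
 match interface Ethernet2
!
ip nat inside source route-map NAT-ISP-A interface Ethernet1 overload
ip nat inside source route-map NAT-ISP-B interface Ethernet2 overload
!
! Static one-to-one mapping of the internal server, as in the thread;
! inbound connections to Ethernet1's address are handed to 172.16.1.5 on every port.
ip nat inside source static 172.16.1.5 interface Ethernet1
!
interface Ethernet0
 ip nat inside
!
interface Ethernet1
 ip nat outside
!
interface Ethernet2
 ip nat outside
```

Because the static entry exposes every listening service on 172.16.1.5 to the Internet, pair it with an inbound access-list on the outside interface that permits only the ports the server is meant to serve; `show ip nat translations` confirms which entries are actually being created.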

Hi Naidu,

The ACL operation is similar to the route-map case except that route-map has some additional features

Are those features going to solve the OP's problem?

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Alain,

OK, that is what I got from the Cisco docs.
And as far as I have observed over a long time, I have nowhere seen ACLs used in NAT (global NAT) instead of route-maps.

Regards,
Naidu.
