12-12-2010 05:51 PM - edited 03-04-2019 10:45 AM
Quick question: I just set up a Cisco 831 at home, and rather than write a NAT statement for every port that needs to be forwarded, can I just have my device NAT all incoming connections to my Linux box?
Here are the currently related portions of my config. I have MANY more ports that need to be forwarded, thus wanting to simply have the router forward EVERYTHING. Thanks!!!
interface Ethernet0
description Facing Internal (the LAN)
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Ethernet1
description Facing the ISP (the WAN)
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
!
.......
ip nat inside source list 100 interface Ethernet1 overload
ip nat inside source static tcp 172.16.1.5 80 interface Ethernet1 8080
ip nat inside source static tcp 172.16.1.5 9090 interface Ethernet1 9090
ip nat inside source static tcp 172.16.1.5 22 interface Ethernet1 22
!
!
ip access-list extended NAT-IN
access-list 100 permit ip any any
12-13-2010 01:46 AM
ip nat inside source static 172.16.1.5 interface Ethernet1
hth
Muammer
12-13-2010 06:46 PM
Wow! OK, now I feel silly for asking. =P I'll test it out when I get home tonight. =) Thanks!
12-15-2010 12:45 AM
This did not work. I'm still able to connect out (I'm even using it right now), but incoming connections are not coming through to my Linux machine. I connected to an outside machine and tried to SSH back to my Linux machine; it timed out.
New config:
ip nat inside source list 100 interface Ethernet1 overload
ip nat inside source static 172.16.1.5 interface Ethernet1
!
!
ip access-list extended NAT-IN
access-list 100 permit ip any any
This was the only change I made to my original config above.
12-15-2010 01:16 AM
Hi Brandon,
Use the config below, which should work for your scenario.
ip nat inside source route-map NAT-IN interface Ethernet1 overload
ip nat inside source static 172.16.1.5 interface Ethernet1
!
! route-map referenced by the NAT statement above; it matches the ACL of the same name
route-map NAT-IN permit 10
 match ip address NAT-IN
!
ip access-list extended NAT-IN
 permit ip any any
OR
ip access-list extended NAT-IN
 permit "source-ip subnet" any
Please rate if this helps you... :-)
Regards,
Naidu.
12-15-2010 01:35 AM
Hi Naidu,
Could you explain why the route-map will do the trick but not the ACL?
Regards.
Alain.
12-15-2010 02:05 AM
Hi Alain,
A route-map protects against unwanted outside users reaching the inside users/servers. It also has the capability to map a single inside IP address to different Inside Global addresses based on the rule.
When NAT uses a route map to decide to create a translation entry, it will always create a "fully extended" translation entry. This translation entry will contain both the inside and outside (local and global) address entries and any TCP or UDP port information.
The ACL operation is similar to the route-map case, except that the route-map has some additional features.
The advantage of using route-maps is that under the match command you can have more options other than source IP address. For example, under the route-map, match interface or match ip next-hop can be specified. By using route-maps, you can specify the IP address as well as the interface or the next-hop address to which the packet is to be forwarded. Therefore, route-maps with NAT are used in a scenario where the subscriber is multi-homing to different ISPs.
I hope this clears it up for you... :-)
Regards,
Naidu.
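The multi-homing case Naidu describes above (route-map matching on both source address and outgoing interface), as an added IOS example that is not part of the thread. It assumes a router with a second WAN port named Ethernet2 (the OP's 831 has only Ethernet0/Ethernet1) and reuses the OP's LAN 172.16.1.0/24; the ACL is deliberately narrower than the thread's "permit ip any any" so only LAN sources are eligible for translation.

```cisco
! Added example, not from the original thread. Assumes a second uplink Ethernet2.
interface Ethernet0
 description Facing Internal (the LAN)
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 description ISP-A (WAN)
 ip address dhcp
 ip nat outside
!
interface Ethernet2
 description ISP-B (WAN), assumed second uplink
 ip address dhcp
 ip nat outside
!
! Only the LAN subnet may be translated (tighter than "permit ip any any")
ip access-list extended LAN-HOSTS
 permit ip 172.16.1.0 0.0.0.255 any
!
! One route-map per uplink: a flow is translated only when its source is in
! LAN-HOSTS AND it leaves by that uplink, so each ISP sees its own address.
route-map NAT-ISP-A permit 10
 match ip address LAN-HOSTS
 match interface Ethernet1
!
route-map NAT-ISP-B permit 10
 match ip address LAN-HOSTS
 match interface Ethernet2
!
ip nat inside source route-map NAT-ISP-A interface Ethernet1 overload
ip nat inside source route-map NAT-ISP-B interface Ethernet2 overload
!
! Checks: route-map translations show as fully extended entries (ports and
! outside address), which is the behaviour Naidu describes.
! show ip nat translations verbose
! show route-map NAT-ISP-A
```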
12-15-2010 02:17 AM
Hi Naidu,
The ACL operation is similar to the route-map case except that route-map has some additional features
Are those features going to solve the OP's problem?
Regards.
Alain.
12-15-2010 02:33 AM
Hi Alain,
OK, that is what I got from the Cisco docs.
And as far as I have observed over a long time, I have nowhere seen ACLs used in NAT (global NAT) instead of route-maps.
Regards,
Naidu.