11-08-2007 08:23 PM - edited 03-03-2019 07:28 PM
Hi Guys,
I have a quick NAT question.
I'm doing basic outgoing dynamic NAT overloading to an outside address. (DSL)
I'm also doing some static NAT to direct connections from the outside address to my mail server.
With this config, people from the internet can connect to my internet address on port 110 and all works well, forwarding it to my internal mail server.
But... I would like to extend this. I want to be able to sit on the local network and connect to the outside internet address on port 110. The router would then need to route my traffic from my inside address back inside to the mail server.
Why do I want to do this you ask? I want to be able to configure my mail client to the outside address and then no matter if I'm away from home or connected locally I'll get my data without needing to change settings on my laptop.
ps I know POP (110) is insecure over the net. In fact I am using secure IMAP but didn't want to complicate the example.
Here's a config snippet (using an 1800)
!
interface VLAN1
description Local LAN
ip address 192.168.0.254 255.255.255.0
ip nat inside
!
interface Dialer1
description Internet Connection
ip nat outside
ip inspect insp-fw-in in
ip inspect insp-fw-out out
!
ip nat inside source route-map NAT-MAP interface Dialer1 overload
ip nat inside source static tcp 192.168.0.123 110 interface Dialer1 110
!
ip access-list extended nat-outbound
remark NAT ACL
remark Permitted addresses to NAT
permit ip 192.168.0.0 0.0.0.255 any
remark External IP Address does not need natting (don't log its attempts)
deny ip host <outside IP> any
remark Deny All and log all other traffic trying to NAT
deny ip any any log
!
route-map NAT-MAP permit 1
match ip address nat-outbound
!
I do remember somewhere that Cisco had implemented a feature to enable this. Unfortunately I can't remember what it was called. Can't seem to find it via Google.
Any ideas would be appreciated.
Ben
11-08-2007 09:47 PM
I believe you are looking for NAT Virtual Interface (NVI).
Before you configure the NAT Virtual Interface feature, you should understand some of its concepts, so please check out this link:
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a008044eddc.html
11-08-2007 11:03 PM
Ahh perfect. That seems like it will work.
Unfortunately the code example they give seems to be totally different to the network diagram above it.
I'll do some head scratching and see if I can figure it out.
If someone has a basic working config for a standard 1 IP Internet connection it would be much appreciated.
01-07-2008 06:11 AM
EdisonOrtiz,
Thanks for the details... but I'm a bit stuck.
I have done some searching and reading but can't seem to find a simple working logical example for NVI.
All of the examples on the net seem to have the wrong diagram and missing commands.
If anyone has a nice simple example running NVI with an "inside" of something like 192.168.0.254/24 and a single dynamic "outside" IP it would be most appreciated.
(Running 12.4.11 IOS if that helps in any way)
Regards
Ben
01-07-2008 04:56 PM
Ben,
It's very simple: instead of creating an "inside" and "outside" domain for NAT, replace both commands with ip nat enable.
No need to change the rest of the configuration.
01-15-2008 04:21 AM
EdisonOrtiz,
I have tried swapping both interfaces to "ip nat enable" and turned on debugging but it doesn't seem to work at all.
With a "debug ip nat" running I don't get anything come up.
"show ip nat trans" shows me no dynamic entries
interface Vlan1
ip nat enable
interface Dialer1
ip nat enable
ip nat inside source static tcp 192.168.0.10 25 interface Dialer1 25
ip nat inside source route-map NAT-MAP interface Dialer1 overload
also tried
ip nat inside source list nat-outbound interface Dialer1 overload
route-map NAT-MAP permit 1
match ip address nat-outbound
ip access-list extended nat-outbound
remark Permitted addresses to NAT
permit ip 192.168.0.0 0.0.0.255 any
Any ideas?
Regards
Ben
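The following is an added example, not a config posted in this thread: it is the NVI form of Ben's original config, using the same addresses (LAN 192.168.0.0/24 on Vlan1, mail server 192.168.0.123, PPPoE on Dialer1) and the same <outside IP> placeholder as his ACL. The point it illustrates is that NVI translations are entered with "ip nat source", not "ip nat inside source": the "inside" form only ever matches traffic passing between an "ip nat inside" and an "ip nat outside" interface, so once both interfaces carry "ip nat enable" it never fires, which is why nothing shows up in the debug. Whether a given IOS accepts "interface Dialer1" in place of the explicit address in the NVI static line is an assumption to check on the router, not something verified here on 12.4(11).

```cisco
! Added example (not from the original posts): NVI version of the config.
! Assumes the thread's addresses; <outside IP> is a placeholder as in the
! original ACL.
!
interface Vlan1
 description Local LAN
 ip address 192.168.0.254 255.255.255.0
 ip nat enable
!
interface Dialer1
 description Internet Connection
 ip nat enable
!
! NVI rules: "ip nat source ...", with no "inside" keyword.
! Dynamic overload for outbound LAN traffic (also used for the hairpin).
ip nat source list nat-outbound interface Dialer1 overload
! Static port map for the mail server; under NVI the destination is
! translated before the routing lookup, so a LAN host that connects to
! <outside IP>:110 is sent back out Vlan1 to 192.168.0.123:110.
ip nat source static tcp 192.168.0.123 110 <outside IP> 110
!
ip access-list extended nat-outbound
 remark Permitted addresses to NAT
 permit ip 192.168.0.0 0.0.0.255 any
```

NVI keeps its own table, so check it with "show ip nat nvi translations" rather than "show ip nat translations", and use "debug ip nat nvi" in place of "debug ip nat". Expect the hairpinned connection to arrive at the mail server with <outside IP> as its source address (the overload rule rewrites the laptop's LAN address on the way back in), so the server's logs and any address-based restrictions on it will see the router's public address, not 192.168.0.x, for those sessions.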
01-15-2008 12:21 PM
I believe what you are looking for is NAT on a stick.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml
But your setup is complicated in that the server and the hosts are on the same IP subnet.
I think this is the way to go:
interface Loopback0
description Interface Used for NAT loop
ip address 169.254.0.1 255.255.255.252
ip nat outside
!
interface VLAN1
description Local LAN
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip policy route-map Nat-loop
!
ip route
!
ip nat inside source list 102 interface overload
!
access-list 102 remark *** Used for NAT loop ***
access-list 102 permit ip 192.168.0.0 0.0.0.255 host
access-list 102 remark *** Used for NAT loop ***
!
route-map Nat-loop permit 10
match ip address 102
set ip next-hop 169.254.0.2
But there is no guarantee that it will actually work.
In fact you may need to swap this:
ip nat inside source static tcp 192.168.0.10 25 interface Dialer1 25
With this:
ip nat inside source static tcp 192.168.0.10 25
But let me know if you get lucky.