02-02-2016 03:52 AM - edited 03-05-2019 03:15 AM
Hello,
I have been assigned the task of configuring NAT and forwarding some ports on a Cisco 2800 router. I am listing the things I need to achieve; please help me configure it.
The public IP is 4.4.4.4, terminating on g0/1.
To let the public IP reach the local IPs below, we need to do port forwarding in our router:
Local servers connected on G0/0.20:
Probe 1 172.16.20.2 Port 2021
Probe 2 172.16.20.3 Port 2022
Probe 3 172.16.20.4 Port 2023
Probe 4 172.16.20.5 Port 2024
Probe 5 172.16.20.6 Port 2025
Probe 6 172.16.20.7 Port 2026
Global servers with public IP addresses:
The probes above will be communicating with the servers below:
5.5.5.5
6.6.6.6
7.7.7.7
8.8.8.8
On the following ports:
ICMP/8 (ping) INBOUND
UDP 5000 to 6000 (SIP & RTP) INBOUND and OUTBOUND
TCP 2007 INBOUND and OUTBOUND
TCP 2008 INBOUND and OUTBOUND
TCP 2009 INBOUND and OUTBOUND
TCP 80 (HTTP) INBOUND
TCP 22 (SSH) INBOUND
02-03-2016 06:20 AM
Hello, duahimanshu816.
Am I right that you want to translate these ports:
UDP 5000 to 6000 (SIP & RTP) INBOUND and OUTBOUND
TCP 2007 INBOUND and OUTBOUND
TCP 2008 INBOUND and OUTBOUND
TCP 2009 INBOUND and OUTBOUND
TCP 80 (HTTP) INBOUND
TCP 22 (SSH) INBOUND
like this:
5.5.5.5 -> 4.4.4.4: 80 transfer to 172.16.20.2:80
5.5.5.5 -> 4.4.4.4: 80 transfer to 172.16.20.3:80
5.5.5.5 -> 4.4.4.4: 80 transfer to 172.16.20.4:80
5.5.5.5 -> 4.4.4.4: 80 transfer to 172.16.20.5:80
etc?
That is not logically possible.
If you want your probes to be accessible from the internet only on ports 2021-2026, and you want to give your probes access to the global addresses on the ports listed at the start, then you can use this:
! choose tcp or udp here; you did not write above which protocol the probe ports use
ip nat inside source static tcp 172.16.20.2 2021 4.4.4.4 2021
ip nat inside source static tcp 172.16.20.3 2022 4.4.4.4 2022
ip nat inside source static tcp 172.16.20.4 2023 4.4.4.4 2023
ip nat inside source static tcp 172.16.20.5 2024 4.4.4.4 2024
ip nat inside source static tcp 172.16.20.6 2025 4.4.4.4 2025
ip nat inside source static tcp 172.16.20.7 2026 4.4.4.4 2026
object-group network INSIDE_SERVERS (this way gives more flexibility)
host 172.16.20.2
host 172.16.20.3
host 172.16.20.4
host 172.16.20.5
host 172.16.20.6
host 172.16.20.7
object-group network OUTSIDE_SERVERS
host 5.5.5.5
host 6.6.6.6
host 7.7.7.7
host 8.8.8.8
ip access-list extended NAT
 permit ip object-group INSIDE_SERVERS object-group OUTSIDE_SERVERS
! "source" and "overload" were missing; PAT on the interface address needs both
ip nat inside source list NAT interface g0/1 overload
! the interfaces also have to be marked for NAT (assumed here, not in the original reply)
interface g0/1
 ip nat outside
interface g0/0.20
 ip nat inside
And for restricting access to the external servers, you can apply an ACL in the "in" direction on the internal (G0/0.20) interface.
To restrict access to the internal servers to specific global servers only, you can apply an ACL in the "in" direction on the external (g0/1) interface.
Best Regards.
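A complete version of the approach in the reply above, as an added worked example; it is not AllerGen's or the original poster's configuration. It assumes g0/1 carries 4.4.4.4 (the mask and the router's VLAN 20 address 172.16.20.1 are placeholders), that the probes sit on VLAN 20 behind G0/0.20, and an IOS release of 12.4(20)T or later (network object-groups in ACLs, which is also the answer to the later question about the 2800) with the security feature set for `ip inspect`. The object-group, ACL and inspect-rule names are chosen here, not taken from the thread.

```cisco
! Added worked example, not the thread's own configuration.
! Assumed: 4.4.4.4/30 on g0/1, 172.16.20.1/24 on G0/0.20 (VLAN 20),
! IOS 12.4(20)T+ with the security feature set.
!
interface GigabitEthernet0/1
 description Internet
 ip address 4.4.4.4 255.255.255.252
 ip nat outside
 ip access-group FROM_INTERNET in
 ip inspect PROBE_SESSIONS out
!
interface GigabitEthernet0/0.20
 description Probes (VLAN 20)
 encapsulation dot1Q 20
 ip address 172.16.20.1 255.255.255.0
 ip nat inside
 ip access-group PROBES_TO_INTERNET in
!
object-group network PROBES
 host 172.16.20.2
 host 172.16.20.3
 host 172.16.20.4
 host 172.16.20.5
 host 172.16.20.6
 host 172.16.20.7
!
object-group network VOICE_SERVERS
 host 5.5.5.5
 host 6.6.6.6
 host 7.7.7.7
 host 8.8.8.8
!
! Inbound: one public port per probe. Nothing else on 4.4.4.4 is forwarded.
ip nat inside source static tcp 172.16.20.2 2021 4.4.4.4 2021
ip nat inside source static tcp 172.16.20.3 2022 4.4.4.4 2022
ip nat inside source static tcp 172.16.20.4 2023 4.4.4.4 2023
ip nat inside source static tcp 172.16.20.5 2024 4.4.4.4 2024
ip nat inside source static tcp 172.16.20.6 2025 4.4.4.4 2025
ip nat inside source static tcp 172.16.20.7 2026 4.4.4.4 2026
!
! Outbound: PAT behind 4.4.4.4, but only for probe -> voice-server traffic.
ip access-list extended NAT_OUT
 permit ip object-group PROBES object-group VOICE_SERVERS
ip nat inside source list NAT_OUT interface GigabitEthernet0/1 overload
!
! What the probes may start. Applied "in" on the probe-facing sub-interface,
! so it sees the real 172.16.20.x addresses (ACL runs before inside->outside NAT).
! The "established" line lets the probes answer the forwarded 2021-2026 sessions.
ip access-list extended PROBES_TO_INTERNET
 permit udp object-group PROBES object-group VOICE_SERVERS range 5000 6000
 permit tcp object-group PROBES object-group VOICE_SERVERS range 2007 2009
 permit tcp object-group PROBES range 2021 2026 object-group VOICE_SERVERS established
 deny   ip any any log
!
! What the voice servers may start. Applied "in" on g0/1, which is evaluated
! BEFORE outside->inside NAT, so it must name the public address and public ports.
! ICMP echo to 4.4.4.4 ends on the router itself; PAT cannot hand a ping to a probe.
ip access-list extended FROM_INTERNET
 permit icmp object-group VOICE_SERVERS host 4.4.4.4 echo
 permit tcp  object-group VOICE_SERVERS host 4.4.4.4 range 2021 2026
 deny   ip any any log
!
! CBAC on outgoing sessions opens the matching return holes through FROM_INTERNET,
! so SIP/RTP replies do not need a permanent "permit udp any" from the internet.
ip inspect name PROBE_SESSIONS tcp
ip inspect name PROBE_SESSIONS udp
ip inspect name PROBE_SESSIONS icmp
```

Two caveats the thread only hints at. The ACL applied inbound on g0/1 is checked before NAT, so it must match 4.4.4.4 and the public ports 2021-2026; a rule written against 172.16.20.x there never matches. And with a single public address an inbound ping, HTTP or SSH to 4.4.4.4 terminates on the router, not on a probe: only a 1:1 `ip nat inside source static` can forward whole protocols, and that needs one public address per probe. To check the result, `show ip nat translations` should list the six static entries plus the dynamic PAT entries, `show ip access-lists FROM_INTERNET` shows the hit counters (the `deny ... log` lines report what was dropped), and `show ip inspect sessions` shows the return holes CBAC has opened.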
02-04-2016 01:54 AM
Dear AllerGen,
Thanks for the reply; it really helps me a lot to understand the scenario.
My only confusion is with what you mentioned above:
ip nat inside source static tcp/udp (choose a protocol here, because you didn't write it above) 172.16.20.2 2021 4.4.4.4 2021
I have a range of TCP ports we need to open (2000 to 2007, 80, 22) and UDP ports 5000 to 6000.
Is there any way to put a port range, like
ip nat inside source static tcp/udp range 172.16.20.3 2022 4.4.4.4 2022
and so on?
02-04-2016 02:33 AM
Am I right that you want to make a range of ports accessible from outside to inside?
02-04-2016 02:59 AM
Yes. I want that if the traffic comes from the networks mentioned below:
5.5.5.5
6.6.6.6
7.7.7.7
8.8.8.8
they should be able to access my local servers:
host 172.16.20.2
host 172.16.20.3
host 172.16.20.4
host 172.16.20.5
host 172.16.20.6
host 172.16.20.7
The ports on which the outsiders need to communicate are:
ICMP/8 (ping), TCP 80, 22 and 2000-2010
UDP 5000-6000
On the ports mentioned above, my router should allow them to communicate with each other.
02-04-2016 04:11 AM
Just to make it easy for you.
Each probe (172.16.20.0) needs to be able to communicate with our internet servers at IP addresses:
• 5.5.5.5
• 6.6.6.6
• 7.7.7.7
• 8.8.8.8
• 9.9.9.9
On the following ports:
• ICMP/8 (ping) INBOUND
• UDP 5000 to 6000 (SIP & RTP) INBOUND and OUTBOUND
• TCP 2007 INBOUND and OUTBOUND
• TCP 2008 INBOUND and OUTBOUND
• TCP 2009 INBOUND and OUTBOUND
• TCP 80 (HTTP) INBOUND
• TCP 22 (SSH) INBOUND
Tell me one thing: you mentioned above creating an object-group. Is it possible to create a network object-group on a Cisco 2800 router?
02-04-2016 10:53 PM
Well, there are a few solutions. Just to be sure: are your internal servers SIP servers?
Best Regards.
02-05-2016 02:49 AM
Yes, it's SIP.
Let me tell you what I did, but I am not sure whether it will work or not:
ip nat inside source static tcp 172.16.20.2 2021 4.4.4.4 2021
ip nat inside source static tcp 172.16.20.3 2022 4.4.4.4 2022
and so on...
ip nat inside source list NAT interface GigabitEthernet0/1 overload
ip access-list extended NAT
 permit tcp 172.16.20.0 0.0.0.7 range 2000 2010 host 5.5.5.5
 ! 22 and 80 as separate entries; "range ftp www" would have matched 21-80
 permit tcp 172.16.20.0 0.0.0.7 eq 22 host 5.5.5.5
 permit tcp 172.16.20.0 0.0.0.7 eq www host 5.5.5.5
 ! UDP ranges need a "permit udp" entry, not "permit tcp ... range udp"
 permit udp 172.16.20.0 0.0.0.7 range 5000 6000 host 5.5.5.5
and so on, with all the public IPs that want to communicate with the local servers.
02-05-2016 06:35 AM
Hi.
Your solution opens ports 2021 and 2022 from the outside to the internal servers. So the other ports are not accessible from outside (if the initiator of the connection is someone outside; from inside it will work without problems).
So there are a few solutions that I could find:
1. Source port range: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/12-4t/nat-12-4t-book/iadnat-usr-srcport-pat.pdf
2. Policy-map (and as I see from the solution, it can work with ranges in the ACL): http://networkengineering.stackexchange.com/questions/2238/open-a-range-of-tcp-ports-in-cisco-ios-nat
But I don't know how it will work if two of your servers choose the same port for the voice traffic for different clients (they will want to use the same port in the NAT translation, and this can cause some problems).
Best Regards.
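One way to implement the second option (policy NAT through a route-map), as an added example that is not from the thread or from the linked pages. It assumes `ip nat inside` and `ip nat outside` are already set on G0/0.20 and g0/1, that the IOS release supports the `reversible` keyword on static route-map NAT (verify on yours), and that 4.4.4.4 is handed to one probe for these ports. The ACL and route-map names are chosen here.

```cisco
! Added example for policy NAT with a route-map; not the thread's configuration.
! Assumed: ip nat inside/outside already on the interfaces, IOS with
! "route-map ... reversible" support, 4.4.4.4 used by ONE probe for these ports.
!
! Only the listed ports of probe 1 are translated. Any other traffic from or to
! 172.16.20.2 stays untranslated and is therefore unreachable from outside.
ip access-list extended PROBE1_PORTS
 permit tcp host 172.16.20.2 range 2000 2010 any
 permit tcp host 172.16.20.2 eq 22 any
 permit tcp host 172.16.20.2 eq www any
 permit udp host 172.16.20.2 range 5000 6000 any
!
route-map PROBE1_NAT permit 10
 match ip address PROBE1_PORTS
!
! "reversible" lets sessions that start outside (5.5.5.5 -> 4.4.4.4:2005) use the
! route-map too; without it only probe-initiated sessions are translated.
ip nat inside source static 172.16.20.2 4.4.4.4 route-map PROBE1_NAT reversible
!
! The outside ACL still has to admit the public ports from the voice servers.
ip access-list extended FROM_INTERNET
 permit tcp host 5.5.5.5 host 4.4.4.4 range 2000 2010
 permit tcp host 5.5.5.5 host 4.4.4.4 eq 22
 permit tcp host 5.5.5.5 host 4.4.4.4 eq www
 permit udp host 5.5.5.5 host 4.4.4.4 range 5000 6000
 deny   ip any any log
```

Because the static entry is 1:1, the inside port equals the outside port, so a second probe cannot share 4.4.4.4 on the same ports; that is exactly the collision described in the reply above. Each additional probe needs either its own public address or a port range the others do not use, and the probe itself has to listen on that range, since static NAT does not renumber ports. To check, open a connection from 5.5.5.5 to 4.4.4.4:2005 and run `show ip nat translations`; if no entry for 172.16.20.2 appears, the release is not applying the route-map in the reverse direction.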