NAT configuration on Cisco 2800

duahimanshu816
Level 1

Hello,

I have been assigned the task of configuring NAT and forwarding some ports on a Cisco 2800 router. I am listing the things I need to achieve; please help me configure it.

The public IP is 4.4.4.4, terminating on g0/1.

To enable the public IP to reach the local IPs below, we need to do port forwarding on our router:

Local servers connected to G0/0.20:

Probe 1 172.16.20.2 Port 2021
Probe 2 172.16.20.3 Port 2022
Probe 2 172.16.20.4 Port 2023
Probe 2 172.16.20.5 Port 2024
Probe 2 172.16.20.6 Port 2025
Probe 2 172.16.20.7 Port 2026

Global servers with public IP addresses:

The probes above will be communicating with the servers below:

5.5.5.5

6.6.6.6

7.7.7.7

8.8.8.8 

On the following ports:

ICMP/8 (ping) INBOUND

UDP 5000 to 6000 (SIP & RTP) INBOUND and OUTBOUND

TCP 2007 INBOUND and OUTBOUND

TCP 2008 INBOUND and OUTBOUND

TCP 2009 INBOUND and OUTBOUND

TCP 80 (HTTP) INBOUND

TCP 22 (SSH) INBOUND

 

AllertGen
Level 3

Hello,

Am I right that you want to translate these ports:

UDP 5000 to 6000 (SIP & RTP) INBOUND and OUTBOUND

TCP 2007 INBOUND and OUTBOUND

TCP 2008 INBOUND and OUTBOUND

TCP 2009 INBOUND and OUTBOUND

TCP 80 (HTTP) INBOUND

TCP 22 (SSH) INBOUND

like this:

5.5.5.5 -> 4.4.4.4: 80 transfer to 172.16.20.2:80

5.5.5.5 -> 4.4.4.4: 80 transfer to 172.16.20.3:80

5.5.5.5 -> 4.4.4.4: 80 transfer to 172.16.20.4:80

5.5.5.5 -> 4.4.4.4: 80 transfer to 172.16.20.5:80

etc?

It will not be possible logically.

If you want your probes to be accessible only on 2021-2026 from the internet, and you want to give access from your probes to the global addresses on the ports listed at the start, then you can use this:

! choose tcp or udp here, because you did not write the protocol above
ip nat inside source static {tcp|udp} 172.16.20.2 2021 4.4.4.4 2021
ip nat inside source static {tcp|udp} 172.16.20.3 2022 4.4.4.4 2022
ip nat inside source static {tcp|udp} 172.16.20.4 2023 4.4.4.4 2023
ip nat inside source static {tcp|udp} 172.16.20.5 2024 4.4.4.4 2024
ip nat inside source static {tcp|udp} 172.16.20.6 2025 4.4.4.4 2025
ip nat inside source static {tcp|udp} 172.16.20.7 2026 4.4.4.4 2026
! object-groups give more flexibility here
object-group network INSIDE_SERVERS
 host 172.16.20.2
 host 172.16.20.3
 host 172.16.20.4
 host 172.16.20.5
 host 172.16.20.6
 host 172.16.20.7
object-group network OUTSIDE_SERVERS
 host 5.5.5.5
 host 6.6.6.6
 host 7.7.7.7
 host 8.8.8.8
ip access-list extended NAT
 permit ip object-group INSIDE_SERVERS object-group OUTSIDE_SERVERS
! dynamic PAT for the probes' outbound connections ("source" and "overload" are required)
ip nat inside source list NAT interface g0/1 overload
! translation only happens between interfaces marked inside and outside
interface GigabitEthernet0/0.20
 ip nat inside
interface GigabitEthernet0/1
 ip nat outside

And to restrict access to the external servers, you can apply an ACL in the "in" direction on the internal (G0/0.20) interface.

To restrict access to the internal servers to specific global servers only, you can apply an ACL in the "in" direction on the external (g0/1) interface.

Best Regards.
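As an added illustration (not part of the reply above and not Cisco code), here is a small Python model of that design: it renders the static port-forward lines for the six probes and works out how a packet arriving on g0/1 is handled once the source-restricting inbound ACL and the static translations are in place. The choice of TCP as the translated protocol, the packet model and the sample packets are assumptions.

```python
"""Model of static port forwarding plus a source-restricted inbound ACL.
Constructed example: it mimics router behaviour, it is not IOS."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PUBLIC_IP = "4.4.4.4"
# Inside host -> port exposed on the public IP (from the thread).
PROBES = {
    "172.16.20.2": 2021, "172.16.20.3": 2022, "172.16.20.4": 2023,
    "172.16.20.5": 2024, "172.16.20.6": 2025, "172.16.20.7": 2026,
}
# Only these global servers are allowed to initiate connections inbound.
OUTSIDE_SERVERS = {"5.5.5.5", "6.6.6.6", "7.7.7.7", "8.8.8.8"}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


def static_nat_lines(proto: str = "tcp") -> List[str]:
    """Render one 'ip nat inside source static' line per probe (assumed protocol)."""
    return [f"ip nat inside source static {proto} {host} {port} {PUBLIC_IP} {port}"
            for host, port in sorted(PROBES.items(), key=lambda kv: kv[1])]


def inbound(pkt: Packet, translated_proto: str = "tcp") -> Tuple[str, Optional[str]]:
    """Fate of a packet arriving on the outside interface g0/1.
    Returns (verdict, inside destination 'host:port' or None)."""
    # 1. Inbound ACL on g0/1 is evaluated before translation, so it sees the
    #    public destination 4.4.4.4; here it only filters on the source.
    if pkt.src not in OUTSIDE_SERVERS:
        return ("dropped: source not in OUTSIDE_SERVERS", None)
    # 2. Static PAT: only (protocol, port) pairs with an entry are translated.
    if pkt.dst != PUBLIC_IP or pkt.proto != translated_proto:
        return ("dropped: no translation", None)
    for host, port in PROBES.items():
        if port == pkt.dport:
            return ("translated", f"{host}:{port}")
    # Anything else (80, 22, 2007-2009 from outside) never reaches a probe:
    # without a static entry the packet is addressed to the router itself.
    return ("dropped: no translation", None)
```

This is the behaviour the reply describes: from the internet only ports 2021 to 2026 reach a probe, while the probes' own outbound connections use the dynamic NAT entry.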

Dear AllertGen,

Thanks for the reply; it really helps me a lot to understand the scenario.

My only confusion is with what you mentioned above:

ip nat inside source static {tcp|udp} 172.16.20.2 2021 4.4.4.4 2021

I have a range of TCP ports we need to open (2000 to 2007, 80, 22) and UDP ports 5000 to 6000.

Is there any way to put a port range, like

ip nat inside source static tcp/udp range 172.16.20.3 2022 4.4.4.4 2022

and so on?

Am I right that you want to make a range of ports accessible from outside to inside?

Yes, I want that if the traffic comes from the networks mentioned below:

5.5.5.5

6.6.6.6

7.7.7.7

8.8.8.8

it should be able to access my local servers:

 host 172.16.20.2

 host 172.16.20.3

 host 172.16.20.4

 host 172.16.20.5

 host 172.16.20.6

 host 172.16.20.7

The ports on which outsiders need to communicate are:

ICMP/8 (ping), TCP 80, 22 and 2000-2010

UDP 5000-6000

On the ports mentioned above, my router should allow them to communicate with each other.

Just to make it easy for you:

Each probe (172.16.20.0) needs to be able to communicate with our internet servers at IP addresses:
• 5.5.5.5
• 6.6.6.6
• 7.7.7.7
• 8.8.8.8
• 9.9.9.9
On the following ports:
• ICMP/8 (ping) INBOUND
• UDP 5000 to 6000 (SIP & RTP) INBOUND and OUTBOUND
• TCP 2007 INBOUND and OUTBOUND
• TCP 2008 INBOUND and OUTBOUND
• TCP 2009 INBOUND and OUTBOUND
• TCP 80 (HTTP) INBOUND
• TCP 22 (SSH) INBOUND

Tell me one thing: you mentioned above to create an object-group. Is it possible to create an object-group network on a Cisco 2800 router?

Well, there are a few solutions. Just to be sure: are your internal servers SIP servers?

Best Regards.

Yes, it's SIP.

Let me tell you what I did, but I am not sure whether it will work or not.

ip nat inside source static tcp 172.16.20.2 2021 4.4.4.4 2021
ip nat inside source static tcp 172.16.20.3 2022 4.4.4.4 2022

and so on...

ip nat inside source list NAT interface G0/1 overload
ip access-list extended NAT
 permit tcp 172.16.20.0 0.0.0.7 range 2000 2010 5.5.5.5 0.0.0.0
 permit tcp 172.16.20.0 0.0.0.7 range ftp www 5.5.5.5 0.0.0.0
 permit udp 172.16.20.0 0.0.0.7 range 5000 6000 5.5.5.5 0.0.0.0

and so on, with all the public IPs which want to communicate with the local servers.

Hi.

Your solution is opening ports 2021 and 2022 from outside to the internal servers. So other ports are not accessible from outside (if the initiator of the connection is someone from outside; from inside it will work without problems).

So there are a few solutions that I could find:

1. Source ports range: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/12-4t/nat-12-4t-book/iadnat-usr-srcport-pat.pdf

2. Policy-map (and as I see from solution it can work with ranges at the ACL): http://networkengineering.stackexchange.com/questions/2238/open-a-range-of-tcp-ports-in-cisco-ios-nat

But I don't know how it will work if your 2 servers choose the same port for the voice traffic for different clients (they will want to use the same port in the NAT translation, and this can cause some problems).

Best Regards.
