NAT on a Cisco IOS router

Kevin Melton
Level 2

I am working at a client site today. The client has indicated that they need to have a server translated so that connections coming in from the public can access the server. I told the client I would be able to use NAT for this on their 2911 G2 router.

The requirement is that connection attempts be allowed to come into a public address, which I will call 1.2.3.4 for the purpose of this example.

The inside (real address) for the server is 192.168.15.14/24.

Here is the statement that I have placed on the router:

ip nat inside source static 192.168.15.14 1.2.3.4

and also have placed "ip nat inside" on the Ethernet that faces inside to the 192.168.15.0/24 network.  I have placed "ip nat outside" on the Ethernet that faces the Internet.

I also placed an ACL statement to allow the ports required which reads:

180 permit tcp any any eq 60000 64999

181 permit udp any any eq 60000 64999

My concern is whether I have written the NAT statement correctly or not.

Here is what I see when I perform a "sho ip nat trans":

tbhroomsgw#sho ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 1.2.3.4      192.168.15.14      ---                ---
icmp 1.2.3.5:1   192.168.15.28:1    192.168.1.102:1    192.168.1.102:1
tcp 1.2.3.5:50474 192.168.15.28:50474 64.236.18.17:5190 64.236.18.17:5190
tcp 1.2.3.5:50475 192.168.15.28:50475 205.188.1.5:5190 205.188.1.5:5190
tcp 1.2.3.5:50883 192.168.15.28:50883 204.14.233.95:443 204.14.233.95:443
tcp 1.2.3.5:50884 192.168.15.28:50884 204.14.232.33:443 204.14.232.33:443
tcp 1.2.3.5:50886 192.168.15.28:50886 204.14.233.95:443 204.14.233.95:443
tcp 1.2.3.5:50912 192.168.15.28:50912 64.12.115.25:5192 64.12.115.25:5192
tcp 1.2.3.5:50922 192.168.15.28:50922 64.12.115.25:5192 64.12.115.25:5192
--- 1.2.3.5      192.168.15.28      ---                ---
--- 1.2.3.6    192.168.15.29      ---                ---

Any help would be greatly appreciated.
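One way to check a translation table like the one above is to parse it and compare the static (1:1) entries against the mappings the administrator actually intended, so that any host exposed by a static NAT that nobody asked for stands out. This is an added example, not code from the thread or from Cisco; the sample output is a constructed copy of the poster's table, and the only "intended" mapping is the 1.2.3.4 to 192.168.15.14 entry from the question.

```python
"""Audit the static (1:1) entries in 'show ip nat translations' output."""
from dataclasses import dataclass
from typing import Optional
# Constructed sample mirroring the poster's table; '---' marks an untranslated field.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 1.2.3.4      192.168.15.14      ---                ---
icmp 1.2.3.5:1   192.168.15.28:1    192.168.1.102:1    192.168.1.102:1
tcp 1.2.3.5:50474 192.168.15.28:50474 64.236.18.17:5190 64.236.18.17:5190
tcp 1.2.3.5:50883 192.168.15.28:50883 204.14.233.95:443 204.14.233.95:443
--- 1.2.3.5      192.168.15.28      ---                ---
--- 1.2.3.6    192.168.15.29      ---                ---
"""

@dataclass(frozen=True)
class Translation:
    proto: Optional[str]        # None on '---' rows: a static entry with no live session
    inside_global: str
    inside_local: str
    outside_local: Optional[str]
    outside_global: Optional[str]

def parse_translations(text: str) -> list[Translation]:
    """Turn the five-column table into records; skips the header and blank lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        rows.append(Translation(None if proto == "---" else proto, ig, il,
                                None if ol == "---" else ol, None if og == "---" else og))
    return rows

def static_mappings(rows: list[Translation]) -> dict[str, str]:
    """Static 1:1 translations are the '---' rows: inside global -> inside local."""
    return {r.inside_global: r.inside_local for r in rows if r.proto is None}

def audit(text: str, intended: dict[str, str]) -> dict[str, list[str]]:
    """'missing': intended mappings the router does not hold.
    'review': static entries that expose a host nobody listed as intended."""
    actual = static_mappings(parse_translations(text))
    return {
        "missing": sorted(f"{g} -> {l}" for g, l in intended.items() if actual.get(g) != l),
        "review": sorted(f"{g} -> {l}" for g, l in actual.items() if g not in intended),
    }

if __name__ == "__main__":
    print(audit(SAMPLE, {"1.2.3.4": "192.168.15.14"}))
```

With only the poster's mapping listed as intended, the two other static entries (1.2.3.5 and 1.2.3.6) are reported for review rather than silently accepted.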

2 Replies

Hi Kevin,

You need to make some changes here. We'll assume your internal interface is fa0/0 and your external is fa0/1 for the sake of this reply.

ip access-list extended aclPortForwardRange
 permit tcp any any range 60000 64999
 permit udp any any range 60000 64999
ip access-list standard aclNat
 permit 192.168.15.0 0.0.0.255
!
! Rotary pool containing only the server; referenced by the inbound destination translation.
ip nat pool poolServer 192.168.15.14 192.168.15.14 netmask 255.255.255.0 type rotary
!
interface fa0/0
 ! or whatever the router's address is on this subnet
 ip address 192.168.15.1 255.255.255.0
 ip nat inside
interface fa0/1
 ip nat outside
!
! Outbound: the inside subnet is overloaded (PAT) behind the outside interface address.
ip nat inside source list aclNat interface fa0/1 overload
! Inbound: traffic in the port range arriving on the outside address is sent to the pool.
ip nat inside destination list aclPortForwardRange pool poolServer

You will also need to poke holes in your inbound ACL on your external interface, if there is one. Use similar syntax to the aclPortForwardRange example above in this ACL if need be.

Let us know how this goes.

As it turns out, the configuration I had submitted on the post worked just fine.

Thanks for your response.

Kevin
