04-24-2012 08:01 AM - edited 03-04-2019 04:08 PM
I am working at a client site today. The client has indicated that they need to have a server translated so that connections coming in from the public can access the server. I told the client I would be able to use NAT for this on their 2911 G2 router.
The requirement is that connection attempts be allowed to come into a public address, which I will call 1.2.3.4 for the purpose of this example.
The inside (real address) for the server is 192.168.15.14/24.
Here is the statement that I have placed on the router:
ip nat inside source static 192.168.15.14 1.2.3.4
and also have placed "ip nat inside" on the Ethernet that faces inside to the 192.168.15.0/24 network. I have placed "ip nat outside" on the Ethernet that faces the Internet.
I also placed an ACL statement to allow the ports required which reads:
180 permit tcp any any eq 60000 64999
181 permit udp any any eq 60000 64999
My concern is whether I have written the NAT statement correctly or not.
Here is what I see when I perform a "sho ip nat trans":
tbhroomsgw#sho ip nat trans
Pro Inside global Inside local Outside local Outside global
--- 1.2.3.4 192.168.15.14 --- ---
icmp 1.2.3.5:1 192.168.15.28:1 192.168.1.102:1 192.168.1.102:1
tcp 1.2.3.5:50474 192.168.15.28:50474 64.236.18.17:5190 64.236.18.17:5190
tcp 1.2.3.5:50475 192.168.15.28:50475 205.188.1.5:5190 205.188.1.5:5190
tcp 1.2.3.5:50883 192.168.15.28:50883 204.14.233.95:443 204.14.233.95:443
tcp 1.2.3.5:50884 192.168.15.28:50884 204.14.232.33:443 204.14.232.33:443
tcp 1.2.3.5:50886 192.168.15.28:50886 204.14.233.95:443 204.14.233.95:443
tcp 1.2.3.5:50912 192.168.15.28:50912 64.12.115.25:5192 64.12.115.25:5192
tcp 1.2.3.5:50922 192.168.15.28:50922 64.12.115.25:5192 64.12.115.25:5192
--- 1.2.3.5 192.168.15.28 --- ---
--- 1.2.3.6 192.168.15.29 --- ---
Any help would be greatly appreciated.
04-24-2012 03:30 PM
Hi Kevin,
you need to make some changes here. We'll assume your internal interface is fa0/0 and your external is fa0/1 for the sake of this reply.
ip access-list extended aclPortForwardRange
 permit tcp any any range 60000 64999
 permit udp any any range 60000 64999
ip access-list standard aclNat
 permit 192.168.15.0 0.0.0.255
!
ip nat pool poolServer 192.168.15.14 192.168.15.14 netmask 255.255.255.0 type rotary
!
interface fa0/0
 ! or whatever the address is on this subnet.
 ip address 192.168.15.1 255.255.255.0
 ip nat inside
interface fa0/1
 ip nat outside
!
ip nat inside source list aclNat interface fa0/1 overload
ip nat inside destination list aclPortForwardRange pool poolServer
You will also need to poke any holes in your inbound ACL on your external interface if there is one. Use a similar syntax to the aclPortForwardRange example above in this ACL if need be.
Let us know how this goes.
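The two posts above write the port ACL differently: the original uses "eq 60000 64999" and the reply uses "range 60000 64999". Because a static NAT entry forwards every port of the inside host, the inbound ACL is what limits the exposure, so it is worth checking exactly which ports each form permits. The following is an added example (not code from either poster or from Cisco) that models IOS operator semantics for simple ACEs: "eq" takes a list of individual ports, each matched exactly, while "range" takes an inclusive low-high pair; the ACE lists are constructed from the thread.

```python
import re
from typing import Dict, Iterable, Set

# Constructed sample ACEs, one pair from each post in the thread above.
ACL_ORIGINAL = [
    "permit tcp any any eq 60000 64999",
    "permit udp any any eq 60000 64999",
]
ACL_REPLY = [
    "permit tcp any any range 60000 64999",
    "permit udp any any range 60000 64999",
]

# Only the simple "permit <proto> any any <op> <ports>" shape is modelled.
ACE_RE = re.compile(r"^permit\s+(tcp|udp)\s+any\s+any\s+(eq|range)\s+([\d\s]+)$")


def permitted_ports(ace: str) -> Set[int]:
    """Return the destination ports a single ACE permits.

    'eq' accepts one or more port numbers and matches each one exactly;
    'range' accepts exactly two numbers and matches every port between them.
    """
    m = ACE_RE.match(ace.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {ace!r}")
    _proto, op, operands = m.groups()
    ports = [int(p) for p in operands.split()]
    if op == "eq":
        return set(ports)
    if len(ports) != 2 or ports[0] > ports[1]:
        raise ValueError(f"range needs 'low high': {ace!r}")
    return set(range(ports[0], ports[1] + 1))


def exposed_ports(acl: Iterable[str]) -> Dict[str, Set[int]]:
    """Aggregate permitted destination ports per protocol across an ACL."""
    result: Dict[str, Set[int]] = {}
    for ace in acl:
        proto = ACE_RE.match(ace.strip()).group(1)
        result.setdefault(proto, set()).update(permitted_ports(ace))
    return result


if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("reply", ACL_REPLY)):
        counts = {p: len(s) for p, s in exposed_ports(acl).items()}
        print(f"{name}: ports permitted per protocol = {counts}")
```

With the "eq" form only ports 60000 and 64999 are reachable on the server; the "range" form opens all 5000 ports between them, which is presumably what the client wanted.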
04-25-2012 05:40 AM
As it turns out, the configuration I had submitted on the post worked just fine.
Thanks for your response.
Kevin