04-24-2012 08:01 AM - edited 03-04-2019 04:08 PM
I am working at a client site today. The client has indicated that they need to have a server translated so that connections coming in from the public can access the server. I told the client I would be able to use NAT for this on their 2911 G2 router.
The requirement is that connection attempts be allowed to come into a public address, which I will call 1.2.3.4 for the purpose of this example.
The inside (real address) for the server is 192.168.15.14/24.
Here is the statement that I have placed on the router:
ip nat inside source static 192.168.15.14 1.2.3.4
and also have placed "ip nat inside" on the Ethernet that faces inside to the 192.168.15.0/24 network. I have placed "ip nat outside" on the Ethernet that faces the Internet.
I also placed an ACL statement to allow the ports required which reads:
180 permit tcp any any eq 60000 64999
181 permit udp any any eq 60000 64999
My concern is whether I have written the NAT statement correctly or not.
Here is what I see when I perform a "sho ip nat trans":
tbhroomsgw#sho ip nat trans
Pro  Inside global      Inside local          Outside local        Outside global
---  1.2.3.4            192.168.15.14         ---                  ---
icmp 1.2.3.5:1          192.168.15.28:1       192.168.1.102:1      192.168.1.102:1
tcp  1.2.3.5:50474      192.168.15.28:50474   64.236.18.17:5190    64.236.18.17:5190
tcp  1.2.3.5:50475      192.168.15.28:50475   205.188.1.5:5190     205.188.1.5:5190
tcp  1.2.3.5:50883      192.168.15.28:50883   204.14.233.95:443    204.14.233.95:443
tcp  1.2.3.5:50884      192.168.15.28:50884   204.14.232.33:443    204.14.232.33:443
tcp  1.2.3.5:50886      192.168.15.28:50886   204.14.233.95:443    204.14.233.95:443
tcp  1.2.3.5:50912      192.168.15.28:50912   64.12.115.25:5192    64.12.115.25:5192
tcp  1.2.3.5:50922      192.168.15.28:50922   64.12.115.25:5192    64.12.115.25:5192
---  1.2.3.5            192.168.15.28         ---                  ---
---  1.2.3.6            192.168.15.29         ---                  ---
Any help would be greatly appreciated.
04-24-2012 03:30 PM
Hi Kevin,
You need to make some changes here. We'll assume your internal interface is fa0/0 and your external is fa0/1 for the sake of this reply.
! Extended ACL selecting the inbound port range to be forwarded
ip access-list extended aclPortForwardRange
 permit tcp any any range 60000 64999
 permit udp any any range 60000 64999
!
! Standard ACL selecting the inside hosts that may be PATed out
ip access-list standard aclNat
 permit 192.168.15.0 0.0.0.255
!
! Single-address rotary pool pointing at the server
ip nat pool poolServer 192.168.15.14 192.168.15.14 netmask 255.255.255.0 type rotary
!
interface fa0/0
 ip address 192.168.15.1 255.255.255.0
 ! or whatever it is on this subnet.
 ip nat inside
!
interface fa0/1
 ip nat outside
!
! Outbound PAT for the inside subnet
ip nat inside source list aclNat interface fa0/1 overload
! Inbound forward: traffic matching the port-range ACL is sent to the server
ip nat inside destination list aclPortForwardRange pool poolServer
You will also need to poke holes in your inbound ACL on your external interface, if there is one. Use a similar syntax to the aclPortForwardRange example above in this ACL if need be.
Let us know how this goes.
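The translation table quoted in the question and the ACL lines in both posts can be checked mechanically. The script below is an added example written for this page, not code from either poster or from Cisco; the `show ip nat translations` text and the ACL lines it embeds are constructed from the lines quoted above, and the ACL semantics it encodes are the standard IOS ones: `eq` followed by several numbers matches each listed port individually, while `range lo hi` matches the whole inclusive span. The check confirms that a static inside-source entry for the server exists and reports how much of the needed 60000-64999 range each ACL form actually opens.

```python
"""Checks for the NAT port-forward discussed in the thread.

Added example; not code from either poster or from Cisco. The sample
``show ip nat translations`` output and ACL lines are constructed from
the lines quoted in the posts.
"""
from dataclasses import dataclass

# Constructed from the "sho ip nat trans" output in the first post (abridged).
SHOW_NAT_TRANS = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 1.2.3.4            192.168.15.14      ---                ---
icmp 1.2.3.5:1         192.168.15.28:1    192.168.1.102:1    192.168.1.102:1
tcp 1.2.3.5:50474      192.168.15.28:50474 64.236.18.17:5190 64.236.18.17:5190
--- 1.2.3.5            192.168.15.28      ---                ---
"""

# ACL lines as posted in the question and as corrected in the reply.
OP_ACL = ["180 permit tcp any any eq 60000 64999",
          "181 permit udp any any eq 60000 64999"]
REPLY_ACL = ["permit tcp any any range 60000 64999",
             "permit udp any any range 60000 64999"]
NEEDED_PORTS = frozenset(range(60000, 65000))   # 60000-64999 inclusive


@dataclass(frozen=True)
class Translation:
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str

    @property
    def is_static(self) -> bool:
        # A static inside-source entry shows "---" for the protocol and has
        # no outside addresses; dynamic entries carry a protocol and ports.
        return self.proto == "---" and self.outside_local == "---"


def parse_nat_translations(text: str) -> list:
    """Parse the five-column ``show ip nat translations`` table."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":   # header or blank line
            continue
        entries.append(Translation(*fields))
    return entries


def static_mapping_for(entries, inside_local: str):
    """Inside-global address statically bound to inside_local, or None."""
    for t in entries:
        if t.is_static and t.inside_local == inside_local:
            return t.inside_global
    return None


def acl_matched_ports(ace: str):
    """Return (protocol, destination ports) for a 'permit tcp|udp any any ...' ACE."""
    tokens = ace.split()
    if tokens and tokens[0].isdigit():          # optional sequence number
        tokens = tokens[1:]
    if len(tokens) < 6 or tokens[0] != "permit" or tokens[1] not in ("tcp", "udp"):
        raise ValueError(f"unsupported ACE: {ace!r}")
    proto, op, args = tokens[1], tokens[4], tokens[5:]
    if op == "eq":                               # list of individual ports
        return proto, frozenset(int(p) for p in args)
    if op == "range":                            # inclusive span
        lo, hi = (int(p) for p in args)
        return proto, frozenset(range(lo, hi + 1))
    raise ValueError(f"unsupported port operator {op!r} in {ace!r}")


def check_port_forward(show_output, acl_lines, inside_local, inside_global, needed):
    """Return a list of findings; an empty list means the forward looks right."""
    findings = []
    mapped = static_mapping_for(parse_nat_translations(show_output), inside_local)
    if mapped is None:
        findings.append(f"no static translation installed for {inside_local}")
    elif mapped != inside_global:
        findings.append(f"{inside_local} is mapped to {mapped}, expected {inside_global}")
    for proto in ("tcp", "udp"):
        permitted = set()
        for ace in acl_lines:
            p, ports = acl_matched_ports(ace)
            if p == proto:
                permitted |= ports
        missing = needed - permitted
        if missing:
            findings.append(f"{proto}: ACL permits {len(permitted)} of the "
                            f"{len(needed)} needed ports (e.g. {min(missing)} is blocked)")
    return findings


if __name__ == "__main__":
    for label, acl in (("as posted", OP_ACL), ("as corrected", REPLY_ACL)):
        print(label, check_port_forward(SHOW_NAT_TRANS, acl, "192.168.15.14",
                                        "1.2.3.4", NEEDED_PORTS) or ["OK"])
```

Run as-is, the script reports no NAT problem for either ACL (the `--- 1.2.3.4 192.168.15.14` row is exactly what `ip nat inside source static` installs) but flags that the `eq 60000 64999` form opens only two ports per protocol, whereas the `range` form from the reply opens all 5000.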
04-25-2012 05:40 AM
As it turns out, the configuration I had submitted on the post worked just fine.
Thanks for your response.
Kevin