cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11072
Views
0
Helpful
15
Replies

Problem Configuring NAT to Allow the Internet to Access Internal Devices

saif_farooq
Level 1
Level 1

Hi,

I want to allow my internal Web Server (CCTV) on private IP(192.168.1.2) to be accessed from the internet. I have already configured NAT for PCs on private IPs to access Internet.

Now the problem im facing is "I cannot access my Local Lan Web Server PC" from Internet. Kindly look at the configuration below & let me know where Im doing mistake. Also kindly check the 'routes' that I have given, as I've seen some sample configs but they are without 'routes'.

Also can u pls tell me if I need a 'route-map' to direct traffic from Internet to local Web-Server.

Configuration:

!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface FastEthernet1/0
ip address 192.168.100.10 255.255.255.0 (for reference,,although its Public IP in actual)
ip nat outside

!

ip nat inside source list 10 interface FastEthernet1/0 overload

ip nat inside source static 192.168.1.2 192.168.100.11

ip route 0.0.0.0 0.0.0.0 192.168.100.1 (Gateway Modem)

!

access-list 10 permit 192.168.1.0 0.0.0.255

access-list 101 permit ip any 192.168.100.11 0.0.0.255

!

!

Router_7200#sh ip nat translations
     Pro Inside global      Inside local       Outside local      Outside global
tcp 192.168.100.11:80    192.168.1.2:80       ---                ---

Please note I cannot see any output in Debug IP NAT,

Regards & Thanks in advance!!

15 Replies 15

Jennifer Halim
Cisco Employee
Cisco Employee

That should work. Check if the adsl router or modem has an ARP entry for the public NATed ip address. Reloading the adsl router/modem normally helps, or if you have access to it, clear arp.

Thanks for the reply. But the problem is still there!!!

I want to ask few questions clearly:

Q1)     For users to access internet from inside network, simple NAT configuration was done. alongwith default route. In the case of traffic from internet to come inside LAN & access PC on private IP, e.g. Webserver, shouldn't there be a route for this??

Q2) Do we also need route-map??

Q3) Do I need to put 'TCP' in Static NAT command?

Q4) Do I need any configuration in the DSL Modem as well,,right now its simply configured with one IP from the pool & acting as gateway!!?

I hope u understand my questions & can send me a sample & complete configuration for my scenario!!!

Thx in advance!!

A route map won't work because it won't modify the L3 header.  Your syntax is correct, but you're natting from private IP to private IP which won't work.  Do you have any free addresses from your ISP? if you only have one, you can specify a TCP port & do a redirect.

This won't work:

ip nat inside source static 192.168.1.2 192.168.100.11

With only 1 IP, you need a port translation:

ip nat inside source static tcp 65.21.23.X 443 192.168.24.X 443

Hi,

For the internet users to access your internal network, you may have to Statically NAT with Public IP address and give them to internet users to access.

No Route map or the TCP in static command is necessary.

Check the arp from the gateway-DSL modem and see if you are able to ping the inside hosts.

Thanks or the replies. Unfortunately problem is stll there & I sort of understand the reason.

I have 6 usable Public IP Pool (132.145.10.1-132.145.10.6,,,only as example) of which 1 IP configured on DSL Modem & 2 on the Router Interface (NAT Outside Interface). For the users to access internet on my LAN,,I used "ip nat inside source list 10 interface FastEthernet2/0 overload".

Now for Internet users to access internal devices, I configured following command but its not working.

'ip nat inside source static 192.168.10.10 132.145.10.3'

Reason: which I understand is that "132.145.10.3 is of same pool as used to connect Router to DSL Modem".

Solution(as per my understanding): If I use IPs from pool other than the one one used on Router-DSL, than access to internal devices from Internet would be possible.

Please suggest!!

If 132.145.10.3 is your router fa2/0 interface ip address, then you can't configure the following static statement:

'ip nat inside source static 192.168.10.10 132.145.10.3'

However, if 132.145.10.3 is just a spare ip address in the same subnet as your router fa2/0 interface, then the above static statement should work. Just make sure that the DSL modem as the correct ARP entry for that ip address (your router should proxy arp for that ip address). Reloading the DSL modem generally resolve the issue.

Thanks for earlier reply. I tried "ip proxy-arp" on cisco interface, but its still not working. Im copying below my configuration which you can check & please suggest the changes. Like you said that even if the IPs used on F2/0 & one for static NAT are different but same subnet,,Internet users should be able to access my internal LAN devices. I hope u can point out my mistake of routing or wny other thing & can kindly let me know.

Please note we need to give access to our LAN PC 192.168.10.10 from Internet. Public IP Pool is 132.145.10.1 - 132.145.10.6.

Cisco#sh run
Building configuration...

Current configuration : 3163 bytes
!
version 12.2
ip cef
!
!
interface FastEthernet0/0
ip address 192.168.10.1 255.0.0.0

ip proxy-arp
!
interface FastEthernet2/0
ip address 132.145.10.32 255.255.255.248 (Public IP only used here as example)
ip proxy-arp
!
ip nat inside source list 50 interface FastEthernet2/0 overload
ip nat inside source static 192.168.10.10 132.145.10.33
ip classless
ip route 0.0.0.0 0.0.0.0 132.145.10.1 (132.145.10.1 is the IP of DSL Modem)
!
access-list 50 permit 192.168.10.0 255.0.0.0
!
end

Router#

Config is correct. As advised earlier, try reloading your adsl modem (not the router), that would clear its arp cache.

I have the same Problem, i am using 877W Router to allow access of Fortigate Firewall (Internal/ IP: 192.168.4.1 to the External users using port no: 5555

Please help

Thanks

Nadeem

interface FastEthernet0/0

ip address 192.168.10.1 255.0.0.0

ip proxy-arp


interface FastEthernet2/0

ip address 132.145.10.32 255.255.255.248 (Public IP only used here as example)

ip proxy-arp

presumably you have just missed out "ip nat inside" under fa0/0 and "ip nat outside" under fa2/0 when you copied the config here ?

The spare address that you are using for your webserver - it isn't being used anywhere else is it ?

Does the webserver have it's default-gateway set to the fa0/0 interface ip address ie. 192.168.10.1 ?

Jon

Hi All,

Thx again for the earlier replies. Finally I have been able to access my internal LAN Web-Server PC from Internet. But there is a small problem now.

Step1:

When I configured the static NAT IP on the Router, i.e.

ip nat inside source static 192.168.1.10 132.145.10.33

Initially the PC could not ping the Internet DSL Modem. Then I removed this configuration line & it started to ping. Then again I typed the 'Static NAT' command & it all became fine, now I was able to access this PC(Web-Server) from the internet.

Step2:

Then I rebooted the DSL modem several times & everything was working fine.

Problem:

When I reload the Router, again I have to follow Step1, i.e. disable & enable 'Static NAT' entry, for it to work again. This is the only problem at the moment. I have also configured 'ip proxy-arp' on both LAN & WAN interfaces. Following is the sample configuration:

======================================================================

Router#sh run
Building configuration...

!
version 12.2
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface FastEthernet2/0
ip address 132.145.10.32 255.255.255.248
ip nat outside
!
ip nat inside source static 192.168.1.10 132.145.10.33
ip route 0.0.0.0 0.0.0.0 132.145.10.31   (Next Hop IP address of DSL Modem)
!
end

Router#

=====================================================================

Pls suggest!!Thx

Hi All,

Im still facing the same problem as i mentioned in the last post. Now that I've been able to configure NAT for PCs on my LAN, & I can access the local LAN PCs from Internet. The only problem is on reboot...on DSL Modem reboot,,ther is no issue... but if the Router reboots,,,then the PC(Webserver) does not become connected on Public IP, unless I reboot the Router again, and perform "no Ip NAT inside source static......" & again " IP NAT inside source...."

static....".

I  believe there is some logical error in th simple Router configuration, shown in my previous post. Pls suggest if u guyz find any mistake. Thats because evreyday I need to perform same action on router & now I also need to add few more of my LAN PCs for outside access.

Please suggest!!

Hello

you are specifying a static nat translation to a public ip other than your own assigned ip or the routers next-hop so can you confirm this .33 is applicable to be used?

 

As this is a web server then suggest you apply a static port address translation for it and normal nat translation for the rest of your internal network 

 

access-list 10 deny host 192.168.1.10 access-list 10 permit 192.168.1.0 0.0.0.255

ip nat inside source list 10 interface fa2/0 overload 

ip nat inside source static  tcp 192.168.1.10 80 132.145.10.32 80 extendable

ip nat inside source static tcp 192.168.1.10 443 132.145.10.32 443 extendable

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi,

This is my router router configuration for VCS, I can not access from outsides network to 59.145.213.89. or 93. 

Pls help me....

interface FastEthernet0/0
description **** Connected to LAN ****
ip address 172.17.2.5 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description **** Connect to Internet Switch ****
ip address 59.145.213.88 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 59.145.213.81
ip route 172.16.0.0 255.255.0.0 172.16.0.1
!
!
ip http server
ip nat inside source list 110 interface FastEthernet0/1 overload
ip nat inside source static 172.17.2.53 59.145.213.89
no ip nat inside source static 172.17.2.49 59.145.213.93
!
access-list 110 permit ip 172.17.2.0 0.0.0.255 any
access-list 110 deny ip any any

Review Cisco Networking for a $25 gift card