Static NAT without losing router management access

marco.bulgarini
Level 1

Just a simple question involving NAT and end-user Cisco routers (like the 800 or 1800 series).

If my internet provider grants me one static IP address, and I have to NAT an internal private subnet, I make an ACL and nat the whole subnet (in this example Dialer 1 does the PPPoE negotiation of the static public IP)

access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer 1 overload

In this scenario, I can manage the router via telnet or ssh from my host at 11.22.33.44 (multiple config lines omitted)

access-list 5 permit 11.22.33.44
line vty 0 4
 access-class 5 in

If I have to perform a static NAT to fully NAT the public IP to an internal host - let's say the 192.168.1.10/24 - I do

ip nat inside source static 192.168.1.10 interface Dialer 1

Now, as it should be by design, everything is NATted to the host, including ports TCP 22 and 23. How can I keep those two ports from being NATted to the internal host? Do I have to make a manual forward of all-but-those ports or is there a more efficient way?

Thanks,

Marco

4 Replies

Collin Clark
VIP Alumni

One option is to not do a full NAT, just NAT the ports needed. I don't have a box in front of me, but you may be able to NAT a range.

Single-port translation is sometimes not an option; my question was asked just because of that (e.g. when the customer has a firewall and needs the static NAT of the public IP on the firewall's WAN interface).

IMO that should never need to happen. Put the cable modem/DSL/whatever into bridge mode and have the public IP directly on the firewall. You could also buy the licensing to run the zone-based firewall on the router itself.

If you do a full NAT, you're going to lose management to the router. No way around it. Your only other option is to connect a modem to the console port and dial in.
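As an added example (not from the thread, and not Cisco code), a small Python audit over an IOS configuration fragment that models the two situations discussed above: a full static NAT of the interface address, which sends every inbound port including the vty ports to the inside host, versus per-port static entries, which leave unlisted ports on the router. It also flags a vty access-class that references an ACL number not defined in the config (the original snippet applies access-class 2 while defining access-list 5). The sample config and the precedence model are constructed assumptions.

```python
import re

# Constructed sample IOS config modelled on the thread (not a real device dump).
SAMPLE_CONFIG = """\
access-list 5 permit 11.22.33.44
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.10 443 interface Dialer1 443
ip nat inside source static tcp 192.168.1.10 25 interface Dialer1 25
line vty 0 4
 access-class 2 in
"""

MGMT_PORTS = {22: "ssh", 23: "telnet"}   # vty services that must stay on the router

FULL_STATIC = re.compile(
    r"^ip nat inside source static (\d+\.\d+\.\d+\.\d+) interface (\S+(?: \d+)?)$")
PORT_STATIC = re.compile(
    r"^ip nat inside source static (tcp|udp) (\d+\.\d+\.\d+\.\d+) (\d+) "
    r"interface (\S+(?: \d+)?) (\d+)$")
ACL_DEF = re.compile(r"^access-list (\d+) ")
ACCESS_CLASS = re.compile(r"^\s*access-class (\d+) in$")

def audit(config):
    """Report which management ports a config hands to an inside host and any dangling vty ACL."""
    forwarded = {}                      # public TCP port -> "inside_host:port"
    full_static = None                  # inside host receiving the whole public IP, if any
    acl_defined, acl_applied = set(), set()
    for raw in config.splitlines():
        line = raw.rstrip()
        if m := FULL_STATIC.match(line):
            full_static = m.group(1)
        elif m := PORT_STATIC.match(line):
            proto, host, iport, _iface, pport = m.groups()
            if proto == "tcp":
                forwarded[int(pport)] = f"{host}:{iport}"
        elif m := ACL_DEF.match(line):
            acl_defined.add(m.group(1))
        elif m := ACCESS_CLASS.match(line):
            acl_applied.add(m.group(1))
    # Assumption (as the thread describes): a full static NAT of the interface address
    # forwards every inbound port; otherwise only explicitly forwarded ports leave the router.
    lost = {p for p in MGMT_PORTS if full_static or p in forwarded}
    return {
        "full_static_to": full_static,
        "mgmt_ports_lost": sorted(lost),
        "dangling_access_class": sorted(acl_applied - acl_defined),
    }
```

Running `audit` on the sample reports no lost management ports but a dangling access-class 2; appending the full static line from the question makes both 22 and 23 show up as lost.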

I see your point, but the world is BIG and ISPs have different operations, and customers use different technologies.

In my experience, I use Cisco 1801/1841 in a failover configuration - my ISP lets me use a WAN high-speed access; if the PPPoE session goes offline on that ethernet interface, the router falls back to a DSL PPPoA access with a higher metric. Thanks to the ISP's structure, within seconds I'm reachable (over one of the two media) on the public IP pool I bought.

In that scenario, a transparent bridge is not the best option. I need a router to perform the failover task, as delegating it to other network equipment is an unnecessary complication - the huge benefit is also that the firewall just speaks on the WAN with one gateway (the router), knowing that it will always be reachable on a defined public IP address, no matter what.

The only flaw I found is that when I need to configure a /32 pool for another customer I can't statically NAT everything to the inside host, as I just completely lose access to the router (at least until the inside host does a port translation for the management... but the "inside host" is not always a firewall). Maybe a port-range forwarding is the way?
