Just a simple question involving NAT and end-user Cisco routers (like the 800 or 1800 series).
If my internet provider grants me one static IP address and I have to NAT an internal private subnet, I make an ACL and NAT the whole subnet (in this example Dialer 1 does the PPPoE negotiation of the static public IP):
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer 1 overload
In this scenario, I can manage the router via telnet or SSH from my host at 126.96.36.199 (multiple config lines omitted):
access-list 5 permit 188.8.131.52
line vty 0 4
 access-class 5 in
If I have to perform a static NAT to fully NAT the public IP to an internal host - let's say 192.168.1.10/24 - I do:
ip nat inside source static 192.168.1.10 interface Dialer 1
Now, as it should be by design, everything is NATted to the host, including ports TCP 22 and 23. How can I keep those two ports from being NATted to the internal host? Do I have to make a manual forward of all-but-those ports or is there a more efficient way?
One option is to not do a full NAT, just NAT the ports needed. I don't have a box in front of me, but you may be able to NAT a range.
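As an added example that is not part of the original thread, this is the per-port alternative the reply above suggests, written out in IOS syntax: keep the dynamic overload for the subnet, forward only the services the inside host actually serves, and leave TCP 22 and 23 terminating on the router with the vty access-class in place. The forwarded services (HTTPS and IPsec), the management host 203.0.113.7, and Vlan1 as the inside interface are assumptions for the sake of the example.

```cisco
! Added example, not from the original thread. Assumptions: inside host
! 192.168.1.10 serves HTTPS (TCP 443) and IPsec (UDP 500/4500), management
! comes from 203.0.113.7, Vlan1 is the LAN side and the PPPoE public IP
! sits on Dialer1.
!
! Dynamic PAT for the whole inside subnet (as in the question; the
! extended ACL needs the protocol keyword).
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer1 overload
!
! Per-port static entries: only these ports are translated to the inside
! host. Anything else sent to the public IP, including TCP 22 and 23,
! is still handled by the router itself.
ip nat inside source static tcp 192.168.1.10 443 interface Dialer1 443
ip nat inside source static udp 192.168.1.10 500 interface Dialer1 500
ip nat inside source static udp 192.168.1.10 4500 interface Dialer1 4500
!
! Management plane: restrict the vty lines to the management host and,
! if telnet is not required, accept SSH only.
access-list 5 permit host 203.0.113.7
line vty 0 4
 access-class 5 in
 transport input ssh
!
interface Vlan1
 ip nat inside
interface Dialer1
 ip nat outside
```

Before removing an existing 1:1 static entry, confirm with `show ip nat translations` that only the intended ports show up as static translations, and test SSH to the public address from the management host so that access to the router is not lost during the change.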
Single-port translation is sometimes not an option; that is the reason for my question (e.g. when the customer has a firewall and needs the static NAT of the public IP on the firewall's WAN interface).
IMO that should never need to happen. Put the cable modem/DSL/whatever into bridge mode and have the public IP directly on the firewall. You could also buy the licensing to run the zone-based firewall on the router itself.
If you do a full NAT, you're going to lose management to the router. No way around it. Your only other option is to connect a modem to the console port and dial in.
I see your point, but the world is BIG and ISPs have different operations, and customers use different technologies.
In my experience, I use Cisco 1801/1841 routers in a failover configuration - my ISP lets me use a high-speed WAN access, and if the PPPoE session goes offline on that Ethernet interface the router falls back to a DSL PPPoA access with a higher metric. Thanks to the ISP's structure, within seconds I'm reachable (over one of the two media) on the public IP pool I bought.
In that scenario, a transparent bridge is not the best choice. I need a router to perform the failover task, as delegating it to other network equipment is an unnecessary complication - the huge benefit is also that the firewall just speaks on the WAN with one gateway (the router), knowing that it will always be reachable on a defined public IP address, no matter what.
The only flaw I found is that when I need to configure a /32 pool for another customer I can't statically NAT everything to the inside host, as I completely lose access to the router (at least until the inside host does a port translation for the management... but the "inside host" is not always a firewall). Maybe a port-range forwarding is the way?