11-15-2012 05:30 AM - edited 03-04-2019 06:08 PM
Just a simple question involving NAT and end-user Cisco routers (like the 800 or 1800 series).
If my internet provider grants me one static IP address, and I have to NAT an internal private subnet, I make an ACL and nat the whole subnet (in this example Dialer 1 does the PPPoE negotiation of the static public IP)
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer 1 overload
In this scenario, I can manage the router via telnet or ssh from my host at 11.22.33.44 (multiple config lines omitted)
access-list 5 permit 11.22.33.44
line vty 0 4
access-class 5 in
If I have to perform a static NAT to fully NAT the public IP to an internal host - let's say the 192.168.1.10/24 - I do
ip nat inside source static 192.168.1.10 interface Dialer 1
Now, as it should be by design, everything is NATted to the host, including ports TCP 22 and 23. How can I keep those two ports from being NATted to the internal host? Do I have to make a manual forward of all-but-those ports or is there a more efficient way?
Thanks,
Marco
11-15-2012 08:37 AM
One option is to not do a full NAT, just NAT the ports needed. I don't have a box in front of me, but you may be able to NAT a range.
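The per-port approach suggested above, written out as an added configuration example (it is not from any post in this thread). It reuses the Dialer 1 interface, the 192.168.1.0/24 LAN, the inside host 192.168.1.10 and the management host 11.22.33.44 from the question; the published services (HTTPS and an IPsec endpoint) and the LAN interface name Vlan1 are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Values: Dialer 1, 192.168.1.0/24,
! 192.168.1.10 and 11.22.33.44 come from the question; the services
! published and the LAN interface name (Vlan1) are assumptions.
!
! 1. Outbound PAT for the whole LAN, as in the question (an extended ACL
!    needs the protocol keyword, here "ip").
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer1 overload
!
! 2. Instead of "ip nat inside source static 192.168.1.10 interface Dialer1",
!    publish only the services the inside host really offers. Any port not
!    listed here, TCP 22 and 23 included, is still answered by the router.
ip nat inside source static tcp 192.168.1.10 443 interface Dialer1 443
ip nat inside source static udp 192.168.1.10 500 interface Dialer1 500
ip nat inside source static udp 192.168.1.10 4500 interface Dialer1 4500
!
! 3. Management plane: only the admin host may open a VTY, and only via SSH.
!    The explicit deny with "log" makes refused attempts visible in syslog.
access-list 5 permit 11.22.33.44
access-list 5 deny any log
line vty 0 4
 access-class 5 in
 transport input ssh
!
! 4. NAT only applies between interfaces marked inside and outside.
interface Dialer1
 ip nat outside
interface Vlan1
 ip nat inside
```

After applying this, `show ip nat translations` lists the three static entries, and return traffic for sessions the inside host opens itself still comes back through the overload rule. Two caveats: protocols without ports (ESP, for instance) cannot be forwarded this way, so IPsec through such a router relies on NAT-T over UDP 4500; and the inside host no longer "owns" the public address, which is exactly the trade-off the later posts discuss when the inside host is a firewall.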
11-15-2012 08:49 AM
Single-port translation sometimes is not an option; my question was just because of that (e.g. when the customer has a firewall and needs the static NAT of the public IP on the firewall's WAN interface).
11-15-2012 08:54 AM
IMO that should never need to happen. Put the cable modem/DSL/whatever into bridge mode and have the public IP directly on the firewall. You could also buy the licensing to run the zone-based firewall on the router itself.
If you do a full NAT, you're going to lose management to the router. No way around it. Your only other option is to connect a modem to the console port and dial in.
11-15-2012 09:19 AM
I see your point, but the world is BIG and ISPs have different operations, and customers use different technologies.
In my experience, I use Cisco 1801/1841 in a failover configuration - my ISP lets me use a WAN high-speed access; if the PPPoE session goes offline on that ethernet interface, the router falls back to a DSL PPPoA access with a higher metric. Thanks to the ISP's structure, within seconds I'm reachable (over one of the two media) on the public IP pool I bought.
In that scenario, a transparent bridge is not the best chance. I need a router to perform the failover task, as demanding it to other network equipment is an unnecessary complication - the huge benefit is also that the firewall just speaks on the WAN with one gateway (the router), knowing that it will always be reachable on a defined public IP address, no matter what.
The only flaw I found is that when I need to configure a /32 pool for another customer I can't statically NAT everything on the inside host, as I just completely lose access to the router (at least until the inside host does a port translation for the management... but the "inside host" is not always a firewall). Maybe a port-range forwarding is the way?