Static NAT without losing router management access

marco.bulgarini (Level 1)

Just a simple question involving NAT and end-user Cisco routers (like the 800 or 1800 series).

If my internet provider grants me one static IP address and I have to NAT an internal private subnet, I make an ACL and NAT the whole subnet (in this example Dialer 1 does the PPPoE negotiation of the static public IP):

! Extended ACL: the protocol keyword ("ip") is required before the source
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer 1 overload

In this scenario, I can manage the router via telnet or ssh from my host at 11.22.33.44 (multiple config lines omitted):

! Standard ACL 5 lists the admin host; the vty access-class must reference the same ACL number
access-list 5 permit 11.22.33.44
line vty 0 4
 access-class 5 in

If I have to perform a static NAT to fully NAT the public IP to an internal host - let's say 192.168.1.10/24 - I do:

ip nat inside source static 192.168.1.10 interface Dialer 1

Now, as it should be by design, everything is NATted to the host, including ports TCP 22 and 23. How can I keep those two ports from being NATted to the internal host? Do I have to make a manual forward of all-but-those ports or is there a more efficient way?

Thanks,

Marco

4 Replies

Collin Clark (VIP Alumni)

One option is to not do a full NAT, just NAT the ports needed. I don't have a box in front of me, but you may be able to NAT a range.
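As an added illustration of the per-port approach suggested above (this is example configuration written for this thread, not Collin's or Marco's own config): instead of a full one-to-one static NAT of the public IP, only the ports the inside host actually serves are translated, so TCP 22/23 keep terminating on the router itself and the vty access-class still gates who may reach them. The inside interface name (Vlan1), the forwarded service ports (443 and 25) and the admin host address are assumptions; the subnet, ACL numbers and Dialer interface follow the original post.

```cisco
! Assumed inside/outside interface roles
interface Vlan1
 ip nat inside
interface Dialer1
 ip nat outside

! Dynamic PAT for the whole LAN (from the original post; note the "ip" protocol keyword)
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer1 overload

! Per-port static translations only for the services the inside host must expose.
! Nothing is written for 22/23, so those ports stay with the router.
ip nat inside source static tcp 192.168.1.10 443 interface Dialer1 443
ip nat inside source static tcp 192.168.1.10 25 interface Dialer1 25

! Management stays on the router, restricted to the admin host and to SSH only
access-list 5 permit 11.22.33.44
line vty 0 4
 access-class 5 in
 transport input ssh
```

Verify with "show ip nat translations": only the two forwarded ports should appear as static entries, while an SSH session from 11.22.33.44 to the public IP shows up as a connection to the router and not as a translation toward 192.168.1.10.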

Single port translation sometimes isn't an option; my question was just because of that (e.g. when the customer has a firewall and needs the static NAT of the public IP on the firewall's WAN interface).

IMO that should never need to happen. Put the cable modem/DSL/whatever into bridge mode and have the public IP directly on the firewall. You could also buy the licensing to run the zone-based firewall on the router itself.

If you do a full NAT, you're going to lose management to the router. No way around it. Your only other option is to connect a modem to the console port and dial in.

I see your point, but the world is BIG and ISPs have different operations, and customers use different technologies.

In my experience, I use Cisco 1801/1841 in a failover configuration - my ISP lets me use a WAN high-speed access; if the PPPoE session goes offline on that ethernet interface, the router falls back to a DSL PPPoA access with a higher metric. Thanks to the ISP's structure, within seconds I'm reachable (over one of the two media) on the public IP pool I bought.

In that scenario, a transparent bridge is not the best choice. I need a router to perform the failover task, as delegating it to other network equipment is an unnecessary complication - the huge benefit is also that the firewall just speaks on the WAN with one gateway (the router), knowing that it will always be reachable on a defined public IP address, no matter what.

The only flaw I found is that when I need to configure a /32 pool for another customer, I can't statically NAT everything to the inside host, as I just completely lose access to the router (at least until the inside host does a port translation for the management... but the "inside host" is not always a firewall). Maybe a port-range forwarding is the way?
