11-22-2013 08:11 AM - edited 03-07-2019 04:44 PM
Hi all
I can configure the router to allow external access to an internal server by static NAT. Is there any way to configure this without static NAT, and can we use an ACL to block access to some services?
Thanks for all your advice
Here is the example configuration:
Current Configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
!
!
ip subnet-zero
no ip domain-lookup
!
bridge irb
!
interface Ethernet0
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
!--- This is the inside local IP address and it is a private IP address.
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5snap
 !
 bundle-enable
 dsl operating-mode auto
 bridge-group 1
!
interface BVI1
 ip address 171.68.1.1 255.255.255.240
 ip nat outside
!--- This is the inside global IP address.
!--- This is your public IP address and it is provided to you by your ISP.
!
ip nat inside source list 1 interface BVI1 overload
!--- This statement makes the router perform PAT for all the
!--- End Stations behind the Ethernet interface that uses
!--- private IP addresses defined in access list #1.
ip nat inside source static tcp 192.168.0.5 80 171.68.1.1 80 extendable
!--- This statement performs the static address translation for the Web server.
!--- With this statement, users that try to reach 171.68.1.1 port 80 (www) are
!--- automatically redirected to 192.168.0.5 port 80 (www). In this case
!--- it is the Web server.
ip classless
ip route 0.0.0.0 0.0.0.0 171.68.1.254
!--- IP address 171.68.1.254 is the next hop IP address, also
!--- called the default gateway.
!--- Your ISP can tell you what IP address to configure as the next hop address.
!
access-list 1 permit 192.168.0.0 0.0.0.255
!--- This access list defines the private network
!--- that is network address translated.
bridge 1 protocol ieee
bridge 1 route ip
!
end
11-22-2013 08:31 AM
Hello
NAT provides IP translation but it doesn't give you any real security to the server; you still need to prohibit access via either IOS FW features (CBAC, ZBFW, extended ACLs, etc.) or via a designated firewall.
To answer your question
Yes you can
You can position it in a DMZ with a public IP address and use port forwarding/filtering etc. to open up specific ports to the server
Res
Paul
Sent from Cisco Technical Support Android App
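The filtering mentioned in the reply above, applied to the configuration from the first post, as an added example that is not part of either post. The names INTERNET-IN and FW are hypothetical, and the `ip inspect` lines assume an IOS image that includes the firewall feature set (CBAC).

```cisco
! Added example. INTERNET-IN and FW are hypothetical names.
! Assumes an IOS image with the firewall feature set (CBAC).
!
! Inspect sessions that inside hosts open toward the Internet, so that
! their return traffic is let back in through temporary ACL openings.
ip inspect name FW tcp
ip inspect name FW udp
!
! Inbound policy on the public interface. Inbound ACLs are checked
! before NAT, so the entry matches the inside global address
! 171.68.1.1 and not the private address 192.168.0.5.
ip access-list extended INTERNET-IN
 ! The only service published by the static translation.
 permit tcp any host 171.68.1.1 eq www
 ! ICMP replies and errors needed by inside hosts (ping, traceroute,
 ! path MTU discovery).
 permit icmp any host 171.68.1.1 echo-reply
 permit icmp any host 171.68.1.1 time-exceeded
 permit icmp any host 171.68.1.1 unreachable
 ! Everything else is dropped and logged.
 deny   ip any any log
!
interface BVI1
 ip access-group INTERNET-IN in
 ip inspect FW out
!
! The static translation from the original configuration is unchanged:
! ip nat inside source static tcp 192.168.0.5 80 171.68.1.1 80 extendable
```

The static NAT entry decides which inside host a connection reaches; the ACL decides which connections are allowed to arrive at all, so the two are used together rather than one replacing the other.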
11-22-2013 08:40 AM
Thanks for your reply
1/ I use the router for accessing the internet
2/ I use an IP PBX inside the NAT router, therefore if I do not add a static NAT pointing to the IP PBX address, it cannot register with the VoIP provider.
3/ Is there any way to access the IP PBX from the internet without static NAT?
Please show me the example configuration
Thanks