Best practices for NAT/PAT?

IM-Design
Level 1

Greetings:

My setup is

Cisco 1811 serving as a router/firewall to several Windows 2003 servers at an ISP. I've configured NAT on the router to expose http, https, and smtp ports on each of the servers to a unique public IP address within my x.x.x.230/29 address space.

The WAN port on the 1811 is configured with x.x.x.230/29. On Server A I NAT ports 25, 80, and 443 on that same x.x.x.230 address, while managing the 1811 itself using SSH on that same address as well.

On Server B (local IP 192.168.0.3), I NAT the x.x.x.231 address for ports 25, 80, and 443. On Server C (local IP 192.168.0.4), I NAT the x.x.x.232 address for the same ports.

Can anyone offer a critique of this configuration and offer some ideas of the best practices topology-wise for providing routing, vpn and firewall functionality for these servers?

My question arises because now I have a site-to-site VPN with Server B at the local end and I am unable to connect to the Server B smtp port due to the following NAT statements. I can confirm that this is the case since by removing the statement I am able to connect.

Here is the NAT section of the show run:

ip nat inside source static tcp 192.168.0.2 443 interface FastEthernet0 443
ip nat inside source static tcp 192.168.0.2 80 interface FastEthernet0 80
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.0.3 25 x.x.x.231 25 extendable
ip nat inside source static tcp 192.168.0.3 80 x.x.x.231 80 extendable
ip nat inside source static tcp 192.168.0.3 443 x.x.x.231 443 extendable
ip nat inside source static tcp 192.168.0.4 25 x.x.x.232 25 extendable
ip nat inside source static tcp 192.168.0.4 80 x.x.x.232 80 extendable
ip nat inside source static tcp 192.168.0.4 443 x.x.x.232 443 extendable

Would appreciate any and all comments on the way it is currently configured as well as:

-How I might be able to change the config to follow a best-practice arrangement for the router/firewall and these servers.

TIA

2 Replies

ebreniz
Level 6

The following document explains configuring Network Address Translation (NAT) on a Cisco router in some of the common network scenarios.

http://www.cisco.com/warp/public/556/12.html

bjornarsb
Level 4

Hi,

Static PAT is the same as static NAT, except it lets you specify the protocol (TCP or UDP) and port for the local and global addresses.

This feature lets you identify the same global address across many different static statements, so long as the port is different for each statement (you CANNOT use the same global address for multiple static NAT statements).

For example, if you want to provide a single address for global users to access FTP, HTTP, and SMTP, but these are all actually different servers on the local network, you can specify static PAT statements for each server that use the same global IP address but different ports.

And for PAT you cannot use the same pair of local and global address in multiple static statements between the same two interfaces.

Regards

Bjornarsb
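To make the two points above concrete, here is an added example (not from the thread or from Cisco) that parses static PAT lines in the form the original poster showed, checks the rule that a global address/port may appear in only one static statement, and models the translation a static entry applies in each direction. The public addresses are placeholders from the 198.51.100.0/24 documentation range standing in for the redacted x.x.x.231 and x.x.x.232.

```python
import re

# Constructed sample modelled on the thread's config; the redacted x.x.x.231/232
# public addresses are replaced with documentation-range placeholders.
SAMPLE_CONFIG = """
ip nat inside source static tcp 192.168.0.3 25 198.51.100.231 25 extendable
ip nat inside source static tcp 192.168.0.3 80 198.51.100.231 80 extendable
ip nat inside source static tcp 192.168.0.3 443 198.51.100.231 443 extendable
ip nat inside source static tcp 192.168.0.4 25 198.51.100.232 25 extendable
ip nat inside source static tcp 192.168.0.4 80 198.51.100.232 80 extendable
ip nat inside source static tcp 192.168.0.4 443 198.51.100.232 443 extendable
"""

# Only the "static <proto> <local ip> <port> <global ip> <port>" form is parsed here.
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")

def parse_static_pat(config):
    """Return a list of (proto, (local_ip, port), (global_ip, port)) tuples."""
    entries = []
    for line in config.strip().splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, lip, lport, gip, gport = m.groups()
            entries.append((proto, (lip, int(lport)), (gip, int(gport))))
    return entries

def duplicate_globals(entries):
    """Global proto/ip/port used by more than one static statement.
    Reusing a global address is fine as long as the port differs; the same
    global socket in two statements is the conflict the reply warns about."""
    seen, dups = set(), []
    for proto, _local, glob in entries:
        key = (proto,) + glob
        if key in seen:
            dups.append(key)
        seen.add(key)
    return dups

def translate_inbound(entries, proto, dst):
    """Outside->inside: rewrite the destination when a static entry matches."""
    for p, local, glob in entries:
        if p == proto and glob == dst:
            return local
    return dst

def translate_outbound(entries, proto, src):
    """Inside->outside: the same static entry also rewrites a matching inside
    source, so replies from 192.168.0.3:25 leave with the public address
    unless that traffic is excluded from translation."""
    for p, local, glob in entries:
        if p == proto and local == src:
            return glob
    return src
```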