Solved: Help with some NAT and ACL

mmoulson1 · ‎02-13-2014

Hi all,

We have been provided with a range of public IP addresses by our ISP. I want to configure some static NAT in and dynamic NAT out for our SIP based PBX. I also want to put an ACL on the outside interface so only my ITSP can talk to the public IP assigned to the PBX. I want all other hosts on my network to be able to NAT out using the WAN address assigned to the router.

Obviously the addresses are fictional!

4.4.4.3 – Default gateway to the internet

4.4.4.4 – Public IP of my router

4.4.4.5 – Public IP for the PBX

10.1.1.0/24 – PBX subnet

192.168.1.0/24 – LAN subnet

1.1.1.1 & 1.1.1.2 ITSP addresses

10.1.1.2 - PBX LAN Address

Can someone take a look at my config, would this work!?

Thanks

Matty

interface GigabitEthernet0/0

description *** Internet ***

ip address 4.4.4.4 255.255.255.192

ip access-group 111 in

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

ip nat pool PBX_POOL 4.4.4.5 4.4.4.5 netmask 255.255.255.192

ip nat inside source list 101 interface GigabitEthernet0/0 overload

ip nat inside source list PBX_SUBNET pool PBX_POOL overload

ip nat inside source static tcp 10.1.1.2 5060 4.4.4.5 5060 extendable

ip nat inside source static udp 10.1.1.2 5060 4.4.4.5 5060 extendable

ip route 0.0.0.0 0.0.0.0 4.4.4.3

!

ip access-list extended PBX_SUBNET

permit ip 10.1.1.0 0.0.0.255 any

!

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

!

access-list 111 permit ip host 1.1.1.1 host 4.4.4.5

access-list 111 permit ip host 1.1.1.2 host 4.4.4.5

access-list 111 deny ip any host 4.4.4.5

access-list 111 permit ip any any

!

Jon Marshall · ‎02-13-2014

Matt

Thought it may be just typos

The NAT pool configuration should work fine and it if worked using the interface IP it should work fine.

Your acl is fine but if you try pinging from the router itself to test connectivity then it won't work because the return ICMP packets will be dropped so just bear that in mind.

Jon

View solution in original post

Jon Marshall · ‎02-13-2014

Matty

Not familiar with SIP so can't say for sure about that in terms of ports but some comments -

1) you don't show other interfaces but presumably the LAN interface(s) has "ip nat inside" enabled

2) the PBX subnet is 10.1.1.0/24 yet your static NATs are referring to 10.18.21.2 ?

3) following on from 2) your PBX_SUBNET acl is wrong, it should be -

ip access-list extended PBX_SUBNET

permit ip 10.1.1.0 0.0.0.255 any <-- note the last octet of the wildcard mask is 255.

Edit - also assuming that any internal subnets not directy connected to the router have routes setup for them so you router knows how to get to them.

Jon

mmoulson1 · ‎02-13-2014

Hi Jon,

Thanks sorry I made some typo's! I have edited the original post! Many thanks!

Yes I have my 'ip nat inside' on my LAN side interfaces.

Does my ACL 111 for the ITSP look ok?

I've done SIP before but never using the NAT pool only it address assigned to the internet interface.

Thanks

Matt

Jon Marshall · ‎02-13-2014

Matt

Thought it may be just typos

The NAT pool configuration should work fine and it if worked using the interface IP it should work fine.

Your acl is fine but if you try pinging from the router itself to test connectivity then it won't work because the return ICMP packets will be dropped so just bear that in mind.

Jon

mmoulson1 · ‎02-13-2014

Many thanks Jon,

It’s a 3hr drive tomorrow to the site to install it so I’m crossing my fingers that it works! I don’t want to be messing around on a Friday!

I’ll post back when it’s in!

Matty

Jon Marshall · ‎02-13-2014

Matty

No problem and just to clarify i made a typo as well

Ignore what i said about the testing from the router. I made a mistake and assumed the IP you were blocking access to was the router IP and it isn't it is the NAT address for the PBX.

So nothing changes for everything else i said just the bit about testing from the actual router itself.

Jon

mmoulson1 · ‎02-14-2014

OK, so my NAT is looking good but my ACL isn’t doing anything!

Am I correct with my statement allow external IP to external IP? Then deny any to external IP?

Also applied as ‘ip access-group 111 in’ on the internet facing interface?

Thanks

Matty

Jon Marshall · ‎02-14-2014

Matty

Yes the acl you posted looks fine to me. Presume we are talking about acl 111 ?

When you say it's not doing anything, what exactly is happening ?

Jon

mmoulson1 · ‎02-17-2014

Ok, so I took it off and put it back on again and it’s working now! Probably another typo! More haste less speed!

Thanks for all your help!

Just trying to resolve a strange one way audio issue with the SIP! The engineer was not clear about what ports needed forwarding! Joy!