01-30-2013 12:14 PM - edited 03-07-2019 11:24 AM
We are using a Cisco 1841 router with Version 12.4(15)T6.
Here is what I would like to accomplish, if possible. We have certain devices that we need to access out of band. We have a local ISP, and with this ISP we get one routable address. I currently have NAT overload configured on the router, and so far everything we have tried to do has worked without flaw.
Our next goal is to configure multiple web links. As you all well know, we will want to web into http://myrouter.mydomain.com:<some_TCP_port> and have it translate behind the router to https://myinternaladdress:80.
Can this be done?
This is my NAT and ACL as well as my PAT statements:
ip nat inside source list 102 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.200 80 interface FastEthernet0/0 8081
ip nat inside source static tcp 192.168.1.201 80 interface FastEthernet0/0 8082
!
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
FastEthernet0/0 is my external interface. Any help you can provide would be great.
Thank you
Dwane
01-30-2013 01:08 PM
I think you need an ACL to permit the specified traffic on the outside interface.
Probably something like this:
access-list 100 permit ip any any
Apply it inbound on the outside interface:
interface fa0/0
ip access-group 100 in
Remember to also permit the other services you need in the ACL.
Hope this helps
01-30-2013 04:36 PM
Hello,
NAT PAR - redirects the connection for traffic directed to one device or port, to a different device or port
Have you tried using the same port either side?
ip nat inside source static tcp 192.168.1.200 8081 interface fa0/0 8081
ip nat inside source static tcp 192.168.1.201 8082 interface fa0/0 8082
Regards,
Paul
Please don't forget to rate this post if it has been helpful.
01-31-2013 05:18 AM
Thank you for the replies.
I do not have an option to configure the HTTP TCP port. I have to web in using http://x.x.x.x:8081 and have it forward to 192.168.x.x:80, and also be able to web into http://x.x.x.x:8082 and have it forward to 192.168.x.y:80.
I think we are all on the proper track, but is there a definitive way to configure this?
Thanks again.
Dwane
01-31-2013 06:37 AM
Have you tried using a route map instead of an access list? It would keep the two hosts from being PATed to the interface like the rest of the hosts, so they are translated only the way you want.
access-list 102 deny ip host 192.168.1.200 any
access-list 102 deny ip host 192.168.1.201 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
route-map EXAMPLE permit 10
match ip address 102
ip nat inside source route-map EXAMPLE interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.200 80 interface fa0/0 8081
ip nat inside source static tcp 192.168.1.201 80 interface fa0/0 8082
01-31-2013 09:52 AM
William,
I have not tried the route-map route just yet. I was hoping to keep it rather simple.
I will try it and get back with you.
Thank you
Dwane
01-31-2013 10:05 AM
I should add that I attempted this with TCP port 23. That would not work either. Is there anything else I need to do to make this work?
01-31-2013 12:10 PM
Dwane, did you use the route-map config with port 23? I ask because I don't think your config would work without it, since the traffic you want to isolate by port would be caught by the more inclusive access list permitting the entire subnet. Also, did you account for the additional ports in your access list on the outside interface?
02-01-2013 12:17 PM
William,
I am going to try to configure it this way. I do not have any blocks outside, and on the inside we allow 192.168.x.x to any. It is fairly wide open.
I will try the route map. Is there anything else I would need that you can think of? I did this with RDP on another router and it worked just fine.
Let me give it a shot.
Thanks
Dwane
02-01-2013 12:45 PM
My ip nat translation shows:
tcp 10.10.10.10:8081 192.168.1.200:80 10.50.10.10:41914 10.50.10.10:41914
tcp 10.10.10.10:8081 192.168.1.200:80 10.50.10.10:41915 10.50.10.10:41915
tcp 10.10.10.10:8081 192.168.1.200:80 10.50.10.10:41916 10.50.10.10:41916
where 10.10.10.10 represents the external ISP address we are trying to use, and 10.50.10.10 represents the IP address from which I am attempting the 10.10.10.10:8081 request. So it does see it hitting the address. I can ping 192.168.1.200 from the router.
Any other ideas, or can I maybe debug IP NAT to see what is taking place? I am stuck on this one. It should work.
Thanks for your help
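A small parser for the `show ip nat translations` output quoted in the post above, added here as an example; it is not part of the thread and not a Cisco tool. It reads the five IOS columns (Pro, Inside global, Inside local, Outside local, Outside global), lists which outside peers currently have sessions on a forwarded port, and checks that every entry on that port maps to the expected inside host. The sample table is constructed from the three lines in the post plus the static entry and the column header the real command prints; the record and function names are my own. One caveat worth keeping in mind when reading such a table: a dynamic entry is created when the router translates the first packet, so it proves the inbound SYN reached the router and was mapped, not that 192.168.1.200 ever answered.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Translation:
    """One row of 'show ip nat translations' (record type invented for this example)."""
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str


def split_endpoint(endpoint: str):
    """'10.10.10.10:8081' -> ('10.10.10.10', 8081); '---' (static entry, no peer) -> ('---', None)."""
    if endpoint == "---":
        return "---", None
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_translations(text: str):
    """Parse the table body; the header line and blank lines are skipped.
    IOS column order is: Pro, Inside global, Inside local, Outside local, Outside global."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("tcp", "udp", "icmp"):
            continue
        rows.append(Translation(*parts))
    return rows


def sessions_on_port(rows, inside_global_port: int):
    """Dynamic sessions (rows with a real outside peer) that landed on the given inside-global port."""
    return [
        r for r in rows
        if r.outside_global != "---" and split_endpoint(r.inside_global)[1] == inside_global_port
    ]


def peers_by_count(rows, inside_global_port: int):
    """Map each outside peer address to its number of sessions on the forwarded port.
    On a management port exposed to the whole Internet, any peer that is not one of
    your own out-of-band source addresses deserves a look."""
    counts = {}
    for r in sessions_on_port(rows, inside_global_port):
        peer, _ = split_endpoint(r.outside_global)
        counts[peer] = counts.get(peer, 0) + 1
    return counts


def mapping_is_consistent(rows, inside_global_port: int, expected_inside_local: str):
    """True if at least one entry uses the port and every such entry maps to the expected inside host:port."""
    hits = [r for r in rows if split_endpoint(r.inside_global)[1] == inside_global_port]
    return bool(hits) and all(r.inside_local == expected_inside_local for r in hits)


# Constructed sample: the three lines from the post, plus the static entry and the
# column header that the real command prints.
SAMPLE_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 10.10.10.10:8081  192.168.1.200:80   10.50.10.10:41914  10.50.10.10:41914
tcp 10.10.10.10:8081  192.168.1.200:80   10.50.10.10:41915  10.50.10.10:41915
tcp 10.10.10.10:8081  192.168.1.200:80   10.50.10.10:41916  10.50.10.10:41916
tcp 10.10.10.10:8081  192.168.1.200:80   ---                ---
"""

if __name__ == "__main__":
    rows = parse_translations(SAMPLE_TABLE)
    print(len(rows), "entries;", len(sessions_on_port(rows, 8081)), "sessions on 8081")
    print("peers on 8081:", peers_by_count(rows, 8081))
    print("8081 -> 192.168.1.200:80 consistent:", mapping_is_consistent(rows, 8081, "192.168.1.200:80"))
```

To use it on a live box, paste the command output into `SAMPLE_TABLE` or read it from a file; `mapping_is_consistent` returns False for 8082 here simply because the sample contains no entry for that port.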
03-06-2013 02:25 PM
William,
I am sorry but I could not get this configuration to work. Do you have the routemap configuration?
ip nat inside source static tcp 192.168.1.200 80 interface FastEthernet0/0 8081
ip nat inside source route-map tcp-pf interface FastEthernet0/0 overload
!
access-list 102 deny ip host 192.168.1.200 any
access-list 102 deny ip host 192.168.1.201 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
!
!
route-map tcp-pf permit 10
match ip address 102
This is how it is configured. Any ideas?
Thanks
Dwane
03-07-2013 06:32 AM
William,
Can you give me a better understanding of what you are trying to say? I know my example has port 80 and 8081 defined, but I did attempt it with TCP port 23.
Shouldn't the access-list be reversed? Shouldn't it be access-list 102 permit tcp host 192.168.1.200 any eq 23 and then a deny statement for ip to 192.168.1.200?
Thank you
Dwane
03-07-2013 06:54 AM
William,
Does this look better? I assigned the route map to the external interface and changed the direction of the ACLs.
Dwane
interface FastEthernet0/0
ip address dhcp client-id FastEthernet0/0
ip nat outside
no ip virtual-reassembly
no ip route-cache cef
no ip route-cache
ip policy route-map tcp-pf
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
no ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 192.168.1.200 80 interface FastEthernet0/0 8081
ip nat inside source route-map tcp-pf interface FastEthernet0/0 overload
!
access-list 102 permit tcp any host 192.168.1.200 eq www
access-list 102 permit tcp any host 192.168.1.201 eq www
access-list 102 deny ip any host 192.168.1.200
access-list 102 deny ip any host 192.168.1.201
access-list 102 permit ip any 192.168.1.0 0.0.0.255
!
!
!
route-map tcp-pf permit 10
match ip address 102
!
03-07-2013 07:22 AM
I don't think that will work. I think the issue is the direction of the flow. From inside to outside, what I suggested would work, but you'd have to initiate the connection from the inside, which is not practical. There is a "reversible" keyword that can be added to an ip nat inside command, e.g.
ip nat inside source route-map route-map-mgmt interface fa0/0 reversible
which allows the connection to be initiated from the outside and has the NAT applied as configured when the internal host responds. However, this doesn't appear to be an option in your setup because of your limitation of having only one public address available. Try this:
ip nat outside source static tcp 1.1.1.1 8081 192.168.1.200 80
where 1.1.1.1 is the public IP address being used by your router
Then use your
ip nat inside source list 102 interface FastEthernet0/0 overload
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
With the port forwarding set up on the outside interface, you may not need to exclude the inside-to-outside translation of the resources you're trying to make accessible publicly, as I initially suggested.
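To see which inside hosts each version of ACL 102 in this thread actually covers, here is a small first-match evaluator for IOS extended ACLs, added as an example; it is not part of the thread and not a Cisco tool. It assumes what IOS does for `ip nat inside source list|route-map`: the ACL is evaluated against the untranslated packet on the inside-to-outside path, so the packet's source address is the inside host, and a `deny` there means "do not translate", not "drop". Run against the two ACLs quoted verbatim from the 03-06 and 03-07 posts, it shows that the first version excludes 192.168.1.200 and .201 from the overload and permits the rest of the LAN (the two hosts then rely on their static entries), while the reversed version puts 192.168.1.x in the destination field, so no outbound packet matches any entry and every host falls to the implicit deny. The `Packet` and `AclEntry` types and the sample packets are my own constructions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS well-known port names that appear in the ACLs on this page
PORT_NAMES = {"www": 80, "telnet": 23}


@dataclass(frozen=True)
class Packet:
    """Untranslated packet as the NAT ACL sees it on the inside->outside path (constructed type)."""
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # from "eq <port>" after the destination, None if absent


def _parse_address(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard mask: 0 bits must match, 1 bits are don't-care, i.e. the inverse of a netmask
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = str(ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF))
    return ipaddress.IPv4Network((tokens[i], netmask), strict=False), i + 2


def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines into AclEntry objects, in order."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        src, i = _parse_address(t, 4)
        dst, i = _parse_address(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        entries.append(AclEntry(t[2], t[3], src, dst, dport))
    return entries


def evaluate(acl, pkt):
    """First matching entry wins; return (action, 1-based entry number).
    No match means the implicit deny at the end of every IOS ACL: ("deny", None).
    In a NAT ACL, "deny" means the packet is simply not translated by that NAT rule."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for n, e in enumerate(acl, 1):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, n
    return "deny", None


# The route-map ACL from the 03-06 post, and the reversed one from the 03-07 post (both as posted).
ACL_ROUTE_MAP = parse_acl([
    "access-list 102 deny ip host 192.168.1.200 any",
    "access-list 102 deny ip host 192.168.1.201 any",
    "access-list 102 permit ip 192.168.1.0 0.0.0.255 any",
])
ACL_REVERSED = parse_acl([
    "access-list 102 permit tcp any host 192.168.1.200 eq www",
    "access-list 102 permit tcp any host 192.168.1.201 eq www",
    "access-list 102 deny ip any host 192.168.1.200",
    "access-list 102 deny ip any host 192.168.1.201",
    "access-list 102 permit ip any 192.168.1.0 0.0.0.255",
])

# Constructed packets on the inside->outside path: the web server answering the
# session seen in the translation table, and an ordinary LAN host browsing out.
PKT_FROM_200 = Packet("tcp", "192.168.1.200", "10.50.10.10", 80, 41914)
PKT_FROM_LAN = Packet("tcp", "192.168.1.50", "10.50.10.10", 51000, 443)

if __name__ == "__main__":
    for name, acl in (("route-map ACL", ACL_ROUTE_MAP), ("reversed ACL", ACL_REVERSED)):
        for pkt in (PKT_FROM_200, PKT_FROM_LAN):
            print(f"{name}: {pkt.src} -> {pkt.dst}: {evaluate(acl, pkt)}")
```

The evaluator deliberately ignores the `established` keyword and ICMP type matching, neither of which appears in the ACLs on this page; add them before reusing it on a production ACL.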