
Multiple webservers using Nat/Pat

dpatkins
Level 1

We are using a Cisco 1841 router with Version 12.4(15)T6.

Here is what I would like to accomplish if possible.  We have certain devices that we need to access out of band.  We have a local ISP and with this ISP, we get one routable address.  I currently have NAT overload configured on the router and so far everything we have tried to do has worked without flaw.

Our next goal is to attempt to configure multiple weblinks.  As you all well know, we will want to web into http://myrouter.mydomain.com:<some_TCP_port> and have it translate behind the router as https://myinternaladdress:80.

Can this be done?

This is my NAT and ACL as well as my PAT statement:

ip nat inside source list 102 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.200 80 interface FastEthernet0/0 8081
ip nat inside source static tcp 192.168.1.201 80 interface fa0/0 8082
!
access-list 102 permit ip 192.168.1.0 0.0.0.255 any

FastEthernet0/0 is my external interface.  Any help you can provide would be great.

Thank you

Dwane
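Added example, not from the original post or any of the replies: the two port forwards from the question written out as one consistent IOS fragment, next to the unchanged overload rule and the show commands used to check them. It assumes the interface roles given in the thread (FastEthernet0/0 is "ip nat outside", FastEthernet0/1 is "ip nat inside"), that both inside devices serve plain HTTP on port 80, and that ACL number 110 is unused; the ACL 110 lines are only needed if an inbound ACL is applied to the outside interface at all.

```cisco
! Added example (assumptions: fa0/0 = ip nat outside, fa0/1 = ip nat inside,
! inside web servers listen on tcp/80, ACL 110 is free).
!
! Static PAT: public :8081 -> 192.168.1.200:80, public :8082 -> 192.168.1.201:80.
! "interface FastEthernet0/0" follows the DHCP-assigned public address, so no
! literal public IP has to be written into the configuration.
ip nat inside source static tcp 192.168.1.200 80 interface FastEthernet0/0 8081
ip nat inside source static tcp 192.168.1.201 80 interface FastEthernet0/0 8082
!
! Dynamic PAT for everything else, exactly as already configured.  Static
! translations are consulted before this rule, so 192.168.1.200/.201 do NOT
! need a deny entry in ACL 102 or a route-map to keep them out of the overload.
ip nat inside source list 102 interface FastEthernet0/0 overload
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
!
! Only if an inbound ACL is applied on the outside interface: it is evaluated
! BEFORE NAT rewrites the packet, so it must permit the public port, not the
! inside host and port 80.  Destination "any" is used because the public
! address is assigned by DHCP; narrow the source to the networks that really
! need out-of-band access.  Keep whatever other entries the ACL already needs.
access-list 110 remark --- out-of-band web access to .200 and .201 ---
access-list 110 permit tcp any any eq 8081
access-list 110 permit tcp any any eq 8082
interface FastEthernet0/0
 ip access-group 110 in
!
! Checks from the router:
!   show ip nat translations   - expect rows like
!       tcp <public>:8081  192.168.1.200:80  <client>:<port>  <client>:<port>
!   show ip nat statistics     - confirms which interfaces are inside/outside,
!                                and the hit/miss counters
!   show access-lists 110      - match counters on the two permit lines
!   debug ip nat detailed      - per-packet translation log; run it briefly,
!                                an 1841 does not have CPU to spare
```

Two points worth keeping in mind when this does not appear to work. A static translation is matched before the dynamic overload rule, so the inside hosts do not need to be excluded from ACL 102, and an inbound ACL on the outside interface sees the untranslated packet, so it has to reference the public port. A translation entry that shows an outside client, as in the table Dwane posts later in the thread, means the inbound packet was matched and rewritten; if the browser still gets no answer, the remaining suspects are the inside host itself (is it really listening on port 80, is its default gateway 192.168.1.1 so the reply returns through the NAT router, is a host firewall dropping the connection) rather than the NAT statements.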

1 Accepted Solution

Dwane, you used the route map config with port 23?  I ask because I don't think your config would work without it since the traffic you want to isolate by port would be caught by the more inclusive access permitting the entire subnet.  Also, did you account for the additional ports in your access list on the outside interface?

13 Replies

Bart Kersten
Level 1

I think you need an ACL to permit the specified traffic on the outside interface.

Probably something like this:

access-list 100 permit tcp any any eq <port number>

Apply it inbound on the outside interface:

interface fa0/0
 ip access-group 100 in

Remember to also permit other services you need in the ACL.

Hope this helps

Hello,

NAT PAR redirects the connection for traffic directed to one device or port to a different device or port.

Have you tried using the same port on either side?

ip nat inside source static tcp 192.168.1.200 8081 interface fa0/0 8081
ip nat inside source static tcp 192.168.1.201 8082 interface fa0/0 8082

Regards
Paul


Thank you for the replies.

I do not have an option to configure the HTTP TCP port.  I have to web in using http://x.x.x.x:8081 and have it forward to 192.168.x.x:80, and also be able to web into http://x.x.x.x:8082 and have it forward to 192.168.x.y:80.

I think we are all on the proper track, but is there a definitive way to configure this task?

Thanks again.

Dwane

Have you tried using a route map instead of an access list, which would deny the two hosts from being PAT'd to the interface like the rest of the hosts, and instead have them PAT'd the way you want?

access-list 102 deny ip host 192.168.1.200 any
access-list 102 deny ip host 192.168.1.201 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
!
route-map EXAMPLE permit 10
 match ip address 102
!
ip nat inside source route-map EXAMPLE interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.200 80 interface fa0/0 8081
ip nat inside source static tcp 192.168.1.201 80 interface fa0/0 8082

William,

I have not tried the route map route just yet.  I was hoping to keep it rather simple.

I will try it and get back with you. 

Thank you

Dwane

I should add that I attempted this with TCP port 23.  That would not work either.  Is there anything else I need to do to make this work?

Dwane, you used the route map config with port 23?  I ask because I don't think your config would work without it since the traffic you want to isolate by port would be caught by the more inclusive access permitting the entire subnet.  Also, did you account for the additional ports in your access list on the outside interface?

William,

I am going to try and configure it this way.  I do not have any blocks outside and on the inside, we allow 192.168.x.x to any.  It is fairly wide open.

I will try the route map.  Is there anything else I would need that you can think of?  I did this with RDP on another router and it worked just fine.

Let me give it a shot.

Thanks

Dwane

My ip nat translation shows:

tcp 10.10.10.10:8081   192.168.1.200:80   10.50.10.10:41914   10.50.10.10:41914
tcp 10.10.10.10:8081   192.168.1.200:80   10.50.10.10:41915   10.50.10.10:41915
tcp 10.10.10.10:8081   192.168.1.200:80   10.50.10.10:41916   10.50.10.10:41916

where 10.10.10.10 represents our external ISP address we are trying to use, and 10.50.10.10 represents the IP address from which I am attempting the 10.10.10.10:8081 request.  So it does see it hitting the address.  I can ping 192.168.1.200 from the router.

Any other ideas or can I debug maybe the IP nat to see what is taking place?  I am stuck on this one.  It should work.

Thanks for your help
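The translation table is the main evidence the router gives you, so it is worth reading it systematically. As an added example (not from the thread), here is a small Python parser for `show ip nat translations` output that matches the live entries against the configured static forwards and reports, per public port, how many inbound sessions exist, which outside clients opened them, and whether any entry maps to a different inside host than intended. The table embedded in the script is constructed: its first three rows are the entries Dwane posted (with his placeholder addresses), the remaining rows are invented to show the static entries without a session and an ordinary outbound overload session.

```python
"""Added example (not from the thread): parse IOS ``show ip nat translations``
output and report which configured static port forwards are actually being hit.
The sample table is constructed; its first three data rows reproduce the
entries posted in the thread, the remaining rows are invented."""

import re

# Constructed sample, laid out like IOS 12.4 "show ip nat translations".
# "---" on the outside side marks the static mapping itself (no live session).
SAMPLE_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 10.10.10.10:8081   192.168.1.200:80   10.50.10.10:41914  10.50.10.10:41914
tcp 10.10.10.10:8081   192.168.1.200:80   10.50.10.10:41915  10.50.10.10:41915
tcp 10.10.10.10:8081   192.168.1.200:80   10.50.10.10:41916  10.50.10.10:41916
tcp 10.10.10.10:8081   192.168.1.200:80   ---                ---
tcp 10.10.10.10:8082   192.168.1.201:80   ---                ---
tcp 10.10.10.10:1024   192.168.1.50:49211 203.0.113.5:443    203.0.113.5:443
udp 10.10.10.10:53021  192.168.1.50:53021 203.0.113.53:53    203.0.113.53:53
"""

# Static forwards as configured on the router: public port -> (inside host, inside port).
STATIC_FORWARDS = {8081: ("192.168.1.200", 80), 8082: ("192.168.1.201", 80)}

_ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def _split_endpoint(token):
    """'10.10.10.10:8081' -> ('10.10.10.10', 8081); '---' (no session) -> None."""
    if token == "---":
        return None
    m = _ENDPOINT.match(token)
    if not m:
        raise ValueError(f"unexpected endpoint token: {token!r}")
    return m.group(1), int(m.group(2))


def parse_nat_table(text):
    """Return one dict per translation row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] not in ("tcp", "udp", "icmp"):
            continue  # header, blank line, or a layout this parser does not handle
        proto, ig, il, ol, og = fields
        rows.append({
            "proto": proto,
            "inside_global": _split_endpoint(ig),
            "inside_local": _split_endpoint(il),
            "outside_local": _split_endpoint(ol),
            "outside_global": _split_endpoint(og),
        })
    return rows


def audit_forwards(rows, forwards):
    """Per configured public port: count live inbound sessions, collect the
    outside clients, and flag rows whose inside side differs from the
    configured target (a mistyped static entry shows up here).  Rows with
    '---' on the outside side are the static mappings, not sessions."""
    report = {port: {"sessions": 0, "clients": set(), "mismatch": []} for port in forwards}
    for r in rows:
        if r["proto"] != "tcp" or r["inside_global"] is None:
            continue
        public_port = r["inside_global"][1]
        if public_port not in forwards:
            continue  # ordinary overload session, not one of the forwards
        entry = report[public_port]
        if r["inside_local"] != forwards[public_port]:
            entry["mismatch"].append(r["inside_local"])
        if r["outside_global"] is not None:
            entry["sessions"] += 1
            entry["clients"].add(r["outside_global"][0])
    return report


def unused_forwards(report):
    """Public ports that are configured but have no live session at all."""
    return sorted(p for p, e in report.items() if e["sessions"] == 0)


if __name__ == "__main__":
    rep = audit_forwards(parse_nat_table(SAMPLE_TABLE), STATIC_FORWARDS)
    for port, e in sorted(rep.items()):
        host, iport = STATIC_FORWARDS[port]
        print(f":{port} -> {host}:{iport}  sessions={e['sessions']} "
              f"clients={sorted(e['clients'])} mismatch={e['mismatch']}")
    print("forwards with no sessions:", unused_forwards(rep))
```

Run it against the real output (paste it in place of the constructed table, or read it from a file). Three sessions from one client on :8081 with no mismatch, as in the posted table, says the router did translate the inbound connection; a forward that never shows a session has either not been reached from outside or is being dropped before NAT (an inbound ACL on the outside interface is the usual reason).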

William,

I am sorry but I could not get this configuration to work.  Do you have the route-map configuration?

ip nat inside source static tcp 192.168.1.200 80 interface FastEthernet0/0 8081
ip nat inside source route-map tcp-pf interface FastEthernet0/0 overload
!
access-list 102 deny   ip host 192.168.1.200 any
access-list 102 deny   ip host 192.168.1.201 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
route-map tcp-pf permit 10
 match ip address 102

This is how it is configured.  Any ideas?

Thanks

Dwane

William,

Can you give me a better understanding of what you are trying to say?  I know my example has port 80 and 8081 defined, but I did attempt it with TCP port 23.

Shouldn't the access-list be reversed?  Shouldn't it be "access-list 102 permit tcp host 192.168.1.200 any eq 23" and then a deny statement for ip to 192.168.1.200?

Thank you

Dwane

William,

Does this look better?  I assigned the route-map to the external interface and changed the direction of the ACLs.

Dwane

interface FastEthernet0/0
 ip address dhcp client-id FastEthernet0/0
 ip nat outside
 no ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 ip policy route-map tcp-pf
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 192.168.1.200 80 interface FastEthernet0/0 8081
ip nat inside source route-map tcp-pf interface FastEthernet0/0 overload
!
access-list 102 permit tcp any host 192.168.1.200 eq www
access-list 102 permit tcp any host 192.168.1.201 eq www
access-list 102 deny   ip any host 192.168.1.200
access-list 102 deny   ip any host 192.168.1.201
access-list 102 permit ip any 192.168.1.0 0.0.0.255
!
route-map tcp-pf permit 10
 match ip address 102
!

I don't think that will work.  I think the issue is the direction of the flow.  From inside to outside what I suggested would work, but you'd have to initiate the connection from the inside, which is not practical.  There is a "reversible" keyword that can be added to an ip nat inside command, e.g.

ip nat inside source route-map route-map-mgmt interface fa0/0 reversible

that allows the connection to be initiated from the outside and have the NAT applied as configured when the internal host responds.  However, this doesn't appear to be an option in your setup because of your limitation in having only one public address available.  Try this:

ip nat outside source static tcp 1.1.1.1 8081 192.168.1.200 80

where 1.1.1.1 is the public IP address being used by your router.

Then use your

ip nat inside source list 102 interface FastEthernet0/0 overload
access-list 102 permit ip 192.168.1.0 0.0.0.255 any

With the port forwarding set up on the outside interface, you may not need to exclude the inside-to-outside translation of the resources you're trying to make accessible publicly, as I initially suggested.
