2114 Views, 0 Helpful, 15 Replies

NAT difficulties

Dan Muntz (Level 1)

I need to set up the following:

ALL traffic FROM internal IP of 10.0.0.1 needs to be seen on the internet as the public IP of 204.0.0.1

ONLY ports 80 and 443 FROM 204.0.0.1 need to be sent to the internal IP of 10.0.0.1

I've tried NAT with route maps, but no matter what I attempt, ALL traffic to 204.0.0.1 gets sent to 10.0.0.1, when I only need ports 80 and 443.

Also, I need a way to have the same as above, but to translate a port. For example: external 204.0.0.1:555 goes to 10.0.0.1:22

This is one example, I have about 10 public IPs that I need to do the same thing to.

So basically I need to know how to NAT specific inbound ports on a specific public IP to specific internal ports on a specific internal IP, but at the same time, ALL outbound traffic from the internal IP will be shown to the world as a specific public IP.

Hope this makes sense.

15 Replies

You're very welcome. If you don't want to allow anything back in on 53, you can also tighten the ACL down to allow just the host that you're expecting your replies to come back from. For example, if you use 4.2.2.1 and 4.2.2.2 for DNS servers on your hosts, you can put those in your ACL:

permit udp host 4.2.2.1 any eq 53

permit udp host 4.2.2.2 any eq 53

And you should be able to remove "permit udp any any 53". A good way to test this would be to put these 2 lines above your "permit udp any any" line and then look at your counters. If you're getting hits on the new lines, then you're safe to remove the "any any" line. Substitute your real DNS servers for the ones that I put in my post above though.

John

HTH, John *** Please rate all useful posts ***
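The configuration the original question asks for, written out here as an added example (it is not from the thread or from any of the participants). It is Cisco IOS syntax and assumes GigabitEthernet0/0 is the inside interface, GigabitEthernet0/1 the outside interface, the router holds .254 on both subnets, and 4.2.2.1/4.2.2.2 are the resolvers the internal hosts really use, as in John's post; the pool, ACL and interface names are made up for the example. The point is to avoid a plain 1:1 static translation (which is what forwards every inbound port to 10.0.0.1) and instead combine per-port static entries for 80, 443 and 555->22 with a single-address overload pool for all outbound traffic. The outside-facing ACL then permits only the published ports plus the DNS answers, and it matches those answers on source port 53, because that is the port the resolver replies from.

```cisco
! Per-port static translations: only these inbound ports reach 10.0.0.1.
! "extendable" lets one inside-global address carry several port mappings
! and still be used by the dynamic pool below.
ip nat inside source static tcp 10.0.0.1 80  204.0.0.1 80  extendable
ip nat inside source static tcp 10.0.0.1 443 204.0.0.1 443 extendable
! Port translation: 204.0.0.1:555 on the outside becomes 10.0.0.1:22 inside.
ip nat inside source static tcp 10.0.0.1 22  204.0.0.1 555 extendable
!
! Everything else 10.0.0.1 sends out is PATed to 204.0.0.1 through a
! single-address pool with overload. Names and netmask are assumptions.
ip access-list standard NAT-HOST-10-0-0-1
 permit host 10.0.0.1
ip nat pool PUBLIC-204-0-0-1 204.0.0.1 204.0.0.1 netmask 255.255.255.0
ip nat inside source list NAT-HOST-10-0-0-1 pool PUBLIC-204-0-0-1 overload
!
! Inbound filter on the outside interface. IOS evaluates this ACL before the
! outside-to-inside translation, so it matches on the public address.
ip access-list extended OUTSIDE-IN
 remark Published services only
 permit tcp any host 204.0.0.1 eq 80
 permit tcp any host 204.0.0.1 eq 443
 permit tcp any host 204.0.0.1 eq 555
 remark DNS answers arrive FROM the resolver's port 53 (stateless variant
 remark of the tightened rule above; substitute your real resolvers)
 permit udp host 4.2.2.1 eq 53 any
 permit udp host 4.2.2.2 eq 53 any
 deny   ip any any log
!
interface GigabitEthernet0/0
 description inside (assumed)
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description outside (assumed)
 ip address 204.0.0.254 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
```

For the other public addresses, repeat the three pieces per host: its static port lines, a standard ACL matching that inside host, and a one-address pool with overload. Verify with `show ip nat translations` (the static entries appear immediately; dynamic ones appear once the host talks out) and with `show ip access-lists OUTSIDE-IN`, whose per-line hit counters are the same check John suggests for confirming the resolver-specific lines are matching before the broader rule is removed. Note that the two UDP permits are still stateless: they let anything sourced from port 53 on those two hosts reach any internal port, which is the trade-off of filtering DNS replies with an ACL rather than a stateful inspection feature.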