cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1802
Views
0
Helpful
13
Replies

NAT on ADSL Connection

alertforce
Level 1
Level 1

I am having a ADSL connection with dynamic IP from my ISP, I am using a Cisco 837 router.

I need to access one of my servers from the internet. I am using a dyndns agent in my server so that I will know the updated IP address. I tried setting NAT on the dialer0 interface, but it did not work. I need to NAT 2 ports (port 22 and 122) to a LAN server: 192.168.5.11

Here is the original config file:

Please see attached.

I searched the web and I tried this:

config t

interface dialer0

ip access-group 104 in

exit

access-list 104 permit tcp any any eq 22

access-list 104 permit tcp any any eq 122

ip nat inside source static tcp 192.168.5.11 25 interface dialer0 22

ip nat inside source static tcp 192.168.5.11 25 interface dialer0 122

After I entered these command, I can no longer access the internet.

May I know where did I do wrong?

Can anyone assist me?

Thanks.

13 Replies 13

Hi Patrick

I dont know how you lose connectivity, but you can not forward ports to a network whicy you dont have route to. Your inside network is 192.168.2.0 but you try a 192.168.5.x IP for port forwarding

Regards

Opps, typo, I meant I added in the following:

ip nat inside source static tcp 192.168.2.11 25 interface dialer0 22

ip nat inside source static tcp 192.168.2.11 25 interface dialer0 122

Should I be using "ip nat inside" or "ip nat outside"? I am a bit confused.

"ip nat inside" is the correct one. Are you sure that your connectivity goes down? Did you try reloading the router? Can you paste output of "sh ip nat translations" and "traceroute 4.2.2.2"

Yes after I all in those entries, internet connection dropped. And when I remove all of them the internet connection is up again. I did not try to re-start the router.

The router is not with me now so I cannot get the output for you.

Should I be adding the commands at the vlan1 interface or the dialer0 interface?

Thanks.

foxbatreco
Level 3
Level 3

Hii.

it seems ur acl104 is the cause of the issue with implicit deny blocking all traffic.

Pls try removing this.

Rate if this helps.

I added acl104 to allow incoming port 22 and 122 from the internet to the internal server (192.168.2.11). If not how should I configure the router?

I am a firewall expert than router, but router should be a stateful device also, I mean return traffic of traffic that is originated locally should bypass an ACL applied to inbound of Dialer0, thats why it shouldnt cause internet connectivity loss.

But lets find it out by trial and error,

Patrick, let the nat statements stay and remove the ip access-group 104 in command from interface. Internet connection still down?

Patrick,as the nat is already dere to allow external traffic to hit the internal server, there should not be any need for an acl on the dialer interface. Anyways the acl is not doin much here. I wud suggest removing the acl & tryin the access..as in situations like this the nat should suffice for traffic redirection to correct internal segment!

let us know ur thoughts or results..

Husy..the router being stateful wud have been stateful if there would hv been an explicit inspect statement attached to the interface to keep the originated traffic under inspection.

Firewalls on the other hand are built to be stateful cos they are xclusive security stuff.

Lets w8 for patrick to revert with results!

Rate if this helps..Thanks!!!!

Patrick,

Before removing the acl, try adding this

access-list 104 permit tcp any any established

Regards

Hi all,

OK, in that case I will try changing it tomorrow when I am back to office.

In that case do I still need to put "ip access-group 104 in" at the dialer0 interface?

So in total I will put in

"access-list 104 permit tcp any any established",

"ip nat inside source static tcp 192.168.5.11 25 interface dialer0 22",

and

"ip nat inside source static tcp 192.168.5.11 25 interface dialer0 122"?

I notice that there are some statement on the router's current config is mentioning port 22 as well, will my port 22 NAT affect those current settings as well?

Thanks.

Patrick,

Here is the total comands that you have to issue

interface d0

ip access-group 104 in

access-list 104 permit tcp any any established

access-list 104 permit tcp any any eq 22

access-list 104 permit tcp any any eq 122

ip nat inside source static tcp 192.168.5.11 25 interface dialer0 22

ip nat inside source static tcp 192.168.5.11 25 interface dialer0 122

Port 22 is for Secure Shell (SSH), dont know where it can be stated in your config so cant say what would it affect other than SSH communication.

Assuming that CBAC, which is a part of IOS firewall feature set for your router is not enabled or doesnt exist, It can not bypass the return traffic of locally originated sessions, thus return traffic for your internet traffic hits the implicit deny and you have no internet connectivity. The permti statement for "established" would take care of that.

Regards

You should be using "inspection" on the internal and external interfaces.

Inspection will create dynamic holes in the firewall to facilitate traffic in the return path, and will simplify your interface ACLs.

The internal interface ACL should be configured to permit the specific protocols permitted (by security policy) for outbound communication. Applying inspection on the internal interface will provision the return path by opening dynamic holes in the outside interface ACL.

The same is done on the external interface. An ACL is created to permit connections from external hosts to your internal servers. Inspection is applied there to facilitate packets returning from your servers, by opening dynamic holes in the internal interface's ACL.

Inspection would be a better choice that using the established key word in ACLs.

e.g.: A simple inspection example:

ip inspect log drop-pkt

ip inspect audit-trail

ip inspect name our-insp tcp

ip inspect name our-insp udp

ip inspect name our-insp icmp

ip inspect name our-insp dns

ip inspect name our-insp ftp

ip inspect name our-insp pop3

interface Ethernet0

description ~5Mbps Exposed to Internet

ip inspect our-insp in

interface FastEthernet0

description Internal Network

ip inspect our-insp in

Note: Ideally you would migrate to Granular Protocol Inspection and avoid the generic UDP and TCP inspection, but that is up to you.

I've not looked at your NAT issues, just the lack of Internet connectivity following application of the limited ACL on the external interface.

zalimjin123
Level 1
Level 1

There are two steps to getting the port forwarding to work:

Allow the desired traffic into the router.

Lets say access-list 101 is used to control what is allowed into the router from the Internet.

You need to add an entry for your traffic just above the current permit entries.

A modified access-list to allow tcp port 22 and tcp port 122 might look like:

interface Dialer0

...

ip access-group 101 in

...

access-list 101

! This allows inbound Port 22 traffic.

access-list 101 permit tcp any any eq 22

! This allows inbound Port 122 traffic.

access-list 101 permit tcp any any eq 122

Tell the router where to forward the traffic to.

! Forward Port 22 -> 192.168.5.11 : 22

ip nat inside source static tcp 192.168.5.11 22 interface dialer0 22

! Forward Port 122 -> 192.168.5.11 : 122

ip nat inside source static tcp 192.168.5.11 122 interface dialer0 122

Hope this will help you.

Regards

Asif Saif

Review Cisco Networking for a $25 gift card