
NAT translations DHCP and access to internal servers

aducey01
Level 1

I'm using a 2601X router connecting to a broadband connection. The following NAT connections are working, but I need to do NAT exemptions to set up my VPN appliance on the DMZ. I see a lot of documentation on how to use a pool of public addresses to do that, but I only have the one DHCP address from my ISP. Is there a way to make this happen?

!
boot system flash:c2600-adventerprisek9-mz.124-25d.bin
!
!
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no clns route-cache
interface FastEthernet1/0
 description DMZ Subnet
 no switchport
 ip address 10.33.33.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan22
 ip address 10.22.22.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no clns route-cache
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 10.22.22.0 0.0.0.255 log
access-list 1 permit 10.33.33.0 0.0.0.255 log



5 Replies

cadet alain
VIP Alumni

Hi,

Just replace your standard ACL for NAT with an extended one where you deny traffic from this DMZ to the distant subnet for which you are using the VPN.

Regards.

Alain

Don't forget to rate helpful posts.


The ACL is for NAT, not VPN... does that make a difference?

I'm thinking I need static mappings for the DMZ IPs that I want exposed to the internet...

Hi,

Yes, if you want to do port forwarding then you need a static PAT entry like this: ip nat inside source static tcp  80 x.x.x.x interface x/x 80 (this example is for a web service on the internal host).

But you were talking about a VPN, so if this server communicates with another subnet through an IPsec VPN then you'll need to do NAT exemption.

Regards.

Alain

Don't forget to rate helpful posts.


Thanks so much. Can you show me what a NAT exemption would look like, or is the example you gave me a NAT exemption? How is it coded?

thanks

OK, to SSH to my router from the outside, I used the following:

ip nat inside source static tcp 22 10.33.33.1 interface vlan 33 22..

Is that what it's supposed to look like?  It's not working. 
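Added example, not part of the original thread or any poster's configuration: the NAT exemption described in the replies, applied to the router config from the question, followed by a static PAT entry in IOS's `local-ip local-port interface <outside-if> global-port` argument order. The remote VPN subnet 192.0.2.0/24, the DMZ host 10.33.33.10 and the ACL name NAT-OVERLOAD are placeholders that do not appear in the thread.

```cisco
! --- NAT exemption with a single DHCP-assigned outside address ---
! Standard ACL 1 can only match on source, so it cannot exclude one
! destination. Replace it with an extended ACL that is evaluated
! top-down: the first matching line decides whether NAT is applied.
!
! If IOS reports the mapping is in use, run "clear ip nat translation *"
! from exec mode first, then remove the old rule.
no ip nat inside source list 1 interface FastEthernet0/0 overload
no access-list 1
!
ip access-list extended NAT-OVERLOAD
 remark DMZ to remote VPN subnet (placeholder 192.0.2.0/24): do NOT translate
 deny   ip 10.33.33.0 0.0.0.255 192.0.2.0 0.0.0.255
 remark Everything else from the inside subnets is PATed to the ISP address
 permit ip 10.22.22.0 0.0.0.255 any
 permit ip 10.33.33.0 0.0.0.255 any
!
! Same overload rule as before, now driven by the extended ACL.
ip nat inside source list NAT-OVERLOAD interface FastEthernet0/0 overload
!
! --- Static PAT (port forwarding) for one DMZ service ---
! Order is: protocol, inside host IP, inside port, outside interface,
! outside port. The interface named here is the "ip nat outside"
! interface, because its DHCP address is the public side of the mapping.
! 10.33.33.10 is a hypothetical web server on the DMZ subnet.
ip nat inside source static tcp 10.33.33.10 80 interface FastEthernet0/0 80
!
! The static entry publishes that port on the ISP-assigned address to
! any source, so pair it with an inbound filter on FastEthernet0/0 that
! permits only the sources that need it.
```

Check the result with `show ip nat translations` and `show access-lists NAT-OVERLOAD`: traffic from the DMZ to the remote subnet should increment the deny line and create no translation entry.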
