Sickgolem
asked on
Redirect packets without using NAT
I want to redirect all traffic from a public IP to an internal without using Nat.
I the moment we are using nat and it is working fine with a static route.( See config)
But the new Voip server on the internal IP allows no natting in front.
So we want to rediret all packets from 4 special Public IP addresses to the internal.(192.168.0.201)
Thats the most important thing.
The rest coming in should be redirected to a second internal IP(192.168.0.202)
User Access Verification
Password:
2MBSDSL>enable
Password:
2MBSDSL#show running
Building configuration...
Current configuration : 1475 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2MBSDSL
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxxxxxxxxxx
!
clock timezone cst 0
clock summer-time EDT recurring
no aaa new-model
ip subnet-zero
no ip cef
!
!
!
!
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
!
!
!
interface Ethernet0/0
description SDSL
no ip address
ip tcp adjust-mss 1452
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface Ethernet1/0
description Internes Lan
ip address 192.168.0.200 255.255.255.0
ip nat inside
full-duplex
!
interface Dialer1
ip address negotiated
ip access-group 103 in
ip mtu 1492
ip nat outside
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxx
ppp chap password 0 xxxxxxxxxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxxxxxxxxxxxxxxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static 192.168.0.201 217.91.102.2
!
!
access-list 1 permit any
access-list 1 permit 192.168.0.0 0.0.0.255
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password login
!
!
end
2MBSDSL#
I the moment we are using nat and it is working fine with a static route.( See config)
But the new Voip server on the internal IP allows no natting in front.
So we want to rediret all packets from 4 special Public IP addresses to the internal.(192.168.0.201)
Thats the most important thing.
The rest coming in should be redirected to a second internal IP(192.168.0.202)
User Access Verification
Password:
2MBSDSL>enable
Password:
2MBSDSL#show running
Building configuration...
Current configuration : 1475 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2MBSDSL
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxxxxxxxxxx
!
clock timezone cst 0
clock summer-time EDT recurring
no aaa new-model
ip subnet-zero
no ip cef
!
!
!
!
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
!
!
!
interface Ethernet0/0
description SDSL
no ip address
ip tcp adjust-mss 1452
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface Ethernet1/0
description Internes Lan
ip address 192.168.0.200 255.255.255.0
ip nat inside
full-duplex
!
interface Dialer1
ip address negotiated
ip access-group 103 in
ip mtu 1492
ip nat outside
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxx
ppp chap password 0 xxxxxxxxxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxxxxxxxxxxxxxxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static 192.168.0.201 217.91.102.2
!
!
access-list 1 permit any
access-list 1 permit 192.168.0.0 0.0.0.255
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password login
!
!
end
2MBSDSL#
ASKER
Hi,
the Voip Server( GSM Gateway with Voip card) can handle to send the public IP.
In the moment for testing I like to forward everything coming in.
When everything is setup for security reasons I like to accept only 3 Public IPs as host.
So that no telnet etc. to the system is possible.
the Voip Server( GSM Gateway with Voip card) can handle to send the public IP.
In the moment for testing I like to forward everything coming in.
When everything is setup for security reasons I like to accept only 3 Public IPs as host.
So that no telnet etc. to the system is possible.
Next problem I see, in your config it looks like you have only one public IP address, and that it is dynamically assigned via a PPOE client. Now in theory you could forward packets from different hosts to different IP addresses on the inside with only one public IP address using access lists, or route lists to determine which host gets forwarded to what internal address, but I have never seen such a config on a Cisco router, nor can I find any examples in Cisco’s extensive documentation of a similar config.
If you do only have one public address, what you want to do may not be do able, maybe Irmoore can clarify if this is the case, what I do know can be done is map individual ports to separate inside address when you only have one public address, i.e. HTTP to 10.10.2.2 and DNS to 10.10.2.3. And if you have a pool of public address you can forward each one to an individual host, i.e 20.20.20.1 to 10.10.2.2 and 20.20.20.2 10.10.2.3. So unless you have more than that one public IP address, you may have to rethink your plans.
If you do only have one public address, what you want to do may not be do able, maybe Irmoore can clarify if this is the case, what I do know can be done is map individual ports to separate inside address when you only have one public address, i.e. HTTP to 10.10.2.2 and DNS to 10.10.2.3. And if you have a pool of public address you can forward each one to an individual host, i.e 20.20.20.1 to 10.10.2.2 and 20.20.20.2 10.10.2.3. So unless you have more than that one public IP address, you may have to rethink your plans.
ASKER
Hi, it is only one public ip that is asigned from the provider to the sdsl dialup.
If you only have one Public IP address, you have no choice but to use Port Address Translation (NAT).
Period.
Period.
It looks like lrmoore concurs with my conclusion, unless you can use port address translation, you can’t do what you want with out acquiring more public IP address, and depending on your ISP, that may, or may not be possible.
ASKER
So I have to do Nat.
Do i have to ad something more then:
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static 192.168.0.201 192.168.0.201
ip nat outside source static 192.168.0.201 217.91.102.2
!
!
access-list 1 permit any
access-list 1 permit 192.168.0.0 0.0.0.255
Do i have to ad something more then:
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static 192.168.0.201 192.168.0.201
ip nat outside source static 192.168.0.201 217.91.102.2
!
!
access-list 1 permit any
access-list 1 permit 192.168.0.0 0.0.0.255
It probably should be.
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip nat inside source list 1 interface Dialer1 overload
ip nat outside source static 192.168.0.201 interface Dialer1
But if you want to break out the ports that’s another story. Below I have a sample where 5060 which is the signally port for SIP goes to one server, and HTTP port 80 goes to the other server. If you are going to break it out in this manor you are going to have to find what ports the VOIP server uses for the voice packets and add lines for them, and if it use H.323 you will need to take out the translation for 5060 and add ones for 1719 and 1720 instead.
ip nat inside source static tcp 192.168.0.201 5060 interface Dialer1 5060
ip nat inside source static tcp 192.168.0.202 80 interface Dialer1 80
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip nat inside source list 1 interface Dialer1 overload
ip nat outside source static 192.168.0.201 interface Dialer1
But if you want to break out the ports that’s another story. Below I have a sample where 5060 which is the signally port for SIP goes to one server, and HTTP port 80 goes to the other server. If you are going to break it out in this manor you are going to have to find what ports the VOIP server uses for the voice packets and add lines for them, and if it use H.323 you will need to take out the translation for 5060 and add ones for 1719 and 1720 instead.
ip nat inside source static tcp 192.168.0.201 5060 interface Dialer1 5060
ip nat inside source static tcp 192.168.0.202 80 interface Dialer1 80
ASKER
Hi,
why is it ip nat ouside for the whole range and ip nat inside for single ports?
why is it ip nat ouside for the whole range and ip nat inside for single ports?
Sorry typo on my part, should have been inside for all of them.
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static 192.168.0.201 interface Dialer1
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static 192.168.0.201 interface Dialer1
I don't think you can redirect the whole interface IP address to an inside host.
You have no choice but to get another public IP address that you can use. Else you are stuck with port-by-port translation..
You have no choice but to get another public IP address that you can use. Else you are stuck with port-by-port translation..
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Now some VOIP equipment allow you to override this behavior, and specify the addresses to be used in the setup messages, but not all VOIP equipment has these features. If your equipment doesn’t have this capability, you could be out of luck unless the equipment on the other end is set, or is able to be set to ignore the addresses in the setups, and use the information in the IP packet to determine the address to send the voice packets instead.
So I’d suggest before proceeding on your plan to forward packets from an public address to the private one, you should check the documentation for your equipment to see if you can configure it to send the public address instead of the private one, or that the equipment of the other end can be, or is set to ignore the incorrect address and use the actual one that the voice packets are coming from.
Also I wouldn’t forward everything from the outside to the inside address, I’d only forward the ports needed, or at least block those that can be used to control that server, like for example telnet, or NetBIOS if it’s a Windows box.