Solved

Redirect packets without using NAT

Posted on 2004-10-09
12
307 Views
Last Modified: 2010-04-17
I want to redirect all traffic from a public IP to an internal one without using NAT.
At the moment we are using NAT and it is working fine with a static route (see config).
But the new VoIP server on the internal IP allows no NATting in front of it.

So we want to redirect all packets from 4 special public IP addresses to the internal one (192.168.0.201).
That's the most important thing.
The rest coming in should be redirected to a second internal IP (192.168.0.202).




User Access Verification

Password:
2MBSDSL>enable
Password:
2MBSDSL#show running
Building configuration...

Current configuration : 1475 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2MBSDSL
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
clock timezone cst 0
clock summer-time EDT recurring
no aaa new-model
ip subnet-zero
no ip cef
!
!
!
!
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
!
!
!
interface Ethernet0/0
 description SDSL
 no ip address
 ip tcp adjust-mss 1452
 full-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Ethernet1/0
 description Internes Lan
 ip address 192.168.0.200 255.255.255.0
 ip nat inside
 full-duplex
!
interface Dialer1
 ip address negotiated
 ip access-group 103 in
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1452
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 0 xxxxxxxxxxxxxxxxxxxx
 ppp pap sent-username xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static 192.168.0.201 217.91.102.2
!
!
access-list 1 permit any
access-list 1 permit 192.168.0.0 0.0.0.255
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password  login
!
!
end

2MBSDSL#


Question by:Sickgolem
12 Comments
 
LVL 13

Expert Comment

by:Dr-IP
ID: 12265719
Even though the router can be configured to do what you want it to, it still may not work properly for VoIP. This is because during the call setup the gateways exchange addresses for where the voice packets are to be sent, and with your VoIP server on the internal network at address 192.168.0.201 it is going to respond with that address. The other VoIP server is going to try to send the voice packets to that address, which it won't be able to, and you will end up with one-way audio.

Now some VoIP equipment allows you to override this behavior and specify the addresses to be used in the setup messages, but not all VoIP equipment has these features. If your equipment doesn't have this capability, you could be out of luck unless the equipment on the other end is set, or is able to be set, to ignore the addresses in the setup messages and use the information in the IP packet to determine the address to send the voice packets to instead.

So before proceeding with your plan to forward packets from a public address to the private one, I'd suggest you check the documentation for your equipment to see if you can configure it to send the public address instead of the private one, or that the equipment on the other end can be, or is, set to ignore the incorrect address and use the actual one that the voice packets are coming from.

Also, I wouldn't forward everything from the outside to the inside address. I'd only forward the ports needed, or at least block those that can be used to control that server, for example telnet, or NetBIOS if it's a Windows box.

   

Author Comment

by:Sickgolem
ID: 12265778
Hi,

the VoIP server (GSM gateway with VoIP card) can be set to send the public IP.
At the moment, for testing, I would like to forward everything coming in.
When everything is set up, for security reasons I would like to accept only 3 public IPs as hosts,
so that no telnet etc. to the system is possible.

LVL 13

Expert Comment

by:Dr-IP
ID: 12268543
The next problem I see: in your config it looks like you have only one public IP address, and that it is dynamically assigned via a PPPoE client. Now in theory you could forward packets from different hosts to different IP addresses on the inside with only one public IP address, using access lists or route maps to determine which host gets forwarded to what internal address, but I have never seen such a config on a Cisco router, nor can I find any examples in Cisco's extensive documentation of a similar config.

If you do only have one public address, what you want to do may not be doable; maybe lrmoore can clarify if this is the case. What I do know can be done is to map individual ports to separate inside addresses when you only have one public address, i.e. HTTP to 10.10.2.2 and DNS to 10.10.2.3. And if you have a pool of public addresses you can forward each one to an individual host, i.e. 20.20.20.1 to 10.10.2.2 and 20.20.20.2 to 10.10.2.3. So unless you have more than that one public IP address, you may have to rethink your plans.
     

Author Comment

by:Sickgolem
ID: 12269750
Hi, it is only one public IP that is assigned by the provider to the SDSL dial-up.

LVL 79

Expert Comment

by:lrmoore
ID: 12270632
If you only have one Public IP address, you have no choice but to use Port Address Translation (NAT).
Period.

LVL 13

Expert Comment

by:Dr-IP
ID: 12271171
It looks like lrmoore concurs with my conclusion: unless you can use port address translation, you can't do what you want without acquiring more public IP addresses, and depending on your ISP, that may or may not be possible.

Author Comment

by:Sickgolem
ID: 12271734
So I have to do NAT.
Do I have to add something more than:


ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static 192.168.0.201 192.168.0.201
ip nat outside source static 192.168.0.201 217.91.102.2
!
!
access-list 1 permit any
access-list 1 permit 192.168.0.0 0.0.0.255



LVL 13

Expert Comment

by:Dr-IP
ID: 12272519
It probably should be:

ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip nat inside source list 1 interface Dialer1 overload
ip nat outside source static 192.168.0.201 interface Dialer1

But if you want to break out the ports, that's another story. Below I have a sample where 5060, which is the signalling port for SIP, goes to one server, and HTTP port 80 goes to the other server. If you are going to break it out in this manner you are going to have to find out what ports the VoIP server uses for the voice packets and add lines for them, and if it uses H.323 you will need to take out the translation for 5060 and add ones for 1719 and 1720 instead.

ip nat inside source static tcp 192.168.0.201 5060 interface Dialer1 5060
ip nat inside source static tcp 192.168.0.202 80 interface Dialer1 80


Author Comment

by:Sickgolem
ID: 12274334
Hi,


why is it ip nat outside for the whole range and ip nat inside for single ports?
LVL 13

Expert Comment

by:Dr-IP
ID: 12276001
Sorry, typo on my part; it should have been inside for all of them.

ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static 192.168.0.201 interface Dialer1
LVL 79

Expert Comment

by:lrmoore
ID: 12276865
I don't think you can redirect the whole interface IP address to an inside host.
You have no choice but to get another public IP address that you can use. Otherwise you are stuck with port-by-port translation.


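Putting the thread's conclusion (Dr-IP's port-by-port breakout and lrmoore's point that the whole interface address cannot be handed to one host) into one complete fragment. This is an added example, not configuration posted by Sickgolem or either expert. It assumes the addresses from the question (192.168.0.201 is the VoIP gateway, 192.168.0.202 the second host), uses the documentation addresses 198.51.100.10, .11 and .12 as stand-ins for the three trusted peers, and assumes a four-port RTP range (UDP 10000-10003) that must be replaced by whatever range the gateway's documentation gives. SIP signalling is usually UDP 5060, not only TCP, so both are forwarded. Access list 103 is applied inbound on Dialer1 in the posted config but its contents are not shown there; the version below is an assumption of what it could contain. Two things a reviewer of the posted config would also flag: `access-list 1` starts with `permit any`, so its 192.168.0.0/24 line is never reached and every source gets translated, and the static mapping to 217.91.102.2 points at an address the dialer does not own.

```cisco
! Added example (not from the thread): port-by-port static PAT on the single
! negotiated Dialer1 address, plus an inbound filter that only lets the three
! trusted peers reach the VoIP gateway.
!
! Assumed values:
!   192.168.0.201        VoIP gateway (from the question)
!   192.168.0.202        second internal host (from the question)
!   198.51.100.10-12     the three trusted remote peers (documentation
!                        addresses standing in for the real ones)
!   UDP 10000-10003      the gateway's RTP ports (assumed; use the range the
!                        gateway documentation gives, one line per port)
!
! 1. Overload NAT only for the LAN. The posted list 1 begins with "permit any",
!    so its 192.168.0.0/24 line is never reached.
no access-list 1
access-list 1 remark LAN sources eligible for overload NAT
access-list 1 permit 192.168.0.0 0.0.0.255
!
! 2. Replace the whole-host static mapping to 217.91.102.2 (an address the
!    dialer does not own) with per-port mappings onto the dialer's own address.
no ip nat inside source static 192.168.0.201 217.91.102.2
ip nat inside source list 1 interface Dialer1 overload
! SIP signalling is normally UDP 5060; forward TCP too in case the peers use it.
ip nat inside source static udp 192.168.0.201 5060 interface Dialer1 5060
ip nat inside source static tcp 192.168.0.201 5060 interface Dialer1 5060
! RTP media: static PAT takes one port per line, so one entry per port.
ip nat inside source static udp 192.168.0.201 10000 interface Dialer1 10000
ip nat inside source static udp 192.168.0.201 10001 interface Dialer1 10001
ip nat inside source static udp 192.168.0.201 10002 interface Dialer1 10002
ip nat inside source static udp 192.168.0.201 10003 interface Dialer1 10003
! The other service that should be reachable goes to the second host, by port.
ip nat inside source static tcp 192.168.0.202 80 interface Dialer1 80
!
! 3. Inbound filter on Dialer1 ("ip access-group 103 in" is already applied in
!    the posted config, but list 103 itself is not shown). An inbound ACL is
!    checked before the outside-to-inside translation, so the destination seen
!    is the public address, which is negotiated and unknown here; hence "any"
!    as destination and the port as the discriminator.
no access-list 103
access-list 103 remark inbound filter for Dialer1
! Return traffic for connections the LAN opened through the overload NAT.
! Only TCP has the "established" shortcut; UDP replies (DNS etc.) need either
! "ip inspect" (firewall feature set) or explicit permits, not shown here.
access-list 103 permit tcp any any established
! SIP and RTP from the three trusted peers only.
access-list 103 permit udp host 198.51.100.10 any eq 5060
access-list 103 permit tcp host 198.51.100.10 any eq 5060
access-list 103 permit udp host 198.51.100.10 any range 10000 10003
access-list 103 permit udp host 198.51.100.11 any eq 5060
access-list 103 permit tcp host 198.51.100.11 any eq 5060
access-list 103 permit udp host 198.51.100.11 any range 10000 10003
access-list 103 permit udp host 198.51.100.12 any eq 5060
access-list 103 permit tcp host 198.51.100.12 any eq 5060
access-list 103 permit udp host 198.51.100.12 any range 10000 10003
! Public web service on the second host.
access-list 103 permit tcp any any eq www
! Everything else, including telnet/NetBIOS towards either host and towards the
! router itself, is dropped; log it so the drops are visible during testing.
access-list 103 deny ip any any log
!
! Verify: "show ip nat translations" should list the static entries above, and
! "show access-lists 103" shows per-line match counters while a peer registers.
```

The "forward everything for testing" stage from the question can be approximated by temporarily replacing the three `host` lines with `any`, but the per-port mappings stay the only option on this link: with one negotiated address there is nothing else to hand to the gateway, which is the point both experts make.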
LVL 13

Accepted Solution

by:Dr-IP (earned 250 total points)
ID: 12277202
I never tried that myself, but I figured he could try it and see if it worked, as it won't hurt anything.

The kind of issue he has, by the way, seems to be becoming quite common nowadays, as a lot of people are trying to use their DSL lines to run things people have traditionally run on T1s. The problem is, few consider the aspects of what they want to do before ordering their DSL line. So they end up with dynamic IP addresses, or even worse private ones, and can't do what they wanted to do.

The sad part is that a lot of these problems could easily be avoided if they spent a little time figuring out the technical aspects of what they need, instead of just looking for the cheapest and/or fastest DSL provider in their area and worrying about the technical aspects later. When I chose mine, flexibility was a top priority, especially when it comes to additional static public addresses, so if I need more, I know I can get them and not have to deal with workarounds.