Solved

How do you allow some addresses behind a Cisco NAT interface through without translation, while others are translated?

Posted on 2006-10-30
Last Modified: 2010-03-19
I have a Cisco 1750 router (soon to be a Cisco 2611) that is separating the networks of two corporate entities.  The Ethernet interface connects to a VLAN on one corporate network (10.1.1.0 255.255.255.224) and the Serial interface connects via T1 to another series of corporate networks (192.168.10.0 255.255.255.0).  The Ethernet interface has an IP address of 10.1.1.1 and the Serial interface has an IP of 192.168.10.1.  I am running NAT on the router, with the Ethernet as the Outside interface and the Serial as the Inside interface.  I overload the Ethernet interface with an ACL permitting access by hosts on the internal networks through the interface.  I also have a few static NATs to certain host printers on the inside networks that are assigned IP addresses in the 10.1.1.2 - 10.1.1.10 range.

The problem:  I need to allow a few host computers on the network directly connected to the Outside Ethernet interface to pass through the interface untranslated - no NAT at all.  The hosts should be able to see everything as if NAT wasn't there.  I'm sure that I need to use an extended ACL to get this done, but I'm unsure of the specific statements.  Anyone care to give this one a shot?  It would be much appreciated!
Question by:rgmckenz
LVL 2

Expert Comment

by:HeavyWaterLTD
ID: 17838965
please paste your config
 

Author Comment

by:rgmckenz
ID: 17839151
OK, here's the config - watered down to the important stuff.  This does not include any statements, such as an extended ACL, to get the hosts (IP address 10.1.1.20, 10.1.1.21 and 10.1.1.22) through the FastEthernet0 interface untranslated.  I need them to see servers on the 192.168.1.0 and 192.168.2.0 networks, as well as some other devices on some other subnets.  Most other machines on the Outside should be translated through the NAT, but just not these three.  Hope this helps to explain things a little bit better.  Thanks!

hostname ROUTER1
!
ip subnet-zero
no ip domain-lookup
no ip http server
!
interface Serial0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 cdp enable
!
interface FastEthernet0
 ip address 10.1.1.1 255.255.255.224
 ip nat outside
 cdp enable
!
router rip
 version 2
 redistribute static
 passive-interface FastEthernet0
 network 10.0.0.0
 network 192.168.10.0
 distribute-list 3 out static
 no auto-summary
!
ip nat inside source list 50 interface FastEthernet0 overload
ip nat inside source static 192.168.1.10 10.1.1.4
ip nat inside source static 192.168.1.11 10.1.1.5
ip nat inside source static 192.168.1.12 10.1.1.6
ip nat inside source static 192.168.1.13 10.1.1.7
ip nat inside source static 192.168.1.14 10.1.1.8
ip nat inside source static 192.168.1.15 10.1.1.9
!
ip classless
!
ip route 0.0.0.0 0.0.0.0 192.168.10.2
!
ip route 10.2.1.0 255.255.255.0 10.1.1.30
ip route 10.3.1.0 255.255.255.0 10.1.1.30
!
no ip http server
!
access-list 3 permit 10.2.1.0 0.0.0.255
access-list 3 permit 10.3.1.0 0.0.0.255
!
access-list 50 permit 192.168.10.0 0.0.0.255
access-list 50 permit 192.168.9.0 0.0.0.255
access-list 50 permit 192.168.1.0 0.0.0.255
access-list 50 permit 192.168.2.0 0.0.0.255
access-list 50 permit 192.168.4.0 0.0.0.255
!
end
 
LVL 2

Accepted Solution

by:HeavyWaterLTD (earned 125 total points)
ID: 17839219
you need to modify your access-list 50

anything that matches this access-list will be dynamically NATed to your fastethernet0 interface

so you need to put in deny statements here for the hosts you do NOT want NATed

access-list 50 deny 192.168.x.x 0.0.0.0 <---------- no NAT host 1
access-list 50 deny 192.168.x.x 0.0.0.0 <---------- no NAT host 2
access-list 50 permit 192.168.10.0 0.0.0.255
access-list 50 permit 192.168.9.0 0.0.0.255
access-list 50 permit 192.168.1.0 0.0.0.255
access-list 50 permit 192.168.2.0 0.0.0.255
access-list 50 permit 192.168.4.0 0.0.0.255

Author Comment

by:rgmckenz
ID: 17839297
Thanks for the quick response.  Would the same hold true for devices on the Outside, such as a device at address 10.1.1.20?  Would I need a deny with those addresses, and if so, would they work with the same NAT statement and access list?  Do I need an ip nat outside statement covering those addresses?
 
LVL 2

Expert Comment

by:HeavyWaterLTD
ID: 17839409
NAT works only in this direction

inside -> outside

and the access-list above will look at source addresses coming from "inside" only.

there is no such thing as NAT from outside interface to the inside....
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17839614
You should have the other end guy create the same exceptions as you on his router so that you get the traffic un-natted. On the device, you could have the nat either way but only one way at a time.

inside to outside OR outside to inside.

Cheers,
Rajesh
 

Author Comment

by:rgmckenz
ID: 17842698
Thanks for the assistance.  HeavyWaterLTD, your deny statements would work fine, but I modified them a bit.  I'm now using an extended ACL and referencing specific hosts on the Outside network.  They now pass right around the NAT untranslated.  My 10.1.1.20, 21 and 22 hosts can get to my other interior networks.  I'm posting my updated, working config below.  Thanks once again for the ultra-quick response!

hostname ROUTER1
!
ip subnet-zero
no ip domain-lookup
no ip http server
!
interface Serial0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 cdp enable
!
interface FastEthernet0
 ip address 10.1.1.1 255.255.255.224
 ip nat outside
 cdp enable
!
router rip
 version 2
 redistribute static
 passive-interface FastEthernet0
 network 10.0.0.0
 network 192.168.10.0
 distribute-list 3 out static
 no auto-summary
!
ip nat inside source list 150 interface FastEthernet0 overload
ip nat inside source static 192.168.1.10 10.1.1.4
ip nat inside source static 192.168.1.11 10.1.1.5
ip nat inside source static 192.168.1.12 10.1.1.6
ip nat inside source static 192.168.1.13 10.1.1.7
ip nat inside source static 192.168.1.14 10.1.1.8
ip nat inside source static 192.168.1.15 10.1.1.9
!
ip classless
!
ip route 0.0.0.0 0.0.0.0 192.168.10.2
!
ip route 10.2.1.0 255.255.255.0 10.1.1.30
ip route 10.3.1.0 255.255.255.0 10.1.1.30
!
no ip http server
!
access-list 3 permit 10.2.1.0 0.0.0.255
access-list 3 permit 10.3.1.0 0.0.0.255
!
access-list 150 deny ip 192.168.0.0 0.0.255.255 host 10.1.1.20
access-list 150 deny ip 192.168.0.0 0.0.255.255 host 10.1.1.21
access-list 150 deny ip 192.168.0.0 0.0.255.255 host 10.1.1.22
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
access-list 150 permit ip 192.168.9.0 0.0.0.255 any
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
access-list 150 permit ip 192.168.4.0 0.0.0.255 any
!
end
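The two working answers in this thread (HeavyWaterLTD's per-host deny entries in standard ACL 50, and the poster's final extended ACL 150) both rely on the same IOS behaviour: the access list named in ip nat inside source list is walked top to bottom, the first matching entry wins, permit means "translate this flow", deny means "forward it untranslated", and a flow that matches nothing hits the implicit deny and is likewise left untranslated. The Python model below is an added illustration, not code from the thread or from Cisco; it implements IOS wildcard-mask matching and that first-match rule, loads the poster's ACL 150 verbatim, and adds a constructed standard-ACL variant (inside host 192.168.1.50 stands in for the answer's 192.168.x.x placeholder). It also shows the ordering pitfall: put the deny entries after the permits and the exception silently stops working, because the broader permit matches first. The other thing to keep in mind, which rsivanandan's reply hints at, is that a bypassed flow arrives at 10.1.1.20-22 with its real 192.168.x source address, so those hosts (and whatever is on the far side) need to be able to route back to it.

```python
"""Model of how IOS evaluates the access list named in
`ip nat inside source list <n> interface FastEthernet0 overload`.

Added illustration (not the router's code): entries are checked in order and
the first match decides.  permit -> the flow is translated; deny -> the flow
is forwarded untranslated; no match -> the implicit deny at the end of every
ACL also leaves it untranslated.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Addr = Tuple[str, str]          # (base address, IOS wildcard mask)
ANY: Addr = ("0.0.0.0", "255.255.255.255")


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    src: Addr
    dst: Optional[Addr] = None  # None for a standard (source-only) ACL

    def matches(self, src: str, dst: str) -> bool:
        if not wildcard_match(src, *self.src):
            return False
        return self.dst is None or wildcard_match(dst, *self.dst)


def _addr(tok: List[str]) -> Tuple[Addr, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]


def parse_entry(line: str) -> Entry:
    """Parse the two forms that appear in the thread:
    'access-list 50 permit 192.168.10.0 0.0.0.255'                   (standard)
    'access-list 150 deny ip 192.168.0.0 0.0.255.255 host 10.1.1.20' (extended)
    """
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    action, rest = tok[2], tok[3:]
    if rest[0] == "ip":                       # extended: ip <src> <dst>
        src, rest = _addr(rest[1:])
        dst, _ = _addr(rest)
        return Entry(action, src, dst)
    src, _ = _addr(rest)                      # standard: <src> only
    return Entry(action, src)


def acl_from_text(text: str) -> List[Entry]:
    return [parse_entry(line) for line in text.splitlines()
            if line.strip() and not line.startswith("!")]


def nat_decision(acl: List[Entry], src: str, dst: str) -> str:
    """What the overload rule does with a new inside->outside flow."""
    for e in acl:
        if e.matches(src, dst):
            return "translate" if e.action == "permit" else "bypass"
    return "bypass"                           # implicit deny: no translation


# The poster's final ACL 150, copied from the thread.
ACL150 = acl_from_text("""
access-list 150 deny ip 192.168.0.0 0.0.255.255 host 10.1.1.20
access-list 150 deny ip 192.168.0.0 0.0.255.255 host 10.1.1.21
access-list 150 deny ip 192.168.0.0 0.0.255.255 host 10.1.1.22
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
access-list 150 permit ip 192.168.9.0 0.0.0.255 any
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
access-list 150 permit ip 192.168.4.0 0.0.0.255 any
""")

# The accepted answer's standard-ACL variant, with a constructed inside host
# (192.168.1.50) standing in for the "192.168.x.x" placeholder in the answer.
ACL50_WITH_EXCEPTION = acl_from_text("""
access-list 50 deny 192.168.1.50 0.0.0.0
access-list 50 permit 192.168.10.0 0.0.0.255
access-list 50 permit 192.168.1.0 0.0.0.255
""")

# Same entries with the deny lines moved after the permits: first match wins,
# so the broader permit fires first and the exception silently stops working.
ACL150_MISORDERED = ([e for e in ACL150 if e.action == "permit"]
                     + [e for e in ACL150 if e.action == "deny"])

if __name__ == "__main__":
    for src, dst in [("192.168.1.50", "10.1.1.20"),   # exception host
                     ("192.168.1.50", "10.1.1.40"),   # any other outside host
                     ("192.168.5.5", "10.1.1.40")]:   # subnet not in the list
        print(src, "->", dst, nat_decision(ACL150, src, dst))
```

Running it prints bypass, translate, bypass for the three flows: the third one is the quiet failure mode of this design, since an inside subnet that nobody added to the permit entries is not dropped but simply forwarded with its private source address intact. The same function run against ACL150_MISORDERED reports "translate" for the 10.1.1.20 flow, which is why the deny entries must stay at the top of the list.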