rohmelec asked:
Cisco router outside NAT configuration help?

I have fiddled with this for a while now and still cannot figure this damn thing out.  I just want to allow for the following host to access this host.

10.36.1.30 -> 192.168.0.30

As you can see from below we are currently using NAT to route from our 192.168.0.30 network out but I am unable to create a nat rule to allow traffic from our 10.36.1.30 to come in.

I tried this rule and it made all our 192.168.X.X clients lose connectivity to the exchange server.

ip nat outside source static 10.36.1.30 192.168.0.30

My full config is listed below.  Could someone please provide me with the right command to accomplish what I'm trying to do?

Thank You in advance.


--------------------------------------------------------------------------------------------------------------------------------
Current configuration : 2398 bytes
!
! Last configuration change at 03:06:30 PST Wed Mar 28 2007
! NVRAM config last updated at 04:03:15 PST Sat Jan 27 2007
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname japanfr
!
logging queue-limit 100
logging buffered 10000 debugging
no logging console
enable secret 5 $1$GG25$CY8l/xU1o2tyHbtXEld3.1
enable password phO=q4u7
!
memory-size iomem 20
clock timezone PST -8
ip subnet-zero
!
!
!
!
modemcap entry usrmodem:MSC=&FS0=1&C1&D3&H1&R2&B1
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.0.0.0
!
interface FastEthernet0/0
 ip address 192.168.0.3 255.255.255.0
 ip nat inside
 speed auto
 half-duplex
 no cdp enable
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet1/0
 ip address 10.36.1.10 255.255.255.0
 ip nat outside
 half-duplex
 no cdp enable
!
router eigrp 1
 redistribute connected
 redistribute static
 network 192.168.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip nat translation timeout 43200
ip nat pool newrobin 10.36.1.100 10.36.1.100 netmask 255.255.255.0
ip nat pool beacon 10.36.1.200 10.36.1.200 netmask 255.255.255.0
ip nat inside source list 101 pool newrobin overload
ip nat inside source list 102 pool beacon overload
ip classless
ip route 10.1.63.0 255.255.255.0 10.36.1.254
ip route 10.36.1.0 255.255.255.0 FastEthernet0/0
ip route 155.229.103.0 255.255.255.0 192.168.0.4
no ip http server
!
!
logging 192.168.0.20
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 155.229.0.0 0.0.255.255 any
snmp-server community ROHMPUB# RO
snmp-server community ROHMWR1TE RW
snmp-server contact IT Department
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps syslog
snmp-server enable traps cnpd
snmp-server enable traps rtr
!
line con 0
 exec-timeout 0 0
line aux 0
 modem InOut
 modem autoconfigure type usrmodem
 transport input all
 flowcontrol hardware
line vty 0 4
 password phO=q4u7
 login
!
no scheduler allocate
end

japanfr#
---------------------------------------------------------------------------------------------------------------------------------
mikebernhardt

ip nat inside source static 192.168.0.30 10.36.1.30
no ip route 10.36.1.0 255.255.255.0 FastEthernet0/0
And I assume that you mean you want any traffic that gets to 10.36.1.30 from some other network beyond that outside interface (say, from the 10.1.63.0 network) to be redirected to the inside address 192.168.0.30?

NAT doesn't "route," it translates addresses.
rohmelec (ASKER)

Actually, all I needed was this.

ip nat inside source static 192.168.0.30 10.36.1.10

This allows me to send smtp communication to 10.36.1.10 and have it forward on to our mail server at 192.168.0.30.

However, since I figured out my own problem I would like to add to this question to award points.

I'm assuming I need some ACL to control what machines can get to 192.168.0.30 because currently anything on the 10.36.1.X network can access it.

So, possibly something like this:

ip nat inside source list 103 192.168.0.30 10.36.1.10    or something, and the ACL 103 should look something like this:

access-list 103 permit ip 192.168.0.30 25 0.0.0.0 10.36.1.10 25 0.0.0.0

For full points please correct my assumptions with correct syntax so I can just paste them in.

Thank you in advance.
Les Moore
Agree 100% with Mike
Your NAT static was backward in your first attempt:
  >ip nat outside source static 10.36.1.30 192.168.0.30
should be as Mike stated:
  ip nat inside source static 192.168.0.30 10.36.1.30

And you never want to add a static route for any directly connected network.

Note: Once you create that static NAT xlate, without an access-list applied to the interface, then ALL traffic to that IP is permitted to the server. VERY serious security issues.
I think this might be the correct ACL but I still need some assistance to get my configuration correct.

access-list 103 permit ip host 10.36.1.30 host 192.168.0.30

ip nat inside source list 103 interface Ethernet1/0

How do I go on to configure the port number? 25 is all that needs to get through?
ip nat inside source static tcp 192.168.0.30 25 10.36.1.30 25
access-list 103 permit tcp any host 10.36.1.30 eq 25
interface fast 1/0
 ip access-group 103 in

Done.
OOPS, we need to refine acl 103, because that will block a bunch of other stuff...

access-list 103 permit tcp any host 10.36.1.30 eq 25
access-list 103 permit udp any eq 53 any
access-list 103 permit tcp any any established
access-list 103 permit icmp any any
interface fast 0/1
  ip access-group 103 in
10.36.1.30 is the IP address of the remote host.  Shouldn't the rule be the outside IP of the NAT router, 10.36.1.10?
Also, all I need to get through is port 25 from 10.36.1.10 to 192.168.0.30, coming from remote host 10.36.1.30.
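A way to check what the refined ACL 103 from the post above actually admits, as an added Python model that is not from this thread or from Cisco: it evaluates simplified IOS extended ACL syntax (wildcard masks, host/any, eq ports, established, first match wins, implicit deny) against sample packets. It assumes the ACL is applied inbound on the outside interface Ethernet1/0, where it is checked before the static NAT rewrites the destination, so the SMTP entry must name the outside-global address 10.36.1.10 as rohmelec suggests; ACL_103_STRICT is a constructed tightening to the single remote host the question asks about.

```python
import ipaddress

def _addr_match(spec, addr):
    """spec is "any" or (network, wildcard) in IOS wildcard-mask form: 0 bits must match."""
    if spec == "any":
        return True
    net, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    return int(ipaddress.IPv4Address(addr)) & ~wild == net & ~wild

def _take_addr(t):
    w = t.pop(0)
    return "any" if w == "any" else (t.pop(0), "0.0.0.0") if w == "host" else (w, t.pop(0))

def _take_port(t):
    if t and t[0] == "eq":
        del t[0]
        return int(t.pop(0))
    return None

def parse_ace(line):
    """Parse one extended ACE, e.g. 'access-list 103 permit tcp any host 10.36.1.10 eq 25'."""
    t = line.split()[2:]
    action, proto = t.pop(0), t.pop(0)
    src, sport = _take_addr(t), _take_port(t)
    dst, dport = _take_addr(t), _take_port(t)
    return action, proto, src, sport, dst, dport, t[:1] == ["established"]

def evaluate(acl, proto, src, dst, sport=0, dport=0, ack=False):
    """First matching entry wins; anything unmatched hits the implicit deny, as on IOS.
    ack=True means the TCP ACK or RST flag is set, which is all that 'established' checks."""
    for line in acl:
        action, aproto, asrc, asport, adst, adport, est = parse_ace(line)
        if (aproto in ("ip", proto) and _addr_match(asrc, src) and _addr_match(adst, dst)
                and asport in (None, sport) and adport in (None, dport)
                and (not est or (proto == "tcp" and ack))):
            return action
    return "deny"

# The refined ACL from the thread, with the SMTP entry pointed at the NAT outside-global
# address 10.36.1.10: applied inbound on Ethernet1/0 it is checked before the static NAT
# rewrites the destination to 192.168.0.30, so an entry for 192.168.0.30 would never match.
ACL_103 = [
    "access-list 103 permit tcp any host 10.36.1.10 eq 25",
    "access-list 103 permit udp any eq 53 any",
    "access-list 103 permit tcp any any established",
    "access-list 103 permit icmp any any",
]
# Constructed tighter variant for what was actually asked: SMTP only from host 10.36.1.30.
ACL_103_STRICT = ["access-list 103 permit tcp host 10.36.1.30 host 10.36.1.10 eq 25"] + ACL_103[1:]
```

Note that `established` is stateless: it admits any TCP segment with ACK or RST set rather than tracking connections, which is why the thread's ACL still needs the explicit port 25 entry and nothing else inbound to 10.36.1.10.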
ASKER CERTIFIED SOLUTION
mikebernhardt

This solution is only available to members.
Thank you for your help.  Your suggestion worked correctly.