Solved

Cisco router outside NAT configuration help?

Posted on 2007-03-29
Last Modified: 2011-10-03
I have fiddled with this for a while now and still cannot figure this damn thing out.  I just want to allow the following host to access this host.

10.36.1.30 -> 192.168.0.30

As you can see from below we are currently using NAT to route from our 192.168.0.30 network out, but I am unable to create a NAT rule to allow traffic from our 10.36.1.30 to come in.

I tried this rule and it made all our 192.168.X.X clients lose connectivity to the Exchange server.

ip nat outside source static 10.36.1.30 192.168.0.30

My full config is listed below.  Could someone please provide me with the right command to accomplish what I'm trying to do?

Thank You in advance.


--------------------------------------------------------------------------------------------------------------------------------
Current configuration : 2398 bytes
!
! Last configuration change at 03:06:30 PST Wed Mar 28 2007
! NVRAM config last updated at 04:03:15 PST Sat Jan 27 2007
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname japanfr
!
logging queue-limit 100
logging buffered 10000 debugging
no logging console
enable secret 5 $1$GG25$CY8l/xU1o2tyHbtXEld3.1
enable password phO=q4u7
!
memory-size iomem 20
clock timezone PST -8
ip subnet-zero
!
!
!
!
modemcap entry usrmodem:MSC=&FS0=1&C1&D3&H1&R2&B1
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.0.0.0
!
interface FastEthernet0/0
 ip address 192.168.0.3 255.255.255.0
 ip nat inside
 speed auto
 half-duplex
 no cdp enable
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet1/0
 ip address 10.36.1.10 255.255.255.0
 ip nat outside
 half-duplex
 no cdp enable
!
router eigrp 1
 redistribute connected
 redistribute static
 network 192.168.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip nat translation timeout 43200
ip nat pool newrobin 10.36.1.100 10.36.1.100 netmask 255.255.255.0
ip nat pool beacon 10.36.1.200 10.36.1.200 netmask 255.255.255.0
ip nat inside source list 101 pool newrobin overload
ip nat inside source list 102 pool beacon overload
ip classless
ip route 10.1.63.0 255.255.255.0 10.36.1.254
ip route 10.36.1.0 255.255.255.0 FastEthernet0/0
ip route 155.229.103.0 255.255.255.0 192.168.0.4
no ip http server
!
!
logging 192.168.0.20
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 155.229.0.0 0.0.255.255 any
snmp-server community ROHMPUB# RO
snmp-server community ROHMWR1TE RW
snmp-server contact IT Department
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps syslog
snmp-server enable traps cnpd
snmp-server enable traps rtr
!
line con 0
 exec-timeout 0 0
line aux 0
 modem InOut
 modem autoconfigure type usrmodem
 transport input all
 flowcontrol hardware
line vty 0 4
 password phO=q4u7
 login
!
no scheduler allocate
end

japanfr#
---------------------------------------------------------------------------------------------------------------------------------
Question by:rohmelec
11 Comments
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 18819291
ip nat inside source static 192.168.0.30 10.36.1.30
no ip route 10.36.1.0 255.255.255.0 FastEthernet0/0
LVL 28

Expert Comment

by:mikebernhardt
ID: 18819324
And I assume that you mean you want any traffic that gets to 10.36.1.30 from some other network beyond that outside interface (say, from the 10.1.63.0 network) to be redirected to the inside address 192.168.0.30?

NAT doesn't "route," it translates addresses.

Author Comment

by:rohmelec
ID: 18819360
Actually, all I needed was this.

ip nat inside source static 192.168.0.30 10.36.1.10

This allows me to send smtp communication to 10.36.1.10 and have it forward on to our mail server at 192.168.0.30.

However, since I figured out my own problem I would like to add to this question to award points.

I'm assuming I need some ACL to control what machines can get to 192.168.0.30 because currently anything on the 10.36.1.X network can access it.

So possibly something like this:

ip nat inside source list 103 192.168.0.30 10.36.1.10

or something, and then ACL 103 should look something like this:

access-list 103 permit ip 192.168.0.30 25 0.0.0.0 10.36.1.10 25 0.0.0.0

For full points please correct my assumptions with correct syntax so I can just paste them in.

Thank you in advance.
LVL 79

Expert Comment

by:lrmoore
ID: 18819386
Agree 100% with Mike
Your NAT static was backward in your first attempt:
  >ip nat outside source static 10.36.1.30 192.168.0.30
should be as Mike stated:
  ip nat inside source static 192.168.0.30 10.36.1.30

And you never want to add a static route for any directly connected network.

Note: Once you create that static NAT xlate, without an access-list applied to the interface, then ALL traffic to that IP is permitted to the server. VERY serious security issues.

Author Comment

by:rohmelec
ID: 18819592
I think this might be the correct ACL but I still need some assistance to get my configuration correct.

access-list 103 permit ip host 10.36.1.30 host 192.168.0.30

ip nat inside source list 103 interface Ethernet1/0

How do I go on to configure the port number? 25 is all that needs to get through.
LVL 79

Expert Comment

by:lrmoore
ID: 18819638
ip nat inside source static tcp 192.168.0.30 25 10.36.1.30 25
access-list 103 permit tcp any host 10.36.1.30 eq 25
interface fast 1/0
 ip access-group 103 in

Done.
LVL 79

Expert Comment

by:lrmoore
ID: 18819659
OOPS, we need to refine acl 103, because that will block a bunch of other stuff...

access-list 103 permit tcp any host 10.36.1.30 eq 25
access-list 103 permit udp any eq 53 any
access-list 103 permit tcp any any established
access-list 103 permit icmp any any
interface fast 0/1
  ip access-group 103 in

Author Comment

by:rohmelec
ID: 18819663
10.36.1.30 is the IP address of the remote host.  Shouldn't the rule be the outside IP of the NAT router, 10.36.1.10?

Author Comment

by:rohmelec
ID: 18819674
Also, all I need to get through is port 25 from 10.36.1.10 to 192.168.0.30, coming from remote host 10.36.1.30.
LVL 28

Accepted Solution

by:mikebernhardt (earned 2000 total points)
ID: 18819740
That's what I was asking earlier: 1.30 is another host, not the address you want as part of your NAT.

Since you've put the whole 10.36.1.0 network on the outside interface, I would define the NAT address as something else altogether so it doesn't cause possible conflict on your router address:
ip nat inside source static tcp 192.168.0.30 25 10.36.1.50 25

access-list 103 permit tcp host 10.36.1.30 host 10.36.1.50 eq 25
access-list 103 permit udp any eq 53 any
access-list 103 permit tcp any any established
access-list 103 permit icmp any any
interface fast 0/1
  ip access-group 103 in
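
As an added illustration (not part of the thread or anyone's posted config), the following Python model replays the accepted answer: Cisco IOS checks the inbound ACL on the outside interface before it translates outside-to-inside packets, so ACL 103 has to match the inside global address 10.36.1.50 rather than the server's real address 192.168.0.30, and anything not listed hits the implicit deny. The `Packet`, `Ace` and `inbound_outside` names are constructed for this example; only the static entry is modelled, not the newrobin/beacon overload pools.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the accepted answer. On the outside interface (Ethernet1/0
# in the posted config) Cisco IOS checks the inbound ACL *before* it translates
# outside-to-inside packets, so the ACL must match the inside global address
# 10.36.1.50, not the server's real address 192.168.0.30.
# ip nat inside source static tcp 192.168.0.30 25 10.36.1.50 25  (global -> local)
STATIC_NAT = {("tcp", "10.36.1.50", 25): ("192.168.0.30", 25)}

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK or RST set, i.e. part of an existing session

@dataclass
class Ace:  # one "permit" line of ACL 103; 0.0.0.0/0 stands for "any"
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False

ACL_103 = [
    Ace("tcp", "10.36.1.30/32", "10.36.1.50/32", dport=25),  # permit tcp host .30 host .50 eq 25
    Ace("udp", "0.0.0.0/0", "0.0.0.0/0", sport=53),          # permit udp any eq 53 any
    Ace("tcp", "0.0.0.0/0", "0.0.0.0/0", established=True),  # permit tcp any any established
    Ace("icmp", "0.0.0.0/0", "0.0.0.0/0"),                   # permit icmp any any
]

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto == pkt.proto
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(ace.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(ace.dst)
            and (ace.sport is None or pkt.sport == ace.sport)
            and (ace.dport is None or pkt.dport == ace.dport)
            and (not ace.established or pkt.ack))

def inbound_outside(pkt: Packet, acl=ACL_103, nat=STATIC_NAT):
    """Packet arriving on the outside interface: ACL first, then static NAT.
    Returns ("deny", None) or ("permit", (destination_ip, destination_port))."""
    if not any(ace_matches(a, pkt) for a in acl):   # every IOS ACL ends in an implicit deny
        return "deny", None
    return "permit", nat.get((pkt.proto, pkt.dst, pkt.dport), (pkt.dst, pkt.dport))
```

Running a packet addressed straight to 192.168.0.30 through `inbound_outside` shows why an ACL written against the inside address never matches on this interface: the packet still carries the global address when the ACL sees it.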

Author Comment

by:rohmelec
ID: 18819810
Thank you for your help.  Your suggestion worked correctly.