Solved

Cisco router outside NAT configuration help?

Posted on 2007-03-29
636 Views
Last Modified: 2011-10-03
I have fiddled with this for a while now and still cannot figure this damn thing out.  I just want to allow the following host to access this host.

10.36.1.30 -> 192.168.0.30

As you can see from below we are currently using NAT to route from our 192.168.0.30 network out but I am unable to create a nat rule to allow traffic from our 10.36.1.30 to come in.

I tried this rule and it made all our 192.168.X.X clients lose connectivity to the exchange server.

ip nat ouside source static 10.36.1.30 192.168.0.30.

My full config is listed below.  Could someone please provide me with the right command to accomplish what I'm trying to do?

Thank You in advance.


--------------------------------------------------------------------------------------------------------------------------------
Current configuration : 2398 bytes
!
! Last configuration change at 03:06:30 PST Wed Mar 28 2007
! NVRAM config last updated at 04:03:15 PST Sat Jan 27 2007
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname japanfr
!
logging queue-limit 100
logging buffered 10000 debugging
no logging console
enable secret 5 $1$GG25$CY8l/xU1o2tyHbtXEld3.1
enable password phO=q4u7
!
memory-size iomem 20
clock timezone PST -8
ip subnet-zero
!
!
!
!
modemcap entry usrmodem:MSC=&FS0=1&C1&D3&H1&R2&B1
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.0.0.0
!
interface FastEthernet0/0
 ip address 192.168.0.3 255.255.255.0
 ip nat inside
 speed auto
 half-duplex
 no cdp enable
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet1/0
 ip address 10.36.1.10 255.255.255.0
 ip nat outside
 half-duplex
 no cdp enable
!
router eigrp 1
 redistribute connected
 redistribute static
 network 192.168.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip nat translation timeout 43200
ip nat pool newrobin 10.36.1.100 10.36.1.100 netmask 255.255.255.0
ip nat pool beacon 10.36.1.200 10.36.1.200 netmask 255.255.255.0
ip nat inside source list 101 pool newrobin overload
ip nat inside source list 102 pool beacon overload
ip classless
ip route 10.1.63.0 255.255.255.0 10.36.1.254
ip route 10.36.1.0 255.255.255.0 FastEthernet0/0
ip route 155.229.103.0 255.255.255.0 192.168.0.4
no ip http server
!
!
logging 192.168.0.20
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 155.229.0.0 0.0.255.255 any
snmp-server community ROHMPUB# RO
snmp-server community ROHMWR1TE RW
snmp-server contact IT Department
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps syslog
snmp-server enable traps cnpd
snmp-server enable traps rtr
!
line con 0
 exec-timeout 0 0
line aux 0
 modem InOut
 modem autoconfigure type usrmodem
 transport input all
 flowcontrol hardware
line vty 0 4
 password phO=q4u7
 login
!
no scheduler allocate
end

japanfr#
---------------------------------------------------------------------------------------------------------------------------------
Question by:rohmelec
11 Comments
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 18819291
ip nat inside source static 192.168.0.30 10.36.1.30
no ip route 10.36.1.0 255.255.255.0 FastEthernet0/0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 18819324
And I assume that you mean you want any traffic that gets to 10.36.1.30 from some other network beyond that outside interface, say, from the 10.1.63.0 network, to be redirected to the inside address 192.168.0.30?

NAT doesn't "route," it translates addresses.
 

Author Comment

by:rohmelec
ID: 18819360
Actually, all I needed was this.

ip nat inside source static 192.168.0.30 10.36.1.10

This allows me to send smtp communication to 10.36.1.10 and have it forward on to our mail server at 192.168.0.30.

However, since I figured out my own problem I would like to add to this question to award points.

I'm assuming I need some ACL to control what machines can get to 192.168.0.30 because currently anything on the 10.36.1.X network can access it.

So possibly something like this.

ip nat inside source list 103 192.168.0.30 10.36.1.10    or something, and the ACL 103 should look something like this

access-list 103 permit ip 192.168.0.30 25 0.0.0.0 10.36.1.10 25 0.0.0.0

For full points please correct my assumptions with correct syntax so I can just paste them in.

Thank you in advance.
 
LVL 79

Expert Comment

by:lrmoore
ID: 18819386
Agree 100% with Mike
Your nat static was backward in your first attempt
  >ip nat ouside source static 10.36.1.30 192.168.0.30
should be as Mike stated..
  ip nat inside source static 192.168.0.30 10.36.1.30

And you never want to add a static route for any directly connected network

Note: Once you create that static NAT xlate, without an access-list applied to the interface, then ALL traffic to that IP is permitted to the server. VERY serious security issues.
 

Author Comment

by:rohmelec
ID: 18819592
I think this might be the correct ACL but I still need some assistance to get my configuration correct.

access-list 103 permit ip host 10.36.1.30 host 192.168.0.30

ip nat inside source list 103 interface Ethernet1/0

How do I go on to configure the port number?? 25 is all that needs to get through?
 
LVL 79

Expert Comment

by:lrmoore
ID: 18819638
ip nat inside source static tcp 192.168.0.30 25 10.36.1.30 25
access-list 103 permit tcp any host 10.36.1.30 eq 25
interface fast 1/0
 ip access-group 103 in

Done.
 
LVL 79

Expert Comment

by:lrmoore
ID: 18819659
OOPS, we need to refine acl 103, because that will block a bunch of other stuff...

access-list 103 permit tcp any host 10.36.1.30 eq 25
access-list 103 permit udp any eq 53 any
access-list 103 permit tcp any any established
access-list 103 permit icmp any any
interface fast 0/1
  ip access-group 103 in
 

Author Comment

by:rohmelec
ID: 18819663
10.36.1.30 is the IP address of the remote host.  Shouldn't the rule be the outside IP of the NAT router 10.36.1.10 ?
 

Author Comment

by:rohmelec
ID: 18819674
Also, all I need to get through is port 25 from 10.36.1.10 to 192.168.0.30 coming from remote host 10.36.1.30
 
LVL 28

Accepted Solution

by:mikebernhardt (earned 500 total points)
ID: 18819740
That's what I was asking earlier: 1.30 is another host, not the address you want as part of your NAT.

Since you've put the whole 10.36.1.0 network on the outside interface, I would define the NAT address as something else altogether so it doesn't cause possible conflict on your router address:
ip nat inside source static tcp 192.168.0.30 25 10.36.1.50 25

access-list 103 permit tcp host 10.36.1.30 host 10.36.1.50 eq 25
access-list 103 permit udp any eq 53 any
access-list 103 permit tcp any any established
access-list 103 permit icmp any any
interface fast 0/1
  ip access-group 103 in
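As an added illustration (not code from the original thread or from Cisco), the following Python models how the accepted configuration treats packets arriving inbound on the NAT outside interface (Ethernet1/0 in the posted config). IOS evaluates an inbound ACL before it undoes the NAT translation, which is why the ACL in the accepted comment names the global address 10.36.1.50 rather than the server's real address 192.168.0.30. The sample packets are constructed; the dynamic pool NAT from the original config (pools newrobin and beacon) is not modelled.

```python
"""Model of the accepted configuration: one static TCP NAT entry plus ACL 103
applied inbound on the outside interface. Added example, not thread or Cisco
code; sample packets are constructed; dynamic pool NAT is not modelled."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS accepts a few well-known port names in place of numbers.
PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80}


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK/RST bit set: what the "established" keyword tests


@dataclass
class Ace:
    action: str
    proto: str
    src: str            # "any" or a single host address
    dst: str
    src_eq: Optional[int] = None
    dst_eq: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.src_eq is not None and p.sport != self.src_eq:
            return False
        if self.dst_eq is not None and p.dport != self.dst_eq:
            return False
        return p.ack or not self.established


def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_ace(line: str) -> Ace:
    """access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]
    SRC/DST are 'any' or 'host A.B.C.D', the only forms used in the thread."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    action, proto, pos = t[2], t[3], 4

    def take_addr(i: int) -> Tuple[str, int]:
        if t[i] == "any":
            return "any", i + 1
        if t[i] == "host":
            return t[i + 1], i + 2
        raise ValueError("only 'any' and 'host' address forms are modelled")

    def take_port(i: int) -> Tuple[Optional[int], int]:
        if i < len(t) and t[i] == "eq":
            return _port(t[i + 1]), i + 2
        return None, i

    src, pos = take_addr(pos)
    src_eq, pos = take_port(pos)
    dst, pos = take_addr(pos)
    dst_eq, pos = take_port(pos)
    established = pos < len(t) and t[pos] == "established"
    return Ace(action, proto, src, dst, src_eq, dst_eq, established)


@dataclass
class StaticNat:   # ip nat inside source static PROTO LOCAL LPORT GLOBAL GPORT
    proto: str
    inside_local: str
    local_port: int
    inside_global: str
    global_port: int


def parse_static_nat(line: str) -> StaticNat:
    t = line.split()
    return StaticNat(t[5], t[6], _port(t[7]), t[8], _port(t[9]))


def evaluate_acl(aces: List[Ace], p: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in aces:
        if ace.matches(p):
            return ace.action
    return "deny"


def process_inbound(aces: List[Ace], nat: StaticNat, p: Packet):
    """Outside-to-inside: IOS applies the inbound ACL first, then the
    global-to-local translation, so the ACL sees the global address."""
    if evaluate_acl(aces, p) != "permit":
        return "deny", None
    if p.proto == nat.proto and p.dst == nat.inside_global and p.dport == nat.global_port:
        p = Packet(p.proto, p.src, nat.inside_local, p.sport, nat.local_port, p.ack)
    return "permit", p


# Configuration from the accepted comment (10.36.1.50 is the NAT address chosen there).
NAT = parse_static_nat("ip nat inside source static tcp 192.168.0.30 25 10.36.1.50 25")
ACL_103 = [parse_ace(l) for l in (
    "access-list 103 permit tcp host 10.36.1.30 host 10.36.1.50 eq 25",
    "access-list 103 permit udp any eq 53 any",
    "access-list 103 permit tcp any any established",
    "access-list 103 permit icmp any any",
)]

# Constructed sample traffic arriving on the outside interface.
SAMPLES = [
    ("SMTP from the allowed remote host", Packet("tcp", "10.36.1.30", "10.36.1.50", 40001, 25)),
    ("SMTP from any other outside host", Packet("tcp", "10.36.1.99", "10.36.1.50", 40002, 25)),
    ("HTTP to the NAT address", Packet("tcp", "10.36.1.30", "10.36.1.50", 40003, 80)),
    ("reply to an inside web session", Packet("tcp", "10.1.63.5", "10.36.1.100", 443, 51000, True)),
    ("DNS reply", Packet("udp", "10.1.63.5", "10.36.1.100", 53, 40000)),
    ("NTP reply", Packet("udp", "10.1.63.5", "10.36.1.100", 123, 40004)),
]


def run_samples():
    return [(label, *process_inbound(ACL_103, NAT, p)) for label, p in SAMPLES]


if __name__ == "__main__":
    for label, verdict, out in run_samples():
        dest = f"{out.dst}:{out.dport}" if out else "-"
        print(f"{label:34s} {verdict:6s} forwarded to {dest}")
```

Running it shows only SMTP from 10.36.1.30 being forwarded to 192.168.0.30:25; SMTP from other outside hosts and non-SMTP ports to the NAT address are dropped by the implicit deny, while the `established` and `eq 53` entries let replies to sessions the inside clients opened keep flowing, which is the refinement lrmoore added after the first one-line ACL. Note that the sample NTP reply is dropped: a UDP service the inside clients depend on needs its own permit line when you restrict the outside interface this way.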
 

Author Comment

by:rohmelec
ID: 18819810
Thank you for your help.  Your suggestion worked correctly.