Static route from external IP to internal IP

I would like help adding the appropriate commands to map one of our external IPs to an internal IP. From the outside I want the computer to be seen using the external IP but still have an internal IP on our network. I want all inbound and outbound traffic for my internal IP to go through my external IP. I have multiple IPs set up in my router already, so this is just an extra IP that I'm setting up on a machine that I want to be wide open to the outside.

I have "ip nat inside source static tcp ..." commands set up for my other IPs with specific ports. For this IP I want all ports open.

I also have an access-list set up for inbound traffic, which I assume I need to add a map for all traffic coming in on that IP. This is the header for the access-list:

ip access-list extended FILTERS_INBOUND_ON_EXTERNAL

For outbound I'm only blocking smtp for any computers other than our server. The last line of the access-list for external traffic is "permit ip any any".

I thought I had it working earlier, but I went to a website that showed what my external IP was and it was showing the main IP of the router as its IP instead of the IP I was trying to map my machine to.

For my IP to show up as the IP I'm trying to map it to, do I also have to add a command to not NAT my internal IP?
Asked by GijimaAst

1 Solution

srgilani Commented:
You have to put static nat outside as well for that IP.

lrmoore Commented:
ip nat inside source static <inside ip> <public ip>
Notice no "tcp" or port listed. This is a 1-1 static NAT.
You may have to clear existing NAT translations first:
router#clear ip nat trans *
GijimaAst (Author) Commented:
I added the "ip nat inside source static ..." command in there, and now when I go to whatsmyip.org it shows me the right IP address. When I try using their port tests, though, it shows that they are all closed. I added "permit ip any host 123.0.0.1" to my access-list for inbound traffic (where 123.0.0.1 would be my external IP). Before I added that line to the access-list the port tests would time out. Now they say they are closed.
GijimaAst (Author) Commented:
I tried adding a static nat outside command in, but as soon as I did that I lost connectivity within my network.
lrmoore Commented:
Do not use the static outside command.
I would be very careful of using a "permit ip any host" access-list. Permit only the ports that you want open. Make sure the host doesn't have its firewall turned on, or that it allows the ports you want open.
GijimaAst (Author) Commented:
I changed it to "permit tcp any host 123.0.0.1". Changed ip to tcp (as per a suggestion from someone in my office). It still says all my ports are closed.
I do understand the implications of opening all the ports. This is just something I was testing and it isn't going to stay like this. My computer has Windows Firewall turned off, so it shouldn't be blocking anything.
GijimaAst (Author) Commented:
New test ... I changed "permit tcp any host 123.0.0.1" to "permit tcp any host 209.91.144.110 eq 666" just to test with one port. Now when it scans the ports it says 666 is closed and the rest time out.
GijimaAst (Author) Commented:
Sorry ... that should read:

New test ... I changed "permit tcp any host 123.0.0.1" to "permit tcp any host 123.0.0.1 eq 666" just to test with one port. Now when it scans the ports it says 666 is closed and the rest time out.
lrmoore Commented:
Isn't that what you want?
GijimaAst (Author) Commented:
No ... when I put in "permit tcp any host 123.0.0.1" it says all ports are Closed. Shouldn't it say all ports are Open?
lrmoore Commented:
Not necessarily. It depends on whether or not you have the router firewall feature set and inspects turned on, and any other access-lists that you have enabled.
Open the ports you want accessible in your access-list and test to see if those applications are available via that public IP from a system that is actually, physically, outside of your network.
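Pulling the thread's advice together (1-to-1 static NAT, an inbound filter that matches the public address, and flushing old translations) as one added IOS configuration fragment; this is not the asker's running config or anything posted in the thread. 123.0.0.1 is the thread's placeholder public IP; the inside host 192.168.1.50, the interface names and the exposed ports 80/443 are assumptions.

```cisco
! Added example, not the asker's configuration. Assumed values:
!   123.0.0.1          public IP (placeholder used in the thread)
!   192.168.1.50       inside host (constructed)
!   GigabitEthernet0/0 outside, GigabitEthernet0/1 inside (assumed)
!   80/443             the services meant to be reachable (assumed)
!
! 1-to-1 static NAT: no "tcp" or port keyword, so every port maps
! through. This alone exposes nothing; the inbound ACL decides that.
ip nat inside source static 192.168.1.50 123.0.0.1
!
! Inbound filter on the outside interface. IOS evaluates an inbound
! ACL before translating, so entries match the PUBLIC address.
ip access-list extended FILTERS_INBOUND_ON_EXTERNAL
 remark Replies to sessions the inside host opened itself
 permit tcp any host 123.0.0.1 established
 remark Open only the services that are meant to be reachable
 permit tcp any host 123.0.0.1 eq 80
 permit tcp any host 123.0.0.1 eq 443
 remark Drop and log everything else aimed at this host; this entry
 remark must come BEFORE the final permit ip any any or it never fires
 deny   ip  any host 123.0.0.1 log
 remark ... existing entries for the other public IPs stay here ...
 permit ip any any
!
interface GigabitEthernet0/0
 ip nat outside
 ip access-group FILTERS_INBOUND_ON_EXTERNAL in
!
interface GigabitEthernet0/1
 ip nat inside
!
! After changing a static entry, flush stale translations and check
! the mapping and the ACL hit counters from privileged EXEC mode:
!   clear ip nat translation *
!   show ip nat translations | include 123.0.0.1
!   show access-lists FILTERS_INBOUND_ON_EXTERNAL
```

When reading a scanner's result against a permitted port, "closed" means the inside host answered with a TCP reset (the packet got through, nothing was listening), while a timeout means nothing answered at all, usually because a filter dropped it; so a service has to be listening on the host before a port can ever show as "open".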
GijimaAst (Author) Commented:
Ok, I see what you mean. The ports are open but the Cisco just may not be sending the reply when the port scanner is checking to see if they are open. I will do some more testing, but I'm confident it's working as expected.
Thanks for the help.