static nat / port forwarding a range

nbhasin asked
Last Modified: 2012-05-07
I am trying to set up 2 static NAT entries with an ACL to forward a range of ports to 2 internal servers. When I set up the ACL on fasteth0 the NAT entries work only one way. The public can access the internal servers, but if you try to browse the web or use other internet protocols from the internal servers you can't. See below:

IOS (tm) C2600 Software (C2600-I-M), Version 12.2(29b), RELEASE SOFTWARE (fc1

interface FastEthernet0/0
 ip address 207.164.206.23 255.255.255.224 secondary
 ip address 207.164.206.24 255.255.255.224 secondary
 ip address 207.164.206.22 255.255.255.224
 ip access-group 100 in
 ip nat outside
 speed 100
 full-duplex

ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static 172.16.2.10 207.164.206.23
ip nat inside source static 172.16.2.11 207.164.206.24

access-list 100 permit tcp any host 207.164.206.22 eq 3393
access-list 100 permit tcp any host 207.164.206.23 eq 3394
access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any host 207.164.206.22 range 20000 20299
access-list 100 permit tcp any host 207.164.206.23 range 30000 30299
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any host 207.164.206.22 eq 3389
access-list 100 deny   ip any any



CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
1) map the internal to the external (if applicable)

    ip nat outside source static 207.164.206.23 172.16.2.10
    ip nat outside source static 207.164.206.24 172.16.2.11

2) You do not need to list these as secondaries on the public interface:
    ip address 207.164.206.23 255.255.255.224 secondary
    ip address 207.164.206.24 255.255.255.224 secondary

3) modify the acl to allow traffic that originates from the inside to go out:
    no access-list 100
    access-list 100 permit tcp any 207.164.206.0 255.255.255.224 established
    access-list 100 permit tcp any host 207.164.206.22 eq 3393
    access-list 100 permit tcp any host 207.164.206.23 eq 3394
    access-list 100 permit tcp any any eq telnet
    access-list 100 permit tcp any host 207.164.206.22 range 20000 20299
    access-list 100 permit tcp any host 207.164.206.23 range 30000 30299
    access-list 100 permit tcp any any eq domain
    access-list 100 permit udp any any eq domain
    access-list 100 permit tcp any host 207.164.206.22 eq 3389
    access-list 100 deny   ip any any
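
The behaviour this thread is troubleshooting, as an added example that is not part of any post: a small Python model of extended-ACL matching on the NAT outside interface, showing why the original inbound list drops replies to the inside hosts' own outbound connections, why a "permit tcp ... established" entry lets them through, and why the wildcard for a /27 must be 0.0.0.31 rather than the subnet mask. It assumes standard IOS wildcard-mask semantics, a numeric-port subset of the ACL syntax, and a constructed external address 198.51.100.7.

```python
# Added example, not from the thread: a model of IOS extended-ACL matching on the
# NAT outside interface. Inbound, the ACL sees replies to inside-originated
# connections as well as new connections from the internet.
import ipaddress

ACK, RST, SYN = 0x10, 0x04, 0x02  # TCP flag bits used by "established"

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _addr(t, i):  # returns ((base, wildcard), next index) for any / host A / A WILDCARD
    if t[i] == "any": return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host": return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq P|range A B] [established] [log]'."""
    t = line.split()
    ace = {"action": t[2], "proto": t[3], "ports": None, "established": False}
    ace["src"], i = _addr(t, 4)
    ace["dst"], i = _addr(t, i)
    while i < len(t):
        if t[i] == "eq": ace["ports"], i = (int(t[i + 1]),) * 2, i + 2
        elif t[i] == "range": ace["ports"], i = (int(t[i + 1]), int(t[i + 2])), i + 3
        elif t[i] == "established": ace["established"], i = True, i + 1
        else: i += 1  # 'log' does not affect matching
    return ace

def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt["proto"]): return False
    if not wildcard_match(pkt["src"], *ace["src"]): return False
    if not wildcard_match(pkt["dst"], *ace["dst"]): return False
    if ace["ports"] and not ace["ports"][0] <= pkt["dport"] <= ace["ports"][1]: return False
    return not ace["established"] or bool(pkt["flags"] & (ACK | RST))

def evaluate(acl_lines, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt): return ace["action"]
    return "deny"

# Constructed sample: two of the thread's entries, and the SYN/ACK reply to a web
# request that 172.16.2.10 sent through its static NAT address 207.164.206.23.
ORIGINAL = ["access-list 100 permit tcp any host 207.164.206.22 eq 3389",
            "access-list 100 deny ip any any"]
REPLY = {"proto": "tcp", "src": "198.51.100.7", "dst": "207.164.206.23",
         "dport": 51000, "flags": SYN | ACK}
```

Without the established entry, `evaluate(ORIGINAL, REPLY)` hits the final deny; with it in front, the reply is permitted while an unsolicited SYN to the same port is still dropped.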

Author

Commented:
I have modified it as per your suggestion; it still doesn't work, see below.

interface FastEthernet0/0
 ip address 207.164.206.22 255.255.255.224
 ip access-group 100 in
 ip nat outside
 speed 100
 full-duplex

ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat outside source static 207.164.206.23 172.16.2.10
ip nat outside source static 207.164.206.24 172.16.2.11

access-list 100 permit tcp any 0.0.0.0 255.255.255.224 established
access-list 100 permit tcp any host 207.164.206.23 eq 3393
access-list 100 permit tcp any host 207.164.206.24 eq 3394
access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any host 207.164.206.23 range 20000 20299
access-list 100 permit tcp any host 207.164.206.24 range 30000 30299
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any host 207.164.206.23 eq 3389
access-list 100 deny   ip any any

CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
What does a "show log" indicate for a particular machine in question?

Author

Commented:
Not sure if this is what you are asking for?

Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 26 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: disabled
    Logging Exception size (4096 bytes)
    Trap logging: level informational, 30 message lines logged

CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
sh log | i 207.164.206.23

and

sh log | i 207.164.206.24

You might also need to tweak your logging statements:
   logging buffered 32768 debugging
   logging on

Author

Commented:
This is all I get:

sh log | i 207.164.206.23
mhsystem#sh log | i 207.164.206.24
mhsystem#sh log
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 31 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 4 messages logged
    Logging Exception size (4096 bytes)
    Trap logging: level informational, 35 message lines logged

Log Buffer (32769 bytes):

2d23h: %SYS-5-CONFIG_I: Configured from console by vty0 (207.164.206.10)
2d23h: %SYS-5-CONFIG_I: Configured from console by vty0 (207.164.206.10)
2d23h: %SYS-5-CONFIG_I: Configured from console by vty0 (207.164.206.10)
2d23h: %SYS-5-CONFIG_I: Configured from console by console

CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
Do this:

    no access-list 100
    access-list 100 permit tcp any 207.164.206.0 255.255.255.224 established
    access-list 100 permit tcp any host 207.164.206.22 eq 3393 log
    access-list 100 permit tcp any host 207.164.206.23 eq 3394 log
    access-list 100 permit tcp any any eq telnet
    access-list 100 permit tcp any host 207.164.206.22 range 20000 20299 log
    access-list 100 permit tcp any host 207.164.206.23 range 30000 30299 log
    access-list 100 permit tcp any any eq domain
    access-list 100 permit udp any any eq domain
    access-list 100 permit tcp any host 207.164.206.22 eq 3389 log
    access-list 100 deny   ip any any log


Run a test and then please output:

show access-list 100

And:

sh log | i 207.164.206.22
sh log | i 207.164.206.23
sh log | i 207.164.206.24

Author

Commented:
This is what I get; by the way, I don't get any output with the sh log | i 207.164.206.23, etc. commands:

#sh access-list 100
Extended IP access list 100
    permit tcp any any established (1952 matches)
    permit tcp any host 207.164.206.23 eq 3393
    permit tcp any host 207.164.206.24 eq 3394
    permit tcp any any eq telnet
    permit tcp any host 207.164.206.23 range 20000 20299 (6 matches)
    permit tcp any host 207.164.206.24 range 30000 30299
    permit tcp any any eq domain
    permit udp any any eq domain
    permit tcp any host 207.164.206.23 eq 3389 (2 matches)
    deny ip any any (183 matches)