nbhasin

static nat / port forwarding a range

I am trying to set up 2 static NAT entries with an ACL to forward a range of ports to 2 internal servers. When I set up the ACL on fasteth0 the NAT entries work only one way. The public can access the internal servers, but if you try to browse the web or use other internet protocols from the internal servers you can't. See below:

IOS (tm) C2600 Software (C2600-I-M), Version 12.2(29b), RELEASE SOFTWARE (fc1

interface FastEthernet0/0
 ip address 207.164.206.23 255.255.255.224 secondary
 ip address 207.164.206.24 255.255.255.224 secondary
 ip address 207.164.206.22 255.255.255.224
 ip access-group 100 in
 ip nat outside
 speed 100
 full-duplex

ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static 172.16.2.10 207.164.206.23
ip nat inside source static 172.16.2.11 207.164.206.24

access-list 100 permit tcp any host 207.164.206.22 eq 3393
access-list 100 permit tcp any host 207.164.206.23 eq 3394
access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any host 207.164.206.22 range 20000 20299
access-list 100 permit tcp any host 207.164.206.23 range 30000 30299
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any host 207.164.206.22 eq 3389
access-list 100 deny   ip any any


Jan Bacher

1) map the internal to the external (if applicable)

    ip nat outside source static 207.164.206.23 172.16.2.10
    ip nat outside source static 207.164.206.24 172.16.2.11

2) You do not need to list these as secondaries on the public interface:
    ip address 207.164.206.23 255.255.255.224 secondary
    ip address 207.164.206.24 255.255.255.224 secondary

3) modify the acl to allow traffic that originates from the inside to go out:
    no access-list 100
    access-list 100 permit tcp any 207.164.206.0 255.255.255.224 established
    access-list 100 permit tcp any host 207.164.206.22 eq 3393
    access-list 100 permit tcp any host 207.164.206.23 eq 3394
    access-list 100 permit tcp any any eq telnet
    access-list 100 permit tcp any host 207.164.206.22 range 20000 20299
    access-list 100 permit tcp any host 207.164.206.23 range 30000 30299
    access-list 100 permit tcp any any eq domain
    access-list 100 permit udp any any eq domain
    access-list 100 permit tcp any host 207.164.206.22 eq 3389
    access-list 100 deny   ip any any
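As an added illustration (not code from the thread, from Jan, or from Cisco), a small Python model of how IOS evaluates ACL 100 inbound on the outside interface: it shows why the original list drops the return half of an outbound web session and why an `established` entry in front of it lets that return traffic through while still blocking unsolicited SYNs. The ACE samples and the reply packet are constructed; the /27 is written here in wildcard form (0.0.0.31), which is an assumption of this example rather than a line quoted from the thread.

```python
import ipaddress
NAMED_PORTS = {"telnet": 23, "domain": 53}
def ip_int(s): return int(ipaddress.IPv4Address(s))

def _addr(toks, i):
    """'any' | 'host A' | 'A WILDCARD' -> ((value, care), next_i); wildcard 1 bits are ignored."""
    if toks[i] == "any":
        return (0, 0), i + 1
    if toks[i] == "host":
        return (ip_int(toks[i + 1]), 0xFFFFFFFF), i + 2
    care = 0xFFFFFFFF ^ ip_int(toks[i + 1])  # care = ~wildcard
    return (ip_int(toks[i]) & care, care), i + 2

def parse_ace(line):
    """'access-list N permit|deny PROTO SRC DST [eq P | range A B] [established] [log]'"""
    t = line.split()
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    ace = {"action": t[2], "proto": t[3], "src": src, "dst": dst,
           "ports": None, "established": False, "matches": 0}
    while i < len(t):
        if t[i] == "eq":
            p = NAMED_PORTS.get(t[i + 1]) or int(t[i + 1])
            ace["ports"], i = (p, p), i + 2
        elif t[i] == "range":
            ace["ports"], i = (int(t[i + 1]), int(t[i + 2])), i + 3
        else:  # 'established' changes matching; 'log' only adds syslog output
            ace["established"], i = ace["established"] or t[i] == "established", i + 1
    return ace

def evaluate(acl, proto, src, dst, dport, ack=False):
    """First matching ACE wins and its counter increments (as 'show access-list' shows).
    ack=True models a TCP segment with ACK/RST set, all that 'established' checks."""
    for a in acl:
        hit = (a["proto"] in ("ip", proto)
               and (ip_int(src) & a["src"][1]) == a["src"][0]
               and (ip_int(dst) & a["dst"][1]) == a["dst"][0]
               and (not a["ports"] or a["ports"][0] <= dport <= a["ports"][1])
               and (ack or not a["established"]))
        if hit:
            a["matches"] += 1
            return a["action"]
    return "deny"  # implicit deny at the end of every IOS ACL
# Constructed samples: the question's ACL shape, then Jan's 'established' ACE with
# the /27 written as a wildcard mask (0.0.0.31), which is an assumption of this example.
ORIGINAL = ["access-list 100 permit tcp any host 207.164.206.22 eq 3393",
            "access-list 100 deny ip any any"]
FIXED = ["access-list 100 permit tcp any 207.164.206.0 0.0.0.31 established"] + ORIGINAL
WEB_REPLY = ("tcp", "198.51.100.7", "207.164.206.22", 52000, True)  # constructed server reply
```

Feeding the same `established` line with 255.255.255.224 in place of 0.0.0.31 makes the model treat the low five bits of the last octet as the only ones that must match, so a reply to .22 falls through to the deny; that is the check to run before trusting a mask in an ACE.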
nbhasin

ASKER

I have modified it as per your suggestion; it still doesn't work, see below.

interface FastEthernet0/0
 ip address 207.164.206.22 255.255.255.224
 ip access-group 100 in
 ip nat outside
 speed 100
 full-duplex

ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat outside source static 207.164.206.23 172.16.2.10
ip nat outside source static 207.164.206.24 172.16.2.11

access-list 100 permit tcp any 0.0.0.0 255.255.255.224 established
access-list 100 permit tcp any host 207.164.206.23 eq 3393
access-list 100 permit tcp any host 207.164.206.24 eq 3394
access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any host 207.164.206.23 range 20000 20299
access-list 100 permit tcp any host 207.164.206.24 range 30000 30299
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any host 207.164.206.23 eq 3389
access-list 100 deny   ip any any

What does a "show log" indicate for a particular machine in question?
nbhasin

ASKER

Not sure if this is what you are asking for?

Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 26 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: disabled
    Logging Exception size (4096 bytes)
    Trap logging: level informational, 30 message lines logged
sh log | i 207.164.206.23

and

sh log | i 207.164.206.24

You might also need to tweak your logging statements:
   logging buffered 32768 debugging
   logging on
nbhasin

ASKER

This is all I get:

sh log | i 207.164.206.23
mhsystem#sh log | i 207.164.206.24
mhsystem#sh log
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 31 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 4 messages logged
    Logging Exception size (4096 bytes)
    Trap logging: level informational, 35 message lines logged

Log Buffer (32769 bytes):

2d23h: %SYS-5-CONFIG_I: Configured from console by vty0 (207.164.206.10)
2d23h: %SYS-5-CONFIG_I: Configured from console by vty0 (207.164.206.10)
2d23h: %SYS-5-CONFIG_I: Configured from console by vty0 (207.164.206.10)
2d23h: %SYS-5-CONFIG_I: Configured from console by console
Do this:

    no access-list 100
    access-list 100 permit tcp any 207.164.206.0 255.255.255.224 established
    access-list 100 permit tcp any host 207.164.206.22 eq 3393 log
    access-list 100 permit tcp any host 207.164.206.23 eq 3394 log
    access-list 100 permit tcp any any eq telnet
    access-list 100 permit tcp any host 207.164.206.22 range 20000 20299 log
    access-list 100 permit tcp any host 207.164.206.23 range 30000 30299 log
    access-list 100 permit tcp any any eq domain
    access-list 100 permit udp any any eq domain
    access-list 100 permit tcp any host 207.164.206.22 eq 3389 log
    access-list 100 deny   ip any any log


Run a test and then please output:

show access-list 100

And:

sh log | i 207.164.206.22
sh log | i 207.164.206.23
sh log | i 207.164.206.24
nbhasin

ASKER

This is what I get; by the way, I don't get any output with the sh log | i 207.164.206.23, etc. commands:

#sh access-list 100
Extended IP access list 100
    permit tcp any any established (1952 matches)
    permit tcp any host 207.164.206.23 eq 3393
    permit tcp any host 207.164.206.24 eq 3394
    permit tcp any any eq telnet
    permit tcp any host 207.164.206.23 range 20000 20299 (6 matches)
    permit tcp any host 207.164.206.24 range 30000 30299
    permit tcp any any eq domain
    permit udp any any eq domain
    permit tcp any host 207.164.206.23 eq 3389 (2 matches)
    deny ip any any (183 matches)
ASKER CERTIFIED SOLUTION
Jan Bacher