Can someone please answer this simple question?

Status
Not open for further replies.

GeneralDzur

What would the below statement do?

ip nat outside source static tcp 140.175.xx.xx 4350 192.168.25.6 4350

I'm trying to allow external web servers to initiate connections with my internal servers on port 4350.

- stephan
 
Providing that the rest of the config is correct, that would NAT the live external address to the internet address on port TCP 4350.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Thank you, that's what I needed to know.

So I wouldn't say "ip nat INSIDE source" then?

Thanks again.

- stephan
 
Ah, no... I misread that. You should use 'ip nat inside'.

You can verify the configuration using 'sh ip nat trans'.

My mistake.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
But should I switch around the IPs in that case? (If I'm using 'ip nat inside')

- stephan
 
Yes, I would use,

interface ethernet0
ip nat inside
!
interface <ext_int>
ip nat outside
!
ip nat inside source static tcp <lan_IP> <port> interface <ext_int> <port>
!

I'm not really paying attention today. It's been a slow day.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Don't worry about being slow...happens to the best of us. :)

Using the setup you laid out above, it would allow an EXTERNAL (public/internet) server to INITIATE a connection with my internal (private/lan) server?

- stephan
 
Correct. If you do a "sh ip nat trans" you should see the mapping from the global address to the internal address.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Hey, thanks Chris, you've been a big help.

- stephan
 
Sorry, another question. I see that you have an interface listed in the 'ip nat inside' statement, as opposed to an IP address. Is that a security risk - translating ANY source traffic destined for those ports?

- stephan
 
Stephan,

It doesn't matter if you use an IP address or an interface on the 'ip nat inside' or a port. On the routers where I have this set up, I have the live IP address configured on the loopback 0 interface, and so my NAT statements use that interface so that the translation uses the IP address of that interface. If your external IP address was on, say, interface atm0.1, then you could use 'atm0.1' in your NAT config. If you were using another IP address that wasn't configured on an interface, then you would use an IP address. Generally, if the IP address that I want translating is on an interface, then I'll use that interface in the NAT statement.

If I want to only allow certain IPs to connect to the external address, then I'll put an access list in place to filter traffic to my router. I generally configure NAT mappings and then also have access lists to filter and monitor connections.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
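
The last answer's combination of a static NAT mapping with an access list, written out as an added example (not configuration posted by anyone in this thread). The interface names, the LAN gateway address, 203.0.113.10 (public address) and 198.51.100.20 (the one remote server allowed in) are constructed placeholders; 192.168.25.6 and TCP 4350 come from the original question.

```cisco
! --- Constructed example; addresses other than 192.168.25.6 are placeholders ---
!
interface FastEthernet0/1
 description LAN side (assumed interface name)
 ip address 192.168.25.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0
 description Internet side (assumed interface name)
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
 ! Hardened: filter inbound traffic before it reaches the NAT mapping
 ip access-group OUTSIDE-IN in
!
! Static port forward: <public address>:4350 -> 192.168.25.6:4350.
! The "interface" keyword makes the router use whatever address is
! currently configured on FastEthernet0/0 as the global address.
ip nat inside source static tcp 192.168.25.6 4350 interface FastEthernet0/0 4350
!
! Weak form: the mapping above with no access-group on the outside
! interface. NAT translates for ANY source, so every Internet host can
! open a connection to 192.168.25.6 on TCP 4350.
!
! Hardened form: an inbound ACL on the outside interface. Inbound ACLs are
! evaluated before outside-to-inside translation, so the destination to
! match is the PUBLIC address, not 192.168.25.6.
ip access-list extended OUTSIDE-IN
 remark only the known remote server may reach the forwarded port
 permit tcp host 198.51.100.20 host 203.0.113.10 eq 4350
 remark everyone else is dropped and logged for monitoring
 deny   tcp any host 203.0.113.10 eq 4350 log
 remark leaves all other traffic as it was; replace with your own policy
 permit ip any any
!
! Verification from exec mode:
!   show ip nat translations       (static entry for 192.168.25.6:4350)
!   show access-lists OUTSIDE-IN   (hit counters on the permit and deny lines)
```

The closing `permit ip any any` keeps this example limited to the forwarded port; a production edge ACL would normally end with a tighter policy of its own.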
 