Cisco 831 NAT problems

Status
Not open for further replies.

cookie101

I have a network with limited external IP addresses. I have several computers inside the network that need to be accessed through NAT addresses at the router.

The end user would type in a http:// address, then would download software from internal servers.

There needs to be an internal IP address for each system, of course, so we're set up for one-to-one static NAT. However, we need to have multiple ports available since many users will be accessing the internal systems.

Summary:
5 external addresses
5 NAT'd Internal addresses
30 ports per address


I have the following running-config (IPs are different):


no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Q/A_DSL_Router
enable secret 5 cisco
clock timezone Central -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Sep 2:00
ip subnet-zero
no ip domain lookup
ip name-server x.x.x.x
ip name-server x.x.x.x
ip audit notify log
ip audit po max-events 100
interface Ethernet0
 description Internal LAN
 ip address 10.1.0.1 255.255.0.0
 ip nat inside
 no shutdown
 hold-queue 100 out
interface Ethernet1
 description DSL/Internet
 ip address 66.15.x.x 255.255.255.0
 ip nat outside
 no shutdown
ip nat pool SP 66.15.x.x prefix 29
ip nat pool UK 66.15.x.x prefix 29
ip nat pool DK 66.15.x.x prefix 29
ip nat pool NL 66.15.x.x prefix 29
ip nat inside source list 1 pool one overload
ip nat inside source list 2 pool two overload
ip nat inside source list 3 pool three overload
ip nat inside source list 4 pool four overload
ip classless
access-list 1 permit 10.1.0.3 255.255.255.255
access-list 2 permit 10.1.0.4 255.255.255.255
access-list 3 permit 10.1.0.5 255.255.255.255
access-list 4 permit 10.1.0.6 255.255.255.255
privilege exec level 1 show
line con 0
 password 7 cisco
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password 7 cisco
 login
scheduler max-task-time 5000
end
 
You want static NAT; however, the NAT configuration you supplied is for dynamic NAT, and specifically NAPT (Network Address Port Translation). Your NAT setup is only useful if you try to establish connections from computers 10.0.1.3 through 6, and those are on the inside. If you need your internal machines to be accessed from outside, set up something like:

ip nat inside source static <INSIDE-LOCAL> <INSIDE-GLOBAL>

where
INSIDE-LOCAL - IP address of the inside host that you want outside hosts to access
INSIDE-GLOBAL - IP address allocated to you by your ISP, which users from outside actually use to make connections.
This is a one-to-one mapping with the full range of TCP/UDP ports available.

Say you want to have a server accessed on lots of ports and its assigned inside address is 10.0.1.3. You want users to access this server from outside on address 66.15.66.15. Use:

ip nat inside source static 10.0.1.3 66.15.66.15

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing.
 
Peter,

Thanks for your help.

Now, I'm assuming that

>>ip nat inside source list 1 pool one overload

will need to be removed. Is this true? Also, what about the access lists? Is it necessary to keep these if the static NAT is stated?

Garrett
 
For your static NAT setup you don't need any of these commands:

ip nat pool SP 66.15.x.x prefix 29
ip nat pool UK 66.15.x.x prefix 29
ip nat pool DK 66.15.x.x prefix 29
ip nat pool NL 66.15.x.x prefix 29
ip nat inside source list 1 pool one overload
ip nat inside source list 2 pool two overload
ip nat inside source list 3 pool three overload
ip nat inside source list 4 pool four overload
access-list 1 permit 10.1.0.3 255.255.255.255
access-list 2 permit 10.1.0.4 255.255.255.255
access-list 3 permit 10.1.0.5 255.255.255.255
access-list 4 permit 10.1.0.6 255.255.255.255

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing.
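
The distinction drawn in the answers above, as an added example that is not part of the original thread: a short Python audit that classifies IOS NAT statements by what they let outside hosts reach and flags rules that name an undefined pool. The function name, the report keys and the "static tcp" sample line with its 203.0.113.4 address are assumptions for illustration; the other sample lines are copied from the thread.

```python
import re

POOL = re.compile(r"ip nat pool (\S+)")
DYNAMIC = re.compile(r"ip nat inside source list (\S+) pool (\S+)")
STATIC_PORT = re.compile(
    r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)$")
STATIC_HOST = re.compile(r"ip nat inside source static (\S+) (\S+)$")


def audit_nat(config):
    """Classify IOS NAT statements by what they let outside hosts reach."""
    pools, used_pools = set(), set()
    report = {"all_ports": [], "single_port": [], "outbound_only": []}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := POOL.match(line):
            pools.add(m.group(1))
        elif m := DYNAMIC.match(line):
            # Dynamic NAT/NAPT: entries are created by inside-initiated
            # traffic, so this rule does not publish a host to the outside.
            report["outbound_only"].append(f"list {m.group(1)}")
            used_pools.add(m.group(2))
        elif m := STATIC_PORT.match(line):
            proto, local, _lport, glob, gport = m.groups()
            report["single_port"].append((local, glob, f"{proto}/{gport}"))
        elif m := STATIC_HOST.match(line):
            # One-to-one static NAT: every TCP/UDP port of the inside host
            # is reachable through the global address.
            report["all_ports"].append(m.groups())
    # A rule naming a pool with no "ip nat pool" definition cannot translate.
    report["undefined_pools"] = sorted(used_pools - pools)
    return report


# Constructed sample: lines from the thread plus one assumed port-specific
# static entry (203.0.113.4 is a documentation address, not from the thread).
SAMPLE = """\
ip nat pool SP 66.15.x.x prefix 29
ip nat inside source list 1 pool one overload
access-list 1 permit 10.1.0.3 255.255.255.255
ip nat inside source static 10.0.1.3 66.15.66.15
ip nat inside source static tcp 10.0.1.4 80 203.0.113.4 80
"""

if __name__ == "__main__":
    for key, value in audit_nat(SAMPLE).items():
        print(f"{key}: {value}")
```

A host reported under all_ports is reachable on every TCP/UDP port through its global address, so an inbound access list on the outside interface is the usual way to narrow that to the ports actually needed.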