NAT - Internet to Internal

Status
Not open for further replies.

bullagent

MIS
Aug 25, 2003
5
AU
Hi,

I am having a problem with NAT. Not sure if anyone can help me.

What I'm trying to do is get anything coming into my Cisco router on a certain port (6989) to be forwarded to a machine on my LAN (192.9.207.1 on port 6989). Please note these are not the real IP addresses (not that I don't trust you all !!!).

Here's the config.....(warning ascii art).

Internet
|
|
| Serial 0 (1.1.1.1)
Router
| Ethernet 0 (192.168.12.1)
|
|
| (192.168.12.2)
Firewall
| (192.9.207.254)
|
|
| (192.9.207.1)
Server (LAN)

The firewall side of things I'm pretty sure I know what to do. However my Cisco skills are not so good. I have looked at Cisco's web site and have tried out a few things to no avail. Any help would be greatly appreciated.

Thanks

bullagent

 
You will need to do something like:

ip nat inside source static tcp 192.9.207.1 6989 xxx.xxx.xxx.xxx 6989

You will then need to designate S0 as inside and S1 as outside or vice versa. So type:

int S0
ip nat outside

int S1
ip nat inside

I would assume you already have NAT up and running.
 
Thanks for your replies. Just a quick note. I do have NAT working for our internal LAN to access a machine directly on the Internet (Sametime server).

ie

Ethernet0
ip nat inside

Serial0
ip nat outside

Is this going to be ok for my new config or do I need to add Ethernet0 ip nat outside and Serial0 ip nat inside ???

Thanks
 
That should be fine, but you will need to set up NAT with a NAT pool.

Sample Config:

interface Ethernet0
ip address 66.215.146.140 255.255.255.128
ip nat outside
!
interface Ethernet1
ip address 192.168.100.1 255.255.255.0
ip nat inside
!
interface Serial0
no ip address
shutdown
!
interface Serial1
no ip address
shutdown
!
ip nat pool mynatpool 66.215.146.140 66.215.146.140 netmask 255.255.255.128
ip nat inside source list 7 pool mynatpool overload
ip nat inside source static tcp 192.168.100.2 53 interface Ethernet0 53
ip nat inside source static tcp 192.168.100.2 25 interface Ethernet0 25
ip nat inside source static tcp 192.168.100.2 110 interface Ethernet0 110
ip nat inside source static tcp 192.168.100.2 80 interface Ethernet0 80
ip nat inside source static udp 192.168.100.2 53 interface Ethernet0 53
ip nat inside source static tcp 192.168.100.2 4899 interface Ethernet0 4899
ip nat inside source static tcp 192.168.100.2 135 interface Ethernet0 135
ip nat inside source static tcp 192.168.100.2 143 interface Ethernet0 143
ip nat inside source static tcp 192.168.100.2 993 interface Ethernet0 993
ip nat inside source static tcp 192.168.100.2 995 interface Ethernet0 995
ip nat inside source static tcp 192.168.100.3 53 66.215.146.182 53 extendable
ip nat inside source static udp 192.168.100.3 53 66.215.146.182 53 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 66.215.146.102
no ip http server
!
access-list 7 permit 192.168.100.0 0.0.0.255


As you can see, I'm using Eth0 as my outside connection. Just change it to work for your config. You would use S0 instead of E0. As long as you make your S0 ip nat outside and E0 inside, you should be fine.

Let me know if you have any more questions
 
Sorry to be a pain. I still can't get it to work. This is the config on the router (don't mind the netmasks....the IP addresses aren't the correct ones).

When I Telnet to 1.1.1.1 from the Internet it comes back and says "Connecting To 1.1.1.1...Could not open a connection to host on port 6989 : Connect failed"

Any ideas ???


Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption

interface Ethernet0
ip address 192.168.12.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0
no ip address
no ip directed-broadcast
encapsulation frame-relay IETF
logging event subif-link-status
logging event dlci-status-change
frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
ip address 1.1.1.1 255.255.255.240
no ip directed-broadcast
ip nat outside
frame-relay interface-dlci 16
!
ip nat pool frominternet 192.168.12.1 192.168.12.1 netmask 255.255.255.0
ip nat inside source list 102 pool frominternet overload

access-list 102 permit tcp any eq 6989 host 192.9.207.1 eq 6989
access-list 102 permit udp any eq 6989 host 192.9.207.1 eq 6989

Thanks again
 
If you do add a password for Telnet, it will not work. Try FROM CONFIG T

line con 0
logging synchronous
line vty 0 4
password mypassword

After that you should be able to connect with the password mypassword. Of course you can change it to whatever you like.
 
Sorry I might not have given you enough information. I have a password to telnet to the router. However the error message I posted just before "Connecting To 1.1.1.1...Could not open a connection to host on port 6989 : Connect failed" was from me trying to telnet to 1.1.1.1 on port 6968. What I am trying to do is telnet to a server on my internal LAN (192.9.207.1 on port 6968). As far as I am aware the only way to do this is to telnet to the router on port 6968 and have the router forward this to 192.9.207.1 6968. I can not telnet directly to this server as its real ip address is not routable on the internet.

Thanks
 
I have a very similar setup. You should use
ip nat inside source static tcp 192.9.207.1 6968 1.1.1.1 6968

This will forward all requests on IP 1.1.1.1 port 6968 to IP 192.9.207.1 port 6968.

I'm not sure about your access list. The access-list I suggested would allow outbound traffic.

Add that ip nat and see if that works.
 
ip nat inside source static tcp 192.9.207.1 6968 1.1.1.1 6968

It worked [2thumbsup]. Thanks so much for all your help and for being so patient with me.
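
The forward that resolved this thread, written out as an added example (not posted by anyone in the thread) together with a source restriction on the exposed port. Assumptions: 203.0.113.10 is a constructed placeholder for the one remote host that should reach the server, ACL number 110 is unused, the LAN behind the firewall is a /24, and the router does not yet have a route to it.

```cisco
! Added example, not from the thread. 203.0.113.10 is a constructed
! placeholder for the one remote host allowed to use the forward.
!
interface Ethernet0
 ip nat inside
!
interface Serial0.1 point-to-point
 ip nat outside
 ip access-group 110 in
!
! Static translation: a permanent entry, so a connection that starts on
! the Internet to 1.1.1.1:6968 is rewritten to 192.9.207.1:6968.
ip nat inside source static tcp 192.9.207.1 6968 1.1.1.1 6968
!
! By contrast, the earlier attempt
!   ip nat inside source list 102 pool frominternet overload
! only translates source addresses of flows that start on the inside,
! so it never gave an Internet host anything to connect to.
!
! Assumption: no route yet to the LAN behind the firewall (mask assumed).
ip route 192.9.207.0 255.255.255.0 192.168.12.2
!
! Input ACLs on the outside interface are checked before NAT, so they
! match the public address. All other traffic is left as it was.
access-list 110 permit tcp host 203.0.113.10 host 1.1.1.1 eq 6968
access-list 110 deny   tcp any host 1.1.1.1 eq 6968 log
access-list 110 permit ip any any
!
! Verify from exec mode:
!   show ip nat translations   (static entry for tcp 1.1.1.1:6968)
!   show access-lists 110      (hit counts on the permit and deny lines)
```

The firewall between the router and the server still has to permit the forwarded connection to 192.9.207.1 on port 6968.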
 