
One to One NAT


MattSavage (IS-IT--Management, joined Aug 20, 2003, 54 messages, location: US)
I am running NAT on our 1760 router and our private addresses 192.168.10.x are being mapped to the public address 64.x.x.x. Our domain server is using the private addresses 192.168.10.3 and 192.168.10.4. I would like to set up a 1-1 NAT so that any traffic coming into the router bound for the address 65.x.x.3 or 65.x.x.4 will be delivered to the respective port on the server. How can I do this?
 
I'm sure there are other ways to accomplish this, but this should work:

ip nat inside source static 192.168.10.3 64.X.X.3
ip nat inside source static 192.168.10.4 64.X.X.4
 
If you know the specific ports your servers use, then as an added security precaution you can just map the ports:

ip nat inside source static tcp 192.168.10.3 80 64.x.x.3 80
ip nat inside source static tcp 192.168.10.4 80 64.x.x.4 80
etc.


 
Thank you itd17, however I am not sure if it is working properly. I am using an Ethernet port as a DMZ on the router. From a PC on the DMZ, I am pinging 65.x.x.3 and 65.x.x.4 to see if the 1-1 NAT is working. I disabled both ports on the LAN server, so I should not be able to ping either one. But when I ping the public addresses I get replies every time. It is as if the router is replying to these addresses regardless of whether the private address is active. What is happening here?
 
Are you currently using access-lists that would permit/deny that traffic?
 
Here is my running config:

Current configuration : 4464 bytes
!
! Last configuration change at 08:54:20 PCTimeZ Thu Feb 12 2004
! NVRAM config last updated at 13:27:38 PCTimeZ Wed Feb 11 2004
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname 1760
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
no logging buffered
enable secret 5 $1$..Ty$EcDzN5fmi1zrdJDQoYPPM/
!
username cisco privilege 15 password 0 cisco
clock timezone PCTimeZone -5
no aaa new-model
ip subnet-zero
no ip source-route
!
!
ip domain name phoenixworldwide.com
ip name-server 192.168.10.4
ip dhcp excluded-address 192.168.10.1 192.168.10.200
ip dhcp excluded-address 192.168.10.251 192.168.10.254
!
ip dhcp pool sdm-pool1
   network 192.168.10.0 255.255.255.0
   domain-name phoenixworldwide.com
   dns-server 192.168.10.4
   default-router 192.168.10.200
!
!
no ip bootp server
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip inspect name dmzinspect tcp
ip inspect name dmzinspect udp
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
!
!
!
!
no crypto isakmp enable
!
!
!
!
interface FastEthernet0/0
 description $FW_INSIDE$$ETH-LAN$Phoenix LAN DHCP NAT
 ip address 192.168.10.200 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip inspect DEFAULT100 in
 speed auto
 no cdp enable
!
interface Serial0/0
 description $FW_OUTSIDE$Phoenix WAN
 ip address 65.86.196.226 255.255.255.252
 ip access-group 102 in
 ip verify unicast reverse-path
 ip nat outside
 no fair-queue
 no cdp enable
!
interface Ethernet1/0
 description $FW_DMZ$$ETH-LAN$
 ip address 65.86.198.8 255.255.255.224
 ip access-group 101 in
 ip inspect dmzinspect out
 half-duplex
 no cdp enable
!
ip nat pool NAT 192.168.10.10 192.168.10.99 netmask 255.255.255.0
ip nat inside source list 7 interface Serial0/0 overload
ip nat inside source static 192.168.10.3 65.86.198.3 extendable
ip nat inside source static 192.168.10.4 65.86.198.4 extendable
ip classless
ip http server
ip http authentication local
no ip http secure-server
!
!
!
access-list 7 deny 192.168.10.3
access-list 7 deny 192.168.10.4
access-list 7 remark SDM_ACL Category=2
access-list 7 permit 192.168.10.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=0
access-list 100 deny ip 65.86.196.224 0.0.0.3 any
access-list 100 deny ip 65.86.198.0 0.0.0.31 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp host 65.86.198.5 eq smtp any eq smtp
access-list 101 permit ip any any log
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=0
access-list 102 deny ip 192.168.10.0 0.0.0.255 any
access-list 102 deny ip 65.86.198.0 0.0.0.31 any
access-list 102 permit icmp any host 65.86.196.226 echo-reply
access-list 102 permit icmp any host 65.86.196.226 time-exceeded
access-list 102 permit icmp any host 65.86.196.226 unreachable
access-list 102 permit tcp 192.168.10.0 0.0.0.255 host 65.86.198.5 eq ftp
access-list 102 permit tcp any host 65.86.198.6 eq ftp
access-list 102 permit tcp any host 65.86.198.7 eq www
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
no cdp run
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 login local
!
scheduler interval 500
!
end
What could be causing the router to reply to the public addresses each time even though the computers that the addresses are NAT'ed to are not available?
 
At first glance, I noticed FA0/1 does not include the "ip nat inside" syntax. As time permits, I'll look deeper into it.
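An added check, not part of the thread and not anyone's posted code: a Python script that reads the interface and static NAT lines of a running config (a constructed excerpt modelled on the one above, plus one hypothetical per-port entry for host .5) and flags two things the thread touches on: a static global address that sits in the subnet of an interface without "ip nat outside" (the DMZ Ethernet1/0 here), where arriving packets are not translated, and mappings that forward every port rather than the specific ports itd17 suggests.

```python
import ipaddress
import re

# Constructed excerpt modelled on the running config in the thread, plus one
# per-port entry (hypothetical host .5) to show the difference itd17 describes.
CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.10.200 255.255.255.0
 ip nat inside
interface Serial0/0
 ip address 65.86.196.226 255.255.255.252
 ip nat outside
interface Ethernet1/0
 ip address 65.86.198.8 255.255.255.224
ip nat inside source static 192.168.10.3 65.86.198.3 extendable
ip nat inside source static 192.168.10.4 65.86.198.4 extendable
ip nat inside source static tcp 192.168.10.5 80 65.86.198.5 80
"""
STATIC = re.compile(r"^ip nat inside source static(?: (tcp|udp))? (\S+)(?: (\d+))? (\S+)(?: (\d+))?")

def parse_interfaces(cfg):
    """Map interface name -> (network, NAT role) for each addressed interface."""
    ifaces, name, net, role = {}, None, None, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            if name and net:
                ifaces[name] = (net, role)
            name, net, role = line.split()[1], None, None
        elif line.startswith(" ip address "):
            ip, mask = line.split()[2:4]
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif line.strip() in ("ip nat inside", "ip nat outside"):
            role = line.split()[-1]   # which NAT side this interface is on, if any
    if name and net:
        ifaces[name] = (net, role)
    return ifaces

def audit(cfg):
    """Flag static globals reachable via a non-outside interface, and all-port maps."""
    ifaces, findings = parse_interfaces(cfg), []
    for m in filter(None, map(STATIC.match, cfg.splitlines())):
        proto, local, _lport, glob, _gport = m.groups()
        for name, (net, role) in ifaces.items():
            # packets arriving on an interface that is not 'ip nat outside' are not translated
            if ipaddress.ip_address(glob) in net and role != "outside":
                findings.append(f"{glob}: in {net} on {name}, which is not 'ip nat outside'")
        if proto is None:
            findings.append(f"{glob} -> {local}: every port forwarded; consider per-port tcp/udp entries")
    return findings
```

Running audit(CONFIG) on the excerpt reports both .3 and .4 as lying on the DMZ subnet and as forwarding every port, and .5 only for the DMZ-subnet issue.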
 