
Quick newbie general NAT question 1

Status
Not open for further replies.

IllegalOperation (Technical User), Jan 27, 2003, US
Noob question...

I was told that if any router is running with NAT enabled, that it completely prevents the "outside" from accessing the private interior. I am assuming that all ports are closed/blocked from all "outside" traffic then, regardless of the source?

With that being said, what is the easiest way to allow a specific registered IP address to pass through a router that has NAT enabled (besides VPN)? For example, a server from site A (with a public IP) needs to connect to a server (with a private IP) behind the NATed router (1721) from site B. Can I virtually map a public IP address to the server located behind this router, or is there a better way?

Thanks in advance....
 
That is not entirely true of NAT. If the inside addresses are routable from the internet (i.e. not 10.x.x.x, 192.168.x.x, 172.16-31.x.x) then the hosts inside are not protected unless you have an access-list configured. If you are connected to the internet then you should ALWAYS configure an access-list anyway, as addresses can be spoofed and your network opened up to the world.

Once you have NAT set up, you can map an external IP address to an internal IP Address like this:

ip nat inside source static x.x.x.x y.y.y.y

where x.x.x.x is the internal address and y.y.y.y is the external. Note that when configuring your access-list you should use the external address for an access-list on the outside interface (inbound) and the internal address for outbound packets.

While debugging your access-lists you should add this to the bottom:

access-list 100 deny ip any any log

so that you can see any packets that are being dropped. It is up to you whether or not you leave it there - it can generate lots of log entries.

If your router has the firewall feature set, you should also investigate CBAC (Context-Based Access Control); it gives a lot more security than standard access-lists. It is configured with the ip inspect commands.
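The pieces of the answer above put together into one IOS configuration for the scenario in the question. This is an added example, not from the original thread or any Tek-Tips poster. All addresses, interface names and the site B public block are assumptions: site B's 1721 has FastEthernet0 as the outside interface on 198.51.100.0/29 (router on .1), FastEthernet1 as the inside LAN 192.168.1.0/24, the inside server is 192.168.1.10 and is published as 198.51.100.2, and the site A server that must reach it is 203.0.113.10.

```cisco
! Added example (not from the original thread). Assumed addresses:
!   outside FastEthernet0 198.51.100.1/29, inside FastEthernet1 192.168.1.1/24,
!   inside server 192.168.1.10 published as 198.51.100.2,
!   site A server 203.0.113.10 (the only outside host allowed in).
!
interface FastEthernet0
 description Outside (Internet)
 ip address 198.51.100.1 255.255.255.248
 ip nat outside
 ip access-group 100 in
!
interface FastEthernet1
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! One-to-one static map: inside local 192.168.1.10 <-> inside global 198.51.100.2.
! Without the access-list below, ANY outside host could reach 198.51.100.2.
ip nat inside source static 192.168.1.10 198.51.100.2
!
! Everything else on the LAN shares the outside interface address (PAT),
! so the rest of site B can still reach the Internet.
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface FastEthernet0 overload
!
! Inbound on the outside interface the ACL is evaluated BEFORE the
! global-to-local translation, so it must match the public (global)
! address 198.51.100.2, never 192.168.1.10.
! Only the site A server may open connections to the published server
! (narrow 'ip' to the one protocol/port actually needed if it is known).
access-list 100 permit ip host 203.0.113.10 host 198.51.100.2
! Replies to TCP connections the LAN opened outward. 'established' matches
! ACK/RST set and is a stateless substitute for CBAC; it covers TCP only.
access-list 100 permit tcp any any established
! Explicit deny with logging while debugging; drop 'log' once it is quiet.
access-list 100 deny ip any any log
```

Check the result with `show ip nat translations` (the static entry should be present before any traffic flows), `show access-lists 100` (the hit counters tell you which line a test connection from site A matched) and `show logging` for the deny entries. Because the `established` line covers only TCP replies, UDP replies such as DNS answers to inside hosts will still hit the deny; that is the case for replacing the stateless workaround with `ip inspect` (CBAC) as the answer suggests.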
 
Thanks for your help, Frenchie. I will let you know how everything goes when I get my 1721 in a week or so....
 