25 Replies. Latest reply: Apr 5, 2012 1:29 PM by Erick
      • 15. Re: Please help with inbound NAT
        aaceituno

        Heyyy!!!!

        Your last config is not an ip nat outside NAT.

        This will not work if configured as outside, as I said before.

        The ip nat inside source will translate the source address of an inside-to-outside flow (the inside local address) to a global outside address. So you translate any 192.168.0.0 address to the outside Ethernet 0/1 address.

        This will not work from outside unless you configure the static translation, but the static translation alone will work; you don't need the NAT pool.

        Br

        Alex.

        The trick, of static or inside NAT, is that

        • 16. Re: Please help with inbound NAT
          learning cookie monster

          Alex is correct. I just removed ip nat inside source list 1 interface FastEthernet0/1 overload and I can still hit R5. Thanks for clearing that up.

          • 17. Re: Please help with inbound NAT
            aaceituno

               The static inside NAT entry will always work; the point is to understand the ip nat outside behaviour.

               From outside to inside, I always use ip nat inside static configurations, because you want to match an external IP address and port to an internal IP address and port. I have never used a NAT pool; there is no way to know to which internal IP address you are forwarding the request with an internal NAT pool address.

               In that case, it's better to use the SLB (server load balancing) feature: you forward the external request to an internal server. You would have to configure a virtual server instead of the 23.0.0.10 address, and the inside address or NAT pool would be a real server IP address in a real server farm. Problem: static configurations, but you have DHCP from the ISP.

               SLB is another way to do NAT from outside to inside. And you could always configure a virtual server 0.0.0.0 with port 49001.

               As I told you, ip nat outside will translate the IP source address of packets from outside to inside. So this will never translate the destination IP address, which is what Bourbon wants to do.

               So you can only configure ip nat inside source, or ip nat inside static, to get it to work. From inside to outside the source IP address is 192.168.254.200. From outside to inside the destination address is in the IP destination field, 23.0.0.10.

               What ip nat inside source static 192.168.254.200 interface ethernet 0/1 does is translate the inside local address 192.168.254.200 to the outside global address of Ethernet 0/1, 23.0.0.10. Where you find this address in an IP packet is based on the rules I told you before; if it isn't there, the NAT rule will not match.

               This will work for outbound or inbound traffic because this is a static entry.

               ip nat inside source list 1 interface ethernet 0/1 overload (overload means PAT) will only translate outgoing requests from inside to outside. Unless there is a translation that matches outbound traffic to an inside IP address and port, this will not work for incoming traffic from outside to inside.

               This is because there is no way to match an incoming packet from outside to an inside address and port unless the NAT translation already exists. There is no way to know to which inside local address to forward the incoming packet. The IP access list could be, as in your configuration, 255 IP addresses long. There is no way to know to which IP address to forward the request unless there is a previous translation from inside to outside; the NAT translation will allow and translate return or response traffic.

               So the ip nat outside translation is not going to work for this scenario.

               If Bourbon could use another port like 49001, then you could configure static translations for port 49001 to port 23. Or you could even configure ports for every terminal line: 49001 -- 2033, 49002 -- 2034, and so on. 20XX depends on your current hardware and terminal line numbering. Each 20xx is a line number. Line vty 33 is port 2033, terminal server port 1; 2035 is terminal server port 2, and so on.

               This way you could match every external port to an internal terminal server line and connect directly to a console line. This would be good if, for security, you use the L&K feature at the terminal server. This way you could connect to every terminal line, but only if you authenticate via SSH, for example. You could forward port 4022 to port 22 at the terminal server, authenticate against a Lock and Key access list, and from there connect directly to every terminal line.

               I have this configured on a router with a static public IP address. First I have to authenticate; after that I can connect to every inside translated port and inside address using external static ports.

               Br

               Alex.

            • 18. Re: Please help with inbound NAT
              Bourbon, CCNP, CCIE Candidate

              Check this out - works perfectly - suggested on ieoc.com's forums:

              interface Ethernet0/0
               ip address 192.168.254.3 255.255.255.0
               ip nat inside
               ip virtual-reassembly
               half-duplex
              !
              interface Ethernet0/1
               ip address dhcp hostname EDGE
               ip nat outside
               ip virtual-reassembly
               half-duplex
              !
              ip nat inside source static tcp 192.168.254.200 3001 23.0.0.10 3001 extendable

              R3#sh ip nat trans
              Pro Inside global       Inside local           Outside local      Outside global
              tcp 23.0.0.10:3001      192.168.254.200:3001   23.0.0.2:52057     23.0.0.2:52057
              tcp 23.0.0.10:3001      192.168.254.200:3001   ---                ---
              R3#

              • 19. Re: Please help with inbound NAT
                aaceituno

                 But this is what I said to you about the static translation. This will work in both directions. You also have to use rotary group 1 under the line vty configuration.

                • 20. Re: Please help with inbound NAT
                  Brian

                  You need to configure static and dynamic NAT concurrently.  Like so:

                   

                  interface Ethernet0/0
                  ip address 192.168.254.3 255.255.255.0
                  ip nat inside
                  ip virtual-reassembly
                  !
                  interface Ethernet0/1
                  ip address 23.0.0.10 255.255.255.0
                  ip nat outside
                  ip virtual-reassembly
                  !
                  ip nat inside source list 1 interface Ethernet 0/1 overload
                  !
                  ip nat inside source static tcp 192.168.254.200 23 23.0.0.10 23
                  !
                  access-list 1 permit 192.168.254.0 0.0.0.255

                  The above allows other users in the private space 192.168.254.0/24 to originate traffic to the internet.  The static translation allows traffic to be originated in either direction.

                   

                  Brian

                  • 21. Re: Please help with inbound NAT
                    learning cookie monster

                     Thanks Brian. Looks like we have gotten to the bottom of this thing, and your explanation fits well. I used the overload when testing outbound from R5, then added the static when testing inbound from R2. The overload is overkill if all that is being done is inbound telnet.

                     Alex is correct again with respect to the port range Bourbon is attempting to use. Enabling rotary under vty will change the port to 3001 by default. Anyway, all good stuff, and I think this problem was slain well.

                    • 22. Re: Please help with inbound NAT
                      Bourbon, CCNP, CCIE Candidate

                      Thanks for all your help and assistance on this one you guys.  You've all contributed, so I'm going to try to distribute Points.  I really appreciate it.

                      • 23. Re: Please help with inbound NAT
                        aaceituno

                         Thx!!

                         Brian, check the configuration without the dynamic NAT; this will work in both directions, you don't need the dynamic.

                         Br

                         Alex.

                        • 24. Re: Please help with inbound NAT
                          Bourbon, CCNP, CCIE Candidate

                          I'm getting ready to implement this at home: pulled the cabling, terminated it, racked the equipment. I changed the NAT statement on the edge router though; it occurred to me that I'd have a problem if my DHCP address changes:

                          ip nat inside source static tcp 10.1.1.200 3001 23.0.0.10 3001 extendable

                          Where 23.0.0.10 is an address learned from the ISP via DHCP. I shut/no shut the interface and, sure enough, got a new IP from my "ISP" of 23.0.0.11. And with the NEW NAT statement, it worked like a charm. Here's the new NAT:

                           

                          ip nat inside source static tcp 10.1.1.200 3001 interface Ethernet0/1 3001
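
To make the three points of this thread concrete (Alex's argument in #17 that an overload entry is only created by an inside-to-outside packet, so an unsolicited inbound packet has nothing to match while a static entry matches in both directions; Brian's combined static-plus-overload config in #20; and Bourbon's interface-bound static in #24 that survives a DHCP address change), here is an added Python model of the `ip nat inside source` matching rules. It is an illustration written for this page, not IOS code and not from anyone in the thread; it ignores timeouts, ACL ordering and `ip nat outside`. The addresses and packets are constructed from the thread's own examples, and `IFACE`, `NatRouter`, `Packet`, `StaticEntry` and `build_r3` are names of the model, not IOS. One caveat the model leaves out: a packet aimed at the router's own outside address with no translation is not dropped by IOS but processed by the router itself, so an inbound tcp/23 with no static entry ends up at the edge router's own vty, not at the terminal server.

```python
"""Toy model of the 'ip nat inside source' matching rules argued over in this
thread.  Added illustration only, not IOS code: it ignores timeouts, ACL
ordering, ip nat outside, and what the router does with packets it does not
translate (in practice a packet aimed at the router's own outside address with
no translation is processed by the router itself, e.g. its own vty on port 23)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IFACE = "interface"  # stands in for '... interface Ethernet0/1' in a static entry


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticEntry:
    proto: Optional[str]   # None for a plain 'ip nat inside source static A B'
    local: str
    lport: Optional[int]
    glob: str              # literal inside-global address, or IFACE
    gport: Optional[int]


class NatRouter:
    def __init__(self, outside_ip: str):
        self.outside_ip = outside_ip          # current Ethernet0/1 address (DHCP may change it)
        self.statics: List[StaticEntry] = []
        self.overload_acl: Optional[ipaddress.IPv4Network] = None
        # dynamic (PAT) table: (proto, inside-global ip, port) -> (inside-local ip, port)
        self.dynamic: Dict[Tuple[str, str, int], Tuple[str, int]] = {}

    def static(self, proto, local, lport, glob, gport):
        """'ip nat inside source static [tcp LOCAL LPORT] GLOBAL [GPORT] [extendable]'"""
        self.statics.append(StaticEntry(proto, local, lport, glob, gport))

    def overload(self, acl_cidr: str):
        """'ip nat inside source list 1 interface Ethernet0/1 overload' (list 1 = one /24)"""
        self.overload_acl = ipaddress.ip_network(acl_cidr)

    def _global(self, e: StaticEntry) -> str:
        # an interface-bound entry follows the interface's current address
        return self.outside_ip if e.glob == IFACE else e.glob

    def outbound(self, p: Packet) -> Packet:
        """Inside -> outside: rewrite the SOURCE; static entries win, then PAT."""
        for e in self.statics:
            if e.local == p.src and e.proto in (None, p.proto) and e.lport in (None, p.sport):
                return Packet(p.proto, self._global(e), p.sport if e.gport is None else e.gport,
                              p.dst, p.dport)
        if self.overload_acl and ipaddress.ip_address(p.src) in self.overload_acl:
            key = (p.proto, self.outside_ip, p.sport)   # PAT keeps the port when it is free
            if key in self.dynamic and self.dynamic[key] != (p.src, p.sport):
                used = {k[2] for k in self.dynamic if k[:2] == key[:2]}
                key = (p.proto, self.outside_ip, next(n for n in range(1024, 65536) if n not in used))
            self.dynamic[key] = (p.src, p.sport)        # created only by this outbound packet
            return Packet(p.proto, key[1], key[2], p.dst, p.dport)
        return p  # nothing matched: forwarded untranslated

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite the DESTINATION; needs an existing entry."""
        for e in self.statics:
            if self._global(e) == p.dst and e.proto in (None, p.proto) and e.gport in (None, p.dport):
                return Packet(p.proto, p.src, p.sport, e.local,
                              p.dport if e.lport is None else e.lport)
        hit = self.dynamic.get((p.proto, p.dst, p.dport))
        if hit:   # a return flow for something an inside host sent first
            return Packet(p.proto, p.src, p.sport, hit[0], hit[1])
        return None   # no translation exists, so no inside host receives it


def build_r3() -> NatRouter:
    """Brian's post #20: overload for the LAN plus one static tcp/23 entry."""
    r = NatRouter("23.0.0.10")
    r.overload("192.168.254.0/24")
    r.static("tcp", "192.168.254.200", 23, "23.0.0.10", 23)
    return r


if __name__ == "__main__":
    r = build_r3()
    # constructed sample packets; 23.0.0.2:52057 is the outside host from post #18's table
    print(r.outbound(Packet("tcp", "192.168.254.5", 40000, "23.0.0.2", 80)))
    print(r.inbound(Packet("tcp", "23.0.0.2", 52057, "23.0.0.10", 23)))   # static: hits .200
    print(r.inbound(Packet("tcp", "23.0.0.2", 52058, "23.0.0.10", 3001)))  # None: no entry
```

Run it as-is to see Brian's config translate an outbound flow, accept the inbound telnet through the static entry, and refuse an inbound tcp/3001 for which no entry exists; build a `NatRouter` with only `overload()` to reproduce what learning cookie monster and Alex saw, and one with a static entry whose global side is `IFACE` to reproduce Bourbon's DHCP renewal in #24.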

                          • 25. Re: Please help with inbound NAT
                            Erick

                            You can also use dynamic DNS and access your rack through hostname instead of IP address.

                             

                            http://dnslookup.me/dynamic-dns/
