
NAT OVERLOAD 1


tameika74

IS-IT--Management
Aug 14, 2008
Background:
I have a Cisco 2600 with version 12.3(11) which is connected to a trunking port on a 2950. Basically I set up router on a stick. The internal networks are 192.168.7, 192.168.49, 192.168.99. I have this part working as well as NAT overload.
So I have accomplished the many-to-one.

So my fa0/0 is my internal and fa0/1 is my external to the outside world.

Problem:
I want to be able to SSH to an internal machine by doing port forwarding, so if someone comes in from the given external IP on a particular port, 4505, they should then be forwarded to 4505 on the internal machine.
Now I was able to achieve this without encapsulation on the fa0/0 port, but I need encapsulation on that interface so that I can do VLANs and trunking.

Am I missing something?


So the overall goal is to have .99, .7, .49 communicate with each other and be able to SSH to an internal machine on a particular port. Is this possible?
 
interface FastEthernet0/0
no ip address
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
!
interface FastEthernet0/0.7
encapsulation dot1Q 7
ip address 192.168.7.3 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.99
encapsulation dot1Q 99
ip address 192.168.99.3 255.255.255.0
ip nat inside
ip virtual-reassembly
!

interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
ip address xx.xx.xx.42 255.255.255.0
ip access-group 100 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.1
!
!
no ip http server
no ip http secure-server
ip nat pool OUTSIDE xx.xx.xx.42 xx.xx.xx.42 netmask 255.255.255.0
ip nat inside source list 10 pool OUTSIDE overload
!
access-list 10 permit 192.168.7.0 0.0.0.255
access-list 10 permit 192.168.49.0 0.0.0.255
access-list 10 permit 192.168.99.0 0.0.0.255

 
ip nat inside source static tcp 192.168.x.x 4505 int fa0/1 4505

Burt
 
Do I need to add this or take the overload away ?
 
I gave that a shot with the overload statement still in place and that did not work.
 
No overload...

Your NAT pool (which you actually don't need) will still do the port address translation, which is the overload part. If you want to SSH to a LAN server from the outside, you of course need to statically NAT the inside to the outside to a specific port---in this case you wanted 4505, TCP, I suppose, though SSH is port 22.

The best way to do NAT with a single public IP address is with an ACL and ip nat inside source list (or route map, if there are other things that you may want to do, like excluding VPN addresses from NAT, etc)...

access-list 101 deny ip any 192.168.1.0 0.0.0.7
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

ip nat inside source list 101 int fa0/1 over

for ssh to 192.168.1.69...

ip nat inside source static tcp 192.168.1.69 22 int fa0/0 21

See? If you add overload to static NAT, it won't work---the whole idea of a static nat translation is to map one IP with one port number, inside to outside.

Burt
 
Thanks for your help, burtbees. I tried what you suggested; that didn't work for me. Here is my new configuration:

interface FastEthernet0/0
no ip address
ip access-group 101 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
!
interface FastEthernet0/0.7
encapsulation dot1Q 7
ip address 192.168.7.3 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.99
encapsulation dot1Q 99
ip address 192.168.99.3 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1
ip address xx.xx.xx.42 255.255.255.0
ip access-group 100 out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto

ip nat inside source static tcp 192.168.7.20 4505 xx.xx.xx.42 4505 extendable
!
access-list 100 permit tcp xx.xx.xx.0 0.0.0.255 any
access-list 100 permit udp xx.xx.xx.0 0.0.0.255 any
access-list 100 permit tcp 192.168.7.0 0.0.0.255 any
access-list 100 permit tcp 192.168.99.0 0.0.0.255 any
access-list 100 permit tcp 192.168.49.0 0.0.0.255 any
access-list 100 permit udp 192.168.49.0 0.0.0.255 any
access-list 100 permit udp 192.168.7.0 0.0.0.255 any

access-list 101 permit tcp xx.xx.xx.0 0.0.0.255 any
 
Take ACL 100 and 101 out (remove them from the interfaces), then try. Are you wanting to SSH to port 4505 from the outside? Am I understanding this as your goal?

Burt
 
Yes, that is the goal, but I took the ACLs out and I still don't connect.

I leave just this line:
ip nat inside source static tcp 192.168.7.20 4505 xx.xx.xx.42 4505 extendable

That line did not work.

I thought when you NAT you have to have two-way communication. Right now I see this:

Pro Inside global Inside local Outside local Outside global
tcp xx.xx.xx.42:4505 192.168.7.20:4505 --- ---

But should I see this
inside global = xx.xx.xx.42:4505
outside global = 192.168.7.20:4505
inside local = 192.168.7.20:4505
outside global = xx.xx.xx.42:4505

So right now you come in on that port, but it does not go back out on that port. Is that a correct assumption?


 
interface FastEthernet0/0
no ip address
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
!
interface FastEthernet0/0.7
encapsulation dot1Q 7
ip address 192.168.7.3 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.99
encapsulation dot1Q 99
ip address 192.168.99.3 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.198
encapsulation dot1Q 198
ip address xx.xx.xx.3 255.255.255.0
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
ip address xx.xx.xx.42 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.1
!
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 192.168.7.20 4505 xx.xx.xx.42 4505 extendable
 
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
ip nat inside source list 101 int fa0/1 over

no ip nat inside source static tcp 192.168.7.20 4505 xx.xx.xx.42 4505 extendable

ip nat inside source static tcp 192.168.7.20 4505 int fa0/1 4505

Burt
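Pulling Burt's final answer together with the router-on-a-stick layout from the first post, here is a complete config fragment as an added example (not posted by either participant). It assumes VLAN 49 gets a subinterface like the other two, keeps xx.xx.xx.42 / xx.xx.xx.1 as the public address and gateway from the thread, and puts the inbound filter back on the outside interface so only the forwarded port and return traffic are accepted instead of leaving the interface unfiltered.

```cisco
! Added example: corrected NAT overload + static port forward with
! dot1Q subinterfaces. Assumed: fa0/0.49 exists for VLAN 49; the
! public address xx.xx.xx.42 and gateway xx.xx.xx.1 are placeholders.
interface FastEthernet0/0
 no ip address
 no shutdown
!
interface FastEthernet0/0.7
 encapsulation dot1Q 7
 ip address 192.168.7.3 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.49
 encapsulation dot1Q 49
 ip address 192.168.49.3 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.99
 encapsulation dot1Q 99
 ip address 192.168.99.3 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address xx.xx.xx.42 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.1
!
! Dynamic PAT (overload) for all inside networks, using the fa0/1 address.
access-list 101 permit ip 192.168.7.0 0.0.0.255 any
access-list 101 permit ip 192.168.49.0 0.0.0.255 any
access-list 101 permit ip 192.168.99.0 0.0.0.255 any
ip nat inside source list 101 interface FastEthernet0/1 overload
!
! Static port forward: a static entry never takes the "overload" keyword.
ip nat inside source static tcp 192.168.7.20 4505 interface FastEthernet0/1 4505
!
! An inbound ACL is evaluated before outside-to-inside NAT, so it must
! match the public address, not 192.168.7.20. Stateless return traffic
! (TCP established, DNS replies, ping replies) needs explicit permits.
ip access-list extended OUTSIDE-IN
 permit tcp any host xx.xx.xx.42 eq 4505
 permit tcp any any established
 permit udp any eq domain host xx.xx.xx.42
 permit icmp any host xx.xx.xx.42 echo-reply
 deny ip any any log
```

After applying this, show ip nat translations should list the static 4505 entry alongside the dynamic ones, and the deny-with-log line on OUTSIDE-IN gives a record of anything else that probes the public address.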
 