Trying to configure NAT/PAT after reading several articles -

Info on Cisco routers and bridges.

Postby Guest » Thu Dec 15, 2005 12:21 pm

I have read several articles/postings on the use of NAT/PAT, but
haven't been able to get it to work. I want to setup static NATs and
use PAT to connect to specific services port IP/port number pairs. I
need to be able to connect to individual IP/port number pairs and
IP/multiple port number pairs, i.e. the same IP running multiple
services.

Here are the relevant configuration settings:

interface FastEthernet0/0
description INTERNET FACING INTERFACE
ip address 71.125.C.D 255.255.255.0
ip access-group 151 in
no ip directed-broadcast
full-duplex
no cdp enable
!
interface FastEthernet0/1
description INTERNAL INTERFACE VLAN 10
ip address 192.168.1.5 255.255.255.0
ip access-group 111 in
no ip redirects
no ip directed-broadcast
ip nat inside
no cdp enable
!
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.200 80 71.125.24.85 80 extendable
!
ip access-list standard NAT
permit 192.168.1.0 0.0.0.255

Re: Trying to configure NAT/PAT after reading several articl

Postby Martin Kayes » Thu Dec 15, 2005 12:21 pm

Hi,

You need to change two parts of this line:
ip nat inside source list 1 interface FastEthernet0/1 overload
to be as follows:
ip nat inside source list NAT interface FastEthernet0/0 overload

and add the following to int E0/0:
interface FastEthernet0/0
ip nat outside


Regards,

Martin

Re: Trying to configure NAT/PAT after reading several articl

Postby Guest » Thu Dec 15, 2005 7:11 pm

Martin,

I made the changes that you suggested, but I still can't form a socket
connection to port 80. I am attempting the connection as the PETER_HOME
entry in access-list 151. Also I can telnet to port 80 from an
internal box.

Attached is my routers current configuration.

CT_Router1#s config
Using 2052 out of 29688 bytes, uncompressed size = 3851 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service compress-config
!
hostname CT_Router1
!
logging buffered 8192 debugging
aaa new-model
aaa authentication login default local
aaa authentication login AUTHEN_CON local
aaa authentication login AUTHEN_VTY local
enable secret 5 $1$bTzM$WNJgYiKLjclWl4NHuPbKc1
!
username ??? privilege 7 password 7 012726331A3C453B3B151D5940
username ??? password 7 14463C0F5D55
clock timezone EDT -5
clock summer-time EDT recurring
ip subnet-zero
no ip source-route
no ip finger
no ip domain-lookup
ip domain-name indii.net
ip name-server 151.202.0.84
ip name-server 151.198.0.38
!
no ip bootp server
!
!
!
!
interface FastEthernet0/0
description INTERNET FACING INTERFACE
ip address 71.125.C.D 255.255.255.0
ip access-group 151 in
no ip directed-broadcast
ip nat outside
full-duplex
no cdp enable
!
interface FastEthernet0/1
description INTERNAL INTERFACE VLAN 10
ip address 192.168.1.5 255.255.255.0
no ip redirects
no ip directed-broadcast
ip nat inside
no cdp enable
!
interface Ethernet1/0
description INDSIDE INTERFACE
ip address 192.168.30.1 255.255.255.0
no ip redirects
no ip unreachables
no ip directed-broadcast
no ip proxy-arp
ntp disable
no cdp enable
!
ip nat inside source list nat interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.200 80 71.125.24.D 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 71.125.24.D
no ip http server
ip http authentication local
!
!
ip access-list standard NAT
permit 192.168.1.0 0.0.0.255
access-list 131 permit ip any any
access-list 131 remark * ICMP rules
access-list 131 permit icmp any 0.0.0.66 255.255.255.0 echo
access-list 131 permit icmp any 0.0.0.66 255.255.255.0 echo-reply
access-list 131 permit icmp any 0.0.0.66 255.255.255.0 administratively-prohibited
access-list 131 permit icmp any 0.0.0.66 255.255.255.0 packet-too-big
access-list 131 permit icmp any 63.251.25.64 0.0.0.31 traceroute
access-list 131 permit icmp any 0.0.0.66 255.255.255.0 unreachable
access-list 131 permit icmp any 0.0.0.66 255.255.255.0 time-exceeded
access-list 131 deny ip any any log-input
access-list 151 remark * Peter Home
access-list 151 permit ip host 66.114.C.D any
access-list 151 remark * GLOBAL INBOUND RULES
access-list 151 remark * ANTI-SPOOFING RULES
access-list 151 deny ip host 0.0.0.0 any log-input
access-list 151 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 151 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 151 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 151 deny ip host 255.255.255.255 any log-input
access-list 151 deny ip 71.125.24.66 0.0.0.28 any log-input
access-list 151 remark * ICMP rules
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 echo
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 echo-reply
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 administratively-prohibited
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 packet-too-big
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 traceroute
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 unreachable
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 time-exceeded
access-list 151 remark * Desktop Applet Settings
access-list 151 permit tcp any host 71.125.24.85 eq www
access-list 151 permit tcp any host 71.125.24.85 eq 4202
access-list 151 permit tcp any host 71.125.24.85 eq 6501
access-list 151 deny ip any any log-input
no cdp run
!
line con 0
exec-timeout 60 0
login authentication AUTHEN_CON
transport input none
stopbits 1
line aux 0
line vty 0 4
exec-timeout 30 0
login authentication AUTHEN_VTY
transport input telnet
!
no scheduler allocate
end

Re: Trying to configure NAT/PAT after reading several articl

Postby Martin Kayes » Thu Dec 15, 2005 9:34 pm

At first glance it looks okay, however in your static statement you have the
word NAT in lower case rather than upper case; it should be upper case to
match the name of the access-list. Try this and let me know:

ip nat inside source list NAT interface FastEthernet0/0 overload

Regards,

Martin

Re: Trying to configure NAT/PAT after reading several articl

Postby Guest » Thu Dec 15, 2005 10:50 pm

I capitalized the word NAT on the 'ip nat inside' command, but still no
luck. I will try removing access-list 151, but I don't feel that this
is going to help.

I will get back to you later.

Re: Trying to configure NAT/PAT after reading several articl

Postby Guest » Fri Dec 16, 2005 1:01 am

I also removed all access-list from all interfaces and still couldn't
connect.

Does anyone have any ideas?

Re: Trying to configure NAT/PAT after reading several articl

Postby Martin Kayes » Fri Dec 16, 2005 10:24 am

To do NAT is as simple as setting 'ip nat outside', 'ip nat inside',
access-list... and the static statement.

I have never tried using a standard access-list for the NAT rules, I always
use extended - maybe that is the last remaining problem, try changing it to
this instead:

ip access-list extended NAT
permit ip 192.168.1.0 0.0.0.255 any

If that fails to work then go to the conventional access-list format:
'access-list 100 permit.....'


Regards,

Martin
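The full set of pieces Martin lists in this reply and in his first one (inside/outside roles, the source list, the overload statement, the static entries), as an added example and not a config from any of the posts above. It assumes the addressing used in the thread (FastEthernet0/0 outside on 71.125.C.D/24, FastEthernet0/1 inside on 192.168.1.0/24, web server 192.168.1.200) and uses the public address 71.125.24.85 from the first post as the static global; the extra static entries for ports 4202 and 6501 are assumed from the ACL 151 "Desktop Applet" lines, and the 71.125.C.D address is left obfuscated as the poster wrote it. The verification commands at the end are standard IOS exec commands.

```cisco
! One side must be "ip nat outside", the other "ip nat inside";
! a packet is only translated when it crosses from one to the other.
interface FastEthernet0/0
 description INTERNET FACING INTERFACE
 ip address 71.125.C.D 255.255.255.0
 ip access-group 151 in
 ip nat outside
!
interface FastEthernet0/1
 description INTERNAL INTERFACE VLAN 10
 ip address 192.168.1.5 255.255.255.0
 ip nat inside
!
! Inside sources that get dynamic PAT behind the outside interface address.
! Named ACLs are case-sensitive: "NAT" here and "list NAT" below must match exactly.
ip access-list standard NAT
 permit 192.168.1.0 0.0.0.255
!
ip nat inside source list NAT interface FastEthernet0/0 overload
!
! Static PAT: one inside host, several services, one public address.
! "extendable" is what allows multiple static entries to share that global address.
! (ports 4202 and 6501 assumed from the ACL 151 lines in the thread)
ip nat inside source static tcp 192.168.1.200 80   71.125.24.85 80   extendable
ip nat inside source static tcp 192.168.1.200 4202 71.125.24.85 4202 extendable
ip nat inside source static tcp 192.168.1.200 6501 71.125.24.85 6501 extendable
!
! The inbound ACL on the outside interface is checked BEFORE the destination is
! translated, so it has to permit the public (global) address, never 192.168.1.200.
access-list 151 permit tcp any host 71.125.24.85 eq www
access-list 151 permit tcp any host 71.125.24.85 eq 4202
access-list 151 permit tcp any host 71.125.24.85 eq 6501
access-list 151 deny ip any any log-input
!
! Verification, from exec mode:
!   show ip nat translations   - the three static entries are listed even with no traffic;
!                                if they are missing, the static lines did not take
!   show ip nat statistics     - lists which interfaces are inside/outside and the
!                                "access-list NAT interface FastEthernet0/0" mapping
!   show access-lists 151      - match counters on the permit lines show whether the
!                                SYN from outside reaches the router at all
!   debug ip nat               - prints each translation as it happens (short test only,
!                                it is noisy on a busy box)
```

Two things worth checking against those outputs. If 71.125.24.85 is not the outside interface's own address, the upstream router has to resolve it by ARP on that segment; IOS answers for a static global address itself (the entry installs an alias unless it was configured with the no-alias keyword), so a zero match count on the ACL 151 www line with no translation shown points at the upstream path or the ARP alias rather than at the NAT statements. And a telnet to port 80 from an inside box does not cross the inside/outside boundary, so it tests the server, not the translation; the test that matters is from an address that arrives on FastEthernet0/0.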

Re: Trying to configure NAT/PAT after reading several articl

Postby Martin Kayes » Fri Dec 16, 2005 12:20 pm

Can you give me the name of your IOS image from the show version output
please. I will check it for functionality and known bugs.

Regards,

Martin

Re: Trying to configure NAT/PAT after reading several articl

Postby Guest » Fri Dec 16, 2005 12:20 pm

I tried both forms of the access-list (extended and 'access-list 100
permit') with no luck. I believe that the format of my configuration is
correct (ip nat inside, ip nat outside, ip nat inside source list 185
interface FastEthernet0/0 overload, ip nat inside source static tcp
192.168.1.200 80 71.125.24.D 80 extendable and ip access-list 185
permit ip 192.168.1.0 0.0.0.255 any) yet it isn't working.

I don't know where to go from here.