Guest
Posted: Thu Dec 15, 2005 5:21 pm
Post subject: Trying to configure NAT/PAT after reading several articles
I have read several articles/postings on the use of NAT/PAT, but haven't been able to get it to work. I want to set up static NATs and use PAT to connect to specific service IP/port number pairs. I need to be able to connect to individual IP/port number pairs and IP/multiple-port number pairs, i.e. the same IP running multiple services.
Here are the relevant configuration settings:
interface FastEthernet0/0
description INTERNET FACING INTERFACE
ip address 71.125.C.D 255.255.255.0
ip access-group 151 in
no ip directed-broadcast
full-duplex
no cdp enable
!
interface FastEthernet0/1
description INTERNAL INTERFACE VLAN 10
ip address 192.168.1.5 255.255.255.0
ip access-group 111 in
no ip redirects
no ip directed-broadcast
ip nat inside
no cdp enable
!
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.200 80 71.125.24.85 80 extendable
!
ip access-list standard NAT
permit 192.168.1.0 0.0.0.255
Martin Kayes (Guest)
Posted: Thu Dec 15, 2005 5:21 pm
Post subject: Re: Trying to configure NAT/PAT after reading several articl
Hi,
You need to change two parts of this line:
ip nat inside source list 1 interface FastEthernet0/1 overload
to be as follows:
ip nat inside source list NAT interface FastEthernet0/0 overload
and add the following to int E0/0:
interface FastEthernet0/0
ip nat outside
Regards,
Martin
Guest
Posted: Fri Dec 16, 2005 12:11 am
Post subject: Re: Trying to configure NAT/PAT after reading several articl
Martin,
I made the changes that you suggested, but I still can't form a socket connection to port 80. I am attempting the connection as the PETER_HOME entry in access-list 151. Also, I can telnet to port 80 from an internal box.
Attached is my router's current configuration.
CT_Router1#s config
Using 2052 out of 29688 bytes, uncompressed size = 3851 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service compress-config
!
hostname CT_Router1
!
logging buffered 8192 debugging
aaa new-model
aaa authentication login default local
aaa authentication login AUTHEN_CON local
aaa authentication login AUTHEN_VTY local
enable secret 5 $1$bTzM$WNJgYiKLjclWl4NHuPbKc1
!
username ??? privilege 7 password 7 012726331A3C453B3B151D5940
username ??? password 7 14463C0F5D55
clock timezone EDT -5
clock summer-time EDT recurring
ip subnet-zero
no ip source-route
no ip finger
no ip domain-lookup
ip domain-name indii.net
ip name-server 151.202.0.84
ip name-server 151.198.0.38
!
no ip bootp server
!
!
!
!
interface FastEthernet0/0
description INTERNET FACING INTERFACE
ip address 71.125.C.D 255.255.255.0
ip access-group 151 in
no ip directed-broadcast
ip nat outside
full-duplex
no cdp enable
!
interface FastEthernet0/1
description INTERNAL INTERFACE VLAN 10
ip address 192.168.1.5 255.255.255.0
no ip redirects
no ip directed-broadcast
ip nat inside
no cdp enable
!
interface Ethernet1/0
description INDSIDE INTERFACE
ip address 192.168.30.1 255.255.255.0
no ip redirects
no ip unreachables
no ip directed-broadcast
no ip proxy-arp
ntp disable
no cdp enable
!
ip nat inside source list nat interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.200 80 71.125.24.D 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 71.125.24.D
no ip http server
ip http authentication local
!
!
ip access-list standard NAT
permit 192.168.1.0 0.0.0.255
access-list 131 permit ip any any
access-list 131 remark * ICMP rules
access-list 131 permit icmp any 0.0.0.66 255.255.255.0 echo
access-list 131 permit icmp any 0.0.0.66 255.255.255.0 echo-reply
access-list 131 permit icmp any 0.0.0.66 255.255.255.0 administratively-prohibited
access-list 131 permit icmp any 0.0.0.66 255.255.255.0 packet-too-big
access-list 131 permit icmp any 63.251.25.64 0.0.0.31 traceroute
access-list 131 permit icmp any 0.0.0.66 255.255.255.0 unreachable
access-list 131 permit icmp any 0.0.0.66 255.255.255.0 time-exceeded
access-list 131 deny ip any any log-input
access-list 151 remark * Peter Home
access-list 151 permit ip host 66.114.C.D any
access-list 151 remark * GLOBAL INBOUND RULES
access-list 151 remark * ANTI-SPOOFING RULES
access-list 151 deny ip host 0.0.0.0 any log-input
access-list 151 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 151 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 151 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 151 deny ip host 255.255.255.255 any log-input
access-list 151 deny ip 71.125.24.66 0.0.0.28 any log-input
access-list 151 remark * ICMP rules
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 echo
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 echo-reply
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 administratively-prohibited
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 packet-too-big
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 traceroute
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 unreachable
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 time-exceeded
access-list 151 remark * Desktop Applet Settings
access-list 151 permit tcp any host 71.125.24.85 eq www
access-list 151 permit tcp any host 71.125.24.85 eq 4202
access-list 151 permit tcp any host 71.125.24.85 eq 6501
access-list 151 deny ip any any log-input
no cdp run
!
line con 0
exec-timeout 60 0
login authentication AUTHEN_CON
transport input none
stopbits 1
line aux 0
line vty 0 4
exec-timeout 30 0
login authentication AUTHEN_VTY
transport input telnet
!
no scheduler allocate
end
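As an added illustration (not part of the thread), a small Python model of the outside-to-inside path on Fa0/0: it evaluates the posted ACL 151 (abridged) with Cisco wildcard-mask semantics, then applies the static PAT entry from the first post. 198.51.100.7 and 66.114.0.1 are constructed addresses, the latter a stand-in for the redacted 66.114.C.D; 71.125.24.85 is the global address used in the first post's static entry and in ACL 151.

```python
# ACL 151 from the post above, abridged; 66.114.0.1 stands in for the redacted 66.114.C.D
ACL_151_TEXT = """
access-list 151 remark * Peter Home
access-list 151 permit ip host 66.114.0.1 any
access-list 151 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 151 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 151 deny ip 71.125.24.66 0.0.0.28 any log-input
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 echo
access-list 151 permit tcp any host 71.125.24.85 eq www
access-list 151 deny ip any any log-input
"""
_ip = lambda s: int.from_bytes(bytes(map(int, s.split("."))), "big")  # dotted quad -> int
def _addr(tok, i):  # any | host A | A WILDCARD  ->  ((base, wildcard), next index)
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2
def _matches(spec, addr):  # set wildcard bits are don't-care, contiguous or not (0.0.0.28)
    base, wild = spec
    return ((base ^ _ip(addr)) & ~wild & 0xFFFFFFFF) == 0
def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()[2:]  # drop the "access-list 151" prefix
        if tok[0] == "remark":
            continue
        src, i = _addr(tok, 2)
        dst, i = _addr(tok, i)
        rest = [t for t in tok[i:] if t != "log-input"]  # "eq PORT", an ICMP type, or nothing
        dport = icmp = None
        if rest[:1] == ["eq"]:
            dport = 80 if rest[1] == "www" else int(rest[1])
        elif rest:
            icmp = rest[0]
        aces.append((tok[0], tok[1], src, dst, dport, icmp))
    return aces
def evaluate(aces, proto, src, dst, dport=None, icmp=None):  # first match wins; implicit deny
    for action, p, s, d, ace_port, ace_icmp in aces:
        if (p in ("ip", proto) and _matches(s, src) and _matches(d, dst)
                and (ace_port, ace_icmp) in ((None, None), (dport, icmp))):
            return action
    return "deny"
ACL_151 = parse_acl(ACL_151_TEXT)
STATIC_NAT = {("tcp", "71.125.24.85", 80): ("192.168.1.200", 80)}  # static PAT from the first post
def inbound(proto, src, dst, dport=None, icmp=None):  # Fa0/0: inbound ACL (global address), then NAT
    if evaluate(ACL_151, proto, src, dst, dport, icmp) != "permit":
        return None  # dropped by ACL 151; NAT is never consulted
    return STATIC_NAT.get((proto, dst, dport), (dst, dport))  # translated only if a static entry exists
```

The wildcard 0.0.0.28 in the ICMP rules is non-contiguous and covers only the eight addresses whose last octet is 66, 70, 74, 78, 82, 86, 90 or 94, so 71.125.24.85 is not among them and an echo to it falls through to the final deny.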
Martin Kayes (Guest)
Posted: Fri Dec 16, 2005 2:34 am
Post subject: Re: Trying to configure NAT/PAT after reading several articl
At first glance it looks okay, however in your static statement you have the
word NAT in lower case rather than upper case; it should be upper case to
match the name of the access-list. Try this and let me know:
ip nat inside source list NAT interface FastEthernet0/0 overload
Regards,
Martin
Guest
Posted: Fri Dec 16, 2005 3:50 am
Post subject: Re: Trying to configure NAT/PAT after reading several articl
I capitalized the word NAT on the 'ip nat inside' command, but still no luck. I will try removing access-list 151, but I don't feel that this is going to help.
I will get back to you later.
Guest
Posted: Fri Dec 16, 2005 6:01 am
Post subject: Re: Trying to configure NAT/PAT after reading several articl
I also removed all access-lists from all interfaces and still couldn't connect.
Does anyone have any ideas?
Martin Kayes (Guest)
Posted: Fri Dec 16, 2005 3:24 pm
Post subject: Re: Trying to configure NAT/PAT after reading several articl
To do NAT is as simple as setting 'ip nat outside', 'ip nat inside', an access-list... and the static statement.
I have never tried using a standard access-list for the NAT rules; I always use advanced - maybe that is the last remaining problem. Try changing it to this instead:
ip access-list extended NAT
permit ip 192.168.1.0 0.0.0.255 any
If that fails to work then go to the conventional access-list format:
'access-list 100 permit.....'
Regards,
Martin
Martin Kayes (Guest)
Posted: Fri Dec 16, 2005 5:20 pm
Post subject: Re: Trying to configure NAT/PAT after reading several articl
Can you give me the name of your IOS image from the show version output
please. I will check it for functionality and known bugs.
Regards,
Martin
Guest
Posted: Fri Dec 16, 2005 5:20 pm
Post subject: Re: Trying to configure NAT/PAT after reading several articl
I tried both forms of the access-list (extended and 'access-list 100 permit') with no luck. I believe that the format of my configuration is correct (ip nat inside, ip nat outside, ip nat inside source list 185 interface FastEthernet0/0 overload, ip nat inside source static tcp 192.168.1.200 80 71.125.24.D 80 extendable and ip access-list 185 permit ip 192.168.1.0 0.0.0.255 any) yet it isn't working.
I don't know where to go from here.