Can someone check this NAT/ACL solution please?

Discussion in 'Cisco' started by Rob Dover, Dec 22, 2005.

  1. Rob Dover

    Rob Dover Guest

    After much head scratching and hair loss, I think I have a solution to my
    port forward / NAT problem that I posted about last week. I would very much
    appreciate if someone more knowledgeable than myself would take a look at my
    config and see if I am missing any major holes.

    The basic design spec is...

    A device on the outside (192.168.1.148) must be able to:
    - respond to snmp queries from devices on the inside LAN (192.168.253.0/24)
    - send snmp traps to inside host 192.168.253.242
    - respond to telnet connections from devices on the inside LAN
    - respond to pings from devices on the inside LAN
    It must not be able to initiate any connections to either the router or any
    inside hosts.
    The inside hosts must see the outside host as if it were inside at IP
    192.168.253.148.
    The router must respond to inside pings and telnet requests using the E0
    secondary address 192.168.253.254.

    Note that my description reverses the interface NAT settings.
    E0 is actually the inside interface despite the ip nat outside command. I
    could not get nat working with ip nat inside on the E0 and ip nat outside on
    the E1. If anyone can tell me why I would be grateful.

    The config I have is...

    interface Ethernet0
    ip address 192.168.253.254 255.255.255.0 secondary
    ip address 192.168.253.148 255.255.255.0
    ip access-group 101 in
    ip nat outside
    !
    interface Ethernet1
    ip address 192.168.1.254 255.255.255.0
    ip access-group 102 in
    ip nat inside
    !
    ip nat inside source static 192.168.1.148 192.168.253.148 extendable
    !
    access-list 101 permit udp any host 192.168.253.148 eq snmp
    access-list 101 permit icmp any host 192.168.253.148
    access-list 101 permit icmp any host 192.168.253.254
    access-list 101 permit tcp any host 192.168.253.148 eq telnet
    access-list 101 permit tcp any host 192.168.253.254 eq telnet
    access-list 102 permit udp host 192.168.1.148 any
    access-list 102 permit icmp host 192.168.1.148 any echo-reply
    access-list 102 permit tcp host 192.168.1.148 any established

    Thanks -Rob-
     
    Rob Dover, Dec 22, 2005
    #1

  2. Todd

    Todd Guest

    Rob,

    The problem with your NAT is that it's reversed. It will still work
    fine... but I see how it's confusing when you look at the config and
    your ip nat inside is actually the outside int...
    To fix it:

    ip nat inside destination static 192.168.253.148 192.168.1.148
    extendable

    Then reverse E0 to be inside
    and E1 outside.

    This way you will translate the destination IP in packets coming from
    your inside hosts going to destination address 192.168.253.148.

    In the config you have, you translate the source IP, which, originating
    from inside, will be your host IPs, not the one you want to translate.
    That is why when you tell it that your E1 is inside it works!

    Your ACLs look fine... the only thing I see is that you allow only udp
    = snmp going out (101), but all udp coming in (102), unless you have a
    reason for that!

    Hope this helps!
    Todd
     
    Todd, Dec 22, 2005
    #2

  3. Rob Dover

    Rob Dover Guest

    Thanks for the NAT tip Todd. I'll give that a try.
    As to the incoming udp, I would prefer traps only go to the inside host
    192.168.253.242, but as soon as I changed the rule to "access-list 102 permit
    udp host 192.168.1.148 host 192.168.1.254 eq snmp" my internal snmp requests
    to 1.148 quit working. At least I think that's what happened. I've tried so
    many combos now I'm losing track :p
    I'll give it another go.
    Thanks -Rob-

    Rob Dover, Dec 22, 2005
    #3
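As an added example (not part of the thread), a small Python model of the extended-ACL subset used here, run over list 102 three ways: as Rob posted it, with the replacement udp line he tried in post #3, and in a tightened form. The flows, the stand-in management host 192.168.253.10, the ephemeral ports and the tightened list are constructed for the example. It relies on IOS checking an inbound ACL before NAT, so list 102 on E1 sees the untranslated 192.168.1.148 source and the real 192.168.253.x destinations.

```python
"""Stateless model of the extended-ACL subset posted in this thread (constructed example)."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple

PORTS = {"snmp": 161, "snmptrap": 162, "telnet": 23}  # IOS port keywords used here

class Flow(NamedTuple):
    proto: str        # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0    # 0 = not applicable (icmp)
    dport: int = 0
    flags: str = ""   # tcp: "syn" or "ack" (ACK/RST set); icmp: "echo" or "echo-reply"

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ip_network("0.0.0.0/0")
    if tok == "host":
        return ip_network(tokens.pop(0) + "/32")
    # ipaddress accepts an IOS wildcard (host mask) in place of a prefix length
    return ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def _port(tokens):
    """Consume an optional 'eq <port>' operator; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORTS[p] if p in PORTS else int(p)
    return None

def parse_acl(text):
    """Parse numbered extended ACL lines into {list number: [rule, ...]}."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        num, action, proto, rest = t[1], t[2], t[3], t[4:]
        src, sport = _addr(rest), _port(rest)
        dst, dport = _addr(rest), _port(rest)
        qualifier = rest[0] if rest else ""  # 'established' or an ICMP type keyword
        acls.setdefault(num, []).append((action, proto, src, sport, dst, dport, qualifier))
    return acls

def _matches(rule, f):
    _, proto, src, sport, dst, dport, qual = rule
    return (proto == f.proto
            and ip_address(f.src) in src and ip_address(f.dst) in dst
            and sport in (None, f.sport) and dport in (None, f.dport)
            and (qual != "established" or f.flags == "ack")
            and (qual != "echo-reply" or f.flags == "echo-reply"))

def evaluate(rules, flow):
    """First matching line wins; every IOS ACL ends with an implicit deny."""
    for rule in rules:
        if _matches(rule, flow):
            return rule[0]
    return "deny"

# List 102 as posted, applied inbound on E1 (facing 192.168.1.148).  IOS checks an inbound
# ACL before NAT, so it sees the untranslated source and the real 192.168.253.x destinations.
ACL_POSTED = """
access-list 102 permit udp host 192.168.1.148 any
access-list 102 permit icmp host 192.168.1.148 any echo-reply
access-list 102 permit tcp host 192.168.1.148 any established
"""
# The replacement udp line Rob tried in post #3, other lines unchanged.
ACL_ATTEMPT = ACL_POSTED.replace("permit udp host 192.168.1.148 any",
                                 "permit udp host 192.168.1.148 host 192.168.1.254 eq snmp")
# Constructed tightened list: SNMP responses (source port 161) to the LAN, traps only to
# 192.168.253.242, nothing else from the outside host.
ACL_TIGHT = """
access-list 102 permit udp host 192.168.1.148 eq snmp 192.168.253.0 0.0.0.255
access-list 102 permit udp host 192.168.1.148 host 192.168.253.242 eq snmptrap
access-list 102 permit icmp host 192.168.1.148 any echo-reply
access-list 102 permit tcp host 192.168.1.148 any established
"""
# Constructed flows from the outside device; 192.168.253.10 stands in for any inside
# management host and the ephemeral ports are arbitrary.
FLOWS = {
    "snmp_reply":   Flow("udp", "192.168.1.148", "192.168.253.10", 161, 40000),
    "snmp_trap":    Flow("udp", "192.168.1.148", "192.168.253.242", 50000, 162),
    "udp_initiate": Flow("udp", "192.168.1.148", "192.168.253.10", 50001, 53),
    "telnet_reply": Flow("tcp", "192.168.1.148", "192.168.253.10", 23, 41000, "ack"),
    "telnet_syn":   Flow("tcp", "192.168.1.148", "192.168.253.10", 41001, 23, "syn"),
    "ping_reply":   Flow("icmp", "192.168.1.148", "192.168.253.10", flags="echo-reply"),
    "ping_request": Flow("icmp", "192.168.1.148", "192.168.253.254", flags="echo"),
}

def check(acl_text):
    """Return {flow name: 'permit' | 'deny'} for list 102 in acl_text."""
    rules = parse_acl(acl_text)["102"]
    return {name: evaluate(rules, f) for name, f in FLOWS.items()}

if __name__ == "__main__":
    for label, text in ("posted", ACL_POSTED), ("attempt", ACL_ATTEMPT), ("tightened", ACL_TIGHT):
        print(label, check(text))
```

Running it shows the two points raised in the thread. The posted `permit udp host 192.168.1.148 any` line also permits a UDP datagram the outside host initiates to any inside host (the `udp_initiate` flow), which is the "all udp coming in" Todd flagged and contradicts the "must not initiate" requirement. Rob's attempted line never matches an SNMP response, because a response carries source port 161 and is addressed to the querying LAN host, not to the router's 192.168.1.254 with destination port 161, so the query appears to stop working. The tightened list matches on source port 161 and restricts traps to 192.168.253.242, but it remains a stateless filter: a datagram sent from port 161 would still pass, so the "must not initiate" requirement is only fully met with a stateful mechanism such as a reflexive ACL or CBAC (`ip inspect`).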