NAT on a 3 interface router with a DMZ

Discussion in 'Cisco' started by John Jacob, Aug 5, 2004.

  1. John Jacob

    John Jacob Guest

    I have a rather complicated NAT scenario that I need help with. My
    company has a router we are placing on the other end of a satellite
    connection that will be used for customers. The picture below
    illustrates what this slice of our network looks like. What I need to
    achieve is to be able to basically have both inside (DMZ) and (Remote)
    LAN have full access to the WAN. I also need to be able from the WAN
    side to port forward to the 2 PCs that are shown on the inside
    network. The third part is to be able to port forward from the DMZ to
    the PC in the Remote LAN and likewise port forward from the Remote LAN
    to the PC in the DMZ. This is the part I don't understand how to do. I
    have a friend that says that I should be able to just do a static
    command for each side of the inside network and then use access lists
    for ingress and egress filtering as needed. I've been asked why not
    just route instead of NAT for the remote LANs. The reason is we will
    have multiple remote LANs and I want to be able to restrict remote LAN
    to remote LAN traffic for security reasons. That way our customers
    won't be able to hack into each other's systems without a great deal
    of effort. I haven't tried the below configuration settings yet. I
    would like an opinion if this is the right way to go about this. I'm
    not yet an expert on the underlying mechanics of NAT.

    ! -- Overload (PAT) outbound traffic matched by access list 1 on the WAN interface --
    ip nat inside source list 1 interface FastEthernet0/0 overload
    ! -- VNC runs over TCP, so the port forwards below use tcp --
    ! -- Set port forward for DMZ PC VNC port on WAN interface --
    ip nat inside source static tcp 192.168.0.1 5900 192.168.47.254 5900 extendable
    ! -- Set port forward for DMZ PC VNC port on Remote LAN interface --
    ip nat inside source static tcp 192.168.0.1 5900 192.168.34.254 5900 extendable
    ! -- Set port forward for Remote LAN PC VNC port on WAN interface --
    ip nat inside source static tcp 192.168.34.101 5901 192.168.47.254 5901 extendable
    ! -- Set port forward for Remote LAN PC VNC port on DMZ interface --
    ip nat inside source static tcp 192.168.34.101 5901 192.168.0.254 5901 extendable

    ! --- General Access list to allow traffic from inside networks
    ! --- Permit outbound traffic from the two inside networks
    !
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 1 permit 192.168.34.0 0.0.0.255

                   Satellite network WAN segment
                   Private WAN Server 192.168.47.221 and Internet Access
                   (255.255.255.0)
                            |
                            |  Office Private WAN 192.168.47.254 - F0/0
                            |  (NAT - Outside)
                            |
                   |-----------------|
                   |                 |
                   |      Cisco      |
                   |   2621 Router   |
                   |                 |
                   |-----------------|
                      |           |
       Remote DMZ     |           |   Remote LAN
       192.168.0.254  |           |   192.168.34.254
       (NAT - Inside) |           |   (NAT - Inside)
                      |           |
                      |           |
                      |           Linux Server 192.168.34.101
                      |           (255.255.255.0)
                      |           VNC port 5901
                      |
       DirecWay Windows 2000 Professional
       Internet Connection Sharing
       VNC Port 5900
       Remote Admin PC 192.168.0.1
       (255.255.255.0)
       Public IP 66.15.25.77
       (made up for discussion purposes, not real)
     
    John Jacob, Aug 5, 2004
    #1
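
An added example, not part of the original post and not Cisco tooling: a Python audit of the posted NAT statements that lists each port forward and flags the ones whose global address lies in a subnet permitted by access list 1, which are the two DMZ/Remote LAN cross-forwards the post asks about. The sample config is constructed from the post's lines (wrapped lines rejoined, protocol written as tcp because VNC listens on TCP); `audit` and `wildcard_to_network` are hypothetical names.

```python
import ipaddress
import re

# Constructed sample: NAT lines from the post, rejoined, protocol written as tcp.
CONFIG = """\
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.1 5900 192.168.47.254 5900 extendable
ip nat inside source static tcp 192.168.0.1 5900 192.168.34.254 5900 extendable
ip nat inside source static tcp 192.168.34.101 5901 192.168.47.254 5901 extendable
ip nat inside source static tcp 192.168.34.101 5901 192.168.0.254 5901 extendable
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.34.0 0.0.0.255
"""

OVERLOAD_RE = re.compile(r"ip nat inside source list (\d+) interface \S+ overload", re.I)
STATIC_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", re.I)
ACL_RE = re.compile(r"access-list (\d+) permit (\S+) (\S+)", re.I)

def wildcard_to_network(addr, wildcard):
    """Convert an IOS address and wildcard mask (inverted netmask) to a network."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}")

def audit(config):
    """Return (inside_nets, forwards) for the overload ACL and static port forwards."""
    acl_id, acls, statics = None, {}, []
    for line in map(str.strip, config.splitlines()):
        if m := OVERLOAD_RE.match(line):
            acl_id = m.group(1)
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(wildcard_to_network(*m.group(2, 3)))
    inside = acls.get(acl_id, [])  # subnets the overload rule treats as inside
    forwards = []
    for proto, l_ip, l_port, g_ip, g_port in statics:
        forwards.append({
            "proto": proto.lower(),
            "local": f"{l_ip}:{l_port}",
            "global": f"{g_ip}:{g_port}",
            # True when the forward's global address is itself on an inside subnet
            "cross_inside": any(ipaddress.ip_address(g_ip) in n for n in inside),
            # False would mean the forwarded host is outside every NATed subnet
            "local_in_acl": any(ipaddress.ip_address(l_ip) in n for n in inside),
        })
    return inside, forwards

if __name__ == "__main__":
    for f in audit(CONFIG)[1]:
        note = "global on inside subnet" if f["cross_inside"] else "global not on inside subnet"
        print(f'{f["proto"]} {f["global"]} -> {f["local"]}  [{note}]')
```

The flagged entries are the ones to check against the router's actual translation table (`show ip nat translations`) before relying on them, and every listed forward is a service that needs a matching access-list entry on the interface it is exposed on.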