Friday, January 18, 2013

Configure Static NAT for Inbound Connections.

This post shows how to configure Network Address Translation (NAT) on a Cisco router so that hosts on the Internet can reach an internal Web and mail server. This requires a static NAT translation between the server's dedicated public IP address and its internal private IP address.

NAT translates private IP addresses to public IP addresses so that inside users can reach the public Internet. Most of us use a form of NAT called Port Address Translation (PAT), which Cisco refers to as NAT overload. (See the earlier posts “How to Set up NAT using the Cisco IOS” and “How to Set up PAT (Port Address Translation) in the Cisco IOS.”)

Figure A is a diagram to help visualize the network.
Figure A: How to Configure Static NAT for Inbound Connections

Goal: To configure a static IP translation through the router from the outside (i.e., Internet) network to the inside (i.e., private) network.

Here’s the information we need for the example:
  • Router inside interface E0/0: IP 10.1.1.1
  • Router outside interface S0/0: IP 63.63.63.1
  • Web/mail server private IP: 10.1.1.2
  • Web/mail server public IP: 63.63.63.2
There are two important steps to get this traffic inside your network and to your Web/mail server:
  1. NAT configuration
  2. Firewall configuration
In this post, I’ll provide the basic static NAT configuration.

Note: Whatever you use for a firewall, make sure it also allows this traffic in.
Whether you're using basic Access Control Lists (ACLs) or the Cisco IOS firewall feature set, you need to know which addresses (public or private) your firewall rules will see. In other words, what happens first, NAT translation or firewall filtering? On a Cisco router, an inbound ACL on the outside interface is checked before the outside-to-inside NAT translation, so that ACL must permit traffic to the public address (63.63.63.2 here), not the private one. An outbound ACL on the inside interface sees the packet after translation and would have to reference the private address 10.1.1.2 instead. Getting this wrong is the most common reason a static NAT "doesn't work": the translation is fine, but the ACL is silently dropping the packet before NAT ever sees it.

Basic configuration:
interface Serial0/0
 ip address 63.63.63.1 255.255.255.0
 ip nat outside
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
We need static translations that map the server's public address 63.63.63.2 to its private address 10.1.1.2 (and 10.1.1.2 back to 63.63.63.2 for the return traffic). Here are the commands, one per service, that tie the inside and outside addresses together:
Router (config)# ip nat inside source static tcp 10.1.1.2 25 63.63.63.2 25
Router (config)# ip nat inside source static tcp 10.1.1.2 443 63.63.63.2 443
Router (config)# ip nat inside source static tcp 10.1.1.2 80 63.63.63.2 80
Router (config)# ip nat inside source static tcp 10.1.1.2 110 63.63.63.2 110
We used the specific port numbers 25, 443, 80 and 110 because they match the services we want to expose: port 25 for SMTP (inbound mail), port 443 for HTTPS (secure Web), port 80 for HTTP (Web traffic), and port 110 for POP3 (retrieving mail from the server while out on the Internet). Translating individual TCP ports rather than creating a one-to-one static NAT for the whole address means there is simply no translation for any other port, so nothing else on the server is reachable from the Internet even if a firewall rule is later loosened by mistake. Keep in mind that POP3 on port 110 and SMTP on port 25 are cleartext protocols, so any passwords sent over them from the Internet are exposed; if remote users will log in, prefer the TLS-protected variants (POP3S on port 995, or SMTP submission on port 587 with STARTTLS) and forward those ports instead.

The configuration above assumes you have been assigned a block of public addresses and that 63.63.63.2 is a spare address in it. If you only have the single address on the router's outside interface (Serial0/0 in this case), reference the interface instead of an address, like this:
Router (config)# ip nat inside source static tcp 10.1.1.2 25 interface Serial0/0 25
This interface form is also the one to use when your ISP assigns the outside address dynamically via DHCP, since the translation follows whatever address the interface currently holds. Repeat it for ports 80, 110 and 443 as above. One caveat: inbound connections to those ports on the router's own address now go to the server, so don't rely on the router's own HTTP server being reachable on that interface once port 80 is mapped.


In addition to configuring static NAT, you may want to use dynamic NAT at the same time. With this, your inside PCs could access the Internet using dynamic NAT (i.e., NAT overload or PAT). This type of configuration could be a little more complex. I've used this type of setup in the past and if you don't document your configurations correctly, things can get out of hand quickly.
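Here is the full picture, both steps together plus the PAT overload for the inside LAN, so the static mappings, the firewall ACL and the overload rule can be seen side by side. This is an added example, not the configuration from the original post; it reuses the addresses above and assumes an inside subnet of 10.1.1.0/24 and ACL numbers 1 and 110, which are my choices rather than anything the post specifies.

```cisco
! Added example, not the original post's configuration.
! Addresses are the post's; the 10.1.1.0/24 inside subnet and
! ACL numbers 1 and 110 are assumed.
!
! --- Interfaces ---
interface Serial0/0
 description Outside (ISP)
 ip address 63.63.63.1 255.255.255.0
 ip nat outside
!
interface Ethernet0/0
 description Inside LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! --- Step 1: static port translations for the Web/mail server ---
! Only these four TCP ports have a translation, so no other port on
! 10.1.1.2 is reachable from the Internet.
ip nat inside source static tcp 10.1.1.2 25 63.63.63.2 25
ip nat inside source static tcp 10.1.1.2 80 63.63.63.2 80
ip nat inside source static tcp 10.1.1.2 110 63.63.63.2 110
ip nat inside source static tcp 10.1.1.2 443 63.63.63.2 443
!
! --- PAT (NAT overload) so the rest of the LAN can reach the Internet ---
! Static entries are matched before this dynamic rule, so the server's
! four services keep their fixed mapping while everything else on the
! LAN (including the server's own outbound connections) shares the
! Serial0/0 address 63.63.63.1.
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 interface Serial0/0 overload
!
! --- Step 2: firewall ACL for the outside interface ---
! An inbound ACL on Serial0/0 is evaluated before outside-to-inside NAT,
! so it must match the public address 63.63.63.2, never 10.1.1.2.
access-list 110 permit tcp any host 63.63.63.2 eq 25
access-list 110 permit tcp any host 63.63.63.2 eq 80
access-list 110 permit tcp any host 63.63.63.2 eq 110
access-list 110 permit tcp any host 63.63.63.2 eq 443
! Return traffic for the LAN's own outbound TCP connections comes back
! to the PAT address. "established" only matches TCP segments with
! ACK or RST set; UDP replies (DNS, NTP) are not covered and need
! reflexive ACLs or the IOS firewall feature set (ip inspect) for a
! stateful return path.
access-list 110 permit tcp any host 63.63.63.1 established
! Let path-MTU discovery work, then drop and log everything else.
access-list 110 permit icmp any any packet-too-big
access-list 110 deny ip any any log
!
! Apply the ACL only after it is fully defined: an access-group that
! references an empty ACL permits everything.
interface Serial0/0
 ip access-group 110 in
```

After applying it, show ip nat translations lists the four static entries even before any traffic arrives (with the outside local and outside global columns shown as dashes), show ip nat statistics shows the overload rule and its hit count, and show access-lists 110 shows per-line match counts, which is the quickest way to confirm that a connection attempt is hitting the permit line you expect rather than the final deny.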
