Nat (inside) 0 access-list NoNAT_inside

Can someone Explain what the following does on my PIX firewall
nat (inside) 0 access-list NoNat_Inside
access-list NoNat_Inside line 1 permit ip lan 255.255.0.0 dmz 255.255.255.0
Lan = 10.10.0.0
DMZ= 172.172.172.0
I'm am under the impression it denies the DMZ from being nated as I can't access the internet directly from a server within the DMZ.
Kind regards,
Jake

That exempt traffic from LAN and DMZ and vice versa from being NATed.
If you would like to access internet from a server in DMZ, then you would need to configure NAT statement on DMZ:
nat (dmz) 1 172.172.172.0 255.255.255.0
Assuming that you already have "global (outside) 1 interface", or "global (outside) 1 " command.

Similar Messages

Static NAT using access-lists?

Hi,
i have an ASA5520 and im having an issue with static nat configuration.
I have an inside host, say 1.1.1.1, that i want to be accessible from the outside as address 2.2.2.2.
This is working fine. The issue is that i have other clients who i would like to access the host using its real physical address of 1.1.1.1.
I have got this working using nat0 as an exemption, but as there will be more clients accessing the physical address than the nat address i would like to flip this logic if possible.
Can i create a nat rule that only matches an access list i.e. 'for clients from network x.x.x.x, use the nat from 2.2.2.2 -> 1.1.1.1' and for everyone else, dont nat?
My Pix cli skills arent the best, but the ASDM suggests that this is possible - on the nat rules page there is a section for the untranslated source to ANY, and if i could change ANY i would but dont see how to...
Thanks,
Des

Des,
You need to create an access-list to be used with the nat 0 statement.
access-list inside_nonat extended permit ip 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255
- this tells the pix/asa to NOT perform NAT for traffic going from 1.1.1.1 to 2.2.2.2
then use NAT 0 statement:
nat (inside) 0 access-list inside_nonat
to permit outside users to see inside addresses without NAT, flip this logic.
access-list outside_nonat extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255
nat (outside) 0 access-list outside_nonat
you'll also have to permit this traffic through the ACL of the outside interface.
access-list inbound_acl extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255
- Brandon

Nat (inside) 0

Friends,
Can anyone help me?
How do I configure "no nat" in version 8.4(4) of the ASA?
Example:
Local network: 192.168.135.0/24
Remote Network: 192.168.137.0/24
Before:
# access-list extended permit ip Nonat 192.168.135.0 255.255.255.0 192.168.137.0 255.255.255.0
#nat (inside) 0 access-list Nonat
How do these same settings in version 8.4(4) of the ASA?
When entering command "nat (inside) 0 access-list Nonat"
ERROR: This syntax of nat command Has Been deprecated.
Please refer to "help nat" command for more details.
Is this correct?
#object network network-local
#subnet 192.168.135.0 255.255.255.0
#object network network-remote
#subnet 192.168.137.0 255.255.255.0
#nat (inside,outside) source static rede-local rede-local destination static rede-remota rede-remota no-proxy-arp
#nat (outside,inside) source static rede-remota rede-remota destination static rede-local rede-local no-proxy-arp

You typically need only one NAT for that:
nat (inside,outside) source static rede-local rede-local destination static rede-remota rede-remota no-proxy-arp route-lookup
The other direction (outside,inside) is not needed. Depending on the rest of your setup you need to add the keyword "route-lookup".
And you should read Jounis very excellent document on ASA 8.3+ NAT:
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Need to understand the nat with access-list

Please let me know what it means as it is configured on our ASA
global (mtaas) 5 10.224.128.4
nat (outside) 5 access-list EXIDE-MTAAS-PAT
access-list EXIDE-MTAAS-PAT extended permit ip host 1.1.1.4 host 10.224.128.250
access-list EXIDE-MTAAS-PAT extended permit ip 10.0.0.0 255.0.0.0 host 10.224.128.250
access-list EXIDE-MTAAS-PAT extended permit ip host 1.1.1.4 host 10.224.128.244
access-list EXIDE-MTAAS-PAT extended permit ip 10.0.0.0 255.0.0.0 host 10.224.128.244

Hi,
The configuration you mention in your post does the following:
Its a Policy PAT for traffic entering from networks behind "outside" to networks behind "mtaas"
Traffic that matches the access-list will get PAT translated (Port Address Translation) to the IP address of 10.224.128.4
The access-list tells what traffic needs to be translatedIn this case ANY IP traffic coming from source networks 10.0.0.0/8 and 1.1.1.4/32 will get translated WHEN they try to connect to the hosts 10.224.128.250 and 10.224.128.244
This Policy PAT configuration looks like a configuration for some VPN connection you have on the firewall. Its made so that the connections taken from the VPN connection get PATed to an IP address thats part of the destination network.
- Jouni

Remote Access VPN and NAT inside interface

Hi everyone,
I have configured Remote VPN access.
Inside interface and vpn pool is 10.0.0.0 subnet.
ASA inside interface has NAT exempt as per config below
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
object network NETWORK_OBJ_10.0.0.0_24
subnet 10.0.0.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.0_25
subnet 10.0.0.0 255.255.255.128
Also i have ASA inside interface connected to R1 as below
R1 ---10.0.0.2------------inside int IP 10.0.0.1--------ASA
R1 has loopback int 192.168.50.1 and ASA has static route to it.
When i connect to remote access vpn i can ping the IP 192.168.50.1 from My pc which is connected to outside interface of ASA.
This ping works fine.
Mar 04 2014 21:58:27: %ASA-6-302020: Built inbound ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user                                                                                        )
Mar 04 2014 21:58:28: %ASA-6-302021: Teardown ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user) Mar 04 2014 21:58:27:
Need to understand how this ping works without exempting 192.168.50.0 from natiing
or
how does nat work for above ping from 10.0.0.52 VPN user PC IP to loopback interface of R1 in regards to NATing?
Regards
Mahesh

Hi Jouni,
IP address to PC is 10.0.0.52 ---------Assigned to Client PC.
Leting you know that i have removed the NAT below config from inside to outside interface
ASA inside interface has NAT exempt as per config below
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
object network NETWORK_OBJ_10.0.0.0_24
subnet 10.0.0.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.0_25
subnet 10.0.0.0 255.255.255.128
Still ping works fine from VPN client PC to IP 192.168.50.1
Packet tracer output
ASA1# packet-tracer input outside icmp 10.0.0.52 8 0 192.168.50.1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.50.1    255.255.255.255 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any host 192.168.50.1 log
access-list outside_access_in remark Allow Ping to Loopback IP of R1 Which is inside Network of ASA1
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I can ping from PC command prompt to IP 192.168.50.1 fine.
Here is second packet tracer
ASA1# packet-tracer input inside icmp 192.168.50.1 8 0 8.8.8.8
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 18033, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
So question is how ping from outside is working without nat exempt from inside to outside?
So does second packet tracer proves that i have no NAT config from loopback to outside and ping works because i have NO NAT configured?
Regards
Mahesh
Message was edited by: mahesh parmar

Static nat with port redirection 8.3 access-list using un-nat port?

I am having difficulty following the logic of the port-translation and hoping someone can shed some light on it. Here is the configuration on a 5505 with 8.3
object network obj-10.1.1.5-06
nat (inside,outside) static interface service tcp 3389 3398
object network obj-10.1.1.5-06
host 10.1.1.5
access-list outside_access_in line 1 extended permit tcp any any eq 3389 (hitcnt=3)
access-group outside_access_in in interface outside
So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully. What gives?
Thanks in advance..

Hello,
I would be more than glad to explain you what is going on!
The thing is since 8.3 NAT is reviewed before the acl so, the ASA receives the packet on the outside interface, checks for a existing connection, if there is none it will un-nat the packet and then check the ACL.
After the packet in un-natted what we have is the private ip addresses and the real ports. so that is why on this versions you got to point the ACL to the private ip addresses and ports.
Regards,
Julio
Rate helpful posts

Packets not hitting the route-map's NAT access-list

Hi Everyone,
I've been struggling with this issue for two days, I have couple of VPN tunnels on a router and all are working fine with NAT because I created route-maps for nat to deny the packets that are going to the tunnel from getting NATed, I have the same config for all the tunnels but the issue is with xxx_NAT access-list that is not even being hit by the packets so my xxx tunnel wont come up. I am positive that the problem is NAT because when I remove NAT from the 0/1.102 interface it starts to work. here is my config :
interface GigabitEthernet0/1.102
description "xxx"
encapsulation dot1Q 102
ip address 10.300.301.1 255.255.255.0
ip access-group xxx_ACL in
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat pool ???_POOL ??
ip nat pool ???_POOL ??
ip nat pool ???_POOL ??
ip nat pool xxx_POOL ??
ip nat inside source route-map ??? pool ???_POOL overload
ip nat inside source route-map ??? pool ???_POOL overload
ip nat inside source route-map xxx pool xxx_POOL overload
ip nat inside source route-map ??? pool ???_POOL overload
ip access-list extended xxx-VPN
remark VPN to xxx
permit ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
permit ip 192.168.45.0 0.0.0.255 10.300.301.0 0.0.0.255
ip access-list extended xxx_ACL
deny   ip 10.300.301.0 0.0.0.255 192.168.56.0 0.0.0.255
permit ip any any
ip access-list extended xxx_NAT
deny   ip 10.300.301.0 0.0.0.255 110.110.2.0 0.0.0.255
deny   ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
permit ip 10.300.301.0 0.0.0.255 any
route-map ??? permit 10
match ip address ???_NAT
route-map xxx permit 10
match ip address xxx_NAT
route-map ??? permit 10
match ip address NAT_???
route-map ??? permit 10
match ip address ???_NAT
control-plane
banner motd ^C

As that is probably *not* the config you are having problems with (or are your route-maps really named ???, xxx etc. ?) it is hard to help.
So just a guess:
The "ip nat inside source route-map-"staements are processed in a lexical order. The naming of your route-maps has to reflect the order you want to achieve. If you have the wrong order your traffic will end in the wrong translation which you should see with "show ip nat translation".
HTH, Karsten

Extended IP access list for NAT

Hi, all.
Give me informations on access list for NAT.
Cisco IOS Master Command List, Release 12.4 describes the ip nat inside destination command, the ip nat inside source command, and the ip nat outside source command use standerd IP access list for dynamic NAT.
But the document follws uses extended IP access list for dynamic NAT in Difference between One-to-One Mapping and Many-to-Many section.
They leave me in confusion.
Regards

>But the document follws uses extended IP access list for dynamic NAT in Difference between One-to-One Mapping and Many-to-Many section.
Hyperlinking slipped my mind.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml
Regards

2800 NAT & Access Lists

Hi Folks,
Hope I'm posting in the right section...
I have a 2811 router that I want to configure the F/E 0/0 & 0/1 to be able to communicate.
FE 0/0 is configured with 192.168.16.1/24
FE 0/1 is configured with 10.10.10.10/24
     Physically attached to this port is going to be a wireless router configured with 10.10.10.1.
My question is how to configure and setup the routes properly and do I need to configure NAT and Access Lists.
TIA.

thanks for the reply...
I'll try to fill in some blanks but here's where I'm at.
I'm working with a remote 2811 and a TP-Link Wireless router. The 2811 is configured as follows...
interface FastEthernet0/0
ip address 192.168.16.1 255.255.255.0
duplex auto
speed auto
no keepalive
interface FastEthernet0/1
description fdrvacctv subnet
ip address 10.10.10.10 255.255.255.0
ip access-group 1 in
duplex auto
speed auto
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
         access-list 1 permit 192.168.11.0 0.0.0.255
         access-list 1 permit 192.168.16.0 0.0.0.255
         access-list 1 permit 192.168.17.0 0.0.0.255
         access-list 1 permit 10.10.10.0 0.0.0.255
Attached to F/E 0/1 is my wireless router via one of it's LAN ports. The LAN side on the wireless router is set with a static IP of 10.10.10.1.
From my 2811 I can ping 10.10.10.1 or 10.10.10.5 (a pc attached to that wireless). I can not ping 10.10.10.1 from 192.168.16.1
2811#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
#ping 10.10.10.1 source 192.168.16.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.16.1
Success rate is 0 percent (0/5)
2811#
It's this scenario that leads me to belive my problem is with either a static route, access-list, or both. Perhaps I need ot NAT something?

Router NAT IP block using Access List

Hi All
Strange issue we have here. First time I've come across this.
Question: Is it possible to use an access-list on a NAT IP address on a Cisco router? For example, say we have our internal mail server 192.168.1.5 and it's NATed to the outside on port 25 say to 222.1.1.5. Is there a way to apply an access list to this external IP so that only certain outside users can get to this server using port 25??
Thanks all!

Anyone?

NAT (INSIDE To OUTSIDE)

I need Configuration of this topology
At Outside Router
int f0/0
ip add 10.1.1.2 255.255.255.0
At Inside Router
int f0/0
ip add 192.168.1.2 255.255.255.0
At ASA
int e0
ip add 10.1.1.1 255.255.255.0
int e1
ip add 192.168.1.1 255.255.255.0
I want NAT from inside to outside and also need ACL configuration and attached diagram.
and version of ASA is 8.2
Navaz
Message was edited by: Navaz Wattoo

THIS MY ASA CONFIGURATION
ciscoasa(config)# sh running-config
: Saved
ASA Version 8.0(2)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.0
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list OUT extended permit tcp any any
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255
access-group OUT in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
ciscoasa(config)#
THIS MY OUTSIDE ROUTER CONFIGURATION
R1(config)#do sh run
Building configuration...
Current configuration : 877 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
no aaa new-model
ip cef
no ip domain lookup
ip domain name lab.local
multilink bundle-name authenticated
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
ip route 192.168.1.0 255.255.255.0 10.1.1.1
no ip http server
no ip http secure-server
logging alarm informational
control-plane
gatekeeper
shutdown
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
end
R1(config)#
THIS MY INSIDE ROUTER CONFIGURATION
R2(config)#do sh run
Building configuration...
Current configuration : 880 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
no aaa new-model
ip cef
no ip domain lookup
ip domain name lab.local
multilink bundle-name authenticated
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
ip route 10.1.1.0 255.255.255.0 192.168.1.1
no ip http server
no ip http secure-server
logging alarm informational
control-plane
gatekeeper
shutdown
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
end
R2(config)#
Navaz

Need help for access list problem

Cisco 2901 ISR
I need help for my configuration.... although it is working fine but it is not secured cause everybody can access the internet
I want to deny this IP range and permit only TMG server to have internet connection. My DHCP server is the 4500 switch.
Anybody can help?
         DENY       10.25.0.1 – 10.25.0.255
                          10.25.1.1 – 10.25.1.255
Permit only 1 host for Internet
                10.25.7.136 255.255.255.192 ------ TMG Server
Using access-list.
( Current configuration )
object-group network IP
description Block_IP
range 10.25.0.2 10.25.0.255
range 10.25.1.2 10.25.1.255
interface GigabitEthernet0/0
ip address 192.168.2.3 255.255.255.0
ip nat inside
ip virtual-reassembly in max-fragments 64 max-reassemblies 256
duplex auto
speed auto
interface GigabitEthernet0/1
description ### ADSL WAN Interface ###
no ip address
pppoe enable group global
pppoe-client dial-pool-number 1
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
interface Dialer1
description ### ADSL WAN Dialer ###
ip address negotiated
ip mtu 1492
ip nat outside
no ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxxxxx password 7 xxxxxxxxx
ip nat inside source list 101 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.25.0.0 255.255.0.0 192.168.2.1
access-list 101 permit ip 10.25.0.0 0.0.255.255 any
access-list 105 deny   ip object-group IP any
From the 4500 Catalyst switch
( Current Configuration )
interface GigabitEthernet0/48
no switchport
ip address 192.168.2.1 255.255.255.0 interface GigabitEthernet2/42
ip route 0.0.0.0 0.0.0.0 192.168.2.3

Hello,
Host will can't get internet connection
I remove this configuration......         access-list 101 permit ip 10.25.0.0 0.0.255.255 any
and change the configuration ....      ip access-list extended 101
                                                            5 permit ip host 10.25.7.136 any
In this case I will allow only host 10.25.7.136 but it isn't work.
No internet connection from the TMG Server.

Access-list problem ?

Hello, I/m having problems getting an access-list to work.With the access-group 104 in i lose my internet connectivity.
Here's the config. If i remove the access-group 104 in from the gigabitinterface0/0 all works but I want to have the settings on this interface.
What am I missing ?
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname r01
boot-start-marker
boot-end-marker
logging buffered 15000
no logging console
no aaa new-model
clock timezone CET 1 0
no ipv6 cef
ip source-route
ip cef
ip dhcp excluded-address 172.17.1.1 172.17.1.30
ip dhcp excluded-address 172.17.1.240 172.17.1.254
ip dhcp excluded-address 172.17.3.1 172.17.3.30
ip dhcp excluded-address 172.17.3.240 172.17.3.254
ip dhcp pool VLAN1
network 172.17.1.0 255.255.255.0
domain-name r1.local
default-router 172.17.1.254
dns-server 212.54.40.25 212.54.35.25
lease 0 1
ip dhcp pool VLAN100
network 172.17.3.0 255.255.255.0
domain-name r1_Guest
default-router 172.17.3.254
dns-server 212.54.40.25 212.54.35.25
lease 0 1
ip domain name r1.lan
ip name-server 212.54.40.25
ip name-server 212.54.35.25
multilink bundle-name authenticated
crypto pki token default removal timeout 0
object-group network temp
description dummy addresses
1.1.1.1 255.255.255.0
2.2.2.2 255.255.255.0
object-group network vlan1-lan
172.17.1.0 255.255.255.0
object-group network vlan100-guest
172.17.3.0 255.255.255.0
object-group network ziggo-dns
host 212.54.40.25
host 212.54.35.25
redundancy
ip ssh version 2
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address dhcp
ip access-group 104 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
description r1.local lan
ip address 172.17.1.254 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1.1
description Vlan100 r1_Guest
encapsulation dot1Q 100
ip address 172.17.3.254 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
no cdp enable
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip route 172.17.2.0 255.255.255.0 172.17.1.253
access-list 23 permit 172.17.1.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip any object-group vlan100-guest
access-list 102 permit ip any any log
access-list 103 deny ip any object-group vlan1-lan
access-list 103 permit ip any any
access-list 104 permit tcp any any eq 22
access-list 104 permit udp any any eq snmp
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp object-group temp any echo
access-list 104 permit icmp 172.17.1.0 0.0.0.255 any
access-list 104 deny ip any any log
no cdp run
control-plane
line con 0
login local
line aux 0
line 2
login local
no activation-character
no exec
transport preferred none
transport input ssh
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
login local
transport input ssh
scheduler allocate 20000 1000
end

Hello,
I applied the rules and that works.
Only thing i have now.
Reboot router.
Interface 0/0 gets no dhcp address from isp.
I have to remove the 104 in from int 0/0
Then Router logs : %DHCP -6 - ADDRESS_ASSIGN: Interface GigabitEthernet0/0 assigned DHCP address x.x.x.x, mask x.x.x.x,hostname r01
Int0/0 gets dhcp ip address, next i apply the acl 104 in to int 0/0 and all works until the next reboot.
Maybe i have to put in a static ip address on int0/0 ?
Thanks for your help !

Static NAT for FTP access

NAT overload has been done successfully as follows:
1. ip nat inside and ip nat outside configured on the appropriate interfaces i.e.fa0/0 and fa0/1
2. default route added on the router.
3.additional configuration is added:
ip nat inside source list 1 interface fa0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
Now I am trying to use static NAT for FTP:
ip nat inside source static tcp 192.168.1.X 21 x.x.x.x 21 extendable
But this does not work please help. I am trying to access FTP server from LAN by entering public address in the browser. Can access the FTP server with private address but this defeats the purpose of FTP. Please help.

Router(config)#interface fa0/0
Router(config-if)#ip address 192.168.1.254 255.255.255.0
Router(config-if)#no shut
Router(config-if)#ip nat inside
Router(config-if)#interface fa0/1
Router(config-if)#ip address 203.109.120.2 255.255.255.252
Router(config-if)#no shut
Router(config-if)#ip nat outside
Router(config)#ip route 0.0.0.0 0.0.0.0 interface fa0/1
Router(config)#ip nat inside source list 1 interface fa0/1 overlaod
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255

Port Forwarding & Access List Problems

Good morning all,
I am trying to set up port forwarding for a Webserver we have hosted here on ip: 192.168.0.250 - I have set up access lists, and port forwarding configurations and I can not seem to access the server from outside the network. . I've included my config file below, any help would be greatly appreciated! I've researched a lot lately but I'm still learning. Side note: I've replaced the external ip address with 1.1.1.1.
I've added the bold lines in the config file below in hopes to forward port 80 to 192.168.0.250 to no avail. You may notice I dont have access-list 102 that i created on any interfaces. This is because whenever I add it to FastEthernet0/0, our internal network loses connection to the internet.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname pantera-office
boot-start-marker
boot-end-marker
no logging buffered
enable secret 5 $1$JP.D$6Oky5ZhtpOAbNT7fLyosy/
aaa new-model
aaa authentication login default local
aaa session-id common
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.150
ip dhcp excluded-address 192.168.0.251 192.168.0.254
ip dhcp pool private
import all
network 192.168.0.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.0.1
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name network.local
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-4211276024
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4211276024
revocation-check none
rsakeypair TP-self-signed-4211276024
crypto pki certificate chain TP-self-signed-4211276024
certificate self-signed 01
3082025A 308201C3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34323131 32373630 3234301E 170D3132 30383232 32303535
31385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32313132
37363032 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B381 8073BAC2 C322B5F5 F9595F43 E0BE1A27 FED75A75 68DFC6DD 4C062626
31BFC71F 2C2EF48C BEC8991F 2FEEA980 EA5BC766 FEBEA679 58F15020 C5D04881
1D6DFA74 B49E233A 8D702553 1F748DB5 38FDA3E6 2A5DDB36 0D069EF7 528FEAA4
93C5FA11 FBBF9EA8 485DBF88 0E49DF51 F5F9ED11 9CF90FD4 4A4E572C D6BE8A96
D61B0203 010001A3 8181307F 300F0603 551D1301 01FF0405 30030101 FF302C06
03551D11 04253023 82217061 6E746572 612D6F66 66696365 2E70616E 74657261
746F6F6C 732E6C6F 63616C30 1F060355 1D230418 30168014 31F245F1 7E3CECEF
41FC9A27 62BD24CE F01819CD 301D0603 551D0E04 16041431 F245F17E 3CECEF41
FC9A2762 BD24CEF0 1819CD30 0D06092A 864886F7 0D010104 05000381 8100604D
14B9B30B D2CE4AC1 4E09C4B5 E58C9751 11119867 C30C7FDF 7A02BDE0 79EB7944
82D93E04 3D674AF7 E27D3B24 D081E689 87AD255F B6431F94 36B0D61D C6F37703
E2D0BE60 3117C0EC 71BB919A 2CF77604 F7DCD499 EA3D6DD5 AB3019CA C1521F79
D77A2692 DCD84674 202DFC97 D765ECC4 4D0FA1B7 0A00475B FD1B7288 12E8
quit
username pantera privilege 15 password 0 XXXX
username aneuron privilege 15 password 0 XXXX
archive
log config
hidekeys
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxx address 2.2.2.2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 2.2.2.2
set peer 2.2.2.2
set transform-set ESP-3DES-SHA
match address 100
interface FastEthernet0/0
description $ETH-WAN$
ip address 2.2.2.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
interface FastEthernet0/1
description $ETH-LAN$
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface Serial0/0/0
no ip address
shutdown
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.1
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.254 20 1.1.1.1 20 extendable
ip nat inside source static tcp 192.168.0.254 21 1.1.1.1 21 extendable
ip nat inside source static tcp 192.168.0.252 22 1.1.1.1 22 extendable
ip nat inside source static tcp 192.168.0.252 25 1.1.1.1 25 extendable
ip nat inside source static tcp 192.168.0.250 80 1.1.1.1 80 extendable
ip nat inside source static tcp 192.168.0.252 110 1.1.1.1 110 extendable
ip nat inside source static tcp 192.168.0.250 443 1.1.1.1 443 extendable
ip nat inside source static tcp 192.168.0.252 587 1.1.1.1 587 extendable
ip nat inside source static tcp 192.168.0.252 995 1.1.1.1 995 extendable
ip nat inside source static tcp 192.168.0.252 8080 1.1.1.1 8080 extendable
ip nat inside source static tcp 192.168.0.249 8096 1.1.1.1 8096 extendable
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark Web Server ACL
access-list 102 permit tcp any any
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps envmon
snmp-server enable traps flash insertion removal
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps bgp
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps ipsla
snmp-server enable traps rf
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
line con 0
logging synchronous
line aux 0
line vty 0 4
scheduler allocate 20000 1000
end
Any/All help is greatly appreciated! I'm sorry if I sound like a newby!
-Evan

Hello,
According to the config you posted 2.2.2.2 is your wan ip address and 1.1.1.1 is the next hop address for your wan connection. The ip nat configuration for port forwarding should look like
Ip nat inside source static tcp 192.168.0.250 80 2.2.2.2 80
If your provider assigns you a dynamic ipv4 address to the wan interface you can use
Ip nat inside source static tcp 192.168.0.250 80 interface fastethernet0/0 80
Verify the settings with show ip nat translation.
Your access list 102 permits only tcp traffic. If you apply the acl to an interface dns won't work anymore (and all other udp traffic). You might want to use a statefull firewall solution like cbac or zbf combined with an inbound acl on the wan interface.
Best Regards
Lukasz

Nat (inside) 0 access-list NoNAT_inside

Similar Messages

Maybe you are looking for