Need help with Destination NAT

chapman1507
Member
Posts: 32
Joined: 22 May 2009 03:52
Location: Germany

Need help with Destination NAT

Post by chapman1507 »

Hello, I need help with destination NAT. I want to configure HTTPS access from outside to a device on the inside, but my configuration does not work. I am looking for a working config.

I have ADSL on atm0.1 as the external network, and 10.10.10.2 is the device on the inside. I used the firewall wizard and added the configuration I need.

list firewall_wiz-WAN interface atm 0.1
list firewall_wiz-RFC-1918-LIST prefix 10.0.0.0/8 prefix 172.16.0.0/12 prefix 192.168.0.0/16 prefix 0.0.0.0/8 prefix 127.0.0.0/8
match-list match_vlan1
1 ip prefix 192.168.0.0/24 any
2 ip prefix 10.10.0.0/24 any
3 ip prefix 10.20.0.0/16 any
4 ip prefix 10.10.0.0/16 any
5 ip prefix 10.30.0.0/16 any
6 ip prefix 172.25.24.0/24 any
match-list firewall_wiz-all-packets
1 ip list firewall_wiz-RFC-1918-LIST any
match-list firewall_wiz-WAN-IN-Deny-ICMP
1 icmp any any icmp-type 8
2 icmp any any icmp-type 5
3 icmp any any
match-list firewall_wiz-WAN-IN-Allow-ICMP
1 icmp any any icmp-type 0
2 icmp any any icmp-type 3
3 icmp any any icmp-type 11
match-list firewall_wiz-WAN-OUT-Deny-ICMP
1 icmp any any icmp-type 3
2 icmp any any icmp-type 11
3 icmp any any
match-list firewall_wiz-WAN-OUT-Allow-ICMP
1 icmp any any icmp-type 8
2 icmp any any icmp-type 4
match-list firewall_wiz-WAN-IN-Deny-TCP
1 tcp any any service lt 21
2 tcp any any service eq 161
3 tcp any any service eq 162
4 tcp any any service range 600 6003
match-list firewall_wiz-WAN-IN-Deny-UDP
1 udp any any service lt 21
2 udp any any service eq 161
3 udp any any service eq 162
4 udp any any service range 600 6003
match-list firewall_wiz-WAN-IN-Allow-Mgmt
match-list match_list2
1 ip any interface atm 0.1
match-list match_https
1 tcp any interface atm 0.1 service https
!
!
! Filter Policy configuration
!
ip filter firewall_wiz-WAN-IN
19 match any match_https permit
20 match any firewall_wiz-WAN-IN-Deny-ICMP deny
30 match any firewall_wiz-WAN-IN-Deny-TCP deny
40 match any firewall_wiz-WAN-IN-Deny-UDP deny
50 match any firewall_wiz-WAN-IN-Allow-ICMP permit
60 match any firewall_wiz-WAN-IN-Allow-Mgmt permit
default deny
top
!
interface atm0.1
ip filter in firewall_wiz-WAN-IN
top
!
ip filter firewall_wiz-WAN-OUT
10 match any firewall_wiz-WAN-OUT-Deny-ICMP deny
20 match any firewall_wiz-WAN-OUT-Allow-ICMP permit
30 match any firewall_wiz-all-packets permit
default deny
top
!
interface atm0.1
ip filter out firewall_wiz-WAN-OUT
top
!
!
!
! NAT Policy configuration
!
ip nat nat_list1
10 match any match_vlan1 source-nat
top
!
interface atm0.1
ip nat out nat_list1
top
!
ip nat nat_list2
10 match any match_https destination-nat host 10.10.10.2 port 443
top
!
interface atm0.1
ip nat in nat_list2
ip nat statistics in

I have 3.x software on my router.

Please help me. Thanks.

Christian

I need an English upgrade
murraya
Alcatel Unleashed Certified Guru
Posts: 900
Joined: 16 Oct 2007 02:35

Re: Need help with Destination NAT

Post by murraya »

Hi, here is a config I have for a public interface on an FE port and the internal network on a switchport. Sorry, I have not set up ATM, but the general rules should be the same.

interface FastEthernet0
description WAN
ip address 121.98.115.170/30
no shutdown
top
!
interface Vlan10
description LAN
ip address 192.168.80.254/24
no shutdown
top
!
interface Vlan35
description Orcon
no shutdown
top
!
interface Vlan60
description lab network
ip address 192.168.60.100/24
no shutdown
top
!
interface Vlan1968
description callplus
ip address 10.12.80.10/24
shutdown
top
!
interface switchport0
switchport access vlan 10
no shutdown
top
!
interface switchport1
switchport access vlan 10
no shutdown
top
!
interface switchport2
shutdown
top
!
interface switchport3
switchport access vlan 60
switchport trunk allowed vlan 1968
no shutdown
top
!
interface atm0
shutdown
top
!
!
ip route 0.0.0.0/0 121.98.115.169
!
match-list sipout
1 udp any host 60.234.18.31 service sip
match-list teamwork
1 tcp any host 121.98.115.170 service http
2 tcp any host 121.98.115.170 service https
3 tcp any host 121.98.115.170 service 8080
!
!
! Filter Policy configuration
!
!
!
! NAT Policy configuration
!
ip nat Teamwork
10 match any teamwork destination-nat host 192.168.60.16 port 443
top
!
interface FastEthernet0
ip nat in Teamwork
top
!
ip nat oxe
20 match any sipout source-nat host 121.98.115.170 static
top
!
interface FastEthernet0
ip nat out oxe
top
Best Regards
Murray

ACSE 10.0 corporate
ACSE 6.x IPT data
chapman1507
Member
Posts: 32
Joined: 22 May 2009 03:52
Location: Germany

Re: Need help with Destination NAT

Post by chapman1507 »

At first: thanks for the quick info.

I think I have found the problem. I did not use the IP address of the outside for the match list. I used the interface name (atm 0.1) and this does not work. If I change it to the external address it works. But I have a dynamic external address: every 24h the port reconnects and gets a new IP.

So I'm still looking for a solution.

Christian

I need an English upgrade
murraya
Alcatel Unleashed Certified Guru
Posts: 900
Joined: 16 Oct 2007 02:35

Re: Need help with Destination NAT

Post by murraya »

OK, so the interface in the match list is not recognised. Is the IP address refreshed within a range? If so, maybe you could try a range, i.e. tcp any prefix 121.98.115.0/24 service https
Best Regards
Murray

ACSE 10.0 corporate
ACSE 6.x IPT data
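The three ways of writing the match_https destination that come up in this thread (interface name, fixed host address, address range) can be compared offline with a small first-match evaluator. The following is an added example, not code from the poster, the vendor or this forum: it parses a subset of the inbound WAN filter policy from the first post, in the thread's own match-list / ip filter syntax, and reports which rule a sample packet hits. It assumes a constructed placeholder WAN address (198.51.100.10) in place of the poster's dynamic one, models the interface form as never matching (as the poster reported on 3.x software, not as documented vendor behaviour), and treats an unqualified "icmp any any" entry as matching all ICMP. Under those assumptions it shows why the host form stops matching as soon as the WAN address changes, why the prefix form suggested above keeps matching across the range, and that the catch-all third entry of firewall_wiz-WAN-IN-Deny-ICMP at rule 20 shadows the Allow-ICMP list at rule 50, so that list is never reached; both are worth confirming on the device with the ip filter counters.

```python
# Added example (not vendor or poster code): toy first-match evaluator for the thread's 'match-list' / 'ip filter' syntax.
from collections import namedtuple
from ipaddress import ip_address, ip_network

EXTERNAL_IP = "198.51.100.10"   # constructed placeholder for the dynamic WAN address
# Subset of the poster's config, with match_https written as 'host <WAN address>',
# the form the poster reported working, instead of 'interface atm 0.1'.
CONFIG = f"""
match-list firewall_wiz-WAN-IN-Deny-ICMP
1 icmp any any icmp-type 8
2 icmp any any icmp-type 5
3 icmp any any
match-list firewall_wiz-WAN-IN-Allow-ICMP
1 icmp any any icmp-type 0
2 icmp any any icmp-type 3
3 icmp any any icmp-type 11
match-list firewall_wiz-WAN-IN-Deny-TCP
1 tcp any any service lt 21
2 tcp any any service eq 161
3 tcp any any service eq 162
4 tcp any any service range 600 6003
match-list match_https
1 tcp any host {EXTERNAL_IP} service https
ip filter firewall_wiz-WAN-IN
19 match any match_https permit
20 match any firewall_wiz-WAN-IN-Deny-ICMP deny
30 match any firewall_wiz-WAN-IN-Deny-TCP deny
50 match any firewall_wiz-WAN-IN-Allow-ICMP permit
default deny
"""
# Variants: the interface form the poster tried first, and the prefix form suggested later.
CONFIG_IFACE = CONFIG.replace(f"host {EXTERNAL_IP}", "interface atm 0.1")
CONFIG_PREFIX = CONFIG.replace(f"host {EXTERNAL_IP}", "prefix 198.51.100.0/24")
NAMED_SERVICES = {"http": 80, "https": 443, "sip": 5060}
# proto is "tcp", "udp" or "icmp"; dport applies to tcp/udp, icmp_type to icmp.
Packet = namedtuple("Packet", "proto src dst dport icmp_type", defaults=(0, -1))

def _addr(t, i):
    """Parse the address spec at t[i]; return (predicate on an IP string, next index)."""
    if t[i] == "any":
        return (lambda ip: True), i + 1
    if t[i] in ("host", "prefix"):
        net = ip_network(t[i + 1] if t[i] == "prefix" else t[i + 1] + "/32", strict=False)
        return (lambda ip: ip_address(ip) in net), i + 2
    if t[i] == "interface":   # reported in the thread as never matching; modelled that way
        return (lambda ip: False), i + 3

def _port_test(t, i):
    """Parse a 'service ...' qualifier at t[i]; return (predicate on a port, next index)."""
    op = t[i + 1]
    if op == "lt":
        return (lambda p: p < int(t[i + 2])), i + 3
    if op == "eq":
        return (lambda p: p == int(t[i + 2])), i + 3
    if op == "range":
        return (lambda p: int(t[i + 2]) <= p <= int(t[i + 3])), i + 4
    port = NAMED_SERVICES.get(op) or int(op)    # 'https', or a bare number such as 8080
    return (lambda p: p == port), i + 2

def _entry(line):
    """Compile one match-list entry such as '1 tcp any host X service https'."""
    t = line.split()
    proto = t[1]
    src_ok, i = _addr(t, 2)
    dst_ok, i = _addr(t, i)
    port_ok, type_ok = (lambda p: True), (lambda ty: True)
    while i < len(t):
        if t[i] == "service":
            port_ok, i = _port_test(t, i)
        elif t[i] == "icmp-type":
            type_ok, i = (lambda ty, want=int(t[i + 1]): ty == want), i + 2
        else:
            raise ValueError(f"unknown qualifier {t[i]!r}")
    return lambda pk: (pk.proto == proto and src_ok(pk.src) and dst_ok(pk.dst)
                       and port_ok(pk.dport) and type_ok(pk.icmp_type))

def parse(config):
    """Return ({list name: [entry predicates]}, {policy name: {'rules', 'default'}})."""
    lists, policies, cur = {}, {}, None
    for raw in config.strip().splitlines():
        t = raw.split()
        if t[0] == "match-list":
            cur = lists.setdefault(t[1], [])
        elif t[:2] == ["ip", "filter"]:
            cur = policies.setdefault(t[2], {"rules": [], "default": "deny"})
        elif t[0] == "default":
            cur["default"] = t[1]
        elif t[1] == "match":                    # '19 match any match_https permit'
            cur["rules"].append((int(t[0]), t[3], t[4]))
        else:                                    # numbered match-list entry
            cur.append(_entry(raw))
    return lists, policies

def evaluate(config, policy, pkt):
    """First match wins: return (action, rule sequence) or (default action, None)."""
    lists, policies = parse(config)
    for seq, lname, action in policies[policy]["rules"]:
        if any(ok(pkt) for ok in lists[lname]):
            return action, seq
    return policies[policy]["default"], None
```

Usage: evaluate(CONFIG, "firewall_wiz-WAN-IN", Packet("tcp", "203.0.113.7", EXTERNAL_IP, 443)) returns ("permit", 19), while the same packet against CONFIG_IFACE, or a packet to 198.51.100.99 against CONFIG, falls through to ("deny", None); against CONFIG_PREFIX the second packet is permitted again. The prefix form trades exactness for stability: the permit and the destination NAT then apply to whatever address in that range the interface currently holds, which is the behaviour wanted here, but it also means the match no longer pins the rule to a single address, so the range should be no wider than the ISP actually assigns.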