Here I would like to describe some NAT variants based on a real-life example.
First, some definitions:
- Inside global - public IP address of the NAT router.
- Inside local - IP address of a host in the enterprise network.
- Outside local - outside host with a private address.
- Outside global - public Internet address.
In our internal network we have a web server with the address 192.168.1.2.
We need to forward port 1.1.1.1:80 to 192.168.1.2:80 so that people on the Internet are able to reach our web server.
First, mark the interface with address 1.1.1.1 as outside:
Router(config-if)#ip nat outside
Then mark the interface with address 192.168.1.1 as inside:
Router(config-if)#ip nat inside
Next, configure NAT for port forwarding:
Router(config)#ip nat inside source static tcp 192.168.1.2 80 1.1.1.1 80
That's all; port forwarding is ready.
I suppose our web server will need to access the Internet as well, for example to get software updates. To configure this, we are going to use NAT overload, or PAT (Port Address Translation).
First, we add an access list that defines which networks can access the Internet via PAT:
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
In this case network 192.168.1.0/24 will have access.
After this we add the NAT rule:
Router(config)#ip nat inside source list 1 interface FastEthernet 0/0 overload
Here FastEthernet 0/0 is the name of the interface that is connected to the Internet.
That's it; the web server can now reach Internet hosts.
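The two rules above, modelled as a translation table (an added example, not part of the original post and not IOS code): it shows which packets get an inside local to inside global mapping and which get none. The names NatTable, acl_permits, outbound and inbound are hypothetical, and port selection and entry matching are simplified (a real PAT entry also records the outside host's address).

```python
import ipaddress

INSIDE_GLOBAL = "1.1.1.1"                    # public address on the outside interface
STATIC = {("tcp", 80): ("192.168.1.2", 80)}  # ip nat inside source static tcp ...
ACL_1 = [("192.168.1.0", "0.0.0.255")]       # access-list 1 permit ...


def acl_permits(src, acl=ACL_1):
    """Standard ACL match: bits set in the wildcard mask are ignored."""
    s = int(ipaddress.IPv4Address(src))
    for net, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if s & care == int(ipaddress.IPv4Address(net)) & care:
            return True
    return False  # implicit deny at the end of every ACL


class NatTable:
    """Simplified model: one static entry plus dynamic PAT entries."""
    def __init__(self):
        self.out = {}   # (proto, inside local ip, port) -> inside global port
        self.back = {}  # (proto, inside global port) -> (inside local ip, port)

    def outbound(self, proto, src_ip, src_port):
        """Inside -> outside: return the translated (ip, port) or None."""
        for (p, gport), local in STATIC.items():
            if p == proto and local == (src_ip, src_port):
                return (INSIDE_GLOBAL, gport)  # static entry works both ways
        if not acl_permits(src_ip):
            return None                        # not matched by list 1: no PAT
        key = (proto, src_ip, src_port)
        if key not in self.out:
            port = src_port                    # assumption: keep the port if free
            while (proto, port) in self.back or (proto, port) in STATIC:
                port = port + 1 if port < 65535 else 1024
            self.out[key] = port
            self.back[(proto, port)] = (src_ip, src_port)
        return (INSIDE_GLOBAL, self.out[key])

    def inbound(self, proto, dst_port):
        """Outside -> 1.1.1.1: return the inside local (ip, port) or None."""
        return STATIC.get((proto, dst_port)) or self.back.get((proto, dst_port))
```

A return value of None from inbound means no translation entry exists, so the packet is not forwarded to any inside host; only TCP port 80 is reachable from outside without a prior outbound connection.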
To sum up, there are only 5 lines to configure port forwarding and Internet access via one public address. I consider this quite simple. Based on this configuration it is possible to configure access to other servers from the Internet.