After much head scratching and hair loss, I think I have a solution to my port forward / NAT problem that I posted about last week. I would very much appreciate if someone more knowledgeable than myself would take a look at my config and see if I am missing any major holes.
The basic design spec is...
A device on the outside (192.168.1.148) must be able to:
- respond to snmp queries from devices on the inside LAN (192.168.253.0/24)
- send snmp traps to inside host 192.168.253.242
- respond to telnet connections from devices on the inside LAN
- respond to pings from devices on the inside LAN

It must not be able to initiate any connections to either the router or any inside hosts. The inside hosts must see the outside host as if it was inside at IP 192.168.253.148. The router must respond to inside pings and telnet requests using the E0 secondary address 192.168.253.254.

Note that my description reverses the interface NAT settings. E0 is actually the inside interface despite the ip nat outside command. I could not get nat working with ip nat inside on the E0 and ip nat outside on the E1. If anyone can tell me why I would be grateful.
The config I have is...
interface Ethernet0
 ip address 192.168.253.254 255.255.255.0 secondary
 ip address 192.168.253.148 255.255.255.0
 ip access-group 101 in
 ip nat outside
!
interface Ethernet1
 ip address 192.168.1.254 255.255.255.0
 ip access-group 102 in
 ip nat inside
!
ip nat inside source static 192.168.1.148 192.168.253.148 extendable
!
access-list 101 permit udp any host 192.168.253.148 eq snmp
access-list 101 permit icmp any host 192.168.253.148
access-list 101 permit icmp any host 192.168.253.254
access-list 101 permit tcp any host 192.168.253.148 eq telnet
access-list 101 permit tcp any host 192.168.253.254 eq telnet
access-list 102 permit udp host 192.168.1.148 any
access-list 102 permit icmp host 192.168.1.148 any echo-reply
access-list 102 permit tcp host 192.168.1.148 any established
Thanks -Rob-
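Added example, not part of Rob's post: a small Python evaluator that parses the two access lists exactly as posted and replays the design requirements against them as packets, so each "must" and "must not" can be checked on paper before it is trusted on the router. It only understands the keywords the post uses (permit, any/host, eq, established, echo-reply); the inside LAN host 192.168.253.10 and the probe ports are constructed values.

```python
PORTS = {"snmp": 161, "telnet": 23}   # only the names the posted ACLs use

ACL_CONFIG = """\
access-list 101 permit udp any host 192.168.253.148 eq snmp
access-list 101 permit icmp any host 192.168.253.148
access-list 101 permit icmp any host 192.168.253.254
access-list 101 permit tcp any host 192.168.253.148 eq telnet
access-list 101 permit tcp any host 192.168.253.254 eq telnet
access-list 102 permit udp host 192.168.1.148 any
access-list 102 permit icmp host 192.168.1.148 any echo-reply
access-list 102 permit tcp host 192.168.1.148 any established
"""

def parse_acls(text):
    acls = {}   # {acl_number: [rule, ...]} in configured order
    for t in (line.split() for line in text.splitlines()):
        if len(t) < 6 or t[0] != "access-list":
            continue
        i, ends = 4, []
        for _ in range(2):                       # source then destination: any | host <ip>
            ends.append("any" if t[i] == "any" else t[i + 1])
            i += 1 if t[i] == "any" else 2
        opts = t[i:]
        acls.setdefault(t[1], []).append({
            "action": t[2], "proto": t[3], "src": ends[0], "dst": ends[1],
            "port": PORTS[opts[opts.index("eq") + 1]] if "eq" in opts else None,
            "established": "established" in opts, "echo_reply": "echo-reply" in opts})
    return acls

def evaluate(rules, proto, src, dst, dport=0, established=False, echo_reply=False):
    for r in rules:                              # first match wins, then implicit deny
        if (r["proto"] == proto and r["src"] in ("any", src) and r["dst"] in ("any", dst)
                and (r["port"] is None or r["port"] == dport)
                and (not r["established"] or established)
                and (not r["echo_reply"] or echo_reply)):
            return r["action"]
    return "deny"

def check_design(acls, lan_host="192.168.253.10"):
    # E0 inbound is ACL 101 (sees the NAT'd 192.168.253.148), E1 inbound is ACL 102
    e0, e1, dev = acls["101"], acls["102"], "192.168.1.148"
    return {
        "lan_snmp_poll": evaluate(e0, "udp", lan_host, "192.168.253.148", 161),
        "lan_telnet": evaluate(e0, "tcp", lan_host, "192.168.253.148", 23),
        "telnet_reply": evaluate(e1, "tcp", dev, lan_host, 40000, established=True),
        "trap_to_242": evaluate(e1, "udp", dev, "192.168.253.242", 162),
        "dev_new_tcp": evaluate(e1, "tcp", dev, lan_host, 22),     # must be deny
        "dev_new_ping": evaluate(e1, "icmp", dev, lan_host),       # must be deny
        "dev_new_udp": evaluate(e1, "udp", dev, lan_host, 53),     # 102's udp line permits this
    }
```

The last probe is the one worth a second look: the `permit udp host 192.168.1.148 any` entry on 102 admits any UDP the device originates, not only traps to 192.168.253.242.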