Can someone check this NAT/ACL solution please?

After much head scratching and hair loss, I think I have a solution to my
port forward / NAT problem that I posted about last week. I would very much
appreciate if someone more knowledgeable than myself would take a look at my
config and see if I am missing any major holes.
The basic design spec is...
A device on the outside (192.168.1.148) must be able to:
respond to snmp queries from devices on the inside LAN (192.168.253.0/24)
send snmp traps to inside host 192.168.253.242
respond to telnet connections from devices on the inside LAN
respond to pings from devices on the inside LAN
It must not be able to initiate any connections to either the router or any
inside hosts.
The inside hosts must see the outside host as if it was inside at IP
192.168.253.148
The router must respond to inside pings and telnet requests using the E0
secondary address 192.168.253.254
Note that my description reverses the interface NAT settings.
E0 is actually the inside interface despite the ip nat outside command. I
could not get nat working with ip nat inside on the E0 and ip nat outside on
the E1. If anyone can tell me why I would be grateful.
The config I have is...
interface Ethernet0
ip address 192.168.253.254 255.255.255.0 secondary
ip address 192.168.253.148 255.255.255.0
ip access-group 101 in
ip nat outside
!
interface Ethernet1
ip address 192.168.1.254 255.255.255.0
ip access-group 102 in
ip nat inside
!
ip nat inside source static 192.168.1.148 192.168.253.148 extendable
!
access-list 101 permit udp any host 192.168.253.148 eq snmp
access-list 101 permit icmp any host 192.168.253.148
access-list 101 permit icmp any host 192.168.253.254
access-list 101 permit tcp any host 192.168.253.148 eq telnet
access-list 101 permit tcp any host 192.168.253.254 eq telnet
access-list 102 permit udp host 192.168.1.148 any
access-list 102 permit icmp host 192.168.1.148 any echo-reply
access-list 102 permit tcp host 192.168.1.148 any established
Thanks -Rob-
Reply to
Rob Dover
Loading thread data ...
Rob,
The problem with your NAT is that it's reversed. It will still work fine... but i see how its confusing when you look at the config and your ip nat inside is actually the outside int... To fix it:
ip nat inside destination static 192.168.253.148 192.168.1.148 extendable
Then reverse E0 to be inside and E1 outside.
This way you will translate the destination IP in packets comming from your inside hosts going to destination address 192.168.253.148.
In the config you have, you translate the source IP, which originating from inside will be your host IPs, not the one you want to translate. That is why when you tell it that your E1 is inside it works!
Your ACLs look fine... the only thing i see is that you allow only udp = snmp, going out (101), but all udp comming(102) in, unless you have a reason for that!
Hope this helps! Todd
Reply to
Todd
Thanks for the NAT tip Todd. I'll give that a try. As to the incoming udp I would prefer traps only go to the inside host 192.168.253.242 but as soon as I changed the rule to access-list 102 permit udp host 192.168.1.148 host 192.168.1.254 eq snmp my internal snmp requests to 1.148 quit working. At least I think that's what happened. I've tried so many combos now I'm losing track :-P I'll give it another go. Thanks -Rob-
Reply to
Rob Dover

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.