Can someone check this NAT/ACL solution please?

After much head scratching and hair loss, I think I have a solution to my
port forward / NAT problem that I posted about last week. I would very much
appreciate if someone more knowledgeable than myself would take a look at my
config and see if I am missing any major holes.
The basic design spec is...
A device on the outside ( must be able to:
respond to snmp queries from devices on the inside LAN (
send snmp traps to inside host
respond to telnet connections from devices on the inside LAN
respond to pings from devices on the inside LAN
It must not be able to initiate any connections to either the router or any
inside hosts.
The inside hosts must see the outside host as if it was inside at IP
The router must respond to inside pings and telnet requests using the E0
secondary address
Note that my description reverses the interface NAT settings.
E0 is actually the inside interface despite the ip nat outside command. I
could not get nat working with ip nat inside on the E0 and ip nat outside on
the E1. If anyone can tell me why I would be grateful.
The config I have is...
interface Ethernet0
 ip address secondary
 ip address
 ip access-group 101 in
 ip nat outside
interface Ethernet1
 ip address
 ip access-group 102 in
 ip nat inside
ip nat inside source static extendable
access-list 101 permit udp any host eq snmp
access-list 101 permit icmp any host
access-list 101 permit icmp any host
access-list 101 permit tcp any host eq telnet
access-list 101 permit tcp any host eq telnet
access-list 102 permit udp host any
access-list 102 permit icmp host any echo-reply
access-list 102 permit tcp host any established
Thanks -Rob-
Rob Dover
The problem with your NAT is that it's reversed. It will still work fine... but I see how it's confusing when you look at the config and your ip nat inside is actually the outside int... To fix it:
ip nat inside destination static extendable
Then reverse E0 to be inside and E1 outside.
This way you will translate the destination IP in packets coming from your inside hosts going to destination address
In the config you have, you translate the source IP, which, originating from inside, will be your host IPs, not the one you want to translate. That is why when you tell it that your E1 is inside it works!
Your ACLs look fine... the only thing I see is that you allow only udp = snmp going out (101), but all udp coming in (102), unless you have a reason for that!
Hope this helps! Todd
Thanks for the NAT tip Todd. I'll give that a try. As to the incoming udp I would prefer traps only go to the inside host but as soon as I changed the rule to access-list 102 permit udp host host eq snmp my internal snmp requests to 1.148 quit working. At least I think that's what happened. I've tried so many combos now I'm losing track :-P I'll give it another go. Thanks -Rob-
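As an added illustration of the UDP point Todd raises and of the follow-up above (example code written for this page, not from the thread or from IOS; the addresses are placeholders because the real ones are not on the page): a small evaluator of extended-ACL "permit" entries that compares the posted ACL 102 with a version whose UDP lines are narrowed to SNMP replies, which leave the agent from source port 161, and traps, which arrive at destination port 162 on the inside host only. The TCP "established" and ICMP "echo-reply" lines are kept as posted, so the outside host still cannot open a telnet session or ping inward.

```python
from dataclasses import dataclass
from typing import Optional
OUTSIDE = "198.51.100.10"   # placeholder: the outside device (SNMP agent, telnet target)
INSIDE = "192.0.2.20"       # placeholder: the inside host that should receive traps
SNMP, SNMP_TRAP, TELNET = 161, 162, 23

@dataclass
class Pkt:
    proto: str                 # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False          # TCP ACK or RST set: the flag "established" tests
    icmp: str = ""             # ICMP type keyword, e.g. "echo-reply"

@dataclass
class Ace:                     # one 'permit' entry of an extended ACL; None = any
    proto: str
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False
    icmp: Optional[str] = None

    def matches(self, p: Pkt) -> bool:
        return (self.proto == p.proto
                and self.src in (None, p.src) and self.dst in (None, p.dst)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport)
                and (p.ack or not self.established)
                and self.icmp in (None, p.icmp))

def permitted(acl: list, p: Pkt) -> bool:
    # First matching entry wins; an IOS ACL ends with an implicit deny.
    return any(a.matches(p) for a in acl)

# ACL 102 as posted: the UDP line admits any UDP from the outside host.
ACL102_POSTED = [Ace("udp", src=OUTSIDE),
                 Ace("icmp", src=OUTSIDE, icmp="echo-reply"),
                 Ace("tcp", src=OUTSIDE, established=True)]
# Tighter UDP lines: SNMP replies leave the agent from source port 161,
# traps arrive at destination port 162 on the inside host only.
ACL102_TIGHT = [Ace("udp", src=OUTSIDE, sport=SNMP),
                Ace("udp", src=OUTSIDE, dst=INSIDE, dport=SNMP_TRAP)] + ACL102_POSTED[1:]

# Constructed sample packets as seen by the inbound ACL on the outside-facing interface.
SNMP_REPLY = Pkt("udp", OUTSIDE, INSIDE, sport=SNMP, dport=50123)      # answer to a manager query
TRAP = Pkt("udp", OUTSIDE, INSIDE, sport=40000, dport=SNMP_TRAP)       # agent-initiated trap
UNSOLICITED_UDP = Pkt("udp", OUTSIDE, INSIDE, sport=40000, dport=5000)  # should be dropped
```

Both lists pass SNMP_REPLY and TRAP; only the posted one also passes UNSOLICITED_UDP, which is the gap Todd points at.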