October 23rd, 2003, 02:32 AM
Nat is very simple you configure.
1 ip nat inside - under an interface (usually the inside ethernet interface)
2 ip nat outside - under an interface (usually the outside serial or ethernet interface)
3 access-list 10 permit 192.168.1.0 0.0.0.255 - an access list to permit your internal network ips to use nat. configure this as your internal ip addresses
4 ip nat inside source list 10 interface (outside interface) - lets say you dont want to waste ip addresses you are going to use PAT. this will have all your internal ips use the outside interface address to route on the internet.
heres an example
ip address 192.168.10.1
ip nat inside
ip address 188.8.131.52
ip nat outside
ip nat inside source list 8 interface ethernet1
access-list 8 permit 192.168.10.0 0.0.0.255
October 23rd, 2003, 07:57 PM
thank you for that simple breakdown, i think that more than anything i get caught up in the numbers, and confuse myself beyond what i think i need to be. taking that example one step further, is it wise to do any type of port forwarding (ie, 'conduit permit tcp [port] any any') type of commands in a Router configuration or is that better left for a separate firewall configuration, OR am i being a complete id10t and those are apples and oranges?
thank you for your enlightment, appreciate your time
October 25th, 2003, 12:23 PM
conduit statements are only in firewalls. you wont have to put conduit statements in your router. port forwarding means that say when someone connects to a particular port they are forwarded to a different port. an example if someone connects to port 21 but the ftp server is port 4000 you would have a command that states any ftp connections on port 21 forward to port 4000
what you are looking at are maybe static nat statements as well. if you have a server on the inside network that people from the outside network need to access you can do 1 of 2 things.
1. configure a static nat statment ( this opens all ports to the server and is not very secure)
ip nat inside source static localipaddress publicipaddress
the other thing you can do is open the ports that the public need to access. my example is a website
ip nat inside source static tcp 10.0.0.10 80 184.108.40.206 80
the 10.0.0.10 is the actual ip address of the server. the 80 is port 80 for a web site and the 220.127.116.11 is the ip address that the internet uses to connect to the web server.