Cisco – Understanding CISCO Outbound NAT


We have the following configuration:

 interface Dialer0
 ip nat outside
 ip access-group 101 in
 exit

 interface GigabitEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip access-group 104 out
 exit

 ip nat inside source static tcp 192.168.2.15 80 interface Dialer0 80

192.168.2.15 is a www server and our customers can access it from outside. The problem is, there is no internet from inside the network going out.
Requests are coming in, and the router can ping the outside world. Just no internet from within the network.

Is there a way to give access to the internet for a specific number of machines, i.e.:
ip nat outside source static tcp 192.168.2.5 interface Dialer0 80
ip nat outside source static tcp 192.168.2.10 interface Dialer0 80

Update

Below is the complete config:

write erase
reload
!
enable
!
conf t
!
ntp server 192.168.2.15
ip name-server 192.168.2.5
ip name-server 8.8.8.8
!
hostname rymax
ip domain-name example.com
no ip domain lookup
! no logging console
!         
! crypto key generate rsa   (left commented out: "transport input ssh" on the vty lines needs an RSA key pair)
! username root priv 15 secret <password>
! aaa new-model
service password-encryption
enable secret 0 <password>
line vty 0 4
transport input ssh
exit
line con 0
password <password>
exit
line aux 0
password <password>
exit
!
access-list 10 permit 192.168.2.100 log
line vty 0 4
access-class 10 in
exit
!
interface Dialer0
ip address negotiated
ip mtu 1492
ip tcp adjust-mss 1452
ip flow ingress
ip route-cache policy
encapsulation ppp
ppp authentication pap callin
ppp pap sent-username <username> password 0 <password>
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
ip nat outside
ip access-group 101 in
!ip access-group 102 out
dialer pool 1
dialer-group 1
no cdp enable
no shut
exit
!
interface GigabitEthernet0/0
no ip address
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
no shut
no ip redirects
exit
!         
interface GigabitEthernet0/1
ip address 192.168.2.1 255.255.255.0
ip nat inside
! ip access-group 103 in
ip access-group 104 out
no cdp enable
no ip redirects
no shut
exit
!
do clear ip nat trans *
!
! Dynamic PAT: every inside source matched by access-list 1 shares Dialer0's address going out
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip nat service sip udp port 5060
no ip nat service sip udp port 5080
!
ip nat inside source static tcp 192.168.2.5 53 interface Dialer0 53
ip nat inside source static udp 192.168.2.5 53 interface Dialer0 53
ip nat inside source static tcp 192.168.2.15 80 interface Dialer0 80
ip nat inside source static tcp 192.168.2.15 443 interface Dialer0 443
ip nat inside source static tcp 192.168.2.10 25 interface Dialer0 25
ip nat inside source static tcp 192.168.2.10 587 interface Dialer0 587
ip nat inside source static tcp 192.168.2.10 993 interface Dialer0 993
ip nat inside source static tcp 192.168.2.10 995 interface Dialer0 995
ip nat inside source static udp 192.168.2.5 5060 interface Dialer0 5060
ip nat inside source static udp 192.168.2.20 5080 interface Dialer0 5080
!
access-list 1 permit 192.168.2.0 0.0.0.255
!
ip access-list extended 101
deny icmp any any echo
deny icmp any any redirect
deny icmp any any timestamp-request
deny icmp any any information-request
deny icmp any any mask-request
permit ip any any
exit
!
ip access-list extended 102
permit ip any any
exit
!
ip access-list extended 103
permit ip any any
exit
!

! Applied "out" on Gi0/1, i.e. it filters traffic heading towards the LAN; the
! "established" entries only test the TCP ACK/RST flags, they keep no session state
ip access-list extended 104
permit tcp any host 192.168.2.5 eq 53
permit udp any host 192.168.2.5 eq 53
permit tcp any host 192.168.2.10 eq 25
permit tcp any host 192.168.2.10 eq 587
permit tcp any host 192.168.2.10 eq 993
permit tcp any host 192.168.2.10 eq 995
permit tcp any host 192.168.2.15 eq 80
permit tcp any host 192.168.2.15 eq 443
permit udp host 205.205.22.186 host 192.168.2.5 eq 5060
permit udp host 205.205.74.186 host 192.168.2.5 eq 5060
permit udp host 70.83.45.11 host 192.168.2.5 eq 5060
permit udp any host 192.168.2.20 eq 5080
permit udp any host 192.168.2.5 range 8000 65535
permit tcp any eq 25 host 192.168.2.10 range 1024 65535 established
permit tcp any eq 53 host 192.168.2.5 range 1024 65535 established
permit tcp any eq 53 host 192.168.2.10 range 1024 65535 established
permit tcp any eq 53 host 192.168.2.15 range 1024 65535 established
permit tcp any eq 53 host 192.168.2.20 range 1024 65535 established
permit udp any eq 53 host 192.168.2.5 range 1024 65535
permit udp any eq 53 host 192.168.2.10 range 1024 65535
permit udp any eq 53 host 192.168.2.15 range 1024 65535
permit udp any eq 53 host 192.168.2.20 range 1024 65535
permit tcp any eq 80 host 192.168.2.5 range 1024 65535 established
permit tcp any eq 80 host 192.168.2.10 range 1024 65535 established
permit tcp any eq 80 host 192.168.2.15 range 1024 65535 established
permit tcp any eq 80 host 192.168.2.20 range 1024 65535 established
deny ip any host 192.168.2.5 log
deny ip any host 192.168.2.10 log
deny ip any host 192.168.2.15 log
deny ip any host 192.168.2.20 log
permit ip any any
exit
! Stops pinging but needed for RTP relay
ip nat inside source static 192.168.2.5 77.77.77.77 route-map voip-rtp extendable
!
! dialer-list 1 protocol ip permit
! route-map voip-rtp permit 1
! match ip address 104
! exit
!
!
! QOS
class-map voice
match protocol rtp audio
exit
!
policy-map wan-qos
class voice
bandwidth percent 60
exit
exit
!
policy-map parent
class class-default
shape average 10000000
service-policy wan-qos
exit
exit
!
interface GigabitEthernet0/0
bandwidth 10000
service-policy output wan-qos
exit
!
!
! Securing Cisco
ip tcp synwait-time 30
! CBAC inspection rule set: defined here but not applied to any interface in this config
ip inspect name InspectRule icmp
ip inspect name InspectRule tcp
ip inspect name InspectRule udp


no service dhcp
no ip bootp server
no service finger
no ip http server
no ip http secure-server
no snmp-server
no service config
no ip gratuitous-arps 
no ip source-route
ip options drop
!
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone localtime
service timestamps log datetime msec show-timezone localtime 
!         

do write mem

The config works as expected (ie, allows and blocks). There are parts however

  i) Those two lines do not really do anything. Do I really need them?
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip nat inside source static 192.168.2.5 77.77.77.77 route-map voip-rtp extendable

ii) More importantly, I am trying to remove the dynamic route:

 ip nat inside source list 1 interface Dialer0 overload

I suspect the dynamic route is the cause of the router crashing; however, if I remove this line, the servers still serve up services (i.e. SMTP, HTTP, SIP) bidirectionally, but other computers in the network have no internet.

I tried many things to exclude the dynamic route map, but everything has failed.

Thanks in advance,

Nick.
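Two things in the posted config are worth checking mechanically rather than by eye: what ACL 104 (applied "out" on Gi0/1, so it filters everything the router sends towards the LAN) does with reply traffic for the servers versus the workstations, and which inside hosts the `ip nat inside source list 1 ... overload` rule translates once `access-list 1` is narrowed to a handful of machines. Outbound NAT on IOS is always expressed as `ip nat inside source` (translate inside hosts' source addresses on the way out); the `ip nat outside source` form proposed in the question translates in the other direction. The script below is an added example, not part of the post and not IOS code: a deliberately small re-implementation of IOS access-list matching that supports only the keywords the posted ACLs use. ACL 104 is reproduced from the post minus the SIP/RTP entries and the 192.168.2.20 entries, which none of the checks touch; the outside addresses 198.51.100.7 and 203.0.113.9, the workstation 192.168.2.50, and the two-host replacement for `access-list 1` are constructed for the example. Note that a packet the ACL permits still needs a NAT translation to reach an inside host, so the results describe the ACL layer only; and since the `ip inspect` rules at the end of the config are never applied to an interface, the stateless `established` entries are the only thing standing in for session state.

```python
"""Added example (not from the post): a small model of Cisco IOS access-list
matching, used to check what the posted ACL 104 and the NAT source list allow.
It is not IOS code and supports only the syntax those ACLs use: permit/deny,
ip/tcp/udp, any/host/wildcard, eq/range, established, log."""
import ipaddress
from dataclasses import dataclass

# ACL 104 as posted (applied "out" on Gi0/1, i.e. towards the LAN), minus the
# SIP/RTP lines and the 192.168.2.20 entries, which the checks below never hit.
ACL_104 = """
permit tcp any host 192.168.2.5 eq 53
permit udp any host 192.168.2.5 eq 53
permit tcp any host 192.168.2.10 eq 25
permit tcp any host 192.168.2.10 eq 587
permit tcp any host 192.168.2.10 eq 993
permit tcp any host 192.168.2.10 eq 995
permit tcp any host 192.168.2.15 eq 80
permit tcp any host 192.168.2.15 eq 443
permit tcp any eq 25 host 192.168.2.10 range 1024 65535 established
permit tcp any eq 53 host 192.168.2.5 range 1024 65535 established
permit tcp any eq 53 host 192.168.2.10 range 1024 65535 established
permit tcp any eq 53 host 192.168.2.15 range 1024 65535 established
permit udp any eq 53 host 192.168.2.5 range 1024 65535
permit udp any eq 53 host 192.168.2.10 range 1024 65535
permit udp any eq 53 host 192.168.2.15 range 1024 65535
permit tcp any eq 80 host 192.168.2.5 range 1024 65535 established
permit tcp any eq 80 host 192.168.2.10 range 1024 65535 established
permit tcp any eq 80 host 192.168.2.15 range 1024 65535 established
deny ip any host 192.168.2.5 log
deny ip any host 192.168.2.10 log
deny ip any host 192.168.2.15 log
permit ip any any
"""
# The posted NAT source list, and a hypothetical replacement that translates
# only two inside hosts (the "specific number of machines" case in the question).
NAT_LIST_WHOLE_LAN = "access-list 1 permit 192.168.2.0 0.0.0.255"
NAT_LIST_TWO_HOSTS = "access-list 1 permit 192.168.2.5\naccess-list 1 permit 192.168.2.10"

@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK or RST set: the only thing "established" looks at

def _ip(s): return int(ipaddress.ip_address(s))

def _addr(tok):
    """Pop an address spec: any | host A | A WILDCARD | A (standard-ACL shorthand)."""
    t = tok.pop(0)
    if t == "any": return (0, 0xFFFFFFFF)
    if t == "host": return (_ip(tok.pop(0)), 0)
    return (_ip(t), _ip(tok.pop(0)) if tok and tok[0].count(".") == 3 else 0)

def _port(tok):
    """Pop an optional port spec: eq N | range A B; None matches any port."""
    if tok and tok[0] == "eq": tok.pop(0); p = int(tok.pop(0)); return (p, p)
    if tok and tok[0] == "range": tok.pop(0); a = int(tok.pop(0)); return (a, int(tok.pop(0)))
    return None

def _hit(spec, ip): return (_ip(ip) | spec[1]) == (spec[0] | spec[1])   # wildcard-mask match
def _in(spec, port): return spec is None or spec[0] <= port <= spec[1]

def ext_acl_action(acl_text, pkt):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for line in acl_text.strip().splitlines():
        tok = line.split()
        if tok[0] not in ("permit", "deny"): continue
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, sp, dst, dp = _addr(rest), _port(rest), _addr(rest), _port(rest)
        if proto not in ("ip", pkt.proto): continue
        if not (_hit(src, pkt.src) and _hit(dst, pkt.dst)): continue
        if not (_in(sp, pkt.sport) and _in(dp, pkt.dport)): continue
        if "established" in rest and not pkt.ack: continue   # stateless flag check
        return action
    return "deny"

def std_acl_permits(acl_text, src_ip):
    """Standard ACL, as referenced by 'ip nat inside source list 1 ...': source only."""
    for line in acl_text.strip().splitlines():
        tok = line.split()[2:]                    # drop "access-list <number>"
        action = tok.pop(0)
        if _hit(_addr(tok), src_ip): return action == "permit"
    return False

def nat_candidates(nat_list, inside_hosts):
    """Inside hosts whose outbound traffic the overload rule would translate."""
    return [h for h in inside_hosts if std_acl_permits(nat_list, h)]

def lan_out_checks():
    """Constructed packets (not captures) heading from the router towards the LAN."""
    checks = {
        # reply to the web server's own outbound HTTP request
        "server_reply_from_80": Packet("tcp", "198.51.100.7", "192.168.2.15", 80, 50000, ack=True),
        # reply to the same server's outbound HTTPS request (updates, APIs)
        "server_reply_from_443": Packet("tcp", "198.51.100.7", "192.168.2.15", 443, 50000, ack=True),
        # reply to a workstation's outbound HTTPS request
        "workstation_reply_from_443": Packet("tcp", "198.51.100.7", "192.168.2.50", 443, 50000, ack=True),
        # unsolicited ACK from source port 25 towards a high port on the mail server
        "ack_probe_from_25": Packet("tcp", "203.0.113.9", "192.168.2.10", 25, 3389, ack=True),
    }
    return {name: ext_acl_action(ACL_104, p) for name, p in checks.items()}

if __name__ == "__main__":
    for name, verdict in lan_out_checks().items(): print(f"{name:28} {verdict}")
    print("translated, posted list:  ", nat_candidates(NAT_LIST_WHOLE_LAN, ["192.168.2.5", "192.168.2.50"]))
    print("translated, two-host list:", nat_candidates(NAT_LIST_TWO_HOSTS, ["192.168.2.5", "192.168.2.50"]))
```

Running it shows that workstation reply traffic falls through to the final `permit ip any any`, so ACL 104 is not what cuts the LAN off from the internet (consistent with the observation that removing the overload line is what does it), while the servers themselves can only complete outbound connections to ports 25, 53 and 80 because replies from any other source port hit their `deny ip any host ...` entries before the catch-all. The `ack_probe_from_25` case shows the `established` keyword passing any ACK-flagged packet with source port 25 towards 1024-65535 on the mail server; whether such a packet ever reaches the host is then down to NAT having no translation for it, not the ACL. Narrowing the NAT source list to host entries is how outbound internet is granted to specific machines only: the overload rule is unchanged, only `access-list 1` decides who gets translated.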

Best Answer

The majority of websites now try HTTPS first, so you may need to forward port 443 as well as port 8080.