Re: NAT configuration on MSR20 routers
Occasional Collector
NAT configuration on MSR20 routers

Hello Guys.

I have an MSR20 router and I need to configure NAT on it so that my internal clients can use the public IP address of the router when accessing the internet. What are the configuration commands for doing this? Please help.

Thanks.

Advisor

Re: NAT configuration on MSR20 routers

There are a ton of ways to configure NAT for either inbound or outbound usage. I'll include a very basic one that does PAT (port address translation) that you can use on your MSR20; however, note that it's only one of MANY ways to accomplish NAT.

http://www.h3c.com/portal/products___solutions/technology/security_and_vpn/technology_white_paper/200808/613642_57_0.htm describes many of the different methods that can be used to represent NAT (although no examples on that whitepaper... blah)

# Only overloading a single address. You could specify a range if you expect more than 60k connections through this
# NAT device. Note that even a single web page could temporarily use half a dozen connections to build the page.
#
nat address-group 1 206.123.99.226 206.123.99.226
#
# Only allow machines in the range of 10.1.1.1 - 10.1.1.191 to NAT outbound. Deny all others.
acl number 2001 name authorized_nat_outbound
 # First off, deny addresses in the range that are not authorized
 rule 100 deny source 10.1.1.192 0.0.0.63 logging
 #
 # ...then authorize the rest of the block
 rule 110 permit source 10.1.1.0 0.0.0.255
 #
 # Deny everything else
 rule 999 deny logging
#
acl number 3001 name inbound-from-public
 #
 # First off permit the VRRP protocol (IP protocol 112) to be transmitted
 rule 100 permit 112
 #
 # We know for a fact that we want to block all "faked" transport packets from ever entering
 rule 110 deny ip destination 10.0.0.0 0.255.255.255 logging
 rule 120 deny ip destination 172.16.0.0 0.15.255.255 logging
 rule 130 deny ip destination 192.168.0.0 0.0.255.255 logging
 #
 # ... additionally deny anything sourced from an RFC1918 address
 rule 140 deny ip source 10.0.0.0 0.255.255.255 logging
 rule 150 deny ip source 172.16.0.0 0.15.255.255 logging
 rule 160 deny ip source 192.168.0.0 0.0.255.255 logging
 #
 # Specifically allow some "router initiated things" to return to the router (such as NTP)
 rule 200 permit udp destination 206.123.99.26 0 destination-port eq ntp
 #
 # Allow specific protocols inbound to our site
 rule 300 permit tcp established
 rule 310 permit tcp destination 206.123.99.26 0 destination-port eq 80
 rule 320 permit tcp destination 206.123.99.26 0 destination-port eq 443
 #
 # Allow various types of ICMP probing or ICMP returns to occur. This
 # should be reviewed for security concerns vs operation validation needs.
 #
 rule 950 permit icmp icmp-type echo
 rule 955 permit icmp icmp-type echo-reply
 rule 960 permit icmp icmp-type port-unreachable
 rule 965 permit icmp icmp-type net-unreachable
 rule 970 permit icmp icmp-type ttl-exceeded
 rule 975 deny icmp logging
 #
 # By default, everything else is invalid
 rule 999 deny ip logging
#
interface Ethernet 0/0
 port link-mode route
 description Public Connection to the Internet
 firewall packet-filter name inbound-from-public inbound
 nat outbound static
 nat outbound 2001 address-group 1
 nat server protocol tcp global 206.123.99.26 www inside 10.1.1.16 www
 nat server protocol tcp global 206.123.99.26 443 inside 10.1.1.16 443
 ip address 206.123.99.26 255.255.255.0
#
interface Ethernet 0/1
 port link-mode route
 ip address 10.1.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 206.123.99.1
#
ntp-service source-interface Ethernet 0/0
ntp-service unicast-server 72.26.198.240
ntp-service unicast-server 38.229.71.1
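The two ACLs in the reply do different jobs: ACL 2001 decides which inside hosts get translated by `nat outbound` (a denied source is simply not translated), while ACL 3001 is the inbound packet filter that drops spoofed RFC1918 traffic before the `nat server` mappings are reached. The following is an added, offline model of that first-match wildcard logic, written for this page and not H3C/Comware code: it re-implements the rule tables above with Comware's wildcard convention (a 0 bit means "must match", and a bare `0` means a single host) and runs a handful of constructed sample packets through them so you can see which rule number each one hits. The `Packet` and `Rule` types, the `established`/`icmp_type` fields and the sample addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are assumptions of this example; the rule numbers, addresses and actions are taken from the reply.

```python
"""Offline model of the first-match ACL logic in the reply above (added example, not Comware code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    rid: int
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches any protocol, as in Comware
    src: Optional[str] = None        # "address wildcard"; None = any source
    dst: Optional[str] = None        # "address wildcard"; None = any destination
    dport: Optional[int] = None      # destination port (TCP/UDP only)
    established: bool = False        # "tcp established": only reply segments match
    icmp_type: Optional[str] = None  # e.g. "echo", "echo-reply"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None
    established: bool = False        # assumed flag: TCP segment with ACK/RST set
    icmp_type: Optional[str] = None


def wildcard_match(addr: str, spec: Optional[str]) -> bool:
    """Comware wildcard semantics: bits set to 1 in the wildcard are don't-care bits."""
    if spec is None:
        return True
    base, wild = spec.split()
    # Comware accepts a bare "0" wildcard to mean a single host (0.0.0.0)
    w = int(ipaddress.IPv4Address(wild)) if "." in wild else int(wild)
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & ~w) == (b & ~w)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Rules are tried in ascending rule-number order; the first match wins.
    What the platform does with an unmatched packet depends on its firewall
    default setting; the reply sidesteps that with rule 999, so this model
    just reports ("no-match", None) when nothing matched."""
    for r in sorted(rules, key=lambda r: r.rid):
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, r.src) and wildcard_match(pkt.dst, r.dst)):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.established and not pkt.established:
            continue
        if r.icmp_type is not None and r.icmp_type != pkt.icmp_type:
            continue
        return r.action, r.rid
    return "no-match", None


# ACL 2001 (basic ACL: source only). A deny here means "do not translate", not "drop".
OUTBOUND_ACL_2001 = [
    Rule(100, "deny", src="10.1.1.192 0.0.0.63"),
    Rule(110, "permit", src="10.1.1.0 0.0.0.255"),
    Rule(999, "deny"),
]

# ACL 3001 (advanced ACL applied inbound on the public interface). Subset of the reply's rules.
INBOUND_ACL_3001 = [
    Rule(100, "permit", proto="vrrp"),
    Rule(110, "deny", dst="10.0.0.0 0.255.255.255"),
    Rule(120, "deny", dst="172.16.0.0 0.15.255.255"),
    Rule(130, "deny", dst="192.168.0.0 0.0.255.255"),
    Rule(140, "deny", src="10.0.0.0 0.255.255.255"),
    Rule(150, "deny", src="172.16.0.0 0.15.255.255"),
    Rule(160, "deny", src="192.168.0.0 0.0.255.255"),
    Rule(200, "permit", proto="udp", dst="206.123.99.26 0", dport=123),
    Rule(300, "permit", proto="tcp", established=True),
    Rule(310, "permit", proto="tcp", dst="206.123.99.26 0", dport=80),
    Rule(320, "permit", proto="tcp", dst="206.123.99.26 0", dport=443),
    Rule(950, "permit", proto="icmp", icmp_type="echo"),
    Rule(955, "permit", proto="icmp", icmp_type="echo-reply"),
    Rule(975, "deny", proto="icmp"),
    Rule(999, "deny"),
]


def inbound_samples() -> Dict[str, Tuple[str, Optional[int]]]:
    """Constructed packets arriving from the internet on Ethernet 0/0."""
    samples = {
        "spoofed_private_source": Packet("192.168.1.5", "206.123.99.26", "tcp", dport=80),
        "web_from_internet": Packet("203.0.113.10", "206.123.99.26", "tcp", dport=80),
        "ntp_reply": Packet("72.26.198.240", "206.123.99.26", "udp", dport=123),
        "ssh_from_internet": Packet("203.0.113.10", "206.123.99.26", "tcp", dport=22),
        "reply_to_our_connection": Packet("198.51.100.7", "206.123.99.26", "tcp", dport=51000, established=True),
        "ping": Packet("203.0.113.10", "206.123.99.26", "icmp", icmp_type="echo"),
        "icmp_redirect": Packet("203.0.113.10", "206.123.99.26", "icmp", icmp_type="redirect"),
    }
    return {name: evaluate(INBOUND_ACL_3001, p) for name, p in samples.items()}


def outbound_samples() -> Dict[str, Tuple[str, Optional[int]]]:
    """Constructed packets from inside hosts heading out; permit = gets PAT'd."""
    samples = {
        "authorized_host": Packet("10.1.1.50", "198.51.100.1", "tcp", dport=443),
        "excluded_host": Packet("10.1.1.200", "198.51.100.1", "tcp", dport=443),
        "other_subnet": Packet("10.1.2.7", "198.51.100.1", "tcp", dport=443),
    }
    return {name: evaluate(OUTBOUND_ACL_2001, p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, result in {**inbound_samples(), **outbound_samples()}.items():
        print(f"{name:28s} -> {result}")
```

Two things worth noticing when you run it: the spoofed packet is caught by rule 160 even though it is otherwise a well-formed request to port 80, because the RFC1918 checks sit above the service permits; and the host 10.1.1.200 is refused translation by rule 100 before rule 110 ever sees it, which is why the deny for the excluded /26 has to carry the lower rule number.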