Solved NAT inbound?

---

I am pretty comfortable getting an internal subnet to NAT with overload to a single public IP, but what if you wanted to go the other direction? Let's say I have a host on my internal subnet and I want someone from the public subnet to be able to RDP to an internal host? What would those commands look like?

For example, lets say my internal subnet is 192.168.98.0/24 and my external subnet is 10.10.10.0/30.. here is the basic config to allow for a many to one NAT to the public network. Now lets say I would like to allow someone on the 10.10.10.0/30 network or anywhere really to connect to a host at 192.168.98.4 on TCP port 3389. What commands would I use to add this to the config ?

interface gi0/0
ip nat outside
ip address 10.10.10.1 255.255.255.252
no shut

interface gi0/1
ip nat inside
ip address 192.168.98.1 255.255.255.0
no shut

access-list 1 permit 192.168.98.0 0.0.0.255

ip nat pool testpool 10.10.10.1 10.10.10.1 netmask 255.255.255.252
ip nat inside source list 1 pool testpool overload

@Adam-Tyler said in NAT inbound?:

I am pretty comfortable getting an internal subnet to NAT with overload to a single public IP, but what if you wanted to go the other direction? Let's say I have a host on my internal subnet and I want someone from the public subnet to be able to RDP to an internal host? What would those commands look like?

For example, lets say my internal subnet is 192.168.98.0/24 and my external subnet is 10.10.10.0/30.. here is the basic config to allow for a many to one NAT to the public network. Now lets say I would like to allow someone on the 10.10.10.0/30 network or anywhere really to connect to a host at 192.168.98.4 on TCP port 3389. What commands would I use to add this to the config ?

interface gi0/0
ip nat outside
ip address 10.10.10.1 255.255.255.252
no shut

interface gi0/1
ip nat inside
ip address 192.168.98.1 255.255.255.0
no shut

This part is ok here. The following I'm not sure if you need this or not. I've not tested it but you're essentially doing port forwarding on a Cisco router.

access-list 1 permit 192.168.98.0 0.0.0.255

ip nat pool testpool 10.10.10.1 10.10.10.1 netmask 255.255.255.252
ip nat inside source list 1 pool testpool overload

So instead of the above, you might be able to do the following as your example details a /30 network...I may not have the port number in the right place...use help to find out. (I'm not connected to a router to verify).

ip nat inside source static tcp 192.168.98.1 10.10.10.1 3389 extendable
ip nat inside source static tcp 192.168.98.1 10.10.10.2 3389 extendable

(After trying the configuration on a router the above two lines may not accept the port numbers):

ip nat inside source static 192.168.98.1 10.10.10.1 extendable
ip nat inside source static 192.168.98.1 10.10.10.2 extendable

This command seemed to do the trick.. Why do you suppose you are able to specify the port number twice? Port address translation perhaps? Like I could hit 10.10.10.1 on TCP 3389, but after it is translated to the internal IP I could also translate the port?

ip nat inside source static tcp 192.168.98.4 3389 10.10.10.1 3389 extendable

@Adam-Tyler,

When you want to translate a specific port from source to the specific port on the destination then you must specify.

I tried just allowing any source port to the specific destination port and I couldn't see the command allow me to do this so I just left it as I showed.