@Adam-Tyler said in NAT inbound?:
I am pretty comfortable getting an internal subnet to NAT with overload to a single public IP, but what if you wanted to go the other direction? Let's say I have a host on my internal subnet and I want someone from the public subnet to be able to RDP to an internal host? What would those commands look like?
For example, let's say my internal subnet is 192.168.98.0/24 and my external subnet is 10.10.10.0/30. Here is the basic config to allow for a many-to-one NAT to the public network. Now let's say I would like to allow someone on the 10.10.10.0/30 network or anywhere really to connect to a host at 192.168.98.4 on TCP port 3389. What commands would I use to add this to the config?
ip nat outside
ip address 10.10.10.1 255.255.255.252
ip nat inside
ip address 192.168.98.1 255.255.255.0
This part is ok here. The following I'm not sure if you need this or not. I've not tested it but you're essentially doing port forwarding on a Cisco router.
access-list 1 permit 192.168.98.0 0.0.0.255
ip nat pool testpool 10.10.10.1 10.10.10.1 netmask 255.255.255.252
ip nat inside source list 1 pool testpool overload
So instead of the above, you might be able to do the following as your example details a /30 network...I may not have the port number in the right place...use help to find out. (I'm not connected to a router to verify).
ip nat inside source static tcp 192.168.98.1 10.10.10.1 3389 extendable
ip nat inside source static tcp 192.168.98.1 10.10.10.2 3389 extendable
(After trying the configuration on a router the above two lines may not accept the port numbers):
ip nat inside source static 192.168.98.1 10.10.10.1 extendable
ip nat inside source static 192.168.98.1 10.10.10.2 extendable
*if the post above has answered the question, please mark the topic as solved.
**All "answers" and responses are offered "as is" and my opinion. There is no implied support or guarantee by the ITProTV team.
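Added example, not part of the posts above and not tested by either poster: an IOS static port translation for the host in the question (192.168.98.4, TCP 3389), paired with an inbound ACL so the forwarded RDP port is reachable only from a named peer. The interface names, the ACL name OUTSIDE-IN and the permitted client 10.10.10.2 are assumptions.

```cisco
! Added example; interface names, the ACL name and the permitted client
! address 10.10.10.2 are assumptions, not values from the thread.
!
! Existing many-to-one overload from the question stays in place.
access-list 1 permit 192.168.98.0 0.0.0.255
ip nat pool testpool 10.10.10.1 10.10.10.1 netmask 255.255.255.252
ip nat inside source list 1 pool testpool overload
!
! Static port translation: inside local address and port first,
! then inside global address and port.
ip nat inside source static tcp 192.168.98.4 3389 10.10.10.1 3389 extendable
!
! An inbound ACL on the outside interface is evaluated before NAT, so it
! matches the global address 10.10.10.1, not 192.168.98.4.
ip access-list extended OUTSIDE-IN
 permit tcp host 10.10.10.2 host 10.10.10.1 eq 3389
 deny   tcp any host 10.10.10.1 eq 3389 log
 permit ip any any
!
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet0/1
 ip address 192.168.98.1 255.255.255.0
 ip nat inside
```

`show ip nat translations` lists the static entry once it is configured, and `show ip access-lists OUTSIDE-IN` shows hit counts on the permit and deny lines for port 3389.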