
Static PAT (Port Forwarding)

Written by Rene Molenaar on . Posted in Network Services

Scenario:

You are a trainee for a large international website covering a wide range of topics on automobiles. You are using NAT and PAT for connectivity to the Internet but you also have a number of hosts on your internal network. You need to make sure that the Webserver and Mailserver are reachable from the Internet.

Goal:

  • All IP addresses have been preconfigured for you.
  • Configure router PAT so all internal devices are able to reach the Internet.
  • Configure router PAT so the Web- and Mailserver are reachable from the Internet.
  • Ensure router Internet doesn't know about the 192.168.123.0 /24 network.
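The configuration below is an added worked example for the four goals above; it is not the lab's own solution or Rene's video configuration. Everything not stated on the page is an assumption: the interface names (FastEthernet0/0 facing the LAN, FastEthernet0/1 facing the Internet router), the LAN gateway 192.168.123.1, the next hop 192.168.45.5, and the Webserver (192.168.123.10) and Mailserver (192.168.123.11) addresses. The outside address 192.168.45.4 is the one Rene names in the comments as what the Internet router sees.

```cisco
! Added example (not the lab's own solution). Assumed names and addresses:
! FastEthernet0/0 = LAN (192.168.123.1/24), FastEthernet0/1 = Internet-facing,
! 192.168.45.4 = the address the Internet router sees (from the comments),
! 192.168.45.5 = next hop on router Internet, 192.168.123.10 = Webserver,
! 192.168.123.11 = Mailserver. Adjust to the preconfigured addresses in the lab.
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.123.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description Internet
 ip address 192.168.45.4 255.255.255.0
 ip nat outside
!
! Goal 2: only the internal range is eligible for translation.
ip access-list standard LAN
 permit 192.168.123.0 0.0.0.255
!
! PAT (overload): every internal host shares the outside interface address,
! distinguished by source port.
ip nat inside source list LAN interface FastEthernet0/1 overload
!
! Goal 3: static PAT (port forwarding). Only TCP/80 and TCP/25 arriving at
! 192.168.45.4 are mapped inwards; no other internal port is exposed.
ip nat inside source static tcp 192.168.123.10 80 192.168.45.4 80
ip nat inside source static tcp 192.168.123.11 25 192.168.45.4 25
!
! Default route towards router Internet.
ip route 0.0.0.0 0.0.0.0 192.168.45.5
!
! Goal 4 is satisfied by omission: router Internet gets no route to
! 192.168.123.0/24 (static or dynamic); it only ever sees 192.168.45.4.
```

The two static entries reuse the same outside address as the overload rule; IOS allows this because the fixed ports 80 and 25 are reserved for the static mappings and the overload rule hands out the remaining ports. Check the result with `show ip nat translations` (the static entries are listed permanently, the overload entries appear only while a LAN host has a session open) and `show ip nat statistics` for hit counts. The one thing this configuration does not do is filter: any packet that arrives at 192.168.45.4 on a port that is not statically mapped is simply dropped by NAT, but traffic that router Internet could route directly to 192.168.123.0/24 is not blocked, which is the point raised in the comments.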

IOS:

c3640-jk9o3s-mz.124-16.bin

Topology:

[Topology diagram: Static PAT Port Forwarding]


Comments (3)

  • bluecavalry

    Hi Rene,
    Not a big problem, but I am curious about the last task.
    "Ensure router Internet doesn't know about the 192.168.123.0 /24 network."

    Although the translations continue to work correctly, the Internet router can still ping the internal devices.

    Ping 192.168.123.2 (from Internet router)
    This still translates, but it allows the Internet to know the internal IP addressing.
    This is small issue, but I am curious how I might block this ability (in this scenario).

    Thanks.
    Mark

  • ReneMolenaar

    Hello Mark,

    Once we configure NAT or PAT in this scenario the Internet router will only see the 192.168.45.4 IP address because of the translation. That doesn't stop it from using a static route or something to reach the 192.168.123.0 /24 network. If you want to block this 100% you'll just need to use an access-list.

    If this were a real network you should have an access-list on the inbound interface of the NAT/PAT router so not all traffic will be accepted. It's even better to configure a reflexive access-list, it will make sure that inbound traffic from the Internet will always be dropped unless it was originated from the LAN. If you never configured a reflexive access-list before then you should take a look at my lab:

    http://gns3vault.com/Security/reflexive-access-list.html

    Let me know if you have more questions.

    Rene
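Rene's reflexive access-list suggestion applied to this lab, as an added example rather than the lab's solution or Rene's own configuration. It assumes FastEthernet0/1 is the `ip nat outside` interface with address 192.168.45.4 (the address named in the comments), and that static PAT entries already forward TCP/80 and TCP/25 from that address to the Web- and Mailserver. The ACL names are made up.

```cisco
! Added example, not the lab's own configuration. Assumes FastEthernet0/1 is
! the 'ip nat outside' interface with address 192.168.45.4 and that static PAT
! entries forward TCP/80 and TCP/25 from that address to the Web- and Mailserver.
!
! Outbound: each TCP/UDP session leaving the LAN creates a temporary mirror
! entry in LAN-SESSIONS (ICMP is deliberately left out of this example).
ip access-list extended LAN-TO-INTERNET
 permit tcp any any reflect LAN-SESSIONS timeout 120
 permit udp any any reflect LAN-SESSIONS timeout 60
!
! Inbound: only the published services, plus return traffic for sessions the
! LAN opened, are accepted. Everything else (including pings from router
! Internet towards 192.168.123.0/24) hits the final deny and is logged.
ip access-list extended INTERNET-TO-LAN
 permit tcp any host 192.168.45.4 eq 80
 permit tcp any host 192.168.45.4 eq 25
 evaluate LAN-SESSIONS
 deny ip any any log
!
interface FastEthernet0/1
 ip access-group LAN-TO-INTERNET out
 ip access-group INTERNET-TO-LAN in
```

Two points matter when combining this with NAT. First, on the outside interface an inbound ACL is checked before outside-to-inside translation, so the permit lines must name the global address 192.168.45.4, never the internal 192.168.123.x addresses. Second, the outbound ACL is checked after inside-to-outside translation, so the reflexive entries are also built in terms of 192.168.45.4 and the `evaluate` line matches the returning packets. `show ip access-lists` displays the temporary LAN-SESSIONS entries while a LAN host has a session open, and the `log` keyword on the final deny makes the ping from router Internet in Mark's question visible in the log as a dropped packet.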

  • bluecavalry

    aaaaah okay. That was the answer I was looking for -- Reflexive Access-Lists. I knew there was a solution.

    Thanks again for your website. FYI: I lost my CCDP, and I am starting from the beginning again (from CCNA). Your labs completely made me slow down this time, and practice more (not just trying to pass another exam).

    I am getting your CCNP book. Big Value, considering all of the free labs.