topic Re: Trouble with NAT in Routing and SD-WAN

Trouble with NAT

Lilleman79 — Mon, 04 Mar 2019 18:29:55 GMT

Goday

I have some trouble with my NAT-configuration

On my network I have two cameras that i want to be connectable from the Internet.

!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static 192.168.0.109 121.183.XXX.XXX
ip nat inside source static 192.168.0.110 121.183.XXX.XXX
!

when i try to use these settings I get warnings in the log about multiple ip addresses ( 192.168.......) and the comunication to the cameras does´nt work

What am i doing wrong?

Regards

Linus

Re: Trouble with NAT

cadet alain — Thu, 18 Nov 2010 09:59:48 GMT

You can't have 2 static nats pointing to the same public address unless you specify the protocol/port.

Re: Trouble with NAT

enkhbat.n — Thu, 18 Nov 2010 10:09:44 GMT

Hey Linus,

I'm not sure, but I think "ip nat pool" can work for what you need.

You can read about that from http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html

Good luck

Re: Trouble with NAT

mrdogantr — Thu, 18 Nov 2010 10:34:28 GMT

Hi Linus,

for example; camera port = tcp 8888

!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.0.109 8888 121.183.XXX.XXX 8888
ip nat inside source static tcp 192.168.0.110 8888 121.183.XXX.XXX 8889
!

if connect 121.183.XXX.XXX 8888 --------- answer from 192.168.0.109

if connect 121.183.XXX.XXX 8889 --------- answer from 192.168.0.110

-----------------------

hope to help

Muammer

Re: Trouble with NAT

Lilleman79 — Thu, 18 Nov 2010 12:18:51 GMT

First of all, thanks for all the answers

ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.0.109 121.183.XXX.X21
ip nat inside source static tcp 192.168.0.110 121.183.XXX.X22

I do have three public ip-addresses that i´m trying to use, so ím not trying to merge the two cameras into one ip-address.

My router is a cisco 871, and i´m using cisco cp to configure it.

If I just follow the guide and let the program write the config file, the lines above is what I get. Shouldn't that be enough??

Never the less it doesn't work

Do i have to add these lines? never done this before, but you probably already had figured that out

if connect 121.183.XXX.XXX 8888 --------- answer from 192.168.0.109

if connect 121.183.XXX.XXX 8889 --------- answer from 192.168.0.110

I´m stuck

Regards Linus

Re: Trouble with NAT

cadet alain — Thu, 18 Nov 2010 13:11:57 GMT

if connect 121.183.XXX.XXX 8888 --------- answer from 192.168.0.109 if connect 121.183.XXX.XXX 8889 --------- answer from 192.168.0.110

These are not commands, just to demonstrate what effect the previous commands would have.

These are hardware cameras which have their dedicated IP addresses?

if so then you can try this

Try changing the access-list used for dynamic mappings:

no access-list 1

access-list 1 deny host 192.168.0.109

access-list 1 deny host 192.168.0.110

access-list 1 permit 192.168.0.0 0.0.0.255

ip nat inside source list 1 interface f0/4 overload

Re: Trouble with NAT

mrdogantr — Thu, 18 Nov 2010 22:36:45 GMT

Hi Linus,

Can you send your conf file or nat inside and outside interfaces configs.

Re: Trouble with NAT

Lilleman79 — Fri, 19 Nov 2010 07:17:10 GMT

Building configuration...

Current configuration : 11139 bytes
!
! Last configuration change at 15:23:25 PCTime Thu Nov 18 2010 by XXX

! NVRAM config last updated at 13:40:15 PCTime Wed Nov 17 2010 by cisco
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname XXXXXXX
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$HoHN$fuRjhmlQ5TprszWAk/btT1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-1829044327
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1829044327
revocation-check none
rsakeypair TP-self-signed-1829044327
!
!
crypto pki certificate chain TP-self-signed-1829044327
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31383239 30343433 3237301E 170D3032 30333031 30303039
33305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38323930
34343332 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B681 828052B9 2217C287 81B2EBC2 AF9D2C25 131A7B3C D29DFCE5 1F03D50F
15A4ED2D 59A02CEF AC2C2B4F EBD35027 EE488A0D B2B3D6C5 6674338D 6AC302A1
4C706481 2ADDE61A 69A07D05 B718F60D E71886BA 3B7BB698 B964504A 678967D3
DCBC0155 D19E71DB E4A9EAC2 E131641D D1B774B1 F5B215C2 ABBE7701 40D13C51
95010203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
301F0603 551D2304 18301680 149CE370 95778325 AFF90CBB DC74812B 60DD2092
9F301D06 03551D0E 04160414 9CE37095 778325AF F90CBBDC 74812B60 DD20929F
300D0609 2A864886 F70D0101 04050003 8181005F AF2494E0 FBC692A2 DE43B867
055A8EBA 7BA47F5E B195556A 057BACEF 192E3145 F8FC17A9 2DFC295A 2346DED8
50216D3E A851DD9E 5EA11125 FE3A8C00 9E588F54 25CEACBF 81AA9B89 B15F3AA8
B86E614D B1B10E4F 734B5528 47C74A21 CA8C3052 5589E711 BC1E1A5F AFB762A6
589B04E6 8F511979 217B834A 8D09E644 988A11
   quit
dot11 syslog
no ip source-route
!
!
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 19X.XXX.XXX.XXX XXX.XXX.XXX.XXX
   lease infinite
!
!
ip cef
no ip bootp server
ip name-server 19X.XXX.XXX.XXX
ip name-server 19X.XXX.XXX.XXX
ip name-server 192.168.0.250
ip port-map user-ctcp-ezvpnsvr port tcp 10000
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username XXXXX privilege 15 secret 5 $1$42Ij$KN6ZQBxJ.zmTkoGdZeU5W.
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group

key XX

pool SDM_POOL_1
crypto isakmp profile ciscocp-ike-profile-1
match identity group XXX

client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto ctcp port 10000
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-all sdm-nat--1
match access-group 101
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match protocol user-ctcp-ezvpnsvr
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-all sdm-nat--2
match access-group 102
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat--1
pass log
class type inspect sdm-nat--2
pass log
class class-default
pass log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address 212.181.XXX.XX2 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet4
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.0.10 192.168.0.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 212.181.XXX.XXX
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static 192.168.0.109 212.183.XX.XX3
ip nat inside source static 192.168.0.110 212.183.XX.XX4
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 212.181.XXX.XX0 0.0.0.7 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.0.109
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.0.110
no cdp run

!
!
!
!
!
control-plane
!
banner exec ^C
!
!
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

The Config-file

Regards Linus

Re: Trouble with NAT

mrdogantr — Fri, 19 Nov 2010 10:39:07 GMT

Hi Linus,

can you try configuration below.

interface FastEthernet4
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address 212.181.XXX.XX2 255.255.255.248

ip address 212.181.XXX.XX3 255.255.255.255 secondary

ip address 212.181.XXX.XX4 255.255.255.255 secondary

hope to help

Muammer

Re: Trouble with NAT

Daniel Bethke — Fri, 19 Nov 2010 21:00:53 GMT

I was having this same problem and watching your thread for suggestions.
I tried to add two addresses similar to how M.D suggested (with mask 255.255.255.255) but I got an error about adding the /32 secondary addresses

I then used a subnet mask that was more appropriate for my network and it worked!

(I also had to add access rule to permit anyone to those additional addresses)

Here's all the parts I think are important::

interface FastEthernet0/0

description to ISP (untrusted)

ip address 77.77.77.250 255.255.255.240

ip address 77.77.77.246 255.255.255.240 secondary

ip address 77.77.77.247 255.255.255.240 secondary

ip nat outside

ip access-group 100 in

interface FastEthernet0/1

description Internal (trusted)

ip address 10.10.10.1

ip nat inside

ip nat pool PUBLICIPPOOL 77.77.77.250 77.77.77.250 prefix-length 28

ip nat inside source list permit_local_networks pool PUBLICIPPOOL overload

ip nat inside source static 10.10.10.71 77.77.77.246

ip nat inside source static 10.10.10.72 77.77.77.247

ip access-list standard permit_local_networks

remark permit all local networks

permit 10.10.10.0 0.0.0.255

ip access-group 100 in

access-list 100 remark ACL for outside interface (f0/0 in)

access-list 100 permit ip any host 77.77.77.246

access-list 100 permit ip any host 77.77.77.247