10-16-2012 01:02 PM - edited 03-11-2019 05:10 PM
I have a client that has 6 public IP addresses. He needs to use 3 of them. One for workstations, which is currently working fine. It is using the default gateway IP. One for an email/web server, which has a static NAT and is also working fine. But we need an additional NAT, and it is for 3 servers that all need to go out as the same public IP. I am not sure how to do this and have been unsuccessful getting those to go out as the same IP. I either cannot get them to exit the same IP or it breaks the workstation NAT.
Workstations would be 10.0.0.100 - 200 going out the FE1 interface or I think x.x.94.122
Email would be 10.0.0.5 going out the static NAT of x.x.94.123
I then need 10.0.0.2 - 4 to go out x.x.94.124
I removed some ACLs and IP info for security.
Attached is the current config.
Thanks in advance.
Todd
interface FastEthernet0
description $ETH-WAN$$FW_OUTSIDE$
ip address x.x.4.240 255.255.255.0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
shutdown
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface FastEthernet1
ip address X.X.94.122 255.255.255.248
ip access-group 110 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$$ES_LAN$
ip address 10.0.0.254 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip local pool SDM_POOL_1 192.168.12.1 192.168.12.254
ip route 0.0.0.0 0.0.0.0 X.X.94.121
!
ip flow-top-talkers
top 50
sort-by bytes
cache-timeout 200
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.0.0.4 5900 interface FastEthernet0 5900
ip nat inside source static tcp 10.0.0.2 5001 interface FastEthernet0 5001
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet1 overload
ip nat inside source static 10.0.0.5 X.X.94.123 route-map SDM_RMAP_2
ip nat inside source static 10.0.0.2 X.X.94.124 route-map SDM_RMAP_3
ip nat inside source static 10.0.0.4 X.X.94.125 route-map SDM_RMAP_4
!
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 104 permit ip 10.0.0.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=2
access-list 105 deny ip host 10.0.0.5 192.168.12.0 0.0.0.255
access-list 105 permit ip host 10.0.0.5 any
access-list 110 remark auto generated by SDM firewall configuration
access-list 110 remark SDM_ACL Category=1
!
!
!
route-map SDM_RMAP_4 permit 1
match ip address 107
!
route-map SDM_RMAP_1 permit 1
match ip address 104
!
route-map SDM_RMAP_2 permit 1
match ip address 105
!
route-map SDM_RMAP_3 permit 1
match ip address 106
!
10-16-2012 09:11 PM
Hello T,
Not sure if I understood this correctly but basically you want to do the following:
Nat Workstations range 10.0.0.100 - 200 to the IP x.x.94.122
Email would be 10.0.0.5 looking on the outside as x.x.94.123
I then need 10.0.0.2 - 4 to look on the outside as x.x.94.124
You can do it with route-maps, but for simplicity I will do it just with ACLs
1) Ip access-list extended Workstation_B
permit ip host 10.0.0.2 any
permit ip host 10.0.0.3 any
permit ip host 10.0.0.4 any
ip nat inside source list Workstation_B x.x.94.122 overload
2) ip nat inside source static 10.0.0.5 x.x.94.123
3) ip nat inside source dynamic any x.x.94.122
Is there a way you could try that and let me know the result,
Any other question..Sure..Just remember to rate all of the helpful posts
Julio
10-16-2012 09:41 PM
Here is what I tried but I don’t think the 10.0.0.2 - 4 is working?
ip nat pool VoIP x.x.94.124 x.x.94.124 netmask 255.255.255.248 type rotary
ip nat inside source list VoIP pool VoIP overload
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet1 overload
ip nat inside source static 10.0.0.5 x.x.94.123 route-map SDM_RMAP_2
!
ip access-list extended VoIP
permit ip host 10.0.0.2 any
permit ip host 10.0.0.3 any
permit ip host 10.0.0.4 any
Thanks
Todd
10-16-2012 09:48 PM
Hello Tyon,
Can you try what I wrote down in the order I wrote it,
Any other question..Sure,,Just remember to rate all of the support answers.
10-16-2012 10:19 PM
No, I cannot. When I run this command
ip nat inside source list Workstation_B x.x.94.122 overload
I can only do
ip nat inside source list Workstation_B
and then I need to do interface or pool?
The config looks close but I also need the workstation_B to go out x.x.94.124
Thanks
Todd
10-16-2012 11:08 PM
Hello,
See what you mean
ip local pool TEST x.x.94.124 x.x.94.124
Now use that on the NAT.
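Added example, not part of any post in this thread: one way to get the mapping the original poster describes (10.0.0.2 - 4 sharing x.x.94.124, everything else overloading on FastEthernet1), using mutually exclusive ACLs so a server can never match the workstation rule. The ACL and pool names are hypothetical, and the 192.168.12.0/24 denies assume VPN clients from SDM_POOL_1 should reach inside hosts untranslated, mirroring access-list 105 in the posted config.

```cisco
! Added example. NAT_SERVERS, NAT_WORKSTATIONS and POOL_124 are hypothetical
! names; addresses are the thread's masked placeholders.
!
! Exec mode first: a dynamic NAT rule with active translations cannot be
! removed or replaced.
!   clear ip nat translation *
!
! Remove the one-to-one statics from the posted config that already claim
! .124/.125, and the catch-all overload rule (access-list 104 permits all
! of 10.0.0.0/24, servers included).
no ip nat inside source static 10.0.0.2 x.x.94.124 route-map SDM_RMAP_3
no ip nat inside source static 10.0.0.4 x.x.94.125 route-map SDM_RMAP_4
no ip nat inside source route-map SDM_RMAP_1 interface FastEthernet1 overload
!
! The three servers and nothing else.
ip access-list extended NAT_SERVERS
 deny   ip any 192.168.12.0 0.0.0.255
 permit ip host 10.0.0.2 any
 permit ip host 10.0.0.3 any
 permit ip host 10.0.0.4 any
!
! The rest of the LAN, with the servers and the statically mapped mail
! host explicitly excluded so the two dynamic rules never overlap.
ip access-list extended NAT_WORKSTATIONS
 deny   ip any 192.168.12.0 0.0.0.255
 deny   ip host 10.0.0.2 any
 deny   ip host 10.0.0.3 any
 deny   ip host 10.0.0.4 any
 deny   ip host 10.0.0.5 any
 permit ip 10.0.0.0 0.0.0.255 any
!
! Single-address pool; "overload" gives port address translation, so all
! three servers share x.x.94.124. Netmask matches FastEthernet1's /29.
ip nat pool POOL_124 x.x.94.124 x.x.94.124 netmask 255.255.255.248
ip nat inside source list NAT_SERVERS pool POOL_124 overload
ip nat inside source list NAT_WORKSTATIONS interface FastEthernet1 overload
!
! The existing static for 10.0.0.5 -> x.x.94.123 is left untouched.
!
! Verify from exec mode: each inside local address should show the
! expected inside global address.
!   show ip nat translations
```

The pool is defined without `type rotary`, which IOS uses with `ip nat inside destination` for TCP load distribution rather than for source overload.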