01-30-2019 01:55 PM - edited 02-21-2020 08:43 AM
Our ISP has issued us two subnets: one is a /30 subnet and the other is a /28. For the sake of this discussion (with false IPs) the /30 is 46.181.101.212/30 with the provider assigned .213 and our WAN on .214. The /28 is 46.181.101.112/28. They are routing the 46.181.101.112/28 to our WAN interface. We have NAT for all users to come from our WAN (48.181.101.214) with a default route pointing to 48.181.101.213.
We have a server on our internal network using 10.0.0.25. In the case of this one particular server however, we need the external servers to see our traffic residing from 46.181.101.118 (the /28 subnet). So a NAT for inside address 10.0.0.25 to 46.181.101.118. We cannot seem to get this to work. No matter what we add for the NAT the traffic is still seen as coming from 46.181.101.214. We are able to connect into this server from the outside on 46.181.101.118 so it is only how our traffic is seen externally that we are having an issue with.
Can anyone give us some insight? Thanks!
01-30-2019 02:17 PM
Assuming this is 8.3 or later code it is probably to do with the ordering of your NAT statements.
On 8.3 or later NAT is split in 3 sections and it goes through the sections in order so what is probably happening is that the traffic outbound is being caught by the wrong NAT statement and the solution may be as simple as reordering your statements.
Have a read of this document which explains the above in more detail and gives some recommendations as to how to configure your NAT statements -
Jon
01-30-2019 02:44 PM
Hi Jon, I thought about that previously and created the NAT as a NAT before Network Object and moved it all the way to the top of the list.
When I run a packet-tracer test as well, it shows that it should be picking up this NAT.
01-30-2019 03:58 PM
We have a server on our internal network using 10.0.0.25. In the case of this one particular server however, we need the external servers to see our traffic residing from 46.181.101.118 (the /28 subnet). So a NAT for inside address 10.0.0.25 to 46.181.101.118. We cannot seem to get this to work. No matter what we add for the NAT the traffic is still seen as coming from 46.181.101.214. We are able to connect into this server from the outside on 46.181.101.118 so it is only how our traffic is seen externally that we are having an issue with.
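object network REAL
 host 10.0.0.25
!
object network MAPPED
 host 46.181.101.118
!
! Manual (section 1) static NAT: 10.0.0.25 is translated to the MAPPED address
nat (inside,outside) source static REAL MAPPED
!
! On 8.3 and later the outside ACL references the real (inside) address
access-list OUT-IN extended permit tcp any object REAL eq 443
access-group OUT-IN in interface outside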
01-31-2019 07:12 AM
This was actually a "stupid" mistake on my part. We are in the process of changing to a new server for this and when I was setting up the NAT I was using the new server inside IP address but I still had the old server relaying the traffic. So in essence, I have the NAT set up correctly, I was just using the wrong IP address for the REAL server.
I just needed an overnight break to realize that!!!
Thank you both. I accept both as a resolution since NAT was the issue and the commands provided by Sheraz were correct. Thank you both!
01-31-2019 07:15 AM
@Legusol I did notice that wrong IP address in your packet tracer and I was curious why you were doing this. Also, I was tired too and this got overlooked by me; otherwise I would have mentioned it to you.
Anyway, good to hear it's all sorted.
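Added example, not part of any post in this thread: a simplified Python model of the ASA 8.3+ NAT lookup order described in Jon's reply, which also reproduces the mistake found at the end of the thread (a static rule that names a different real address than the host actually sending). The 10.0.0.0/24 inside network, the 10.0.0.26 sender and all rule names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class NatRule:
    section: int   # 1 = manual NAT, 2 = auto (object) NAT, 3 = manual after-auto
    kind: str      # "static" or "dynamic"
    real: str      # real (inside) host or network, CIDR notation
    mapped: str    # source address seen on the outside

    def net(self):
        return ipaddress.ip_network(self.real)

def evaluation_order(rules):
    """Simplified ASA 8.3+ order: section 1, then 2, then 3.
    Sections 1 and 3 keep configuration order; inside section 2 the ASA
    sorts static before dynamic, then fewest real addresses first."""
    def key(item):
        idx, r = item
        if r.section == 2:
            return (2, r.kind != "static", r.net().num_addresses, idx)
        return (r.section, False, 0, idx)
    return [r for _, r in sorted(enumerate(rules), key=key)]

def translate(rules, src):
    """Return the outside source address; the first matching rule wins."""
    addr = ipaddress.ip_address(src)
    for r in evaluation_order(rules):
        if addr in r.net():
            return r.mapped
    return src  # no rule matched: left untranslated

# Assumed inside network 10.0.0.0/24 hidden behind the WAN address (dynamic PAT).
PAT = NatRule(2, "dynamic", "10.0.0.0/24", "46.181.101.214")
# Static rule from the thread, as manual NAT at the top of section 1.
STATIC = NatRule(1, "static", "10.0.0.25/32", "46.181.101.118")
# Same translation configured after-auto (section 3): the PAT rule shadows it.
STATIC_LATE = NatRule(3, "static", "10.0.0.25/32", "46.181.101.118")

if __name__ == "__main__":
    print(translate([STATIC, PAT], "10.0.0.25"))       # rule names the real sender
    print(translate([STATIC, PAT], "10.0.0.26"))       # constructed: a different host sends
    print(translate([STATIC_LATE, PAT], "10.0.0.25"))  # ordering problem
```

Both failure cases give the same outside symptom (traffic seen from 46.181.101.214), which is why checking the real address in the rule against the host actually sending matters as much as checking rule order.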