Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
454
Views
0
Helpful
4
Replies

4321 PBX Static NAT Issue

koliveira07
Level 1
Level 1

‎10-18-2022 04:01 PM - edited ‎10-18-2022 04:05 PM

Hello,

 

I am having an issue configuring a one-to-one NAT for a local PBX server to a Single WAN IP, while also Dynamically NATing all other local traffic to another block of IPs provided by the same ISP on the same physical WAN connection. Here is my dilemma:

We were given a public ip of 1.1.1.2/30 which we have to use for the PBX (local 192.168.1.42) and 10.10.10.0/29 as a usable range as well on the same link for any other traffic. I am currently using 10.10.10.2/29 and I can access the router remotely with this IP address and the pbx is able to receive and make calls without issue, but while on the network, users are not able to browse to any site. I can confirm internet access from the router's local interface by pinging google and it works without issue but web-traffic just doesn't seem to work at all. I have stripped down all configurations to the bare bones (no firewall rules or ACLs filtering any web traffic, the router is just routing packets) and have added them below. 

There is a Secondary router configured in the same exact way but without the PBX configurations and that device works without issue. Looking at all the NAT translations, it seems like DNS specifically isn't working as that is almost all the traffic I see in the NAT table but I don't see why that would not work.

 

 

ip dhcp pool LAN

network 10.0.0.0 255.255.255.0

default-router 10.0.0.1

dns-server 208.67.222.222 208.67.220.220

 

interface Gigabitethernet0/0/0

ip address 10.10.10.2 255.255.255.248 secondary  <--Public LAN IP

ip address 1.1.1.2 255.255.255.252  <--Public IP

ip nat outside

 

interface gigabit 0/0/1

ip add 10.0.0.1 255.255.255.0

ip nat inside

 

 

ip nat pool WAN2 10.10.10.2 10.10.10.2 netmask 255.255.255.248

ip nat inside source static udp 192.168.1.42 5060 1.1.1.2 5060 extendable

ip nat inside source static tcp 192.168.1.42 8089 1.1.1.2 8089 extendable

ip nat inside source static 192.168.1.42 1.1.1.2 route-map PBX-ACL-RM extendable

ip nat source route-map NAT-RM interface GigabitEthernet0/0/0 overload

ip nat inside source list NAT pool WAN2 overload

 

ip route 0.0.0.0 0.0.0.0 1.1.1.1

 

ip access-list ext NAT

permit ip 10.0.0.0 0.0.0.255 any

permit ip 192.168.1.0 0.0.0.255 any

ip access-list extend PBX-ACL

permit host 192.168.1.42 host x.x.x.x

permit host 192.168.1.42 host x.x.x.x

permit host 192.168.1.42 host x.x.x.x

 

route-map PBX-ACL-rm permit 20

match ip address PBX-ACL

 

route-map NAT-RM permit 10

match ip address NAT

 

 

Pinging 8.8.8.8 sourcing from a local interface succeeds and the PBX is able to reach out to the specific hosts without issue but local LAN web traffic just doesn't resolve anything. Any help would be greatly appreciated.

Labels:
0 Helpful
4 Replies 4

Elliot Dierksen
VIP
VIP

‎10-19-2022 06:58 AM

You can't use a single IP for 1 to 1 NAT and a pool. Also, you have a public and private IP on the same interface. That is a very vulnerable configuration from a security perspective.

0 Helpful

koliveira07
Level 1
Level 1
In response to Elliot Dierksen

‎10-20-2022 06:19 PM

Sorry I used random Ips as placeholders. Its safe to assume both IP addresses on the WAN interface (interface Gigabitethernet0/0/0) are the WAN IP and the public LAN ip).

0 Helpful

paul.driver
Level 1
Level 1

‎10-22-2022 12:06 PM - edited ‎10-22-2022 12:07 PM

Hello

@koliveira07 wrote:

Hello,

 am having an issue configuring a one-to-one NAT for a local PBX server to a Single WAN IP, while also Dynamically NATing all other local traffic to another block of IPs provided by the same ISP on the same physical WAN connection

Try the following:

no ip nat source route-map NAT-RM interface GigabitEthernet0/0/0 overload

route-map PBX-ACL-rm permit 20
set ip next hop <secondary nexthop?





0 Helpful

paul driver
VIP
VIP

‎10-23-2022 11:27 AM

Hello

@koliveira07 wrote:

Hello,

 am having an issue configuring a one-to-one NAT for a local PBX server to a Single WAN IP, while also Dynamically NATing all other local traffic to another block of IPs provided by the same ISP on the same physical WAN connection

Try the following:

no ip nat source route-map NAT-RM interface GigabitEthernet0/0/0 overload

route-map PBX-ACL-rm permit 20
set ip next hop <secondary nexthop?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card