
Additional NAT Mapping not active

woolh
Level 1

Hi,

I have the following configuration on my Cisco 881 router.

I added 2 new NAT mappings recently, but they don't seem to work.

All the existing NAT mappings are working fine.

------ Extract of the configuration file ---

version 15.0
no service pad
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
no service dhcp
!
hostname CE-5880068001_Company
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 10
!
ip source-route
!
ip dhcp excluded-address 192.168.1.0 192.168.1.219
ip dhcp excluded-address 192.168.1.251 192.168.1.255
!
ip dhcp pool LAN
   network 192.168.1.0 255.255.255.0
   dns-server 203.116.1.78 203.116.1.94
   default-router 192.168.1.252
!
!
ip cef
ip name-server 203.116.1.78
ip name-server 203.116.1.94
no ipv6 cef

license udi pid CISCO881-K9 sn FGL162622UM
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description SW-E SID 5880068001 NC SID FB0001-NEUC-033971 2Mbps StarHub NGNB SW_E
 ip address 172.24.67.106 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
!
interface Vlan1
 description to_Customer_LAN
 ip address 192.168.1.252 255.255.255.0 secondary
 ip address 123.231.211.17 255.255.255.240
 ip access-group LAN_IN in
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 10 interface Vlan1 overload
ip nat inside source static tcp 192.168.1.33 5445 123.231.211.18 5445 extendable
ip nat inside source static tcp 192.168.1.33 6446 123.231.211.18 6446 extendable
ip nat inside source static tcp 192.168.1.34 5445 123.231.211.19 5445 extendable
ip nat inside source static tcp 192.168.1.34 6446 123.231.211.19 6446 extendable
ip nat inside source static tcp 192.168.1.205 20 123.231.211.20 20 extendable
ip nat inside source static tcp 192.168.1.205 21 123.231.211.20 21 extendable
ip nat inside source static tcp 192.168.1.205 25 123.231.211.20 25 extendable
ip nat inside source static tcp 192.168.1.205 80 123.231.211.20 80 extendable
ip nat inside source static tcp 192.168.1.205 88 123.231.211.20 88 extendable
ip nat inside source static tcp 192.168.1.205 143 123.231.211.20 143 extendable
ip nat inside source static tcp 192.168.1.205 236 123.231.211.20 168 extendable
ip nat inside source static tcp 192.168.1.205 80 123.231.211.20 169 extendable
ip nat inside source static tcp 192.168.1.205 22 123.231.211.20 222 extendable
ip nat inside source static tcp 192.168.1.205 10000 123.231.211.20 10101 extendable
ip nat inside source static tcp 192.168.1.18 3389 123.231.211.21 889 extendable
ip nat inside source static tcp 192.168.1.18 5900 123.231.211.21 5999 extendable
ip nat inside source static tcp 192.168.1.35 5445 123.231.211.22 5445 extendable
ip nat inside source static tcp 192.168.1.35 6446 123.231.211.22 6446 extendable
ip nat inside source static tcp 192.168.1.36 5445 123.231.211.23 5445 extendable
ip nat inside source static tcp 192.168.1.36 6446 123.231.211.23 6446 extendable
ip nat inside source static 192.168.1.10 123.231.211.24
ip nat inside source static tcp 192.168.1.24 22 123.231.211.25 222 extendable
ip route 0.0.0.0 0.0.0.0 172.24.67.105
!
ip access-list extended LAN_IN
 permit tcp host 192.168.1.205 any eq smtp
 deny   tcp any any eq smtp log
 permit ip any any
!
access-list 10 permit 192.168.1.0 0.0.0.255
!

----------- End of File----

Only the line highlighted in RED

"ip nat inside source static tcp 192.168.1.24 22 123.231.211.25 222 extendable"

doesn't work.

Please advise if there is a limit on the number of NAT mappings per router?

Thank you.

11 Replies

Hello,

there is no limit on the number of NAT entries other than available memory. 

Try a route map instead of a list as the source for your dynamic NAT and check if that makes a difference. I have marked the additions/changes in bold:

version 15.0
no service pad
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
no service dhcp
!
hostname CE-5880068001_Company
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 10
!
ip source-route
!
ip dhcp excluded-address 192.168.1.0 192.168.1.219
ip dhcp excluded-address 192.168.1.251 192.168.1.255
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
dns-server 203.116.1.78 203.116.1.94
default-router 192.168.1.252
!
!
ip cef
ip name-server 203.116.1.78
ip name-server 203.116.1.94
no ipv6 cef

license udi pid CISCO881-K9 sn FGL162622UM
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description SW-E SID 5880068001 NC SID FB0001-NEUC-033971 2Mbps StarHub NGNB SW_E
ip address 172.24.67.106 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex full
speed 100
!
interface Vlan1
description to_Customer_LAN
ip address 192.168.1.252 255.255.255.0 secondary
ip address 123.231.211.17 255.255.255.240
ip access-group LAN_IN in
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map DYNAMIC_NAT interface Vlan1 overload
ip nat inside source static tcp 192.168.1.33 5445 123.231.211.18 5445 extendable
ip nat inside source static tcp 192.168.1.33 6446 123.231.211.18 6446 extendable
ip nat inside source static tcp 192.168.1.34 5445 123.231.211.19 5445 extendable
ip nat inside source static tcp 192.168.1.34 6446 123.231.211.19 6446 extendable
ip nat inside source static tcp 192.168.1.205 20 123.231.211.20 20 extendable
ip nat inside source static tcp 192.168.1.205 21 123.231.211.20 21 extendable
ip nat inside source static tcp 192.168.1.205 25 123.231.211.20 25 extendable
ip nat inside source static tcp 192.168.1.205 80 123.231.211.20 80 extendable
ip nat inside source static tcp 192.168.1.205 88 123.231.211.20 88 extendable
ip nat inside source static tcp 192.168.1.205 143 123.231.211.20 143 extendable
ip nat inside source static tcp 192.168.1.205 236 123.231.211.20 168 extendable
ip nat inside source static tcp 192.168.1.205 80 123.231.211.20 169 extendable
ip nat inside source static tcp 192.168.1.205 22 123.231.211.20 222 extendable
ip nat inside source static tcp 192.168.1.205 10000 123.231.211.20 10101 extendable
ip nat inside source static tcp 192.168.1.18 3389 123.231.211.21 889 extendable
ip nat inside source static tcp 192.168.1.18 5900 123.231.211.21 5999 extendable
ip nat inside source static tcp 192.168.1.35 5445 123.231.211.22 5445 extendable
ip nat inside source static tcp 192.168.1.35 6446 123.231.211.22 6446 extendable
ip nat inside source static tcp 192.168.1.36 5445 123.231.211.23 5445 extendable
ip nat inside source static tcp 192.168.1.36 6446 123.231.211.23 6446 extendable
ip nat inside source static 192.168.1.10 123.231.211.24
ip nat inside source static tcp 192.168.1.24 22 123.231.211.25 222 extendable
ip route 0.0.0.0 0.0.0.0 172.24.67.105
!

route-map DYNAMIC_NAT permit 10
match ip address 10
!
ip access-list extended LAN_IN
permit tcp host 192.168.1.205 any eq smtp
deny tcp any any eq smtp log
permit ip any any
!
access-list 10 permit 192.168.1.0 0.0.0.255

In addition to the above, you can try the option below as well.

Exclude 192.168.1.24 from access-list 10.

ip nat inside source list 10 interface Vlan1 overload

access-list 10 permit 192.168.1.0 0.0.0.255

HTH

-Amit

Can you advise what the command is to exclude 192.168.1.24 from access-list 10?

Sorry, I am a newbie at this...

(config)#ip access-list standard 10
(config-std-nacl)#5 deny 192.168.1.24 0.0.0.0

HTH

-Amit

I suspect there might be something wrong with my current router. Tested using another router and I was able to map my internal IP to a public IP.

Thank you for all the responses.

Best Regards,

Lin Hon

Hi Lin,

Have you tried excluding the IP address from the ACL as suggested in previous reply?

HTH

-Amit

I tested the configuration above, but it still doesn't work. :-(

Hello,

Try adding the route map to your static NAT entry:

ip nat inside source static tcp 192.168.1.24 22 123.231.211.25 222 extendable route-map DYNAMIC_NAT

I did some further testing.

Weirdly, the following NAT mappings work:

ip nat inside source static tcp 192.168.1.33 5445 123.231.211.25 222 extendable

ip nat inside source static tcp 192.168.1.205 80 123.231.211.25 80 extendable

I also tested the following NAT mapping which doesn't work:

ip nat inside source static tcp 192.168.1.24 22 123.231.211.18 222 extendable

The device I am trying to link up is an Ubuntu server 16.04.1 LTS.

All the firewalls on the Ubuntu server are set to accept all incoming and outgoing.

I also tested the ports of the Ubuntu server on the LAN; the ports are working.

Not sure why, when they are being mapped, they simply don't work.

Hello,

I think we were under the assumption that your one static NAT entry doesn't show up in the NAT translation table of the Cisco. 

Are you using Ubuntu's Uncomplicated Firewall?

Hello

ip nat inside source list 10 interface Vlan1 overload

Performing NAT on an inside interface?

Shouldn't this be your outside interface of FastEthernet4?

ip nat inside source list 10 interface FastEthernet4 overload

res

paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
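
An added example, not part of any post in this thread: a small offline audit of `ip nat inside source static` port-forward lines that reports global sockets claimed by more than one inside host and lists the statically mapped hosts that the overload ACL also matches, which is the overlap the replies suggest excluding. The function names are hypothetical, the sample lines are constructed in the style of the posted configuration, and the ACL check handles only the numbered `permit`/`deny` network-plus-wildcard form.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: lines in the style of the configuration posted in the thread.
# The last static entry is added here to exercise the collision check.
SAMPLE_CONFIG = """\
ip nat inside source list 10 interface Vlan1 overload
ip nat inside source static tcp 192.168.1.205 22 123.231.211.20 222 extendable
ip nat inside source static tcp 192.168.1.24 22 123.231.211.25 222 extendable
ip nat inside source static tcp 192.168.1.33 5445 123.231.211.25 222 extendable
access-list 10 permit 192.168.1.0 0.0.0.255
"""

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", re.M)
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+) (\S+)$", re.M)
OVERLOAD_RE = re.compile(r"^ip nat inside source list (\d+) interface \S+ overload", re.M)

def parse_static(config):
    """Return (proto, inside_ip, inside_port, global_ip, global_port) tuples."""
    return [(p, li, int(lp), gi, int(gp))
            for p, li, lp, gi, gp in STATIC_RE.findall(config)]

def global_collisions(entries):
    """Global sockets (proto, ip, port) claimed by more than one inside host."""
    seen = defaultdict(set)
    for proto, inside, _, gip, gport in entries:
        seen[(proto, gip, gport)].add(inside)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def acl_permits(config, acl, host):
    """First-match check of a numbered standard ACL (network + wildcard form only)."""
    h = int(ip_address(host))
    for num, action, net, wild in ACL_RE.findall(config):
        care = ~int(ip_address(wild)) & 0xFFFFFFFF  # wildcard 0-bits must match
        if num == acl and (h ^ int(ip_address(net))) & care == 0:
            return action == "permit"
    return False  # implicit deny ends every ACL

def overload_overlap(config):
    """Inside hosts with a static entry that the overload ACL also matches."""
    m = OVERLOAD_RE.search(config)
    if not m:
        return []
    hosts = {e[1] for e in parse_static(config)}
    return sorted(h for h in hosts if acl_permits(config, m.group(1), h))

if __name__ == "__main__":
    print(global_collisions(parse_static(SAMPLE_CONFIG)))
    print(overload_overlap(SAMPLE_CONFIG))
```

The same port-forward list doubles as an inventory of services reachable from outside, so it is worth reviewing whenever a mapping is added.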