Cannot translate private to public IP address using NAT configuration for internet access

edryanalburo1
Level 1

branch.jpg

Equipment:

1. I have 5 workstations with 2 servers but the backup server (black) is shut down intentionally.

2. I have 1 Cisco gigabit unmanaged 8-port switch and 1 Cisco 1941 VPN router.

Scenario:

The Cisco 1941 VPN router is configured for IPVPN connection to other branches.

Challenge:

1. Configure NAT to enable the 5 workstations to be connected to the internet through the router to the ISP.

2. Configure NAT to enable the server to be accessed from outside using the public IP address provided by the ISP.

Workstation Settings: (sample workstation)

IP Address: 10.71.5.3

Subnet mask: 255.255.255.0

Default GW: 10.71.5.1

Cisco 1941 VPN Router settings:

GE0/0 : 10.71.5.1

GE0/1 : 24.6.18.222

Serial : 192.168.15.2

IP Route: 192.168.15.1 (configured thru CLI)

ISP settings from modem router with wifi:

Public IP: 24.6.18.221 (WAN IP Address)

Default GW: 24.6.18.1

Device IP Address : 10.71.5.100 255.255.255.0 (dhcp on wifi)

NAT configuration: (I have configured the following)

int ge0/0

ip nat inside

int ge0/1

ip nat outside

ip access-list INTERNET_ACCESS

permit 10.71.5.0 0.0.0.255

ip nat inside source list INTERNET_ACCESS interface ge0/1 overload

ip nat inside source static 10.71.5.2 interface ge0/1

Actual Configuration: (the above commands were removed because they weren't working)

Building configuration...

Current configuration : 1887 bytes

!

! Last configuration change at 03:46:50 UTC Sat May 5 2012

! NVRAM config last updated at 03:50:52 UTC Sat May 5 2012

! NVRAM config last updated at 03:50:52 UTC Sat May 5 2012

version 15.1

service config

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname Test

!

boot-start-marker

boot-end-marker

!

!

enable password ********************

!

no aaa new-model

!

no ipv6 cef

ip source-route

ip cef

!

!

!

!

!

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

!

license udi pid CISCO1941/K9

!

!

!

!

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description LINE TO SWITCH

ip address 10.71.5.1 255.255.255.0

duplex full

speed 1000

!

interface GigabitEthernet0/1

description LINE TO INTERNET

ip address 24.6.18.222 255.255.255.254

no ip address

duplex full

speed auto

!

interface Serial0/0/0

no ip address

encapsulation frame-relay IETF

frame-relay lmi-type ansi

!

interface Serial0/0/0.1 point-to-point

ip address 192.168.15.2 255.255.255.252

frame-relay interface-dlci 45

!

interface Serial0/0/1

no ip address

shutdown

clock rate 2000000

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 192.168.15.1

!

!

!

!

control-plane

!

!

line con 0

password ***************

login

line aux 0

password ***************

login

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

exec-timeout 0 0

password ********************

logging synchronous

login

transport input all

!

scheduler allocate 20000 1000

end

Verification:

1. I can ping other PCs on the 10.71.5.0/24 network.

2. When I typed the ISP's public IP address into the browser, I got into the modem user interface for configuration.

Problem:

1. I still can't connect to the internet. When I do a tracert, it stops at the 192.168.15.1 hop and doesn't continue. This shouldn't be the case, since I want to connect using the GE0/1 outside port for the internet.

Guys, please help. Thank you.

(NOTE: IP addresses are not the actual addresses.)

6 Replies

edryanalburo1
Level 1

When I was configuring NAT (which doesn't work), the NVI0 interface appeared with the same IP address as the router. Is this necessary? How can I remove this interface?

2. When I typed the ISP's public IP address into the browser, I got into the modem user interface for configuration.

^ This should point to the web server based on my NAT configuration.

Please help, guys. I'm trying my best. Hope someone can guide me on this. Thanks in advance.

hi ed,

try the commands below on your 1941:

no ip route 0.0.0.0 0.0.0.0 192.168.15.1

ip route 0.0.0.0 0.0.0.0 24.6.18.221

int g0/0

ip nat inside

int g0/1

ip nat outside

access-list 1 permit 10.71.5.0 0.0.0.255

ip nat inside source list 1 interface g0/1 overload

hi john,

Can I keep both IP routes? The 192.168.15.1 route is for the IPVPN connection.

If so, how do I prioritize routes?

hi ed,

you can add more static routes if you want your 1941 to reach specific subnets behind 192.168.15.1.

ip route <remote-subnet> <subnet-mask> 192.168.15.1

specific routes are consulted first in the routing table before packets are sent via the default route (0.0.0.0/0).

hi john,

Thank you for that. I'll give it a try once everything on my network is set up.

By the way, in my first post I was asking whether I can get into my network, or even just my web server, using the IP provided by the ISP for my internet, by using NAT?

here's the command:

ip nat inside source static 10.71.5.2 interface ge0/1

The IP 10.71.5.2 is the sample IP of my web server, and the interface ge0/1 is the port where my internet is connected.

The IP of ge0/1 is configured on the port.

Can you guide me on this part, sir?

Thank you.

hi ed,

yes, you can. I slightly modified your config to directly use the WAN IP address instead of using the interface. you would usually choose the interface for static NAT if the WAN IP changes or is obtained dynamically (via DHCP) from the ISP.

ip nat inside source static tcp 10.71.5.2 80 24.6.18.222 80

please help rate useful post. thanks!
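
The two points made in the replies above (a specific route is preferred over the default route, and a port-specific static NAT entry exposes only that port of the web server), as an added Python model that is not part of the original thread. The branch subnet 10.71.6.0/24, the test destination 198.51.100.7 and the function names are assumptions, and the address-wide static entry is modelled here as a one-to-one mapping.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

CONNECTED = [("10.71.5.0/24", "connected Gi0/0"),
             ("192.168.15.0/30", "connected Se0/0/0.1")]
# As posted: the only default route points at the IPVPN peer.
AS_POSTED = CONNECTED + [("0.0.0.0/0", "192.168.15.1")]
# After the reply: default route to the ISP, specific route for the VPN.
# 10.71.6.0/24 is a hypothetical branch subnet, not taken from the thread.
AFTER_FIX = CONNECTED + [("0.0.0.0/0", "24.6.18.221"),
                         ("10.71.6.0/24", "192.168.15.1")]

def inbound(static_entries, proto, dst_ip, dst_port):
    """Return the inside (ip, port) an unsolicited inbound packet maps to, or None."""
    for e_proto, g_ip, g_port, l_ip, l_port in static_entries:
        if g_ip != dst_ip:
            continue
        if e_proto is None:            # address-wide entry: every port is forwarded
            return (l_ip, dst_port)
        if (e_proto, g_port) == (proto, dst_port):
            return (l_ip, l_port)
    return None                        # not forwarded to the inside host

# Assumption: the address-wide static form is modelled as one-to-one for all ports.
ADDRESS_WIDE = [(None, "24.6.18.222", None, "10.71.5.2", None)]
# ip nat inside source static tcp 10.71.5.2 80 24.6.18.222 80
PORT_80_ONLY = [("tcp", "24.6.18.222", 80, "10.71.5.2", 80)]

if __name__ == "__main__":
    internet = "198.51.100.7"          # constructed test destination
    print("as posted, internet via:", next_hop(AS_POSTED, internet))
    print("after fix, internet via:", next_hop(AFTER_FIX, internet))
    print("after fix, branch via  :", next_hop(AFTER_FIX, "10.71.6.20"))
    for name, table in (("address-wide", ADDRESS_WIDE), ("tcp/80 only", PORT_80_ONLY)):
        for port in (80, 3389):
            print(name, "tcp", port, "->", inbound(table, "tcp", "24.6.18.222", port))
```

With the port-specific entry, only TCP 80 on the WAN address reaches 10.71.5.2; any other service running on the server stays unreachable from outside.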
