08-15-2024 02:22 PM
Hi,
I am trying to NAT from OUTSIDE to Inside (the red line), but unfortunately it is not working properly. At the same time, from Inside to Outside (the green line) it is working fine. The configuration is mentioned below; thanks for your assistance.
ISP01#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.202.200.100:61294 10.10.13.200:61294 192.168.2.100:61294 192.168.2.100:61294
icmp 202.202.200.100:61806 10.10.13.200:61806 192.168.2.100:61806 192.168.2.100:61806
icmp 202.202.200.100:62318 10.10.13.200:62318 192.168.2.100:62318 192.168.2.100:62318
icmp 202.202.200.100:62830 10.10.13.200:62830 192.168.2.100:62830 192.168.2.100:62830
--- 202.202.200.100 10.10.13.200 --- ---
ISP01#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 202.202.200.100:6767 10.10.13.200:6767 192.168.2.100:6767 192.168.2.100:6767
icmp 202.202.200.100:7279 10.10.13.200:7279 192.168.2.100:7279 192.168.2.100:7279
icmp 202.202.200.100:7791 10.10.13.200:7791 192.168.2.100:7791 192.168.2.100:7791
icmp 202.202.200.100:61294 10.10.13.200:61294 192.168.2.100:61294 192.168.2.100:61294
icmp 202.202.200.100:61806 10.10.13.200:61806 192.168.2.100:61806 192.168.2.100:61806
icmp 202.202.200.100:62318 10.10.13.200:62318 192.168.2.100:62318 192.168.2.100:62318
icmp 202.202.200.100:62830 10.10.13.200:62830 192.168.2.100:62830 192.168.2.100:62830
--- 202.202.200.100 10.10.13.200 --- ---
SP01#show running-config | sec ip nat
ip nat inside
ip nat outside
ip nat pool POOL28-13 202.202.200.100 202.202.200.150 netmask 255.255.255.0
ip nat pool POOLOUT 202.202.200.50 202.202.200.100 netmask 255.255.255.0
ip nat inside source list 1 pool POOL28-13
ISP01#show running-config | sec access
access-list 1 permit 10.10.28.0 0.0.0.255 log
access-list 1 permit 10.10.13.0 0.0.0.255 log
SP01#show ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 20.20.20.2 YES NVRAM up up
GigabitEthernet0/1 202.202.200.2 YES NVRAM up up
GigabitEthernet0/2 unassigned YES NVRAM down down
GigabitEthernet0/3 unassigned YES NVRAM down down
Loopback0 10.10.100.5 YES NVRAM up up
NVI0 20.20.20.2 YES unset up up
ISP01#show running-config
interface Loopback0
ip address 10.10.100.5 255.255.255.255
!
interface GigabitEthernet0/0
ip address 20.20.20.2 255.255.255.252
ip nat inside
interface GigabitEthernet0/1
ip address 202.202.200.2 255.255.255.0
ip nat outside
router ospf 1
router-id 10.10.100.5
network 0.0.0.0 255.255.255.255 area 0
!
ip nat pool POOL28-13 202.202.200.100 202.202.200.150 netmask 255.255.255.0
ip nat pool POOLOUT 202.202.200.50 202.202.200.100 netmask 255.255.255.0
ip nat inside source list 1 pool POOL28-13
ip nat outside source list ACLOUT pool POOLOUT add-route
!
ip access-list standard ACLOUT
permit 202.202.200.0 0.0.0.255 log
access-list 1 permit 10.10.28.0 0.0.0.255 log
access-list 1 permit 10.10.13.0 0.0.0.255 log
!
--------------------------------------------------------------------------
VPC2-100 NOT WORKING From OUTSIDE-INSIDE
VPCS> show
NAME IP/MASK GATEWAY GATEWAY
VPCS1 192.168.2.100/24 192.168.2.1
fe80::250:79ff:fe66:681c/64
VPCS> ping 10.10.13.200
10.10.13.200 icmp_seq=1 timeout
10.10.13.200 icmp_seq=2 timeout
10.10.13.200 icmp_seq=3 timeout
--------------------------------------------------------------------------
VPC13-200 WORKING From INSIDE-OUTSIDE
VPCS> show
NAME IP/MASK GATEWAY GATEWAY
VPCS1 10.10.13.200/24 10.10.13.1
fe80::250:79ff:fe66:6821/64
VPCS> ping 192.168.2.100
84 bytes from 192.168.2.100 icmp_seq=1 ttl=60 time=7.621 ms
84 bytes from 192.168.2.100 icmp_seq=2 ttl=60 time=4.970 ms
84 bytes from 192.168.2.100 icmp_seq=3 ttl=60 time=4.098 ms
84 bytes from 192.168.2.100 icmp_seq=4 ttl=60 time=3.770 ms
^C
--------------------------------------------------------------------------
08-15-2024 02:28 PM
You use dynamic NAT, which is unidirectional.
You need static NAT, which is bidirectional:
ip nat inside source static <real IP> <mapped IP>
MHM
08-16-2024 06:05 AM
By this I can do one-to-one static mapping, not multiple IPs. Right?
08-16-2024 06:16 AM - edited 08-16-2024 08:30 AM
Yes friend, one-to-one is the only NAT that is bidirectional.
Note: one-to-one can be IP to IP or port to port. In the case of port to port, you can use many internal IPs mapped to one IP, but using the L4 port. Just want to clarify this point.
MHM
08-16-2024 07:35 AM
Hello
@MHM Cisco World wrote:
one to one is only NAT that it bidirectional
This is incorrect; as I have said, NAT reversible can be used.
08-16-2024 08:46 AM
Friend, I follow your statement and hope you share a lab using reversible: a pool of IPs to a list of IPs, and how the router maps this IP to this IP.
Anyway, maybe I am wrong.
But that is what I know.
MHM
08-16-2024 09:43 AM - edited 08-16-2024 09:56 AM
Hello
Not completed a lab for a while, but here you go as requested. See attached.
08-16-2024 09:52 AM - edited 08-16-2024 09:53 AM
Friend, the ping from out to in is allowed for a short time; during this time the mapped-to-real IP entry appears in the NAT table.
What you do is ping from in to out; the NAT router adds an entry, and then the ping from out to in succeeds since there is an entry.
Try instead pinging directly from out to in without first pinging from in to out.
The ping will fail for sure.
He needs a static entry in the NAT table, and this needs static NAT, IP to IP or port to port.
MHM
08-16-2024 01:04 PM
Hello
@MHM Cisco World wrote:
Try instead ping directly from out to in without first ping from in to out.
That is not a feature of NAT reversible. It requires an initiation from the internal host first, to create the 1-to-1 mapping, but thereafter the extendable mappings are not required. The other way is indeed multiple static mappings, but then you'll need a lot of static map statements, plus you'll have no control over traffic initiation.
08-16-2024 07:36 AM
To update you, there is another Cisco solution for one-to-many NAT access from outside; check the link below.
MHM
08-16-2024 08:26 AM
Hello
@MHM Cisco World wrote:
This is DNAT, which isn't applicable to the OP's request. DNAT can be used, for example, when you have an internal server cluster which you would like to LB using a single inside global IP address.
08-15-2024 11:39 PM
Hello
You can reverse the NAT connection on dynamic NAT to create the 1-to-1 mapping required so external hosts can connect back inside even when the extended NAT states expire. However, please note that the 1-to-1 mapping will only be valid until the NAT table is manually cleared; then initiation by the inside host is required again to re-create those NAT entries.
no ip nat pool POOLOUT 202.202.200.50 202.202.200.100 netmask 255.255.255.0
no ip nat outside source list ACLOUT pool POOLOUT add-route
ip nat inside source list 1 pool POOL28-13 reversible
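The three behaviours debated in this thread (dynamic NAT only translating outside-initiated traffic while an inside-created entry exists, static IP-to-IP or port-to-port entries always being reachable, and a "reversible" 1-to-1 entry surviving idle timeouts but not a manual clear) can be seen side by side in the following toy model. This is an added example written for this thread, not IOS code and not from any of the posters; it collapses the idle timers and extended flow entries into a single `timeout()` call, uses the addresses from the original post, and the static mappings, the hosts 10.10.13.201/.202 and the ports are constructed for illustration.

```python
"""Toy model of a Cisco-style NAT translation table.

Constructed illustration of the behaviour discussed in this thread; it is not
IOS code. Timers and "extended" flow entries are collapsed into timeout().
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

INSIDE_LOCAL = "10.10.13.200"                                # VPC13-200 (from the post)
INSIDE_GLOBAL_POOL = ["202.202.200.100", "202.202.200.101"]  # first two addresses of POOL28-13
OUTSIDE_HOST = "192.168.2.100"                               # VPC2-100 (from the post)

Translation = Optional[Tuple[str, Optional[int]]]            # (inside_local, port) or None


@dataclass
class NatRouter:
    mode: str                    # "dynamic" or "reversible"
    pool: List[str]              # inside global addresses available
    # dynamic 1-to-1 entries learned from inside-initiated traffic: inside_global -> inside_local
    table: Dict[str, str] = field(default_factory=dict)
    # ip nat inside source static <local> <global>: inside_local -> inside_global
    static: Dict[str, str] = field(default_factory=dict)
    # ip nat inside source static tcp <local> <lport> <global> <gport> (port-to-port)
    static_pat: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def inside_to_outside(self, src_local: str) -> Optional[str]:
        """Translate an inside-initiated packet; returns the inside global address used."""
        if src_local in self.static:
            return self.static[src_local]
        for g, l in self.table.items():          # reuse an existing dynamic entry
            if l == src_local:
                return g
        free = [a for a in self.pool if a not in self.table]
        if not free:
            return None                          # pool exhausted: packet is dropped
        self.table[free[0]] = src_local          # this is the "--- global local --- ---" row
        return free[0]

    def outside_to_inside(self, dst_global: str, dport: Optional[int] = None) -> Translation:
        """Translate an outside-initiated packet; None means no entry, so it never reaches inside."""
        if dport is not None and (dst_global, dport) in self.static_pat:
            return self.static_pat[(dst_global, dport)]
        for l, g in self.static.items():
            if g == dst_global:
                return (l, dport)
        if dst_global in self.table:             # only present if the inside host spoke first
            return (self.table[dst_global], dport)
        return None

    def timeout(self) -> None:
        """Idle timers expire: plain dynamic entries go away, reversible 1-to-1 entries stay."""
        if self.mode != "reversible":
            self.table.clear()

    def clear_translations(self) -> None:
        """Equivalent of 'clear ip nat translation *': every learned entry is gone."""
        self.table.clear()


def scenario_dynamic() -> Tuple[Translation, Translation, Translation]:
    """Outside-in before, during and after an inside-initiated entry, plain dynamic NAT."""
    r = NatRouter("dynamic", INSIDE_GLOBAL_POOL)
    before = r.outside_to_inside("202.202.200.100")   # nothing in the table yet
    r.inside_to_outside(INSIDE_LOCAL)                  # inside host pings out first
    during = r.outside_to_inside("202.202.200.100")   # entry exists, reply path works
    r.timeout()
    after = r.outside_to_inside("202.202.200.100")    # entry aged out again
    return before, during, after


def scenario_reversible() -> Tuple[Translation, Translation, Translation]:
    """Same sequence with the reversible keyword: the 1-to-1 entry survives timeout, not clear."""
    r = NatRouter("reversible", INSIDE_GLOBAL_POOL)
    before = r.outside_to_inside("202.202.200.100")
    r.inside_to_outside(INSIDE_LOCAL)
    r.timeout()
    after_timeout = r.outside_to_inside("202.202.200.100")
    r.clear_translations()
    after_clear = r.outside_to_inside("202.202.200.100")
    return before, after_timeout, after_clear


def scenario_static() -> Tuple[Translation, Translation, Translation, Translation]:
    """Static IP-to-IP and port-to-port entries answer outside-in without any inside traffic."""
    r = NatRouter("dynamic", INSIDE_GLOBAL_POOL)
    r.static[INSIDE_LOCAL] = "202.202.200.110"                      # constructed IP-to-IP mapping
    r.static_pat[("202.202.200.120", 8080)] = ("10.10.13.201", 80)  # constructed port-to-port:
    r.static_pat[("202.202.200.120", 8443)] = ("10.10.13.202", 443)  # two inside hosts, one global IP
    return (r.outside_to_inside("202.202.200.110"),
            r.outside_to_inside("202.202.200.120", 8080),
            r.outside_to_inside("202.202.200.120", 8443),
            r.outside_to_inside("202.202.200.120", 22))              # no entry for this port


if __name__ == "__main__":
    print("dynamic   :", scenario_dynamic())
    print("reversible:", scenario_reversible())
    print("static    :", scenario_static())
```

Running it shows why the OP's outside-to-inside ping fails while inside-to-outside works: with plain dynamic NAT there is no entry for 202.202.200.100 until 10.10.13.200 sends something, and the entry disappears again on timeout. With `reversible` the 1-to-1 entry persists after the inside host has spoken once, until the table is cleared; only the static entries are reachable from outside with no prior inside traffic at all.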
08-16-2024 06:07 AM
I have edited the config with the reversible option (now shown below), but it is still not working.
ISP01#show running-config | sec ip nat
ip nat inside
ip nat outside
ip nat pool POOL28-13 202.202.200.100 202.202.200.150 netmask 255.255.255.0
ip nat inside source list 1 pool POOL28-13
ISP01#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ISP01(config)#do show run | sec acce
ISP01(config)#do show run | sec acce
ip access-list standard ACLOUT
permit 202.202.200.0 0.0.0.255 log
access-list 1 permit 10.10.28.0 0.0.0.255 log
access-list 1 permit 10.10.13.0 0.0.0.255 log
access-list 1 permit 10.10.22.0 0.0.0.255 log
ISP01(config)#end
08-16-2024 07:30 AM - edited 08-16-2024 10:08 AM
Hello
You probably need to change the NAT statement to use a route-map for the reversible option to be appended correctly.
Example:
conf t
no ip nat inside source list 1 pool POOL28-13
route-map NAT
match ip address 1
! outside interface of ISP01 (written "gig01" in the original reply)
match interface GigabitEthernet0/1
ip nat inside source route-map NAT pool POOL28-13 reversible