12-03-2017 01:54 PM - edited 03-05-2019 09:35 AM
I am using an older Cisco 892 at our client's. I must use ppp to set up communication - so my primary interface is Dialer0. The config is getting IP from IPCP (ip address negotiated) and is getting a static address, x.x.x.97/32. I have another IP routed to this interface from the provider, x.x.x.96/32. (x.x.x is the same for both).
I need to have the traffic from my network routed to the primary address (.97), and I have a mail server which should use the secondary address.
If I configure
ip nat inside source static 10.1.10.15 x.x.x.96
everything works fine and this server is presenting itself to the outside world with .96.
Now I need to break things up and map certain ports to this server, certain ports to another server (implementing a new mail server and I need port 443, for starters, to point to another server). Hence, I do
ip nat inside source route-map NAT-INTERNET-BACKUP interface Dialer0 overload
ip nat inside source static tcp 10.1.10.15 22 x.x.x.96 22 extendable
ip nat inside source static tcp 10.1.10.15 25 x.x.x.96 25 extendable
ip nat inside source static tcp 10.1.10.15 110 x.x.x.96 110 extendable
ip nat inside source static tcp 10.1.10.15 143 x.x.x.96 143 extendable
ip nat inside source static tcp 10.1.10.66 443 x.x.x.96 443 extendable
ip nat inside source static tcp 10.1.10.15 465 x.x.x.96 465 extendable
ip nat inside source static tcp 10.1.10.15 993 x.x.x.96 993 extendable
ip nat inside source static tcp 10.1.10.24 53 x.x.x.97 53 extendable
ip nat inside source static tcp 172.29.127.100 80 x.x.x.97 80 extendable
ip nat inside source static tcp 172.29.127.100 443 x.x.x.97 443 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0 50
and
route-map NAT-INTERNET-BACKUP permit 10
match ip address 100
match interface Dialer0
Now, the traffic from both .15 and .66 is presented to the outside world as coming from .97. Inbound traffic to .96 is still flowing OK though, no problems there.
How do I persuade the thing to use outside IP .96 for inside IPs .15 and .66?
I have somehow come to:
no ip nat inside source route-map NAT-INTERNET-BACKUP interface Dialer0 overload
ip access-list extended SUBNET_NAT
deny ip host 10.1.10.66 any
permit ip 10.1.0.0 0.0.255.255 any
ip access-list extended HOST_NAT
permit ip host 10.1.10.66 any
route-map HOST_POOL permit 10
match ip address HOST_NAT
match interface Dialer0
route-map NAT_OVRLD permit 10
match ip address SUBNET_NAT
match interface Dialer0
ip nat pool mypool x.x.x.96 x.x.x.97 prefix-length 32
ip nat inside source route-map HOST_POOL pool mypool overload
ip nat inside source route-map NAT_OVRLD interface Dialer0
What I'm struggling with is the definition of pool (both addresses are /32) and the question whether this will work at all and where to use my existing access-list 100.
Anybody able to offer some help to a Cisco noob? ;)
12-09-2017 11:19 AM - edited 12-10-2017 03:16 AM
Hi Schoo,
In order to do this you have to create two NAT processes; one for x.x.x.96/32 and one for x.x.x.97/32. You would exclude through an access list. The configuration would look something like the one found in the following thread:
The example in the above thread uses 5 public addresses; one assigned to the WAN interface (Dia0 in your case), the other addresses will be assigned with the NAT pool. The config would look something like this:
gi0/1
ip address x.x.x.96 255.255.255.248 (use mask given to you by your ISP)
ip nat pool server x.x.x.97 x.x.x.97 netmask 255.255.255.248
ip nat inside source list 101 interface Dialer0 overload <------- Default NAT
ip nat inside source list 102 pool server overload
access-list 101 deny ip 10.1.10.16 0.0.0.15 any
access-list 101 permit ip 10.1.10.0 0.0.0.255 any
access-list 102 permit ip 10.1.10.16 0.0.0.15 any
In this scenario any machine with an IP address from 10.1.10.17 - 10.1.10.31 will go out on IP x.x.x.97. Everything else in the network will go out x.x.x.96.
You can then apply your inbound port translations as needed.
Cheers,
Sam
12-10-2017 11:43 PM
Hi Sam,
thank you for your feedback. Did a lot of digging and enlisted also some local guru help, so now I finally understand the concept a little better. In the end it all came down to a couple of simple modifications to the config:
1st, deny the usage of the standard assigned IP on Dia0:
ip access-list extended 100
1 deny ip host 10.1.10.15 any
2 deny ip host 10.1.10.66 any
Make new ACL for the servers I want to push out the other IP:
access-list 108 permit ip host 10.1.10.15 any
access-list 108 permit ip host 10.1.10.66 any
Make new NAT Pool for the other IP
ip nat pool IP96 x.x.x.96 x.x.x.96 netmask 255.255.255.0
And make assignment
ip nat inside source list 108 pool IP96 overload
Thanks to the Cisco community, the system is working now as it should.
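As an added illustration of the selection logic this thread turns on (it is not anything posted by Schoo or Sam, and it is a model of IOS behaviour rather than IOS itself), the Python below evaluates wildcard-mask ACLs with the implicit deny and then walks the NAT rules: static port entries are assumed to match only their own inside ip:port, and dynamic "ip nat inside source list ..." rules are assumed to be tried in the order given. 203.0.113.96/.97 are placeholders for x.x.x.96/.97, and the contents of the original ACL 100 (the whole 10.1.10.0/24 LAN) are an assumption, since the thread never shows it.

```python
"""Model of outbound Cisco IOS NAT selection for the two configs in the thread.

Assumptions (illustration, not IOS): static port translations are checked
first; dynamic list-based rules are then tried in the order given, each gated
by an ACL with IOS's implicit deny. 203.0.113.x stands in for x.x.x.
"""
import ipaddress
from dataclasses import dataclass

IP96 = "203.0.113.96"  # placeholder for x.x.x.96 (the routed address)
IP97 = "203.0.113.97"  # placeholder for x.x.x.97 (the Dialer0 address)


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class AclEntry:
    action: str    # "permit" or "deny"
    network: str
    wildcard: str  # IOS wildcard: 0 bit = must match, 1 bit = don't care

    def matches(self, src: str) -> bool:
        care = ~ip_int(self.wildcard) & 0xFFFFFFFF
        return (ip_int(src) & care) == (ip_int(self.network) & care)


def parse_acl(lines):
    """Parse 'permit|deny ip <host A | A WILD | any> any' lines (source side only)."""
    entries = []
    for line in lines:
        tok = line.split()
        action, src = tok[0], tok[2:]
        if src[0] == "host":
            net, wild = src[1], "0.0.0.0"
        elif src[0] == "any":
            net, wild = "0.0.0.0", "255.255.255.255"
        else:
            net, wild = src[0], src[1]
        entries.append(AclEntry(action, net, wild))
    return entries


def acl_permits(entries, src: str) -> bool:
    for e in entries:            # first matching entry decides
        if e.matches(src):
            return e.action == "permit"
    return False                 # implicit deny at the end of every IOS ACL


@dataclass
class StaticPort:
    inside_ip: str
    inside_port: int
    outside_ip: str


@dataclass
class DynamicRule:
    acl: list          # parsed ACL entries
    outside_ip: str    # interface address (overload) or single-address pool


def outbound_source(static, dynamic, src_ip: str, src_port: int):
    """Outside address a packet from src_ip:src_port leaves with, or None."""
    for s in static:   # a static port entry only matches its own inside ip:port
        if (s.inside_ip, s.inside_port) == (src_ip, src_port):
            return s.outside_ip
    for r in dynamic:
        if acl_permits(r.acl, src_ip):
            return r.outside_ip
    return None        # no rule matched: the packet is not translated


def overlapping_hosts(acl_a, acl_b, hosts):
    """Hosts permitted by both ACLs. Non-empty means the result depends on
    rule order; the deny lines in the final ACL 100 are what keep this empty."""
    return [h for h in hosts if acl_permits(acl_a, h) and acl_permits(acl_b, h)]


# Two of the static port forwards from the question.
STATIC = [StaticPort("10.1.10.15", 25, IP96), StaticPort("10.1.10.66", 443, IP96)]

# Assumed content of the original ACL 100 (not shown in the thread): the whole LAN.
ACL100_ORIGINAL = parse_acl(["permit ip 10.1.10.0 0.0.0.255 any"])
ORIGINAL = [DynamicRule(ACL100_ORIGINAL, IP97)]   # only the Dialer0 overload rule

# The final fix: deny the two servers in ACL 100, permit them in ACL 108 -> pool IP96.
ACL100_FIXED = parse_acl(["deny ip host 10.1.10.15 any",
                          "deny ip host 10.1.10.66 any",
                          "permit ip 10.1.10.0 0.0.0.255 any"])
ACL108 = parse_acl(["permit ip host 10.1.10.15 any",
                    "permit ip host 10.1.10.66 any"])
FIXED = [DynamicRule(ACL100_FIXED, IP97), DynamicRule(ACL108, IP96)]

if __name__ == "__main__":
    # Outbound SMTP from the mail server uses an ephemeral source port, so the
    # static 25->25 entry never matches it; only the dynamic rules decide.
    print(outbound_source(STATIC, ORIGINAL, "10.1.10.15", 51234))  # 203.0.113.97
    print(outbound_source(STATIC, FIXED, "10.1.10.15", 51234))     # 203.0.113.96
    print(overlapping_hosts(ACL100_FIXED, ACL108, ["10.1.10.15", "10.1.10.24"]))  # []
```

The point the model makes explicit: the per-port static entries only cover connections that use those inside ports, so the mail server's own outgoing connections (ephemeral source port) fall through to the dynamic rules, and with only the Dialer0 overload rule in place they leave as .97. Denying the two hosts in ACL 100 and permitting them in ACL 108 makes the two dynamic lists disjoint, so the outcome no longer depends on which NAT statement the router evaluates first.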