IOS NAT issue

peter.williams
Level 1

I am trying to create a NAT statement to allow an Internet address to translate to an inside address with all ports open between them.  Can somebody help with some code examples or suggestions?

For example 208.7.xx.xx ---> 10.0.107.xx

Thank you


The only way I was able to get the ip address to ping is to do this -

ip nat inside source static 10.0.107.11 208.9.113.111
ip nat outside source static 208.9.113.111 10.0.107.11

Now I can't get the application to work.  Are the statements above correct?

Now it does not seem that the translation is working from 208.9.113.111 to 10.0.107.11.

Please let me know if I need some kind of ACL for this to work.

Thank you for your help

Peter,

To answer some questions:
To check that proxy arp is enabled on the interface do ''sh ip interface fas 0/0''
From the two statements that you posted:
ip nat inside source static 10.0.107.11 208.9.113.111
ip nat outside source static 208.9.113.111 10.0.107.11
Only the first one is correct; please remove the second one:
no ip nat outside source static 208.9.113.111 10.0.107.11
Do a ''clear ip nat trans *''
Try again...
Note: No need for ACLs to create translations.

Federico.

I checked the proxy ARP and it is enabled.

I removed the statement that you requested and also cleared the NAT translation, and now the IP address does not ping.  When I do a sh ip nat translation I get -

Pro Inside global      Inside local       Outside local      Outside global
icmp 208.9.113.111:40360 10.0.107.11:40360 208.9.113.110:40360 208.9.113.110:40360
--- 208.9.113.111      10.0.107.11        ---                ---

Please let me know if that is correct

Thank you for your help!

Peter,

The translation is taking place fine, as shown in the output you posted.
If you cannot PING, let's do the following:

You're trying to PING from which IP to which IP (source and destination IP addresses)?

Please post the current output of the following:
sh run | i ip nat
sh run | i ip access-list
sh ip int brief | ex una

Federico.

I am trying to ping from another location 12.21.171.109

sh run | i ip nat
ip nat outside
ip nat inside
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static 10.0.107.11 208.9.113.111


sh run | i ip access-list
There are no access-lists

sh ip int brief | ex una
FastEthernet0/0            208.9.113.111   YES manual up                    up
FastEthernet0/1            10.0.107.15     YES manual up                    up

Thank you

Peter,


You are trying to PING 208.9.113.111 from 12.21.171.109, correct?
If this is so, then traffic will come to the router on its Fas0/0 interface.
Since there are no ACLs the traffic will be permitted.

If the PING fails, try this:
Do a traceroute to that IP and see if the path reaches your router.
i.e.
From a windows machine you can do ''tracert 208.9.113.111'' and check the path and the last hops.

Also,
Can you PING 10.0.107.11 from the router itself?
Please check that the default gateway for 10.0.107.11 is 10.0.107.15

Federico.

I was told by my security engineer that the ASA is blocking the pings from the router that I am trying to set up.  Since we cannot translate the router over the ASA, I am going to configure that ASA to do the translation instead of the router.  I was trying to bypass the ASA altogether but it did not work.

Thank you everybody for your support!
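
An added example, not part of the thread or any participant's post: a short Python audit of the `ip nat` lines quoted above. It flags a one-to-one static entry that forwards every port while the config has no access lists, and a mirrored `ip nat outside source static` entry like the one a reply says to remove. The function name, finding codes and the `acl_count` parameter are assumptions made for this example.

```python
import re

# Constructed sample: the "ip nat" lines quoted in the thread, including the
# mirrored outside entry that one reply says to remove.
SAMPLE_CONFIG = """\
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static 10.0.107.11 208.9.113.111
ip nat outside source static 208.9.113.111 10.0.107.11
"""

# One-to-one static entry with no protocol or port:
#   ip nat <inside|outside> source static <addr> <addr>
STATIC_RE = re.compile(
    r"^ip nat (inside|outside) source static "
    r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$"
)

def audit_nat(config, acl_count=0):
    """Return (code, detail) findings for static NAT lines in config text.

    acl_count is a hypothetical parameter: the number of access lists in
    the running config (the thread reports none). It is a coarse stand-in
    for checking the ACL actually applied to the outside interface.
    """
    inside, outside, findings = [], [], []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue  # dynamic/overload and port-specific entries are skipped
        side, first, second = m.groups()
        (inside if side == "inside" else outside).append((first, second))
    for local, global_ in inside:
        # A full-address static entry translates every protocol and port,
        # so with no ACL the inside host is reachable on all of them.
        if acl_count == 0:
            findings.append(("ALL_PORTS_NO_ACL", f"{global_} -> {local}"))
        # The inside static entry already translates in both directions;
        # a mirrored outside entry is the one the reply says to remove.
        if (global_, local) in outside:
            findings.append(("MIRRORED_OUTSIDE_STATIC", f"{global_} {local}"))
    return findings

if __name__ == "__main__":
    for code, detail in audit_nat(SAMPLE_CONFIG):
        print(code, detail)
```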