12-04-2010 02:11 PM - edited 03-04-2019 10:41 AM
I'm relatively new to Cisco hardware but have been in the IT community for over a decade, and I am a little perplexed as to why this router is doing what it is. Here goes...
I have a 2911 configured to connect to the Internet on gig0/0 with DHCP enabled and configured as the outside NAT interface. Further, I have NAT set up with gig0/1 as the internal interface. I have configured the firewall (Basic Mode) to allow required traffic to pass between the interfaces. There are several ports forwarded through NAT, including SMTP, RDP, and SSL. All traffic is flowing as expected except traffic through the IPSec tunnels to the ports on the hosts that have been forwarded to through NAT. In other words, I can connect to file shares, ping, remotely manage the systems through the tunnel, etc., but I can't use the services associated with the port that has been forwarded through NAT. To give a specific example, I need to send email through the IPSec tunnel to the host that has SMTP forwarded to it through NAT. The host responds to telnetting to port 25 on its local network and through the Internet (sans tunnel) but won't respond on that port through the tunnels. If I remove the NAT forwarding, it works great through the tunnels; however, I need both to function. Does anyone know if this can be fixed and/or how it might be done? It would be much appreciated if someone can point me in the right direction.
12-04-2010 03:19 PM
Hi Richard,
It would be very helpful to post your configuration here (without sensitive information, of course) and to indicate what combination of source/destination does not work with the IPsec and NAT both enabled.
What I am thinking of right now is the order of operation with NAT and IPsec configured. According to this document:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
the NAT happens before encryption. It may be that the servers you are trying to contact are receiving your packets with incorrect addressing information (mangled by the NAT), resulting in their inability to respond correctly. If this is confirmed, then the NAT rules would need to be amended so that they do not apply to traffic that is going to pass through the tunnel.
Best regards,
Peter
12-04-2010 09:17 PM
I appreciate your quick reply. Below is my configuration.
Current configuration : 19450 bytes
!
!
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot system flash0 c2900-universalk9-mz.SPA.151-3.T.bin
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 102400
logging console critical
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
aaa session-id common
!
clock timezone NewYork -5 0
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
ipv6 unicast-routing
ipv6 cef
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
!
no ip bootp server
ip domain name
ip name-server 192.168.0.100
ip port-map user-RDP port tcp 3389
ip inspect log drop-pkt
ip inspect name CCP_MEDIUM appfw CCP_MEDIUM
ip inspect name CCP_MEDIUM dns
ip inspect name CCP_MEDIUM ftp
ip inspect name CCP_MEDIUM h323
ip inspect name CCP_MEDIUM sip
ip inspect name CCP_MEDIUM https
ip inspect name CCP_MEDIUM icmp
ip inspect name CCP_MEDIUM netshow
ip inspect name CCP_MEDIUM rcmd
ip inspect name CCP_MEDIUM realaudio
ip inspect name CCP_MEDIUM rtsp
ip inspect name CCP_MEDIUM sqlnet
ip inspect name CCP_MEDIUM streamworks
ip inspect name CCP_MEDIUM tftp
ip inspect name CCP_MEDIUM udp
ip inspect name CCP_MEDIUM vdolive
ip inspect name CCP_MEDIUM tcp router-traffic
ip inspect name CCP_MEDIUM esmtp
ip inspect name CCP_MEDIUM gdoi
ip inspect name CCP_MEDIUM isakmp
ip inspect name CCP_MEDIUM ipsec-msft
ip inspect name CCP_MEDIUM ssp
ip inspect name CCP_MEDIUM r-winsock
ip inspect name CCP_MEDIUM netbios-ssn
ip inspect name CCP_MEDIUM netbios-dgm
ip inspect name CCP_MEDIUM msexch-routing
ip inspect name CCP_MEDIUM ms-sql-m
ip inspect name CCP_MEDIUM ms-sql
ip inspect name CCP_MEDIUM ms-sna
ip inspect name CCP_MEDIUM ms-dotnetster
ip inspect name CCP_MEDIUM microsoft-ds
ip inspect name CCP_MEDIUM ms-cluster-net
ip inspect name CCP_MEDIUM dbcontrol_agent
ip inspect name CCP_MEDIUM giop
ip inspect name CCP_MEDIUM net8-cman
ip inspect name CCP_MEDIUM orasrv
ip inspect name CCP_MEDIUM oem-agent
ip inspect name CCP_MEDIUM oracle
ip inspect name CCP_MEDIUM oraclenames
ip inspect name CCP_MEDIUM oracle-em-vp
ip inspect name CCP_MEDIUM rdb-dbs-disp
ip inspect name CCP_MEDIUM rtc-pm-port
ip inspect name CCP_MEDIUM ttc
ip inspect name CCP_MEDIUM exec
ip inspect name CCP_MEDIUM telnet
ip inspect name CCP_MEDIUM telnets
ip inspect name CCP_MEDIUM rtelnet
ip inspect name CCP_MEDIUM login
ip inspect name CCP_MEDIUM ssh
ip inspect name CCP_MEDIUM shell
ip inspect name CCP_MEDIUM sshell
ip inspect name CCP_MEDIUM pcanywheredata
ip inspect name CCP_MEDIUM pcanywherestat
ip inspect name CCP_MEDIUM x11
ip inspect name CCP_MEDIUM xdmcp
ip inspect name CCP_MEDIUM gtpv1
ip inspect name CCP_MEDIUM gtpv0
ip inspect name CCP_MEDIUM l2tp
ip inspect name CCP_MEDIUM pptp
ip inspect name CCP_MEDIUM ddns-v3
ip inspect name CCP_MEDIUM dnsix
ip inspect name CCP_MEDIUM ldap-admin
ip inspect name CCP_MEDIUM ldap
ip inspect name CCP_MEDIUM ldaps
ip inspect name CCP_MEDIUM netbios-ns
ip inspect name CCP_MEDIUM wins
ip inspect name CCP_MEDIUM daytime
ip inspect name CCP_MEDIUM ntp
ip inspect name CCP_MEDIUM time
ip inspect name CCP_MEDIUM timed
ip inspect name CCP_MEDIUM bgp
ip inspect name CCP_MEDIUM hsrp
ip inspect name CCP_MEDIUM router
ip inspect name CCP_MEDIUM fragment maximum 256 timeout 1
ip inspect name CCP_MEDIUM snmp
ip inspect name CCP_MEDIUM snmptrap
ip inspect name CCP_MEDIUM syslog
ip inspect name CCP_MEDIUM syslog-conn
ip inspect name CCP_MEDIUM tacacs
ip inspect name CCP_MEDIUM kerberos
ip inspect name CCP_MEDIUM radius
ip inspect name CCP_MEDIUM tacacs-ds
ip inspect name CCP_MEDIUM ident
ip inspect name CCP_MEDIUM ace-svr
ip inspect name CCP_MEDIUM bootpc
ip inspect name CCP_MEDIUM bootps
ip inspect name CCP_MEDIUM dhcp-failover
ip inspect name CCP_MEDIUM discard
ip inspect name CCP_MEDIUM echo
ip inspect name CCP_MEDIUM finger
ip inspect name CCP_MEDIUM gopher
ip inspect name CCP_MEDIUM igmpv3lite
ip inspect name CCP_MEDIUM ipx
ip inspect name CCP_MEDIUM pwdgen
ip inspect name CCP_MEDIUM rsvp-encap
ip inspect name CCP_MEDIUM rsvp_tunnel
ip inspect name CCP_MEDIUM socks
ip inspect name CCP_MEDIUM vqp
ip inspect name CCP_MEDIUM user-RDP
ip inspect name CCP_MEDIUM nntp
ip inspect name CCP_MEDIUM clp
ip inspect name CCP_MEDIUM cisco-net-mgmt
ip inspect name CCP_MEDIUM cisco-sys
ip inspect name CCP_MEDIUM cisco-tna
ip inspect name CCP_MEDIUM cisco-fna
ip inspect name CCP_MEDIUM cisco-tdp
ip inspect name CCP_MEDIUM cisco-svcs
ip inspect name CCP_MEDIUM stun
ip inspect name CCP_MEDIUM tr-rsrb
ip inspect name CCP_MEDIUM citrix
ip inspect name CCP_MEDIUM citriximaclient
ip inspect name CCP_MEDIUM ica
ip inspect name CCP_MEDIUM icabrowser
ip inspect name CCP_MEDIUM cddbp
ip inspect name CCP_MEDIUM dbase
ip inspect name CCP_MEDIUM mysql
ip inspect name CCP_MEDIUM sqlsrv
ip inspect name CCP_MEDIUM sqlserv
ip inspect name CCP_MEDIUM nfs
ip inspect name CCP_MEDIUM uucp
ip inspect name CCP_MEDIUM kermit
ip inspect name CCP_MEDIUM ftps
ip inspect name CCP_MEDIUM realsecure
ip inspect name CCP_MEDIUM n2h2server
ip inspect name CCP_MEDIUM entrust-svcs
ip inspect name CCP_MEDIUM creativeserver
ip inspect name CCP_MEDIUM creativepartnr
ip inspect name CCP_MEDIUM cifs
ip inspect name CCP_MEDIUM fcip-port
ip inspect name CCP_MEDIUM hp-alarm-mgr
ip inspect name CCP_MEDIUM hp-collector
ip inspect name CCP_MEDIUM hp-managed-node
ip inspect name CCP_MEDIUM irc
ip inspect name CCP_MEDIUM irc-serv
ip inspect name CCP_MEDIUM ircs
ip inspect name CCP_MEDIUM ircu
ip inspect name CCP_MEDIUM ipass
ip inspect name CCP_MEDIUM netstat
ip inspect name CCP_MEDIUM tarantella
ip inspect name CCP_MEDIUM iscsi-target
ip inspect name CCP_MEDIUM iscsi
ip inspect name CCP_MEDIUM sms
ip inspect name CCP_MEDIUM webster
ip inspect name CCP_MEDIUM who
ip inspect name CCP_MEDIUM skinny
ip inspect name CCP_MEDIUM sip-tls
ip inspect name CCP_MEDIUM appleqtc
login block-for 30 attempts 5 within 30
!
appfw policy-name CCP_MEDIUM
application im aol
service default action allow alarm
service text-chat action allow alarm
server permit name login.oscar.aol.com
server permit name toc.oscar.aol.com
server permit name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action allow alarm
service text-chat action allow alarm
server permit name messenger.hotmail.com
server permit name gateway.messenger.hotmail.com
server permit name webmessenger.msn.com
audit-trail on
application http
strict-http action allow alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action allow alarm
application im yahoo
service default action allow alarm
service text-chat action allow alarm
server permit name scs.msg.yahoo.com
server permit name scsa.msg.yahoo.com
server permit name scsb.msg.yahoo.com
server permit name scsc.msg.yahoo.com
server permit name scsd.msg.yahoo.com
server permit name cs16.msg.dcn.yahoo.com
server permit name cs19.msg.dcn.yahoo.com
server permit name cs42.msg.dcn.yahoo.com
server permit name cs53.msg.dcn.yahoo.com
server permit name cs54.msg.dcn.yahoo.com
server permit name ads1.vip.scd.yahoo.com
server permit name radio1.launch.vip.dal.yahoo.com
server permit name in1.msg.vip.re2.yahoo.com
server permit name data1.my.vip.sc5.yahoo.com
server permit name address1.pim.vip.mud.yahoo.com
server permit name edit.messenger.yahoo.com
server permit name messenger.yahoo.com
server permit name http.pager.yahoo.com
server permit name privacy.yahoo.com
server permit name csa.yahoo.com
server permit name csb.yahoo.com
server permit name csc.yahoo.com
audit-trail on
!
multilink bundle-name authenticated
!
parameter-map type inspect global
log dropped-packets enable
!
username rrocks password 7
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
!
policy-map sdmappfwp2p_CCP_MEDIUM
class sdm_p2p_edonkey
class sdm_p2p_gnutella
class sdm_p2p_bittorrent
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
lifetime 28800
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key
crypto isakmp key
crypto isakmp key
crypto isakmp identity hostname
crypto isakmp keepalive 10 periodic
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set Netgear esp-aes 256 esp-sha-hmac
!
crypto map VPNs 1 ipsec-isakmp
set peer
set transform-set Netgear
set pfs group2
match address
crypto map VPNs 2 ipsec-isakmp
set peer
set transform-set Netgear
set pfs group2
match address
crypto map VPNs 3 ipsec-isakmp
set peer
set transform-set Netgear
set pfs group2
match address
!
!
!
!
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address
ipv6 enable
tunnel source GigabitEthernet0/0
tunnel mode ipv6ip
tunnel destination 209.51.181.2
!
interface Null0
no ip unreachables
!
interface GigabitEthernet0/0
description WAN$FW_OUTSIDE$$ETH-WAN$
ip address dhcp client-id GigabitEthernet0/0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect CCP_MEDIUM out
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
crypto map VPNs
service-policy input sdmappfwp2p_CCP_MEDIUM
service-policy output sdmappfwp2p_CCP_MEDIUM
!
interface GigabitEthernet0/1
description LAN$FW_INSIDE$
ip address 192.168.0.101 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
ipv6 address
ipv6 nd managed-config-flag
no mop enabled
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
no ip http server
ip http access-class 1
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http client secure-ciphersuite 3des-ede-cbc-sha
ip flow-top-talkers
top 20
sort-by bytes
!
ip nat inside source static tcp 192.168.0.110 25 interface GigabitEthernet0/0 25
ip nat inside source static tcp 192.168.0.100 3389 interface GigabitEthernet0/0 3389
ip nat inside source static tcp 192.168.0.110 443 interface GigabitEthernet0/0 443
ip nat inside source route-map NATMap interface GigabitEthernet0/0 overload
!
ip access-list extended
remark CCP_ACL Category=4
permit ip 192.168.0.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
ip access-list extended
remark CCP_ACL Category=4
permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
ip access-list extended
remark CCP_ACL Category=4
permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
!
logging trap debugging
logging facility local2
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by CCP firewall configuration
access-list 100 remark CCP_ACL Category=1
access-list 100 permit udp host 192.168.0.100 eq domain any
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.101 eq 22
access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.101 eq 443
access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.101 eq cmd
access-list 100 deny tcp any host 192.168.0.101 eq telnet
access-list 100 deny tcp any host 192.168.0.101 eq 22
access-list 100 deny tcp any host 192.168.0.101 eq www
access-list 100 deny tcp any host 192.168.0.101 eq 443
access-list 100 deny tcp any host 192.168.0.101 eq cmd
access-list 100 deny udp any host 192.168.0.101 eq snmp
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by CCP firewall configuration
access-list 101 remark CCP_ACL Category=1
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq smtp
access-list 101 permit ahp host
access-list 101 permit esp host
access-list 101 permit udp host
access-list 101 permit udp host
access-list 101 permit ahp host
access-list 101 permit esp host
access-list 101 permit udp host
access-list 101 permit udp host
access-list 101 permit ahp host
access-list 101 permit esp host
access-list 101 permit udp host
access-list 101 permit udp host
access-list 101 permit ahp host
access-list 101 permit esp host
access-list 101 permit udp host
access-list 101 permit udp host
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any log
access-list 105 remark CCP_ACL Category=18
access-list 105 deny ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 deny ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 105 deny ip 192.168.0.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.0.255 any
access-list 109 remark CCP_ACL Category=1
access-list 109 permit ip 192.168.0.0 0.0.0.255 any
access-list 109 permit ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 109 permit ip 192.168.0.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 109 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 109 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 109 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 109 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
dialer-list 1 protocol ip permit
ipv6 route ::/0 GigabitEthernet0/1
!
no cdp run
!
!
!
route-map NATMap permit 105
match ip address 105
!
!
!
!
control-plane
!
!
!
line con 0
login authentication local_auth
transport output telnet
line aux 0
login authentication local_auth
transport output telnet
line vty 0 4
access-class 109 in
password 7
login authentication local_auth
transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 192.168.0.100 prefer
end
Any host on 192.168.2.0, 192.168.3.0, or 192.168.4.0 can't communicate to my mail server over the IPSec tunnels.
12-05-2010 03:53 PM
Hi Richard,
This is what I believe is happening: you try to connect to the internal IP address of your SMTP server. The connection request will traverse the IPsec tunnel and eventually reach the SMTP server. However, when the server replies, the reply will first hit the static NAT entry and get translated. The translated packet most probably does not even traverse the IPsec tunnel because its source IP address no longer matches your ACL that specifies the interesting traffic for the IPsec tunnel. Even if the reply arrives at the original sender, it comes from a different IP address because of the NAT, and therefore is not accepted.
The ip nat inside source static command can be enhanced using a route-map construct so that it applies only when the server talks to clients not behind the IPsec tunnel. However, this route-map can only be used if this command uses an explicitly specified external IP address instead of referencing the outside interface. As I see, your Gi0/0 acquires its IP address through DHCP. Is this IP address stable, or can it change over time?
If it is stable then we can modify the configuration. If the IP address is varying, however, some other workaround will have to be devised.
Best regards,
Peter
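As an added illustration of the order of operations Peter describes (inside-to-outside NAT is applied before the crypto map is consulted), the following Python model is not code from the thread or from Cisco; it reproduces the subnets, static entries and ACL 105 from Richard's posted configuration, and the WAN address 203.0.113.10 and the remote hosts are assumed placeholders. It traces what happens to the SMTP server's reply with and without a route-map on the static entry.

```python
"""Simplified model of the 2911's inside-to-outside path from this thread.

Added example, not part of the thread. It models only two steps of the IOS
order of operations: inside-to-outside NAT, then the crypto-map match.
"""
from ipaddress import ip_address, ip_network

WAN_IP = "203.0.113.10"  # assumed current DHCP address of Gi0/0 (placeholder)
LAN = ip_network("192.168.0.0/24")
VPN_LANS = [ip_network(n) for n in ("192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24")]

# Static port forwards from the posted config: (inside host, inside port) -> outside port
STATIC_NAT = {
    ("192.168.0.110", 25): 25,
    ("192.168.0.100", 3389): 3389,
    ("192.168.0.110", 443): 443,
}


def acl_105_permits(src, dst):
    """ACL 105 from the config: deny LAN -> remote VPN LANs, permit LAN -> anything else."""
    src, dst = ip_address(src), ip_address(dst)
    if src in LAN and any(dst in net for net in VPN_LANS):
        return False
    return src in LAN


def crypto_acl_matches(src, dst):
    """The three crypto-map ACLs together: LAN <-> each remote LAN, either direction."""
    src, dst = ip_address(src), ip_address(dst)
    return (src in LAN and any(dst in n for n in VPN_LANS)) or (
        dst in LAN and any(src in n for n in VPN_LANS)
    )


def outbound(src, sport, dst, static_uses_route_map):
    """Return (source IP, source port, encrypted?) for a packet leaving Gi0/0.

    static_uses_route_map=True models the fix Peter describes: the static
    entry is conditioned on a route-map (here reusing ACL 105's logic), so it
    is skipped for traffic destined to the remote VPN LANs.
    """
    # Step 1: inside-to-outside NAT. The static entry takes precedence over the
    # dynamic overload rule; with a route-map it applies only when ACL 105 permits.
    if (src, sport) in STATIC_NAT and (not static_uses_route_map or acl_105_permits(src, dst)):
        src, sport = WAN_IP, STATIC_NAT[(src, sport)]
    elif acl_105_permits(src, dst):
        src = WAN_IP  # dynamic PAT; the port rewrite is omitted in this model
    # Step 2: the crypto map is evaluated on the (possibly translated) packet.
    return src, sport, crypto_acl_matches(src, dst)


if __name__ == "__main__":
    # SMTP server replying to a constructed client 192.168.4.10 behind a tunnel
    for with_rm in (False, True):
        print("route-map on static entry:", with_rm, "->", outbound("192.168.0.110", 25, "192.168.4.10", with_rm))
```

With the plain static entry the reply leaves as 203.0.113.10:25 and never matches the crypto ACL; with the route-map it stays 192.168.0.110:25 and is encrypted, while replies to Internet clients are still translated.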
12-05-2010 04:15 PM
It's dynamic but rarely changes. If it comes down to it, I can change the configuration in the event of a change. In any event, I will be switching to a static /29 range in the next couple weeks so it would only be for a short time that I would have to worry about the possibility of it changing.
12-05-2010 04:41 PM
Thank you so much for your help. Your suggestion led me to https://supportforums.cisco.com/thread/2024353 which explained to me how to accomplish the task. It is now working great! 5 Stars!