
Multiple IPs on Public interface with 1:1 NAT for internal servers

Balaweisi
Level 1

I'm trying to configure a Cisco 1921 to allow 6 servers on the internal network to be accessible from individual public IPs, and to use those same IPs for their respective inside-sourced traffic.

 

There is only one internal network, which is shared with other devices.

 

Whilst I can access those web servers externally from the correct IP address for each, internally each web server still uses the primary WAN IP for its own requests. I cannot see why:

 

Below is my config. I've changed the public IPs; see the comments:

! WAN
!  Gateway = 200.0.0.1
!  Primary = 200.0.0.2/30
!  AdditionalA = 200.0.1.10/29
!  AdditionalB = 200.0.1.11/29
!  AdditionalC = 200.0.1.12/29
!  AdditionalD = 200.0.1.13/29
!  AdditionalE = 200.0.1.14/29
!
! LAN
!  Gateway = 192.168.254.252/24
!  DHCP Devices = 192.168.254.1-199/24
!  Web Server 1 = 192.168.254.200
!  Web Server 2 = 192.168.254.201
!  Web Server 3 = 192.168.254.202
!  Web Server 4 = 192.168.254.203
!  Web Server 5 = 192.168.254.204
!  Web Server 6 = 192.168.254.205



interface GigabitEthernet0/0
 description $ETH-LAN$
 ip address 192.168.254.252 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description PrimaryWANDesc_TPGF400$ETH-WAN$
 ip address 200.0.0.2 255.255.255.252
 ip access-group 105 in
 ip access-group 105 out
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map Gig0
!

ip nat pool NP1 200.0.1.10 200.0.1.10 prefix-length 29
ip nat pool NP2 200.0.1.11 200.0.1.11 prefix-length 29
ip nat pool NP3 200.0.1.12 200.0.1.12 prefix-length 29
ip nat pool NP4 200.0.1.13 200.0.1.13 prefix-length 29
ip nat pool NP5 200.0.1.14 200.0.1.14 prefix-length 29


ip nat inside source list 80 pool NP1 overload
ip nat inside source list 81 pool NP2 overload
ip nat inside source list 82 pool NP3 overload
ip nat inside source list 83 pool NP4 overload
ip nat inside source list 84 pool NP5 overload

ip nat inside source route-map RM1 pool NP1 overload
ip nat inside source route-map RM2 pool NP2 overload
ip nat inside source route-map RM3 pool NP3 overload
ip nat inside source route-map RM4 pool NP4 overload
ip nat inside source route-map RM5 pool NP5 overload

ip nat inside source static 192.168.254.200 200.0.0.2 route-map RMAPSTATICNAT
ip nat inside source static 192.168.254.201 200.0.1.10 route-map RMAPSTATICNAT
ip nat inside source static 192.168.254.202 200.0.1.11 route-map RMAPSTATICNAT
ip nat inside source static 192.168.254.203 200.0.1.12 route-map RMAPSTATICNAT
ip nat inside source static 192.168.254.204 200.0.1.13 route-map RMAPSTATICNAT
ip nat inside source static 192.168.254.205 200.0.1.14 route-map RMAPSTATICNAT


ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source list ACLNATOVERLOAD interface GigabitEthernet0/1 overload

ip route 0.0.0.0 0.0.0.0 200.0.0.1 permanent
!
ip access-list extended ACLINCOMING
 permit tcp any host 192.168.254.200 eq 443
 permit tcp any host 192.168.254.200 eq www
 permit tcp any host 192.168.254.201 eq 443
 permit tcp any host 192.168.254.201 eq www
 permit tcp any host 192.168.254.202 eq 443
 permit tcp any host 192.168.254.202 eq www
 permit tcp any host 192.168.254.203 eq 443
 permit tcp any host 192.168.254.203 eq www
 permit tcp any host 192.168.254.204 eq 443
 permit tcp any host 192.168.254.204 eq www
 permit tcp any host 192.168.254.205 eq 443
 permit tcp any host 192.168.254.205 eq www
 permit tcp any host 192.168.254.200 eq 1640
 permit tcp any host 192.168.254.201 eq 1640
 permit tcp any host 192.168.254.202 eq 1640
 permit tcp any host 192.168.254.203 eq 1640
 permit tcp any host 192.168.254.204 eq 1640
 permit tcp any host 192.168.254.205 eq 1640
ip access-list extended ACLNATOVERLOAD
 deny   ip host 192.168.254.200 any
 deny   ip host 192.168.254.201 any
 deny   ip host 192.168.254.202 any
 deny   ip host 192.168.254.203 any
 deny   ip host 192.168.254.204 any
 deny   ip host 192.168.254.205 any
 permit ip 192.168.254.0 0.0.0.255 any
ip access-list extended ACLSTATICNAT
 permit ip host 192.168.254.200 any
 permit ip host 192.168.254.201 any
 permit ip host 192.168.254.202 any
 permit ip host 192.168.254.203 any
 permit ip host 192.168.254.204 any
 permit ip host 192.168.254.205 any
!
!
route-map RM1 permit 10
 match ip address 80
route-map RM2 permit 10
 match ip address 81
route-map RM3 permit 10
 match ip address 82
route-map RM4 permit 10
 match ip address 83
route-map RM5 permit 10
 match ip address 84
!
route-map RMAPSTATICNAT permit 10
 match ip address ACLSTATICNAT
!
!
access-list 1 remark Standard
access-list 1 remark CCP_ACL Category=2
access-list 1 remark d
access-list 1 permit any
access-list 80 permit 192.168.254.201
access-list 81 permit 192.168.254.202
access-list 82 permit 192.168.254.203
access-list 83 permit 192.168.254.204
access-list 84 permit 192.168.254.205
access-list 105 permit ip any any
!
!
!

 

 

2 Accepted Solutions


12 Replies

Hi @Balaweisi,

You are probably configuring your router with the Cisco Configuration Professional (CCP) software, aren't you?

Looks like your attempts made CCP push a lot of redundant NAT related configuration to your Router.

First of all, the configuration lines below (among others) appear to be redundant. If you do "no ip nat inside source list 1 interface GigabitEthernet0/1 overload", connections from 192.168.254.200-205 will probably use their assigned public IP when initiating connections from the inside network.

access-list 1 remark Standard
access-list 1 remark CCP_ACL Category=2
access-list 1 remark d
access-list 1 permit any
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload

From the configuration you are posting, I believe you can have just the following configuration lines in place and still accomplish what you are looking for.

In other words, better to keep it simple.

interface GigabitEthernet0/0
 description $ETH-LAN$
 ip address 192.168.254.252 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description PrimaryWANDesc_TPGF400$ETH-WAN$
 ip address 200.0.0.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map Gig0
!
ip route 0.0.0.0 0.0.0.0 200.0.0.1 permanent
!
ip nat inside source static 192.168.254.200 200.0.0.2
ip nat inside source static 192.168.254.201 200.0.1.10
ip nat inside source static 192.168.254.202 200.0.1.11
ip nat inside source static 192.168.254.203 200.0.1.12
ip nat inside source static 192.168.254.204 200.0.1.13
ip nat inside source static 192.168.254.205 200.0.1.14
!
ip access-list extended ACLNATOVERLOAD
 deny   ip host 192.168.254.200 any
 deny   ip host 192.168.254.201 any
 deny   ip host 192.168.254.202 any
 deny   ip host 192.168.254.203 any
 deny   ip host 192.168.254.204 any
 deny   ip host 192.168.254.205 any
 permit ip 192.168.254.0 0.0.0.255 any
!
ip nat inside source list ACLNATOVERLOAD interface GigabitEthernet0/1 overload

DISCLAIMER:

The configurations discussed in this post can be merely templates and may not be final configurations that can just be copied and pasted to any network device in a production environment. It is the responsibility of whoever follows these suggestions to review, evaluate and modify the configurations as convenient. Ensure that you understand the potential impact of any command. In all cases, make sure not to lose remote management access to the device. It is highly suggested to introduce changes to live networks only during maintenance windows. The author of this post is not responsible for unintended consequences of failing to follow this disclaimer note.

Hello,

 

on a side note, and I don't know if Hector has addressed this already in his post, I don't see how the pool addresses can work at all, since the outside interface belongs to a different IP address space:

 

interface GigabitEthernet0/1
 description PrimaryWANDesc_TPGF400$ETH-WAN$
 ip address 200.0.0.2 255.255.255.252
 ip access-group 105 in
 ip access-group 105 out
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map Gig0
!

ip nat pool NP1 200.0.1.10 200.0.1.10 prefix-length 29
ip nat pool NP2 200.0.1.11 200.0.1.11 prefix-length 29
ip nat pool NP3 200.0.1.12 200.0.1.12 prefix-length 29
ip nat pool NP4 200.0.1.13 200.0.1.13 prefix-length 29
ip nat pool NP5 200.0.1.14 200.0.1.14 prefix-length 29

Hello
Your configuration is quite convoluted; however, what stands out is your public addressing. As you have 2 public subnets, you would possibly need to apply secondary addressing on your WAN interface and/or change your default static route, or implement some policy routing, for the static 1:1 NAT to work.

 

Personally I would suggest using policy routing; then you are not pushing everything towards your WAN interface and creating excessive ARPs (see attached file).

 

Also, can you confirm your ISP address for the 200.0.1.0/29 subnet?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

We do not know what the arrangement is between the original poster and their ISP and precisely what the ISP has provided. It is quite feasible that the ISP has provided a /30 subnet for a transit network and has provided a /29 for the customer to use. The ISP would have routing logic to reach the /29 subnet using the /30 subnet address as the next hop. While it is frequently the case that the customer will put an IP from the /29 as an interface IP address (making the /29 into a locally connected subnet), that is not a requirement. It is quite feasible to use the /29 public addresses for address translation (as is the case in the original post) and not to have any address from that subnet configured as an interface address.

 

HTH

 

Rick


Hello Rick
Not sure I understand. Even if the ISP has the routing logic applied for this /29 and the OP doesn't have an address in this subnet applied to its WAN interface, I don't see how NAT would work for that subnet unless the default route is changed into a connected default and ARP is utilized; otherwise, how would NAT be initiated for the /29?



Kind Regards
Paul

Richard Burts
Hall of Fame

@paul driver I am quite puzzled about your statement

I don’t see how nat would work for that subnet unless the default route is changed into a connected default and arp is utilized

 

Here is the interface config

interface GigabitEthernet0/1
 description PrimaryWANDesc_TPGF400$ETH-WAN$
 ip address 200.0.0.2 255.255.255.252

and here is the configured default route

ip route 0.0.0.0 0.0.0.0 200.0.0.1 permanent

So the default route already specifies a connected subnet as the next hop and would use arp.

 

I agree that the configuration of address translation is problematic. There are 3 different and overlapping attempts to translate addresses for the servers. But I do not agree that the decision to use the ISP subnet for address translation rather than as a connected subnet, or the configuration of the default route are problems.

 

HTH

 

Rick

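As an added illustration of the overlap Hector and Rick describe (this is not code from the thread), the Python script below parses the NAT-related lines of the posted config and lists, per inside host, every "ip nat inside source" rule that can claim it. The config excerpt, the ACL semantics it models (first match wins, implicit deny at the end) and the host list are constructed for the example; the real config repeats the per-server ACL and route-map pattern for all six servers.

```python
from ipaddress import ip_address, ip_network

# Constructed excerpt of the NAT lines from the config posted above (one server kept).
CONFIG = """\
ip nat inside source list 80 pool NP1 overload
ip nat inside source route-map RM1 pool NP1 overload
ip nat inside source static 192.168.254.201 200.0.1.10 route-map RMAPSTATICNAT
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source list ACLNATOVERLOAD interface GigabitEthernet0/1 overload
ip access-list extended ACLNATOVERLOAD
 deny   ip host 192.168.254.201 any
 permit ip 192.168.254.0 0.0.0.255 any
ip access-list extended ACLSTATICNAT
 permit ip host 192.168.254.201 any
route-map RM1 permit 10
 match ip address 80
route-map RMAPSTATICNAT permit 10
 match ip address ACLSTATICNAT
access-list 1 permit any
access-list 80 permit 192.168.254.201
"""
ANY = ip_network("0.0.0.0/0")

def wild(addr, wc="0.0.0.0"):
    """Cisco address + wildcard mask -> network (the wildcard is an inverted netmask)."""
    mask = ".".join(str(255 - int(o)) for o in wc.split("."))
    return ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Collect ACLs (name -> [(action, net)]), route-maps (name -> [acl]) and NAT rules."""
    acls, rmaps, rules, cur = {}, {}, [], None
    for t in (l.split() for l in config.splitlines() if l.strip()):
        if t[0] == "access-list" and t[2] in ("permit", "deny"):     # numbered standard ACL
            acls.setdefault(t[1], []).append((t[2], ANY if t[3] == "any" else wild(t[3], *t[4:5])))
        elif t[:2] == ["ip", "access-list"]:                          # named extended ACL
            cur = acls.setdefault(t[3], [])
        elif t[0] == "route-map":
            cur = rmaps.setdefault(t[1], [])
        elif t[0] in ("permit", "deny") and cur is not None:          # ACE: <act> ip <src> any
            cur.append((t[0], wild(t[3]) if t[2] == "host" else wild(t[2], t[3])))
        elif t[:3] == ["match", "ip", "address"] and cur is not None:
            cur.append(t[3])
        elif t[:4] == ["ip", "nat", "inside", "source"]:
            rules.append(t[4:])
    return acls, rmaps, rules

def acl_permits(acl, host):
    """First matching entry wins; no match means the implicit deny."""
    return next((a == "permit" for a, net in acl if host in net), False)

def audit(config, hosts):
    """Map each inside host to every 'ip nat inside source' rule that can claim it."""
    acls, rmaps, rules = parse(config)
    def claims(r, host):
        via_rmap = lambda n: any(acl_permits(acls.get(a, []), host) for a in rmaps.get(n, []))
        if r[0] == "static":   # static entry with an optional route-map condition
            return ip_address(r[1]) == host and ("route-map" not in r or via_rmap(r[-1]))
        return acl_permits(acls.get(r[1], []), host) if r[0] == "list" else via_rmap(r[1])
    return {h: [" ".join(r) for r in rules if claims(r, ip_address(h))] for h in hosts}
```

Running audit(CONFIG, ["192.168.254.201", "192.168.254.50"]) shows the server claimed by four separate rules (the numbered-ACL pool, the route-map pool, the static entry and the "permit any" overload to the interface), while an ordinary client is claimed by both interface overloads; which rule wins is left to IOS, which is exactly the ambiguity the replies above point at.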

Hi Yes, OP here,

 

Sorry, to address each point:

1. Yes, it was configured with CCP, but not by me; I'm trying to fix a problem without redoing it all.

2. Yes, it did seem quite convoluted to me too. Felt very wrong, but I'd tried simpler methods like the above.

3. IP addresses have been changed for posting on the Internet; there are two IP ranges: a /30 (original) and a /29 (added later).

When I apply the /29 range (not the same as the /30 network) as an ip nat inside source static 192.168.254.200 x.x.x.x route-map ... I can access those hosts from the Internet, so it is going via the gateway of the /30 range.

- I've tried adding those addresses to the WAN interface as secondary, but it didn't make any difference. I think I might have to give up having the second range on the WAN interface.

 

I will try moving the primary WAN address to be part of the /29 range for now and let you know how it goes, but it requires a bit of downtime, so I'll have to do it tonight.

Cheers guys

Hello


@Balaweisi wrote:

- I've tried adding those addresses to the WAN interface as secondary, but it didn't make any difference. I Think i might have to give up having the second range on the WAN interface. 


When you did this, did you change the default route to point to the interface rather than a next-hop address, as you have now? That's the only way I see NAT working for both subnets, without otherwise knowing the ISP next hop of both subnets and using PBR for the /29.

 

Again, as stated, having a default route pointing to an interface isn't preferable; however, NAT should work for you in this case.

 

 

 



Kind Regards
Paul

No, no change to the default route. The ISP (TPG - Fiber1000) didn't provide details of the additional range other than the network address and prefix. So I followed their normal CE-PE arrangement and used the last/first addresses in the range; neither worked. Strangely, it only worked with the current gateway.

Hi Guys,

 

Thanks for your help.

 

I confirmed with the ISP that the second range (/29) was actually associated with the host in the /30 range. So the way I got around this to get it up and running is to use BGP to route the /29 network to the internet via a vlan interface on the inside.

So now each of the hosts is directly exposed to the Internet. I managed to get some firewalls on them, so it should be fine for what they want.

 

Thanks again.

 

interface GigabitEthernet0/0
 description $ETH-LAN$
 ip address 192.168.254.252 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address x.x.1.1 255.255.255.248
 ip virtual-reassembly in
!
interface GigabitEthernet0/1
 description PrimaryWANDesc_TPGF400$ETH-WAN$
 ip address x.x.x.2 255.255.255.252
 ip access-group 105 in
 ip access-group 105 out
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map Gig0
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/1
 ip mtu 1392
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1352
 peer default ip address pool SDM_POOL_1
 ppp encrypt mppe 128
 ppp authentication ms-chap-v2 ms-chap pap
 ppp ipcp dns 8.8.8.8
!
router bgp 2764
 bgp log-neighbor-changes
 neighbor x.x.x.1 remote-as 2764
 !
 address-family ipv4
  network x.x.1.0 mask 255.255.255.248
  neighbor x.x.x.1 activate
 exit-address-family
!
ip local pool SDM_POOL_1 192.168.10.10 192.168.10.200
ip forward-protocol nd
!

ip dns view default
 domain timeout 1
 domain retry 1
 dns forwarding timeout 1
 dns forwarding retry 1
ip dns server queue limit forwarder 10
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source list ACLNATOVERLOAD interface GigabitEthernet0/1 overload
ip nat inside source list nat-list interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.254.11 21 x.x.x.2 21 extendable
ip nat inside source static tcp 192.168.254.245 80 x.x.x.2 80 extendable
ip nat inside source static tcp 192.168.254.245 443 x.x.x.2 443 extendable
ip nat inside source static tcp 192.168.254.245 1640 x.x.x.2 1640 extendable
ip nat inside source static tcp 192.168.254.9 5900 x.x.x.2 5900 extendable
ip nat inside source static tcp 192.168.254.245 5900 x.x.x.2 5901 extendable
ip nat inside source static tcp 192.168.254.190 5980 x.x.x.2 5980 extendable
ip nat inside source static tcp 192.168.254.222 5999 x.x.x.2 5999 extendable
ip nat inside source static tcp 192.168.254.250 7000 x.x.x.2 7000 extendable
ip nat inside source static udp 192.168.254.250 7000 x.x.x.2 7000 extendable
ip nat inside source static udp 192.168.254.11 7000 x.x.x.2 7001 extendable
ip nat inside source static tcp 192.168.254.250 7000 x.x.x.2 7002 extendable
ip nat inside source static tcp 192.168.254.201 80 x.x.x.2 8081 extendable
ip nat outside source static tcp x.x.x.2 5900 192.168.254.24 5900 extendable
ip route 0.0.0.0 0.0.0.0 x.x.x.1 permanent
!
!
access-list 105 permit ip any any
!
!
!

Hello

BGP; well, I guess that's one way to resolve your issue!
Thank you for letting us know how you solved this; very much appreciated.



Kind Regards
Paul

Hello Rick

 


@Richard Burts wrote:

 But I do not agree that the decision to use the ISP subnet for address translation rather than as a connected subnet, or the configuration of the default route are problems.


The OP wants to NAT with both subnets at the same time. My understanding here is: without a secondary address (in this case the /29), how will NAT work for that subnet, given the NAT order of operation (PBR, RIB, NAT)?

 

If specifying a default next-hop IP in the /30, the router will check its RIB/ARP tables and use that specific next hop to forward all packets towards, so surely NAT for the /29 will fail, correct?

 

However, regarding the first option I suggested, which was to use secondary addressing and a connected default route: although excessive broadcast/ARP is incurred, NAT should work for both subnets.

 

Am I wrong here with my assumptions?



Kind Regards
Paul