04-11-2019 08:47 PM
I'm trying to configure a Cisco 1921 to allow 6 servers on the internal network to be accessible from individual public IPs, and to use those same IPs for their respective inside-sourced traffic.
There is only one internal network, which is shared with other devices.
Whilst I can access those webservers externally from the correct IP address for each, internally each web server still uses the primary WAN IP for its own requests. I cannot see why.
Below is my config; I've changed the public IPs (see comment):
! WAN
! Gateway = 200.0.0.1
! Primary = 200.0.0.2/30
! AdditionalA = 200.0.1.10/29
! AdditionalB = 200.0.1.11/29
! AdditionalC = 200.0.1.12/29
! AdditionalD = 200.0.1.13/29
! AdditionalE = 200.0.1.14/29
!
! LAN
! Gateway = 192.168.254.252/24
! DHCP Devices = 192.168.254.1-199/24
! Web Server 1 = 192.168.254.200
! Web Server 2 = 192.168.254.201
! Web Server 3 = 192.168.254.202
! Web Server 4 = 192.168.254.203
! Web Server 5 = 192.168.254.204
! Web Server 6 = 192.168.254.205
interface GigabitEthernet0/0
 description $ETH-LAN$
 ip address 192.168.254.252 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description PrimaryWANDesc_TPGF400$ETH-WAN$
 ip address 200.0.0.2 255.255.255.252
 ip access-group 105 in
 ip access-group 105 out
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map Gig0
!
ip nat pool NP1 200.0.1.10 200.0.1.10 prefix-length 29
ip nat pool NP2 200.0.1.11 200.0.1.11 prefix-length 29
ip nat pool NP3 200.0.1.12 200.0.1.12 prefix-length 29
ip nat pool NP4 200.0.1.13 200.0.1.13 prefix-length 29
ip nat pool NP5 200.0.1.14 200.0.1.14 prefix-length 29
ip nat inside source list 80 pool NP1 overload
ip nat inside source list 81 pool NP2 overload
ip nat inside source list 82 pool NP3 overload
ip nat inside source list 83 pool NP4 overload
ip nat inside source list 84 pool NP5 overload
ip nat inside source route-map RM1 pool NP1 overload
ip nat inside source route-map RM2 pool NP2 overload
ip nat inside source route-map RM3 pool NP3 overload
ip nat inside source route-map RM4 pool NP4 overload
ip nat inside source route-map RM5 pool NP5 overload
ip nat inside source static 192.168.254.200 200.0.0.2 route-map RMAPSTATICNAT
ip nat inside source static 192.168.254.201 200.0.1.10 route-map RMAPSTATICNAT
ip nat inside source static 192.168.254.202 200.0.1.11 route-map RMAPSTATICNAT
ip nat inside source static 192.168.254.203 200.0.1.12 route-map RMAPSTATICNAT
ip nat inside source static 192.168.254.204 200.0.1.13 route-map RMAPSTATICNAT
ip nat inside source static 192.168.254.205 200.0.1.14 route-map RMAPSTATICNAT
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source list ACLNATOVERLOAD interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 200.0.0.1 permanent
!
ip access-list extended ACLINCOMING
 permit tcp any host 192.168.254.200 eq 443
 permit tcp any host 192.168.254.200 eq www
 permit tcp any host 192.168.254.201 eq 443
 permit tcp any host 192.168.254.201 eq www
 permit tcp any host 192.168.254.202 eq 443
 permit tcp any host 192.168.254.202 eq www
 permit tcp any host 192.168.254.203 eq 443
 permit tcp any host 192.168.254.203 eq www
 permit tcp any host 192.168.254.204 eq 443
 permit tcp any host 192.168.254.204 eq www
 permit tcp any host 192.168.254.205 eq 443
 permit tcp any host 192.168.254.205 eq www
 permit tcp any host 192.168.254.200 eq 1640
 permit tcp any host 192.168.254.201 eq 1640
 permit tcp any host 192.168.254.202 eq 1640
 permit tcp any host 192.168.254.203 eq 1640
 permit tcp any host 192.168.254.204 eq 1640
 permit tcp any host 192.168.254.205 eq 1640
ip access-list extended ACLNATOVERLOAD
 deny ip host 192.168.254.200 any
 deny ip host 192.168.254.201 any
 deny ip host 192.168.254.202 any
 deny ip host 192.168.254.203 any
 deny ip host 192.168.254.204 any
 deny ip host 192.168.254.205 any
 permit ip 192.168.254.0 0.0.0.255 any
ip access-list extended ACLSTATICNAT
 permit ip host 192.168.254.200 any
 permit ip host 192.168.254.201 any
 permit ip host 192.168.254.202 any
 permit ip host 192.168.254.203 any
 permit ip host 192.168.254.204 any
 permit ip host 192.168.254.205 any
!
!
route-map RM1 permit 10
 match ip address 80
route-map RM2 permit 10
 match ip address 81
route-map RM3 permit 10
 match ip address 82
route-map RM4 permit 10
 match ip address 83
route-map RM5 permit 10
 match ip address 84
!
route-map RMAPSTATICNAT permit 10
 match ip address ACLSTATICNAT
!
!
access-list 1 remark Standard
access-list 1 remark CCP_ACL Category=2
access-list 1 remark d
access-list 1 permit any
access-list 80 permit 192.168.254.201
access-list 81 permit 192.168.254.202
access-list 82 permit 192.168.254.203
access-list 83 permit 192.168.254.204
access-list 84 permit 192.168.254.205
access-list 105 permit ip any any
!
!
!
04-13-2019 08:37 AM
We do not know what the arrangement is between the original poster and their ISP, or precisely what the ISP has provided. It is quite feasible that the ISP has provided a /30 subnet for a transit network and has provided a /29 for the customer to use. The ISP would have routing logic to reach the /29 subnet using the /30 subnet address as the next hop. While it is frequently the case that the customer will put an IP from the /29 as an interface IP address (making the /29 into a locally connected subnet), that is not a requirement. It is quite feasible to use the /29 public addresses for address translation (as is the case in the original post) and not to have any address from that subnet configured as an interface address.
HTH
Rick
04-14-2019 04:38 PM - edited 04-14-2019 04:45 PM
Hello Rick
@Richard Burts wrote: But I do not agree that the decision to use the ISP subnet for address translation rather than as a connected subnet, or the configuration of the default route are problems.
The OP is wanting to NAT with both subnets at the same time. My understanding here is that without a secondary address (in this case the /29), how will NAT work for that subnet, given the NAT order of operation (PBR, RIB, NAT)?
If specifying a default next-hop IP of the /30, the router will check its RIB/ARP tables and use that specific next hop to forward all packets towards, so surely NAT for the /29 will fail, correct?
However, regarding the first option I suggested, which was to use secondary addressing and a connected default route: although excessive broadcast/ARP is incurred, NAT should work for both subnets.
Am I wrong here with my assumptions?
04-11-2019 10:25 PM - edited 04-11-2019 10:29 PM
Hi @Balaweisi,
You are probably configuring your Router with the Cisco Configuration Professional (CCP) software, aren't you?
Looks like your attempts made CCP push a lot of redundant NAT-related configuration to your Router.
First of all, the below configuration lines (among others) appear to be redundant. If you issue "no ip nat inside source list 1 interface GigabitEthernet0/1 overload", you will probably make connections from 192.168.254.200-205 use their assigned Public IP when initiating connections from the Inside network.
access-list 1 remark Standard
access-list 1 remark CCP_ACL Category=2
access-list 1 remark d
access-list 1 permit any
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
From the configuration you are posting, I believe you can have just the following configuration lines in place and still accomplish what you are looking for.
In other words, better to keep it simple.
interface GigabitEthernet0/0
 description $ETH-LAN$
 ip address 192.168.254.252 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description PrimaryWANDesc_TPGF400$ETH-WAN$
 ip address 200.0.0.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map Gig0
!
ip route 0.0.0.0 0.0.0.0 200.0.0.1 permanent
!
ip nat inside source static 192.168.254.200 200.0.0.2
ip nat inside source static 192.168.254.201 200.0.1.10
ip nat inside source static 192.168.254.202 200.0.1.11
ip nat inside source static 192.168.254.203 200.0.1.12
ip nat inside source static 192.168.254.204 200.0.1.13
ip nat inside source static 192.168.254.205 200.0.1.14
!
ip access-list extended ACLNATOVERLOAD
 deny ip host 192.168.254.200 any
 deny ip host 192.168.254.201 any
 deny ip host 192.168.254.202 any
 deny ip host 192.168.254.203 any
 deny ip host 192.168.254.204 any
 deny ip host 192.168.254.205 any
 permit ip 192.168.254.0 0.0.0.255 any
!
ip nat inside source list ACLNATOVERLOAD interface GigabitEthernet0/1 overload
DISCLAIMER:
The configurations discussed in this post can be merely templates and may not be final configurations that can be just copied and pasted to any network device in a production environment. It is the responsibility of whoever follows these suggestions to review, evaluate and modify the configurations at convenience. Ensure that you understand the potential impact of any command. In all cases, make sure not to lose remote management access to the device. It is highly suggested to introduce changes to live networks only during maintenance windows. The author of this post is not responsible for unintended consequences of failing to follow this disclaimer note.
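As an added illustration of the overlap Hector describes (this is not code from the thread): a small Python checker that parses a constructed, abbreviated copy of the poster's NAT statements, ACLs and route-map, and reports every "ip nat inside source" rule that would claim a given inside host. ACL handling is simplified to source-address matching, the route-map is resolved to the ACL it references, and the order in which IOS picks among overlapping rules is not modelled; the point is to see which hosts are covered more than once.

```python
import ipaddress
from collections import defaultdict

CONFIG = """  # constructed, abbreviated excerpt of the poster's config (one server shown)
ip nat inside source route-map RM1 pool NP1 overload
ip nat inside source static 192.168.254.201 200.0.1.10 route-map RMAPSTATICNAT
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source list ACLNATOVERLOAD interface GigabitEthernet0/1 overload
ip access-list extended ACLNATOVERLOAD
 deny ip host 192.168.254.201 any
 permit ip 192.168.254.0 0.0.0.255 any
route-map RM1 permit 10
 match ip address 80
access-list 1 permit any
access-list 80 permit 192.168.254.201
"""

def net(addr, wild="0.0.0.0"):  # IOS address + wildcard (or 'any') -> ip_network
    bits = 0 if addr == "any" else 32 - bin(int(ipaddress.ip_address(wild))).count("1")
    return ipaddress.ip_network(f"{'0.0.0.0' if addr == 'any' else addr}/{bits}", strict=False)

def parse(config):  # -> ACL entries, route-map -> ACL links, inside-source rules
    acls, rmaps, rules, ctx = defaultdict(list), {}, [], None
    for line in (ln.strip() for ln in config.splitlines() if ln.strip()):
        w = line.split()
        if w[0] == "route-map" or line.startswith("ip access-list extended"):
            ctx = w[1] if w[0] == "route-map" else w[3]   # name of the block we are in
        elif w[0] == "access-list" and w[2] in ("permit", "deny"):   # standard ACL
            acls[w[1]].append((w[2], net(*w[3:5])))
        elif w[0] in ("permit", "deny"):                               # extended ACE
            acls[ctx].append((w[0], net(w[3]) if w[2] == "host" else net(*w[2:4])))
        elif line.startswith("match ip address"):
            rmaps[ctx] = w[3]
        elif line.startswith("ip nat inside source"):
            rules.append(line)
    return acls, rmaps, rules

def permits(acls, name, ip):  # first matching entry wins; no match denies, as on IOS
    return next((a == "permit" for a, n in acls.get(name, []) if ip in n), False)

def rules_matching(config, hosts):  # host -> every inside-source rule claiming its traffic
    acls, rmaps, rules = parse(config)
    hits = defaultdict(list)
    for host in hosts:
        ip = ipaddress.ip_address(host)
        for rule in rules:
            kind, arg = rule.split()[4:6]   # 'static'|'list'|'route-map' and its argument
            if (arg == host if kind == "static"
                    else permits(acls, arg if kind == "list" else rmaps.get(arg), ip)):
                hits[host].append(rule)
    return dict(hits)

def overlapping(config, hosts):  # hosts claimed by more than one rule: the redundancy
    return {h: r for h, r in rules_matching(config, hosts).items() if len(r) > 1}
```

Running overlapping(CONFIG, ["192.168.254.201", "192.168.254.50"]) flags both the server (route-map, static and list 1) and an ordinary DHCP client (list 1 and ACLNATOVERLOAD); dropping the "list 1" and pool rules leaves exactly one rule per host.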
04-12-2019 01:49 AM
Hello,
On a side note, and I don't know if Hector has addressed this already in his post, I don't see how the pool addresses can work at all, since the outside interface belongs to a different IP address space:
interface GigabitEthernet0/1
 description PrimaryWANDesc_TPGF400$ETH-WAN$
 ip address 200.0.0.2 255.255.255.252
 ip access-group 105 in
 ip access-group 105 out
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map Gig0
!
ip nat pool NP1 200.0.1.10 200.0.1.10 prefix-length 29
ip nat pool NP2 200.0.1.11 200.0.1.11 prefix-length 29
ip nat pool NP3 200.0.1.12 200.0.1.12 prefix-length 29
ip nat pool NP4 200.0.1.13 200.0.1.13 prefix-length 29
ip nat pool NP5 200.0.1.14 200.0.1.14 prefix-length 29
04-12-2019 03:43 AM - edited 04-12-2019 03:49 AM
Hello
Your configuration is quite convoluted; however, what stands out is your public addressing. As you have 2 public subnets, you should possibly need to apply secondary addressing on your WAN interface and/or change your default static route, or implement some policy routing, for the static 1:1 NAT to work.
Personally I would suggest using policy routing; then you are not pushing everything towards your WAN interface and creating excessive ARPs (see attached file).
Also, can you confirm your ISP address for the 200.0.1.0/29 subnet?
04-14-2019 03:52 AM - edited 04-14-2019 04:47 AM
Hello Rick
Not sure I understand. Even if the ISP has the routing logic applied for this /29 and the OP doesn't have an address in this subnet applied to its WAN interface, I don't see how NAT would work for that subnet unless the default route is changed into a connected default and ARP is utilized. Otherwise, how would NAT be initiated for the /29?
04-14-2019 05:30 AM
@paul driver I am quite puzzled about your statement:
"I don't see how NAT would work for that subnet unless the default route is changed into a connected default and ARP is utilized"
Here is the interface config
interface GigabitEthernet0/1
 description PrimaryWANDesc_TPGF400$ETH-WAN$
 ip address 200.0.0.2 255.255.255.252
and here is the configured default route
ip route 0.0.0.0 0.0.0.0 200.0.0.1 permanent
So the default route already specifies a next hop in a connected subnet and would use ARP.
I agree that the configuration of address translation is problematic. There are 3 different and overlapping attempts to translate addresses for the servers. But I do not agree that the decision to use the ISP subnet for address translation rather than as a connected subnet, or the configuration of the default route are problems.
HTH
Rick
04-14-2019 03:25 PM - edited 04-14-2019 03:30 PM
Hi Yes, OP here,
Sorry, to address each point:
1. Yes, it was configured with CCP, but not by me; I'm trying to fix a problem without re-doing it all.
2. Yes, it did seem quite convoluted to me too. Felt very wrong, but I'd tried with simpler methods like the above.
3. IP addresses have been changed for posting on the Internet; there are two IP ranges: a /30 (original) and a /29 (added later).
When I apply the /29 range (not the same as the /30 network) as an "ip nat inside source static 192.168.254.200 x.x.x.x route-map ..." I can access those hosts from the internet, so it is going via the gateway of the /30 range.
- I've tried adding those addresses to the WAN interface as secondary, but it didn't make any difference. I think I might have to give up having the second range on the WAN interface.
I will try moving the primary WAN address to be part of the /29 range for now and let you know how it goes, but it requires a bit of downtime, so I'll have to do it tonight.
Cheers guys
04-14-2019 03:44 PM
Hello
@Balaweisi wrote: I've tried adding those addresses to the WAN interface as secondary, but it didn't make any difference. I think I might have to give up having the second range on the WAN interface.
When you did this, did you change the default route to point to the interface rather than a next-hop address as you have now? That's the only way I see NAT working for both subnets, without otherwise knowing the ISP next hop of both subnets and using PBR for the /29.
Again, as stated, having a default route pointing to an interface isn't preferable; however, NAT should work for you in this case.
04-14-2019 03:54 PM
No, no change to the default route. The ISP (TPG - Fiber1000) didn't provide details of the additional range other than the network address and prefix. So I followed their normal CE-PE arrangement and used the last/first addresses in the range; neither worked. Strangely, it only worked with the current gateway.
04-15-2019 01:28 AM - edited 04-15-2019 01:31 AM
Hi Guys,
Thanks for your help.
I confirmed with the ISP that the second range (/29) was actually associated with the host in the /30 range. So the way I got around this to get it up and running is to use BGP to route the /29 network to the internet via a VLAN interface on the inside.
So now each of the hosts is directly exposed to the internet. I managed to get some firewalls on them, so it should be fine for what they want.
Thanks again.
interface GigabitEthernet0/0
 description $ETH-LAN$
 ip address 192.168.254.252 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address x.x.1.1 255.255.255.248
 ip virtual-reassembly in
!
interface GigabitEthernet0/1
 description PrimaryWANDesc_TPGF400$ETH-WAN$
 ip address x.x.x.2 255.255.255.252
 ip access-group 105 in
 ip access-group 105 out
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map Gig0
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/1
 ip mtu 1392
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1352
 peer default ip address pool SDM_POOL_1
 ppp encrypt mppe 128
 ppp authentication ms-chap-v2 ms-chap pap
 ppp ipcp dns 8.8.8.8
!
router bgp 2764
 bgp log-neighbor-changes
 neighbor x.x.x.1 remote-as 2764
 !
 address-family ipv4
  network x.x.1.0 mask 255.255.255.248
  neighbor x.x.x.1 activate
 exit-address-family
!
ip local pool SDM_POOL_1 192.168.10.10 192.168.10.200
ip forward-protocol nd
!
ip dns view default
 domain timeout 1
 domain retry 1
 dns forwarding timeout 1
 dns forwarding retry 1
ip dns server queue limit forwarder 10
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source list ACLNATOVERLOAD interface GigabitEthernet0/1 overload
ip nat inside source list nat-list interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.254.11 21 x.x.x.2 21 extendable
ip nat inside source static tcp 192.168.254.245 80 x.x.x.2 80 extendable
ip nat inside source static tcp 192.168.254.245 443 x.x.x.2 443 extendable
ip nat inside source static tcp 192.168.254.245 1640 x.x.x.2 1640 extendable
ip nat inside source static tcp 192.168.254.9 5900 x.x.x.2 5900 extendable
ip nat inside source static tcp 192.168.254.245 5900 x.x.x.2 5901 extendable
ip nat inside source static tcp 192.168.254.190 5980 x.x.x.2 5980 extendable
ip nat inside source static tcp 192.168.254.222 5999 x.x.x.2 5999 extendable
ip nat inside source static tcp 192.168.254.250 7000 x.x.x.2 7000 extendable
ip nat inside source static udp 192.168.254.250 7000 x.x.x.2 7000 extendable
ip nat inside source static udp 192.168.254.11 7000 x.x.x.2 7001 extendable
ip nat inside source static tcp 192.168.254.250 7000 x.x.x.2 7002 extendable
ip nat inside source static tcp 192.168.254.201 80 x.x.x.2 8081 extendable
ip nat outside source static tcp x.x.x.2 5900 192.168.254.24 5900 extendable
ip route 0.0.0.0 0.0.0.0 x.x.x.1 permanent
!
!
access-list 105 permit ip any any
!
!
!
04-15-2019 02:05 AM
Hello
BGP, well, I guess that's one way to resolve your issue?
Thank you for letting us know how you solved this; very much appreciated.