Multiple WAN Ip addresses and Multiple inside hosts

Paul Dicine
Level 1

Team,

I have looked for a definitive answer on this and while there are many discussions on this I have still not found a good way to do the following.

We have been granted 5 IP addresses from the provider (/29) and we have 4 internal web servers. We would like to map address 1 to server 1, address 2 to server 2, address 3 to server 3, address 4 to server 4, and address 5 would be the public IP that users surf out on. I want to make sure that these servers always use the same IP address. Sounds simple and logical, but it is proving more difficult than anticipated. I have seen suggestions for secondary addresses on the WAN interface, but that won't help with the 1:1 mapping of server to IP address. I have seen some suggestions on doing 5 different NAT pools (which seems promising), but when I try to put 1 single address in a NAT pool (ip nat pool test 12.111.112.113 12.111.112.113 netmask 255.255.255.255) it tells me the minimum mask should be 255.255.255.252.

Logically in my head I think it would make sense to have 5 NAT pools each triggered by an ACL that defines the specific server but can't seem to get around this issue.....

ANY Thoughts or suggestions are most welcome.... Any other designs or creative ways to approach this are appreciated.

Paul

2 Accepted Solutions

Accepted Solutions

Paul

You do not need a pool for static address translation. You could try something like this

ip nat inside source static  

And your dynamic address translation might be done something like this

ip nat inside source list 7 interface serial 0 overload

You might look at this link for some more discussion about doing both dynamic and static address translation

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml

HTH

Rick


Sam Smiley
Level 3

Paul, if I get your meaning on this, I haven't seen a lot of discussion on this topic; however, I have this running on my own network. Essentially you want one address assigned to each server, which you can do through a NAT inside source command; this will send the packet to the correct server. However, when that server replies, it will exit through the default NAT pool and the address assigned to it. This is unacceptable for most Internet protocols, since the host that sent the packet is receiving a response from another IP address.

In order to make this work you will need to create a NAT pool for each public address you want to use, for instance:

ip nat pool 123.123.123.98 123.123.123.98 netmask 255.255.255.248
ip nat pool 123.123.123.99 123.123.123.99 netmask 255.255.255.248
ip nat pool 123.123.123.100 123.123.123.100 netmask 255.255.255.248
ip nat pool 123.123.123.101 123.123.123.101 netmask 255.255.255.248

Next you will need to assign an access list to each of these NAT pools with the following commands

ip nat inside source list 101 interface GigabitEthernet0/1 overload
ip nat inside source list 102 pool overload
ip nat inside source list 103 pool overload
ip nat inside source list 104 pool overload
ip nat inside source list 105 pool overload

The secret to making this work is building the access lists correctly. What I generally do is create a private address space on the LAN to assign each public address to; for instance, I segment the network into blocks of 16 private addresses for each public address, except for the default pool, which is generally whatever is left over. For instance, I segment the network like this:

10.10.10.17 - 10.10.10.31 assigned to 123.123.123.98
10.10.10.33 - 10.10.10.47 assigned to 123.123.123.99
10.10.10.49 - 10.10.10.63 assigned to 123.123.123.100
10.10.10.65 - 10.10.10.79 assigned to 123.123.123.101
10.10.10.81 - 10.10.10.254 assigned to 123.123.123.102

Given this, the access lists would look something like this:

access-list 101 deny   ip 10.10.10.16 0.0.0.15 any
access-list 101 deny   ip 10.10.10.32 0.0.0.15 any
access-list 101 deny   ip 10.10.10.48 0.0.0.15 any
access-list 101 deny   ip 10.10.10.64 0.0.0.15 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any

access-list 102 deny   ip 10.10.10.32 0.0.0.15 any
access-list 102 deny   ip 10.10.10.48 0.0.0.15 any
access-list 102 deny   ip 10.10.10.64 0.0.0.15 any
access-list 102 permit ip 10.10.10.16 0.0.0.15 any

access-list 103 deny   ip 10.10.10.48 0.0.0.15 any
access-list 103 deny   ip 10.10.10.64 0.0.0.15 any
access-list 103 permit ip 10.10.10.32 0.0.0.15 any

access-list 104 deny   ip 10.10.10.64 0.0.0.15 any
access-list 104 permit ip 10.10.10.48 0.0.0.15 any

access-list 105 permit ip 10.10.10.64 0.0.0.15 any

This should accomplish what you are looking for. If you want to have multiple servers on an IP, this becomes easy: just assign a private address within the range you want for the given public address.

Cheers,

Sam

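As an added example (not code from the thread or from Sam), this Python script generates Sam's access lists from a block-to-address table and resolves which public address a given inside host will be translated to, following the router's rule that the first NAT statement whose list permits the source wins. It also shows why the deny lines in the catch-all list 101 are required: without them every host matches the /24 permit first and leaves on the interface address. The addresses are the constructed ones from Sam's post, with 123.123.123.102 standing in for the outside interface address.

```python
import ipaddress

# Constructed sample mirroring Sam's layout: four 16-address private blocks
# with one public address each; the rest of the /24 uses the catch-all pool
# (123.123.123.102 stands in for the outside interface address).
BLOCKS = [
    ("10.10.10.16/28", "123.123.123.98"),
    ("10.10.10.32/28", "123.123.123.99"),
    ("10.10.10.48/28", "123.123.123.100"),
    ("10.10.10.64/28", "123.123.123.101"),
]
CATCH_ALL = ("10.10.10.0/24", "123.123.123.102")

def build_acls(first=101, catch_all_denies=True):
    """[(acl_number, [(action, cidr), ...], public_ip)], in the order the
    'ip nat inside source list' statements are entered. The catch-all list
    comes first, as in Sam's config, so it must deny the dedicated blocks."""
    nets = [cidr for cidr, _ in BLOCKS]
    entries = [("deny", c) for c in nets] if catch_all_denies else []
    acls = [(first, entries + [("permit", CATCH_ALL[0])], CATCH_ALL[1])]
    for i, (cidr, public) in enumerate(BLOCKS):
        # Sam's pattern: deny the blocks listed after this one, permit own.
        later = [("deny", c) for c in nets[i + 1:]]
        acls.append((first + 1 + i, later + [("permit", cidr)], public))
    return acls

def render(acls):
    """IOS 'access-list' lines; the wildcard is the inverse of the mask."""
    lines = []
    for number, entries, _ in acls:
        for action, cidr in entries:
            net = ipaddress.ip_network(cidr)
            lines.append(f"access-list {number} {action} ip "
                         f"{net.network_address} {net.hostmask} any")
    return lines

def resolve(acls, host):
    """Public address a host is translated to: the first NAT statement whose
    list permits the source wins, which is the router's lookup order."""
    ip = ipaddress.ip_address(host)
    for _, entries, public in acls:
        for action, cidr in entries:
            if ip in ipaddress.ip_network(cidr):
                if action == "permit":
                    return public
                break  # first match in this list is a deny: try the next list
    return None  # no list permits the source, so it is not translated
```

`print("\n".join(render(build_acls())))` reproduces the 15 access-list lines in Sam's post; a host that no list permits resolves to None, which is the case to check when a new server block is added and forgotten.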

12 Replies

paolo bevilacqua
Hall of Fame

Start mentioning the exact Cisco product and version  you're using.

Thank You Paolo,

I have this at two different accts (Similar Problem). One is on a 2811 router on the 15.x line of code and the other is on a UC560. The UC560 is on 151-4.M4b.

If you need  more info please let me know.

In both cases, you can use a simple 1:1 NAT config.

Paolo,

I would agree; the problem is how do I define a NAT pool with only 1 IP address in it. When I try it I get this:

ip nat pool net187 x.x.x.187 x.x.x.187 netmask 255.255.255.255

%Pool net187 mask 255.255.255.255 too small; should be at least 255.255.255.252

I ONLY want .187 in that pool. If I could get that to work, then everything you say would work with 1:1 NAT.

Thoughts?

Paul


I am not familiar with the UC560, but on the 2811 I would think that 4 static NATs would take care of the servers and a NAT overload would take care of dynamic user translation.

HTH

Rick

Thanks for the reply Richard. I appreciate it.

I would agree; the problem is how do I define a NAT pool with only 1 IP address in it. When I try it I get this:

ip nat pool net187 x.x.x.187 x.x.x.187 netmask 255.255.255.255

%Pool net187 mask 255.255.255.255 too small; should be at least 255.255.255.252

I ONLY want .187 in that pool. If I could get that to work, then everything you say would work with 1:1 NAT.

Paul

ip nat pool net187 x.x.x.187 x.x.x.187 prefix-length 24

Do like that for a nat pool with only 1 ip address in it.

Do rate if you find it helpful.

Jawad

Thank you Sam,

This is EXACTLY what I had in mind. The only reason I could not get it to work was the NAT pools having 1 host in them. When I added the /32 mask it didn't like it. But you used a /29 mask and it works.

Thanks

Paul

I'm (somewhat) sorry to resurrect a 3 year old post ....

I just wanted to thank you Sam. I have been searching for this answer for several years, and stumbled across this post looking for something else, and voila, a huge thorn in my side is finally fixed (slightly modified using object-group to redirect traffic for 1 IP a bit easier), but I would not have found it if it had not been for your answer here. Again, THANK YOU !!!
