02-16-2013 06:57 AM - edited 03-04-2019 07:02 PM
Team,
I have looked for a definitive answer on this and while there are many discussions on this I have still not found a good way to do the following.
We have been granted 5 IP addresses from the provider (/29); we have 4 internal web servers. We would like to map address 1 to server 1, address 2 to server 2, address 3 to server 3, address 4 to server 4, and address 5 would be the public IP that users surf out on. I want to make sure that these servers always use the same IP address. Sounds simple and logical, but it is proving more difficult than anticipated. I have seen suggestions for secondary addresses on the WAN interface, but that won't help with the 1:1 mapping of server to IP address. I have seen some suggestions on doing 5 different NAT pools (which seems promising), but when I try to put 1 single address in a NAT pool (ip nat pool test 12.111.112.113 12.111.112.113 netmask 255.255.255.255) it tells me the minimum mask should be 255.255.255.252.
Logically, in my head, I think it would make sense to have 5 NAT pools, each triggered by an ACL that defines the specific server, but I can't seem to get around this issue.
Any thoughts or suggestions are most welcome. Any other designs or creative ways to approach this are appreciated.
Paul
02-16-2013 09:47 AM
Paul
You do not need a pool for static address translation. You could try something like this
ip nat inside source static
And your dynamic address translation might be done something like this
ip nat inside source list 7 interface serial 0 overload
You might look at this link for some more discussion about doing both dynamic and static address translation
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml
HTH
Rick
02-17-2013 08:31 AM
Paul, if I get your meaning on this, I haven't seen a lot of discussion on this topic; however, I have this running on my own network. Essentially you want one address assigned to each server, which you can do through a NAT inside source command; this will send the packet to the correct server. However, when that server replies it will exit through the default NAT pool and the address assigned to it. This is unacceptable for most Internet protocols, since the host that sent the packet is receiving a response from another IP address.
In order to make this work you will need to create a NAT pool for each public address you want to use, for instance:
ip nat pool
ip nat pool
ip nat pool
ip nat pool
Next you will need to assign an access list to each of these NAT pools with the following commands
ip nat inside source list 101 interface GigabitEthernet0/1 overload <-------
ip nat inside source list 102 pool
ip nat inside source list 103 pool
ip nat inside source list 104 pool
ip nat inside source list 105 pool
The secret to making this work is building the access list correctly. What I generally do is create a private address space on the LAN to assign each public address to; for instance, I will segment the network into blocks of 16 private addresses for each public address, except for the default pool, which is generally what is left over. For instance, I will segment the network like this:
10.10.10.17 - 10.10.10.31 assigned to 123.123.123.98
10.10.10.33 - 10.10.10.47 assigned to 123.123.123.99
10.10.10.49 - 10.10.10.63 assigned to 123.123.123.100
10.10.10.65 - 10.10.10.79 assigned to 123.123.123.101
10.10.10.81 - 10.10.10.254 assigned to 123.123.123.102 <-------
Given this, the access list would look something like this:
access-list 101 deny ip 10.10.10.16 0.0.0.15 any
access-list 101 deny ip 10.10.10.32 0.0.0.15 any
access-list 101 deny ip 10.10.10.48 0.0.0.15 any
access-list 101 deny ip 10.10.10.64 0.0.0.15 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 deny ip 10.10.10.32 0.0.0.15 any
access-list 102 deny ip 10.10.10.48 0.0.0.15 any
access-list 102 deny ip 10.10.10.64 0.0.0.15 any
access-list 102 permit ip 10.10.10.16 0.0.0.15 any
access-list 103 deny ip 10.10.10.48 0.0.0.15 any
access-list 103 deny ip 10.10.10.64 0.0.0.15 any
access-list 103 permit ip 10.10.10.32 0.0.0.15 any
access-list 104 deny ip 10.10.10.64 0.0.0.15 any
access-list 104 permit ip 10.10.10.48 0.0.0.15 any
access-list 105 permit ip 10.10.10.64 0.0.0.15 any
This should accomplish what you are looking for; if you want to have multiple servers on an IP, this becomes easy. Just assign a private address within the range you want for the given public address.
Cheers,
Sam
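As an added example (not code from Sam's post or from Cisco), the script below builds the per-address pools and ACLs in exactly the cascading-deny style shown above, renders them as IOS lines, and then evaluates the ACLs first-match to confirm that every inside host is permitted by exactly one ACL, so its public address is unambiguous. The 10.10.10.x and 123.123.123.x values and GigabitEthernet0/1 come from the post; the pool names (POOL-98 and so on), the /29 pool mask and the `overload` keyword on the pool statements are assumptions.

```python
# Added example, not code from the post or from Cisco: builds NAT pools and
# ACLs in the style of Sam's answer and checks that each inside host is
# permitted by exactly one ACL, so its public address is unambiguous.
# Pool names are placeholders; addresses and the interface come from the post.
import ipaddress

LAN = ipaddress.ip_network("10.10.10.0/24")
DEFAULT_PUBLIC = "123.123.123.102"          # overload address for everything else
BLOCKS = [                                  # 16-address block -> pinned public IP
    (ipaddress.ip_network("10.10.10.16/28"), "123.123.123.98"),
    (ipaddress.ip_network("10.10.10.32/28"), "123.123.123.99"),
    (ipaddress.ip_network("10.10.10.48/28"), "123.123.123.100"),
    (ipaddress.ip_network("10.10.10.64/28"), "123.123.123.101"),
]

def build_acls(blocks=BLOCKS, lan=LAN, first=101):
    """ACL `first` (default pool): deny every pinned block, permit the LAN.
    ACL first+1+i (block i): deny every later block, then permit block i."""
    acls = {first: [("deny", b) for b, _ in blocks] + [("permit", lan)]}
    for i, (net, _) in enumerate(blocks):
        acls[first + 1 + i] = [("deny", b) for b, _ in blocks[i + 1:]] + [("permit", net)]
    return acls

def render(acls, blocks=BLOCKS, first=101, iface="GigabitEthernet0/1"):
    """IOS lines: wildcard-mask ACL entries, one-address pools, NAT statements."""
    out = [f"access-list {n} {act} ip {net.network_address} {net.hostmask} any"
           for n, entries in acls.items() for act, net in entries]
    out.append(f"ip nat inside source list {first} interface {iface} overload")
    for i, (_, pub) in enumerate(blocks):
        name = f"POOL-{pub.rsplit('.', 1)[1]}"   # placeholder pool name
        # /29 mask as reported working in the thread (/32 is rejected); overload assumed
        out.append(f"ip nat pool {name} {pub} {pub} prefix-length 29")
        out.append(f"ip nat inside source list {first + 1 + i} pool {name} overload")
    return out

def permits(entries, host):
    """First-match ACL evaluation with the implicit deny at the end."""
    for act, net in entries:
        if host in net:
            return act == "permit"
    return False

def public_for(host, blocks=BLOCKS, default=DEFAULT_PUBLIC, first=101):
    """Public address `host` will use; raises if zero or several ACLs permit it."""
    acls = build_acls(blocks)
    hits = [n for n, e in acls.items() if permits(e, ipaddress.ip_address(host))]
    if len(hits) != 1:
        raise ValueError(f"{host} permitted by ACLs {hits}, expected exactly one")
    return default if hits[0] == first else blocks[hits[0] - first - 1][1]
```

Running `public_for` over every host in the LAN is a quick pre-deployment check that the deny lines leave no address matching two pools.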
02-16-2013 07:00 AM
Start mentioning the exact Cisco product and version you're using.
02-16-2013 07:12 AM
Thank You Paolo,
I have this at two different accts (similar problem): one is on a 2811 router on the 15.x line of code and the other is on a UC560. The UC560 is on 151-4.M4b.
If you need more info please let me know.
02-16-2013 08:40 AM
In both cases, you can use a simple 1:1 NAT config.
02-16-2013 09:20 AM
Paolo,
I would agree; the problem is how do I define a NAT pool with only 1 IP address in it? When I try it I get this:
ip nat pool net187 x.x.x.187 x.x.x.187 netmask 255.255.255.255
%Pool net187 mask 255.255.255.255 too small; should be at least 255.255.255.252
I ONLY want .187 in that pool. If I could get that to work, then everything you say would work with 1:1 NAT.
Thoughts?
Paul
02-16-2013 08:55 AM
Paul
I am not familiar with the UC560 but on the 2811 I would think that 4 static NAT would take care of the servers and a NAT overload would take care of dynamic user translation.
HTH
Rick
02-16-2013 09:21 AM
Thanks for the reply Richard. I appreciate it.
I would agree; the problem is how do I define a NAT pool with only 1 IP address in it? When I try it I get this:
ip nat pool net187 x.x.x.187 x.x.x.187 netmask 255.255.255.255
%Pool net187 mask 255.255.255.255 too small; should be at least 255.255.255.252
I ONLY want .187 in that pool. If I could get that to work, then everything you say would work with 1:1 NAT.
02-17-2013 12:58 PM
ip nat pool net187 x.x.x.187 x.x.x.187 prefix-length 24
Do it like that for a NAT pool with only 1 IP address in it.
Do rate if you find it helpful.
02-18-2013 07:28 AM
Thank you Sam,
This is EXACTLY what I had in mind. The only reason I could not get it to work was the NAT pools having 1 host in them. When I added the /32 mask it didn't like it. But you used a /29 mask and it works.
Thanks
Paul
05-18-2016 11:37 PM
I'm (somewhat) sorry to resurrect a 3-year-old post.
I just wanted to thank you, Sam. I have been searching for this answer for several years, and stumbled across this post looking for something else, and voila, a huge thorn in my side is finally fixed (slightly modified using object-group to redirect traffic for 1 IP a bit more easily), but I would not have found it if it had not been for your answer here. Again, THANK YOU!!!