NAT external IP to internal IP on VLAN

brucecmiller
Level 1

I am attempting to add a second public/external IP to the WAN interface and NAT it to a static IP on an existing VLAN.  I have tried several combinations and it is not working.

 

Please confirm: to add a second IP to the external interface, I simply add the IP to the existing interface with the suffix SECONDARY.

 

Then to NAT, I would use the following syntax:

 

IP NAT  INSIDE SOURCE STATIC 10.10.10.10 69.34.xx.xx   (LAN -> WAN)

6 Replies

Giuseppe Larosa
Hall of Fame

Hello Bruce,

The command syntax is correct for flows starting from inside to the internet.

 

If you want sessions to be started from the internet, you need to add the extendable keyword:

 

IP NAT INSIDE SOURCE STATIC 10.10.10.10 69.34.xx.xx extendable

 

However, I have never tried to NAT to a secondary address.

 

Hope to help

Giuseppe

 

Thank you for the response.  I'm not sure I explained it correctly in the original post.  The goal is to allow public access (outside to inside) from a new second static public IP to an existing inside IP.  Use case: allow an iPhone app to access security cameras on the inside LAN.

 

So I am not following either point in your post: inside to internet, and 'extendable' seems to be for one inside to multiple outside (which is not necessary in my case, I believe).

 

Thanks again and hope to hear more...

Hello Bruce,

The extendable keyword allows access from the internet to the internal resource.

I think you need it to achieve your target.

Without it, the internal resource cannot be reached if the communication starts from "outside".

The extendable provides this capability.

 

The only point of attention is the fact that the new address is a secondary address.

Try it and report your results here in the forums.

 

I agree that the NAT command syntax has some non-intuitive aspects.

 

Hope to help

Giuseppe

 

I added this and tested:

ip nat inside source static 10.0.40.6 69.34.137.160 extendable

and then this and tested:

ip nat inside source static tcp 10.0.40.6 80 69.34.137.160 80 extendable
ip nat inside source static tcp 10.0.40.6 443 69.34.137.160 443 extendable
ip nat inside source static tcp 10.0.40.6 554 69.34.137.160 554 extendable
ip nat inside source static tcp 10.0.40.6 8000 69.34.137.160 8000 extendable 

tracert 

Tracing route to 69.34.137.160 over a maximum of 30 hops
  1     1 ms     4 ms     4 ms  10.0.20.1
  2    <1 ms    <1 ms    <1 ms  69.34.137.160
Trace complete.
 
show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 69.34.137.160:15  10.0.40.6:15       3.112.14.218:15    3.112.14.218:15
icmp 69.34.137.160:29  10.0.40.6:29       3.112.14.218:29    3.112.14.218:29
tcp 69.34.137.160:80   10.0.40.6:80       ---                ---
tcp 69.34.137.160:443  10.0.40.6:443      ---                ---
tcp 69.34.137.160:554  10.0.40.6:554      ---                ---
tcp 69.34.137.160:8000 10.0.40.6:8000     ---                ---
tcp 69.34.137.160:33899 10.0.40.6:33899   185.176.27.86:58455 185.176.27.86:58455
tcp 69.34.137.160:35636 10.0.40.6:35636   54.86.148.252:6800 54.86.148.252:6800
--- 69.34.137.160      10.0.40.6    

Hello Bruce,

For testing the NAT static entries you should try to access from a public IP address outside your network, using for example a smartphone as a Wi-Fi hotspot.

The ICMP related NAT entries are created by the tracert test and they are not covered by the more specific static NAT commands.

These two lines, I don't know what they are, but again they are the result of an activity started on the client:

 

>> tcp 69.34.137.160:33899 10.0.40.6:33899   185.176.27.86:58455 185.176.27.86:58455
tcp 69.34.137.160:35636 10.0.40.6:35636   54.86.148.252:6800 54.86.148.252:6800

 

 

https://www.speedguide.net/port.php?port=6800

 

I have not found any reference to TCP port 58455.

 

Edit:

IP address 54.86.148.252 belongs to AS14618.

AS14618 belongs to Amazon US (ARIN RIR):

 

ASNumber: 14618
ASName: AMAZON-AES
ASHandle: AS14618
RegDate: 2005-11-04
Updated: 2012-03-02
Ref: https://rdap.arin.net/registry/autnum/14618

 

 

IP address 185.176.27.86 belongs to AS204428, which is owned by a European company, SS-net (RIPE):

aut-num: AS204428
as-name: SS-Net
org: ORG-SA4107-RIPE
sponsoring-org: ORG-LE44-RIPE

 

Hope to help

Giuseppe
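As an added example (not code from the thread), the Python script below parses the `show ip nat translations` table Bruce posted and sorts the entries into the port mappings he deliberately published (80, 443, 554, 8000), the ICMP entries created by his tracert test, and sessions on other ports. Since the 1:1 entry `ip nat inside source static 10.0.40.6 69.34.137.160 extendable` is in place alongside the port-specific ones, every port of 10.0.40.6 is reachable through 69.34.137.160, so a translation on a port outside the published list, whichever side opened it, is the kind of entry Giuseppe's reply singles out for a closer look. The table is embedded as a constructed sample; the published-port set is an assumption taken from the commands Bruce posted.

```python
from collections import namedtuple

# Constructed sample: the 'show ip nat translations' output posted in the thread.
SHOW_NAT = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 69.34.137.160:15  10.0.40.6:15       3.112.14.218:15    3.112.14.218:15
icmp 69.34.137.160:29  10.0.40.6:29       3.112.14.218:29    3.112.14.218:29
tcp 69.34.137.160:80   10.0.40.6:80       ---                ---
tcp 69.34.137.160:443  10.0.40.6:443      ---                ---
tcp 69.34.137.160:554  10.0.40.6:554      ---                ---
tcp 69.34.137.160:8000 10.0.40.6:8000     ---                ---
tcp 69.34.137.160:33899 10.0.40.6:33899   185.176.27.86:58455 185.176.27.86:58455
tcp 69.34.137.160:35636 10.0.40.6:35636   54.86.148.252:6800 54.86.148.252:6800
--- 69.34.137.160      10.0.40.6
"""

# Assumption: the services published on purpose with port-specific static entries.
PUBLISHED = {("tcp", 80), ("tcp", 443), ("tcp", 554), ("tcp", 8000)}

# Outside local is omitted: without outside NAT it always equals outside global.
Translation = namedtuple("Translation", "proto ig_ip ig_port il_ip il_port og_ip og_port")


def endpoint(field):
    """'a.b.c.d:port' -> (ip, port); '---' -> (None, None); bare IP -> (ip, None)."""
    if field == "---":
        return None, None
    ip, sep, port = field.partition(":")
    return ip, (int(port) if sep else None)


def parse_translations(text):
    """Parse the table; rows with missing trailing columns are padded with '---'."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Pro":
            continue
        proto, fields = parts[0], parts[1:] + ["---"] * 4
        ig, il, og = endpoint(fields[0]), endpoint(fields[1]), endpoint(fields[3])
        rows.append(Translation(proto, *ig, *il, *og))
    return rows


def classify(t, published=PUBLISHED):
    if t.proto == "---":
        return "static-address-mapping"      # the 1:1 entry itself, no ports
    if t.og_ip is None:
        # entry created by configuration, no peer yet
        return "published-port" if (t.proto, t.il_port) in published else "unexpected-static"
    if t.proto == "icmp":
        return "icmp-session"                # e.g. the tracert test
    if (t.proto, t.il_port) in published:
        return "session-published-port"
    return "session-other-port"              # reachable only because of the 1:1 entry


def audit(text, published=PUBLISHED):
    """Group translations by class; 'session-other-port' is the bucket to review."""
    buckets = {}
    for t in parse_translations(text):
        buckets.setdefault(classify(t, published), []).append(t)
    return buckets


def review_items(text, published=PUBLISHED):
    """(outside ip, outside port, inside port) for sessions on unpublished ports."""
    return [(t.og_ip, t.og_port, t.il_port)
            for t in audit(text, published).get("session-other-port", [])]


if __name__ == "__main__":
    for cls, rows in audit(SHOW_NAT).items():
        print(f"{cls}: {len(rows)}")
    for ip, oport, iport in review_items(SHOW_NAT):
        print(f"review: {ip}:{oport} <-> inside port {iport}")
```

On the posted table this reports four published ports, two ICMP entries, the 1:1 mapping, and the two sessions on ports 33899 and 35636 that Giuseppe asks about. The translation table alone cannot say which side opened a session under a 1:1 mapping; keeping only the port-specific static entries (and dropping the address-only one) would leave just the published ports reachable from outside, which is the usual way to expose a camera host.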

 

 

 

brucecmiller
Level 1

hostname ISR1921
!
no ip domain lookup
ip name-server 201.170.3.27
ip name-server 201.170.2.27
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description LAN0
 ip address 10.0.10.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.0.20.5 255.255.255.128
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.0.30.5 255.255.255.240
!
interface GigabitEthernet0/0.40
 encapsulation dot1Q 40
 ip address 10.0.40.5 255.255.255.224
!
interface GigabitEthernet0/0.60
 encapsulation dot1Q 60
 ip address 10.0.60.5 255.255.255.224
!
interface GigabitEthernet0/0.70
 encapsulation dot1Q 70
 ip address 10.0.70.5 255.255.255.224
!
interface GigabitEthernet0/1
 description LAN1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0
 description WAN0
 ip address 64.34.100.140 255.255.255.128
 ip address 64.34.100.142 255.255.255.128 secondary (proposed new entry)
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool p1 64.34.100.141 64.34.100.141 netmask 255.255.255.128
ip nat inside source list 10 pool p1 overload
ip nat inside source static 10.0.10.6 64.34.100.142 (proposed new entry)
ip route 0.0.0.0 0.0.0.0 64.34.100.119
!
snmp-server location "zzz Florida"
snmp-server contact "xxxx"
access-list 10 permit 10.0.10.0 0.0.0.255
access-list 10 permit 10.0.20.0 0.0.0.255
access-list 10 permit 10.0.30.0 0.0.0.255
access-list 10 permit 10.0.40.0 0.0.0.255
access-list 10 permit 10.0.60.0 0.0.0.255
access-list 10 permit 10.0.70.0 0.0.0.255
!
control-plane
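Added example (not from the thread or from Cisco): a Python lint over the posted running-config, built on the standard ipaddress module. For each `ip nat inside source static` entry it checks that the inside local address sits on a connected subnet whose interface is marked `ip nat inside`, that the inside global address sits on the `ip nat outside` subnet and does not fall inside the dynamic pool, and it checks that every subnet permitted by the ACL referenced by the dynamic NAT statement is behind an interface marked `ip nat inside` (IOS applies `ip nat inside` per interface, so dot1Q subinterfaces do not inherit it from GigabitEthernet0/0). The config sample is trimmed to the relevant lines; the poster's "(proposed new entry)" annotations are stripped before parsing.

```python
import ipaddress
import re

# Constructed sample: relevant lines of the posted running-config (trimmed).
CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.0.10.2 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0.20
 ip address 10.0.20.5 255.255.255.128
!
interface GigabitEthernet0/0.40
 ip address 10.0.40.5 255.255.255.224
!
interface GigabitEthernet0/0/0
 ip address 64.34.100.140 255.255.255.128
 ip address 64.34.100.142 255.255.255.128 secondary (proposed new entry)
 ip nat outside
!
ip nat pool p1 64.34.100.141 64.34.100.141 netmask 255.255.255.128
ip nat inside source list 10 pool p1 overload
ip nat inside source static 10.0.10.6 64.34.100.142 (proposed new entry)
access-list 10 permit 10.0.10.0 0.0.0.255
access-list 10 permit 10.0.20.0 0.0.0.255
access-list 10 permit 10.0.40.0 0.0.0.255
"""


def parse_config(text):
    ifaces, statics, pools, acls, nat_acls = {}, [], {}, {}, set()
    current = None
    for raw in text.splitlines():
        line = re.sub(r"\s*\(.*?\)", "", raw).rstrip()  # drop "(proposed ...)" notes
        parts = line.split()
        if line.startswith("interface "):
            current = parts[1]
            ifaces[current] = {"nets": [], "nat": None}
        elif line.startswith(" ") and current:
            if parts[:2] == ["ip", "address"] and len(parts) >= 4:
                ifaces[current]["nets"].append(ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}"))
            elif parts[:2] == ["ip", "nat"]:
                ifaces[current]["nat"] = parts[2]          # "inside" or "outside"
        else:
            current = None
            if parts[:5] == ["ip", "nat", "inside", "source", "static"]:
                # address-only form, or "static tcp|udp local lport global gport"
                local, glob = (parts[6], parts[8]) if parts[5] in ("tcp", "udp") else (parts[5], parts[6])
                statics.append((ipaddress.IPv4Address(local), ipaddress.IPv4Address(glob)))
            elif parts[:5] == ["ip", "nat", "inside", "source", "list"]:
                nat_acls.add(parts[5])
            elif parts[:3] == ["ip", "nat", "pool"]:
                pools[parts[3]] = (ipaddress.IPv4Address(parts[4]), ipaddress.IPv4Address(parts[5]))
            elif parts[:1] == ["access-list"] and parts[2] == "permit":
                # ipaddress accepts an IOS wildcard (host) mask after the slash
                acls.setdefault(parts[1], []).append(ipaddress.IPv4Network(f"{parts[3]}/{parts[4]}"))
    return ifaces, statics, pools, acls, nat_acls


def owner(ip, ifaces):
    """Interface whose connected subnet contains ip, else (None, None)."""
    for name, info in ifaces.items():
        if any(ip in n.network for n in info["nets"]):
            return name, info
    return None, None


def lint(text):
    ifaces, statics, pools, acls, nat_acls = parse_config(text)
    out = []
    for local, glob in statics:
        lname, linfo = owner(local, ifaces)
        if lname is None:
            out.append(("error", f"static {local}: no connected subnet contains the inside local"))
        elif linfo["nat"] != "inside":
            out.append(("error", f"static {local}: {lname} lacks 'ip nat inside'"))
        gname, ginfo = owner(glob, ifaces)
        if gname is None or ginfo["nat"] != "outside":
            out.append(("error", f"static {glob}: inside global is not on an 'ip nat outside' subnet"))
        elif any(glob == n.ip for n in ginfo["nets"]):
            # IOS answers ARP for a static inside-global address on the connected subnet by
            # default (alias; see the no-alias keyword), so a secondary address is not needed.
            out.append(("info", f"static {glob}: also configured as an address of {gname}"))
        for pname, (lo, hi) in pools.items():
            if lo <= glob <= hi:
                out.append(("error", f"static {glob}: collides with dynamic pool {pname}"))
    # 'ip nat inside' is per interface: subinterfaces do not inherit it from the parent
    for acl in sorted(nat_acls):
        for net in acls.get(acl, []):
            for name, info in ifaces.items():
                if info["nat"] != "inside" and any(net.overlaps(n.network) for n in info["nets"]):
                    out.append(("error", f"access-list {acl} permits {net} but {name} lacks 'ip nat inside'"))
    return out


if __name__ == "__main__":
    for level, msg in lint(CONFIG):
        print(f"{level}: {msg}")
```

On the posted config this reports that GigabitEthernet0/0.20 and 0/0.40 carry subnets permitted by access-list 10 but are not marked `ip nat inside` (the same applies to the other subinterfaces trimmed from the sample), and notes that 64.34.100.142 is both the static inside-global address and a proposed secondary interface address; the static entry works without the secondary address because the router answers ARP for it by default.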
