08-19-2019 09:25 AM
I am attempting to add a second public/external IP to the WAN interface and NAT it to a static IP on an existing VLAN. I have tried several combinations and it is not working.
Please confirm: to add a second IP to the external interface, I simply add the IP to the existing interface with the suffix SECONDARY.
Then to NAT, I would use the following syntax:
IP NAT INSIDE SOURCE STATIC 10.10.10.10 69.34.xx.xx (LAN -> WAN)
08-19-2019 09:41 AM
Hello Bruce,
The command syntax is correct for flows starting from inside to the internet.
If you want to allow sessions started from the internet, you need to add the extendable keyword:
IP NAT INSIDE SOURCE STATIC 10.10.10.10 69.34.xx.xx extendable
However, I have never tried to NAT to a secondary address.
Hope to help
Giuseppe
08-19-2019 11:06 AM
Thank you for the response. I'm not sure I clarified this correctly in the original post. The goal is to allow public access (outside to inside) from a new, second static public IP to an existing inside IP. Use case: allow an iPhone app to access security cameras on the inside LAN.
So I'm not following either response in your post: inside to internet, and 'extendable', which seems to be for one inside to multiple outside (which I believe is not necessary in my case).
Thanks again and I hope to hear more...
08-19-2019 10:49 PM
Hello Bruce,
The extendable keyword allows access from the internet to the internal resource.
I think you need it to achieve your target.
Without it, the internal resource cannot be reached if the communication starts from "outside".
The extendable keyword provides this capability.
The only point of attention is that the new address is a secondary address.
Try it and report your results here in the forums.
I agree that the NAT command syntax has some non-intuitive aspects.
Hope to help
Giuseppe
08-20-2019 04:22 AM
I added this and tested:
ip nat inside source static 10.0.40.6 69.34.137.160 extendable
and then this and tested:
ip nat inside source static tcp 10.0.40.6 80 69.34.137.160 80 extendable
ip nat inside source static tcp 10.0.40.6 443 69.34.137.160 443 extendable
ip nat inside source static tcp 10.0.40.6 554 69.34.137.160 554 extendable
ip nat inside source static tcp 10.0.40.6 8000 69.34.137.160 8000 extendable
tracert
08-20-2019 05:46 AM - edited 08-20-2019 05:56 AM
Hello Bruce,
For testing the NAT static entries, you should try to access from a public IP address outside your network, using for example a smartphone as a Wi-Fi hotspot.
The ICMP-related NAT entries are created by the tracert test, and they are not covered by the more specific static NAT commands.
I don't know what these two lines are, but again they are the result of an activity started on the client:
>> tcp 69.34.137.160:33899 10.0.40.6:33899 185.176.27.86:58455 185.176.27.86:58455
tcp 69.34.137.160:35636 10.0.40.6:35636 54.86.148.252:6800 54.86.148.252:6800
https://www.speedguide.net/port.php?port=6800
I have not found any reference for TCP port 58455.
Edit:
IP address 54.86.148.252 belongs to AS14618, and AS14618 belongs to Amazon US (ARIN RIR):
ASNumber: 14618
ASName: AMAZON-AES
ASHandle: AS14618
RegDate: 2005-11-04
Updated: 2012-03-02
Ref: https://rdap.arin.net/registry/autnum/14618
IP address 185.176.27.86 belongs to AS204428, which is owned by a European company, SS-Net (RIPE):
aut-num: AS204428
as-name: SS-Net
org: ORG-SA4107-RIPE
sponsoring-org: ORG-LE44-RIPE
Hope to help
Giuseppe
08-19-2019 11:29 AM
hostname ISR1921
!
no ip domain lookup
ip name-server 201.170.3.27
ip name-server 201.170.2.27
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description LAN0
ip address 10.0.10.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 10.0.20.5 255.255.255.128
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 10.0.30.5 255.255.255.240
!
interface GigabitEthernet0/0.40
encapsulation dot1Q 40
ip address 10.0.40.5 255.255.255.224
!
interface GigabitEthernet0/0.60
encapsulation dot1Q 60
ip address 10.0.60.5 255.255.255.224
!
interface GigabitEthernet0/0.70
encapsulation dot1Q 70
ip address 10.0.70.5 255.255.255.224
!
interface GigabitEthernet0/1
description LAN1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
description WAN0
ip address 64.34.100.140 255.255.255.128
! proposed new entry
ip address 64.34.100.142 255.255.255.128 secondary
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool p1 64.34.100.141 64.34.100.141 netmask 255.255.255.128
ip nat inside source list 10 pool p1 overload
! proposed new entry
ip nat inside source static 10.0.10.6 64.34.100.142
ip route 0.0.0.0 0.0.0.0 64.34.100.119
!
snmp-server location "zzz Florida"
snmp-server contact "xxxx"
access-list 10 permit 10.0.10.0 0.0.0.255
access-list 10 permit 10.0.20.0 0.0.0.255
access-list 10 permit 10.0.30.0 0.0.0.255
access-list 10 permit 10.0.40.0 0.0.0.255
access-list 10 permit 10.0.60.0 0.0.0.255
access-list 10 permit 10.0.70.0 0.0.0.255
!
control-plane
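A sanity check for the kind of configuration posted above, as an added example that is not part of the thread: it parses a constructed excerpt modelled on that config and flags static NAT entries whose inside host sits on an interface without 'ip nat inside' (the 10.0.x.0 subinterfaces above carry none) or whose public address is outside every primary or secondary subnet of the 'ip nat outside' interface. The third static entry and the address 198.51.100.9 are assumed for illustration only.

```python
import ipaddress
import re

# Constructed excerpt modelled on the config posted above (added example, not router output).
CONFIG = """
interface GigabitEthernet0/0
 ip address 10.0.10.2 255.255.255.0
 ip nat inside
interface GigabitEthernet0/0.40
 ip address 10.0.40.5 255.255.255.224
interface GigabitEthernet0/0/0
 ip address 64.34.100.140 255.255.255.128
 ip address 64.34.100.142 255.255.255.128 secondary
 ip nat outside
ip nat inside source static 10.0.10.6 64.34.100.142
ip nat inside source static tcp 10.0.40.6 554 64.34.100.143 554 extendable
ip nat inside source static 10.0.40.7 198.51.100.9
"""

def parse_interfaces(cfg):
    """Map interface name -> {"nets": [IPv4Interface, ...], "nat": inside|outside|None}."""
    ifaces, cur = {}, None
    for line in filter(str.strip, cfg.splitlines()):
        if not line[0].isspace():                      # top-level command: (re)enter a block
            m = re.match(r"interface (\S+)", line)
            cur = ifaces.setdefault(m[1], {"nets": [], "nat": None}) if m else None
        elif cur is not None:
            if m := re.match(r"\s+ip address (\S+) (\S+)", line):   # primary or secondary
                cur["nets"].append(ipaddress.IPv4Interface(f"{m[1]}/{m[2]}"))
            elif m := re.match(r"\s+ip nat (inside|outside)", line):
                cur["nat"] = m[1]
    return ifaces

# inside address, optional port, outside address (ports and 'extendable' are ignored here)
STATIC = re.compile(r"^ip nat inside source static (?:(?:tcp|udp) )?(\S+)(?: \d+)? (\S+)", re.M)

def lint_static_nat(cfg):
    """Return [(inside_ip, finding), ...]; an empty list means every static entry is routable."""
    ifaces = parse_interfaces(cfg)
    findings = []
    for inside, outside in STATIC.findall(cfg):
        inside, outside = ipaddress.IPv4Address(inside), ipaddress.IPv4Address(outside)
        owners = [i for i in ifaces.values() if any(inside in n.network for n in i["nets"])]
        # The host's own L3 interface (subinterfaces included) must carry 'ip nat inside'
        if not any(i["nat"] == "inside" for i in owners):
            findings.append((str(inside), "inside host's interface lacks 'ip nat inside'"))
        # The public address must sit in a primary or secondary subnet of a NAT-outside interface
        if not any(i["nat"] == "outside" and any(outside in n.network for n in i["nets"])
                   for i in ifaces.values()):
            findings.append((str(inside), f"{outside} is not in any 'ip nat outside' subnet"))
    return findings
```

Running lint_static_nat(CONFIG) reports 10.0.40.6 and 10.0.40.7 for the missing 'ip nat inside', and 10.0.40.7 again because 198.51.100.9 is not on the WAN subnet; 10.0.10.6 passes.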