NAT issue with a Cisco 3745 Router and inside/outside mapping

kevin.greene1
Level 1

Hi:

I am having an issue with NAT (like many do).

I have an internal host that needs to be seen on the outside.

There is an ACL on the public edge interface that allows several ports to be passed through the public ACL to the internal host.

This is a normal ACL and works well for other hosts that have normal public IPs assigned to them.

The challenge is that after the ACL, I need the internal host on an internal LAN to have a public-facing IP via NAT, since the internal host can only have one IP assigned to it.

In this specific case, the internal host only has one physical interface and I need to keep it on the internal LAN.

I created a NAT rule that should work.

ip nat inside source static 172.24.3.228 207.xxx.xxx route-map voip

route-map voip permit 1
 match ip address 152
 match interface FastEthernet4/0 FastEthernet3/0

access-list 152 permit ip host 172.24.3.228 any

(Note: the xxx in the IP address is just not to show what the real address is)

However, either I am missing something somewhere or I have a typo in the route map.

It fails to map inward. The host goes outward OK (I can ping public hosts, but I think this is since it is using the normal "inside to outside" NAT function).

The public interfaces do have the NAT setting set as it works for the normal internal users. I removed the public IP address from the lists below only for security reasons.

interface FastEthernet3/0
 ip access-group access-513 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 no cdp enable
 no mop enabled
 crypto map crypto

interface FastEthernet4/0
 ip access-group access-513 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 no cdp enable
 no mop enabled
 crypto map crypto

The Internal network is also working:

interface FastEthernet0/1
 description Corporate LAN
 ip address 172.24.3.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
 no mop enabled

If it helps, the router has Fast Ethernet to the public network. The router also has VPN connections to other corporate locations which work well (except one tunnel - still sorting that one out).

Any comments and/or suggestions on the NAT issue would be great.

7 Replies

Hello

I too don't really understand what your request is.

If you would like an external IP to be seen as an internal host, then you can apply a NAT outside local address:

ip nat outside source static (public address) 172.24.3.228

res

paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello:

Thanks for your fast reply.

Basically the internal host on the internal LAN (172.24.3.x) is a SIP/VOIP server.

However, to get SIP traffic from the external SIP provider, the SIP provider sends the traffic to the public IP address. I am wanting the public IP to NAT to an internal address. Classical NAT stuff.

The challenge I am having is that either I do not understand the static NAT examples I find on a Google search or I just do not understand how NAT works (this is more likely the case).

I will try your example.

I am assuming I can remove my existing NAT rule and map.

Thanks.

Kevin

Jon Marshall
Hall of Fame

Kevin

Perhaps I am misunderstanding the whole setup, but if you simply want to present the internal host to the outside using a public IP, why are you using a route map?

Edit - is it because you do not want to translate it via the VPN tunnels ?

Jon

Hi:

You are correct - I want the internal host to have a public IP.

In addition, as a side issue, the other office in a different city needs to communicate with the same internal host over a tunnel. It used to work until I started playing with fixing the NAT issue.

From our primary location where the internal host is, I can connect to the remote locations over the tunnel. However, I need to fix the NAT at the remote location (192.168.0.x) as they can access the internal LAN at the main location. But --- this is an unrelated issue to the original problem. Their DHCP server points to our 172.24.3.x VOIP services (SIP & TFTP).

Thank you again for your help.

Kevin

Kevin

Can you just confirm what I think you are asking for, i.e. if the host is accessed from the remote office via the VPN it should be via the real IP, but if it is accessed from the internet you want it on the public IP.

Is this what you are asking for?

Jon
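A worked configuration for the split Jon describes (real address over the VPN, public address from the internet), added here as an example; it is not Kevin's final config and not taken from a Cisco document. It assumes the remote office subnet 192.168.0.0/24 from Kevin's post, uses the documentation address 203.0.113.10 as a stand-in for the real public IP, and picks ACL number 153 and the route-map name VOIP-NAT arbitrarily.

```cisco
! Added example, not the original poster's configuration.
! 203.0.113.10 is a placeholder for the real public IP; ACL 153 and
! the route-map name VOIP-NAT are assumed names.
!
! On IOS, inside-to-outside packets are NATed before they hit the crypto map.
! Without the deny line, the SIP server's traffic to the remote office would
! be rewritten to the public address and would no longer match the crypto ACL,
! so the VPN would stop carrying it. The deny keeps that traffic on 172.24.3.228.
access-list 153 deny   ip host 172.24.3.228 192.168.0.0 0.0.0.255
access-list 153 permit ip host 172.24.3.228 any
!
route-map VOIP-NAT permit 10
 match ip address 153
!
! One-to-one static mapping; the route-map decides when it applies. No
! "match interface" is needed, both FastEthernet3/0 and 4/0 are already
! "ip nat outside", and the edge ACL (access-513) still decides which
! ports may reach 203.0.113.10 from the internet; keep that list limited
! to the SIP/RTP ports the provider actually uses.
ip nat inside source static 172.24.3.228 203.0.113.10 route-map VOIP-NAT
!
! Checks: the static entry should be listed, and a test call should add
! extended entries for it. Turn debugging off again once done.
! show ip nat translations | include 172.24.3.228
! show ip nat statistics
! debug ip nat
! undebug all
```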

Hello Jon:

Thank you for your followup.

I was able to solve the biggest problem of the Outside IP into the Internal host at the main location.

I can now make SIP calls each way with no problems at the main office - both internally and externally.

Now I am sorting out the issue of the remote office connection to the SIP server.

The remote location desk sets get their local information from their remote DHCP server. That seems to be working well. The desk sets are also able to download the required information from the SIP server DHCP server and the desk telephones all seem to have the right configuration.

However, I am still missing something as they keep trying to register. I should be able to sort this out soon (I hope). What is strange is from the main office I can connect to various servers in the remote office and the hosts there can connect to the main office via SSH. Thus, I think it is an issue maybe about a firewall rule or an ACL rule perhaps.

Anyway --- thank you again for your help and moral support. It is really nice to know that someone is out there listening to people like me.

Cheers.

Kevin

Hello

Can you confirm what changes you made to correct the issue?

It would be beneficial to others in the future.

res

Paul
