09-18-2015 10:47 AM - edited 03-05-2019 02:20 AM
Hi:
I am having an issue with NAT (like many do).
I have an internal host that needs to be seen on the outside.
There is an ACL on the public edge interface that allows several ports to be passed through the public ACL to the internal host.
This is a normal ACL and works well for other hosts that have normal public IPs assigned to them.
The challenge is after the ACL, I need the internal host on an internal LAN to have a public facing IP via NAT since the internal host can only have one IP assigned to it.
In this specific case, the internal host only has one physical interface and I need to keep it on the internal LAN.
I created a NAT rule that should work.
ip nat inside source static 172.24.3.228 207.xxx.xxx route-map voip
route-map voip permit 1
match ip address 152
match interface FastEthernet4/0 FastEthernet3/0
access-list 152 permit ip host 172.24.3.228 any
(Note: the xxx in the IP address is just not to show what the real address is)
However, either I am missing something somewhere or I have a typo in the route map.
It fails to map inward. The host goes outward OK (I can ping public hosts, but I think this is since it is using the normal "inside to outside" NAT function).
The public interfaces do have the NAT setting set as it works for the normal internal users. I removed the public IP address from the lists below only for security reasons.
interface FastEthernet3/0
ip access-group access-513 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
no cdp enable
no mop enabled
crypto map crypto
interface FastEthernet4/0
ip access-group access-513 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
no cdp enable
no mop enabled
crypto map crypto
The Internal network is also working:
interface FastEthernet0/1
description Corporate LAN
ip address 172.24.3.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
no mop enabled
If it helps, the router has Fast Ethernet to the public network. The router also has VPN connections to other corporate locations which work well (except one tunnel - still sorting that one out).
Any comments and/or suggestions would be great as to the NAT issue.
Kevin
09-18-2015 04:17 PM
Hello
I too don't really understand what your request is?
If you would like an external IP to be seen as an internal host then you can apply a NAT outside local address
ip nat outside source static (public address) 172.24.3.228
res
paul
09-18-2015 09:02 PM
Hello:
Thanks for your fast reply.
Basically the internal host on the internal LAN (172.24.3.x) is a SIP/VOIP server.
However, to get SIP traffic from the external SIP provider, the SIP provider sends the traffic to the public IP address. I am wanting the public IP to NAT to an internal address. Classical NAT stuff.
The challenge I am having is that either I do not understand the static NAT examples I find on a Google search or I just do not understand how NAT works (this is more likely the case).
I will try your example.
I am assuming I can remove my existing NAT rule and map.
Thanks.
Kevin
09-18-2015 04:33 PM
Kevin
Perhaps I am misunderstanding the whole setup but if you simply want to present the internal host to the outside using a public IP why are you using a route map?
Edit - is it because you do not want to translate it via the VPN tunnels?
Jon
09-18-2015 09:56 PM
Hi:
You are correct - I want the internal host to have a public IP.
In addition as a side issue, the other office in a different city needs to communicate to the same internal host over a tunnel. It used to work until I started playing with fixing the NAT issue.
From our primary location where the internal host is, I can connect to the remote locations over the tunnel. However, I need to fix the NAT at the remote location (192.168.0.x) as they can access the internal LAN at the main location. But --- this is an unrelated issue to the original problem. Their DHCP server points to our 172.24.3.x VOIP services (SIP & TFTP).
Thank you again for your help.
Kevin
09-19-2015 07:38 PM
Kevin
Can you just confirm what I think you are asking for, i.e. if the host is accessed from the remote office via the VPN it should be via the real IP but if it is accessed from the internet you want it on the public IP.
Is this what you are asking for?
Jon
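The behaviour Jon describes above (real address through the VPN, public address from the internet) is commonly written on IOS as a static NAT whose route-map ACL denies the tunnel destinations. This is an added example, not configuration posted in the thread and not Kevin's eventual fix; 203.0.113.10 is a placeholder for the elided public address, and the /24 mask on the remote office LAN (192.168.0.x) is an assumption.

```cisco
! Constructed example. 203.0.113.10 stands in for the elided public address;
! 192.168.0.0 0.0.0.255 assumes the remote office LAN is a /24.
!
! ACL 152 selects the flows that should be translated. On inside-to-outside
! traffic NAT runs before the crypto map is evaluated, so traffic bound for
! the tunnel is denied here: it keeps its real source address (172.24.3.228)
! and still matches the crypto ACL written against the real addresses.
access-list 152 deny   ip host 172.24.3.228 192.168.0.0 0.0.0.255
access-list 152 permit ip host 172.24.3.228 any
!
! The route-map in this sketch matches on the ACL only.
route-map voip permit 10
 match ip address 152
!
ip nat inside source static 172.24.3.228 203.0.113.10 route-map voip
!
! The inbound ACL on the outside interfaces (access-513 in the thread) is
! checked before the outside-to-inside translation, so its permit entries
! for this host must name the public address, not 172.24.3.228.
!
! Checks after applying:
!   show access-lists 152       hit counters on the deny and permit lines
!   show route-map voip         the route-map references ACL 152
!   show ip nat translations    static entry for 172.24.3.228
!   show access-lists           hits on the access-513 entries for the public address
```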
09-20-2015 02:30 PM
Hello Jon:
Thank you for your followup.
I was able to solve the biggest problem of the Outside IP into the Internal host at the main location.
I can now make SIP calls each way with no problems at the main office - both internally and externally.
Now I am sorting out the issue of the remote office connection to the SIP server.
The remote location desk sets get their local information from their remote DHCP server. That seems to be working well. The desk sets are also able to download the required information from the SIP server DHCP server and the desk telephones all seem to have the right configuration.
However, I am still missing something as they keep trying to register. I should be able to sort this out soon (I hope). What is strange is from the main office I can connect to various servers in the remote office and the hosts there can connect to the main office via SSH. Thus, I think it is an issue maybe about a firewall rule or an ACL rule perhaps.
Anyway --- thank you again for your help and moral support. It is really nice to know that someone is out there listening to people like me.
Cheers.
Kevin
09-21-2015 01:10 AM
Hello
Can you confirm what changes you made to correct the issue?
It would be beneficial to others in the future.
res
Paul