NAT not working

Alain Nohra
Level 1

I have the following NAT configured. It was working very well; suddenly it's not working anymore.

ip nat inside source static tcp 192.168.4.117 7000 195.112.197.10 7000 extendable

I can telnet to the internal IP 192.168.4.117 on port 7000 but cannot telnet to the public IP from outside.

The following access list is also configured:

ip access-list extended NAT-Inside-Outside
deny ip 192.168.4.0 0.0.0.255 172.16.4.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.7.0 0.0.0.255
deny ip 192.168.7.0 0.0.0.255 192.168.4.80 0.0.0.15
deny ip 192.168.5.0 0.0.0.255 192.168.4.80 0.0.0.15
deny ip 192.168.6.0 0.0.0.255 192.168.4.80 0.0.0.15
deny ip 192.168.3.0 0.0.0.255 192.168.4.80 0.0.0.15
deny ip 192.168.2.0 0.0.0.255 192.168.4.80 0.0.0.15
deny ip 192.168.4.80 0.0.0.15 any
deny ip 192.168.4.0 0.0.0.255 192.168.4.80 0.0.0.15
permit ip 192.168.4.0 0.0.0.255 any
permit ip host 172.20.1.2 any


You need to exclude the static PAT from the NAT overload.

You can do that by adding an ACL line above the line permit x.x.x.x any with

Deny tcp host 192.168.4.117 eq 7000 any 

Hello
The ACL you show relates to multiple subnets, so I assume you have a large single inside / multiple NAT domain(s)?
You also need to exclude this static PAT statement from that NAT ACL and have it installed before any other access control entry (ACE) that relates to the subnet of this host:

show ip access-list NAT-Inside-Outside

ip access-list extended NAT-Inside-Outside
2 deny tcp host 192.168.4.117 any eq 7000



Kind Regards
Paul
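To illustrate the point both replies above make (the static-PAT host's port 7000 must be denied in the overload ACL before the subnet-wide permit, because IOS ACLs are evaluated first-match), here is an added Python evaluator; it is not part of the thread and applies Cisco wildcard-mask and first-match semantics to an abridged, constructed copy of NAT-Inside-Outside. The two replies place the port qualifier in different positions; the parser accepts both forms, and the constructed case uses the source-port form because the inside host's replies leave with source port 7000. The client address and port are constructed.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard mask: a 1 bit means "don't care" for that bit position
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _addr(tok):  # 'any' | 'host X' | 'X WILDCARD' -> ((base, wildcard), rest)
    if tok[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]

def _port(tok):  # optional 'eq N' qualifier; None means any port
    return (int(tok[1]), tok[2:]) if tok[:1] == ["eq"] else (None, tok)

def parse_ace(line):
    tok = line.split()
    if tok[0].isdigit():  # drop a sequence number as printed by 'show ip access-list'
        tok = tok[1:]
    action, proto, tok = tok[0].lower(), tok[1].lower(), tok[2:]
    src, tok = _addr(tok)
    sport, tok = _port(tok)
    dst, tok = _addr(tok)
    dport, tok = _port(tok)
    return action, proto, src, sport, dst, dport

def evaluate(acl, proto, src, sport, dst, dport):
    # First-match semantics: the first ACE that matches decides; later ACEs are ignored
    for n, line in enumerate(acl, 1):
        action, p, s, sp, d, dp = parse_ace(line)
        if (p in ("ip", proto) and wildcard_match(src, *s) and wildcard_match(dst, *d)
                and sp in (None, sport) and dp in (None, dport)):
            return action, n
    return "deny", None  # implicit deny at the end of every IOS ACL

# Constructed, abridged version of the thread's NAT-Inside-Outside ACL. The deny
# for the static-PAT host must precede the subnet-wide permit to take effect.
PERMIT = "permit ip 192.168.4.0 0.0.0.255 any"
STATIC_PAT_DENY = "deny tcp host 192.168.4.117 eq 7000 any"
ACL_ORIGINAL = ["deny ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.255.255", PERMIT]
ACL_FIXED = ACL_ORIGINAL[:1] + [STATIC_PAT_DENY, PERMIT]
ACL_WRONG_ORDER = ACL_ORIGINAL + [STATIC_PAT_DENY]

def check(acl, dst="91.151.227.41", dport=59002):
    # Reply from the static-PAT service (inside 192.168.4.117:7000) to an Internet client
    return evaluate(acl, "tcp", "192.168.4.117", 7000, dst, dport)

if __name__ == "__main__":
    for name, acl in [("original", ACL_ORIGINAL), ("fixed", ACL_FIXED), ("wrong order", ACL_WRONG_ORDER)]:
        print(f"{name:12s} overload-ACL verdict for 192.168.4.117:7000 -> {check(acl)}")
```

A "permit" verdict means the reply is pulled into the overload translation instead of the static PAT entry; only the fixed ordering yields "deny" for port 7000 while leaving other traffic from the host overloaded.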

Alain Nohra
Level 1

That didn't work.


Can I see 

Show ip nat translate 

Pro Inside global Inside local Outside local Outside global
tcp 195.112.197.10:7000 192.168.4.117:7000 91.151.227.41:59002 91.151.227.41:59002
tcp 195.112.197.10:7000 192.168.4.117:7000 --- ---
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:351 185.224.128.213:351
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:1039 185.224.128.213:1039
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:5007 185.224.128.213:5007
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:12011 185.224.128.213:12011
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:13717 185.224.128.213:13717
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:13905 185.224.128.213:13905
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:19605 185.224.128.213:19605
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:19805 185.224.128.213:19805
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:32229 185.224.128.213:32229
tcp 195.112.197.10:80 192.168.4.230:80 --- ---
tcp 195.112.197.10:7620 192.168.4.230:7620 --- ---
tcp 195.112.197.10:7621 192.168.4.230:7621 --- ---
tcp 195.112.197.10:7622 192.168.4.230:7622 --- ---
tcp 195.112.197.10:7623 192.168.4.230:7623 --- ---

The previous show ip nat translation was taken when I tried to telnet to the public IP. As you can see, it goes outside from my public IP, but it's not opening.

Pro Inside global Inside local Outside local Outside global
tcp 195.112.197.10:7000 192.168.4.117:7000 --- ---
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:351 185.224.128.213:351
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:5007 185.224.128.213:5007
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:12011 185.224.128.213:12011
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:13717 185.224.128.213:13717
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:13905 185.224.128.213:13905
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:19605 185.224.128.213:19605
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:19805 185.224.128.213:19805
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:32229 185.224.128.213:32229
tcp 195.112.197.10:80 192.168.4.230:80 193.32.162.159:46511 193.32.162.159:46511
tcp 195.112.197.10:80 192.168.4.230:80 --- ---
tcp 195.112.197.10:7620 192.168.4.230:7620 --- ---
tcp 195.112.197.10:7621 192.168.4.230:7621 --- ---
tcp 195.112.197.10:7622 192.168.4.230:7622 --- ---
tcp 195.112.197.10:7623 192.168.4.230:7623 --- ---

See above comment

no

tcp 195.112.197.10:7000 192.168.4.117:7000 91.151.227.41:59002 91.151.227.41:59002

This is correct; your NATing is OK.

If there is still an issue and you confirm that there is no ACL on the interface, check the return routing path; it can be that the return traffic does not hit the same interface it entered.

Do you have dual isp and failover?

I have two route-maps, one for each ISP, and the above access list NAT-Inside-Outside is applied to each one.

One of the ISPs is down, so we are working with one route-map matching the access list above.

Then, friend, you need conditional static NAT with a route-map.

Check link below 

https://community.cisco.com/t5/networking-knowledge-base/how-to-configure-static-nat-with-route-maps/ta-p/3132855

I tried it; it didn't work.

Can I see the latest config of

PBR and static NAT
