04-03-2023 03:00 AM
I have the following NAT configured. It was working very well; suddenly it's not working anymore.
ip nat inside source static tcp 192.168.4.117 7000 195.112.197.10 7000 extendable
I can telnet to the internal IP 192.168.4.117 on 7000 but cannot telnet to the public IP from outside.
The following access list is also configured:
ip access-list extended NAT-Inside-Outside
deny ip 192.168.4.0 0.0.0.255 172.16.4.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.7.0 0.0.0.255
deny ip 192.168.7.0 0.0.0.255 192.168.4.80 0.0.0.15
deny ip 192.168.5.0 0.0.0.255 192.168.4.80 0.0.0.15
deny ip 192.168.6.0 0.0.0.255 192.168.4.80 0.0.0.15
deny ip 192.168.3.0 0.0.0.255 192.168.4.80 0.0.0.15
deny ip 192.168.2.0 0.0.0.255 192.168.4.80 0.0.0.15
deny ip 192.168.4.80 0.0.0.15 any
deny ip 192.168.4.0 0.0.0.255 192.168.4.80 0.0.0.15
permit ip 192.168.4.0 0.0.0.255 any
permit ip host 172.20.1.2 any
04-03-2023 03:11 AM
You need to exclude the static PAT from the NAT overload.
You can do that by adding an ACL line above the line "permit x.x.x.x any" with:
Deny tcp host 192.168.4.117 eq 7000 any
04-03-2023 03:25 AM
Hello
The ACL you show relates to multiple subnets; I assume then you have a large single inside / multiple NAT domain(s)?
You also need to exclude this static PAT statement from that NAT ACL and have it installed before any other access control entry (ACE) that relates to the subnet of this host:
show ip access-list NAT-Inside-Outside
ip access-list extended NAT-Inside-Outside
2 deny tcp host 192.168.4.117 any eq 7000
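Both replies above hinge on the same mechanism: the NAT overload ACL is evaluated top-down, first match wins, and the server's replies (source 192.168.4.117, source port 7000, travelling inside to outside) currently fall through to "permit ip 192.168.4.0 0.0.0.255 any", so they are candidates for the overload pool instead of the static PAT entry. The following Python model is an added example, not code from this thread or from Cisco: it parses the ACE syntax used in the thread (wildcard masks, "host", "any", "eq" ports), applies first-match semantics, and shows why the deny ACE only helps when it sits above that permit line. The ACL below is a constructed subset of the one posted; the outside address and ephemeral port are taken from the translation table shown later in the thread. The parser accepts both placements of "eq 7000" seen in the two replies (after the source address, and after "any"), so the reader can compare which direction's port each one tests.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A flow as the NAT ACL sees it in the inside-to-outside direction.
Flow = Tuple[str, str, int, str, int]  # (proto, src_ip, src_port, dst_ip, dst_port)


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" (matches everything) or "tcp"
    src: str               # "any", "host a.b.c.d", or "a.b.c.d wildcard"
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def parse_ace(line: str) -> Ace:
    """Parse one IOS-style extended ACE such as
    'deny tcp host 192.168.4.117 eq 7000 any' (constructed subset of the syntax)."""
    toks = line.split()
    action, proto = toks[0].lower(), toks[1].lower()
    pos = 2

    def take_addr() -> str:
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return "any"
        if toks[pos] == "host":
            spec = f"host {toks[pos + 1]}"
            pos += 2
            return spec
        spec = f"{toks[pos]} {toks[pos + 1]}"   # base wildcard
        pos += 2
        return spec

    def take_port() -> Optional[int]:
        nonlocal pos
        if pos < len(toks) and toks[pos] == "eq":
            port = int(toks[pos + 1])
            pos += 2
            return port
        return None

    src = take_addr()
    sport = take_port()
    dst = take_addr()
    dport = take_port()
    return Ace(action, proto, src, dst, sport, dport)


def match_addr(spec: str, addr: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is don't-care."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec.split()[1] == addr
    base, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    proto, sip, sport, dip, dport = flow
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if not (match_addr(ace.src, sip) and match_addr(ace.dst, dip)):
        return False
    if ace.src_port is not None and ace.src_port != sport:
        return False
    if ace.dst_port is not None and ace.dst_port != dport:
        return False
    return True


def evaluate(acl: List[Ace], flow: Flow) -> Tuple[Optional[int], str]:
    """First match wins; no match means the implicit deny (index None)."""
    for idx, ace in enumerate(acl):
        if ace_matches(ace, flow):
            return idx, ace.action
    return None, "deny"


# Constructed subset of the NAT-Inside-Outside ACL posted in the thread.
ORIGINAL_ACL = [parse_ace(l) for l in """\
deny ip 192.168.4.0 0.0.0.255 172.16.4.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 192.168.4.80 0.0.0.15 any
permit ip 192.168.4.0 0.0.0.255 any
permit ip host 172.20.1.2 any""".splitlines()]

EXCLUDE_SRC_PORT = parse_ace("deny tcp host 192.168.4.117 eq 7000 any")   # first reply's form
EXCLUDE_DST_PORT = parse_ace("deny tcp host 192.168.4.117 any eq 7000")   # second reply's form

FIXED_ACL = [EXCLUDE_SRC_PORT] + ORIGINAL_ACL        # deny placed above the permit
MISPLACED_ACL = ORIGINAL_ACL + [EXCLUDE_SRC_PORT]    # deny appended after the permit

# The server's reply toward the outside client seen in the translation table.
SERVER_REPLY: Flow = ("tcp", "192.168.4.117", 7000, "91.151.227.41", 59002)
# An ordinary inside host that should still be overloaded.
ORDINARY_HOST: Flow = ("tcp", "192.168.4.50", 40000, "203.0.113.9", 443)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL), ("misplaced", MISPLACED_ACL)):
        print(name, evaluate(acl, SERVER_REPLY), evaluate(acl, ORDINARY_HOST))
```

Running it shows the reply flow hitting the permit at index 3 in both the original and the misplaced ACL, and the new deny at index 0 only in the fixed ACL, while the ordinary host is permitted in all three. The ACE written as "any eq 7000" tests the destination port, which for this flow is the client's ephemeral port, so in the model it does not match the reply.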
04-03-2023 04:24 AM
That didn't work.
04-03-2023 04:41 AM
Can I see
Show ip nat translate
04-03-2023 04:43 AM
Pro Inside global Inside local Outside local Outside global
tcp 195.112.197.10:7000 192.168.4.117:7000 91.151.227.41:59002 91.151.227.41:59002
tcp 195.112.197.10:7000 192.168.4.117:7000 --- ---
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:351 185.224.128.213:351
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:1039 185.224.128.213:1039
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:5007 185.224.128.213:5007
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:12011 185.224.128.213:12011
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:13717 185.224.128.213:13717
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:13905 185.224.128.213:13905
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:19605 185.224.128.213:19605
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:19805 185.224.128.213:19805
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:32229 185.224.128.213:32229
tcp 195.112.197.10:80 192.168.4.230:80 --- ---
tcp 195.112.197.10:7620 192.168.4.230:7620 --- ---
tcp 195.112.197.10:7621 192.168.4.230:7621 --- ---
tcp 195.112.197.10:7622 192.168.4.230:7622 --- ---
tcp 195.112.197.10:7623 192.168.4.230:7623 --- ---
04-03-2023 04:50 AM
The previous show ip nat translation was taken when I tried to telnet to the public IP. As you can see, it goes outside from my public IP, but it's not opening.
04-03-2023 04:50 AM
Pro Inside global Inside local Outside local Outside global
tcp 195.112.197.10:7000 192.168.4.117:7000 --- ---
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:351 185.224.128.213:351
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:5007 185.224.128.213:5007
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:12011 185.224.128.213:12011
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:13717 185.224.128.213:13717
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:13905 185.224.128.213:13905
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:19605 185.224.128.213:19605
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:19805 185.224.128.213:19805
tcp 195.112.197.10:80 192.168.4.230:80 185.224.128.213:32229 185.224.128.213:32229
tcp 195.112.197.10:80 192.168.4.230:80 193.32.162.159:46511 193.32.162.159:46511
tcp 195.112.197.10:80 192.168.4.230:80 --- ---
tcp 195.112.197.10:7620 192.168.4.230:7620 --- ---
tcp 195.112.197.10:7621 192.168.4.230:7621 --- ---
tcp 195.112.197.10:7622 192.168.4.230:7622 --- ---
tcp 195.112.197.10:7623 192.168.4.230:7623 --- ---
04-03-2023 05:05 AM - edited 04-03-2023 05:26 AM
See above comment
04-03-2023 05:09 AM
no
04-03-2023 05:25 AM
tcp 195.112.197.10:7000 192.168.4.117:7000 91.151.227.41:59002 91.151.227.41:59002
This is correct; your NATing is OK.
If there is still an issue and you confirm that no ACL is on the interface, check the return routing path: it can be that the return traffic does not hit the same interface it entered.
Do you have dual isp and failover?
04-03-2023 05:30 AM - edited 04-03-2023 05:32 AM
I have two route-maps, one for each ISP, and the above access list NAT-Inside-Outside is applied to each one.
One of the ISPs is down, so we are working on one route-map matching the access list above.
04-03-2023 05:35 AM
Then, friend, you need conditional static NAT with a route-map.
Check the link below.
04-03-2023 05:51 AM
I tried it; it didn't work.
04-03-2023 06:01 AM
Can I see the last config of the
PBR and static NAT?