04-26-2011 09:17 AM - edited 03-04-2019 12:11 PM
Hi, experts.
I need to set up static NAT on a Cisco 2621xm.
I do:
1. First Config:
interface FastEthernet0/0
no ip address
speed auto
full-duplex
!
interface FastEthernet0/0.9
encapsulation dot1Q 9
ip address <public ip> 255.255.255.240
ip nat outside
!
interface FastEthernet0/0.14
encapsulation dot1Q 14
ip address 192.168.14.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
ip nat inside source static 192.168.14.2 interface FastEthernet0/0.9
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 <ISP Gateway>
2. Second:
interface FastEthernet0/0
no ip address
speed auto
full-duplex
!
interface FastEthernet0/0.9
encapsulation dot1Q 9
ip address <public ip> 255.255.255.240
ip nat outside
!
interface FastEthernet0/0.14
encapsulation dot1Q 14
ip address 192.168.14.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
ip nat inside source static 192.168.14.2 <second public ip>
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 <ISP Gateway>
192.168.14.2 is a VPN box that requires static NAT.
Config №1 works, but №2 does not. Why? What is the basic difference between them?
04-28-2011 06:40 AM
Hi Igor,
I tried something simple in my lab and it worked just fine; I do have a 2621XM here to test:
!
ip cef <------ Very important--------<<<
!
interface FastEthernet0/0.9
encapsulation dot1Q 9
ip address 1.2.3.114 255.255.255.240
ip nat outside
!
interface FastEthernet0/0.14
encapsulation dot1Q 14
ip address 192.168.14.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1
ip address 192.168.10.254 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat pool Internet 1.2.3.115 1.2.3.115 netmask 255.255.255.240
ip nat inside source list 1 pool Internet overload
ip nat inside source static 192.168.14.2 1.2.3.116
access-list 1 permit 192.168.14.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 1.2.3.113
!
04-26-2011 12:59 PM
Hi,
Have you confirmed with your ISP that the address is active and pointing to your network?
Let me know.
Cheers,
Yanil
04-26-2011 10:36 PM
Thanks for the answer.
Yes, I have a 28-bit subnet mask, and
04-27-2011 10:11 AM
It works if I add a line:
interface FastEthernet0/0
no ip address
speed auto
full-duplex
!
interface FastEthernet0/0.9
encapsulation dot1Q 9
ip address
ip address
ip nat outside
!
interface FastEthernet0/0.14
encapsulation dot1Q 14
ip address 192.168.14.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
ip nat inside source static 192.168.14.2
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0
192.168.14.2 is a VPN box that requires static NAT.
But then routing to the ISP subnet doesn't work. If I ping an address in the ISP subnet from the Cisco 2621xm, packets are lost. All other public IPs are reachable without problems.
04-27-2011 06:54 AM
This configuration works now.
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname GW1
!
boot-start-marker
boot system flash:cisco/c2600-is-mz.123-9.bin
boot-end-marker
!
no logging on
enable secret 5 ***
enable password 7 ***
!
clock timezone Moscow 3
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
no ip cef
!
!
interface FastEthernet0/0
no ip address
speed auto
full-duplex
!
interface FastEthernet0/0.9
encapsulation dot1Q 9
ip address
ip nat outside
!
interface FastEthernet0/0.14
encapsulation dot1Q 14
ip address 192.168.14.1 255.255.255.0
ip nat inside
!
interface Serial0/0
no ip address
shutdown
no cdp enable
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
no cdp enable
!
ip nat inside source static 192.168.14.2 interface FastEthernet0/0.9
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0
!
line con 0
password 7 ***
line aux 0
line vty 0 4
password 7 ***
login
line vty 5 15
password 7 ***
login
!
ntp clock-period 17180303
ntp server 192.168.10.101
!
end
I would like to replace "ip nat inside source static 192.168.14.2 interface FastEthernet0/0.9" with "ip nat inside source static 192.168.14.2 IP2", and change the address on the interface to IP1.
04-27-2011 02:50 PM
Hi,
Again, the configuration looks fine. Why don't you try configuring that IP address on a loopback interface on the router and pinging, let's say, 4.2.2.2 sourced from that loopback? That's a valid test! It will also show us whether or not the ISP is routing that address to you.
Cheers,
Yanil
04-27-2011 11:54 PM
Until a week ago, routing was handled by another device (CheckPoint). Everything worked fine. Now that server has broken down. I want to set up routing on the Cisco 2621xm.
The task that I need to solve is as follows:
1. Make NAT for the internal network containing the subnets 192.168.10.0/24 + 192.168.53.0/24 + ... so that they appear as a particular
external address, e.g. 1.2.3.115, from the external subnet provided by my ISP (1.2.3.112/28).
2. Make static NAT for the IP address of the VPN device, 192.168.14.2, to the second external address, 1.2.3.116, from the subnet
provided by my ISP.
3. Configure routing between the internal subnets specified in 1.
When I configure static NAT on the Cisco 2621xm I am facing a problem, namely:
ip nat inside source static 192.168.14.2 interface FastEthernet0/0.9 - works fine
ip nat inside source static 192.168.14.2 1.2.3.116 - does not, with 1.2.3.114 on interface Fa0/0.9.
When I say "doesn't work", I mean that when I try to establish the VPN, I get the error message "VPN isn't established".
If I add the following line to the config of Fa0/0.9:
interface FastEthernet0/0.9
encapsulation dot1Q 9
ip address 1.2.3.114 255.255.255.240
ip address 1.2.3.116 255.255.255.240 secondary
ip nat outside
then the config "ip nat inside source static 192.168.14.2 1.2.3.116" works fine.
However, routing from the local subnets to 1.2.3.112/28 doesn't work.
I would like packets going to 1.2.3.112/28 to be sent directly from the local addresses (192.168.10.0/24 + 192.168.53.0/24 + ...),
without being NAT'ed.
This configuration works now, but routing from the local subnets to 1.2.3.112/28 doesn't:
!
! Last configuration change at 20:02:40 Moscow Wed Apr 27 2011
! NVRAM config last updated at 20:18:33 Moscow Wed Apr 27 2011
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname GW1
!
boot-start-marker
boot system flash:cisco/c2600-is-mz.123-9.bin
boot-end-marker
!
no logging on
enable secret 5 *
enable password 7 *
!
clock timezone Moscow 3
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
no ip cef
!
!
ip name-server 8.8.8.8
!
interface FastEthernet0/0
no ip address
speed auto
full-duplex
!
interface FastEthernet0/0.9
encapsulation dot1Q 9
ip address 1.2.3.116 255.255.255.240 secondary
ip address 1.2.3.114 255.255.255.240
ip access-group External in
ip nat outside
!
interface FastEthernet0/0.14
encapsulation dot1Q 14
ip address 192.168.14.1 255.255.255.0
ip nat inside
!
interface Serial0/0
no ip address
shutdown
no cdp enable
!
interface FastEthernet0/1
ip address 192.168.10.254 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
no cdp enable
!
ip nat pool Internet 1.2.3.115 1.2.3.115 netmask 255.255.255.240
ip nat inside source list NAT pool Internet overload
ip nat inside source static 192.168.14.2 1.2.3.116
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 1.2.3.113
!
!
!
ip access-list extended External
permit tcp any any established
permit udp any eq domain any
permit udp any eq ntp any
permit udp any eq isakmp host
permit udp host
deny ip any any
permit icmp any any echo-reply
ip access-list extended NAT
deny ip 192.168.10.0 0.0.0.255 1.2.3.112 0.0.0.15
permit ip 192.168.10.0 0.0.0.255 any
logging trap debugging
!
line con 0
password 7 ***
line aux 0
line vty 0 4
password 7 ***
login
line vty 5 15
password 7 ***
login
!
ntp clock-period 17180305
ntp server 192.168.10.101
!
end
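The two posted lists above are worth replaying against real packets, because IOS evaluates an access-list top to bottom and stops at the first match. In the "External" list, "permit icmp any any echo-reply" sits after "deny ip any any", so it can never match: inbound echo replies to the router are dropped, which is consistent with the pings to the ISP subnet being lost, and nothing in the list permits ESP (IP protocol 50) or UDP 4500 towards 1.2.3.116, which the VPN box would need. The "NAT" list, on the other hand, does what was asked: the deny entry exempts 192.168.10.0/24 to 1.2.3.112/28 from translation while the permit sends everything else through the 1.2.3.115 pool, as in the lab config in the accepted answer. The script below is an added example and not part of the thread or of Cisco's own tooling; it models those two semantics (first-match ACL evaluation with the implicit trailing deny, and inside-source NAT with a static entry taking precedence over the dynamic list, which is how I assume IOS resolves it) over constructed packets. The two truncated "isakmp"/"host" entries are left out because their hosts are not on the page, and all packet addresses are made up for illustration.

```python
"""Added example (not from the thread): a small model of IOS access-list
first-match evaluation and inside-source NAT selection, replayed over
constructed packets that mirror the posted 'External' and 'NAT' lists.
All packets and addresses below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", "icmp" or "esp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False  # TCP segment with ACK or RST set
    icmp_type: str = ""


@dataclass(frozen=True)
class Ace:
    """One access-list entry. proto 'ip' matches every protocol."""
    action: str
    proto: str
    src: IPv4Network
    dst: IPv4Network
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (
            self.proto in ("ip", p.proto)
            and IPv4Address(p.src) in self.src
            and IPv4Address(p.dst) in self.dst
            and (self.sport is None or p.sport == self.sport)
            and (self.dport is None or p.dport == self.dport)
            and (not self.established or p.established)
            and (self.icmp_type is None or p.icmp_type == self.icmp_type)
        )

    def is_catch_all(self) -> bool:
        """'permit/deny ip any any' with no further qualifiers."""
        return (self.proto == "ip" and self.src == ANY and self.dst == ANY
                and self.sport is None and self.dport is None
                and not self.established and self.icmp_type is None)


def evaluate(acl: List[Ace], p: Packet) -> Tuple[str, Optional[int]]:
    """IOS semantics: entries are checked top to bottom, the first match
    decides, and an implicit 'deny ip any any' ends every list."""
    for i, ace in enumerate(acl):
        if ace.matches(p):
            return ace.action, i
    return "deny", None


def unreachable(acl: List[Ace]) -> List[int]:
    """Indices of entries that can never match because a catch-all
    'ip any any' entry precedes them."""
    for i, ace in enumerate(acl):
        if ace.is_catch_all():
            return list(range(i + 1, len(acl)))
    return []


# Inbound list on Fa0/0.9 as posted; the truncated isakmp/host lines are
# omitted because their hosts are not on the page.
EXTERNAL = [
    Ace("permit", "tcp", ANY, ANY, established=True),
    Ace("permit", "udp", ANY, ANY, sport=53),
    Ace("permit", "udp", ANY, ANY, sport=123),
    Ace("deny", "ip", ANY, ANY),
    Ace("permit", "icmp", ANY, ANY, icmp_type="echo-reply"),
]

# The same list with the echo-reply permit moved above the final deny.
EXTERNAL_FIXED = EXTERNAL[:3] + [EXTERNAL[4], EXTERNAL[3]]

# 'ip nat inside source static 192.168.14.2 1.2.3.116' and
# 'ip nat inside source list NAT pool Internet overload' (pool = 1.2.3.115).
STATIC = {"192.168.14.2": "1.2.3.116"}
NAT_LIST = [
    Ace("deny", "ip", IPv4Network("192.168.10.0/24"), IPv4Network("1.2.3.112/28")),
    Ace("permit", "ip", IPv4Network("192.168.10.0/24"), ANY),
]
POOL = "1.2.3.115"


def inside_global(p: Packet) -> Optional[str]:
    """Source address an inside->outside packet carries after NAT, or None
    if it leaves untranslated. Assumption: a static entry for the host wins
    over the dynamic list; otherwise the list decides whether the pool applies."""
    if p.src in STATIC:
        return STATIC[p.src]
    action, _ = evaluate(NAT_LIST, p)
    return POOL if action == "permit" else None


if __name__ == "__main__":
    reply = Packet("icmp", "1.2.3.113", "1.2.3.114", icmp_type="echo-reply")
    print("echo-reply as posted:", evaluate(EXTERNAL, reply))
    print("echo-reply reordered:", evaluate(EXTERNAL_FIXED, reply))
    print("unreachable entries as posted:", unreachable(EXTERNAL))
    print("192.168.10.5 -> 1.2.3.120 NAT:", inside_global(Packet("icmp", "192.168.10.5", "1.2.3.120")))
```

Running it shows the echo reply hitting the deny at index 3 in the posted order and the permit once reordered, the trailing entry reported as unreachable, and traffic from 192.168.10.0/24 to the ISP /28 leaving untranslated while 192.168.53.0/24, which the list never mentions, is not translated at all; any subnet that should be PAT'ed behind 1.2.3.115 has to be added to that list.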
04-28-2011 10:19 PM
Thanks for your reply!
Yesterday my colleague and I set everything up carefully. The Cisco 2621xm now works as we need (it's magic! :)). The problem was most likely in our ACL External, as well as in the STP on our Catalyst. The configuration now works without "secondary" IP addresses on interface Fa0/0.9, as it should.
Thank you very much!