nat outside and public network...

ilrobbby
Level 1

Hello Community!

I have an 887VA router and a public /29 network.

The di0 is the only interface that NATs all source addresses outside to the internet;

vlan2 is the interface that handles the public network address pool; vlan2 is also the DG of a firewall that protects the server farm and allows routing to/from the internet.

Any IP address behind the FW that has to go to the internet is NATed with a public IP of my public pool and leaves the router with the NATed address that I've decided on the FW (the vlan2 interface doesn't have the ip nat outside option);

Now, I need to publish a resource that connects directly to the router's vlan3 interface, and I need to make it reachable from the internet through the public IP of vlan2...

Is this configuration possible? If I set ip nat outside on vlan2 and implement a route-map NAT, I think that I will lose the possibility to use all the other public NAT addresses, because vlan2 NATs outside any packets with its IP address... right?

I've attached a small schema of my network and the configuration of the device; can you help me please?

(vlan4 is used only to surf the internet from wireless client PCs if I have to shut down the FW; sure, I have to move the Ethernet cable from the FW interface to the router's FE.)

Many thanks!

Bye,
Roberto.

nat_problem.jpg


Hello

You should be good just to statically NAT on vlan 2

interface Vlan2
description vlan2 (Lax_EXT_CL Internet link)
ip nat outside

interface Dialer0
ip nat outside

interface Vlan4
description vlan4 (WiFi - internet Link FW KO)
ip nat inside

interface Vlan3
description vlan3 (...)
ip nat inside

access-list 1 permit 172.x.x.0 0.0.0.63

ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.169.2 3803 interface Vlan2 6480
ip nat inside source static tcp 192.168.169.2 7578 interface Vlan2 7582
ip nat inside source static tcp 192.168.169.2 4563 interface Vlan2 3943

*********ip nat inside source list 2 interface ??????? overload

access-list 2 permit 192.168.169.0 0.0.0.3

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello Paul, thanks for your input!

Now, as you said, I've removed the access-list and the static NAT for the net but, unfortunately, it didn't solve it!

This is the output of ip nat debug (connection from the internet/cellular network):

000789: Nov 27 11:43:53.154 GMT: NAT*: o: tcp (37.162.74.222, 26817) -> (88.x.x.249, 3943) [42521]
000790: Nov 27 11:43:53.154 GMT: NAT*: o: tcp (37.162.74.222, 26817) -> (88.x.x.249, 3943) [42521]
000791: Nov 27 11:43:53.154 GMT: NAT*: TCP s=26817, d=3943->4563
000792: Nov 27 11:43:53.154 GMT: NAT*: s=37.162.74.222, d=88.x.x.249->192.168.169.2 [42521]
000793: Nov 27 11:43:53.154 GMT: NAT*: i: tcp (192.168.169.2, 4563) -> (37.162.74.222, 26817) [0]
000794: Nov 27 11:43:53.154 GMT: NAT*: TCP s=4563->3943, d=26817
000795: Nov 27 11:43:53.154 GMT: NAT*: s=192.168.169.2->88.x.x.249, d=37.162.74.222 [0]

NAT seems to work; the internal server doesn't respond but is still listening...

Same result if I try from a client behind the FW: the internal client was NATed with 88.x.x.250 but didn't receive anything...

This is a connection to the public IP:

000938: Nov 27 12:25:58.054 GMT: NAT*: o: tcp (88.x.x.250, 36226) -> (88.x.x.249, 3943) [21849]
000939: Nov 27 12:25:58.054 GMT: NAT*: o: tcp (88.x.x.250, 36226) -> (88.x.x.249, 3943) [21849]
000940: Nov 27 12:25:58.054 GMT: NAT*: TCP s=36226, d=3943->4563
000941: Nov 27 12:25:58.054 GMT: NAT*: s=88.x.x.250, d=88.x.x.249->192.168.169.2 [21849]
000942: Nov 27 12:25:58.054 GMT: NAT*: i: tcp (192.168.169.2, 4563) -> (88.x.x.250, 36226) [0]
000943: Nov 27 12:25:58.054 GMT: NAT*: TCP s=4563->3943, d=36226
000944: Nov 27 12:25:58.054 GMT: NAT*: s=192.168.169.2->88.x.x.249, d=88.x.x.250 [0]

And this is a connection to the real address "192.168.169.2:4563", to the real listening socket (the source client IP was NATed by the FW):

001118: Nov 27 12:35:46.722 GMT: NAT*: i: tcp (192.168.169.2, 4563) -> (88.x.x.250, 36353) [0]
001119: Nov 27 12:35:46.722 GMT: NAT*: i: tcp (192.168.169.2, 4563) -> (88.x.x.250, 36353) [0]
001120: Nov 27 12:35:46.722 GMT: NAT*: TCP s=4563->84563, d=36353
001121: Nov 27 12:35:46.722 GMT: NAT*: s=192.168.169.2->88.x.x.249, d=88.x.x.250 [0]
001122: Nov 27 12:35:46.974 GMT: NAT*: i: tcp (192.168.169.2, 4563) -> (88.x.x.250, 36354) [0]
001123: Nov 27 12:35:46.974 GMT: NAT*: i: tcp (192.168.169.2, 4563) -> (88.x.x.250, 36354) [0]
001124: Nov 27 12:35:46.974 GMT: NAT*: TCP s=4563->84563, d=36354
001125: Nov 27 12:35:46.974 GMT: NAT*: s=192.168.169.2->88.x.x.249, d=88.x.x.250 [0]

I'm really confused!
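The debug lines quoted in this reply can be read mechanically, which makes it easier to see what the router is and is not doing. The following Python is an added example (not code from the thread, from the poster or from Cisco): it parses the three-line groups that debug ip nat prints, drops the doubled header line, pairs each outside-to-inside request with the inside-to-outside reply that undoes it, and lists which internal socket a public port was actually forwarded to. The sample input is a constructed copy of the first capture above, with the public /29 left masked as 88.x.x.* exactly as posted; the record fields and helper names are my own assumptions, not IOS terminology.

```python
import re
from dataclasses import dataclass

# Constructed sample, copied line-for-line from the first "debug ip nat" capture
# quoted in the thread (public /29 kept masked as 88.x.x.* as posted).
SAMPLE_DEBUG = """\
000789: Nov 27 11:43:53.154 GMT: NAT*: o: tcp (37.162.74.222, 26817) -> (88.x.x.249, 3943) [42521]
000790: Nov 27 11:43:53.154 GMT: NAT*: o: tcp (37.162.74.222, 26817) -> (88.x.x.249, 3943) [42521]
000791: Nov 27 11:43:53.154 GMT: NAT*: TCP s=26817, d=3943->4563
000792: Nov 27 11:43:53.154 GMT: NAT*: s=37.162.74.222, d=88.x.x.249->192.168.169.2 [42521]
000793: Nov 27 11:43:53.154 GMT: NAT*: i: tcp (192.168.169.2, 4563) -> (37.162.74.222, 26817) [0]
000794: Nov 27 11:43:53.154 GMT: NAT*: TCP s=4563->3943, d=26817
000795: Nov 27 11:43:53.154 GMT: NAT*: s=192.168.169.2->88.x.x.249, d=37.162.74.222 [0]
"""

Endpoint = tuple[str, int]


@dataclass
class Translation:
    direction: str        # 'o': packet arrived on an "ip nat outside" interface, 'i': on an inside one
    proto: str
    src: Endpoint         # source before translation
    dst: Endpoint         # destination before translation
    src_after: Endpoint   # source after translation (equal to src when the router left it alone)
    dst_after: Endpoint   # destination after translation


# Header line: "NAT*: o: tcp (ip, port) -> (ip, port) [id]"
HDR = re.compile(r"NAT\*: (?P<dir>[oi]): (?P<proto>\w+) \((?P<sip>[\w.]+), (?P<spt>\d+)\) -> "
                 r"\((?P<dip>[\w.]+), (?P<dpt>\d+)\)")
# Port rewrite line: "NAT*: TCP s=26817, d=3943->4563"
PORTS = re.compile(r"NAT\*: TCP s=(?P<s1>\d+)(?:->(?P<s2>\d+))?, d=(?P<d1>\d+)(?:->(?P<d2>\d+))?")
# Address rewrite line: "NAT*: s=a.b.c.d, d=e.f.g.h->w.x.y.z [id]"
ADDRS = re.compile(r"NAT\*: s=(?P<s1>[\w.]+)(?:->(?P<s2>[\w.]+))?, d=(?P<d1>[\w.]+)(?:->(?P<d2>[\w.]+))?")


def parse_nat_debug(text: str) -> list[Translation]:
    """Turn the header / port / address line groups of debug ip nat into Translation records."""
    records: list[Translation] = []
    cur: Translation | None = None
    for line in text.splitlines():
        if m := HDR.search(line):
            src, dst = (m["sip"], int(m["spt"])), (m["dip"], int(m["dpt"]))
            hdr = Translation(m["dir"], m["proto"], src, dst, src, dst)
            # IOS prints the header twice for the same packet; keep a single record for it
            if cur is not None and (cur.direction, cur.src, cur.dst) == (hdr.direction, hdr.src, hdr.dst):
                continue
            cur = hdr
        elif cur is not None and (m := PORTS.search(line)):
            cur.src_after = (cur.src_after[0], int(m["s2"] or m["s1"]))
            cur.dst_after = (cur.dst_after[0], int(m["d2"] or m["d1"]))
        elif cur is not None and (m := ADDRS.search(line)):
            cur.src_after = (m["s2"] or m["s1"], cur.src_after[1])
            cur.dst_after = (m["d2"] or m["d1"], cur.dst_after[1])
            records.append(cur)   # the address line closes the group
            cur = None
    return records


def pair_request_reply(records: list[Translation]) -> list[dict]:
    """Match each outside->inside request with the inside->outside reply that reverses it."""
    pairs = []
    for req in (r for r in records if r.direction == "o"):
        for rep in (r for r in records if r.direction == "i"):
            if rep.src == req.dst_after and rep.dst == req.src_after:
                pairs.append({
                    "client": req.src,           # who connected from the outside
                    "public": req.dst,           # the public endpoint they connected to
                    "internal": req.dst_after,   # the socket the router actually delivered to
                    # the reply must be re-sourced to exactly the public endpoint the client used
                    "reply_consistent": rep.src_after == req.dst and rep.dst_after == req.src,
                })
    return pairs


def exposed_sockets(records: list[Translation]) -> list[tuple[Endpoint, Endpoint]]:
    """Defender view: (public endpoint, internal socket) pairs the static entries actually expose."""
    return sorted({(r.dst, r.dst_after) for r in records if r.direction == "o" and r.dst != r.dst_after})


if __name__ == "__main__":
    recs = parse_nat_debug(SAMPLE_DEBUG)
    for p in pair_request_reply(recs):
        print(f"{p['client']} -> {p['public']} forwarded to {p['internal']}, reply consistent: {p['reply_consistent']}")
    print("exposed:", exposed_sockets(recs))
```

Run against the first capture, the parser returns one outside-to-inside record (88.x.x.249:3943 rewritten to 192.168.169.2:4563) and one inside-to-outside record whose source is rewritten back to 88.x.x.249:3943, so the two translations are consistent with each other. Feeding it a full debug session is a quick way to confirm that the only internal sockets reachable from the public side are the ones the static entries were meant to publish.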