NAT problem on Router

sravesteijn
Level 1

Hello,

I have a problem with configuring policy NAT on a Cisco router which has only one public IP address.

This IP address is used in a static NAT to allow the LAN firewall to connect to the internet.

This works okay.

Now the IP address 9.9.9.9 needs to connect to the real IP 198.10.20.1, so it must not be natted.

I have tried to accomplish this with a route-map but it doesn’t work.

Is there another way to make sure that these connections are not natted?

interface FastEthernet0/0
 ip address 198.10.20.1 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 198.10.20.2
ip nat inside source static 192.168.1.10 198.10.20.1 route-map policy-nat
!
ip access-list standard no-nat
 deny   9.9.9.9
 permit any
!
route-map policy-nat permit 10
 match ip address no-nat

1 Accepted Solution

Hi,

That was giving me the same thought.

Please rate the helpful posts.
Regards,
Naidu.


cadet alain
VIP Alumni

Hi,

9.9.9.9 is a public IP, so it should enter your router on the public side, no? So it would never be natted anyway.

Can you provide a diagram or sketch to help understand what you want to do because this is not clear.

Regards.

Alain

Don't forget to rate helpful posts.

Hi Alain,

Correct, 9.9.9.9 is connected to the public side (inbound).

Static natting works in both ways.

I am using GNS to test this; the IPs used are not real.

I do not want to NAT when I connect from 9.9.9.9; from all other IPs the NAT should be used.

I am testing from R1 (8.8.8.8) and from R2 (9.9.9.9). On both occasions IP 198.10.20.1 is natted to 192.168.1.10.

Somehow the deny statement in the ACL is not taken into account; on both occasions the permit is hit.

Before test:

R3#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 198.10.20.1        192.168.1.10       ---                ---
R3#

After test:

R3#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 198.10.20.1:23     192.168.1.10:23    8.8.8.8:13990   8.8.8.8:13990
tcp 198.10.20.1:23     192.168.1.10:23    9.9.9.9:55750   9.9.9.9:55750
--- 198.10.20.1        192.168.1.10       ---                ---

R3#sh access-li
Standard IP access list no-nat
    10 deny  9.9.9.9
    20 permit any (2 matches)

Hi,

I don't understand exactly what you want to do. You did a static nat on R3 so you can access a machine in the 192.168.1.0 network from outside even if you have no route for this network? To simulate someone accessing an inside resource from the internet?

But you don't want this external ip to access this inside subnet ?

Alain

Don't forget to rate helpful posts.

Hi Alain,

The configured static is used for outbound & inbound connections to 192.168.1.10.

Routing is in place:

R3#sh ip route
....
Gateway of last resort is 198.10.20.2 to network 0.0.0.0

C    192.168.1.0/24 is directly connected, FastEthernet0/1
C    198.10.20.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 198.10.20.2

When the source is 9.9.9.9 I need to connect to the real IP 198.10.20.1, and NOT the NAT IP 192.168.1.10.

All other connections should use the nat but that is working fine.

Hi sravesteijn, can you change the access-list statement like below:

ip access-list extended no-nat
 deny ip any host 9.9.9.9
 permit ip any any

Hope this helps

Ali TADIR
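The two ACLs proposed so far differ in what they can test. The following is an added illustration, not code from this thread or from IOS: a minimal model of Cisco ACL matching (standard ACLs test only the source address, extended ACLs test source and destination, with Cisco wildcard masks). It assumes the NAT route-map is evaluated against the inside-to-outside packet, i.e. source 192.168.1.10 and destination 9.9.9.9 or 8.8.8.8, which is why only the `permit` line of the standard ACL ever counts a match.

```python
import ipaddress

# Constructed model of Cisco ACL matching for this thread (not IOS code).
# An ACL is a list of (action, source_entry, destination_entry); a standard
# ACL has destination_entry None because it never looks at the destination.
# Entries are 'any', a host address, or 'address wildcard' (Cisco wildcard mask).

def _match(addr: str, entry: str) -> bool:
    """Return True if addr matches the ACL address entry (host, any or wildcard)."""
    if entry == "any":
        return True
    parts = entry.split()
    base = int(ipaddress.IPv4Address(parts[0]))
    # Wildcard mask: set bits are "don't care"; a bare host has wildcard 0.0.0.0.
    wildcard = int(ipaddress.IPv4Address(parts[1])) if len(parts) > 1 else 0
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (base | wildcard)


def evaluate_acl(acl, src: str, dst: str):
    """First-match evaluation: returns (action, entry_index) or ('implicit-deny', None)."""
    for idx, (action, src_entry, dst_entry) in enumerate(acl):
        src_ok = _match(src, src_entry)
        dst_ok = dst_entry is None or _match(dst, dst_entry)  # standard ACL skips dst
        if src_ok and dst_ok:
            return action, idx
    return "implicit-deny", None


# The original poster's standard ACL "no-nat": deny 9.9.9.9 / permit any.
STANDARD_NO_NAT = [("deny", "9.9.9.9", None), ("permit", "any", None)]
# The extended ACL suggested above: deny ip any host 9.9.9.9 / permit ip any any.
EXTENDED_NO_NAT = [("deny", "any", "9.9.9.9"), ("permit", "any", "any")]

# Assumption: the route-map sees the inside-to-outside packet (src 192.168.1.10).
INSIDE_PACKETS = [("192.168.1.10", "9.9.9.9"), ("192.168.1.10", "8.8.8.8")]

if __name__ == "__main__":
    for src, dst in INSIDE_PACKETS:
        std = evaluate_acl(STANDARD_NO_NAT, src, dst)
        ext = evaluate_acl(EXTENDED_NO_NAT, src, dst)
        # Standard ACL: 192.168.1.10 is not 9.9.9.9, so line 10 never matches.
        print(f"{src} -> {dst}: standard={std} extended={ext}")
```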

Hi Altadir,

I have done what you suggested but it didn't help.

Thanks for looking into this.

Hi,

You need to deny 9.9.9.9 in your global NAT pool.
So that whenever 9.9.9.9 tries to connect to 198.10.20.1 it won't get NATed and can be accessed.

Hope this will help you.

Please rate the helpful posts.
Regards,
Naidu.

Hi Naidu,

Can you please explain how I can configure this?

Hi,

I may not be able to give you the exact configuration which suits you, but see the below example config at one of my sites.

ip nat pool nonat 206.206.206.5 206.206.206.5 netmask 255.255.255.0
ip nat inside source route-map nonat pool nonat mapping-id 1 overload

ip access-list extended NONAT
 deny   ip 10.24.2.0 0.0.0.255 9.9.9.2 0.0.0.255

route-map nonat permit 10
 match ip address NONAT

Please rate the helpful posts.
Regards,
Naidu.

Hi Naidu,

I configured it like you suggested but it only works partially, which is not good enough.

Outbound natting works ok (192.168.1.10 is translated to 198.10.20.1).

Inbound connections from 9.9.9.9 to 198.10.20.1 work ok; these connections are not translated.

However, other inbound connections from e.g. 8.8.8.8 are translated to 198.10.20.1:

R3#sh ip nat translations
Pro Inside global        Inside local         Outside local      Outside global
tcp 198.10.20.1:23     198.10.20.1:23    8.8.8.8:21082      8.8.8.8:21082

interface FastEthernet0/0
 ip address 198.10.20.1 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 198.10.20.2
!
ip nat pool nonat 198.10.20.1 198.10.20.1 netmask 255.255.255.252
ip nat inside source route-map nonat pool nonat
!
ip access-list extended NONAT
 deny   ip host 198.10.20.1 host 9.9.9.9 log
 permit ip any any log
!
route-map nonat permit 10
 match ip address NONAT

Do you have any other suggestions?

Hi,

Why do you need to worry about the outside local and outside global?
Those can be anything. If you are accessing your nated IP from anywhere in the world, that gateway/IP would be your outside global and local.

And let me know whether you achieved what you desired or still have any issues or trouble. If yes, let me know what you want to achieve exactly.

Please rate the helpful posts.
Regards,
Naidu.

Hi Naidu,

Outbound connections from 192.168.1.10 are translated to 198.10.20.1 when it connects to the internet; this works ok.

Inbound connections from IP 9.9.9.9 should connect to 198.10.20.1 without being forwarded to 192.168.1.10; this works ok.

All other inbound connections to 198.10.20.1 should be forwarded to 192.168.1.10; that is not working.

And that is a requirement.

Thanks for your help!

Hi,

Then keep only the NAT statement below and don't change your global NAT and pool (NONAT) which I suggested in my previous post.


ip nat inside source static 192.168.1.10 198.10.20.1

Please rate the helpful posts.
Regards,
Naidu.

Hi,

I have already tried that but that doesn't solve my problem.

The static NAT will then take precedence over the other NAT config.

And all connections are being forwarded to the inside IP 192.168.1.10.