02-20-2019 11:28 AM - edited 02-20-2019 12:01 PM
Hello,
So the thing is I am replacing a router with 2 Cat 9500s with Virtual StackWise and I'm having some problems with a STATIC NAT.
I have a server with the IP 172.31.6.2 and I need to NAT it to 10.12.12.2, leaving access only to some specific networks that exist on the same Cat 9500 with VStackWise, so this is the config:
ip access-list stand SERVER_PRODUC
permit 10.12.12.0 0.0.0.255
permit 172.31.4.0 0.0.0.255
permit 172.31.21.0 0.0.0.255
permit 172.31.22.0 0.0.0.255
permit 172.31.23.0 0.0.0.255
permit 172.31.24.0 0.0.0.255
permit 172.31.25.0 0.0.0.255
permit 172.31.27.0 0.0.0.255
permit 172.31.248.0 0.0.0.3
permit 172.31.50.0 0.0.0.255
!
route-map RM_SERVER_PRODU permit 10
match ip address SERVER_PRODUC
!
ip nat inside source static 172.31.6.2 10.12.12.2 route-map RM_SERVER_PRODU
!
interface VLAN 12
ip address 10.12.12.42 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
!
interface VLAN 6
ip address 172.31.6.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
!
interface VLAN 23
ip address 172.31.23.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface VLAN 24
ip address 172.31.24.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface VLAN 25
ip address 172.31.25.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface VLAN 26
ip address 172.31.26.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface VLAN 27
ip address 172.31.27.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
The thing is I have ping from all of the LANs but I can't access the service that the server is supposed to be giving. Does someone have an idea why?
Besides that, the ping works from the LAN to the NAT IP but they can access the service that they need, and the ping is not being shown in show ip nat translation.
Thanks for the help.
02-20-2019 11:53 AM
Do your other VLANs have to access the server via the NAT address?
02-20-2019 11:59 AM - edited 02-20-2019 12:05 PM
They can ping the NATed IP but they can't access the service that is needed via telnet.
02-20-2019 12:26 PM - edited 02-20-2019 12:30 PM
It seems to me like you do not need a route-map. Just access the telnet service directly to the IP address without NAT for any of the local VLANs. You could then just do NAT for 10.x address out from that interface.
172.31.23.1 - telnet to 172.31.6.2
not to 10.12.12.2
10.12.12.10 - telnet to 10.12.12.2 - which gets translated to 172.31.6.2
Hope this makes sense.
02-20-2019 12:39 PM
Yes, if I don't filter traffic on the interface where the server is it would work, but because of a security requirement users can't access the server with the real IP; that's the reason the users need to use the NATed IP.
Any other idea of how this can be done or where the flaw is?
And THANKS by the way.
02-20-2019 12:52 PM
Does it work from the 10.12.12.0 subnet? If so, try adding the ip nat outside command to another of your VLANs besides the inside one.
02-20-2019 12:56 PM
You can also run an extended ping to the IP address, and run the show ip nat translation command.
02-20-2019 01:09 PM
The ping works but it does show in the show ip nat translation command.
Putting the IP NAT OUTSIDE on the specific int VLAN?
02-20-2019 01:50 PM
Try using a secondary subnet like this.
interface VLAN 12
ip address 10.12.12.42 255.255.255.0
ip nat outside
!
interface VLAN 6
ip address 172.31.6.1 255.255.255.0
ip address 172.31.7.1 255.255.255.0 secondary
ip nat inside
!
interface VLAN 23
ip address 172.31.23.1 255.255.255.0
ip nat outside
!
interface VLAN 24
ip address 172.31.24.1 255.255.255.0
ip nat outside
!
interface VLAN 25
ip address 172.31.25.1 255.255.255.0
ip nat outside
!
interface VLAN 26
ip address 172.31.26.1 255.255.255.0
ip nat outside
!
interface VLAN 27
ip address 172.31.27.1 255.255.255.0
ip nat outside
!
no ip nat inside source static 172.31.6.2 10.12.12.2 route-map RM_SERVER_PRODU
ip nat inside source static 172.31.6.2 172.31.7.2
If you only want to translate certain IP addresses going to 172.31.6.2, you can use a route-map then. However, no route-map is necessary.
Please mark helpful posts.
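To see why the original config pings but never translates, and why marking the other SVIs as `ip nat outside` changes that, here is an added Python model (not IOS code and not from any poster) of two IOS NAT rules: translation only happens between an inside and an outside interface, and the static entry's route-map ACL is checked against the remote host. It assumes outside-initiated sessions may match the route-map (in IOS that depends on the `reversible` keyword on the static entry, worth checking on the real box) and uses only the ACL entries relevant to the VLANs shown in the thread.

```python
import ipaddress

# Constructed model (added example, not IOS code) of two IOS NAT rules that
# explain the thread's symptom:
#  1. a packet is only translated when it crosses from an 'ip nat outside'
#     interface to an 'ip nat inside' interface (or the reverse);
#  2. a static entry's route-map ACL is checked against the remote (outside) host.
# Arriving on an interface with no NAT role, the inside-global address is an
# address the router itself owns (it answers ARP for it), so ICMP echo gets a
# reply from the router while TCP to the server is never translated.

def wildcard_match(addr: str, entry: str, wildcard: str) -> bool:
    """IOS standard-ACL semantics: wildcard bits set to 1 are 'don't care'."""
    a, e, w = (int(ipaddress.IPv4Address(x)) for x in (addr, entry, wildcard))
    return (a & ~w) == (e & ~w)

def acl_permits(acl, addr: str) -> bool:
    return any(wildcard_match(addr, e, w) for e, w in acl)

def nat_role(addr: str, svis: dict):
    """Return the NAT role of the SVI whose subnet contains addr (None if unset)."""
    for subnet, role in svis.values():
        if ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(subnet):
            return role
    return None

def client_to_server(src: str, dst: str, svis: dict, static, acl):
    """Outcome for a client packet sent to the static entry's inside-global address."""
    inside_local, inside_global = static
    if dst != inside_global:
        return "not-nat-traffic"
    if nat_role(src, svis) == "outside" and nat_role(inside_local, svis) == "inside":
        return "translated" if acl_permits(acl, src) else "no-translation"
    return "router-alias"   # answered by the router, nothing in 'show ip nat translation'

# Values from the thread; only the NAT roles differ between the two configs.
SUBNETS = {"Vlan12": "10.12.12.0/24", "Vlan6": "172.31.6.0/24", "Vlan23": "172.31.23.0/24",
           "Vlan24": "172.31.24.0/24", "Vlan25": "172.31.25.0/24",
           "Vlan26": "172.31.26.0/24", "Vlan27": "172.31.27.0/24"}
ORIGINAL = {n: (s, {"Vlan12": "outside", "Vlan6": "inside"}.get(n)) for n, s in SUBNETS.items()}
FIXED = {n: (s, "inside" if n == "Vlan6" else "outside") for n, s in SUBNETS.items()}
STATIC = ("172.31.6.2", "10.12.12.2")
SERVER_PRODUC = [("10.12.12.0", "0.0.0.255"), ("172.31.23.0", "0.0.0.255"),
                 ("172.31.24.0", "0.0.0.255"), ("172.31.25.0", "0.0.0.255"),
                 ("172.31.27.0", "0.0.0.255")]

if __name__ == "__main__":
    for cfg, name in ((ORIGINAL, "original"), (FIXED, "fixed")):
        for client in ("172.31.23.10", "172.31.26.10", "10.12.12.10"):
            print(name, client, "->", client_to_server(client, "10.12.12.2", cfg, STATIC, SERVER_PRODUC))
```

Note that VLAN 26 is not in SERVER_PRODUC, so even with `ip nat outside` on it the model reports no translation; that is the ACL doing the access restriction the thread asks for.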
02-20-2019 02:08 PM
I'll try and tell you if it works.
Thanks for the help.