Hello, my company is expanding into a new colo and we've decided to build the network around a Cisco ISR4321k9.
I have experience with configuring cisco switches (mostly catalyst) so I have some foundation knowledge, but when it comes to routing, I'm a little out of my depth. I'm learning this as fast as I can, but I don't have much time to get it done.
Basically, I'm trying to configure the router with an 8-port NIM (just acting like a switch in the rack) and dual WAN connections. One WAN is connected to the internet while the other will be a hard connection to another (future) colo with a nearly identical config to this one. On the LAN side of things, we'll have two servers with maybe 6 network connections between them.
The physical layout is this (obviously the IPs are fake):
Gi0/0/0 - ip address 172.16.10.2/29 -> WAN interface
Gi0/0/1 - ip address 10.10.10.2/29 -> inter-colo interface
Vlan1 - ip address 192.168.1.1/24
Gi0/1/0 -> appserver1 port1 with IP 192.168.1.10/24
Gi0/1/1 -> appserver1 port2 with IP 192.168.1.11/24
Gi0/1/2 -> appserver1 port3 with IP 192.168.1.12/24
Gi0/1/3 -> appserver2 port1 with IP 192.168.1.20/24
Gi0/1/4 -> appserver2 port2 with IP 192.168.1.21/24
Gi0/1/5 -> appserver2 port3 with IP 192.168.1.22/24
I have all this configured and it appears to be working correctly (I can plug in a laptop to any of the above ports with the specified IPs and watch me some netflix).
Now I need to assign public IPs to each of the server network ports (so that the servers are visible from the internet). If I read the documentation correctly all I need to do is run the following:
# ip nat inside source static 172.16.10.2 192.168.1.10
# ip nat inside source static 172.16.10.3 192.168.1.11
# ip nat inside source static 172.16.10.4 192.168.1.12
# ip nat inside source static 172.16.10.5 192.168.1.20
# ip nat inside source static 172.16.10.6 192.168.1.21
# ip nat inside source static 172.16.10.7 192.168.1.22
# ip nat outside source static 192.168.1.10 172.16.10.2
# ip nat outside source static 192.168.1.11 172.16.10.3
# ip nat outside source static 192.168.1.12 172.16.10.4
# ip nat outside source static 192.168.1.20 172.16.10.5
# ip nat outside source static 192.168.1.21 172.16.10.6
# ip nat outside source static 192.168.1.22 172.16.10.7
Is this correct? Or am I just looking at this backwards and upside down?
The biggest problem is the fact I presently have the router connected to a temporary internet connection at our HQ office and I don't have multiple IPs assigned from our ISP, so I can't actually test my config until everything goes live, and if I get this wrong, someone's going to have to GO to the colo to fix it... I'd like NOT to have to do that...
If you want the servers to be reachable / contacted from the internet, you need to add the keyword extendable to each ip nat static command:
ip nat inside source static 172.16.10.2 192.168.1.10
ip nat inside source static 172.16.10.2 192.168.1.10 extendable
This allows the NAT translation to be started when a client from the internet attempts to connect to public IP address of the server.
To make a test now with a single public IP address, you can try to make your NAT statement more specific by adding TCP and a port to the statement:
ip nat inside source static tcp 172.16.10.2 8080 192.168.1.10 8080 extendable
Check the correct syntax because I have written it on the fly.
You should be able to use a different TCP port for each server for testing purposes.
Hope this helps.
Thank you! I believe this is *mostly* what I needed... that said, I still am having issues in the test env.
Presently I'm connected to a cable ISP with a single IP address (because that's all I have). I've got everything configured and working fine for one of the app servers and a laptop. The server has a dev page serving on port 10000 and it's visible to the outside world, but I'm not able to open a VPN connection to the server...
I have the server configured with OpenVPN talking on UDP port 1194. From the laptop I can start a connection which will attempt to connect but fail (as expected while on the same network), and the connection attempt is logged by the server (indicating the server IS configured correctly). But when I take the laptop off the network and connect to the HQ net (different ISP), I am still able to open the admin/test webpage on port 10000, but my OpenVPN client times out, and the server logs nothing...
This is the pertinent config:
!
interface GigabitEthernet0/0/0
 description WAN000
 ip address [WAN-IP] 255.255.255.252
 ip nat outside
 negotiation auto
!
!
interface Vlan1
 ip address 192.168.60.1 255.255.255.0
 ip nat inside
!
ip nat inside source static tcp 192.168.60.11 10000 interface GigabitEthernet0/0/0 10000
ip nat inside source static tcp 192.168.60.11 1194 interface GigabitEthernet0/0/0 1194
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 [WAN-GW]
!
!
access-list 1 permit 192.168.60.0 0.0.0.255
!
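As an added illustration (not part of this thread and not a Cisco tool), here is a small Python audit that parses `ip nat inside source static` lines like the ones posted in this thread and reports the two things the thread turns on: whether the local/global arguments are in the order IOS expects (the first address is the inside, private one) and whether every service that must be reachable from the internet, such as OpenVPN on UDP 1194, actually has a matching translation. The sample config and the required-service list are constructed from the poster's messages; the regex assumes the IPv4 static forms shown above.

```python
import ipaddress
import re

# Constructed sample: the static NAT lines from the poster's running config.
SAMPLE_CONFIG = """
ip nat inside source static tcp 192.168.60.11 10000 interface GigabitEthernet0/0/0 10000
ip nat inside source static tcp 192.168.60.11 1194 interface GigabitEthernet0/0/0 1194
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
"""
# Matches: ip nat inside source static [tcp|udp] LOCAL [LPORT] (GLOBAL | interface IF) [GPORT] [extendable]
STATIC_RE = re.compile(
    r"^ip nat inside source static(?:\s+(?P<proto>tcp|udp))?"
    r"\s+(?P<local>\d+\.\d+\.\d+\.\d+)(?:\s+(?P<lport>\d+))?"
    r"\s+(?:interface\s+(?P<ifname>\S+)|(?P<glob>\d+\.\d+\.\d+\.\d+))"
    r"(?:\s+(?P<gport>\d+))?(?P<ext>\s+extendable)?\s*$"
)

def parse_static_nat(config):
    """Return one dict per 'ip nat inside source static' line; other lines are ignored."""
    rules = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        rules.append({
            "proto": d["proto"],                  # None means 1:1 NAT of every protocol
            "local": d["local"],                  # inside (private) address
            "lport": int(d["lport"]) if d["lport"] else None,
            "global": d["ifname"] or d["glob"],   # public address or the WAN interface
            "gport": int(d["gport"]) if d["gport"] else None,
            "extendable": d["ext"] is not None,
        })
    return rules

def audit(rules, inside_net, required):
    """Flag swapped local/global arguments and (host, proto, port) services with no translation."""
    net = ipaddress.ip_network(inside_net)
    one_to_one = {r["local"] for r in rules if r["proto"] is None}
    port_rules = {(r["local"], r["proto"], r["lport"]) for r in rules if r["proto"]}
    findings = []
    for r in rules:
        if ipaddress.ip_address(r["local"]) not in net:
            findings.append(f"{r['local']} is not inside {inside_net}: local/global arguments look swapped (local comes first)")
    for host, proto, port in sorted(required):
        if host not in one_to_one and (host, proto, port) not in port_rules:
            findings.append(f"{host} {proto}/{port}: no static translation, inbound {proto} {port} never reaches the server")
    return findings
```

Run against the posted config with `("192.168.60.11", "udp", 1194)` in the required set, the audit reports only that UDP 1194 has no translation, which matches the symptom of TCP 10000 working while the OpenVPN client times out.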