09-04-2018 06:11 AM - edited 03-05-2019 10:53 AM
I have been trying for years to move over to NVI NAT on two different routers (C877 and C1801) but neither seems to do it. I'm wondering if I'm doing something wrong or if the versions I'm running have a flaw, currently C180X-ADVIPSERVICESK9-M, Version 12.4(15)T17.
Below is what I'm attempting:
```
interface Vlan1
 ip nat enable
!
interface Dialer1
 ip nat enable
!
ip nat source static tcp xxx.xx.xx.x 80 interface Dialer1 80
ip nat source static tcp xxx.xx.xx.x 443 interface Dialer1 443
ip nat source static tcp xxx.xx.xx.x 22 interface Dialer1 2222
ip nat source list 170 interface Dialer1 overload
```
But with this configuration the static translations fail to appear in "show ip nat nvi trans". I get the NAT overload translations, therefore outbound network traffic is working. But nothing hits the inbound services from the internet.
I end up having to go to:
```
interface Vlan1
 ip nat enable
 ip nat inside
!
interface Dialer1
 ip nat enable
 ip nat outside
!
ip nat source static tcp xxx.xx.xx.x 80 interface Dialer1 80
ip nat source static tcp xxx.xx.xx.x 443 interface Dialer1 443
ip nat source static tcp xxx.xx.xx.x 22 interface Dialer1 2222
ip nat inside source list 170 interface Dialer1 overload
```
Which is a sort of hybrid setup, but the static translations still only appear in "show ip nat trans", although they are stated as an NVI configuration:
```
Pro Inside global        Inside local        Outside local   Outside global
tcp xx.xxx.xxx.xx:80     xxx.xx.x.xx:80      ---             ---
tcp xx.xxx.xxx.xx:443    xxx.xx.x.xx:443     ---             ---
tcp xx.xxx.xxx.xx:2222   xxx.xx.x.xx:22      ---             ---
```
So I'm sort of thinking that in the versions/routers I've been using, none of them seem to actually differentiate between "ip nat inside source" and "ip nat source", or am I missing something?
So basically I think I've decided I will forever be running split-brain DNS, or at least until IPv4 is deprecated in favour of IPv6.
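As an added check, not part of the original post: the script below parses the static port mappings out of an NVI-style (or domain-style) NAT config and cross-checks them against the output of "show ip nat nvi translations" / "show ip nat translations", reporting which statics never made it into the translation table. The addresses, the column layout of the show output, and the sample config are constructed for the example.

```python
import re

# Matches both the NVI form ("ip nat source static ...") and the domain form
# ("ip nat inside source static ...") of a static TCP/UDP port mapping.
STATIC_RE = re.compile(
    r"^ip nat (?:inside )?source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)$")

# Constructed sample config (RFC 5737 addresses stand in for the post's xxx.xx.xx.x).
CONFIG = """\
ip nat source static tcp 192.0.2.10 80 interface Dialer1 80
ip nat source static tcp 192.0.2.10 443 interface Dialer1 443
ip nat source static tcp 192.0.2.10 22 interface Dialer1 2222
ip nat source list 170 interface Dialer1 overload
"""

# Constructed "show ip nat nvi translations": only a dynamic overload entry is present.
NVI_SHOW = """\
Pro  Source global      Source local      Destin  local      Destin  global
tcp  203.0.113.5:1025   192.0.2.20:1025   198.51.100.7:443   198.51.100.7:443
"""

# Constructed "show ip nat translations" shaped like the post's table: statics present.
DOMAIN_SHOW = """\
Pro Inside global      Inside local       Outside local  Outside global
tcp 203.0.113.5:80     192.0.2.10:80      ---            ---
tcp 203.0.113.5:443    192.0.2.10:443     ---            ---
tcp 203.0.113.5:2222   192.0.2.10:22      ---            ---
"""

def expected_statics(config):
    """(proto, local_ip, local_port, global_port) for each static port mapping."""
    return [(m[1], m[2], int(m[3]), int(m[4]))
            for m in (STATIC_RE.match(ln.strip()) for ln in config.splitlines()) if m]

def parse_translations(show):
    """Both layouts put the global socket in column 2 and the local socket in
    column 3, so one parser serves 'show ip nat trans' and 'show ip nat nvi trans'."""
    entries = set()
    for line in show.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] in ("Pro", "Total") or ":" not in f[1] or ":" not in f[2]:
            continue  # header, summary, or an entry without ports (e.g. icmp-less rows)
        lip, lport = f[2].rsplit(":", 1)
        entries.add((f[0], int(f[1].rsplit(":", 1)[1]), lip, int(lport)))
    return entries

def missing_statics(config, show):
    """Static mappings in the config that have no entry in the translation table."""
    present = parse_translations(show)
    return [s for s in expected_statics(config) if (s[0], s[3], s[1], s[2]) not in present]
```

Run `missing_statics(CONFIG, NVI_SHOW)` against a real capture to see exactly which configured statics the NVI table is silently dropping.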
09-04-2018 08:58 PM - edited 09-04-2018 09:03 PM
Not that it's my main driver, but I've got a couple of VLANs that are locked down (guest access). I've opened these up by ACLs for traffic to these internal services, but it means I need to manage that as well as externally, not to mention using my internal DNS for the guests.
I don't really want to add VRF to the mix too, but I guess I could try that. Thanks for confirming my configuration is correct and giving me another angle to try.