problem with NAT

julianthomas
Level 1

Hi,

I'm having some trouble setting up the correct NAT configuration of a Cisco 1921 router.

The NAT is not working as I want - I think my configuration is wrong somewhere.

All clients in 172.16.0.0/24 have the correct outgoing address of 1.1.1.3.

But the NAT for 10.10.0.4 (and 10.10.0.5, 10.10.0.6) is partially broken:

Ping and ssh from the outside world to 1.1.1.4 is "natted" to 10.10.0.4 and works as expected.

But from inside (172.16.0.0/24) ssh to 1.1.1.4 should be "natted" to 10.10.0.4, but doesn't work (ping works).

ssh from 172.16.0.0/24 to 10.10.0.4 (without doing NAT) works.

I'm not a Cisco or network expert, so sorry if this is an easy/stupid problem.

Thanks for any help

Julian

network design:
===============

172.16.0.0/16: network for normal use
192.168.64.0/24: network for specific clients and servers
10.0.0.0/24: network for remote users (vpn)
10.10.0.0/24: network for webserver, mailserver, ...
1.1.1.0/29: network from my internet provider
1.1.1.1: isp gateway
1.1.1.2: WAN interface of this router
1.1.1.3: outgoing (to my isp gateway) address (NAT) for all clients from 172.16.0.0/24
1.1.1.4: NAT <=> 10.10.0.4
1.1.1.5: NAT <=> 10.10.0.5
1.1.1.6: NAT <=> 10.10.0.6

Router Configuration:
=====================

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname <hostname>
!
boot-start-marker
boot-end-marker
!
!
logging buffered 40960
enable secret 5 <pw>
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa authorization network vpntestvpn_list local
!
aaa session-id common
!
clock timezone CEST 1 0
!
no ipv6 cef
ip source-route
ip cef
!
!
ip domain name mydomain.local
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn <serialno>
!
!
username <user1> privilege 15 secret 5 <pw>
username <user2> secret 5 <pw>
!
redundancy
!
!
!
!
ip ssh version 2
!
!
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <key> address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group <groupname>
 key <key>
 dns 172.16.1.xx
 domain mydomain.local
 pool vpnpool
 netmask 255.255.255.0
crypto isakmp profile vpntestvpn_isakmp_profile
 match identity group <groupname>
 client authentication list local_auth
 isakmp authorization list vpntestvpn_list
 client configuration address respond
 virtual-template 1
!
!
crypto ipsec transform-set vpntestvpn_encryption esp-3des esp-sha-hmac
!
crypto ipsec profile vpntestvpn_ipsec_profile
 set transform-set vpntestvpn_encryption
 set isakmp-profile vpntestvpn_isakmp_profile
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
!
interface GigabitEthernet0/0
 description "172.16.1.15: local, 10.0.0.1: network for VPN clients"
 ip address 192.168.64.1 255.255.255.0 secondary
 ip address 10.0.0.1 255.255.255.0 secondary
 ip address 172.16.1.15 255.255.0.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description "public servers"
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0
 description "WAN Interface"
 ip address 1.1.1.2 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpntestvpn_ipsec_profile
!
ip local pool vpnpool 10.0.0.50 10.0.0.69
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool NATPOOL 1.1.1.3 1.1.1.3 netmask 255.255.255.248
ip nat inside source list 15 pool NATPOOL overload
ip nat inside source static 10.10.0.4 1.1.1.4 extendable
ip nat inside source static 10.10.0.5 1.1.1.5 extendable
ip nat inside source static 10.10.0.6 1.1.1.6 extendable
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
access-list 15 deny   10.10.0.4
access-list 15 deny   10.10.0.5
access-list 15 deny   10.10.0.6
access-list 15 permit 172.16.0.0 0.0.255.255
access-list 99 permit 172.16.0.0 0.0.255.255
access-list 99 deny   any log
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 99 in
 exec-timeout 40 0
 privilege level 15
 password 7 <pw>
 transport preferred none
 transport input telnet ssh
!
scheduler allocate 20000 1000
end


Giuseppe Larosa
Hall of Fame

Hello Julian,

NAT is triggered when an IP flow goes from an inside interface to an outside interface or vice versa; when going from one inside interface to another inside interface, NAT is not triggered.

I would say the behaviour you have seen is normal.

You should use the inside local address of 10.10.0.4 when accessing from the internal network to reach the server.

Hope to help

Giuseppe
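To make the reply concrete against Julian's three observations, here is an added Python model of the IOS NAT order of operations (inside-to-outside: route first, then translate the source; outside-to-inside: translate the destination first, then route). It is an illustration written for this thread, not code from either poster or from Cisco; the interface roles, static entries and ACL 15 are taken from the posted configuration, and the outside host 203.0.113.9 is a constructed sample address.

```python
"""Model of Cisco IOS NAT behaviour on the posted 1921 configuration.

Constructed illustration for this thread; it encodes the interface roles,
static translations and access-list 15 from the config above.
"""
import ipaddress

# NAT role of each interface, as set by "ip nat inside" / "ip nat outside".
ROLE = {"Gi0/0": "inside", "Gi0/1": "inside", "Gi0/0/0": "outside"}
# Connected prefixes per interface, used for the egress lookup.
CONNECTED = {
    "Gi0/0": ["172.16.0.0/16", "192.168.64.0/24", "10.0.0.0/24"],
    "Gi0/1": ["10.10.0.0/24"],
    "Gi0/0/0": ["1.1.1.0/29"],
}
# "ip nat inside source static <local> <global>" entries.
STATIC = {"10.10.0.4": "1.1.1.4", "10.10.0.5": "1.1.1.5", "10.10.0.6": "1.1.1.6"}
POOL_ADDR = "1.1.1.3"  # NATPOOL with overload (PAT)


def acl15_permits(src):
    """access-list 15: deny the three servers, permit 172.16.0.0/16."""
    if src in STATIC:
        return False
    return ipaddress.ip_address(src) in ipaddress.ip_network("172.16.0.0/16")


def egress(dst):
    """Longest connected-prefix match; everything else takes the default route."""
    ip = ipaddress.ip_address(dst)
    best = ("Gi0/0/0", -1)  # ip route 0.0.0.0 0.0.0.0 1.1.1.1 leaves via the WAN
    for ifname, prefixes in CONNECTED.items():
        for p in prefixes:
            net = ipaddress.ip_network(p)
            if ip in net and net.prefixlen > best[1]:
                best = (ifname, net.prefixlen)
    return best[0]


def translate(ingress, src, dst):
    """Return (src, dst, egress_if) after NAT for a packet entering on `ingress`."""
    if ROLE[ingress] == "outside":
        # outside -> inside: the static entry rewrites the destination, then routing.
        local = {g: l for l, g in STATIC.items()}.get(dst, dst)
        return (src, local, egress(local))
    out = egress(dst)  # inside: routing decision comes first
    if ROLE[out] != "outside":
        return (src, dst, out)  # inside -> inside: NAT never runs
    if src in STATIC:
        return (STATIC[src], dst, out)
    if acl15_permits(src):
        # Only the source is rewritten; a destination of 1.1.1.4 is left as-is and
        # sent out the WAN, which is why the "hairpin" ssh from 172.16.x fails.
        return (POOL_ADDR, dst, out)
    return (src, dst, out)
```

Running the three flows from the question through translate() shows that 1.1.1.4 reached from the WAN becomes 10.10.0.4 on Gi0/1, 172.16.x to 10.10.0.4 is untouched, and 172.16.x to 1.1.1.4 leaves the WAN interface as 1.1.1.3 with the destination unchanged.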
