05-21-2012 05:54 AM - edited 03-04-2019 04:25 PM
Hi,
I'm having some trouble setting up the correct NAT configuration of a Cisco 1921 router.
The NAT is not working as I want - I think my configuration is wrong somewhere.
All clients in 172.16.0.0/24 have the correct outgoing address of 1.1.1.3.
But the NAT for 10.10.0.4 (and 10.10.0.5, 10.10.0.6) is partially broken:
Ping and ssh from the outside world to 1.1.1.4 are "natted" to 10.10.0.4 and work as expected.
But from inside (172.16.0.0/24), ssh to 1.1.1.4 should be "natted" to 10.10.0.4 but doesn't work (ping works).
ssh from 172.16.0.0/24 to 10.10.0.4 (without doing NAT) works.
I'm not a Cisco or network expert, so sorry if this is an easy/stupid problem.
Thanks for any help
Julian
network design:
===============
172.16.0.0/16: network for normal use
192.168.64.0/24: network for specific clients and servers
10.0.0.0/24: network for remote users (vpn)
10.10.0.0/24: network for webserver, mailserver, ...
1.1.1.0/29: network from my internet provider
1.1.1.1: isp gateway
1.1.1.2: WAN interface of this router
1.1.1.3: outgoing (to my isp gateway) address (NAT) for all clients from 172.16.0.0/24
1.1.1.4: NAT <=> 10.10.0.4
1.1.1.5: NAT <=> 10.10.0.5
1.1.1.6: NAT <=> 10.10.0.6
Router Configuration:
=====================
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname <hostname>
!
boot-start-marker
boot-end-marker
!
!
logging buffered 40960
enable secret 5 <pw>
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa authorization network vpntestvpn_list local
!
aaa session-id common
!
clock timezone CEST 1 0
!
no ipv6 cef
ip source-route
ip cef
!
!
ip domain name mydomain.local
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn <serialno>
!
!
username <user1> privilege 15 secret 5 <pw>
username <user2> secret 5 <pw>
!
redundancy
!
!
!
!
ip ssh version 2
!
!
crypto isakmp policy 1
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key <key> address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group <groupname>
key <key>
dns 172.16.1.xx
domain mydomain.local
pool vpnpool
netmask 255.255.255.0
crypto isakmp profile vpntestvpn_isakmp_profile
match identity group <groupname>
client authentication list local_auth
isakmp authorization list vpntestvpn_list
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set vpntestvpn_encryption esp-3des esp-sha-hmac
!
crypto ipsec profile vpntestvpn_ipsec_profile
set transform-set vpntestvpn_encryption
set isakmp-profile vpntestvpn_isakmp_profile
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
!
interface GigabitEthernet0/0
description "172.16.1.15: local, 10.0.0.1: network for VPN clients"
ip address 192.168.64.1 255.255.255.0 secondary
ip address 10.0.0.1 255.255.255.0 secondary
ip address 172.16.1.15 255.255.0.0
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description "public servers"
ip address 10.10.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
description "WAN Interface"
ip address 1.1.1.2 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile vpntestvpn_ipsec_profile
!
ip local pool vpnpool 10.0.0.50 10.0.0.69
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool NATPOOL 1.1.1.3 1.1.1.3 netmask 255.255.255.248
ip nat inside source list 15 pool NATPOOL overload
ip nat inside source static 10.10.0.4 1.1.1.4 extendable
ip nat inside source static 10.10.0.5 1.1.1.5 extendable
ip nat inside source static 10.10.0.6 1.1.1.6 extendable
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
access-list 15 deny 10.10.0.4
access-list 15 deny 10.10.0.5
access-list 15 deny 10.10.0.6
access-list 15 permit 172.16.0.0 0.0.255.255
access-list 99 permit 172.16.0.0 0.0.255.255
access-list 99 deny any log
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 99 in
exec-timeout 40 0
privilege level 15
password 7 <pw>
transport preferred none
transport input telnet ssh
!
scheduler allocate 20000 1000
end
05-21-2012 07:39 AM
Hello Julian,
NAT is triggered when an IP flow goes from an inside interface to an outside interface or vice versa; when going from one inside interface to another inside interface, NAT is not triggered.
I would say the behaviour you have seen is normal.
You should use the inside local address of 10.10.0.4 when accessing from the internal network to reach the server.
Hope to help
Giuseppe
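As an added illustration of Giuseppe's point (this is not code from the thread or from Cisco), the following Python model replays the router's NAT decision for the flows Julian describes: inside-to-outside translates only the source, outside-to-inside translates only the destination, and inside-to-inside is never translated. Interface names are abbreviated, the packet is assumed to enter on the interface its source is connected to (or on the WAN interface for non-local sources), and 203.0.113.10 is a constructed outside host.

```python
import ipaddress

# Constructed model of the router in the thread: NAT role and connected networks per interface.
INTERFACES = {
    "Gi0/0":   ("inside",  ["172.16.0.0/16", "192.168.64.0/24", "10.0.0.0/24"]),
    "Gi0/1":   ("inside",  ["10.10.0.0/24"]),
    "Gi0/0/0": ("outside", ["1.1.1.0/29"]),
}
DEFAULT_ROUTE_IFACE = "Gi0/0/0"          # ip route 0.0.0.0 0.0.0.0 1.1.1.1
STATIC_NAT = {"10.10.0.4": "1.1.1.4", "10.10.0.5": "1.1.1.5", "10.10.0.6": "1.1.1.6"}
GLOBAL_TO_LOCAL = {g: l for l, g in STATIC_NAT.items()}
PAT_ADDRESS = "1.1.1.3"                  # ip nat pool NATPOOL ... overload
ACL15_PERMIT = ipaddress.ip_network("172.16.0.0/16")  # static hosts are denied by ACL 15 anyway

def connected_iface(addr):
    """Longest-prefix match over connected networks; None means not directly connected."""
    ip, best = ipaddress.ip_address(addr), None
    for name, (_, nets) in INTERFACES.items():
        for net in map(ipaddress.ip_network, nets):
            if ip in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None

def role(iface):
    return INTERFACES[iface][0]

def forward(src, dst):
    """Return (src, dst, egress_iface, note) after the NAT decision for one packet."""
    ingress = connected_iface(src) or DEFAULT_ROUTE_IFACE
    if role(ingress) == "outside":
        # outside -> inside: destination is rewritten global -> local before routing,
        # so 1.1.1.4 becomes 10.10.0.4 and the packet is routed to Gi0/1.
        dst = GLOBAL_TO_LOCAL.get(dst, dst)
        return src, dst, connected_iface(dst) or DEFAULT_ROUTE_IFACE, "outside->inside"
    egress = connected_iface(dst) or DEFAULT_ROUTE_IFACE
    if role(egress) == "inside":
        # inside -> inside: NAT is not consulted, addresses pass through unchanged.
        return src, dst, egress, "inside->inside (NAT not triggered)"
    # inside -> outside: only the source is translated (static entry first, then ACL 15 PAT).
    # The destination 1.1.1.4 is left as-is because global -> local rewriting only
    # happens for packets that arrive on an outside interface.
    if src in STATIC_NAT:
        src = STATIC_NAT[src]
    elif ipaddress.ip_address(src) in ACL15_PERMIT:
        src = PAT_ADDRESS
    return src, dst, egress, "inside->outside (source translated only)"

def reaches_public_server(src, dst):
    """True when the packet is actually delivered onto the 10.10.0.0/24 server segment."""
    _, new_dst, egress, _ = forward(src, dst)
    return egress == "Gi0/1" and ipaddress.ip_address(new_dst) in ipaddress.ip_network("10.10.0.0/24")
```

Running forward("172.16.1.100", "1.1.1.4") shows the packet leaving the WAN interface with its destination untouched, which is why a client on 172.16.0.0/16 must address the server as 10.10.0.4 directly.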