Solved: I am glad to know that you

gcarson73 · ‎03-14-2016

I am upgrading from a 2851 to a 2951. The issue I have is with the IP's associated with my static NAT statements.

Example, from a server I have a static NAT statement; I am able to ping both the G0/1 and G0/0 interface...but I was not able to ping 8.8.8.8, so no internet access. What am I missing, is there a better way to setup the router?

Here is my config.

en
config t
hostname router
ip name-server 208.67.222.222

Ip name-server 208.67.220.220

interface g0/1
ip address 10.3.81.1 255.255.255.0
ip nat inside
no shutdown
exit

interface g0/0
ip address 99.3.81.66 255.255.255.0
ip nat outside
no shutdown
exit

no ip domain lookup

ip route 0.0.0.0 0.0.0.0 99.3.81.1

access-list 1 permit 10.3.81.0 0.0.0.255

ip nat inside source list 1 interface g0/0 overload

ip nat inside source static 10.3.81.7 99.3.81.67

ip nat inside source static 10.3.81.5 99.3.81.68

ip nat inside source static tcp 10.3.81.6 443 99.3.81.69 443 extendable

ip nat inside source static tcp 10.3.81.61 80 99.3.81.70 80 extendable

ip nat inside source static tcp 10.3.81.16 80 99.3.81.73 80 extendable

ip nat inside source static tcp 10.3.81.90 3389 99.3.81.73 3389 extendable

ip nat inside source static 10.3.81.12 99.3.81.74

ip nat inside source static tcp 10.3.81.89 80 99.3.81.75 80 extendable

ip nat inside source static tcp 10.3.81.89 443 99.3.81.75 443 extendable

ip nat inside source static tcp 10.3.81.95 3389 99.3.81.75 3389 extendable

ip nat inside source static tcp 10.3.81.55 8080 99.3.81.75 8080 extendable

ip nat inside source static tcp 10.3.81.15 80 99.3.81.76 80 extendable

ip nat inside source static tcp 10.3.81.14 3389 99.3.81.76 3389 extendable

ip nat inside source static tcp 10.3.81.15 6080 99.3.81.76 6080 extendable

ip nat inside source static tcp 10.3.81.92 80 99.3.81.77 80 extendable

ip nat inside source static tcp 10.3.81.60 80 99.3.81.78 80 extendable

Richard Burts · ‎03-15-2016

I do not understand your comment/question about security enhancements being the issue. Perhaps you can clarify?

As far as the provider goes they may not have configured relationships between Public IP and MAC address, but they almost certainly have entries in the ARP table which might be pointing to the old router MAC address. That is why I suggested configuring one of the static translations to use a Public IP that has not been used before.

HTH

Rick

HTH

Rick

View solution in original post

Richard Burts · ‎03-14-2016

You tell us that you are upgrading from 1951 to 2951 and so my first question is whether your nat statements worked on the 1951? If they did work on the 1951 and do not work on 2951 then it is most likely that you did not transfer something correctly from the 1951.

My second question is what is the address of this server? You have quite a number of static translations and it will help us focus better on the problem if we knew which one is not working.

HTH

Rick

HTH

Rick

gcarson73 · ‎03-14-2016

Yes they work on the 2851.

None of the static NATs work on the 2951.

Internet access if fine with servers and workstations NOT with a static NAT. I cannot access any of my websites (port 80 or port 443 with static NAT statements), and it seems with the servers I have "ip nat inside source static xx.xx xx.xx" I cannot even access the internet...I can ping both interfaces, but not a DNS (such as 8.8.8.8)

I copied and pasted..and have compared line by line....The 2951 is Ver 15, and the 2851 is Ver 12.4...so something must have changed with Static NAT's and the IOS. Since I can ping both interfaces, it seems like an access list is blocking my "other Public IP's" Does anyone recommend any different setup (in regards to my NAT statements?)

Richard Burts · ‎03-14-2016

It is interesting that it did work on the 1951 but does not work with the 2951. You are using the same connection, to the same provider, with the same addressing on the 2951 as you used with the 1951? Is your testing to move the connection from the 1951 to the 2951? Or are you testing in some other way?

I wonder if the issue might be that the provider associates the addresses with the static translations with the address/mac address of your 1951? Could you try setting up a new static translation for one of the servers and in the new translation use an IP address as the translated address that has not been used before?

HTH

Rick

HTH

Rick

gcarson73 · ‎03-14-2016

Sorry, I updated my post to reflect my old router is a 2851, and my new router is a 2951.

Richard Burts · ‎03-15-2016

I do not understand your comment/question about security enhancements being the issue. Perhaps you can clarify?

As far as the provider goes they may not have configured relationships between Public IP and MAC address, but they almost certainly have entries in the ARP table which might be pointing to the old router MAC address. That is why I suggested configuring one of the static translations to use a Public IP that has not been used before.

HTH

Rick

HTH

Rick

gcarson73 · ‎03-15-2016

Because I could ping both interfaces, and not get to the internet...I believe the NAT/PAT "security" was not allowing it.

The statement that worked on the 2851 was "ip nat inside source list 1 interface g0/0 overload

access-list 1 permit 10.3.81.0 0.0.0.255" and of course my other NAT/PAT statements about public IP's and TCP protocols

*as you can see above, I used the "INT g0/0" which had my 1 Public IP (that I was using to NAT/PAT) In the new router (2951) I think the "security" was blocking internet access since I was not specifying my other "public IP's", see the statements below in the new config, my theory will be tested by this weekend. I will be sure to post here, and let you know.

*updated IP NAT commands I am using on the 2951

ip nat pool mynatpool 99.3.81.66 99.3.81.78 netmask 255.255.255.0

access-list 1 permit 10.3.81.0 0.0.0.255

ip nat inside source list 1 pool mynatpool overload"

I have erased my router and loaded my "new config" below...I will try and test this weekend. (but from what I have read, the 1 important statement is "ip nat inside source list 1 pool mynatpool overload")

en
config t
hostname router
ip name-server 208.67.222.222

Ip name-server 208.67.220.220

interface g0/1
ip address 10.3.81.1 255.255.255.0
no shutdown
exit

interface g0/0
ip address 99.3.81.66 255.255.255.0
no shutdown
exit

no ip domain lookup

ip route 0.0.0.0 0.0.0.0 99.3.81.1

ip nat pool mynatpool 99.3.81.66 99.3.81.78 netmask 255.255.255.0

access-list 1 permit 10.3.81.0 0.0.0.255

ip nat inside source list 1 pool mynatpool overload

int g0/1

ip nat inside

int g0/0

ip nat outside

ip nat inside source static 10.3.81.7 99.3.81.67

ip nat inside source static 10.3.81.5 99.3.81.68

ip nat inside source static tcp 10.3.81.6 443 99.3.81.69 443 extendable

ip nat inside source static tcp 10.3.81.61 80 99.3.81.70 80 extendable

ip nat inside source static tcp 10.3.81.16 80 99.3.81.73 80 extendable

ip nat inside source static tcp 10.3.81.90 3389 99.3.81.73 3389 extendable

ip nat inside source static 10.3.81.12 99.3.81.74

ip nat inside source static tcp 10.3.81.89 80 99.3.81.75 80 extendable

ip nat inside source static tcp 10.3.81.89 443 99.3.81.75 443 extendable

ip nat inside source static tcp 10.3.81.95 3389 99.3.81.75 3389 extendable

ip nat inside source static tcp 10.3.81.55 8080 99.3.81.75 8080 extendable

ip nat inside source static tcp 10.3.81.15 80 99.3.81.76 80 extendable

ip nat inside source static tcp 10.3.81.14 3389 99.3.81.76 3389 extendable

ip nat inside source static tcp 10.3.81.15 6080 99.3.81.76 6080 extendable

ip nat inside source static tcp 10.3.81.92 80 99.3.81.77 80 extendable

ip nat inside source static tcp 10.3.81.60 80 99.3.81.78 80 extendable

gcarson73 · ‎03-14-2016

I am using the same connection and same provider, so the same addressing on 2951. I physically move the cables to the new router. (so test is after hours, and I have done this twice now)

I have tested the new router, with 2 different Public IP's and my test was good. I have called Verizon before, and they say they DO NOT associate Public IPs to a MAC....maybe I need to call them again (and talk to someone else)

*the main public IP that I NAT, so all traffic can get to the internet works fine...its just the public IP's I am NAT'ing are not working.

This is a new config, I will try...I think some security enhancements are my issue....anyone who is a NAT/PAT guru out there????

en
config t
hostname router
ip name-server 208.67.222.222

Ip name-server 208.67.220.220

interface g0/1
ip address 10.3.81.1 255.255.255.0
no shutdown
exit

interface g0/0
ip address 99.3.81.66 255.255.255.0
no shutdown
exit

no ip domain lookup

ip route 0.0.0.0 0.0.0.0 99.3.81.1

ip nat pool mynatpool 99.3.81.66 99.3.81.78 netmask 255.255.255.0

access-list 1 permit 10.3.81.0 0.0.0.255

ip nat inside source list 1 pool mynatpool overload

int g0/1

ip nat inside

int g0/0

ip nat outside