Simultaneous static and dynamic NAT on a Cisco 2811

Kyle C Barnes
Level 1

I'm running a Cisco 2811 at my house and I'm trying to figure out how port forwarding translates into NAT. 

I currently have my WAN interface (Fa0/0) configured:

interface FastEthernet0/0
 ip dhcp client hostname ISP
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside

My internal VLAN:

interface Vlan100
 description Home_Data
 ip address 10.0.0.1 255.255.255.0
 ip nat inside

I also have the following:

ip nat inside source list 99 interface FastEthernet0/0 overload

Standard IP access list 99

    10 permit 10.0.0.0, wildcard bits 0.0.0.255 (97314 matches)

My goal is to get an application I use called Ventrilo to work.  It uses port 3784.

I've configured the following:

ip nat source static tcp 10.0.0.5 3784 interface FastEthernet0/0 3784

This should make it so that if anyone tries to hit my external IP (which is the IP address of fa0/0) it should forward them to the PC running the Ventrilo server.

Also, I've used this resource: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml

This article explains how to use dynamic and static NAT simultaneously.

There is this part of the article that I have no option with:

Note:

Although it is possible to use the same global address for both the Dynamic and Static NAT, whenever possible it is better to use different global addresses.

Being a home network, I only have the single global address.

Any suggestions?

Thanks!

Kyle

Added link which explains simultaneous dynamic/static NAT


8 Replies

paolo bevilacqua
Hall of Fame

Wrong forum, post in "WAN and routing". You can move your post using the actions panel on the right.

Peter Paluch
Cisco Employee

Hi Kyle,

ip nat source static tcp 10.0.0.5 3784 interface FastEthernet0/0 3784

This exact command appears to be incorrect. Note it is missing the inside keyword. Correctly, it should spell:

ip nat inside source static tcp 10.0.0.5 3784 interface FastEthernet0/0 3784

The reason is that the ip nat source version of the command refers to a so-called NVI (NAT Virtual Interface) style of configuring NAT that allows an interface to be both "inside" and "outside". This style of configuration is not compatible with the usual ip nat inside source style of NAT/PAT configuration, however, so you either use one or the other.

My suggestion is therefore to remove your current ip nat source command and replace it with the ip nat inside source command as shown above.

Best regards,

Peter
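The mix-up Peter points out (an NVI-style "ip nat source" rule sitting next to classic "ip nat inside source" rules and "ip nat inside"/"ip nat outside" interfaces) is easy to catch mechanically. The following is an added example, not Cisco tooling and not code from the thread: a small Python lint that scans a config text for both rule styles and the per-interface markers each style needs, reports combinations that cannot work together, and rewrites the NVI rule into the classic form Peter recommends. The sample config is constructed from the snippets Kyle posted.

```python
"""Lint a Cisco IOS configuration for the NVI-versus-classic NAT mix-up.

Added example (not Cisco's tooling): it scans a config text for top-level
'ip nat source ...' (NVI style) and 'ip nat inside|outside source ...'
(classic style) rules, plus the per-interface markers each style needs, and
reports combinations that cannot work together. The sample config below is
constructed from the snippets posted in the thread.
"""
import re

NVI_RULE = re.compile(r"^ip nat source\b")
CLASSIC_RULE = re.compile(r"^ip nat (?:inside|outside) source\b")

# Constructed from the thread's posted config (only the NAT-relevant lines).
KYLE_CONFIG = """\
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
!
interface Vlan100
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 99 interface FastEthernet0/0 overload
ip nat source static tcp 10.0.0.5 3784 interface FastEthernet0/0 3784
"""


def classify_nat(config):
    """Collect NAT rules and NAT-marked interfaces, grouped by style."""
    found = {"nvi_rules": [], "classic_rules": [],
             "nvi_ifaces": [], "classic_ifaces": []}
    current = None  # name of the interface block we are inside of, if any
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            continue
        if raw.startswith(" "):  # indented line: belongs to the current block
            sub = raw.strip()
            if current and sub == "ip nat enable":          # NVI marker
                found["nvi_ifaces"].append(current)
            elif current and sub in ("ip nat inside", "ip nat outside"):
                found["classic_ifaces"].append(current)      # classic markers
            continue
        current = None  # any top-level line ends the interface block
        if NVI_RULE.match(raw):
            found["nvi_rules"].append(raw.rstrip())
        elif CLASSIC_RULE.match(raw):
            found["classic_rules"].append(raw.rstrip())
    return found


def find_issues(config):
    """Return human-readable problems; an empty list means the styles are consistent."""
    f = classify_nat(config)
    issues = []
    if f["nvi_rules"] and f["classic_rules"]:
        issues.append("mixed styles: NVI 'ip nat source' and classic "
                      "'ip nat inside/outside source' rules do not work together")
    if f["nvi_rules"] and not f["nvi_ifaces"]:
        issues.append("NVI rule present but no interface has 'ip nat enable'")
    if f["classic_rules"] and not f["classic_ifaces"]:
        issues.append("classic rule present but no interface has "
                      "'ip nat inside'/'ip nat outside'")
    return issues


def rewrite_nvi_as_classic(config):
    """Turn top-level NVI rules into classic inside-source rules (the fix from the thread)."""
    out = []
    for raw in config.splitlines():
        if NVI_RULE.match(raw):
            raw = raw.replace("ip nat source ", "ip nat inside source ", 1)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for issue in find_issues(KYLE_CONFIG):
        print("ISSUE:", issue)
    print(rewrite_nvi_as_classic(KYLE_CONFIG))
```

Run against the constructed config it reports the mixed-style problem plus the missing "ip nat enable" that an NVI rule would need; after the rewrite the lint is clean. The check is text-based on purpose: it works on a saved "show running-config" without any access to the device.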

Peter,

Good catch!  I now see the following when performing a show ip nat translation:

tcp PUBLICIP:3784 10.0.0.5:3784      ---                ---

udp PUBLICIP:3784 10.0.0.5:3784      ---                ---

(I created two static maps; one for TCP and one for UDP--not 100% which it uses.)

Also, this website is now showing the port as open, when it was closed before: http://www.yougetsignal.com/tools/open-ports/

Problem is... it still isn't working. Annoying the hell out of me. I've verified that Windows Firewall is allowing port 3784 and is allowing the application.

Hi Kyle,

Well, can you try installing Wireshark on the machine that runs the Ventrilo, and run it while connecting from outside to the port 3784, and see if the packets can actually hit that machine?

Are you familiar with the Wireshark software?

Best regards,

Peter

Peter,

Update...

It IS working.  !! Yay !!

It's working for other external clients (got a friend to try).

But when I try internally, with my public IP address it doesn't work.  This worked before when using traditional port forwarding on the Linksys router.

Any idea to why it wouldn't work when trying from my internal network, pointing to my own public IP?  Shouldn't it simply redirect back?

Hi Kyle,

Okay, good to know.

On Cisco, the NAT applies only if the packets traverse the inside-outside or outside-inside combination of interfaces. As this combination of interfaces is not really hit when your internal clients communicate with the inside machine under its public IP address, the NAT does not apply here.

My personal suggestion is to use the internal IP address for your internal network (the KISS principle). My primary reason for this is that the packet hairpinning over the router and back out the same interface will incur a performance penalty on the application so it is better to avoid it. Only if using the private IP address would be a major inconvenience for you, I can come up with a modification of your NAT configuration that would allow for this.

Let me know please - and in any case, I am glad it does work!

Best regards,

Peter
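Peter's rule, that classic NAT is applied only when a packet crosses between an "ip nat inside" and an "ip nat outside" interface, explains both the working external test and the failing internal one. The following added example (a toy model written for this page, not IOS code and not from the thread) encodes that rule together with the order of operations it implies: outside-to-inside packets are translated before routing, inside-to-outside packets are routed first and translated only if the egress is an outside interface. The interface roles and the static PAT entries mirror Kyle's configuration; 203.0.113.10 is a constructed stand-in for the DHCP address on Fa0/0.

```python
"""Model of when Cisco IOS applies classic ('ip nat inside source') NAT.

Added example: a tiny simulation, not IOS code. It encodes the rule from the
thread that translation happens only when a packet crosses between an
'ip nat inside' and an 'ip nat outside' interface. Addresses are constructed
(203.0.113.10 stands in for the public IP on Fa0/0).
"""
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.10"  # constructed stand-in for the DHCP address on Fa0/0

# Interfaces with their NAT role and connected network (mirrors the thread's config).
INTERFACES = {
    "FastEthernet0/0": {"role": "outside", "addr": PUBLIC_IP,
                        "net": ip_network("203.0.113.0/24")},
    "Vlan100": {"role": "inside", "addr": "10.0.0.1",
                "net": ip_network("10.0.0.0/24")},
}

# Static PAT entries: (global ip, proto, global port) -> (local ip, local port).
STATIC_PAT = {
    (PUBLIC_IP, "tcp", 3784): ("10.0.0.5", 3784),
    (PUBLIC_IP, "udp", 3784): ("10.0.0.5", 3784),
}


def route(dst):
    """Egress interface for dst, or None when dst is one of the router's own addresses.
    Unknown destinations follow the default route out the outside interface."""
    for info in INTERFACES.values():
        if ip_address(dst) == ip_address(info["addr"]):
            return None
    for name, info in INTERFACES.items():
        if ip_address(dst) in info["net"]:
            return name
    return "FastEthernet0/0"


def forward(ingress, proto, src, sport, dst, dport):
    """Simulate one packet entering on `ingress`; return what the router does with it."""
    ing_role = INTERFACES[ingress]["role"]
    if ing_role == "outside":
        # Outside -> inside: translate the destination (global -> local) before routing.
        local = STATIC_PAT.get((dst, proto, dport))
        if local is None:
            return {"delivered": False,
                    "reason": "no translation for this destination port; the router handles it itself"}
        dst, dport = local
        egress = route(dst)
        if egress is None or INTERFACES[egress]["role"] != "inside":
            return {"delivered": False,
                    "reason": "translated destination is not behind an inside interface"}
        return {"delivered": True, "egress": egress, "src": (src, sport),
                "dst": (dst, dport), "nat": "static PAT (outside->inside)"}
    # Inside -> outside: route first; translate the source only if egress is outside.
    egress = route(dst)
    if egress is None:
        return {"delivered": False,
                "reason": ("destination is the router's own address; the packet never "
                           "crosses inside->outside, so the static PAT entry is not consulted")}
    if INTERFACES[egress]["role"] == "outside":
        # Overload keeps the source port when it is free; IOS may pick another one.
        return {"delivered": True, "egress": egress, "src": (PUBLIC_IP, sport),
                "dst": (dst, dport), "nat": "dynamic PAT (inside->outside, overload)"}
    return {"delivered": True, "egress": egress, "src": (src, sport),
            "dst": (dst, dport), "nat": "none (inside->inside)"}


if __name__ == "__main__":
    # External client to the public IP: works (the friend's test).
    print(forward("FastEthernet0/0", "tcp", "198.51.100.7", 40000, PUBLIC_IP, 3784))
    # Internal client to the public IP: the hairpin case that fails.
    print(forward("Vlan100", "tcp", "10.0.0.20", 40000, PUBLIC_IP, 3784))
    # Internal client straight to the private address: Peter's recommendation.
    print(forward("Vlan100", "tcp", "10.0.0.20", 40000, "10.0.0.5", 3784))
```

The three calls at the bottom reproduce the thread: the external connection is translated to 10.0.0.5:3784 and sent out Vlan100, the internal connection to the public address terminates on the router because no inside-to-outside crossing happens, and the internal connection to 10.0.0.5 is plain inside-to-inside forwarding with no NAT at all.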

Peter,

I hear ya!

I mainly use it for testing purposes.  Until I get dynamic DNS working, it is my work around to figure out if my pub IP has changed and I need to give out the new IP address.

Otherwise, internal addressing does work great.

You were a big help thank you!

Hi Kyle,

It has been a pleasure. You are always welcome!

Best regards,

Peter
