Static & Dynamic NAT and Outside connection in Cisco 2811

megaservicescl
Level 1

Hello Cisco gurus, I think it's time to ask for help!

This is the scenario:

- Cisco router model 2811 with firmware c2800nm-advsecurityk9-mz.151-4.M10 and 2 interfaces f0/0 and f0/1
- 5 public IPs from 200.xxx.xxx.234 to 200.xxx.xxx.238
- 2 web, mail, ftp and dns servers (SRV1 and SRV2)

I want to use 3 of these 5 IPs:

- LAN from 192.168.1.30 to 192.168.1.254 -> 200.xxx.xxx.236
- SRV1 in 192.168.1.10 -> 200.xxx.xxx.237
- SRV2 in 192.168.1.20 -> 200.xxx.xxx.238

After 3 days of reading and testing configurations, I can connect to the internet from the LAN (no problems here), but I can't see the servers from outside the local network.

I would be very grateful if someone can help me with this problem!

Here is my running configuration:

!---------------------------
ip dhcp excluded-address 192.168.1.1 192.168.1.30
!
ip dhcp pool LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 200.xx.xxx.227 200.xx.xx.90
!
!
redundancy
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 200.xxx.xxx.236 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static 192.168.1.10 200.xxx.xxx.237
ip nat inside source static 192.168.1.20 200.xxx.xxx.238
ip route 0.0.0.0 0.0.0.0 200.xxx.xxx.233
!
access-list 1 permit 192.168.1.0 0.0.0.255
!---------------------------

2 Replies

Philip D'Ath
VIP Alumni

The configuration is correct.

Can 192.168.1.10 and 192.168.1.20 access the Internet ok (verifying their routing configuration)?

Is a local firewall, such as Windows Firewall, configured to allow the traffic?

Can you access whatever the service is directly on the servers to prove those services are working?

Hello Philip,
Thank you for your reply.

Well, after various tests, I realized that I can connect to the servers' services from computers that are not in the same IP range (200.xxx.xxx.234 to 200.xxx.xxx.238).

My solution was to use route-maps in the static NAT.

Now I can browse the servers' web pages, FTP, etc. using the domain/hostname, but I still can't connect to the servers using the outside IP.

ssh://domain.ltd:22 works
ssh://200.xxx.xxx.238:22 doesn't work

Any help?

!
ip nat inside source list LAN_ACL interface FastEthernet0/1 overload
ip nat inside source static 192.168.1.10 200.xxx.xxx.237 route-map SRV1 extendable
ip nat inside source static 192.168.1.20 200.xxx.xxx.238 route-map SRV2 extendable
ip route 0.0.0.0 0.0.0.0 200.xxx.xxx.233
!
ip access-list extended LAN_ACL
 deny ip host 192.168.1.10 any
 deny ip host 192.168.1.20 any
 permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended SRV1_ACL
 permit ip host 192.168.1.10 any
!
route-map SRV1 permit 10
 match ip address SRV1_ACL
!
ip access-list extended SRV2_ACL
 permit ip host 192.168.1.20 any
!
route-map SRV2 permit 10
 match ip address SRV2_ACL
!
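The two configurations in this thread are a good test case for a small NAT config linter. The Python below is an added example, not code from the thread or from Cisco: it parses the command forms that appear above (interface `ip address` / `ip nat inside|outside|enable`, the `ip nat inside source list ... overload` and `ip nat inside source static` rules, numbered standard ACLs and named extended ACLs) and reports what a reviewer would want to know before putting a 1:1 static NAT on the internet. SAMPLE_CONFIG is a constructed copy of the first running-config, with the masked 200.xxx.xxx.0/29 prefix replaced by the documentation range 203.0.113.0/29 (an assumption) and with IOS's one-space indentation restored, which the parser relies on. Against the first config it flags that 192.168.1.10 and .20 also match the overload ACL (the overlap the LAN_ACL `deny` lines in the second config remove), that a full 1:1 static NAT exposes every listening port on each server, and that classic inside/outside NAT does not hairpin, which is the symptom in the follow-up post when the outside IP is used from the LAN.

```python
"""Lint a Cisco IOS NAT config for the static/dynamic NAT pitfalls in this thread.
Added example, not code from the thread or from Cisco.  SAMPLE_CONFIG is a constructed
copy of the first running-config above, with the masked public prefix replaced by the
documentation range 203.0.113.0/29 (an assumption)."""
import ipaddress
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address 203.0.113.236 255.255.255.248
 ip nat outside
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static 192.168.1.10 203.0.113.237
ip nat inside source static 192.168.1.20 203.0.113.238
access-list 1 permit 192.168.1.0 0.0.0.255
"""

@dataclass
class NatConfig:
    inside: dict = field(default_factory=dict)   # interface name -> IPv4Interface
    outside: dict = field(default_factory=dict)
    dynamic: list = field(default_factory=list)  # ACL names feeding 'overload' rules
    static: list = field(default_factory=list)   # (local, global, proto); None = all ports
    acls: dict = field(default_factory=dict)     # name -> ordered [(action, IPv4Network)]
    nvi: bool = False                            # an interface has 'ip nat enable' (NVI)

def _src_network(tok):
    """ACL source in IOS form: 'host A', 'any' or 'A WILDCARD' (a wildcard is a hostmask)."""
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1])
    if tok[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(f"{tok[0]}/{tok[1]}", strict=False)

def _static(tok):
    """Tokens after 'ip nat inside source static': [tcp|udp] local [port] global [port] ..."""
    proto = tok.pop(0) if tok[0] in ("tcp", "udp") else None
    local, glob = (tok[0], tok[2]) if proto else (tok[0], tok[1])
    return ipaddress.IPv4Address(local), ipaddress.IPv4Address(glob), proto

def parse(text):
    cfg, addrs = NatConfig(), {}
    iface = acl = None  # the 'interface' / 'ip access-list' block we are inside
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue
        if not line.startswith(" "):  # IOS indents block members by one space
            iface = acl = None
        if tok[0] == "interface":
            iface = tok[1]
        elif tok[:2] == ["ip", "access-list"]:
            acl = tok[3]
        elif tok[0] == "access-list":  # numbered standard ACL: name, action, source
            cfg.acls.setdefault(tok[1], []).append((tok[2], _src_network(tok[3:])))
        elif iface and tok[:2] == ["ip", "address"]:
            addrs[iface] = ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}")
        elif iface and tok[:2] == ["ip", "nat"]:  # 'ip address' comes first in the block
            if tok[2] == "enable":
                cfg.nvi = True
            else:
                getattr(cfg, tok[2])[iface] = addrs[iface]  # cfg.inside or cfg.outside
        elif acl and tok[0] in ("permit", "deny"):  # extended ACL: action proto source ...
            cfg.acls.setdefault(acl, []).append((tok[0], _src_network(tok[2:])))
        elif tok[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg.dynamic.append(tok[5])
        elif tok[:5] == ["ip", "nat", "inside", "source", "static"]:
            cfg.static.append(_static(tok[5:]))
    return cfg

def acl_action(entries, host):
    """First match wins; every IOS ACL ends with an implicit deny."""
    for action, net in entries:
        if host in net:
            return action
    return "deny"

def lint(cfg):
    out = []
    if not cfg.inside or not cfg.outside:
        out.append("ERROR: need both an 'ip nat inside' and an 'ip nat outside' interface")
    outside_nets = [i.network for i in cfg.outside.values()]
    for local, glob, proto in cfg.static:
        if not any(glob in n for n in outside_nets):
            out.append(f"WARN: {glob} is in no outside subnet; the upstream must route it here")
        if proto is None:
            out.append(f"NOTE: 1:1 static {local}->{glob} exposes every port on {local}; "
                       "prefer per-port static NAT or an inbound ACL on the outside interface")
        for name in cfg.dynamic:
            if acl_action(cfg.acls.get(name, []), local) == "permit":
                out.append(f"INFO: {local} also matches overload ACL {name}; add 'deny ip host "
                           f"{local} any' before the permit so only the static mapping applies")
    if not cfg.nvi:
        out.append("INFO: no NVI ('ip nat enable'): classic NAT does not hairpin, so LAN hosts "
                   "cannot reach a server via its inside global address (use split DNS)")
    return out
```

Run it with `print("\n".join(lint(parse(SAMPLE_CONFIG))))`, or paste in a `show running-config` capture. The NOTE finding is the security point the thread does not spell out: `ip nat inside source static A B` without a protocol and port forwards every port of the server, so anything listening on SRV1 or SRV2 (including management services) is reachable from the internet unless an inbound ACL on FastEthernet0/1 or per-port `ip nat inside source static tcp ...` entries restrict it.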

 
