
static nat on subinterfaces

marcel3007
Level 1

Hello from Berlin :)

following scenario:

Now, I want to access the www server from public and insert a static ip nat inside argument, but it doesn't work. On the www server (my PC in this example) I have an internet connection. All works fine, only the NAT / PAT translation doesn't work.

Here is my config of my Router:

configure terminal

hostname Rtr_Chab

no ip http
no ip source-route

line con 0
 logging synchronous
exit

username vpn01 password vpn01
username vpn02 password vpn02

enable password xxx

interface loopback 0
 description Testinterface
 ip add 172.16.99.1 255.255.255.255
exit

line vty 0 15
 login local
 password xxx
exit

interface fa0/0
 description WAN Interface
 ip address dhcp
 ip nat outside
 no shutdown
exit

interface fa0/1
 description LAN Interface
 no shutdown
exit

interface fa0/1.10
 description VLAN 10 K-Netz
 encapsulation dot1q 10 native
 ip address 192.168.9.200 255.255.255.0
 ip nat inside
 no shutdown
exit

interface fa0/1.20
 description VLAN 20 Charlottenburg-Netz
 encapsulation dot1q 20
 ip address 172.16.20.1 255.255.255.0
 ip nat inside
 no shutdown
exit

interface fa0/1.30
 description VLAN 30 Charlottenburg-Admin-Netz
 encapsulation dot1q 30
 ip address 172.16.30.1 255.255.255.0
 ip nat inside
 no shutdown
exit

interface fa0/1.40
 description VLAN 40 VPN-Netz
 encapsulation dot1q 40
 ip address 172.16.40.1 255.255.255.0
 ip nat inside
 no shutdown
exit


ip dhcp excluded-address 172.16.20.1 172.16.20.100

ip dhcp pool Pool_Charlottenburg-Netz
 network 172.16.20.0 255.255.255.0
 default-router 172.16.20.1
 import all
exit

ip dhcp pool Pool_Charlottenburg-Admin-Netz
 network 172.16.30.0 255.255.255.0
 default-router 172.16.30.1
 import all
exit

ip dhcp pool Pool_VPN-Netz
 network 172.16.40.0 255.255.255.0
 default-router 172.16.40.1
 import all
exit

no access-list 1
access-list 1 permit 192.168.9.0 0.0.0.255
access-list 1 permit 172.16.20.0 0.0.0.255
access-list 1 permit 172.16.30.0 0.0.0.255
access-list 1 permit 172.16.40.0 0.0.0.255
access-list 1 permit 172.16.99.1 0.0.0.0

ip nat inside source list 1 interface fa0/0 overload
ip nat inside source static tcp 172.16.20.101 80 interface fa0/0 80

vpdn enable

vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
exit


interface Virtual-Template1
 description PPTP Einwahl Interface fuer VPN Zugang
 ip unnumbered fa0/1.40
 no keepalive
 no cdp enable
 peer default ip address dhcp-pool Pool_VPN-Netz
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
exit
end

and my configuration of the switch:

configure terminal

default interface range fastEthernet0/1 - 24

hostname SW_Chab

line con 0
 logging synchronous
 exit


interface vlan 30
 ip address 172.16.30.2 255.255.255.0
 no shutdown
exit

ip default-gateway 172.16.30.1


interface fa0/1
 description Service-PC Admin-Netz
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shutdown
exit

interface fa0/2
 description Service-PC (temp) Admin-Netz
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shutdown
exit

interface fa0/9
 description Techniker-PC Chab
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shutdown
exit

interface fa0/10
 description Drucker Chab
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shutdown
exit

interface fa0/22
 description AccessPoint Chab
 switchport mode trunk
 switchport trunk native vlan 20
 no shutdown
exit

interface fa0/23
 description KAP-Netz
 switchport mode trunk
 switchport trunk native vlan 10
 no shutdown
exit

interface fa0/24
 description Router
 switchport mode trunk
 no shutdown
exit

 

Hopefully you can help me.

Thanks!

Marcel


6 Replies

Hello

Can you try adding the extendable keyword to the end of the static mapping

ip nat inside source static tcp 172.16.20.101 80 interface fa0/0 80 extendable

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

I don't have the extendable command in my IOS version. I have the version c1841-adventerprisek9-mz.151-4.M1.bin installed. Should I try with another version?

Marcel

Hello

Yes, you can do that; however, before you do, try using NVI NAT (domainless NAT). Its NAT order is different than domain NAT, as it performs lookups before and after translation.

Remove the old statements before applying the below:

int xx
ip nat enable

ip nat source list 1 interface fa0/0 overload
ip nat source static tcp 172.16.20.101 80 interface fa0/0 80 extendable

res

Paul


Sorry, I don't know if I understand you right.

I have now disabled ip virtual-reassembly and downgraded to IOS 12.4.

I have tried to apply the statements you posted, but I don't have the extendable command.

Here is my complete show run; I hope you can find something (the ip route statements are dynamic because of the ip nat statements):

Current configuration : 3170 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rtr_Chab
!
boot-start-marker
boot system flash:/c1841-adventerprisek9-mz.124-25f.bin
boot-end-marker
!
!
no aaa new-model
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.20.1 172.16.20.100
!
ip dhcp pool Pool_Charlottenburg-Netz
   import all
   network 172.16.20.0 255.255.255.0
   default-router 172.16.20.1
!
ip dhcp pool Pool_Charlottenburg-Admin-Netz
   import all
   network 172.16.30.0 255.255.255.0
   default-router 172.16.30.1
!
ip dhcp pool Pool_VPN-Netz
   import all
   network 172.16.40.0 255.255.255.0
   default-router 172.16.40.1
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
crypto pki token default removal timeout 0
!
!
username vpn01 password 0 vpn01
username vpn02 password 0 vpn02
!
!
controller DSL 0/0/0
 line-term cpe
!
interface Loopback0
 description Testinterface
 ip address 172.16.99.1 255.255.255.255
!         
interface FastEthernet0/0
 description WAN Interface
 ip address dhcp
 ip nat outside
 ip nat enable
 no ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description LAN Interface
 no ip address
 ip nat enable
 duplex auto
 speed auto
!
interface FastEthernet0/1.10
 description VLAN 10 KAP-Netz
 encapsulation dot1Q 10 native
 ip address 192.168.9.200 255.255.255.0
 ip nat inside
 ip nat enable
 no ip virtual-reassembly
!
interface FastEthernet0/1.20
 description VLAN 20 Charlottenburg-Netz
 encapsulation dot1Q 20
 ip address 172.16.20.1 255.255.255.0
 ip nat inside
 ip nat enable
 no ip virtual-reassembly
!
interface FastEthernet0/1.30
 description VLAN 30 Charlottenburg-Admin-Netz
 encapsulation dot1Q 30
 ip address 172.16.30.1 255.255.255.0
 ip nat inside
 ip nat enable
 no ip virtual-reassembly
!
interface FastEthernet0/1.40
 description VLAN 40 VPN-Netz
 encapsulation dot1Q 40
 ip address 172.16.40.1 255.255.255.0
 ip nat inside
 ip nat enable
 no ip virtual-reassembly
!
interface Virtual-Template1
 description PPTP Einwahl Interface fuer VPN Zugang
 ip unnumbered FastEthernet0/1.40
 peer default ip address dhcp-pool Pool_VPN-Netz
 no keepalive
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 91.64.82.254 254
ip route 0.0.0.0 0.0.0.0 91.64.191.254 254
ip route 0.0.0.0 0.0.0.0 91.64.81.254 254
ip route 0.0.0.0 0.0.0.0 24.134.39.254 254
!
!
no ip http server
no ip http secure-server
ip nat source static tcp 172.16.20.101 80 interface FastEthernet0/0 80
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit any
!
!
!
control-plane
!

end   

Hello

"Remove the old statements before applying the below"

int xx

no ip nat inside
no ip nat outside
ip nat enable
exit

no ip nat inside source list 1 interface fa0/0 overload
no ip nat inside source static tcp 172.16.20.101 80 interface fa0/0 80

ip nat source list 1 interface fa0/0 overload
ip nat source static tcp 172.16.20.101 80 interface fa0/0 80 extendable ( if applicable)

res

Paul

Hi Paul,

thank you very much! That was the solution for my problem. For all others, here is my final config:


interface loopback 0
 description Testinterface
 ip add 172.16.99.1 255.255.255.255
exit

interface fa0/0
 description WAN Interface
 ip address dhcp
 ip nat enable
 no shutdown
exit

interface fa0/1
 description LAN Interface
 ip nat enable
 no shutdown
exit

interface fa0/1.10
 encapsulation dot1q 10 native
 ip address 192.168.9.200 255.255.255.0
 ip nat enable
 no shutdown
exit

interface fa0/1.20
 encapsulation dot1q 20
 ip address 172.16.20.1 255.255.255.0
 ip nat enable
 no shutdown
exit

interface fa0/1.30
 encapsulation dot1q 30
 ip address 172.16.30.1 255.255.255.0
 ip nat enable
 no shutdown
exit

interface fa0/1.40
 encapsulation dot1q 40
 ip address 172.16.40.1 255.255.255.0
 ip nat enable
 no shutdown
exit

access-list 1 permit 192.168.9.0 0.0.0.255
access-list 1 permit 172.16.20.0 0.0.0.255
access-list 1 permit 172.16.30.0 0.0.0.255
access-list 1 permit 172.16.40.0 0.0.0.255
access-list 1 permit 172.16.99.1 0.0.0.0

ip nat source list 1 interface FastEthernet0/0 overload
ip nat source static tcp 172.16.30.3 20 interface FastEthernet0/0 20
ip nat source static tcp 172.16.30.3 21 interface FastEthernet0/0 21
ip nat source static tcp 172.16.30.3 80 interface FastEthernet0/0 80
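
Added example, not part of the original thread and not Cisco's code: a small Python check for whether the old statements were really removed, as the answer above instructs. It flags a configuration that mixes legacy domain NAT (ip nat inside/outside) with NVI (ip nat enable, ip nat source ...), as the intermediate show run in this thread does. The function name audit_nat and the SAMPLE excerpt are assumptions made for illustration.

```python
import re

# Constructed excerpt modelled on the intermediate "show run" in this thread:
# legacy (domain) NAT and NVI commands are mixed on the same router.
SAMPLE = """\
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip nat enable
!
interface FastEthernet0/1.20
 ip address 172.16.20.1 255.255.255.0
 ip nat inside
 ip nat enable
!
ip nat source static tcp 172.16.20.101 80 interface FastEthernet0/0 80
ip nat inside source list 1 interface FastEthernet0/0 overload
"""

def audit_nat(config: str) -> list[str]:
    """Return findings where legacy NAT and NVI syntax are mixed or unmatched."""
    findings, iface, modes = [], None, {}
    legacy_rules, nvi_rules = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            iface = raw.split(None, 1)[1]
            modes[iface] = set()
        elif raw.startswith(" ") and iface:      # interface sub-command
            if re.fullmatch(r"ip nat (inside|outside)", line):
                modes[iface].add("legacy")
            elif line == "ip nat enable":
                modes[iface].add("nvi")
        else:
            iface = None                         # back in global config
            if re.match(r"ip nat (inside|outside) source ", line):
                legacy_rules.append(line)
            elif line.startswith("ip nat source "):
                nvi_rules.append(line)
    for name, m in modes.items():
        if m == {"legacy", "nvi"}:
            findings.append(f"{name}: both 'ip nat inside/outside' and 'ip nat enable'")
    if legacy_rules and nvi_rules:
        findings.append("global: legacy and NVI translation rules are both configured")
    if nvi_rules and not any("nvi" in m for m in modes.values()):
        findings.append("global: NVI rules present but no interface has 'ip nat enable'")
    if legacy_rules and not any("legacy" in m for m in modes.values()):
        findings.append("global: legacy rules present but no interface has 'ip nat inside/outside'")
    return findings
```

Run against the final config above it returns no findings, since every interface and every rule uses the NVI form only.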

 
