08-01-2017 08:06 AM - edited 03-05-2019 08:56 AM
Hi
I'm trying to use both Dynamic and Static NAT. Dynamic for most traffic and static just for a few servers we need to get access to from the Internet.
The problem is that the Static NAT is only working from Internet to the Inside IP but not from Inside to Internet, i.e. when the server tries to access the Internet its address gets translated using the Dynamic NAT rules?
Config excerpts:
interface GigabitEthernet0/1
ip address 82.12.194.202 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex full
speed auto
!
ip nat inside source route-map internet interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.0.13 82.12.194.204 extendable
ip nat inside source static 192.168.128.11 82.12.194.206 extendable
ip nat inside source static 192.168.55.193 86.13.140.193 extendable
access-list 5 remark NAT list to allow internet access
access-list 5 permit 192.168.244.5 log
access-list 5 permit 192.168.128.16
access-list 5 permit 192.168.123.0 0.0.0.255
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 5 permit 192.168.122.0 0.0.0.255
access-list 5 permit 192.168.110.0 0.0.0.255
access-list 5 permit 192.168.66.0 0.0.0.255
access-list 5 permit 192.168.112.0 0.0.0.255
access-list 5 permit 192.168.55.0 0.0.0.255
access-list 5 permit 192.168.0.0 0.0.255.255
route-map internet permit 10
match ip address 5
Labels: Other Routing
Accepted Solutions
08-02-2017 11:48 AM
08-01-2017 08:20 AM
Hello,
a few things:
Logging on access lists used for NAT is not a good idea. Remove the 'log' keyword from the first line in your access list:
access-list 5 permit 192.168.244.5 log
Also, the line below cannot work, since the public IP address is not part of your assigned range:
ip nat inside source static 192.168.55.193 86.13.140.193 extendable
What do you have configured for routing? Can you post the full configuration of the router?
08-01-2017 08:29 AM
Thanks Georg - why do you think the public IP is not part of the assigned range?
08-01-2017 09:08 AM
Hello Adrian,
82.12.194.202 255.255.255.248 means that your host range is 201 through 206. 86.13.140.193 is not configured anywhere on your network as part of an interface set as NAT outside.
Also, your NAT pool is not in use, so you might also want to remove this line:
ip nat pool DMZ 82.12.194.203 82.12.194.203 netmask 255.255.255.248
The 'log' keyword is really important to remove, as it messes with NAT.
08-01-2017 10:56 AM
OK, I see. In that case is it possible to add two separate IP ranges as NAT outside on the same interface? For example I would need both 82.12.194.203/29 and 86.13.140.193/28?
08-01-2017 11:27 AM
Hello,
'ip address 86.13.140.193 255.255.255.240 secondary'
adds that range as a secondary to the interface.
That said, your original problem was that you could not access internal addresses from the outside? Did any of the changes suggested make a difference?
08-02-2017 12:52 AM
No, the original problem was the opposite. Sorry if I wasn't clear.
Original problem was that I *could* access from external to internal but not from internal to Internet.
08-02-2017 07:29 AM
Adrian,
what is the current status? Did our suggestions help?
08-02-2017 11:34 AM
Hi Georg,
Figured it out. Really stupid. The router configuration was actually fine as it was. The problem was a firewall between the router and the switch. One of the rules on the firewall was NATing the traffic before it reached the router, so from the router's point of view it was never seeing any traffic coming from the internal IP 192.168.55.193.
I've removed the 'log' and unnecessary NAT Pool as suggested.
Thanks for all your help and time.
08-02-2017 11:48 AM
Adrian,
good news, glad you got it sorted out!
08-01-2017 08:41 AM
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no logging console
!
no aaa new-model
!
clock timezone GMT 0 0
clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
!
ip flow-cache timeout active 1
no ip bootp server
no ip domain lookup
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2921/K9 sn FGL163411LQ
!
!
username xxxx privilege 15 secret 4 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 10.10.10.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
shutdown
!
interface GigabitEthernet0/1
description [ External]
ip address 82.12.194.202 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex full
speed auto
!
interface GigabitEthernet0/2
description [ Internal]
ip address 192.168.244.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nat inside
ip virtual-reassembly in
duplex full
speed auto
!
interface GigabitEthernet0/0/0
no ip address
!
interface GigabitEthernet0/0/1
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
no ip address
!
interface Vlan1
no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip flow-top-talkers
top 100
sort-by bytes
cache-timeout 360000
!
ip nat translation timeout 300
ip nat pool DMZ 82.12.194.203 82.12.194.203 netmask 255.255.255.248
ip nat inside source route-map internet interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.0.13 82.12.194.204 extendable
ip nat inside source static 192.168.128.11 82.12.194.206 extendable
ip nat inside source static 192.168.55.193 86.13.140.193 extendable
ip route 0.0.0.0 0.0.0.0 82.12.194.201
ip route 192.168.0.0 255.255.255.0 192.168.244.2
ip route 192.168.2.0 255.255.255.0 192.168.244.2
ip route 192.168.55.0 255.255.255.0 192.168.244.2
ip route 192.168.66.0 255.255.255.0 192.168.244.2
ip route 192.168.110.0 255.255.255.0 192.168.244.2
ip route 192.168.112.0 255.255.255.0 192.168.244.2
ip route 192.168.122.0 255.255.254.0 192.168.244.2
ip route 192.168.128.0 255.255.255.0 192.168.244.2
ip route 192.168.200.0 255.255.255.0 192.168.244.2
!
access-list 5 remark NAT list to allow internet access
access-list 5 permit 192.168.244.5 log
access-list 5 permit 192.168.128.16
access-list 5 permit 192.168.123.0 0.0.0.255
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 5 permit 192.168.122.0 0.0.0.255
access-list 5 permit 192.168.110.0 0.0.0.255
access-list 5 permit 192.168.66.0 0.0.0.255
access-list 5 permit 192.168.112.0 0.0.0.255
access-list 5 permit 192.168.55.0 0.0.0.255
access-list 5 permit 192.168.0.0 0.0.255.255
!
!
!
!
route-map internet permit 10
match ip address 5
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login local
transport input all
!
scheduler allocate 20000 1000
end
Router#
08-01-2017 02:28 PM
Hello
Just like to add, the static NATs don't need to be included in the ACL for NAT either...
access-list 5 remark NAT list to allow internet access
access-list 5 deny host 192.168.0.13
access-list 5 deny host 192.168.0.11
access-list 5 deny host 192.168.55.193
access-list 5 permit 192.168.244.5 log
access-list 5 permit 192.168.128.16
access-list 5 permit 192.168.123.0 0.0.0.255
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 5 permit 192.168.122.0 0.0.0.255
access-list 5 permit 192.168.110.0 0.0.0.255
access-list 5 permit 192.168.66.0 0.0.0.255
access-list 5 permit 192.168.112.0 0.0.0.255
access-list 5 permit 192.168.55.0 0.0.0.255
access-list 5 permit 192.168.0.0 0.0.255.255 <---- the deny entries above are negated from this ACE
ip nat pool DMZ 82.12.194.203 82.12.194.203 netmask 255.255.255.248
ip nat inside source static 192.168.55.193 86.13.140.193 82.12.194.205 extendable
sh ip arp
res
Paul
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul
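An added check, not from the thread and not Cisco's own tooling: a small Python lint over a constructed excerpt of the posted config that applies Georg's subnet point (a static NAT public address must fall inside a subnet configured on the "ip nat outside" interface, secondary addresses included) and Paul's point (hosts that already have a static translation should be denied in the dynamic NAT ACL so the two rule sets do not overlap). It assumes standard numbered-ACL syntax with first-match evaluation and an implicit deny, and the "fixed" excerpt is a constructed version with Georg's secondary address and Paul's deny entries applied.

```python
"""Lint static NAT entries against the NAT-outside subnets and the dynamic-NAT ACL
(assumed first-match semantics with implicit deny, as in a standard IOS ACL)."""
import ipaddress
import re
# Constructed excerpt of the config posted in the thread, not captured from a device.
ORIGINAL = """
interface GigabitEthernet0/1
 ip address 82.12.194.202 255.255.255.248
 ip nat outside
!
ip nat inside source static 192.168.0.13 82.12.194.204 extendable
ip nat inside source static 192.168.128.11 82.12.194.206 extendable
ip nat inside source static 192.168.55.193 86.13.140.193 extendable
access-list 5 permit 192.168.244.5 log
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 5 permit 192.168.0.0 0.0.255.255
"""
# Same excerpt with the secondary address and the deny entries suggested in the thread.
FIXED = ORIGINAL.replace(" ip nat outside", " ip address 86.13.140.193 255.255.255.240 secondary\n ip nat outside").replace(
    "access-list 5 permit 192.168.244.5", "access-list 5 deny host 192.168.0.13\naccess-list 5 deny host 192.168.128.11\n"
    "access-list 5 deny host 192.168.55.193\naccess-list 5 permit 192.168.244.5")
def outside_subnets(config):
    """Subnets (primary and secondary) of every interface block that carries 'ip nat outside'."""
    nets = []
    for block in config.split("\ninterface ")[1:]:
        block = block.split("\n!")[0]  # an interface block ends at the next '!'
        if re.search(r"^\s*ip nat outside\s*$", block, re.M):
            for ip, mask in re.findall(r"ip address (\S+) (\S+)", block):
                nets.append(ipaddress.ip_network(f"{ip}/{mask}", strict=False))
    return nets
def acl_permits(config, acl_id, host):
    """First-match evaluation of a standard ACL for one host; no match is the implicit deny."""
    h = int(ipaddress.ip_address(host))
    pat = rf"^access-list {acl_id} (permit|deny) (?:host )?(\d+\.\d+\.\d+\.\d+)(?: (\d+\.\d+\.\d+\.\d+))?"
    for action, addr, wildcard in re.findall(pat, config, re.M):
        care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard or "0.0.0.0"))  # 0 bits of the wildcard must match
        if (h & care) == (int(ipaddress.ip_address(addr)) & care):
            return action == "permit"
    return False
def lint_nat(config, acl_id="5"):
    """Return (static publics outside every NAT-outside subnet, static insides the dynamic ACL still permits)."""
    nets = outside_subnets(config)
    bad_public, overlap = [], []
    for inside, public in re.findall(r"^ip nat inside source static (\S+) (\S+)", config, re.M):
        if not any(ipaddress.ip_address(public) in n for n in nets):
            bad_public.append(public)
        if acl_permits(config, acl_id, inside):
            overlap.append(inside)
    return bad_public, overlap
```

Running `lint_nat(ORIGINAL)` flags 86.13.140.193 as outside the /29 and all three static inside hosts as still matched by ACL 5; `lint_nat(FIXED)` reports nothing on either count.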