Static NAT only working in one direction

adrian.mulgrew
Level 1

Hi

I'm trying to use both Dynamic and Static NAT. Dynamic for most traffic and static just for a few servers we need to get access to from the Internet.

The problem is that the Static NAT is only working from the Internet to the inside IP but not from inside to the Internet, i.e. when the server tries to access the Internet its address gets translated using the Dynamic NAT rules?

Config excerpts:

interface GigabitEthernet0/1
ip address 82.12.194.202 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex full
speed auto
!

ip nat inside source route-map internet interface GigabitEthernet0/1 overload

ip nat inside source static 192.168.0.13 82.12.194.204 extendable
ip nat inside source static 192.168.128.11 82.12.194.206 extendable
ip nat inside source static 192.168.55.193 86.13.140.193 extendable

access-list 5 remark NAT list to allow internet access

access-list 5 permit 192.168.244.5 log
access-list 5 permit 192.168.128.16
access-list 5 permit 192.168.123.0 0.0.0.255
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 5 permit 192.168.122.0 0.0.0.255
access-list 5 permit 192.168.110.0 0.0.0.255
access-list 5 permit 192.168.66.0 0.0.0.255
access-list 5 permit 192.168.112.0 0.0.0.255
access-list 5 permit 192.168.55.0 0.0.0.255
access-list 5 permit 192.168.0.0 0.0.255.255

route-map internet permit 10
match ip address 5


11 Replies

Hello,

a few things:

Logging on access lists used for NAT is not a good idea. Remove the 'log' keyword from the first line in your access list:

access-list 5 permit 192.168.244.5 log

Also, the line below cannot work, since the public IP address is not part of your assigned range:

ip nat inside source static 192.168.55.193 86.13.140.193 extendable

What do you have configured for routing ? Can you post the full configuration of the router ?

Thanks Georg - why do you think the public IP is not part of assigned range?

Hello Adrian,

82.12.194.202 255.255.255.248 means that your host range is 201 through 206. 86.13.140.193 is not configured anywhere on your network as part of an interface set as NAT outside.

Also, your NAT pool is not in use, so you might also want to remove this line:

ip nat pool DMZ 82.12.194.203 82.12.194.203 netmask 255.255.255.248

The 'log' keyword is really important to remove, as it messes with NAT.

OK, I see. In that case, is it possible to add two separate IP ranges as NAT outside on the same interface? For example, I would need both 82.12.194.203/29 and 86.13.140.193/28?

Hello,

'ip address 86.13.140.193 255.255.255.240 secondary'

adds that range as a secondary to the interface.

That said, your original problem was that you could not access internal addresses from the outside ? Did any of the changes suggested make a difference ?

No, the original problem was the opposite. Sorry if I wasn't clear.

Original problem was that I *could* access from external to internal but not from internal to Internet.

Adrian,

what is the current status ? Did our suggestions help ?

Hi Georg,

Figured it out. Really stupid.. The router configuration was actually fine as it was. The problem was a firewall between the router and the switch. One of the rules on the firewall was NATing the traffic before it reached the router, so from the router's point of view it was never seeing any traffic coming from the internal IP 192.168.55.193.

I've removed the 'log' and unnecessary NAT Pool as suggested.

Thanks for all your help and time.

Adrian,

good news, glad you got it sorted out !

hostname Router
!
boot-start-marker
boot-end-marker
!
!
no logging console
!
no aaa new-model
!
clock timezone GMT 0 0
clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
!
ip flow-cache timeout active 1
no ip bootp server
no ip domain lookup
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2921/K9 sn FGL163411LQ
!
!
username xxxx privilege 15 secret 4 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 10.10.10.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
shutdown
!
interface GigabitEthernet0/1
description [ External]
ip address 82.12.194.202 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex full
speed auto
!
interface GigabitEthernet0/2
description [ Internal]
ip address 192.168.244.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nat inside
ip virtual-reassembly in
duplex full
speed auto
!
interface GigabitEthernet0/0/0
no ip address
!
interface GigabitEthernet0/0/1
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
no ip address
!
interface Vlan1
no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip flow-top-talkers
top 100
sort-by bytes
cache-timeout 360000
!
ip nat translation timeout 300
ip nat pool DMZ 82.12.194.203 82.12.194.203 netmask 255.255.255.248
ip nat inside source route-map internet interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.0.13 82.12.194.204 extendable
ip nat inside source static 192.168.128.11 82.12.194.206 extendable
ip nat inside source static 192.168.55.193 86.13.140.193 extendable
ip route 0.0.0.0 0.0.0.0 82.12.194.201
ip route 192.168.0.0 255.255.255.0 192.168.244.2
ip route 192.168.2.0 255.255.255.0 192.168.244.2
ip route 192.168.55.0 255.255.255.0 192.168.244.2
ip route 192.168.66.0 255.255.255.0 192.168.244.2
ip route 192.168.110.0 255.255.255.0 192.168.244.2
ip route 192.168.112.0 255.255.255.0 192.168.244.2
ip route 192.168.122.0 255.255.254.0 192.168.244.2
ip route 192.168.128.0 255.255.255.0 192.168.244.2
ip route 192.168.200.0 255.255.255.0 192.168.244.2
!
access-list 5 remark NAT list to allow internet access
access-list 5 permit 192.168.244.5 log
access-list 5 permit 192.168.128.16
access-list 5 permit 192.168.123.0 0.0.0.255
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 5 permit 192.168.122.0 0.0.0.255
access-list 5 permit 192.168.110.0 0.0.0.255
access-list 5 permit 192.168.66.0 0.0.0.255
access-list 5 permit 192.168.112.0 0.0.0.255
access-list 5 permit 192.168.55.0 0.0.0.255
access-list 5 permit 192.168.0.0 0.0.255.255

!
!
!
!
route-map internet permit 10
match ip address 5
!

!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login local
transport input all
!
scheduler allocate 20000 1000
end

Router#

Hello

Just like to add, the static NATs don't need to be included in the ACL list for NAT either ...

access-list 5 remark NAT list to allow internet access
access-list 5 deny host 192.168.0.13
access-list 5 deny host 192.168.0.11
access-list 5 deny host 192.168.55.193
access-list 5 permit 192.168.244.5 log
access-list 5 permit 192.168.128.16
access-list 5 permit 192.168.123.0 0.0.0.255
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 5 permit 192.168.122.0 0.0.0.255
access-list 5 permit 192.168.110.0 0.0.0.255
access-list 5 permit 192.168.66.0 0.0.0.255
access-list 5 permit 192.168.112.0 0.0.0.255
access-list 5 permit 192.168.55.0 0.0.0.255
access-list 5 permit 192.168.0.0 0.0.255.255  <---- the above in bold negated from this ace

ip nat pool DMZ 82.12.194.203 82.12.194.203 netmask 255.255.255.248
ip nat inside source static 192.168.55.193 86.13.140.193  82.12.194.205  extendable

sh ip arp



res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
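To make the order of operations discussed in this thread concrete (a matching static entry is used before the route-map/overload rule, Paul's deny entries only affect the dynamic ACL, and a firewall that rewrites the source address first hides the server from the static entry), here is an added Python model of the router's inside-to-outside translation decision. It is not Cisco's code or anything posted above; the upstream firewall mapping 192.168.55.193 -> 192.168.244.5 is a constructed assumption, since the thread never states what the firewall translated to.

```python
import ipaddress

# Constructed model of IOS "ip nat inside source" selection for one inside-to-outside packet.
# Added for illustration; it is not Cisco's code. It assumes (as IOS does) that a matching
# static entry is used before the dynamic route-map/ACL rule is consulted.
STATIC = {                       # inside local -> inside global, from the thread's config
    "192.168.0.13": "82.12.194.204",
    "192.168.128.11": "82.12.194.206",
    "192.168.55.193": "86.13.140.193",
}
OUTSIDE_IF = "82.12.194.202"     # GigabitEthernet0/1, the address used by the overload rule

# access-list 5 as posted (action, address, wildcard); host entries use wildcard 0.0.0.0
ACL5 = [("permit", "192.168.244.5", "0.0.0.0"), ("permit", "192.168.128.16", "0.0.0.0"),
        ("permit", "192.168.123.0", "0.0.0.255"), ("permit", "192.168.0.0", "0.0.0.255"),
        ("permit", "192.168.122.0", "0.0.0.255"), ("permit", "192.168.110.0", "0.0.0.255"),
        ("permit", "192.168.66.0", "0.0.0.255"), ("permit", "192.168.112.0", "0.0.0.255"),
        ("permit", "192.168.55.0", "0.0.0.255"), ("permit", "192.168.0.0", "0.0.255.255")]

# Paul's variant: deny the statically translated hosts ahead of the permit entries
ACL5_WITH_DENY = [("deny", host, "0.0.0.0") for host in STATIC] + ACL5

def acl_permits(src, acl):
    """Standard ACL semantics: first matching entry decides; implicit deny at the end."""
    s = int(ipaddress.IPv4Address(src))
    for action, addr, wildcard in acl:
        a = int(ipaddress.IPv4Address(addr))
        w = int(ipaddress.IPv4Address(wildcard))
        if (s & ~w) == (a & ~w):      # wildcard bit 1 = "don't care"
            return action == "permit"
    return False

def translate(src, acl=ACL5):
    """Return (inside global address, rule that produced it) for an inside-to-outside packet."""
    if src in STATIC:
        return STATIC[src], "static"
    if acl_permits(src, acl):
        return OUTSIDE_IF, "overload"
    return src, "untranslated"

# Constructed stand-in for the firewall between switch and router: it rewrote the server's
# source address to an address on the router's inside segment before the packet arrived.
FIREWALL_NAT = {"192.168.55.193": "192.168.244.5"}   # mapping is assumed, not from the thread

def translate_after_firewall(src):
    """What the router does when the upstream firewall has already translated the source."""
    return translate(FIREWALL_NAT.get(src, src))
```

Calling `translate("192.168.55.193")` gives the static mapping, while `translate_after_firewall("192.168.55.193")` falls through to the overload rule, which is exactly the symptom Adrian reported.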