07-27-2018 04:32 AM
Hi there!
I'm trying to set up some static NAT on a router with a fail over WAN config using route-maps.
For dynamic NAT, I have this config part, which works fine:
ip nat inside source route-map ISP1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map ISP2 interface Dialer1 overload
route-map ISP2 permit 10
match ip address NAT
match interface Dialer1
route-map ISP1 permit 10
match ip address NAT
match interface GigabitEthernet0/0/0
ip access-list standard NAT
deny 192.168.7.9
permit 192.168.7.0 0.0.0.15
However, when I add this for static NAT to host 192.168.7.9, I cannot connect through the public IP and port 8123 (connection timeout or connection refused; I get both):
ip nat inside source static tcp 192.168.7.9 22 93.x.x.x 8123 extendable
ip nat inside source static tcp 192.168.7.9 22 217.x.x.x 8123 extendable
ssh connection from the router to the host works.
sh ip nat translation shows this:
Pro  Inside global      Inside local     Outside local      Outside global
tcp  217.x.x.x:8123     192.168.7.9:22   ---                ---
tcp  93.x.x.x:8123      192.168.7.9:22   ---                ---
tcp  217.x.x.x:8123     192.168.7.9:22   217.x.x.x:56115    217.x.x.x:5611
Any ideas what's wrong?
07-27-2018 05:32 AM
Hello,
you have two different IP addresses mapped to the same ports. Try to configure just one entry and see if you get it to work:
So either:
ip nat inside source static tcp 192.168.7.9 22 93.x.x.x 8123 extendable
or
ip nat inside source static tcp 192.168.7.9 22 217.x.x.x 8123 extendable
but not both together...
07-27-2018 06:27 AM
Well, actually I wanted it to be like
route-map isp2static permit 10
match interface Dialer1
route-map isp1static permit 10
match interface g0/0/0
ip nat inside source static tcp 192.168.7.9 22 93.x.x.x 8123 route-map isp2static extendable
ip nat inside source static tcp 192.168.7.9 22 217.x.x.x 8123 route-map isp1static extendable
but I tried it without the route-map first.
I have removed the ip nat inside source static tcp 192.168.7.9 22 93.x.x.x 8123 extendable
but it still does not work.
I also tried the version with the route-map but no luck.
07-27-2018 06:31 AM
Hello,
post the full configuration of the router...
07-27-2018 07:04 AM
Here is the config:
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 150000
!
hostname FailoverR01
!
boot-start-marker
boot-end-marker
!
!
logging buffered 131072
no logging rate-limit
no logging console
no logging monitor
enable secret 5 $1$8Kwu$DgC0Sj5KGeUHsUawviu4h0
!
no aaa new-model
clock timezone CET 1 0
clock summer-time CET-CEST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
no ip bootp server
ip name-server 8.8.8.8 8.8.4.4
ip domain name xxxx
ip dhcp excluded-address 192.168.7.1 192.168.7.5
!
ip dhcp pool NAT
network 192.168.7.0 255.255.255.0
domain-name xxxx
dns-server 192.168.7.1
default-router 192.168.7.1
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
!
crypto pki trustpoint TP-self-signed-6
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-6
revocation-check none
rsakeypair TP-self-signed-6
!
!
crypto pki certificate chain TP-self-signed-6
certificate self-signed 01
3082032E
quit
!
license udi pid C1116-4P sn yyy
license boot level securityk9
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$Uyjc$br8BYITvdx4WmhBIYSpnw.
!
redundancy
mode none
!
controller VDSL 0/2/0
!
vlan internal allocation policy ascending
!
track 1 ip sla 1 reachability
!
interface Loopback0
no ip address
!
interface GigabitEthernet0/0/0
description WAN
ip address 217.x.x.x 255.255.255.224
ip nat outside
ip access-group Block_DNS in
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface ATM0/2/0
no ip address
no atm ilmi-keepalive
no atm enable-ilmi-trap
hold-queue 224 in
!
interface ATM0/2/0.1 point-to-point
no atm enable-ilmi-trap
pvc 1/32
bridge-dot1q encap 7
pppoe-client dial-pool-number 1
!
!
interface Ethernet0/2/0
no ip address
shutdown
no negotiation auto
!
interface Vlan1
description venue_id yy
ip dhcp relay information trusted
ip address 192.168.7.1 255.255.255.240
ip nat inside
ip tcp adjust-mss 1412
hold-queue 100 out
!
interface Dialer1
ip address negotiated
ip nat outside
ip access-group Block_DNS in
encapsulation ppp
ip tcp adjust-mss 1322
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname hostname
ppp chap password 0 pw
ppp pap sent-username hostname password 0 pw
!
ip nat translation timeout 1800
ip nat translation tcp-timeout 60
ip nat translation udp-timeout 60
ip nat translation finrst-timeout 60
ip nat translation syn-timeout 60
ip nat translation dns-timeout 60
ip nat translation icmp-timeout 60
ip nat translation max-entries 40000
ip nat translation max-entries all-host 1000
!
ip nat inside source static tcp 192.168.7.9 22 217.x.x.x 8123 extendable
ip nat inside source route-map ISP1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map ISP2 interface Dialer1 overload
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip dns server
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 217.x.x.y
ip route 0.0.0.0 0.0.0.0 Dialer1 10
!
ip ssh port 2222 rotary 1
!
ip access-list standard NAT
deny 192.168.7.9
permit 192.168.7.0 0.0.0.15
ip access-list standard NAT_AP
permit 192.168.7.9
!
ip access-list extended Block_DNS
deny udp any any eq domain
deny tcp any any eq domain
permit ip any any
!
ip sla 1
icmp-echo 81.y.y.y source-interface GigabitEthernet0/0/0
frequency 10
ip sla schedule 1 life forever start-time now
logging history informational
logging facility kern
!
!
route-map isp2static permit 10
match interface Dialer1
!
route-map isp1static permit 10
match ip address NAT_AP
!
route-map ISP2 permit 10
match ip address NAT
match interface Dialer1
!
route-map ISP1 permit 10
match ip address NAT
match interface GigabitEthernet0/0/0
!
control-plane
!
line con 0
exec-timeout 120 0
login local
transport input none
stopbits 1
line vty 0 4
exec-timeout 120 0
privilege level 15
login local
rotary 1
length 0
transport input telnet ssh
line vty 5 15
exec-timeout 120 0
privilege level 15
login local
rotary 1
length 0
transport input telnet ssh
!
sntp server 0.pool.ntp.org
sntp server 1.pool.ntp.org
sntp server ntp2.ptb.de
sntp server ntp1.ptb.de
sntp source-interface Loopback0
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end
07-27-2018 07:30 AM
Hello,
I have made some changes to your configuration (marked in bold), implement those and check if the NAT works:
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 150000
!
hostname FailoverR01
!
boot-start-marker
boot-end-marker
!
!
logging buffered 131072
no logging rate-limit
no logging console
no logging monitor
enable secret 5 $1$8Kwu$DgC0Sj5KGeUHsUawviu4h0
!
no aaa new-model
clock timezone CET 1 0
clock summer-time CET-CEST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
no ip bootp server
ip name-server 8.8.8.8 8.8.4.4
ip domain name xxxx
ip dhcp excluded-address 192.168.7.1 192.168.7.5
!
ip dhcp pool NAT
network 192.168.7.0 255.255.255.0
domain-name xxxx
dns-server 192.168.7.1
default-router 192.168.7.1
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
!
crypto pki trustpoint TP-self-signed-6
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-6
revocation-check none
rsakeypair TP-self-signed-6
!
!
crypto pki certificate chain TP-self-signed-6
certificate self-signed 01
3082032E
quit
!
license udi pid C1116-4P sn yyy
license boot level securityk9
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$Uyjc$br8BYITvdx4WmhBIYSpnw.
!
redundancy
mode none
!
controller VDSL 0/2/0
!
vlan internal allocation policy ascending
!
track 1 ip sla 1 reachability
!
interface Loopback0
no ip address
!
interface GigabitEthernet0/0/0
description WAN
ip address 217.x.x.x 255.255.255.224
ip nat outside
ip access-group Block_DNS in
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface ATM0/2/0
no ip address
no atm ilmi-keepalive
no atm enable-ilmi-trap
hold-queue 224 in
!
interface ATM0/2/0.1 point-to-point
no atm enable-ilmi-trap
pvc 1/32
bridge-dot1q encap 7
pppoe-client dial-pool-number 1
!
!
interface Ethernet0/2/0
no ip address
shutdown
no negotiation auto
!
interface Vlan1
description venue_id yy
ip dhcp relay information trusted
ip address 192.168.7.1 255.255.255.240
ip nat inside
ip tcp adjust-mss 1412
hold-queue 100 out
!
interface Dialer1
ip address negotiated
ip nat outside
ip access-group Block_DNS in
encapsulation ppp
ip tcp adjust-mss 1322
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname hostname
ppp chap password 0 pw
ppp pap sent-username hostname password 0 pw
!
ip nat translation timeout 1800
ip nat translation tcp-timeout 60
ip nat translation udp-timeout 60
ip nat translation finrst-timeout 60
ip nat translation syn-timeout 60
ip nat translation dns-timeout 60
ip nat translation icmp-timeout 60
ip nat translation max-entries 40000
ip nat translation max-entries all-host 1000
!
ip nat inside source static tcp 192.168.7.9 22 217.x.x.x 8123 extendable
ip nat inside source route-map ISP1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map ISP2 interface Dialer1 overload
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip dns server
!
ip route 0.0.0.0 0.0.0.0 217.x.x.y track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 10
!
ip ssh port 2222 rotary 1
!
ip access-list standard NAT
permit 192.168.7.0 0.0.0.15
--> no ip access-list standard NAT_AP
permit 192.168.7.9
!
ip access-list extended Block_DNS
deny udp any any eq domain
deny tcp any any eq domain
permit ip any any
!
ip sla 1
icmp-echo 81.y.y.y source-interface GigabitEthernet0/0/0
frequency 10
ip sla schedule 1 life forever start-time now
logging history informational
logging facility kern
!
--> no route-map isp2static permit 10
match interface Dialer1
!
--> no route-map isp1static permit 10
match ip address NAT_AP
!
route-map ISP2 permit 10
match ip address NAT
match interface Dialer1
!
route-map ISP1 permit 10
match ip address NAT
match interface GigabitEthernet0/0/0
!
control-plane
!
line con 0
exec-timeout 120 0
login local
transport input none
stopbits 1
line vty 0 4
exec-timeout 120 0
privilege level 15
login local
rotary 1
length 0
transport input telnet ssh
line vty 5 15
exec-timeout 120 0
privilege level 15
login local
rotary 1
length 0
transport input telnet ssh
!
sntp server 0.pool.ntp.org
sntp server 1.pool.ntp.org
sntp server ntp2.ptb.de
sntp server ntp1.ptb.de
sntp source-interface Loopback0
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
end
07-27-2018 08:25 AM
Okay, I tried that but still get a timeout when I try to connect to host 192.168.7.9
BTW, if it is any help, I turned on debug ip packet and got this for the host address:
Jul 27 17:20:19: IP: s=192.168.7.9 (Vlan1), d=224.0.0.251, len 70, enqueue feature, TCP Adjust MSS(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
I do not get why the reply from 192.168.7.9 is sent to a multicast address.
07-27-2018 08:54 AM
Hello,
224.0.0.251 is multicast DNS, I think iTunes uses that address, too.
Try and make the changes below (marked in bold):
interface GigabitEthernet0/0/0
description WAN
ip address 217.x.x.x 255.255.255.224
ip nat outside
--> no ip access-group Block_DNS in
negotiation auto
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
--> no ip access-group Block_DNS in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname hostname
ppp chap password 0 pw
ppp pap sent-username hostname password 0 pw
07-30-2018 02:08 PM
So, I finally figured it out myself. The local dynamic and static addresses must not overlap. I used a different inside address for the static NAT and it worked fine.
BTW, regarding 'you have two different IP addresses mapped to the same ports. Try to configure just one entry and see if you get it to work': it is no problem to use two IP addresses. That is what the keyword extendable is for.
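The overlap described in this reply can be checked before a change is pushed. The following script is an added example, not code from the thread or from Cisco: it parses the NAT-relevant parts of an IOS running-config (static entries, `ip nat inside source route-map` statements, the route-maps' `match ip address` references and the standard ACLs they name) and reports every static NAT inside local address that a dynamic NAT ACL would also permit. It assumes IOS-style indentation of sub-commands, contiguous wildcard masks, and uses a constructed sample config with RFC 5737 documentation addresses in place of the masked public IPs.

```python
import ipaddress
import re

# Constructed sample input (an assumption, not the thread's config verbatim): the thread's NAT
# lines with the "deny 192.168.7.9" ACE removed, and public addresses from RFC 5737.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 192.168.7.9 22 203.0.113.10 8123 extendable
ip nat inside source route-map ISP1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map ISP2 interface Dialer1 overload
ip access-list standard NAT
 permit 192.168.7.0 0.0.0.15
route-map ISP2 permit 10
 match ip address NAT
route-map ISP1 permit 10
 match ip address NAT
"""

def sub_blocks(config, header):
    """(name, body) for every '<header> <name> ...' line plus the indented lines below it."""
    return re.findall(r"^" + header + r" (\S+).*\n((?:[ \t]+.*\n)*)", config, re.M)

def ace_to_network(ace):
    """Standard ACE ('permit A [wildcard]', 'deny host A', 'permit any') -> (action, network)."""
    p = (ace.split() + ["0.0.0.0"])[:3]            # missing wildcard means a single host
    if p[1] == "any":
        p[1:] = ["0.0.0.0", "255.255.255.255"]
    elif p[1] == "host":
        p[1:] = [p[2], "0.0.0.0"]
    wild_bits = int(ipaddress.IPv4Address(p[2])).bit_length()   # contiguous wildcard assumed
    return p[0], ipaddress.ip_network((p[1], 32 - wild_bits), strict=False)

def audit_nat(config):
    """List each static NAT inside local that a dynamic NAT route-map's ACL would also permit."""
    config = config.rstrip("\n") + "\n"
    acls = {name: [ace_to_network(line) for line in body.splitlines()
                   if line.split()[:1] in (["permit"], ["deny"])]
            for name, body in sub_blocks(config, "ip access-list standard")}
    route_maps = {}
    for name, body in sub_blocks(config, "route-map"):          # all sequences of a map, in order
        route_maps.setdefault(name, []).extend(" ".join(re.findall(r"match ip address (.+)", body)).split())
    dynamic = re.findall(r"^ip nat inside source route-map (\S+)", config, re.M)
    statics = sorted(set(re.findall(r"^ip nat inside source static (?:\w+ )?(\S+)", config, re.M)))
    findings = []
    for local in statics:
        ip = ipaddress.ip_address(local)
        for rm in dynamic:
            for acl in route_maps.get(rm, []):
                # standard ACL semantics: the first matching ACE decides, implicit deny at the end
                if next((action == "permit" for action, net in acls.get(acl, []) if ip in net), False):
                    findings.append(f"{local}: static NAT inside local is also permitted by ACL {acl} via route-map {rm}")
    return findings
```

Run against the sample it reports the overlap for both ISP route-maps; re-adding the `deny 192.168.7.9` line at the top of the NAT ACL, as in the first config posted in the thread, clears the findings.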
07-30-2018 02:13 PM
Hello,
glad you got it to work. That said, at least in theory, static NAT has precedence over dynamic NAT, so once a static NAT entry has a match, that match goes first...
07-31-2018 12:49 AM - edited 07-31-2018 12:52 AM
Hello
@RemRem wrote:
However, when I add this for static NAT to host 192.168.7.9, I cannot connect through the public IP and port 8123 (connection timeout or connection refused; I get both):
ip nat inside source static tcp 192.168.7.9 22 93.x.x.X 8123 extendable
ip nat inside source static tcp 192.168.7.9 22 217.x.x.X 8123 extendable
ssh connection from the router to the host works.
Any ideas what's wrong?
The static inside global addresses should be different from your router's outside and ISP public interfaces to allow outside clients to be able to connect to 192.168.7.9.
Can you confirm this is correct?