Static NAT question

simonwynn
Level 1

Very simple question, but I want to make sure I understand this (below is a simplified example of what I'm doing...)

I have an external interface with an IP address of 63.63.63.1 as follows:

ip address 63.63.63.1 255.255.255.0
ip nat outside

I want to map a web server on an internal address 10.1.1.2 to an external public address of 63.63.63.2 as follows:

ip nat inside source static tcp 10.1.1.2 80 63.63.63.2 80

Does this create another address on my external interface (i.e. 63.63.63.2), or do I need to add this address explicitly?

Simon

10 Replies

Marwan ALshawi
VIP Alumni

Hi Simon

If this address is assigned/allocated to you by the ISP, then you do not need to add this address to any interface in the router. This NAT will be enough, as the service provider will route any traffic going to this IP to your router IP/link.

Hope this helps

If helpful, rate

Hi Simon

Just to add to marwanshawi's point.

So we want to do NAT to the IP 63.63.63.2, which is not configured anywhere (neither in your network nor at the ISP side). If this IP is not configured on your router locally, or even if it's configured on the ISP router (63.63.63.2 should be configured on the ISP side if it's a P2P link), then I believe this won't even work, as the NAT translation will not find the inside global IP to be present on the router.

We should be doing NAT to the WAN IP configured on our own router rather than using the ISP interface IP.

Hope this helps you on this requirement.

Regards

Varma

Hi varma

The customer or the ISP does not need to configure this IP, as the point-to-point peering is done using the .1 with the ISP. The ISP can send the route within their cloud to the IP range allocated to the customer, in this case the .2 pointed to .1 on the customer side.

And the NATing above can redirect the traffic to the internal server IP.

Hope this helps

Hi marwanshawi

What confused me here was that the .1 IP is at the customer side and the .2, as I understood it, was at the ISP side.

If even the .2 IP is not configured at the ISP side and also not on the customer side router, then the NAT will not work, to my best understanding. Even if the ISP is routing the whole /24 across to the Internet, for NAT to work the NATted IP should be locally reachable on the customer router.

Regards

Varma

Ya, that's right.

I think it just needs to be confirmed whether the .2 is the ISP side IP or not.

If not, then all good.

If yes, then another IP needs to be picked.

Hi Simon,

I guess you have got the 63.63.63.0/24 public IP space from your ISP, so they are responsible for advertising this network on the internet cloud.

The public IP 63.63.63.2 80, which you are going to NAT to your web server 10.1.1.2, does not need to be assigned to any interface, nor will it create another address on your external interface.
The NATed IP will be a logical IP for your web server once you have done the NAT. So requests from outside will hit the public NATed IP (63.63.63.2) up to your default gateway and then be routed to your private IP (10.1.1.2).

The only thing is that your ISP must be able to route the traffic through their gateway.

Once you have done the NAT, check whether the IP is reachable from the internet (it must be reachable from the internet).
Also check the NAT translations on your router/firewall.


Please rate the helpful posts.
Regards,
Naidu.

Just to be clear, in this example my ISP has assigned

63.63.63.1 and

63.63.63.2

..so it looks like the NAT command alone assigns 63.63.63.2 to the interface.

Simon

Hi Simon

As Naidu has said above, the NAT command does not assign the NATted IP to any interface. You can view the same using "sh ip int bri | ex unas" when the NAT is happening, which can again be checked using "sh ip nat translations".

Hope this helps to answer your query.

Regards

Varma

As long as the ISP allocated these IPs to you, then using the NAT command you used should work.

The NAT will not assign the IP anywhere, but once the traffic comes from outside and you have ip nat outside enabled on that interface, NAT will take place to translate the IP.

Hope this helps

Plz rate the helpful posts

Hi,

Just to add to something all the experts have mentioned already here.

It is not uncommon to use a separate public IP if you want to NAT to an internal server, i.e. a web/mail server.

Most of the webservers that host work in this way.

In your case, you have assigned a public IP of 63.63.63.2 for your static one-to-one NAT to an internal IP. Now, this will not create any additional interfaces on the router. It's purely logical. This NAT is used for connections coming from outside to inside.

Now, you have your WAN IP 63.63.63.1. This is used for connections going from inside to outside in the form of PAT for your users.

The ISP will have a route back to your /28 or /29 or whatever is allocated to you. So, if I telnet to 63.63.63.2 on port 80, the request would be directed to your subnet, i.e. your GW, and then get translated to your internal NAT.

You can do a debug ip nat if you want and get someone from the outside world to telnet into that public IP on port 80. You should be able to see the translation happen on your router. All this would happen seamlessly.

HTH

Regards,

Kishore
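
The setup discussed in this thread written out as one configuration, added here as an example and not posted by any participant. The interface names, the 10.1.1.0/24 inside subnet, the router's inside address 10.1.1.1 and ACL number 1 are assumptions; the addresses 63.63.63.1, 63.63.63.2 and 10.1.1.2 and the show/debug commands are the ones from the thread, plus `show ip alias`.

```cisco
! Added example. GigabitEthernet0/0 and 0/1, 10.1.1.1, the /24 inside
! subnet and access-list 1 are assumed values, not taken from the thread.
interface GigabitEthernet0/0
 description Outside link to the ISP
 ip address 63.63.63.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 description Inside LAN holding the web server 10.1.1.2
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! Inbound: only TCP/80 sent to 63.63.63.2 is translated to 10.1.1.2:80.
! 63.63.63.2 is not configured on any interface, and no other port on
! the web server is published by this entry.
ip nat inside source static tcp 10.1.1.2 80 63.63.63.2 80
!
! Outbound: inside users share the WAN address 63.63.63.1 through PAT.
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
! Verification, run from exec mode:
!
!  show ip interface brief | exclude unassigned
!    63.63.63.2 does not appear; only 63.63.63.1 and 10.1.1.1 are listed.
!
!  show ip nat translations
!    The static port entry pairing 63.63.63.2:80 with 10.1.1.2:80 is
!    present even before any traffic arrives.
!
!  show ip alias
!    Lists addresses the router answers ARP for without owning them as
!    interface addresses, NAT inside global addresses on a connected
!    subnet included. This matters here because 63.63.63.2 sits inside
!    the outside interface's own /24.
!
!  debug ip nat
!    Shows each translation while someone outside connects to
!    63.63.63.2 on port 80. Turn it off with "undebug all".
```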