02-16-2017 07:30 AM - edited 03-05-2019 08:02 AM
Hi everyone, I hope someone can help me with this one...
Everything appears to be working correctly but there's a problem with the inside static NAT rule. The specific problem is that no traffic is coming to the host from 105.102.10.15. It sends traffic to the 105 network fine but nothing is coming back.
I think the NAT is working properly, but in the NAT stats at the bottom I only see the NAT results from the pool. Should I not see stats for the static NAT?
-----------------------------------------------------------------------
interface GigabitEthernet0/1
 ip address 92.178.11.218 255.255.255.0 secondary
 ip address 10.40.14.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
ip nat pool DOCK 10.40.14.20 10.40.14.254 netmask 255.255.255.0
ip nat inside source list 1 pool DOCK
ip nat inside source static 92.178.11.67 10.40.14.44
ip route 0.0.0.0 0.0.0.0 10.2.4.1
ip route 172.10.10.0 255.255.255.0 92.178.11.254
ip access-list standard Hub-Routes
 permit 105.102.0.0 0.0.255.255
access-list 1 permit 172.10.10.0 0.0.0.255
access-list 1 permit 92.178.11.0 0.0.0.255
-----------------------------------------------------------------------
Here's the NAT translation stats:
Pro  Inside global     Inside local      Outside local       Outside global
---  10.40.14.28       92.178.11.1       ---                 ---
tcp  10.40.14.12:80    92.178.11.67:80   165.2.58.17:50473   165.2.58.17:50473
---  10.40.14.12       92.178.11.67      ---                 ---
udp  10.40.14.20:137   92.178.11.60:137  62.255.255.255:137  62.255.255.255:137
udp  10.40.14.20:138   92.178.11.60:138  62.255.255.255:138  62.255.255.255:138
---  10.40.14.20       92.178.11.60      ---                 ---
---  10.40.14.27       92.178.11.150     ---                 ---
---  10.40.14.21       92.178.11.208     ---                 ---
---  10.40.14.22       92.178.11.224     ---                 ---
---  10.40.14.25       92.178.11.254     ---                 ---
---  10.40.14.30       172.10.10.1       ---                 ---
---  10.40.14.31       172.10.10.2       ---                 ---
---  10.40.14.32       172.10.10.3       ---                 ---
---  10.40.14.33       172.10.10.4       ---                 ---
---  10.40.14.26       114.165.224.192   ---                 ---
---  10.40.14.23       114.165.224.188   ---                 ---
---  10.40.14.24       114.165.224.190   ---                 ---
---  10.40.14.29       114.165.224.191   ---                 ---
Total active translations: 18 (1 static, 17 dynamic; 3 extended)
Peak translations: 95, occurred 01:44:07 ago
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/1
Hits: 20639 Misses: 0
CEF Translated packets: 20500, CEF Punted packets: 735
Expired translations: 1558
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool MOWWT refcount 16
 pool DOCK: netmask 255.255.255.0
    start 10.40.14.20 end 10.40.14.254
    type generic, total addresses 255, allocated 19 (5%), misses 0
-----------------------------------------------------------------------
Thanks for your assistance!
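An added example, not part of the original thread: a Python check that compares the pool and static rules quoted in the post above with the port-less entries of its translation table, reporting whether the configured static mapping appears there and whether its global address falls inside the dynamic pool. The sample lines are copied from that post; the function names are this example's own.

```python
import ipaddress

ip = ipaddress.ip_address

# Lines copied from the first post's configuration and translation table.
CONFIG = """\
ip nat pool DOCK 10.40.14.20 10.40.14.254 netmask 255.255.255.0
ip nat inside source list 1 pool DOCK
ip nat inside source static 92.178.11.67 10.40.14.44
"""
TRANSLATIONS = """\
--- 10.40.14.28 92.178.11.1 --- ---
tcp 10.40.14.12:80 92.178.11.67:80 165.2.58.17:50473 165.2.58.17:50473
--- 10.40.14.12 92.178.11.67 --- ---
--- 10.40.14.20 92.178.11.60 --- ---
"""

def parse_config(text):
    """Return ({pool: (start, end)}, [(inside_local, inside_global)])."""
    pools, statics = {}, []
    for words in (line.split() for line in text.splitlines()):
        if words[:3] == ["ip", "nat", "pool"] and len(words) >= 6:
            pools[words[3]] = (ip(words[4]), ip(words[5]))
        elif words[:5] == ["ip", "nat", "inside", "source", "static"] and len(words) == 7:
            statics.append((ip(words[5]), ip(words[6])))
    return pools, statics

def simple_entries(text):
    """Map inside local -> inside global for entries without ports ('---' rows)."""
    rows = (line.split() for line in text.splitlines())
    return {ip(r[2]): ip(r[1]) for r in rows if len(r) == 5 and r[0] == "---"}

def audit(config, translations):
    """Compare each configured static rule with the pool ranges and the table."""
    pools, statics = parse_config(config)
    table = simple_entries(translations)
    findings = []
    for local, glob in statics:
        for name, (start, end) in pools.items():
            if start <= glob <= end:
                findings.append(f"static global {glob} lies inside pool {name}")
        seen = table.get(local)
        if seen is None:
            findings.append(f"no simple entry for static local {local}")
        elif seen != glob:
            findings.append(f"{local} maps to {seen}, not the configured {glob}")
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIG, TRANSLATIONS):
        print(finding)
```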
02-16-2017 08:40 AM
Hello,
what is your NAT outside interface?
Both your static and your pool addresses are part of the inside NAT:
ip nat pool DOCK 10.40.14.20 10.40.14.254 netmask 255.255.255.0
ip nat inside source list 1 pool DOCK
ip nat inside source static 92.178.11.67 10.40.14.44
interface GigabitEthernet0/1
 ip address 92.178.11.218 255.255.255.0 secondary
 ip address 10.40.14.1 255.255.255.0
 ip nat inside
You need to have an outside NAT, and the pool addresses as well as the static target address need to be part of the outside range.
Post the full config of the router...
02-16-2017 10:24 AM
Thank you so much for replying. That is basically the full configuration - the only thing missing was the outside interface, pasted below:
interface GigabitEthernet0/0
 description Outside
 ip address 10.60.64.249 255.255.255.0 secondary
 no ip redirects
 no ip proxy-arp
 ip nat outside
 speed auto
 no cdp enable
So are you saying I need to create another NAT pool for this interface? What would it NAT from/to?
02-16-2017 10:42 AM
Hello,
what are your internal (NAT inside), and what are your external (NAT outside) addresses? What is the primary IP address of the outside interface?
02-16-2017 01:50 PM
Summary of network is as follows:
Local LAN 172.10.10.0 /24 patted behind single IP 92.178.11.92
92.178.11.0 /24 is an Admin Network consisting of Servers, routers, switches, etc.
Primary IP of outside interface 10.60.64.249 - (shouldn't say secondary, that's a typo)
Inside NAT
92.178.11.0 /24 needs to NAT to 10.40.14.0 /24
Static NAT - 92.178.11.67 10.40.14.44
External address is 105.102.0.0 /16
02-16-2017 02:24 PM
Hello,
sorry for the confusion, but I am lost. Are you trying to accomplish double NAT?
Is 92.178.11.0 /24 inside or outside? If it is inside, you cannot use it for PAT for network 172.10.10.0 /24.
This is what you say is your configuration:
interface GigabitEthernet0/0
 description Outside
 ip address 10.60.64.249 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat outside
 speed auto
 no cdp enable
interface GigabitEthernet0/1
 ip address 92.178.11.218 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
ip nat pool DOCK 10.40.14.20 10.40.14.254 netmask 255.255.255.0
ip nat inside source list 1 pool DOCK
ip nat inside source static 92.178.11.67 10.40.14.44
ip route 0.0.0.0 0.0.0.0 10.2.4.1
ip route 172.10.10.0 255.255.255.0 92.178.11.254
ip access-list standard Hub-Routes
 permit 105.102.0.0 0.0.255.255
access-list 1 permit 172.10.10.0 0.0.0.255
access-list 1 permit 92.178.11.0 0.0.0.255
Where is network 172.10.10.0? Can you make a schematic drawing of your setup and indicate which networks are where?
02-16-2017 06:00 PM
Hello,
I am confused too. Why do you NAT your public addresses?
ip nat inside source list 1 pool DOCK
access-list 1 permit 92.178.11.0 0.0.0.255