
7609 NAT configuration

yongsikahn
Level 1

Hi everyone,

Our customer site has been using Dynamic NAT on a 7609 Router.

But when we configured NAT on the 7609 Router, the NAT config was not working well.

If the customer wants to go outside (internet side), they have to pass through our 7609 Router, because we configured NAT for this.

And when the customer wants to go to the inside network to access their server, this also has to pass through our 7609 Router.

This is our NAT configuration on the 7609 Router. We also knew that the NAT ACL was too much and the router wouldn't support NAT well.

But I wanted to know why NAT does not suit the 7609 router, and why NAT disconnected until we did a clear NAT again?

I have also attached our diagram. Please tell me anything; I have a big headache.

And our customer wants to change the NAT IP address from 172.30.1.2 to 10.6.1.251.

That means NAT will translate to 10.6.1.251 when we get 172.30.1.2. How can I reconfigure this?

If you have any questions, send them to me and I will give you more information.

aaa.PNG


interface Vlan60
description FOR Network EQUIPMENT
ip address 10.6.0.1 255.255.255.0
!
interface Vlan61
description FOR KREON SERVER
ip address 10.6.1.1 255.255.255.0
ip nat outside
!
interface Vlan62
ip address 10.6.2.1 255.255.255.0
ip nat outside
!
interface Vlan63
description FOR POINT BLANK
ip address 10.6.3.1 255.255.255.0
!
interface Vlan64
description FOR ATLANTICA
ip address 10.6.4.1 255.255.255.0
ip nat outside
!
interface Vlan65
description FREESTYLE
ip address 10.6.5.1 255.255.255.0
ip nat outside
!
interface Vlan66
description MAKO
ip address 10.6.6.1 255.255.255.0
ip nat outside
!

interface Vlan203
ip address xxx.yyy.xx.yyy 255.255.2xx.0 <-- this is our Public range.
ip nat outside
!
interface Vlan300
ip address 172.30.1.1 255.255.255.240 <-- this is our customer site. connect for P2P
ip nat inside
!
interface Vlan651
description FOR HAproxy_IPVS
ip address 10.6.51.1 255.255.255.0
ip nat outside
!
interface Vlan652
ip address 10.6.52.1 255.255.255.0
ip nat outside
!
interface Vlan653
ip address 10.6.53.1 255.255.255.0
ip nat outside
!

ip nat translation tcp-timeout 600 <-- at first the duration was 24 hrs; we changed it to 600s now because the NAT session disconnected many times.
ip nat translation udp-timeout 600 <-- we only supposed the problem was caused by the NAT duration, but this is also not the correct reason. Even though we apply this duration for tcp and udp, the NAT session still disconnects for no reason.
ip nat inside source list NAT interface VlanXXX overload
ip nat inside source list NAT_TO_SERVER interface Vlan61 overload <-- we made NAT for go to inside server...
ip nat inside source list NAT_VLAN62 interface Vlan62 overload
ip nat inside source list NAT_VLAN63 interface Vlan63 overload
ip nat inside source list NAT_VLAN64 interface Vlan64 overload
ip nat inside source list NAT_VLAN65 interface Vlan65 overload
ip nat inside source list NAT_VLAN651 interface Vlan651 overload
ip nat inside source list NAT_VLAN652 interface Vlan652 overload
ip nat inside source list NAT_VLAN653 interface Vlan653 overload
ip nat inside source list NAT_VLAN659 interface Vlan659 overload
ip nat inside source list NAT_VLAN66 interface Vlan66 overload
ip nat inside source list NAT_VLAN660 interface Vlan660 overload
!
no ip http server
ip route 0.0.0.0 0.0.0.0 xxx.yyy.xxx.xxy <-- this is our public gateway ip address
ip route 10.6.1.192 255.255.255.192 xxx.yyy.xx.yyy <-- this public ip address should go to our inside server zone.
ip route 10.6.3.0 255.255.255.0 10.6.3.2 
ip route 10.6.99.0 255.255.255.0 172.30.1.2 <-- our customer user has been using 10.6.99.0/24 and go to 172.30.1.2 for ourside gateway.
ip route 10.6.100.0 255.255.255.0 172.30.1.2 <-- our customer user has been using 10.6.99.0/24 and go to 172.30.1.2 for ourside gateway.
!

!
ip access-list extended IN300
permit icmp any any log
permit ip host 10.6.100.249 any
permit ip host 10.6.99.3 any
permit ip any any
ip access-list extended NAT
deny   ip 10.6.99.0 0.0.0.255 10.6.1.192 0.0.0.63
deny   ip 10.6.100.0 0.0.0.255 10.6.1.0 0.0.0.255
permit ip 172.30.1.0 0.0.0.255 any
permit udp any any eq domain
ip access-list extended NAT_TO_SERVER
permit tcp 172.30.1.0 0.0.0.255 10.6.1.0 0.0.0.255
permit tcp 10.6.100.0 0.0.0.255 10.6.1.0 0.0.0.255
permit ip host 172.30.1.2 10.6.1.0 0.0.0.255
ip access-list extended NAT_VLAN62
permit tcp 172.30.1.0 0.0.0.255 10.6.2.0 0.0.0.255
permit tcp 10.6.99.0 0.0.0.255 10.6.2.0 0.0.0.255
permit tcp 10.6.100.0 0.0.0.255 10.6.2.0 0.0.0.255
permit ip host 172.30.1.2 10.6.2.0 0.0.0.255
ip access-list extended NAT_VLAN63
permit tcp 172.30.1.0 0.0.0.255 10.6.3.0 0.0.0.255
permit tcp 10.6.99.0 0.0.0.255 10.6.3.0 0.0.0.255
permit tcp 10.6.100.0 0.0.0.255 10.6.3.0 0.0.0.255
permit ip host 172.30.1.2 10.6.3.0 0.0.0.255
ip access-list extended NAT_VLAN64
permit tcp 172.30.1.0 0.0.0.255 10.6.4.0 0.0.0.255
permit tcp 10.6.99.0 0.0.0.255 10.6.4.0 0.0.0.255
permit tcp 10.6.100.0 0.0.0.255 10.6.4.0 0.0.0.255
permit ip host 172.30.1.2 10.6.4.0 0.0.0.255
ip access-list extended NAT_VLAN65
permit tcp 172.30.1.0 0.0.0.255 10.6.5.0 0.0.0.255
permit tcp 10.6.99.0 0.0.0.255 10.6.5.0 0.0.0.255
permit tcp 10.6.100.0 0.0.0.255 10.6.5.0 0.0.0.255
permit ip host 172.30.1.2 10.6.5.0 0.0.0.255
ip access-list extended NAT_VLAN651
permit tcp 172.30.1.0 0.0.0.255 10.6.51.0 0.0.0.255
permit tcp 10.6.99.0 0.0.0.255 10.6.51.0 0.0.0.255
permit tcp 10.6.100.0 0.0.0.255 10.6.51.0 0.0.0.255
permit ip host 172.30.1.2 10.6.51.0 0.0.0.255
ip access-list extended NAT_VLAN652
permit tcp 172.30.1.0 0.0.0.255 10.6.52.0 0.0.0.255
permit tcp 10.6.99.0 0.0.0.255 10.6.52.0 0.0.0.255
permit tcp 10.6.100.0 0.0.0.255 10.6.52.0 0.0.0.255
permit ip host 172.30.1.2 10.6.52.0 0.0.0.255
ip access-list extended NAT_VLAN653
permit tcp 172.30.1.0 0.0.0.255 10.6.53.0 0.0.0.255
permit tcp 10.6.99.0 0.0.0.255 10.6.53.0 0.0.0.255
permit tcp 10.6.100.0 0.0.0.255 10.6.53.0 0.0.0.255
permit ip host 172.30.1.2 10.6.53.0 0.0.0.255
ip access-list extended NAT_VLAN659
permit tcp 172.30.1.0 0.0.0.255 10.6.59.0 0.0.0.255
permit tcp 10.6.99.0 0.0.0.255 10.6.59.0 0.0.0.255
permit tcp 10.6.100.0 0.0.0.255 10.6.59.0 0.0.0.255
permit ip host 172.30.1.2 10.6.59.0 0.0.0.255
ip access-list extended NAT_VLAN66
permit tcp 172.30.1.0 0.0.0.255 10.6.6.0 0.0.0.255
permit tcp 10.6.99.0 0.0.0.255 10.6.6.0 0.0.0.255
permit tcp 10.6.100.0 0.0.0.255 10.6.6.0 0.0.0.255
permit ip host 172.30.1.2 10.6.6.0 0.0.0.255
ip access-list extended NAT_VLAN660
permit tcp 172.30.1.0 0.0.0.255 10.6.60.0 0.0.0.255
permit tcp 10.6.99.0 0.0.0.255 10.6.60.0 0.0.0.255
permit tcp 10.6.100.0 0.0.0.255 10.6.60.0 0.0.0.255
permit ip host 172.30.1.2 10.6.60.0 0.0.0.255
ip access-list extended ipnat_acl
deny   ip any 10.6.1.0 0.0.0.255
permit ip 172.30.1.0 0.0.0.255 any
permit ip 10.6.99.0 0.0.0.255 any
permit ip 10.6.100.0 0.0.0.255 any

!
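
An added example, not part of the original post: a small Python check that cross-references each `ip nat inside source list ... interface ... overload` statement against the interfaces and ACLs present in a pasted configuration, and reports references to an interface that is absent or carries no `ip nat outside`. The embedded text is a shortened excerpt of the configuration above; the names `parse` and `audit` are assumptions of this example.

```python
import re

# Shortened excerpt of the configuration posted above (annotations removed).
CONFIG = """\
interface Vlan61
 ip nat outside
interface Vlan63
interface Vlan300
 ip nat inside
ip nat inside source list NAT_TO_SERVER interface Vlan61 overload
ip nat inside source list NAT_VLAN63 interface Vlan63 overload
ip nat inside source list NAT_VLAN659 interface Vlan659 overload
ip access-list extended NAT_TO_SERVER
ip access-list extended NAT_VLAN63
ip access-list extended NAT_VLAN659
"""

RULE = re.compile(r"ip nat inside source list (\S+) interface (\S+) overload")

def parse(config):
    """Return ({interface: nat role or None}, [(acl, interface)], {acl names})."""
    roles, rules, acls, current = {}, [], set(), None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            current = m.group(1)
            roles[current] = None
        elif (m := re.fullmatch(r"ip nat (inside|outside)", line)) and current:
            roles[current] = m.group(1)
        elif m := RULE.match(line):  # match(): tolerates trailing annotations
            rules.append(m.groups())
        elif m := re.match(r"ip access-list extended (\S+)", line):
            acls.add(m.group(1))
    return roles, rules, acls

def audit(config):
    """List (acl, interface, problem) for overload rules with dangling references."""
    roles, rules, acls = parse(config)
    findings = []
    for acl, ifname in rules:
        if acl not in acls:
            findings.append((acl, ifname, "ACL not defined"))
        if ifname not in roles:
            findings.append((acl, ifname, "interface not in config"))
        elif roles[ifname] != "outside":
            findings.append((acl, ifname, "interface lacks 'ip nat outside'"))
    return findings

if __name__ == "__main__":
    print(*audit(CONFIG), sep="\n")
```

A finding describes only what the pasted text contains; an interface missing from an excerpt may still exist on the device.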
