
Cisco 1921 NAT

dylanlawless
Level 1

I have a Cisco 1921 router; in the configuration I have several static addresses in a NAT. Recently, my NAT stopped working. I have everything set up correctly to the best of my knowledge. Thanks in advance!

Dylan Lawless.

 

7 Replies

Richard E
Cisco Employee

Dylan,

Can you attach a copy of your show run and a quick overview of what your topology looks like?

Thanks

There is a fiber switch, provided by the ISP, which feeds to my Cisco 1921, and then goes from there to a series of Cisco SG50024 (POE and non POE versions) and a number of SF50024 (some POE and non POE). The paths to the devices that need NAT access are as follows:

192.168.25.150 (Phone server) 

Cisco 1921 > Cisco SG50025 > Server (with x.x.25.150)

192.168.25.152 (Backup of .150 address)

Cisco 1921 > Cisco SG50024 > Server (with x.x.25.152)

192.168.25.200 (Video Server)

Cisco 1921 > Cisco SG50024 > Cisco SF50024 > Video Server (with x.x.25.200)

192.168.25.202 (Door lock security server)

Cisco 1921 > Cisco SG50024 > Cisco SF50024 > Security Server (with x.x.25.202)

 

Current configuration : 2397 bytes
!
! Last configuration change at 23:25:12 UTC Sun Sep 7 2014
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
ip cef
!
!
!
ip dhcp excluded-address 192.168.25.1
ip dhcp excluded-address 192.168.25.150 192.168.25.254
ip dhcp excluded-address 192.168.25.60
!
ip dhcp pool DHCP_POOL
 network 192.168.25.0 255.255.255.0
 default-router 192.168.25.1
 dns-server 8.8.8.8
 option 128 ip 192.168.25.150
 option 130 ascii "MITEL IP PHONE"
 option 129 ip 192.168.25.150
!
!
!
no ipv6 cef
multilink bundle-name authenticated
license udi pid CISCO1921/K9 sn FGL172625ST
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Outside World
 ip address 67.x.x.x 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 1000
!
interface GigabitEthernet0/1
 description Internal LAN
 ip address 192.168.25.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex full
 speed 1000
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool OTUSFWRD 192.168.25.60 192.168.25.60 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.25.200 67.x.x.x
ip nat inside source static 192.168.25.202 67.x.x.x
ip nat inside source static 192.168.25.150 67.x.x.x
ip nat inside source static 192.168.25.151 67.x.x.x
ip nat inside destination list 185 pool OTUSFWRD
ip route 0.0.0.0 0.0.0.0 67.x.x.x
!
access-list 1 permit 192.168.25.0 0.0.0.255
access-list 100 permit ip 192.168.25.0 0.0.0.255 any
access-list 185 permit tcp any any range 1 65000
access-list 185 permit udp any any range 1 65000
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login
 transport input all
!         
scheduler allocate 20000 1000
!
end
 
 

Hi Dylan,

How many IPs are in the IP range you are assigned from your ISP? Are they static? I am working under the assumption that you have 1 static IP address assigned from your ISP. Is that correct?

Also is PAT working?

 

Thanks

Thank you for your response, firstly.

I have a set of 16 addresses (13 usable) ranging from 67.x.x.146 to 67.x.x.158.

.150 NAT to 67.x.x.156

.152 NAT to 67.x.x.157

.200 NAT to 67.x.x.146

.202 NAT to 67.x.x.147

How would I test PAT?

Hi Dylan,

I am making some notes on your show run.  From what I can tell about your network these changes should get your static nat translations up and running.  Some of the lines are marked through because they are redundant or not needed based off what I understand your goal to be.  

 

ip nat pool OTUSFWRD 192.168.25.60 192.168.25.60 netmask 255.255.255.0 type rotary <- Not needed
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list 100 interface GigabitEthernet0/0 overload <- Redundant
ip nat inside source static 192.168.25.200 67.x.x.146
ip nat inside source static 192.168.25.202 67.x.x.147
ip nat inside source static 192.168.25.150 67.x.x.156
ip nat inside source static 192.168.25.152 67.x.x.157 <- This statement was binding .151 instead of .152.
ip nat inside destination list 185 pool OTUSFWRD <- Not needed
ip route 0.0.0.0 0.0.0.0 67.x.x.x
!
access-list 1 permit 192.168.25.0 0.0.0.255
access-list 100 permit ip 192.168.25.0 0.0.0.255 any <- Redundant
access-list 185 permit tcp any any range 1 65000 <- not needed
access-list 185 permit udp any any range 1 65000 <- not needed

 

Hope this helps.

It should also be noted that I have an OpenTable PC for restaurant reservations. The OpenTable PC needs ports opened for remote communication. That is the OTUSFWRD pool, and a static address of 192.168.25.60.

Hi Dylan,

Thanks for the clarification on those commands' purpose.

What type of communication does that Open Table PC need?  Looking at the commands for that in your show run it is unclear what you are trying to accomplish.   

Have you tried any of the fixes from above? 

What is working / not working now?  

Can devices on the network browse the internet?

Are you able to access the devices on the local network referenced through NAT?
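
The checks discussed in the replies above, as an added example that is not part of the original thread: a Python script that compares the `ip nat inside source static` lines with the intended mapping given in the thread, and flags duplicate overload rules and an any-to-any ACL with a wide port range feeding a destination NAT pool. The 203.0.113.N addresses stand in for the redacted 67.x.x.N range, and `audit_nat` and `WIDE_PORT_RANGE` are hypothetical names.

```python
import re

# Constructed sample: the thread's NAT lines with 67.x.x.N replaced by 203.0.113.N.
SAMPLE_CONFIG = """\
ip nat pool OTUSFWRD 192.168.25.60 192.168.25.60 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.25.200 203.0.113.146
ip nat inside source static 192.168.25.202 203.0.113.147
ip nat inside source static 192.168.25.150 203.0.113.156
ip nat inside source static 192.168.25.151 203.0.113.157
ip nat inside destination list 185 pool OTUSFWRD
access-list 1 permit 192.168.25.0 0.0.0.255
access-list 100 permit ip 192.168.25.0 0.0.0.255 any
access-list 185 permit tcp any any range 1 65000
access-list 185 permit udp any any range 1 65000
"""
# Intended inside -> public mapping as listed in the thread (same substitution).
INTENDED = {"192.168.25.150": "203.0.113.156", "192.168.25.152": "203.0.113.157",
            "192.168.25.200": "203.0.113.146", "192.168.25.202": "203.0.113.147"}
WIDE_PORT_RANGE = 1024  # hypothetical review threshold, not a Cisco default

def audit_nat(config, intended):
    """Return sorted findings for the NAT statements in an IOS config."""
    findings = []
    static = dict(re.findall(r"^ip nat inside source static (\S+) (\S+)\s*$", config, re.M))
    for inside, public in intended.items():
        if inside not in static:
            findings.append(f"missing static NAT for {inside} (expected {public})")
        elif static[inside] != public:
            findings.append(f"{inside} maps to {static[inside]}, expected {public}")
    for inside in static.keys() - intended.keys():
        findings.append(f"unexpected static NAT for {inside} -> {static[inside]}")
    by_intf = {}  # outside interface -> ACLs used by overload (PAT) rules
    for acl, intf in re.findall(r"^ip nat inside source list (\S+) interface (\S+) overload", config, re.M):
        by_intf.setdefault(intf, []).append(acl)
    for intf, acls in by_intf.items():
        if len(acls) > 1:
            findings.append(f"{len(acls)} overload rules on {intf} (ACLs {', '.join(acls)})")
    # Destination NAT fed by an any-to-any ACL with a wide port range.
    for acl, pool in re.findall(r"^ip nat inside destination list (\S+) pool (\S+)", config, re.M):
        pattern = rf"^access-list {re.escape(acl)} permit (\S+) any any range (\d+) (\d+)"
        for proto, lo, hi in re.findall(pattern, config, re.M):
            if int(hi) - int(lo) + 1 > WIDE_PORT_RANGE:
                findings.append(f"ACL {acl} sends {proto} ports {lo}-{hi} from any source to pool {pool}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit_nat(SAMPLE_CONFIG, INTENDED)))
```

Run against a saved `show run`, with `INTENDED` filled in from the address plan, an empty result means the static translations match the plan and no wide destination NAT rule is present.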

 
