Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3289
Views
10
Helpful
14
Replies

NAT command issue on ISR4351

Go to solution
sSiDs
Level 1
Level 1

‎10-13-2020 11:33 PM

Hi friends,

I am migrating config from 2951 to 4351....and NAT command shows strange output...looking for description on cisco.com shows nothing

Could somebody help to sort this out?

Cannot change mapping's source type, or the mapping already exists; remove mapping first to make change.

2951 all records existsx, but 4351 does not accept it...

BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.57.11 25 217.28.210.253 25 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.57.3 80 217.28.210.253 80 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.57.3 443 217.28.210.253 443 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.57.11 587 217.28.210.253 587 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.60.3 22 217.29.49.100 22 extendable
BORDER-ISR4351(config)#ip nat inside source static 192.168.1.100 217.29.49.105 extendable
BORDER-ISR4351(config)#ip nat inside source static 192.168.60.21 217.29.49.106 extendable
BORDER-ISR4351(config)#ip nat pool WAN252 217.28.210.252 217.28.210.252 netmask 255.255.255.224
BORDER-ISR4351(config)#ip nat pool WAN233 217.28.210.233 217.28.210.233 netmask 255.255.255.224
BORDER-ISR4351(config)#ip nat inside source list Lan78 pool WAN233 overload
BORDER-ISR4351(config)#ip nat inside source list NAT_LOCAL interface GigabitEthernet0/0/0.6 overload
BORDER-ISR4351(config)#ip nat inside source route-map STARLINK interface GigabitEthernet0/0/0.16 overload
Cannot change mapping's source type, or the mapping already exists; remove mapping first to make change.
BORDER-ISR4351(config)#ip nat inside source route-map TELENET interface GigabitEthernet0/0/0.6 overload
Cannot change mapping's source type, or the mapping already exists; remove mapping first to make change.
BORDER-ISR4351(config)#ip nat inside source route-map WAN252 pool WAN252 overload
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP

‎10-14-2020 07:14 AM

let do this in these sequence:-

first remove the ip nat inside outside from interface

second clear ip nat translation "make sure your translation dot contain any dynamic entry, sometimes you need to do clear several times"

third complete all config all, 

finally config NAT inside and outside we remove in first step.

 

Do these step and see result

View solution in original post

14 Replies 14

Go to solution
Georg Pauwen
VIP
VIP

‎10-14-2020 12:52 AM

Hello,

 

what is the content of your route maps ? Post the running configuration of your 4351.

0 Helpful

Go to solution
paul driver
VIP
VIP

‎10-14-2020 01:09 AM

Hello
Your nat configuration does seems rather convoluted but by the looks of it, It appears you are applying static mappings for route-map TELENET and then trying to apply a dynamic mapping for the same route-map.
If those NAT statements related to different route-maps names, then the router may well except it.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎10-14-2020 03:00 AM

I think the issue is with extendable, you use same mapped IP in different ip nat with extendable, 
as I know this is normal but for ISR 4321 i will check bug.

0 Helpful

Go to solution
sSiDs
Level 1
Level 1
In response to MHM Cisco World

‎10-14-2020 03:20 AM 

ip nat translation timeout 300
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 45
ip nat translation dns-timeout 3
ip nat translation icmp-timeout 5
ip nat translation max-entries 30000
ip nat translation max-entries all-host 800
ip nat pool WAN252 217.28.210.252 217.28.210.252 netmask 255.255.255.224
ip nat pool WAN233 217.28.210.233 217.28.210.233 netmask 255.255.255.224
ip nat inside source list Lan78 pool WAN233 overload
ip nat inside source list NAT_LOCAL interface GigabitEthernet0/0.6 overload
ip nat inside source route-map STARLINK interface GigabitEthernet0/0.16 overload
ip nat inside source route-map TELENET interface GigabitEthernet0/0.6 overload
ip nat inside source route-map WAN252 pool WAN252 overload
ip nat inside source static 172.16.8.11 77.50.63.243 route-map STARLINK extendable
ip nat inside source static tcp 192.168.1.114 2222 217.28.210.231 2222 route-map TELENET extendable
ip nat inside source static tcp 192.168.1.114 443 217.28.210.231 10443 route-map TELENET extendable
ip nat inside source static 192.168.78.30 217.28.210.233 route-map TELENET extendable
ip nat inside source static 192.168.2.181 217.28.210.234
ip nat inside source static tcp 192.168.60.32 3389 217.28.210.237 443 route-map TELENET extendable
ip nat inside source static tcp 192.168.60.32 1433 217.28.210.237 1433 route-map TELENET extendable
ip nat inside source static tcp 192.168.60.32 3389 217.28.210.237 33989 route-map TELENET extendable
ip nat inside source static tcp 192.168.60.33 3389 217.28.210.237 33990 route-map TELENET extendable
ip nat inside source static tcp 172.16.8.12 80 217.28.210.242 80 route-map TELENET extendable
ip nat inside source static tcp 172.16.8.12 443 217.28.210.242 443 route-map TELENET extendable
ip nat inside source static tcp 172.16.8.13 443 217.28.210.243 443 route-map TELENET extendable
ip nat inside source static tcp 192.168.1.80 443 217.28.210.250 443 extendable
ip nat inside source static tcp 192.168.1.113 80 217.28.210.251 80 route-map TELENET extendable
ip nat inside source static tcp 192.168.1.113 443 217.28.210.251 443 route-map TELENET extendable
ip nat inside source static tcp 172.16.8.239 25 217.28.210.252 25 extendable
ip nat inside source static tcp 192.168.57.11 80 217.28.210.252 80 route-map TELENET extendable
ip nat inside source static tcp 192.168.57.11 443 217.28.210.252 443 route-map TELENET extendable
ip nat inside source static tcp 192.168.57.11 587 217.28.210.252 587 route-map TELENET extendable
ip nat inside source static tcp 192.168.57.11 993 217.28.210.252 993 route-map TELENET extendable
ip nat inside source static tcp 192.168.57.3 995 217.28.210.252 995 route-map TELENET extendable
ip nat inside source static tcp 192.168.57.11 25 217.28.210.253 25 route-map TELENET extendable
ip nat inside source static tcp 192.168.57.3 80 217.28.210.253 80 route-map TELENET extendable
ip nat inside source static tcp 192.168.57.3 443 217.28.210.253 443 route-map TELENET extendable
ip nat inside source static tcp 192.168.57.11 587 217.28.210.253 587 route-map TELENET extendable
ip nat inside source static tcp 192.168.60.3 22 217.29.49.100 22 extendable
ip nat inside source static 192.168.1.100 217.29.49.105 extendable
ip nat inside source static 192.168.60.21 217.29.49.106 extendable
ip route 0.0.0.0 0.0.0.0 217.28.210.33 track 101
ip route 0.0.0.0 0.0.0.0 77.50.63.241 track 102
ip route 8.8.4.4 255.255.255.255 77.50.63.241
ip route 8.8.8.8 255.255.255.255 217.28.210.33
ip route 10.7.0.0 255.255.255.0 192.168.100.2
ip route 10.8.0.0 255.255.255.0 192.168.100.2
ip route 77.50.0.4 255.255.255.255 77.50.63.241
ip route 77.50.1.4 255.255.255.255 77.50.63.241
ip route 172.16.10.15 255.255.255.255 172.16.50.1
ip route 172.16.10.20 255.255.255.255 172.16.50.1
ip route 172.16.10.25 255.255.255.255 172.16.50.1
ip route 192.168.0.0 255.255.255.240 192.168.100.2
ip route 192.168.9.2 255.255.255.255 192.168.100.2
ip route 192.168.26.4 255.255.255.252 192.168.26.9
ip route 192.168.39.0 255.255.255.252 192.168.100.2
ip route 192.168.55.0 255.255.255.0 192.168.100.2
ip route 192.168.57.0 255.255.255.0 192.168.55.2
ip route 192.168.57.0 255.255.255.0 192.168.100.2
ip route 192.168.88.0 255.255.255.0 192.168.0.45
ip route 192.168.89.0 255.255.255.0 192.168.0.45
ip route 192.168.123.0 255.255.255.0 192.168.85.18
ip route 192.168.128.0 255.255.240.0 192.168.100.2
ip route 192.168.232.0 255.255.255.0 192.168.100.2
ip route 192.168.233.0 255.255.255.0 192.168.100.2
ip route 217.28.208.8 255.255.255.255 217.28.210.33
ip route 217.28.210.10 255.255.255.255 217.28.210.33
ip route 217.28.213.224 255.255.255.224 217.29.49.110
route-map ROUTER permit 10
 match ip address ROUTER1
 set ip next-hop 217.28.210.33
!
route-map ROUTER permit 20
 match ip address ROUTER2
 set ip next-hop 77.50.63.241
!
route-map STARLINK permit 10
 match ip address NAT
 match interface GigabitEthernet0/0.16
!
route-map TELENET permit 10
 match ip address NAT
 match interface GigabitEthernet0/0.15
!
route-map HOP permit 10
 match ip address LAN1
 set ip next-hop verify-availability 217.28.210.33 10 track 101
 set ip next-hop 77.50.63.241
!
route-map HOP permit 20
 match ip address LAN2
 set ip next-hop verify-availability 77.50.63.241 10 track 102
 set ip next-hop 217.28.210.33
!
route-map HOP2 permit 10
 match ip address LAN3
 set ip next-hop 217.28.210.33
!
route-map WAN252 permit 10
 match ip address NAT252
 match interface GigabitEthernet0/0.15

This is config on isr2951. the same copy paste does not accepted by 4351....see above NAT error

0 Helpful

Go to solution
sSiDs
Level 1
Level 1

‎10-14-2020 03:32 AM - edited ‎10-14-2020 03:33 AM

this is what i get when copy pasting, 4351 does not accept only NAT for subinterfaces.... 

BORDER-ISR4351#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
BORDER-ISR4351(config)#ip nat pool WAN252 217.28.210.252 217.28.210.252 netmask 255.255.255.224
BORDER-ISR4351(config)#ip nat pool WAN233 217.28.210.233 217.28.210.233 netmask 255.255.255.224
BORDER-ISR4351(config)#ip nat inside source list Lan78 pool WAN233 overload
BORDER-ISR4351(config)#ip nat inside source list NAT_LOCAL interface GigabitEthernet0/0/0.6 overload
Cannot change mapping's interface name, or the mapping already exists; remove mapping first to make change.
BORDER-ISR4351(config)#ip nat inside source route-map STARLINK interface GigabitEthernet0/0/0.16 overload
Cannot change mapping's source type, or the mapping already exists; remove mapping first to make change.
BORDER-ISR4351(config)#ip nat inside source route-map TELENET interface GigabitEthernet0/0/0.6 overload
Cannot change mapping's source type, or the mapping already exists; remove mapping first to make change.
BORDER-ISR4351(config)#ip nat inside source route-map WAN252 pool WAN252 overload
BORDER-ISR4351(config)#ip nat inside source static 172.16.8.11 77.50.63.243 route-map STARLINK extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.1.114 2222 217.28.210.231 2222 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.1.114 443 217.28.210.231 10443 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static 192.168.78.30 217.28.210.233 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static 192.168.2.181 217.28.210.234
%Static entry already exists
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.60.32 3389 217.28.210.237 443 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.60.32 1433 217.28.210.237 1433 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.60.32 3389 217.28.210.237 33989 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.60.33 3389 217.28.210.237 33990 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 172.16.8.12 80 217.28.210.242 80 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 172.16.8.12 443 217.28.210.242 443 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 172.16.8.13 443 217.28.210.243 443 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.1.80 443 217.28.210.250 443 extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.1.113 80 217.28.210.251 80 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.1.113 443 217.28.210.251 443 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 172.16.8.239 25 217.28.210.252 25 extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.57.11 80 217.28.210.252 80 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.57.11 443 217.28.210.252 443 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.57.11 587 217.28.210.252 587 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.57.11 993 217.28.210.252 993 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.57.3 995 217.28.210.252 995 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.57.11 25 217.28.210.253 25 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.57.3 80 217.28.210.253 80 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.57.3 443 217.28.210.253 443 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.57.11 587 217.28.210.253 587 route-map TELENET extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.60.3 22 217.29.49.100 22 extendable
BORDER-ISR4351(config)#ip nat inside source static 192.168.1.100 217.29.49.105 extendable
BORDER-ISR4351(config)#ip nat inside source static 192.168.60.21 217.29.49.106 extendable
BORDER-ISR4351(config)#

0 Helpful

Go to solution
sSiDs
Level 1
Level 1

‎10-14-2020 03:44 AM

and here is OUTSIDE subinterfaces

nterface GigabitEthernet0/0/0
 description Uplink to sw3-1-adm/41
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache policy
 negotiation auto
!
interface GigabitEthernet0/0/0.6
 encapsulation dot1Q 6
 ip address 217.28.210.254 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip verify unicast reverse-path
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/0.15
 description TELENET
 encapsulation dot1Q 15
 ip address 217.28.210.34 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip verify unicast reverse-path
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/0.16
 description STARLINK
 encapsulation dot1Q 16
 ip address 77.50.63.254 255.255.255.240
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip verify unicast reverse-path
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/0.49
 description TELENET2_NEW
 encapsulation dot1Q 49
 ip address 217.29.49.97 255.255.255.240
 no ip redirects
 no ip proxy-arp
 ip nat outside
 no cdp enable
 ip virtual-reassembly

Go to solution
sSiDs
Level 1
Level 1

‎10-14-2020 05:34 AM - edited ‎10-14-2020 05:37 AM

i've forgot to add route-maps in config. after i've added them...i got another error on to strings to be added

BORDER-ISR4351(config)#ip nat inside source route-map STARLINK interface GigabitEthernet0/0/0.16 overload
Cannot change mapping's source type, or the mapping already exists; remove mapping first to make change.
BORDER-ISR4351(config)#ip nat inside source route-map TELENET interface GigabitEthernet0/0/0.6 overload
Cannot change mapping's source type, or the mapping already exists; remove mapping first to make change. 

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎10-14-2020 07:14 AM

let do this in these sequence:-

first remove the ip nat inside outside from interface

second clear ip nat translation "make sure your translation dot contain any dynamic entry, sometimes you need to do clear several times"

third complete all config all, 

finally config NAT inside and outside we remove in first step.

 

Do these step and see result

Go to solution
sSiDs
Level 1
Level 1
In response to MHM Cisco World

‎10-14-2020 10:29 AM

It worked! beer is on the way

0 Helpful

Go to solution
sSiDs
Level 1
Level 1

‎10-14-2020 10:46 AM

I am appreciate all of you for advices!

0 Helpful

Go to solution
sSiDs
Level 1
Level 1

‎10-14-2020 09:49 PM

Too late for my happiness

when i plugged in IPSs cable to G0/0/0, ISR4351 delete NAT statements. attached is ISR2951 config

i don't know what axactly ISR4351 doesn't like in it.

ip nat inside source route-map STARLINK interface GigabitEthernet0/0/0.16 overload
ip nat inside source route-map TELENET interface GigabitEthernet0/0/0.6 overload

therefore there was no internet.

I have made again procedure like MHM Cisco World adviced but no luck. I think there route-map to NAT issue. But my skills not anough to sort it out

first remove the ip nat inside outside from interface
second clear ip nat translation "make sure your translation dot contain any dynamic entry, sometimes you need to do clear several times"
third complete all config all, 
finally config NAT inside and outside we remove in first step.

 here is out put when i ahve tried to add NAT

BORDER-ISR4351(config-subif)# exi
BORDER-ISR4351(config)#ip nat inside source static 172.16.8.11 77.50.63.243 route-map STARLINK extendable
%Route map rt-map STARLINK is already used by a dynamic mapping and cannot be share with a static mapping
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.1.114 2222 217.28.210.231 2222 route-map TELENET extendable
%Route map rt-map TELENET is already used by a dynamic mapping and cannot be share with a static mapping
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.1.114 443 217.28.210.231 10443 route-map TELENET extendable
%Route map rt-map TELENET is already used by a dynamic mapping and cannot be share with a static mapping
BORDER-ISR4351(config)#ip nat inside source static 192.168.78.30 217.28.210.233 route-map TELENET extendable
%Route map rt-map TELENET is already used by a dynamic mapping and cannot be share with a static mapping
BORDER-ISR4351(config)#ip nat inside source static 192.168.2.181 217.28.210.234
%Static entry already exists
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.60.32 3389 217.28.210.237 443 route-map TELENET extendable
%Route map rt-map TELENET is already used by a dynamic mapping and cannot be share with a static mapping
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.60.32 1433 217.28.210.237 1433 route-map TELENET extendable
%Route map rt-map TELENET is already used by a dynamic mapping and cannot be share with a static mapping
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.60.32 3389 217.28.210.237 33989 route-map TELENET extendable
%Route map rt-map TELENET is already used by a dynamic mapping and cannot be share with a static mapping
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.60.33 3389 217.28.210.237 33990 route-map TELENET extendable
%Route map rt-map TELENET is already used by a dynamic mapping and cannot be share with a static mapping
BORDER-ISR4351(config)#ip nat inside source static tcp 172.16.8.12 80 217.28.210.242 80 route-map TELENET extendable
%Route map rt-map TELENET is already used by a dynamic mapping and cannot be share with a static mapping
BORDER-ISR4351(config)#ip nat inside source static tcp 172.16.8.12 443 217.28.210.242 443 route-map TELENET extendable
%Route map rt-map TELENET is already used by a dynamic mapping and cannot be share with a static mapping
BORDER-ISR4351(config)#ip nat inside source static tcp 172.16.8.13 443 217.28.210.243 443 route-map TELENET extendable
%Route map rt-map TELENET is already used by a dynamic mapping and cannot be share with a static mapping
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.1.80 443 217.28.210.250 443 extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.1.113 80 217.28.210.251 80 route-map TELENET extendable
%Route map rt-map TELENET is already used by a dynamic mapping and cannot be share with a static mapping
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.1.113 443 217.28.210.251 443 route-map TELENET extendable
%Route map rt-map TELENET is already used by a dynamic mapping and cannot be share with a static mapping
BORDER-ISR4351(config)#ip nat inside source static tcp 172.16.8.239 25 217.28.210.252 25 extendable
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.57.11 80 217.28.210.252 80 route-map TELENET extendable
%Route map rt-map TELENET is already used by a dynamic mapping and cannot be share with a static mapping
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.57.11 443 217.28.210.252 443 route-map TELENET extendable
%Route map rt-map TELENET is already used by a dynamic mapping and cannot be share with a static mapping
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.57.11 587 217.28.210.252 587 route-map TELENET extendable
%Route map rt-map TELENET is already used by a dynamic mapping and cannot be share with a static mapping
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.57.11 993 217.28.210.252 993 route-map TELENET extendable
%Route map rt-map TELENET is already used by a dynamic mapping and cannot be share with a static mapping
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.57.3 995 217.28.210.252 995 route-map TELENET extendable
%Route map rt-map TELENET is already used by a dynamic mapping and cannot be share with a static mapping
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.57.11 25 217.28.210.253 25 route-map TELENET extendable
%Route map rt-map TELENET is already used by a dynamic mapping and cannot be share with a static mapping
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.57.3 80 217.28.210.253 80 route-map TELENET extendable
%Route map rt-map TELENET is already used by a dynamic mapping and cannot be share with a static mapping
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.57.3 443 217.28.210.253 443 route-map TELENET extendable
%Route map rt-map TELENET is already used by a dynamic mapping and cannot be share with a static mapping
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.57.11 587 217.28.210.253 587 route-map TELENET extendable
%Route map rt-map TELENET is already used by a dynamic mapping and cannot be share with a static mapping
BORDER-ISR4351(config)#ip nat inside source static tcp 192.168.60.3 22 217.29.49.100 22 extendable
BORDER-ISR4351(config)#ip nat inside source static 192.168.1.100 217.29.49.105 extendable
BORDER-ISR4351(config)#ip nat inside source static 192.168.60.21 217.29.49.106 extendable

ROUTES

Border#sh ip rou
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 217.28.210.33 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 217.28.210.33
                [1/0] via 77.50.63.241
      8.0.0.0/32 is subnetted, 2 subnets
S        8.8.4.4 [1/0] via 77.50.63.241
S        8.8.8.8 [1/0] via 217.28.210.33
      10.0.0.0/24 is subnetted, 4 subnets
O        10.1.1.0 [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
O        10.1.2.0 [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
S        10.7.0.0 [1/0] via 192.168.100.2
S        10.8.0.0 [1/0] via 192.168.100.2
      77.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
S        77.50.0.4/32 [1/0] via 77.50.63.241
S        77.50.1.4/32 [1/0] via 77.50.63.241
C        77.50.63.240/28 is directly connected, GigabitEthernet0/0.16
L        77.50.63.243/32 is directly connected, GigabitEthernet0/0.16
L        77.50.63.254/32 is directly connected, GigabitEthernet0/0.16
      172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C        172.16.8.0/24 is directly connected, GigabitEthernet0/1.8
L        172.16.8.1/32 is directly connected, GigabitEthernet0/1.8
C        172.16.17.0/24 is directly connected, GigabitEthernet0/1.17
L        172.16.17.1/32 is directly connected, GigabitEthernet0/1.17
      192.168.0.0/24 is variably subnetted, 5 subnets, 3 masks
S        192.168.0.0/28 [1/0] via 192.168.100.2
C        192.168.0.32/30 is directly connected, Tunnel0
L        192.168.0.34/32 is directly connected, Tunnel0
C        192.168.0.36/30 is directly connected, Tunnel1
L        192.168.0.38/32 is directly connected, Tunnel1
O     192.168.1.0/24 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
O     192.168.2.0/24 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
      192.168.9.0/24 is variably subnetted, 2 subnets, 2 masks
O        192.168.9.0/24 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
S        192.168.9.2/32 [1/0] via 192.168.100.2
O     192.168.13.0/24 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
O     192.168.14.0/24 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
O     192.168.23.0/24 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
O     192.168.24.0/24 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
O     192.168.25.0/24 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
      192.168.26.0/30 is subnetted, 1 subnets
O        192.168.26.0 [110/1501] via 192.168.0.37, 00:21:31, Tunnel1
O     192.168.27.0/24 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
      192.168.39.0/30 is subnetted, 1 subnets
S        192.168.39.0 [1/0] via 192.168.100.2
S     192.168.55.0/24 [1/0] via 192.168.100.2
S     192.168.57.0/24 [1/0] via 192.168.100.2
                      [1/0] via 192.168.55.2
O     192.168.58.0/24 [110/1010] via 192.168.85.14, 00:22:00, Tunnel10
O     192.168.60.0/24 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
O     192.168.61.0/24 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
O     192.168.65.0/24 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
O     192.168.75.0/24 [110/1501] via 192.168.0.37, 00:21:31, Tunnel1
      192.168.78.0/25 is subnetted, 2 subnets
O        192.168.78.0 [110/1501] via 192.168.0.37, 00:21:31, Tunnel1
O        192.168.78.128 [110/1501] via 192.168.0.37, 00:21:31, Tunnel1
O     192.168.79.0/24 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
      192.168.83.0/26 is subnetted, 3 subnets
O        192.168.83.0 [110/13] via 192.168.85.10, 00:21:50, Tunnel9
O        192.168.83.64 [110/13] via 192.168.85.10, 00:21:50, Tunnel9
O        192.168.83.192 [110/13] via 192.168.85.10, 00:21:50, Tunnel9
      192.168.84.0/24 is variably subnetted, 3 subnets, 2 masks
O        192.168.84.0/25 [110/20] via 192.168.85.6, 00:21:50, Tunnel8
O        192.168.84.128/25 [110/20] via 192.168.85.6, 00:21:50, Tunnel8
O        192.168.84.150/32 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
      192.168.85.0/24 is variably subnetted, 12 subnets, 2 masks
C        192.168.85.0/30 is directly connected, Tunnel3
L        192.168.85.1/32 is directly connected, Tunnel3
C        192.168.85.4/30 is directly connected, Tunnel8
L        192.168.85.5/32 is directly connected, Tunnel8
C        192.168.85.8/30 is directly connected, Tunnel9
L        192.168.85.9/32 is directly connected, Tunnel9
C        192.168.85.12/30 is directly connected, Tunnel10
L        192.168.85.13/32 is directly connected, Tunnel10
C        192.168.85.16/30 is directly connected, Tunnel11
L        192.168.85.17/32 is directly connected, Tunnel11
C        192.168.85.20/30 is directly connected, Tunnel12
L        192.168.85.22/32 is directly connected, Tunnel12
O     192.168.86.0/24 [110/20] via 192.168.85.2, 00:21:50, Tunnel3
O     192.168.97.0/24 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
      192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.100.0/24 is directly connected, GigabitEthernet0/1.100
L        192.168.100.3/32 is directly connected, GigabitEthernet0/1.100
O     192.168.120.0/24 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
O     192.168.121.0/24 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
O     192.168.122.0/24 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
S     192.168.123.0/24 [1/0] via 192.168.85.18
      192.168.127.0/28 is subnetted, 1 subnets
O        192.168.127.0 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
S     192.168.128.0/20 [1/0] via 192.168.100.2
O     192.168.176.0/24 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
O     192.168.177.0/24 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
O     192.168.178.0/24 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
O     192.168.179.0/24 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
O     192.168.200.0/24 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
O     192.168.220.0/24 
           [110/2] via 192.168.100.2, 00:22:27, GigabitEthernet0/1.100
S     192.168.232.0/24 [1/0] via 192.168.100.2
S     192.168.233.0/24 [1/0] via 192.168.100.2
      217.28.208.0/32 is subnetted, 1 subnets
S        217.28.208.8 [1/0] via 217.28.210.33
      217.28.210.0/24 is variably subnetted, 15 subnets, 3 masks
S        217.28.210.10/32 [1/0] via 217.28.210.33
C        217.28.210.32/30 is directly connected, GigabitEthernet0/0.15
L        217.28.210.34/32 is directly connected, GigabitEthernet0/0.15
C        217.28.210.224/27 is directly connected, GigabitEthernet0/0.6
L        217.28.210.231/32 is directly connected, GigabitEthernet0/0.6
L        217.28.210.233/32 is directly connected, GigabitEthernet0/0.6
L        217.28.210.234/32 is directly connected, GigabitEthernet0/0.6
L        217.28.210.237/32 is directly connected, GigabitEthernet0/0.6
L        217.28.210.242/32 is directly connected, GigabitEthernet0/0.6
L        217.28.210.243/32 is directly connected, GigabitEthernet0/0.6
L        217.28.210.250/32 is directly connected, GigabitEthernet0/0.6
L        217.28.210.251/32 is directly connected, GigabitEthernet0/0.6
L        217.28.210.252/32 is directly connected, GigabitEthernet0/0.6
L        217.28.210.253/32 is directly connected, GigabitEthernet0/0.6
L        217.28.210.254/32 is directly connected, GigabitEthernet0/0.6
      217.28.213.0/27 is subnetted, 1 subnets
S        217.28.213.224 [1/0] via 217.29.49.110
      217.29.49.0/24 is variably subnetted, 5 subnets, 2 masks
C        217.29.49.96/28 is directly connected, GigabitEthernet0/0.49
L        217.29.49.97/32 is directly connected, GigabitEthernet0/0.49
L        217.29.49.100/32 is directly connected, GigabitEthernet0/0.49
L        217.29.49.105/32 is directly connected, GigabitEthernet0/0.49
L        217.29.49.106/32 is directly connected, GigabitEthernet0/0.49
Border# 

 

Preview file
56 KB
0 Helpful

Go to solution
sSiDs
Level 1
Level 1
In response to sSiDs

‎10-18-2020 08:57 AM

i have created 2 route-maps, with same logic, but different names to avoid error. So there will be TELENET-D to dynamic nat and TELENET-S to static. Tomorrow i will check while connecting cables to 4351.

%Route map rt-map TELENET is already used by a dynamic mapping and cannot be share with a static mappin
route-map TELENET-D permit 10 
 match ip address NAT
 match interface GigabitEthernet0/0/0.15
!
route-map TELENET-S permit 10 
 match ip address NAT
 match interface GigabitEthernet0/0/0.15
!
route-map HOP permit 10 
 match ip address LAN1
 set ip next-hop verify-availability 217.28.210.33 10 track 101
 set ip next-hop 77.50.63.241
!
route-map HOP permit 20 
 match ip address LAN2
 set ip next-hop verify-availability 77.50.63.241 10 track 102
 set ip next-hop 217.28.210.33
!
route-map HOP2 permit 10 
 match ip address LAN3
 set ip next-hop 217.28.210.33
!
route-map STARLINK-S permit 10 
 match ip address NAT
 match interface GigabitEthernet0/0/0.16
!
route-map WAN252 permit 10 
 match ip address NAT252
 match interface GigabitEthernet0/0/0.15
!
route-map STARLINK-D permit 10 
 match ip address NAT
 match interface GigabitEthernet0/0/0.16
!
ip nat pool WAN252 217.28.210.252 217.28.210.252 netmask 255.255.255.224
ip nat inside source static 172.16.8.11 77.50.63.243 route-map STARLINK-S extendable
ip nat inside source static tcp 192.168.1.114 2222 217.28.210.231 2222 route-map TELENET-S extendable
ip nat inside source static tcp 192.168.1.114 443 217.28.210.231 10443 route-map TELENET-S extendable
ip nat inside source static 192.168.78.30 217.28.210.233 route-map TELENET-S extendable
ip nat inside source static 192.168.2.181 217.28.210.234
ip nat inside source static tcp 192.168.60.32 3389 217.28.210.237 443 route-map TELENET-S extendable
ip nat inside source static tcp 192.168.60.32 1433 217.28.210.237 1433 route-map TELENET-S extendable
ip nat inside source static tcp 192.168.60.32 3389 217.28.210.237 33989 route-map TELENET-S extendable
ip nat inside source static tcp 192.168.60.33 3389 217.28.210.237 33990 route-map TELENET-S extendable
ip nat inside source static tcp 172.16.8.12 80 217.28.210.242 80 route-map TELENET-S extendable
ip nat inside source static tcp 172.16.8.12 443 217.28.210.242 443 route-map TELENET-S extendable
ip nat inside source static tcp 172.16.8.13 443 217.28.210.243 443 route-map TELENET-S extendable
ip nat inside source static tcp 192.168.1.80 443 217.28.210.250 443 extendable
ip nat inside source static tcp 192.168.1.113 80 217.28.210.251 80 route-map TELENET-S extendable
ip nat inside source static tcp 192.168.1.113 443 217.28.210.251 443 route-map TELENET-S extendable
ip nat inside source static tcp 172.16.8.239 25 217.28.210.252 25 extendable
ip nat inside source static tcp 192.168.57.11 80 217.28.210.252 80 route-map TELENET-S extendable
ip nat inside source static tcp 192.168.57.11 443 217.28.210.252 443 route-map TELENET-S extendable
ip nat inside source static tcp 192.168.57.11 587 217.28.210.252 587 route-map TELENET-S extendable
ip nat inside source static tcp 192.168.57.11 993 217.28.210.252 993 route-map TELENET-S extendable
ip nat inside source static tcp 192.168.57.3 995 217.28.210.252 995 route-map TELENET-S extendable
ip nat inside source static tcp 192.168.57.11 25 217.28.210.253 25 route-map TELENET-S extendable
ip nat inside source static tcp 192.168.57.3 80 217.28.210.253 80 route-map TELENET-S extendable
ip nat inside source static tcp 192.168.57.3 443 217.28.210.253 443 route-map TELENET-S extendable
ip nat inside source static tcp 192.168.57.11 587 217.28.210.253 587 route-map TELENET-S extendable
ip nat inside source static tcp 192.168.60.3 22 217.29.49.100 22 extendable
ip nat inside source static 192.168.1.100 217.29.49.105 extendable
ip nat inside source static 192.168.60.21 217.29.49.106 extendable
ip nat inside source route-map STARLINK-D interface GigabitEthernet0/0/0.16 overload
ip nat inside source route-map TELENET-D interface GigabitEthernet0/0/0.6 overload
ip nat inside source route-map WAN252 pool WAN252 overload
ip nat inside source list NAT_LOCAL interface GigabitEthernet0/0/0.6 overload
0 Helpful

Go to solution
sSiDs
Level 1
Level 1

‎10-18-2020 10:33 PM

does not working..... O_o

BORDER-ISR4351#
000100: Oct 19 06:43:10 MSK: IP: s=217.28.210.232 (GigabitEthernet0/0/0.6), d=255.255.255.255, len 68, policy match
000101: Oct 19 06:43:10 MSK: IP: route map HOP2, item 10, permit
000102: Oct 19 06:43:10 MSK: IP: s=217.28.210.232 (GigabitEthernet0/0/0.6), d=255.255.255.255 (GigabitEthernet0/0/0.15), len 68, policy routed
000103: Oct 19 06:43:10 MSK: IP: GigabitEthernet0/0/0.6 to GigabitEthernet0/0/0.15 217.28.210.33
BORDER-ISR4351# 
000104: Oct 19 06:43:16 MSK: IP: s=217.28.210.229 (GigabitEthernet0/0/0.6), d=255.255.255.255, len 85, policy match
000105: Oct 19 06:43:16 MSK: IP: route map HOP2, item 10, permit
000106: Oct 19 06:43:16 MSK: IP: s=217.28.210.229 (GigabitEthernet0/0/0.6), d=255.255.255.255 (GigabitEthernet0/0/0.15), len 85, policy routed
000107: Oct 19 06:43:16 MSK: IP: GigabitEthernet0/0/0.6 to GigabitEthernet0/0/0.15 217.28.210.33
BORDER-ISR4351# 
000108: Oct 19 06:43:21 MSK: IP: s=0.0.0.0 (GigabitEthernet0/0/0.6), d=255.255.255.255 (nil), len 328, policy rejected -- normal forwarding
BORDER-ISR4351# 
000109: Oct 19 06:43:25 MSK: IP: s=0.0.0.0 (GigabitEthernet0/0/0.6), d=255.255.255.255 (nil), len 328, policy rejected -- normal forwarding
BORDER-ISR4351# 
000110: Oct 19 06:43:33 MSK: IP: s=0.0.0.0 (GigabitEthernet0/0/0.6), d=255.255.255.255 (nil), len 328, policy rejected -- normal forwarding
BORDER-ISR4351# 
000111: Oct 19 06:43:44 MSK: IP: s=217.28.210.232 (GigabitEthernet0/0/0.6), d=255.255.255.255, len 68, policy match
000112: Oct 19 06:43:44 MSK: IP: route map HOP2, item 10, permit
000113: Oct 19 06:43:44 MSK: IP: s=217.28.210.232 (GigabitEthernet0/0/0.6), d=255.255.255.255 (GigabitEthernet0/0/0.15), len 68, policy routed
000114: Oct 19 06:43:44 MSK: IP: GigabitEthernet0/0/0.6 to GigabitEthernet0/0/0.15 217.28.210.33
BORDER-ISR4351# 
000115: Oct 19 06:43:49 MSK: IP: s=0.0.0.0 (GigabitEthernet0/0/0.6), d=255.255.255.255 (nil), len 328, policy rejected -- normal forwarding
BORDER-ISR4351# 
000116: Oct 19 06:44:19 MSK: IP: s=217.28.210.232 (GigabitEthernet0/0/0.6), d=255.255.255.255, len 68, policy match
000117: Oct 19 06:44:19 MSK: IP: route map HOP2, item 10, permit
000118: Oct 19 06:44:19 MSK: IP: s=217.28.210.232 (GigabitEthernet0/0/0.6), d=255.255.255.255 (GigabitEthernet0/0/0.15), len 68, policy routed
000119: Oct 19 06:44:19 MSK: IP: GigabitEthernet0/0/0.6 to GigabitEthernet0/0/0.15 217.28.210.33
BORDER-ISR4351# 
000120: Oct 19 06:44:38 MSK: IP: s=217.28.210.229 (GigabitEthernet0/0/0.6), d=217.28.210.255, len 86, policy match
000121: Oct 19 06:44:38 MSK: IP: route map HOP2, item 10, permit
000122: Oct 19 06:44:38 MSK: IP: s=217.28.210.229 (GigabitEthernet0/0/0.6), d=217.28.210.255 (GigabitEthernet0/0/0.15), len 86, policy routed
000123: Oct 19 06:44:38 MSK: IP: GigabitEthernet0/0/0.6 to GigabitEthernet0/0/0.15 217.28.210.33
BORDER-ISR4351# 
000124: Oct 19 06:44:54 MSK: IP: s=217.28.210.232 (GigabitEthernet0/0/0.6), d=255.255.255.255, len 68, policy match
000125: Oct 19 06:44:54 MSK: IP: route map HOP2, item 10, permit
000126: Oct 19 06:44:54 MSK: IP: s=217.28.210.232 (GigabitEthernet0/0/0.6), d=255.255.255.255 (GigabitEthernet0/0/0.15), len 68, policy routed
000127: Oct 19 06:44:54 MSK: IP: GigabitEthernet0/0/0.6 to GigabitEthernet0/0/0.15 217.28.210.33[/code]

I don't know why...

when I plugging in ISP cables to new border 4351 I cannot ping second ISP 77.50.63.241

i will raise a ticket with them...maybe they are bloking new MAC or something else.

attached is config s 2951 and 4351. what could cause a ploblem...my skills cannot answer

Preview file
49 KB
Preview file
56 KB
0 Helpful

Go to solution
sSiDs
Level 1
Level 1

‎10-18-2020 10:34 PM

and logs from console

Preview file
277 KB
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card