05-19-2011 12:11 PM - edited 03-06-2019 05:09 PM
Aloha All,
I never was sure if you could do this. I did a little digging but failed to find a yes/no answer yet. Here is my config:
ip http server
no ip http secure-server
ip nat translation timeout 60
ip nat pool rolloffs 999.129.10.250 66.129.10.250 netmask 255.255.255.0
ip nat source list 101 interface GigabitEthernet0/0 overload
ip nat source static tcp 192.168.1.30 3389 999.129.10.165 3389 extendable
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!
ip access-list extended Crypto-list
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended Internet-inbound-ACL
permit udp host 999.91.153.110 any eq isakmp
permit esp host 999.91.153.110 any
permit udp host 999.233.84.103 any eq isakmp
permit esp host 999.233.84.103 any
permit ip any any log
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
XXX1-bgw-02#sho ip nat nvi translations
Pro Source global Source local Destin local Destin global
tcp 999.129.10.165:3389 192.168.1.30:3389 --- ---
We do have a point to point VPN in place, as you can see. I cannot seem to get the one static entry to work. Any help would be very much appreciated!
05-19-2011 12:37 PM
It should be possible. You need to deny the static entries though in your list 101 so they will not be used for dynamic NAT. Try that, it should work.
HTH,
Ian
05-19-2011 01:32 PM
Thanks for pointing that out Ian. I am close, but still no access. I added the denies to the new ACL for that NAT (rolloff-NAT):
ip nat translation timeout 60
ip nat pool rolloffs 999.129.10.250 66.129.10.250 netmask 255.255.255.0
ip nat source list rolloff-NAT interface GigabitEthernet0/0 overload
ip nat source static 192.168.1.108 64.129.10.161
ip nat source static 192.168.1.100 64.129.10.163
ip nat source static 192.168.1.36 64.129.10.164
ip nat source static 192.168.1.30 64.129.10.165
ip nat source static 192.168.1.117 64.129.10.166
ip nat source static 192.168.1.114 64.129.10.167
ip nat source static 192.168.1.116 64.129.10.168
ip nat inside source list rolloff-NAT interface GigabitEthernet0/0 overload
!
ip access-list extended Crypto-list
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended Internet-inbound-ACL
permit udp host 999.91.153.110 any eq isakmp
permit esp host 999.91.153.110 any
permit udp host 999.233.84.103 any eq isakmp
permit esp host 999.233.84.103 any
permit ip any any log
ip access-list extended rolloff-NAT
deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip host 192.168.1.30 any
deny ip host 192.168.1.36 any
deny ip host 192.168.1.100 any
deny ip host 192.168.1.108 any
deny ip host 192.168.1.114 any
deny ip host 192.168.1.116 any
deny ip host 192.168.1.117 any
deny ip host 192.168.1.16 any
permit ip 192.168.1.0 0.0.0.255 any
hnl1-bgw-02#sho ip nat nvi statistics
Total active translations: 7 (7 static, 0 dynamic; 0 extended)
NAT Enabled interfaces:
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Source [Id: 3] access-list rolloff-NAT interface GigabitEthernet0/0 refcount 0
hnl1-bgw-02#
hnl1-bgw-02#sho ip nat nvi tran
hnl1-bgw-02#sho ip nat nvi translations
Pro Source global Source local Destin local Destin global
--- 64.129.10.165 192.168.1.30 --- ---
--- 64.129.10.164 192.168.1.36 --- ---
--- 64.129.10.163 192.168.1.100 --- ---
--- 64.129.10.161 192.168.1.108 --- ---
--- 64.129.10.167 192.168.1.114 --- ---
--- 64.129.10.168 192.168.1.116 --- ---
--- 64.129.10.166 192.168.1.117 --- ---
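The fix Ian suggested is to keep the statically mapped hosts out of the overload (PAT) list. As an added example, not part of the thread, the following Python audits that: it evaluates an IOS-style extended ACL with top-down first-match, wildcard-mask and implicit-deny semantics, then checks the posted list 101 (no host denies) and the posted rolloff-NAT list against the posted static mappings. It reports any static host the dynamic list would still match, and any host-level deny that has no static mapping in the config shown. The ACL text and static host list are copied from the posts above; the probe destination 203.0.113.10 is an assumption standing in for any Internet address outside the VPN subnet, and only source/destination address matching is modelled.

```python
"""Audit a Cisco IOS overload (PAT) ACL against the static NAT mappings.

Added example, not from the thread. Models IOS extended-ACL matching:
top-down first match, wildcard masks (0 bits must match), implicit deny.
Only source/destination address matching is modelled; port qualifiers
and anything beyond the protocol keyword are ignored.
"""
import ipaddress
from dataclasses import dataclass

# ACLs copied from the posts above: list 101 (first post, no host denies)
# and rolloff-NAT (later post, with the static hosts denied).
ACL_101 = """
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""

ACL_ROLLOFF = """
ip access-list extended rolloff-NAT
 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny ip host 192.168.1.30 any
 deny ip host 192.168.1.36 any
 deny ip host 192.168.1.100 any
 deny ip host 192.168.1.108 any
 deny ip host 192.168.1.114 any
 deny ip host 192.168.1.116 any
 deny ip host 192.168.1.117 any
 deny ip host 192.168.1.16 any
 permit ip 192.168.1.0 0.0.0.255 any
"""

# Inside hosts that have "ip nat source static" entries in the later post.
STATIC_HOSTS = ["192.168.1.108", "192.168.1.100", "192.168.1.36",
                "192.168.1.30", "192.168.1.117", "192.168.1.114", "192.168.1.116"]

# Assumed probe destination: any Internet address outside the VPN subnet.
PROBE_DST = "203.0.113.10"


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp", "udp", ...
    src: tuple           # (address, wildcard) as ints
    dst: tuple


def _addr(s):
    return int(ipaddress.IPv4Address(s))


def _parse_spec(tok, i):
    """Parse one address spec starting at tok[i]; return ((addr, wildcard), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_addr(tok[i + 1]), 0), i + 2
    return (_addr(tok[i]), _addr(tok[i + 1])), i + 2


def parse_acl(text):
    """Parse numbered ('access-list N ...') or named (indented) extended ACL lines."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"]:
            tok = tok[2:]                      # drop 'access-list 101'
        if not tok or tok[0] not in ("permit", "deny"):
            continue                           # header, remark or blank line
        src, i = _parse_spec(tok, 2)
        dst, _ = _parse_spec(tok, i)
        aces.append(Ace(tok[0], tok[1], src, dst))
    return aces


def _hit(spec, addr):
    base, wild = spec
    return (addr | wild) == (base | wild)      # wildcard 1-bits are don't-care


def acl_action(aces, src_ip, dst_ip, proto="ip"):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    s, d = _addr(src_ip), _addr(dst_ip)
    for a in aces:
        if a.proto in ("ip", proto) and _hit(a.src, s) and _hit(a.dst, d):
            return a.action
    return "deny"


def audit(aces, static_hosts, probe_dst=PROBE_DST):
    """Return (static hosts the overload list still matches, host denies with no static)."""
    caught = [h for h in static_hosts if acl_action(aces, h, probe_dst) == "permit"]
    denied = [str(ipaddress.IPv4Address(a.src[0])) for a in aces
              if a.action == "deny" and a.src[1] == 0]
    orphans = [h for h in denied if h not in static_hosts]
    return caught, orphans


if __name__ == "__main__":
    for name, text in (("list 101", ACL_101), ("rolloff-NAT", ACL_ROLLOFF)):
        aces = parse_acl(text)
        caught, orphans = audit(aces, STATIC_HOSTS)
        print(f"{name}: statics still matched by overload ACL = {caught}")
        print(f"{name}: host denies without a static mapping  = {orphans}")
        print(f"{name}: 192.168.1.5 -> 192.168.3.5 (VPN) is",
              acl_action(aces, "192.168.1.5", "192.168.3.5"))
```

Run against list 101 every static host is still permitted by the overload list, which is the situation Ian pointed out; against rolloff-NAT none are, and the VPN subnet stays denied so that traffic reaches the crypto map untranslated. The audit also flags the deny for 192.168.1.16, which has no static mapping in the posted config.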
05-19-2011 01:35 PM
Hi Ian,
Any reason why the Dynamic NAT is being preferred (or getting triggered) before the static?
05-19-2011 03:05 PM
Still no luck. Seems weird that the device.
05-19-2011 03:16 PM
ip nat inside source static 192.168.1.30 64.129.10.165 no-payload extendable
This did the trick! What does this mean?
05-20-2011 12:33 AM
Were you just trying random commands or did you read the command reference? (Not meant to sound nasty, just wondering.)
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i2g.html#wp1079180
no-payload: (Optional) Prohibits the translation of an embedded address or port in the payload.
or another definition also from Cisco:
no-payload
Enables translation of the IP header address only, bypassing the configured NAT rules.
So when you use "overload" you are actually using PAT. This is basically saying not to use PAT on this translation and do a 1:1 NAT translation of the IP header and port pair (as you are using extendable).
HTH,
Ian