Nat interface overload AND statics possible?

mtp337
Level 1

Aloha All,

I was never sure if you could do this.  I did a little digging but failed to find a yes/no answer yet.  Here is my config:

ip http server
no ip http secure-server
ip nat translation timeout 60
ip nat pool rolloffs 999.129.10.250 66.129.10.250 netmask 255.255.255.0
ip nat source list 101 interface GigabitEthernet0/0 overload
ip nat source static tcp 192.168.1.30 3389 999.129.10.165 3389 extendable
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!
ip access-list extended Crypto-list
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended Internet-inbound-ACL
permit udp host 999.91.153.110 any eq isakmp
permit esp host 999.91.153.110 any
permit udp host 999.233.84.103 any eq isakmp
permit esp host 999.233.84.103 any
permit ip any any log
!
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!

XXX1-bgw-02#sho ip nat nvi translations
Pro Source global         Source local          Destin  local         Destin  global
tcp 999.129.10.165:3389    192.168.1.30:3389     ---                   ---

We do have a point to point VPN in place, as you can see.  I cannot seem to get the one static entry to work.  Any help would be very much appreciated!

6 Replies

IAN WHITMORE
Level 4

It should be possible. You need to deny the static entries though in your list 101 so they will not be used for dynamic NAT. Try that, it should work.

HTH,

Ian
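The point Ian is making is about first-match ACL evaluation: the list that feeds the `overload` (PAT) rule must deny the hosts that have static mappings, otherwise those hosts match the `permit` line and qualify for dynamic translation as well. The script below is an added example, not code from the thread or from Cisco; it models IOS extended-ACL matching (wildcard masks, first match wins, implicit deny) over the two ACLs posted in this thread and over the seven static mappings from the follow-up post, and reports, per source/destination pair, whether a host would land on its static mapping, on PAT, on nothing (the VPN-bound traffic), or on both. `nat_decision`, `statics_not_excluded` and the probe address `203.0.113.1` are this example's own names and assumptions, not IOS commands.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample input: the two NAT ACLs posted in this thread.
ACL_101 = """
deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
"""

ACL_ROLLOFF_NAT = """
deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
deny   ip host 192.168.1.30 any
deny   ip host 192.168.1.36 any
deny   ip host 192.168.1.100 any
deny   ip host 192.168.1.108 any
deny   ip host 192.168.1.114 any
deny   ip host 192.168.1.116 any
deny   ip host 192.168.1.117 any
permit ip 192.168.1.0 0.0.0.255 any
"""

# Static inside-local -> inside-global mappings from the follow-up post.
STATICS = {
    "192.168.1.108": "64.129.10.161",
    "192.168.1.100": "64.129.10.163",
    "192.168.1.36": "64.129.10.164",
    "192.168.1.30": "64.129.10.165",
    "192.168.1.117": "64.129.10.166",
    "192.168.1.114": "64.129.10.167",
    "192.168.1.116": "64.129.10.168",
}

# Documentation address (RFC 5737) standing in for "some Internet host" (assumption).
PROBE_DST = "203.0.113.1"


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tok, i):
    """Parse one address spec at tok[i]: 'any', 'host A.B.C.D' or 'net wildcard'."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def parse_acl(text: str):
    """Parse the 'permit|deny ip <src> <dst>' lines of an IOS extended ACL."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        if tok[1] != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line}")
        src, i = _parse_addr(tok, 2)
        dst, _ = _parse_addr(tok, i)
        entries.append(AclEntry(tok[0], *src, *dst))
    return entries


def _matches(addr: int, net: int, wild: int) -> bool:
    # IOS wildcard mask: a 1 bit means "don't care", so compare only the 0 bits.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def acl_action(entries, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if _matches(s, e.src_net, e.src_wild) and _matches(d, e.dst_net, e.dst_wild):
            return e.action
    return "deny"


def nat_decision(acl_text: str, statics: dict, src: str, dst: str,
                 overload_if: str = "GigabitEthernet0/0"):
    """Which NAT rule a flow would qualify for: static, PAT, none, or both (conflict)."""
    permitted = acl_action(parse_acl(acl_text), src, dst) == "permit"
    if src in statics and permitted:
        return ("conflict", statics[src])   # host matches the overload rule too
    if src in statics:
        return ("static", statics[src])
    if permitted:
        return ("pat", overload_if)
    return ("none", None)                   # e.g. VPN-bound traffic, left untranslated


def statics_not_excluded(acl_text: str, statics: dict):
    """Lint: statically mapped hosts that the dynamic-NAT ACL still permits."""
    entries = parse_acl(acl_text)
    return sorted(h for h in statics if acl_action(entries, h, PROBE_DST) == "permit")


if __name__ == "__main__":
    for name, acl in (("101", ACL_101), ("rolloff-NAT", ACL_ROLLOFF_NAT)):
        print(f"ACL {name}: statics not excluded -> {statics_not_excluded(acl, STATICS)}")
        print("  192.168.1.30 -> Internet:", nat_decision(acl, STATICS, "192.168.1.30", PROBE_DST))
        print("  192.168.1.50 -> Internet:", nat_decision(acl, STATICS, "192.168.1.50", PROBE_DST))
        print("  192.168.1.50 -> VPN peer:", nat_decision(acl, STATICS, "192.168.1.50", "192.168.3.7"))
```

Run against the original list 101, every statically mapped host comes back as a conflict, which is the condition Ian's `deny` lines remove; against `rolloff-NAT` the same hosts resolve to their static mapping only, other LAN hosts go to PAT, and anything bound for 192.168.3.0/24 stays untranslated for the crypto map. The lint is the kind of check worth keeping next to a config review whenever a new static mapping is added, since a new `ip nat ... static` line without a matching `deny` in the overload ACL silently reintroduces the overlap.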

Thanks for pointing that out Ian.  I am close, but still no access.  I added the denies to the new ACL for that NAT (rolloff-NAT)

ip nat translation timeout 60
ip nat pool rolloffs 999.129.10.250 66.129.10.250 netmask 255.255.255.0
ip nat source list rolloff-NAT interface GigabitEthernet0/0 overload
ip nat source static 192.168.1.108 64.129.10.161
ip nat source static 192.168.1.100 64.129.10.163
ip nat source static 192.168.1.36 64.129.10.164
ip nat source static 192.168.1.30 64.129.10.165
ip nat source static 192.168.1.117 64.129.10.166
ip nat source static 192.168.1.114 64.129.10.167
ip nat source static 192.168.1.116 64.129.10.168
ip nat inside source list rolloff-NAT interface GigabitEthernet0/0 overload
!
ip access-list extended Crypto-list
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

ip access-list extended Internet-inbound-ACL
permit udp host 999.91.153.110 any eq isakmp
permit esp host 999.91.153.110 any
permit udp host 999.233.84.103 any eq isakmp
permit esp host 999.233.84.103 any
permit ip any any log

ip access-list extended rolloff-NAT
deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
deny   ip host 192.168.1.30 any
deny   ip host 192.168.1.36 any
deny   ip host 192.168.1.100 any
deny   ip host 192.168.1.108 any
deny   ip host 192.168.1.114 any
deny   ip host 192.168.1.116 any
deny   ip host 192.168.1.117 any
deny   ip host 192.168.1.16 any
permit ip 192.168.1.0 0.0.0.255 any

hnl1-bgw-02#sho ip nat nvi statistics
Total active translations: 7 (7 static, 0 dynamic; 0 extended)
NAT Enabled interfaces:
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Source [Id: 3] access-list rolloff-NAT interface GigabitEthernet0/0 refcount 0
hnl1-bgw-02#
hnl1-bgw-02#sho ip nat nvi tran
hnl1-bgw-02#sho ip nat nvi translations
Pro Source global         Source local          Destin  local         Destin  global
--- 64.129.10.165         192.168.1.30          ---                   ---
--- 64.129.10.164         192.168.1.36          ---                   ---
--- 64.129.10.163         192.168.1.100         ---                   ---
--- 64.129.10.161         192.168.1.108         ---                   ---
--- 64.129.10.167         192.168.1.114         ---                   ---
--- 64.129.10.168         192.168.1.116         ---                   ---
--- 64.129.10.166         192.168.1.117         ---                   ---

Hi Ian,

Any reason why the Dynamic NAT is being preferred (or getting triggered) before the static?

Still no luck.  Seems weird that the device.

ip nat inside source static 192.168.1.30 64.129.10.165 no-payload extendable

this did the trick! what does this mean?

Were you just trying random commands or did you read the command reference? (Not meant to sound nasty, just wondering.)

http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i2g.html#wp1079180

no-payload

(Optional) Prohibits the translation of an embedded address or port in the payload.

or another definition also from Cisco:

no-payload

Enables translation of the IP header address only, bypassing the configured NAT rules.

So when you use "overload" you are actually using PAT. This is basically saying not to use PAT on this translation and do a 1:1 NAT translation of the IP header and port pair (as you are using extendable).

HTH,

Ian
