08-09-2023 01:52 PM
Hi all,
I can't get a combination of static and dynamic PAT to work for the following case:
The interface Gig0/0/0 is connected to the WAN via router 1.1.1.38. I'd like to have a static PAT mapped from global 1.1.1.35:2207 to local 192.168.1.107:22. Somehow, I can't get this to work. The same line, mapping from the interface IP 1.1.1.33:2207 to local 192.168.1.107:22, works without problem. Both lines are in the configuration below.
If I understand correctly, I shouldn't add 1.1.1.35 as a secondary address to Gig0/0/0 (why?).
Attached is my configuration, any help would be appreciated. Thanks a lot in advance!
version 17.6
!
ip dhcp excluded-address 192.168.1.0 192.168.1.10
ip dhcp excluded-address 192.168.1.255 255.255.255.255
!
ip dhcp pool base
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
ip dhcp pool obelix-2
host 192.168.1.207 255.255.255.0
client-identifier XXX
client-name obelix-kvm
!
ip dhcp pool obelix
host 192.168.1.107 255.255.255.0
client-identifier XXX
client-name obelix
default-router 192.168.1.1
!
interface GigabitEthernet0/0/0
ip address 1.1.1.33 255.255.255.248
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/1/0
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/1/6
switchport mode access
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip default-gateway 1.1.1.38
ip forward-protocol nd
ip nat pool NATPOOL 1.1.1.34 1.1.1.35 netmask 255.255.255.252
ip nat inside source static tcp 192.168.1.107 22 1.1.1.33 2207 extendable
ip nat inside source static tcp 192.168.1.107 22 1.1.1.35 2207 extendable
ip nat inside source list 10 pool NATPOOL overload
ip default-network 1.1.1.38
ip route 0.0.0.0 0.0.0.0 1.1.1.38
ip route 192.168.1.0 255.255.255.0 Vlan1
!
!
!
ip access-list standard 10
10 permit 192.168.1.0 0.0.0.255
ip access-list extended 101
10 permit ip host 192.168.1.107 any
no access-list template
!
!
08-09-2023 02:19 PM
Hello,
Can you please do the following:
clear ip nat statistics
Then can you enter the command debug ip nat, then clear the NAT translations (clear ip nat translations *)? Then try to make a few connections utilizing the IPs needing translations. Then could you provide the output of the following commands:
show ip nat translations
show ip nat statistics
-David
08-09-2023 03:03 PM - edited 08-09-2023 03:27 PM
Hi @David Ruess ,
Thanks for the reply! Below the results. Would be great if you could help further.
show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 1.1.1.35:2207 192.168.1.107:22 --- ---
tcp 1.1.1.33:2207 192.168.1.107:22 --- ---
udp 1.1.1.34:512 192.168.1.207:123 X.X:X.X:123 X.X.X.X:123
tcp 1.1.1.33:2207 192.168.1.107:22 X.X.X.X:53660 X.X.X.X:53660
Total number of translations: 4
show ip nat statistics (after some failed attempts)
Total active translations: 4 (2 static, 2 dynamic; 4 extended)
Outside interfaces:
GigabitEthernet0/0/0
Inside interfaces:
Vlan1
Hits: 33 Misses: 2
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 7] access-list 10 pool NATPOOL refcount 0
pool NATPOOL: id 4, netmask 255.255.255.252
start 1.1.1.34 end 1.1.1.1.35
type generic, total addresses 2, allocated 0 (0%), misses 0
nat-limit statistics:
max entry: max allowed 0, used 0, missed 0
In-to-out drops: 4 Out-to-in drops: 0
Pool stats drop: 0 Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0
08-09-2023 04:03 PM
Thank you for the output. I did see the couple of missed translations. Can you provide a debug of the NAT with the debug ip nat command? I won't be able to lab this until later, but in the meantime I can suggest the following:
Remove your first static NAT statement
ip nat inside source static tcp 192.168.1.107 22 1.1.1.33 2207 extendable <-remove
ip nat inside source static tcp 192.168.1.107 22 1.1.1.35 2207 extendable
See if your other static NAT statement works as a standalone. If it does, then add back that static NAT command. My theory is that since it's a 1:1 mapping, it will use the first translation only, ignoring the second static NAT statement for the same IP.
You also might be able to do policy-based NAT, where you configure an extended ACL with source and destination and the NAT statement references a route-map. So only IPs in that range going to a specified destination will get the NAT treatment.
-David
08-09-2023 02:31 PM
I did not see an error in the NAT config, but I did not understand two lines in the script:
ip dhcp excluded-address 192.168.1.0 192.168.1.10
Here you are excluding the network from getting an IP address.
ip route 192.168.1.0 255.255.255.0 Vlan1
Here you are creating a route to an interface VLAN which is connected to the router. Furthermore, the route is not created properly.
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
08-09-2023 03:06 PM - edited 08-09-2023 03:27 PM
Dear @Flavio Miranda ,
The ip dhcp excluded-address is just for reserving some IPs out of the pool, as the range from 192.168.1.0 to 192.168.1.10 consists of statically allocated IPs and not dynamically allocated ones.
Could you elaborate on the problem with "ip route 192.168.1.0 255.255.255.0 Vlan1"?
If I get it right, this should have no effect as there's a direct connection -- but is it actually harmful? (I did remove it from the configuration to check whether it does any harm in this particular instance -- it looks like it's actually just doing nothing, so please assume this line is gone without any effect.)
08-09-2023 03:21 PM
Further update -- thanks to a hint, I corrected the NATPOOL from 252 to 248 in line with Gig0/0/0. Still unable to establish the static NAT connection from 1.1.1.35:2207 -> 192.168.1.107:22.
The NAT is still in the show ip nat translations output as if it'd work. The .33 works, not the .35.
show ip nat translation
Pro Inside global Inside local Outside local Outside global
tcp 1.1.1.35:2207 192.168.1.107:22 --- ---
tcp 1.1.1.33:2207 192.168.1.107:22 --- ---
Total number of translations: 2
08-09-2023 03:52 PM - edited 08-09-2023 10:40 PM
Further update -- I was made aware that a mapping of two global IPs to one single (same) IP and port might not work. Removed the double allocation, and also cleaned up the 252 / 248 and the pointless route mentioned above.
-> Still, no connection possible. The same connection to .33 instead of .35 (interface address vs. address in the interface subnet) works without problem.
EDIT -- issued "remove nat outside" / removed static nat / "clear ip nat translation *" / added nat again to make sure it's not some remains of a past nat misconfiguration -> didn't work.
As this is not working, I suspect that there is something fundamental I don't understand about how the router actually performs PAT in practice in this case.
The config, with no issues known to me currently:
version 17.6
!
ip dhcp pool base
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
ip dhcp pool obelix2
host 192.168.1.207 255.255.255.0
client-identifier XXXXXX
client-name obelix2
!
ip dhcp pool obelix
host 192.168.1.107 255.255.255.0
client-identifier XXXXXX
client-name obelix
default-router 192.168.1.1
!
!
interface GigabitEthernet0/0/0
ip address 1.1.1.33 255.255.255.248
ip nat outside
negotiation auto
!
interface GigabitEthernet0/1/0
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/1/6
switchport mode access
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip default-gateway 1.1.1.38
ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
ip nat pool NATPOOL 1.1.1.34 1.1.1.35 netmask 255.255.255.248
ip nat inside source static tcp 192.168.1.107 22 1.1.1.35 2207 extendable
ip nat inside source list 10 pool NATPOOL overload
ip default-network 1.1.1.38
ip route 0.0.0.0 0.0.0.0 1.1.1.38
!
!
!
ip access-list standard 10
10 permit 192.168.1.0 0.0.0.255
08-10-2023 01:58 AM
Hello
You need to negate that specific internal LAN host from the dynamic PAT pool. Try the following:
no ip default-gateway 1.1.1.38
no ip default-network 1.1.1.38
no ip route 0.0.0.0 0.0.0.0 1.1.1.38
ip access-list standard 10
5 deny host 192.168.1.107
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 1.1.1.38
clear ip nat translation forced (<-- do this when applicable)
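As an added example (not from the thread, and not Cisco's code), a small Python lint that reads IOS config fragments like the ones posted above and flags the two things the replies point at: the same inside socket statically mapped to two global sockets, and a static-PAT host that the dynamic overload ACL still permits because no deny precedes the permit. The BEFORE/AFTER fragments are constructed from the thread's config, not the poster's full running-config.

```python
import ipaddress
import re

STATIC_RE = re.compile(r"^ip nat inside source static (?:tcp|udp) (\S+) (\d+) (\S+) (\d+)")
DYNAMIC_RE = re.compile(r"^ip nat inside source list (\S+) pool (\S+)")
ACL_HDR_RE = re.compile(r"^ip access-list standard (\S+)$")
ACL_ENTRY_RE = re.compile(r"^(\d+) (permit|deny) (host \S+|\S+(?: \S+)?)$")

def to_network(target):
    # 'host A', bare 'A' and 'A 0.0.0.0' are single hosts; otherwise 'A WILDCARD'
    parts = target.split()
    if parts[0] == "host" or len(parts) == 1 or parts[1] == "0.0.0.0":
        return ipaddress.ip_network(parts[-1] if parts[0] == "host" else parts[0])
    return ipaddress.ip_network((parts[0], parts[1]), strict=False)  # wildcard = hostmask

def parse_acl(lines, name):
    # Standard ACL entries sorted by sequence number, the order IOS evaluates them in
    entries, inside = [], False
    for line in lines:
        hdr = ACL_HDR_RE.match(line)
        entry = ACL_ENTRY_RE.match(line) if inside and not hdr else None
        inside = bool(entry) or (hdr is not None and hdr.group(1) == name)
        if entry:
            entries.append((int(entry.group(1)), entry.group(2), to_network(entry.group(3))))
    return sorted(entries, key=lambda e: e[0])

def lint(config):
    lines = [l.strip() for l in config.splitlines()]
    statics = [(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
               for m in map(STATIC_RE.match, lines) if m]
    findings, seen = [], {}
    for local, lport, glob, gport in statics:  # the thread's advice: one global socket per inside socket
        if (local, lport) in seen:
            findings.append(f"{local}:{lport} mapped to both {seen[local, lport]} and {glob}:{gport}")
        seen.setdefault((local, lport), f"{glob}:{gport}")
    dyn = next((m for m in map(DYNAMIC_RE.match, lines) if m), None)
    acl = parse_acl(lines, dyn.group(1)) if dyn else []
    for local in sorted({s[0] for s in statics}):
        # first matching entry decides; an ACL with no match ends in an implicit deny
        first = next((act for _, act, net in acl if ipaddress.ip_address(local) in net), "deny")
        if first == "permit":
            findings.append(f"{local} also matches dynamic PAT ACL {dyn.group(1)}; add 'deny host {local}' before the permit")
    return findings

BEFORE = """ip nat inside source static tcp 192.168.1.107 22 1.1.1.33 2207 extendable
ip nat inside source static tcp 192.168.1.107 22 1.1.1.35 2207 extendable
ip nat inside source list 10 pool NATPOOL overload
ip access-list standard 10
10 permit 192.168.1.0 0.0.0.255"""  # constructed fragment modelled on the thread, not the full config
AFTER = "\n".join(l for l in BEFORE.splitlines() if "1.1.1.33" not in l)  # drop the duplicate .33 mapping
AFTER = AFTER.replace("10 permit", "5 deny host 192.168.1.107\n10 permit")  # deny the host before the permit
```

Running `lint(BEFORE)` returns two findings and `lint(AFTER)` returns none; entries are stripped before matching, so the single-space indentation of a real running-config is accepted as well.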