NAT / PAT: static + dynamic PAT on different IPs within subnet

martinnigsch
Level 1

Hi all,

I can't get a combination of static and dynamic PAT to work for the following case:

  • Router is connected to a /29 range of external IP addresses: 1.1.1.33, subnet 255.255.255.248
  • I'd like to have machines connecting (regular dynamic NAT) from 192.168.1.1/24, getting IP addresses via DHCP. Those should use all ports on 1.1.1.34
  • I've got a range of local services that I'd like to expose for external access via static NAT to 1.1.1.35

The interface Gig0/0/0 is connected to the WAN via router 1.1.1.38. I'd like to have a static PAT mapped from global 1.1.1.35:2207 to local 192.168.1.107:22. Somehow, I can't get this to work. The same line, mapping from the interface IP 1.1.1.33:2207 to local 192.168.1.107:22, works without problem. Both lines are in the configuration below.

If I understand correctly, I shouldn't add 1.1.1.35 as a secondary address to Gig0/0/0 (why?). 

Attached is my configuration, any help would be appreciated. Thanks a lot in advance!

version 17.6
!
ip dhcp excluded-address 192.168.1.0 192.168.1.10
ip dhcp excluded-address 192.168.1.255 255.255.255.255
!
ip dhcp pool base
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1 
!
ip dhcp pool obelix-2
 host 192.168.1.207 255.255.255.0
 client-identifier XXX
 client-name obelix-kvm
!
ip dhcp pool obelix
 host 192.168.1.107 255.255.255.0
 client-identifier XXX
 client-name obelix
 default-router 192.168.1.1 
!
interface GigabitEthernet0/0/0
 ip address 1.1.1.33 255.255.255.248
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
!
interface GigabitEthernet0/1/0
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/1/6
 switchport mode access
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip default-gateway 1.1.1.38
ip forward-protocol nd
ip nat pool NATPOOL 1.1.1.34 1.1.1.35 netmask 255.255.255.252
ip nat inside source static tcp 192.168.1.107 22 1.1.1.33 2207 extendable
ip nat inside source static tcp 192.168.1.107 22 1.1.1.35 2207 extendable
ip nat inside source list 10 pool NATPOOL overload
ip default-network 1.1.1.38
ip route 0.0.0.0 0.0.0.0 1.1.1.38
ip route 192.168.1.0 255.255.255.0 Vlan1
!
!
!
ip access-list standard 10
 10 permit 192.168.1.0 0.0.0.255
ip access-list extended 101
 10 permit ip host 192.168.1.107 any
no access-list template
!
!

8 Replies

Hello,

Can you please do the following:

clear ip nat statistics

Then can you enter the command debug ip nat, then clear the NAT translations (clear ip nat translations *). Then try to make a few connections utilizing the IPs needing translations. Then could you provide the output of the following commands:

show ip nat translations

show ip nat statistics

-David

Hi @David Ruess,

Thanks for the reply! Below are the results. Would be great if you could help further.

show ip nat translations

Pro  Inside global         Inside local          Outside local         Outside global
tcp  1.1.1.35:2207     192.168.1.107:22      ---                   ---
tcp  1.1.1.33:2207     192.168.1.107:22      ---                   ---
udp  1.1.1.34:512      192.168.1.207:123     X.X:X.X:123    X.X.X.X:123
tcp  1.1.1.33:2207     192.168.1.107:22      X.X.X.X:53660   X.X.X.X:53660
Total number of translations: 4

show ip nat statistics (after some failed attempts)

Total active translations: 4 (2 static, 2 dynamic; 4 extended)
Outside interfaces:
  GigabitEthernet0/0/0
Inside interfaces: 
  Vlan1
Hits: 33  Misses: 2
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 7] access-list 10 pool NATPOOL refcount 0
 pool NATPOOL: id 4, netmask 255.255.255.252
start 1.1.1.34 end 1.1.1.1.35
type generic, total addresses 2, allocated 0 (0%), misses 0
nat-limit statistics:
 max entry: max allowed 0, used 0, missed 0
In-to-out drops: 4  Out-to-in drops: 0
Pool stats drop: 0  Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0  

Thank you for the output. I did see the couple of missed translations. Can you provide a debug of the NAT with the debug ip nat command? I won't be able to lab this until later, but in the meantime I can suggest the following:

Remove your first static NAT statement:

ip nat inside source static tcp 192.168.1.107 22 1.1.1.33 2207 extendable <-remove
ip nat inside source static tcp 192.168.1.107 22 1.1.1.35 2207 extendable

See if your other static NAT statement works as a standalone. If it does, then add back that static NAT command. My theory is that since it's a 1:1 mapping, it will use the first translation only, ignoring the second static NAT statement for the same IP.

You also might be able to do policy-based NAT, where you configure an extended ACL with source and destination and the NAT statement references a route-map. So only IPs in that range going to a specified destination will get the NAT treatment.

-David

Hi @martinnigsch

I did not see an error in the NAT config, but I did not understand two config lines in the script:

ip dhcp excluded-address 192.168.1.0 192.168.1.10

Here you are excluding the network from getting IP addresses.

ip route 192.168.1.0 255.255.255.0 Vlan1

Here you are creating a route to an interface VLAN which is connected to the router. Furthermore, the route is not created properly.

interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!

Dear @Flavio Miranda,

The ip dhcp excluded-address is just for reserving some IPs out of the pool, as the range from 192.168.1.0 to 192.168.1.10 consists of statically allocated IPs and not dynamically allocated ones.

Could you elaborate on the problem with the "ip route 192.168.1.0 255.255.255.0 Vlan1"?

If I get it right, this should have no effect as there's a direct connection -- but is it actually harmful? (I did remove it from the configuration to check whether it does any harm in this particular instance -- it looks like it's actually just doing nothing, so please assume this line is gone without any effect.)

martinnigsch
Level 1

Further update -- thanks to a hint, I corrected the NATPOOL from 252 to 248 in line with Gig0/0/0. Still unable to establish the static NAT connection from 1.1.1.35:2207 -> 192.168.1.107:22.

The NAT entry is still in the show ip nat translation output as if it would work. The .33 works, not the .35.

show ip nat translation
Pro  Inside global         Inside local          Outside local         Outside global
tcp  1.1.1.35:2207     192.168.1.107:22      ---                   ---
tcp  1.1.1.33:2207     192.168.1.107:22      ---                   ---
Total number of translations: 2

martinnigsch
Level 1

Further update -- I was made aware that a mapping of two global IPs to one single (same) IP and port might not work. Removed the double allocation, and also cleaned up the 252 / 248 and the pointless route mentioned above.

-> still, no connection possible. The same connection to .33 instead of .35 (interface address vs. address in the interface subnet) works without problem.

EDIT -- issued "remove nat outside" / removed the static NAT / "clear ip nat translation *" / added NAT again to make sure it's not some remnant of a past NAT misconfiguration -> didn't work.

As this is just not working, I suspect that there is something fundamental I don't understand about how the router actually performs PAT in practice in this case.

The config, with no issues known to me currently:

version 17.6
!
ip dhcp pool base
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1 
!
ip dhcp pool obelix2
 host 192.168.1.207 255.255.255.0
 client-identifier XXXXXX
 client-name obelix2
!
ip dhcp pool obelix
 host 192.168.1.107 255.255.255.0
 client-identifier XXXXXX
 client-name obelix
 default-router 192.168.1.1 
!
!
interface GigabitEthernet0/0/0
 ip address 1.1.1.33 255.255.255.248
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/1/0
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/1/6
 switchport mode access
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip default-gateway 1.1.1.38
ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
ip nat pool NATPOOL 1.1.1.34 1.1.1.35 netmask 255.255.255.248
ip nat inside source static tcp 192.168.1.107 22 1.1.1.35 2207 extendable
ip nat inside source list 10 pool NATPOOL overload
ip default-network 1.1.1.38
ip route 0.0.0.0 0.0.0.0 1.1.1.38
!
!
!
ip access-list standard 10
 10 permit 192.168.1.0 0.0.0.255

Hello,
You need to negate that specific internal LAN host from the dynamic PAT pool; try the following:

no ip default-gateway 1.1.1.38
no ip default-network 1.1.1.38
no ip route 0.0.0.0 0.0.0.0 1.1.1.38

ip access-list standard 10
5 deny host 192.168.1.107

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 1.1.1.38

clear ip nat translation forced   (<-- do this when applicable)



Kind Regards
Paul
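As an added example (not code from the thread or from Cisco), here is a small Python lint over the NAT lines of the first config that flags the three things the replies found: the pool netmask that differed from the Gig0/0/0 mask, the same inside host:port mapped to two global addresses, and a statically mapped host that the ACL feeding the dynamic PAT pool still permits (the deny Paul adds). The config sample is constructed from the thread's own lines; the parser only understands the commands that appear there (sequence-numbered standard ACL entries included).

```python
import ipaddress
# Constructed sample: the NAT-related lines of the thread's first config, with the /30 pool
# mask, the double static mapping and the ACL overlap that the replies point out.
CONFIG = """interface GigabitEthernet0/0/0
 ip address 1.1.1.33 255.255.255.248
 ip nat outside
ip nat pool NATPOOL 1.1.1.34 1.1.1.35 netmask 255.255.255.252
ip nat inside source static tcp 192.168.1.107 22 1.1.1.33 2207 extendable
ip nat inside source static tcp 192.168.1.107 22 1.1.1.35 2207 extendable
ip nat inside source list 10 pool NATPOOL overload
ip access-list standard 10
 10 permit 192.168.1.0 0.0.0.255
"""

def acl_permits(rules, host):  # first-match standard ACL evaluation, implicit deny at the end
    for action, args in rules:
        a, w = (args[1], "0.0.0.0") if args[0] == "host" else (args[0], args[1] if len(args) > 1 else "0.0.0.0")
        net = ipaddress.ip_network("0.0.0.0/0" if a == "any" else f"{a}/32" if w == "0.0.0.0" else f"{a}/{w}")
        if ipaddress.ip_address(host) in net:
            return action == "permit"
    return False

def lint_nat(cfg):  # findings for the static/dynamic PAT setup of an IOS config
    statics, pools, acls, dyn, outside, cur_ip, acl = [], {}, {}, [], None, None, None
    for raw in cfg.splitlines():
        t = raw.split()
        acl = acl if raw.startswith(" ") else None          # an unindented line ends an ACL block
        if t[:2] == ["ip", "address"] and len(t) == 4:
            cur_ip = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        elif t[:3] == ["ip", "nat", "outside"] and cur_ip:
            outside = cur_ip.network                         # subnet the NAT globals must live in
        elif t[:3] == ["ip", "nat", "pool"]:
            pools[t[3]] = t[7]                               # pool name -> netmask
        elif t[:5] == ["ip", "nat", "inside", "source", "static"] and t[5] in ("tcp", "udp"):
            statics.append((t[5], t[6], t[7], t[8], t[9]))   # proto, local, lport, global, gport
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            dyn.append((t[5], t[7]))                         # ACL number, pool name
        elif t[:2] == ["ip", "access-list"]:
            acl, acls[t[3]] = t[3], []
        elif acl and len(t) > 2 and t[1] in ("permit", "deny"):
            acls[acl].append((t[1], t[2:]))
    out = [f"pool {n} netmask {m} differs from outside interface mask {outside.netmask}"
           for n, m in pools.items() if outside and m != str(outside.netmask)]
    keys = [s[:3] for s in statics]
    out += [f"{p} {loc}:{lp} is mapped to more than one global address" for p, loc, lp in set(keys) if keys.count((p, loc, lp)) > 1]
    for acl_name, pool in dyn:
        out += [f"host {h} is statically mapped but ACL {acl_name} also sends it to dynamic pool {pool}; deny it before the permit"
                for h in sorted({s[1] for s in statics}) if acl_permits(acls.get(acl_name, []), h)]
    return out
```

Running lint_nat(CONFIG) reports all three findings; with the mask set to 255.255.255.248, the .33 static line removed and "5 deny host 192.168.1.107" ahead of the permit, it reports none.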