10-23-2004 08:25 PM - edited 03-05-2019 11:17 AM
Can anyone tell me why NAT to my DMZ fails?
interface FastEthernet0
ip address xx.100.97.194 255.255.255.248
ip nat outside
duplex auto
speed auto
no cdp enable
!
interface FastEthernet1
switchport access vlan 2
no ip address
no cdp enable
!
interface FastEthernet2
switchport access vlan 2
no ip address
no cdp enable
!
interface FastEthernet3
switchport access vlan 3
no ip address
no cdp enable
!
interface FastEthernet4
switchport access vlan 3
no ip address
no cdp enable
!
interface Vlan2
ip address xx.145.181.66 255.255.255.224
ip nat outside
!
interface Vlan3
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface Vlan1
description $ETH-SW-LAUNCH$
ip address 10.10.10.1 255.255.255.248
ip tcp adjust-mss 1452
!
interface Async1
no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 xx.100.97.193
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source list 2 interface Vlan2 overload
ip nat inside source static tcp 192.168.1.3 1220 xx.145.181.66 1220 extendable
ip nat inside source static tcp 192.168.1.7 4599 xx.145.181.66 4599 extendable
ip nat inside source static tcp 192.168.1.3 6401 xx.145.181.66 6401 extendable
ip nat inside source static tcp 192.168.1.3 10000 xx.45.181.66 10000 extendable
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
Thanks,
Jerry
10-25-2004 04:24 AM
Hello Jerry,
The question WHY it does not work should probably be answered by someone who is deeply involved in IOS programming. It is obvious what you want to achieve, but your setup will not work.
Instead, this issue should be solved using route-maps. I found the following URL on the forum searching for the keywords "nat" and "conditional"
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
You might need to make your own adjustments but this is how it should be done.
Regards,
Leo
10-25-2004 05:06 AM
Network 192.168.1.0 is going with the first nat inside statement. Which is...
ip nat inside source list 1 interface FastEthernet0 overload
Access list 1 permits network 192.168.1.0. So the second NAT inside statement would never be used.
If you were to switch this statement around you would get the reverse effect.
I'm unable to try this in a lab environment, but you could give it a try using an extended access-list with this.
Example
ip nat inside source list 101 interface FastEthernet0 overload
ip nat inside source list 102 interface Vlan2 overload
access-list 101 deny ip 192.168.1.0 0.0.0.255 xx.145.181.66 0.0.0.31
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 xx.145.181.66 0.0.0.31
Let us know if it works!!
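To make the first-match behaviour described above concrete, here is a small Python model of Cisco ACL wildcard matching and NAT rule selection, added as an example (not part of the original reply and not IOS code). It compares Jerry's original lists 1 and 2 with the extended 101/102 ACLs proposed above; the DMZ subnet uses 63.145.181.66 0.0.0.31 from the later unobfuscated config, and the sample flows are constructed.

```python
import ipaddress

# Constructed model of how IOS picks a translation: the first
# "ip nat inside source list" whose ACL permits the flow wins.
# Example code added here, not from the original post or from Cisco.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry decides; every ACL ends with an implicit deny."""
    for action, sbase, swc, dbase, dwc in acl:
        if wildcard_match(src, sbase, swc) and wildcard_match(dst, dbase, dwc):
            return action == "permit"
    return False

def select_nat_interface(rules, acls, src: str, dst: str):
    """Outside interface of the first NAT rule whose ACL permits the flow,
    or None when the flow is not translated at all."""
    for acl_name, outside_iface in rules:
        if acl_permits(acls[acl_name], src, dst):
            return outside_iface
    return None

ANY = ("0.0.0.0", "255.255.255.255")  # standard ACLs only test the source
LAN = ("192.168.1.0", "0.0.0.255")
DMZ = ("63.145.181.66", "0.0.0.31")   # the Vlan2 /27 as written in lists 101/102

# Original policy: lists 1 and 2 both permit the whole LAN, so list 2 never fires.
ORIGINAL_ACLS = {"1": [("permit", *LAN, *ANY)], "2": [("permit", *LAN, *ANY)]}
ORIGINAL_RULES = [("1", "FastEthernet0"), ("2", "Vlan2")]

# Extended ACLs from the reply above: list 101 carves the DMZ out first.
PROPOSED_ACLS = {
    "101": [("deny", *LAN, *DMZ), ("permit", *LAN, *ANY)],
    "102": [("permit", *LAN, *DMZ)],
}
PROPOSED_RULES = [("101", "FastEthernet0"), ("102", "Vlan2")]

if __name__ == "__main__":
    for label, rules, acls in (("original", ORIGINAL_RULES, ORIGINAL_ACLS),
                               ("proposed", PROPOSED_RULES, PROPOSED_ACLS)):
        dmz = select_nat_interface(rules, acls, "192.168.1.5", "63.145.181.70")
        inet = select_nat_interface(rules, acls, "192.168.1.5", "198.51.100.9")
        print(f"{label}: LAN->DMZ via {dmz}, LAN->Internet via {inet}")
```

With the original lists a LAN-to-DMZ packet is translated to the FastEthernet0 address, which is why the DMZ never sees a Vlan2 source; the extended lists send it out Vlan2 instead.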
10-25-2004 10:01 PM
Nope, doesn't work. Users on the LAN can get to the DMZ only after I have pinged a host on the DMZ and populated the ARP cache on the Cisco. I tested with an end user today and they could not ping anything, so I proceeded to ping each host on the DMZ one by one, and after I did this they were able to reach the hosts. I expect as soon as the ARP cache times out or a reboot happens, it would fail.
Can anyone make this work in my environment? I am totally confused on local and global definitions for NAT. Do I have to assign additional space to make this work?
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml#routemap
10-26-2004 07:07 AM
Where did you ping from?
What configuration does this work with?
10-29-2004 09:47 PM
I pinged from the router itself to populate the ARP cache. An end user on the LAN (192.168.1.0/24) was only able to reach hosts after I pinged the host first from the 1711 router. I have decided to change my direction and NAT to the internet and route to the DMZ, and now THIS doesn't even work. Can you see a problem with this config?
version 12.3
no parser cache
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname LFL-1711-LAN
!
boot-start-marker
boot system flash c1700-k9o3sy7-mz.123-7.T.bin
boot-end-marker
!
logging buffered 51200 warnings
!
username admin password 1234
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login ssh local
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
ip domain name forless.com
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool 192.168.1.0/24
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name forless.com
dns-server 63.147.112.162 204.8.143.122 63.145.181.67 63.145.181.77
!
!
ip cef
ip audit po max-events 100
no vlan accounting
no ftp-server write-enable
!
!
!
!
!
no crypto isakmp enable
!
!
!
interface FastEthernet0
ip address 67.100.97.194 255.255.255.248
ip access-group Wan_2_Local in
ip nat outside
duplex auto
speed auto
no cdp enable
!
interface FastEthernet1
switchport access vlan 2
no ip address
no cdp enable
!
interface FastEthernet2
switchport access vlan 2
no ip address
no cdp enable
!
interface FastEthernet3
switchport access vlan 3
no ip address
no cdp enable
!
interface FastEthernet4
switchport access vlan 3
no ip address
no cdp enable
!
interface Vlan2
ip address 63.145.181.66 255.255.255.224
!
interface Vlan3
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface Vlan1
description $ETH-SW-LAUNCH$
no ip address
ip tcp adjust-mss 1452
!
interface Async1
no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 67.100.97.193
ip route 10.10.0.64 255.255.255.224 63.145.181.65
ip route 10.10.10.64 255.255.255.224 63.145.181.65
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list NAT interface FastEthernet0 overload
!
!
!
ip access-list extended NAT
permit ip 192.168.1.0 0.0.0.255 any
no cdp run