03-22-2012 12:06 PM - edited 03-07-2019 05:43 AM
Hi Dears.
I configured dual ISP on the router. As you can see from my configuration, I have two subnets: 192.168.20.0 and 192.168.10.0.
I put those subnets in dynamic NAT, and they are backups for each other. All of them are working perfectly. Dynamic NAT is working perfectly.
I also have one static NAT for my mail server (192.168.10.7). I did the static NAT, but a problem occurs.
When I want to access a site I cannot access it, and when I ping 4.2.2.2 from the mail server there is no reply.
But I see this in my NAT translations.
Pro Inside global Inside local Outside local Outside global
icmp 81.21.95.12:512 192.168.10.7:512 4.2.2.2:512 4.2.2.2:512
tcp 81.21.95.12:4479 192.168.10.7:4479 64.191.223.35:80 64.191.223.35:80
tcp 81.21.95.12:4481 192.168.10.7:4481 64.191.223.35:80 64.191.223.35:80
tcp 81.21.95.12:4482 192.168.10.7:4482 64.191.223.35:80 64.191.223.35:80
tcp 81.21.95.12:4483 192.168.10.7:4483 208.50.223.240:80 208.50.223.240:80
tcp 81.21.95.12:4484 192.168.10.7:4484 208.50.223.240:80 208.50.223.240:80
tcp 81.21.95.12:4485 192.168.10.7:4485 208.50.223.240:80 208.50.223.240:80
udp 81.21.95.10:50462 192.168.10.86:50462 8.8.8.8:53 8.8.8.8:53
This is my PC's IP: 192.168.10.86. When I ping from my PC, you can see the result:
*Mar 22 16:25:03.890: NAT*: s=192.168.10.86->81.x.x.10, d=4.2.2.2 [37441]
*Mar 22 16:25:03.974: NAT*: s=4.2.2.2, d=81.x.x.10->192.168.10.86 [10039]
This is my mail server's result:
*Mar 22 16:25:07.426: NAT*: s=192.168.10.7->81.x.x.12, d=4.2.2.2 [3696]
There is no NAT translation back.
What is the problem? What must I change in my configuration?
Configuration:
Primary#show run
Building configuration...
Current configuration : 4303 bytes
!
! Last configuration change at 11:48:43 UTC Thu Mar 22 2012
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Primary
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2901/K9 sn FCZ1516C6A4
!
!
username teymur password 0 cisco
!
redundancy
!
!
track timer interface 5
!
track 1 interface GigabitEthernet0/0 line-protocol
!
track 2 ip sla 1 reachability
delay down 15 up 10
!
track 3 ip sla 2 reachability
delay down 15 up 10
!
!
!
!
crypto dynamic-map dynmap 10
reverse-route
!
!
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
!
interface GigabitEthernet0/0.116
description connected to ISP1
encapsulation dot1Q 116
ip address 81.x.x.10 255.255.255.248
ip nat outside
ip virtual-reassembly
!
interface GigabitEthernet0/0.859
description connected to ISP2
encapsulation dot1Q 859
ip address 85.x.x.114 255.255.255.240
ip nat outside
ip virtual-reassembly
!
interface GigabitEthernet0/1
description INSIDE
ip address 172.25.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map Classify
duplex auto
speed auto
standby 1 ip 172.25.10.3
standby 1 priority 110
standby 1 preempt
standby 1 track 1 decrement 20
!
!
ip forward-protocol nd
ip forward-protocol udp isakmp
ip forward-protocol udp non500-isakmp
!
no ip http server
no ip http secure-server
!
ip nat translation timeout 30
ip nat inside source route-map ISP1 interface GigabitEthernet0/0.116 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/0.859 overload
ip nat inside source static 192.168.10.7 81.21.95.12 route-map MAIL-Server
ip route 0.0.0.0 0.0.0.0 81.x.x.9
ip route 0.0.0.0 0.0.0.0 85.x.x.113
ip route 192.168.20.0 255.255.255.0 172.25.10.4
ip route 192.168.16.0 255.255.240.0 172.25.10.4
!
ip sla 1
icmp-echo 81.x.x.9 source-interface GigabitEthernet0/0.116
timeout 1000
threshold 1000
frequency 2
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 85.x.x.113 source-interface GigabitEthernet0/0.859
timeout 1000
threshold 1000
frequency 2
ip sla schedule 2 life forever start-time now
access-list 101 deny ip host 192.168.10.7 any
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 permit ip host 192.168.20.10 any
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 104 permit ip 192.168.16.0 0.0.7.255 any
access-list 105 permit ip host 192.168.10.7 any
!
!
!
!
route-map MAIL-Server permit 10
match ip address 105
match interface GigabitEthernet0/0.116
!
!
route-map Classify permit 10
match ip address 103
set ip next-hop verify-availability 81.x.x.9 1 track 2
set ip next-hop verify-availability 85.x.x.113 2 track 3
!
route-map Classify permit 20
match ip address 104
set ip next-hop verify-availability 85.x.x.113 1 track 3
set ip next-hop verify-availability 81.x.x.9 2 track 2
!
route-map ISP2 permit 20
match ip address 102 101
match interface GigabitEthernet0/0.859
!
route-map ISP1 permit 10
match ip address 101 102
match interface GigabitEthernet0/0.116
!
!
!
control-plane
Please help me. Thanks.
03-23-2012 07:28 AM
Dears, please help me. Write your comments.