Problem 2-way static NAT at Router

teymur azimov
Level 1

Hi Dears.

I configured dual ISP on the router. As you can see in my configuration, I have two subnets: 192.168.20.0 and 192.168.10.0.

I put those subnets in dynamic NAT, and they are backup for each other. All of them are working perfectly. Dynamic NAT is working perfectly.

I also have one static NAT for my mail server (192.168.10.7). I configured the static NAT, but a problem occurs.

When I want to access a site I cannot, and when I ping 4.2.2.2 from the mail server there is no reply.

But I see this in my NAT translations:

Pro  Inside global      Inside local        Outside local      Outside global
icmp 81.21.95.12:512    192.168.10.7:512    4.2.2.2:512        4.2.2.2:512
tcp  81.21.95.12:4479   192.168.10.7:4479   64.191.223.35:80   64.191.223.35:80
tcp  81.21.95.12:4481   192.168.10.7:4481   64.191.223.35:80   64.191.223.35:80
tcp  81.21.95.12:4482   192.168.10.7:4482   64.191.223.35:80   64.191.223.35:80
tcp  81.21.95.12:4483   192.168.10.7:4483   208.50.223.240:80  208.50.223.240:80
tcp  81.21.95.12:4484   192.168.10.7:4484   208.50.223.240:80  208.50.223.240:80
tcp  81.21.95.12:4485   192.168.10.7:4485   208.50.223.240:80  208.50.223.240:80
udp  81.21.95.10:50462  192.168.10.86:50462 8.8.8.8:53         8.8.8.8:53

My PC's IP is 192.168.10.86. When I ping from my PC, you can see the result:

*Mar 22 16:25:03.890: NAT*: s=192.168.10.86->81.x.x.10, d=4.2.2.2 [37441]
*Mar 22 16:25:03.974: NAT*: s=4.2.2.2, d=81.x.x.10->192.168.10.86 [10039]

This is my mail server's result:

*Mar 22 16:25:07.426: NAT*: s=192.168.10.7->81.x.x.12, d=4.2.2.2 [3696]

There is no NAT translation back.

What is the problem? What must I change in my configuration?

Configuration:

Primary#show run
Building configuration...

Current configuration : 4303 bytes
!
! Last configuration change at 11:48:43 UTC Thu Mar 22 2012
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Primary
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2901/K9 sn FCZ1516C6A4
!
!
username teymur password 0 cisco
!
redundancy
!
!
track timer interface 5
!
track 1 interface GigabitEthernet0/0 line-protocol
!
track 2 ip sla 1 reachability
 delay down 15 up 10
!
track 3 ip sla 2 reachability
 delay down 15 up 10
!
!
!
!
crypto dynamic-map dynmap 10
 reverse-route
!
!
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/0.116
 description connected to ISP1
 encapsulation dot1Q 116
 ip address 81.x.x.10 255.255.255.248
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/0.859
 description connected to ISP2
 encapsulation dot1Q 859
 ip address 85.x.x.114 255.255.255.240
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 172.25.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map Classify
 duplex auto
 speed auto
 standby 1 ip 172.25.10.3
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 20
!
!
ip forward-protocol nd
ip forward-protocol udp isakmp
ip forward-protocol udp non500-isakmp
!
no ip http server
no ip http secure-server
!
ip nat translation timeout 30
ip nat inside source route-map ISP1 interface GigabitEthernet0/0.116 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/0.859 overload
ip nat inside source static 192.168.10.7 81.21.95.12 route-map MAIL-Server
ip route 0.0.0.0 0.0.0.0 81.x.x.9
ip route 0.0.0.0 0.0.0.0 85.x.x.113
ip route 192.168.20.0 255.255.255.0 172.25.10.4
ip route 192.168.16.0 255.255.240.0 172.25.10.4
!
ip sla 1
 icmp-echo 81.x.x.9 source-interface GigabitEthernet0/0.116
 timeout 1000
 threshold 1000
 frequency 2
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 85.x.x.113 source-interface GigabitEthernet0/0.859
 timeout 1000
 threshold 1000
 frequency 2
ip sla schedule 2 life forever start-time now
access-list 101 deny   ip host 192.168.10.7 any
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 permit ip host 192.168.20.10 any
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 104 permit ip 192.168.16.0 0.0.7.255 any
access-list 105 permit ip host 192.168.10.7 any
!
!
!
!
route-map MAIL-Server permit 10
 match ip address 105
 match interface GigabitEthernet0/0.116
!
!
route-map Classify permit 10
 match ip address 103
 set ip next-hop verify-availability 81.x.x.9 1 track 2
 set ip next-hop verify-availability 85.x.x.113 2 track 3
!
route-map Classify permit 20
 match ip address 104
 set ip next-hop verify-availability 85.x.x.113 1 track 3
 set ip next-hop verify-availability 81.x.x.9 2 track 2
!
route-map ISP2 permit 20
 match ip address 102 101
 match interface GigabitEthernet0/0.859
!
route-map ISP1 permit 10
 match ip address 101 102
 match interface GigabitEthernet0/0.116
!
!
!
control-plane

Please help me. Thanks.
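A way to spot the symptom described in the post when the debug capture is longer, as an added example that is not part of the original post: the script pairs outbound and return `debug ip nat` lines and lists flows that were translated on the way out but never on the way back. The function name and the regular expression are assumptions built from the three debug lines quoted in the post; the script reports the symptom only, not its cause.

```python
import re
from collections import defaultdict

# Matches the "debug ip nat" lines quoted in the post:
#   NAT*: s=<src>[-><translated>], d=<dst>[-><translated>] [<ip-id>]
# Addresses are kept as opaque strings so masked values like 81.x.x.10 still parse.
LINE = re.compile(r"NAT\*?: s=(?P<s>[^,\s]+), d=(?P<d>\S+) \[\d+\]")

# The three debug lines from the post (PC flow with a reply, mail server flow without).
SAMPLE = """\
*Mar 22 16:25:03.890: NAT*: s=192.168.10.86->81.x.x.10, d=4.2.2.2 [37441]
*Mar 22 16:25:03.974: NAT*: s=4.2.2.2, d=81.x.x.10->192.168.10.86 [10039]
*Mar 22 16:25:07.426: NAT*: s=192.168.10.7->81.x.x.12, d=4.2.2.2 [3696]
"""


def one_way_flows(debug_text):
    """Return sorted (inside_local, inside_global, remote) tuples that have an
    outbound translation but no matching return translation."""
    outbound = defaultdict(int)
    inbound = defaultdict(int)
    for line in debug_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a NAT debug line
        s, d = m.group("s"), m.group("d")
        if "->" in s and "->" not in d:
            # inside -> outside: the source was rewritten local -> global
            local, glob = s.split("->", 1)
            outbound[(local, glob, d)] += 1
        elif "->" in d and "->" not in s:
            # outside -> inside: the destination was rewritten global -> local
            glob, local = d.split("->", 1)
            inbound[(local, glob, s)] += 1
    return sorted(flow for flow in outbound if flow not in inbound)


if __name__ == "__main__":
    for local, glob, remote in one_way_flows(SAMPLE):
        print(f"no return translation: {local} -> {glob} talking to {remote}")
```
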

1 Reply

teymur azimov
Level 1

Dears, please help me. Write your comments.
